Sharing Information with the Private Sector

As the terrorist attacks on transportation infrastructure in London and Madrid demonstrate, critical infrastructure can be a prime target for the transnational terrorist enemy we face today. The private sector owns and operates an estimated 85% of infrastructure and resources that are critical to our Nation's physical and economic security. It is, therefore, vital to ensure we develop effective and efficient information sharing partnerships with private sector entities. Important sectors of private industry have made significant investments in mechanisms and methodologies to evaluate, assess, and exchange information across regional, market, and security-related communities of interest. This Strategy builds on these efforts to adopt an effective framework that ensures a two-way flow of timely and actionable security information between public and private partners.

Efforts to improve information sharing with the private sector have initially focused on sharing with the owners and operators of our Nation's critical infrastructure and key resources. In accordance with the National Infrastructure Protection Plan, we are currently implementing a networked approach to information sharing that allows distribution and access to information both horizontally and vertically using secure networks and coordination mechanisms, allowing information sharing and collaboration within and among sectors. It also enables multi-directional information sharing between government and industry that focuses, streamlines, and reduces redundancy in reporting to the greatest extent possible.

These processes are enabling the integration of private sector security partners, as appropriate, into the intelligence cycle and National Common Operating Picture. Moreover, sector security partners are becoming more confident that the integrity and confidentiality of their sensitive information can and will be protected and that the information sharing process can produce actionable information regarding threats, incidents, vulnerabilities, and potential consequences to critical infrastructure and key resources. These efforts are being integrated into broader efforts to establish the ISE.

It is important to note that critical infrastructure and key resource owners and operators utilize a number of mechanisms that facilitate the flow of information, mitigate obstacles to voluntary information sharing, and provide feedback and continuous improvement regarding structure and process. These include the Sector Coordination Councils, Government Coordination Councils, National Infrastructure Coordinating Center, Sector-level Information Sharing and Analysis Centers (commonly referred to as ISACs), DHS Protective Security Advisors, the DHS Homeland Infrastructure Threat and Risk Analysis Center (HITRAC), and State and major urban area fusion centers. These mechanisms accommodate a broad range of sector cultures, operations, and risk management approaches and recognize the unique policy and legal challenges for full two-way sharing of information between private sector owners and operators and government, as well as the important requirements for efficient operational processes.

Our efforts to improve information sharing with the private sector have been guided by a number of important factors:

• Current, reliable, accurate, and actionable information is critical to private sector decisions to protect their business;

• Private sector entities gather, process, analyze, and share information in order to protect their companies, assets, employees, infrastructure, and ability to operate, so as to maintain a competitive advantage;

• In many cases, private sector entities have spent years establishing strong working relationships with Federal, State, and local law enforcement and other entities; this Strategy respects and encourages those established relationships;

• The private sector operates within multiple information sharing frameworks: industry executives often prefer to separately share threat-related information with Federal and State as well as local government officials and other business executives as they assess the threat environment in which they operate, implement protective measures, and engage in emergency response planning activities;

• As we incorporate the information sharing needs and capabilities of the private sector into our efforts to enable information sharing, we need to recognize that at times the environment in which homeland security, law enforcement, and terrorism-related information is shared mirrors the regulatory environment in which the sharing entity operates; and

• The private sector relies on multiple information sources including professional and local organizations, private information providers, news outlets, colleagues, open intelligence sources on the web, and company management in both domestic and foreign locations, in addition to the government at all levels (Federal, State, and local).

Accordingly, as we improve efforts to share terrorism-related information with the private sector we must continue to:

• Build a trusted relationship between Federal, State, local, and tribal officials and private sector representatives to facilitate information sharing;

• Improve the two-way sharing of terrorism-related information on incidents, threats, consequences, and vulnerabilities, including enhancing the quantity and quality of specific, timely, and actionable information provided by the Federal Government to critical infrastructure sectors and their State, local, and tribal partners;

• Ensure that Federal, State, local, and tribal authorities have policies in place that ensure the protection of private sector information that is shared with government entities;

• Integrate private sector analytical efforts into Federal, State, local, and tribal processes, as appropriate, for a more complete understanding of the terrorism risk; and

• Establish mechanisms and processes to ensure compliance with all relevant U.S. laws, including applicable information privacy laws.

We will continue to build upon existing successful information sharing partnerships in a variety of areas key to our national security. Those include programs such as the following:

• The Critical Infrastructure Partnership Advisory Council - provides the framework for owner and operator members of Sector Coordinating Councils and members of Government Coordinating Councils to engage in intra-government and public-private cooperation, information sharing, and engagement across the entire range of critical infrastructure protection activities;

• InfraGard - a partnership between the Federal Government, an association of businesses, academic institutions, State and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States;

• Protected Critical Infrastructure Information/Sensitive Security Information - an information-protection tool that facilitates information sharing between the government and the private sector, which is used by DHS and other Federal, State, and local analysts in pursuit of a more secure homeland, focusing primarily on analyzing and securing critical infrastructure and protected systems, identifying vulnerabilities and developing risk assessments, and enhancing recovery preparedness measures;

• The Overseas Security Advisory Council - a Federal advisory committee that promotes security cooperation between American business and private sector interests worldwide and currently encompasses the 34-member core Council, an Executive Office, over 100 Country Councils, and more than 3,500 constituent member organizations and 372 associates; and

• Existing collaborative information sharing relationships between private sector entities and State and local authorities to facilitate the sharing of time-sensitive threat and vulnerability information, which reflect the preference, in some cases, of private sector entities to coordinate the sharing of threat-related and other information with the government authorities responsible for regulating their activities.

The President also created the National Infrastructure Advisory Council (NIAC). The NIAC is charged to make recommendations on improving the cooperation and partnership between the Federal Government and industry, for the purpose of securing the critical infrastructures. The advice from the NIAC is meant to assist the President and the Secretary of Homeland Security in the development of policies and strategies that range from risk assessment and management to information sharing, protective measure, and clarification on roles and responsibilities between public and private sectors.

Finally, the needs and capabilities of the private sector, particularly those entities considered to be critical infrastructure or key resources, will be incorporated into efforts to establish a national, integrated network of State and major urban area fusion centers and to produce "federally coordinated" terrorism-related information products at NCTC.