Quick Facts
Since the September 11 terrorist attack, the United States government has been harping about the need for more public-private threat information sharing. But while the government is hot to gain access to private sector documents, it hasn’t been all that forthcoming when it comes to revealing their own classified material. This article outlines the need and some necessary steps to achieve workable information-sharing relationship between the public and private sectors.

Audience:
• Senior managers and executives
• Business continuity managers
• Records managers

It’s a well-known fact that 85 percent of the nation’s infrastructure is owned by the private sector. Domestic and international terrorists want to destroy U.S. businesses. Meanwhile, federal, state, and local governments have information about these threats, but cannot share it with the private sector because it is classified. Likewise, the government would like to gain more access to private sector threat information, but these documents need classified document protections. The following proposes the formation of a national, civilian security clearance that would enable the bidirectional sharing of classified and private-sector threat information, solving both of these problems.

The federal government has classified threat information. The information may not be very detailed or reliable, but the government’s challenge is to define whom it can trust with this information. National security clearances are designed for military and national security secrets and are not the right tool for this challenge. Business have a need to know when credible threats are nearby, but this “need to know” does not necessarily require the divulgence of names, sources, or methods. As such, it may be possible for the government to devise a method whereby it can share threat information with the private sector without revealing potentially dangerous material.

On the other side of the equation, most businesses and private citizens have accepted the tradeoff between privacy and security. A few years ago, we would have been outraged to take off our shoes, belts, and jackets to walk through an airport metal detector. Today, in order to reach our destination, men and women have to get dressed after passing through a very public detector.

The private sector is ready to share plans and company confidential information with the government if it can be protected from the Freedom of Information Act (FOIA). Predatory attorneys and insurance agents would be eager to see these plans for private gain. These documents need the protection of a security clearance before business will share them with the government. A civilian clearance would be appropriate, because much of the information the private sector would be sharing is not as sensitive as the federal government’s national secrets.

The Department of Homeland Security
There is a need for a clearance system, but the National Security Agency (NSA) and police options offer either too much or too little protection. The Department of Homeland Security (DHS) has also been studying this issue. In a DHS report, federal government survey respondents stated that information sharing with state and city officials is hampered due to a lack of clearances. The private sector was not included in the survey, as noted by the General Accounting Office’s (GAO) report “Homeland Security Efforts to Improve Information Sharing Need to be Strengthened,” which was released on Aug. 29. Presidential Executive Order 13311, issued on Jul. 29, directs DHS to implement the requirements and procedures wherein federal information should be shared with state and local government personnel. The directive and DHS report should have included the privately owned infrastructure security directors as well.
Several independent organizations offer increased security or shared security information. The following examples might be useful in determining what we need to do to share sensitive civilian information more freely.

Business Network of Emergency Resources
The Business Network of Emergency Resources, Inc. (BNet) is an organization dedicated to supporting New York in mitigating loss, providing emergency access, and improving communication between employers and the government. One of the BNet products is a corporate emergency access system (CEAS) that lets business people pass through yellow fire department tape to retrieve critical records or resources.

New Jersey Business Force
Business Executives for National Security (BENS) has several public policy efforts underway including the New Jersey Business Force. The New Jersey Business Force is comprised of a collection of business leaders that have agreed to provide resources to the city and state officials in a time of crisis. These relationships are called upon in times of need. Trusted relationships are important, but are not enough to encourage businesses and government officials to engage in more sensitive information sharing.

Information Sharing and Analyst Centers
The National Strategy for Physical Protection of Critical Infrastructures and Key Assets is a White House document that tasks security to multiple levels of government and encourages private sector participation in Information Sharing and Analyst Centers. ISACs are private associations that have a governing board with Federal oversight and a closed industry membership. Members of these virtual centers can exchange information by industry.

In practice, ISACs typically have a minimal number of members. The perception is that they have high fees for the value received. There are eight virtual ISACs where industries from financial services to water districts can join and share data. The primary topic of concern in an ISAC, however, is cyber security, not physical security. ISACs do not have a routine federal flow of threat information and threats are not routinely shared.

Infragard
Infragard is an FBI association of private companies dedicated to the protection of cyber and physical security. Infragard has local chapters across the United States and two levels of membership, classified and unclassified. Civilians must submit to an FBI background check to belong to Infragard. The FBI check is a basic background check, but it assures that the membership applicant has a need to know and a clean background. Once the background check is complete, members can obtain threat information from the FBI.

While the Infragard “clearance” is not used outside of Infragard, it is an excellent example of a civilian clearance that could be used on a broader basis. The FBI background check is sufficient for the FBI to pass risk and threat information to infrastructure businesses. If this “clearance” can acquire Patriot Act protections, then businesses would be safe in sharing their vulnerability documents and emergency plans with various government agencies.

America’s private sector is a major target of terrorism. We are the victims and also the first responders. Our leaders talk about security as a shared responsibility, but proceed with a suspicious, Cold War mentality. Keeping vital information confined to the government puts businesses at risk. A civilian security clearance will enable smart decisions to be made when a company’s security director comes face-to-face with the next Timothy McVeigh..

Read this article in Contingency Planning & Management