PCII and Black Energy 2 incident response

PCII is a program that allows industry to share (cyber security) information with the government while keeping that information out of public sight — it is exempt from FOIA request.


I was reading an article about the Black Energy 2 cyber “attacks”, and came across an interesting quote regarding PCII:

Organizations that do not want to disclose the breach, but still want to cooperate with ICS-CERT, can invoke the confidentiality protections of the Protected Critical Infrastructure Information (“PCII”) Program to share information with the government.

I am glad that ICS-CERT carries a banner for ICS security. They use the press to their advantage and have won great attention to the issue.

I also think that in a general way it is nice that organizations can share some cyber security details with the government. In theory this may allow the government to understand a bigger picture, and take responses in ways that a private organization might not be able to.

I have to admit though, that there is another way to interpret the quote. Let me re-phrase:

Organizations that were foolish enough to connect their industrial control systems directly to the Internet, despite years of warning from the private sector and DHS, can comfortably request taxpayer assistance by invoking the PCII program. This loophole allows possibly-negligent organizations to receive federal cyber security incident response subsidies while keeping it secret from the taxpayers who ultimately foot the bill.

My point is that in some way we need to encourage industry to take responsibility for their inaction on the cyber issue. There are many ways to do this. But, we can have those conversations another day.