There was a very misleading article posted on the Washington Post web site this last Thursday. It reflects a very paranoid assessment of cooperation between industry and government, and it cannot even get the name of the organization it is attacking correct. It misleadingly identifies the Chemical Sector Coordinating Council (misnamed the Chemical Sector Committee) as a policy advisory agency, implying that the CSCC helps to set regulatory requirements for chemical security.
Purpose of Sector Coordinating Councils
The CSCC is just one of 18 such organizations established under the Homeland Security Presidential Directive #7. These Sector Coordinating Councils are established to provide a forum for industries within the 18 critical infrastructure sectors to share information about infrastructure protection, both within the sector and with the federal government. There are no government officials serving in any of the SCCs. There is a similar Government Coordinating Council for each sector, made up of representatives from federal agencies, State and local governments for that sector, with a similar mandate. Coordination between the two is done by the Sector Specific Agency office within the appropriate Cabinet-level agency. For the Chemical Sector, that agency is DHS, but the chemical sector specific agency office is completely separate from the Infrastructure Security Compliance Division that manages CFATS implementation.
Congress has given DHS very limited authority to manage security issues in the chemical sector. The CFATS regulations cover just a tiny minority of chemical facilities. Even if you consider facilities that use the highest-risk chemicals, CFATS regulates only a small percentage of those facilities. The work of the CSCC helps to share information on chemical security measures for both those facilities covered under CFATS and those that will never be regulated by DHS.
The security guidance and information produced by the CSCC can get to industry much more quickly than DHS will ever be able to implement security regulations. The CSCC is not bound by the requirements for publishing and public comment that DHS is, so they can respond much more quickly to new and changing security conditions. Of course, their recommendations are not regulations and no one is required to follow their guidance.
A good example of this is the recent publication of the Roadmap to Secure Control Systems in the Chemical Sector. While Congress has just begun to debate the whole issue of regulating cyber security, a debate that, as of yet, hardly touches on chemical control system security, the CSCC has already provided the chemical industry with the information needed to get them started moving down the road to increased control system security. Now Congress might eventually get around to enacting legislation that would authorize DHS to establish regulations, but the effects of such regulations would be years in the making. Because of the CSCC, the chemical industry already is sharing the information to begin to allow them to move in the direction that might be mandated by Congress eventually.
Influence on CFATS Regulations
The Washington Post article implies that the CSCC directly influences the implementation of chemical security regulations. This is a gross exaggeration and oversimplification of the regulatory process. First off, the CSCC has no official connection with CFATS policy or regulatory development. Do individual members of the CSCC lobby DHS generally and ISCD specifically? Absolutely. Does industry control the CFATS process? Absolutely not. All one has to do is look at the lawsuit filed by the petroleum industry (one of the richest, most politically influential portions of the chemical sector) to get DHS to stop regulating security at their fuel distribution centers, to see how DHS applies their regulations despite industry objections.
But yes, DHS does seek input from the chemical sector, as required by both law and common sense. Congress has established a regulatory establishment process that requires the executive branch to take into account the impact their regulations would have on the business community. Overly burdensome regulations serve no purpose; they will either drive companies out of business, or force them to include the costs of fines in the cost of their products as they ignore the regulations. Now there will be legitimate disagreements about what constitutes ‘overly burdensome’ regulations, but those disagreements will be resolved through the political and legal processes.
From a common sense perspective, DHS should consult with the industry that they regulate. Chemical facility security is a relatively new field and there are few, if any, real experts. Industry self-interest dictates that they will hire or develop such experts as they need to secure their facilities and they will pay better than the government. That, combined with the minuscule number of people authorized by Congress to develop and enforce chemical facility security regulations, ensures that DHS will have to frequently turn to industry to advise them on how to effectively achieve the government’s security goals.
DHS ISCD is to be commended on the way that they have worked with industry to ensure as trouble-free an implementation of a major new regulatory framework as possible. Each step along the way DHS has used voluntary cooperation from some of the highest risk facilities to walk those facilities through the innovative Chemical Security Assessment Tool. The lessons learned in those cooperative ventures have been used to modify the tool to make it easier to use for subsequent users.
This does not mean that DHS has allowed industry to set the standards by which they are evaluated; they just made the process easier to follow. Anyone that has been following the CFATS implementation process knows that there have been many industry objections to some of the requirements. Some have been changed when there was sufficient justification; most have remained the way they were designed. Some of the delays in the Site Security Plan approval process have been because ISCD kept holding facilities to the standards that they had set forth in the Risk Based Performance Standards Guidance Document when industry interpreted those standards less strictly than did DHS.
Articles such as this one in the Washington Post do little to advance the legitimate political discussion about potential changes to chemical security legislation. The blatant mischaracterization of the Chemical Sector Coordinating Council as a body of insiders designed to influence the chemical security process at DHS is factually flawed and denigrates a legitimate effort to enhance the security of the chemical industry, and by implication similar efforts in the other critical infrastructure sectors.
The admitted fact that many of the companies that participate in the CSCC have also politically opposed the simplistic application of inherently safer technology as the savior of chemical security has little, if anything, to do with their legitimate interest in cooperation to enhance chemical facility security. Even those that disagree with industry on the IST issue should applaud the industry’s effort to extend chemical security activities to unregulated chemical facilities.
Ill-advised attacks like this article poison the political atmosphere and make it more difficult to establish a real dialog that will help to advance legitimate security concerns of those on both sides of the debate.