Wednesday, June 11, 2008

Revise HR 6193

In reviewing yesterday’s blog about the Improving Public Access to Documents Act (IPADA) of 2008 it sure looks like I could find nothing good about the recently introduced legislation. That is because I was focusing on the provisions of the bill that would most directly impact chemical facilities. I overlooked the avowed purpose of the legislation; to make it easier to share intelligence information in order to prevent terrorist attacks.

The congressional findings section of the bill {Section 2} states the problem clearly:

    • "The proliferation and widespread use of "sensitive but unclassified" (SBU) control markings by the Federal government interferes with accurate, actionable and timely homeland security information sharing, increases the cost of information security, and needlessly limits public access to information."

Intelligence Dissemination

Anything that can aid in the timely dissemination of intelligence information to the people that can put it to use is probably a good thing in the long run. Police agencies, counter-terrorism agencies and even high-risk chemical facilities can all do their job of protecting the public from the results of a successful terrorist attack if they have actionable intelligence information as soon as practicable.

In general, this bill tries to make it easier to get that information to the people who can use it. The legislation requires that all DHS produced intelligence information is produced in a common format to aid in its utilization. It also prohibits DHS from using the ‘Sensitive but Unclassified’ (SBU) marking as the sole factor for determining who does not get to see the information.

Protecting CVI

Sharing intelligence is a good thing. Sharing CVI may not be a good thing. They are two different types of information. They need different rules. Unfortunately, Congress, in its Section 550 authorization for CFATS, only had a choice between making the vulnerability information classified (definitely overkill) or lumping it into the SBU category.

To determine how to protect CVI we need to take a realistic look at how that information should be used. From that we can decide who needs to see that information. Using that we can add provisions to HR 6193 to ensure that dissemination is enhanced while prohibiting unnecessary disclosure of the information.

Who Needs to See CVI

Two sets of personnel need routineaccess to CVI to administer the CFATS program, the facility security management team and DHS. Both of these groups will initiate documents that require CVI markings. The Secretary has given implicit authority to facility management to designate certain specified documents as CVI. This is not addressed in the marking provisions of Section 210G in this bill.

Facility employees will need routine access to some of the CVI produced by the facility. This will include substantial portions of the Site Security Plan (SSP) and portions of the Security Vulnerability Assessment (SVA). They should also receive some access to intelligence information that pertains to their facility so that they can be observing for specific indicators of pre-attack surveillance. They should be extensively trained and drilled on the Emergency Response Plan (ERP) portion of the SSP.

Security personnel at the facility (employee or contract) will need to understand the SVA and be completely aware of all provisions of the SSP. This includes local police or National Guard forces that serve as a security response force for the facility. They will need complete access to the available intelligence information. Their incident reports and counter-surveillance observations will likely become CVI as those reports are consolidated and forwarded to DHS; part of the developing counter-terrorism intelligence apparatus.

Fire and Rescue first responders that will respond to any terrorist incident will need to be completely aware of the ERP portion of the SSP. They will need to be aware of the layout of the facility and the locations of all of the hazardous chemical storage areas within the facility.

Local law enforcement personnel will have to know which facilities are high-risk facilities. As intelligence is developed pertaining to the facility their management will have to be brought into the counter-surveillance plan to coordinate local police patrols. The entire force will have to be familiar with the police portion of the ERP portion of the SSP.

Local Emergency Planning Committees

One group that DHS has completely overlooked in their discussions about chemical facility security is the Local Emergency Planning Committee (LEPC), an organization mandated by the Emergency Planning and Community Right-to-Know Act (EPCRA). The LEPC is made up of emergency management agencies, responders, industryand the public. EPCRA dictates that the mission of these committees is to develop emergency response plans for accidental chemical releases. These off-site response plans should be made an integral part of the ERP portion of the SSP.

Where these committees work well they have already developed the interagency contacts and trust that make for an effective emergency response. They should be notified as early as possible when a facility in their area is designated a high-risk facility. This would allow the committee to begin updating their emergency response plans to deal with the results of a successful terrorist attack. This means that LEPCs will routinely require some access to CVI.

Restricting FOIA Releases

While legitimate arguments can certainly be made that the certain elements of intelligence information and analysis should be made available to the public, those arguments are less impressive when it comes to CVI. The bulk of the information that will be legitimately marked as CVI will address facility vulnerabilities and responses to those vulnerabilities. There is no legitimate need for the public to know that type of information.

What the public does have an undeniable right to know (and is codified in EPCRA) is what chemicals they might be exposed to in the event of a successful attack. Since these are generally the same chemicals covered by the EPA regulations, they should already be aware of these risks.

They also have a right to know that appropriate Emergency Response Plans have been made for a successful terrorist attack and what parts they may be expected to play in those plans. In most cases the ERP for a terrorist attack is going to be pretty much the same as one for an accidental release.

Thus an FOIA request for CVI information should only be able to obtain a list of the Chemicals of Interest (COI) (Appendix A, 6 CFR Part 27) at the facility and a copy of the off-site emergency response plan. Even the COI list should be restricted to just the Flammable Release and Toxic Release chemicals on site (the same data that is available under EPCRA). Presumably the Theft/Diversion and Contamination COI are not a specific threat to the local community, thus they lose the ‘need to know’ that information.

High-Risk Facility Identification

One last piece of CVI that must be considered for possible local release under a FOIA request is the identity of high-risk chemical facilities.DHS has consistently maintained that that information should be tightly protected. Their view point is that releasing this information would provide potential terrorists a comprehensive list of potential targets. This is certainly a strong argument.

The other side of that argument is the fact that the chemical facility that is attacked to release toxic or flammable chemicals on the surrounding community is not the real target of the attack. They are, in fact, the weapon used in the attack. The target is the surrounding community. As such the community deserves to know that they are potential targets.

A workable compromise between the two points of view should revolve around the class of COI involved with the particular facility. Where the COI are release chemicals (toxic or flammable) the target is the community, so the high-risk classification should be releasable. After all, the presence of those COI is already publicly available knowledge under EPRCA. Where the COI are theft/diversion or contamination issues the high-risk classification should not be releasable.

Modifications to HR 6193

If modifications are made to HR 6193 to take into account the special nature of CVI, I think that this legislation has the potential to make a positive contribution to the proper dissemination of anti-terror intelligence. While I was not an ‘intel weenie’ by any stretch of the imagination, my brief stint in an Infantry Battalion S-2 showed me how much intelligence information is not shared with the ultimate users. The reason then was the same as that being addressed here. The classification markings unnecessarily restricted access to valuable information.

The modifications to HR 6193 should include:

  • An acknowledgement that CVI information is fundamentally different than intelligence information.
  • DHS should be required to develop a proactive plan for sharing CVI information with local emergency planning and response personnel.
  • High-risk chemical facilities should be required to develop a proactive plan for sharing CVI information with employees and security personnel.
  • The FOAI provisions of Section 210F(d) need to be revised to explicitly limit the types of CVI that may be considered releasable under FOAI requests.

No comments:

/* Use this with templates/template-twocol.html */