Reposting Security Information

There is an interesting article over on ComputerWorld.com discussing some of the continuing fall out over the inappropriately disclosed TSA operations manual. I have not discussed the issue here since it does not directly impact the chemical security community. The recent congressional complaints about the continued reposting of the manual on other web sites changes that because of some last minute changes made to the Chemical and Water Security Act of 2009. Reposting of CVI ComputerWorld.com is reporting today that three Republican members of the Homeland Security Committee have “expressed concerns over the ‘repeated reposting’ of the security manual on multiple Web sites and asked her [Secretary Napolitano] to clarify if the sites could be compelled to take it down”. Now this manual was a TSA manual and was reportedly marked SSI, not CVI, but the re-posting of CVI material has already been identified as a potential problem caused by the provisions of HR 2868 introduced in a House floor amendment. Rep. Barton (R, TX) noted in the floor debate that:

“But then they are creating this new loophole, that if a group that is not controlled by Homeland Security somehow gets information, they can publish it. They can put it on their Web site, and they’re not liable.” (Congressional Record, pg H12517)

Congressman Dent was referring to wording in Chairman Thompson’s amendment (Congressional Record, pg H12515) that made significant changes to the wording of the information protection provisions of the legislation. That language amended §2110(g)(2) (for instance). The specific language that Dent was referring to was the new wording of §2110(g)(2)(B) describing information excluded from §2110 protections “that is obtained from another source with respect to which the Secretary has not made a determination under either such subparagraph”. He interprets this to mean anyone not specifically regulated under the new legislation. Unfortunately, it is unclear as to what the specific congressional intent on this wording was since the amendment was made after the committee reports from the Homeland Security and the Energy and Commerce committees were filed. Additionally, according to Mr. Thompson’s comments on the floor (H12517) during the debate that this wording for §2210 was provided by the Judiciary Committee which held no hearings or debates on HR 2868 and provided no committee report. With advent of this issue with the TSA it will be interesting to see how the Senate deals with the issue of protecting CVI when they deal with HR 2868. I suspect that there will be several amendments offered, either in committee or on the floor, attempting to make it a specific violation to post CVI information on the Internet. Current CVI and Subsequent Posting Of course, the current CVI rules under 6 CFR 27.400 are less than totally clear on the subject of subsequent public postings of CVI. Section 27.400(c) does define a ‘covered person’ under the CVI rules as each “Each person who otherwise receives or gains access to what they know or should reasonably know constitutes CVI”. Proving that someone ‘should reasonably know’ can be a challenge at times, particularly if the CVI markings were removed from a document before it was posted the first time on an unauthorized site. The CFATS regulations do provide for the imposition of a ‘civil penalty’ and the “issuance of an order requiring retrieval of CVI to remedy unauthorized disclosure or an order to cease future unauthorized disclosure” {§27.400(j)}. The lack of criminal sanctions makes the enforcement of the CVI rules problematic beyond their effect on covered facilities and government employees who may be terminated. Pragmatic Effects Unfortunately, from a security perspective, once the initial leak or inappropriate posting is done there is little that can be done to stop the spread of this information on the Internet. As the ComputerWorld.com article points out: “Even if such sites could somehow be compelled to take the documents down it is unlikely to make any difference or stop the document from being disseminated anyway.” In this case copies of the document have already been posted on overseas servers, beyond the effective reach of DHS. I have not read (nor do I currently intend to read) the TSA document in question, so I can not really comment on the security implications of the release of this particular document. I will opine that, if this was a deliberate act to subvert the appropriately classified (not ‘Classified’ as this document has not been alleged to fall into that sphere of security) distribution restrictions, then this is an illegal act for which appropriate legal sanctions should be sought. If, on the other hand, this is simply an instance of bureaucratic ineptitude, a mistake of public proportions, then the focus should be on correcting the oversights in execution that lead to the disclosure to prevent future repetitions on more critical documents.