A power utility will, as a matter of normal commercial prudence, know what it's five biggest vulnerabilities are. And it will, within the cost constraints of making a profit, allocate mitigation for those vulnerabilities. They may still be the biggest 5 vulnerabilities, or some of the previous vulnerabilities in the 6-10 slots may move up. But there will always be some top 5 vulnerabilities.

The government wants to know what those vulnerabilities are, and what the mitigation of those vulnerabilities is. But the government doesn't know what it will do with that information. So it is unable to get regulatory authority for that information, on the very good public policy basis that the government can't demand information when it cannot show public good.

So they ask for that information. The utility may get optimistic, and hope the government will do something useful with it. So they may be willing to share. But they don't want their top 5 vulnerabilities (and, to repeat, there are always a top 5) touted in the press as some big scandal. Nor do they want to provide that list to the morons at Earth First! Or even to activists like Banisar. So they want some expectation that this won't happen.

But these top 5 vulnerabilities are not a trade secret, or a paten table technology, or any current category of protected information. And without an exemption from FOIA, providing this information to the government is like enacting the Banisar Activist Saboteur and Terrorist Assistance Act of 2002.



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/56/10234#10234