Opinion: We're going soft on CFATS

Aug. 3, 2012
DHS plan to not screen security-sensitive chemical plants' employees is off the mark

My opinion for the week is this: Employees at particularly security-sensitive chemical plants should be screened like TWIC card holders. Currently CFATS has no plans to do that, and I think that's a mistake.

Suzanne Spaulding, DHS Deputy Undersecretary for the National Protection and Programs Directorate, testified this week that the plan to screen select chemical plant employees against the FBI terror database is off the table. The idea had been floated as part of the Chemical Facility Anti Terrorism Standards (CFATS) and would have mirrored the Transportation Worker Identification Credential (TWIC) program for ports that screens cardholders against the FBI terror database and which also uses the FBI Integrated Automated Fingerprint Identification System (IAFIS). The GAO spells out the TWIC process in its May 2011 document "Transportation Worker Identification Credential: Internal control weaknesses need to be corrected to help achieve security objectives."

So, why do we have definitive enrollment screening processes for TWIC workers like truck drivers that access ports or longshoremen that work the docks, when we shun the same screening process for chemical plant workers? As I see it, there are at least four reasons why the DHS might not want to do this:

Reason #1: The chemical industry has lobbied hard to keep these costs off of their employees and businesses. This, I think, is the most likely of the scenarios, as the chemical industry has a very strong lobbying effort and has fought tooth-and-nail to ensure that CFATS makes no specific mandates other than that high-tier, security-sensitive facilities should have their facilities assessed and a proper plan in place. Notably, the American Chemistry Council has fought the EPA on moves to change to inherently safer chemicals. Assessment: Very likely.

Reason #2: The FBI either doesn't have the capability to screen the employees or has elected not to do so. I doubt this is a particularly likely option, as the FBI was able to undertake the screening for select government employees and other private industries like TWIC workers. DHS has typically assessed a fee to industries that want to use the background check service. For example, the TWIC card full enrollment costs $129.75, but it's only $105.25 for workers with full, complete, current background checks already in place. From those numbers, we can determine that the background check cost is approximately $25 of the card issuance cost, so the model would simply be that the FBI would have to reinvest that $25/employee cost in the technology and people to provide CFATS background checks. Assessment: Unlikely.

Reason #3: Terrorism background checks aren't needed. This would be hard to believe. DHS already has broken the CFATS facilities into security tiers, and it would be simple enough to only apply high-security measures to the most security-sensitive tier. Clearly the facilities are at risk (if they weren't, then CFATS wouldn't have to exist at all), and background checks are one component of reducing risk. Assessment: Extremely unlikely.

Reason #4: The DHS is getting ready to change its background assessment process for screening private employees for links to terrorism. I would have to put this "revamping" option as the second mostly like option as the reason employees of security-sensitive chemical facilities don't receive FBI terror screenings. (Again, first most likely is that the DHS was out-lobbied by the ACC or some other industry organization.) If the case is that DHS is about to change out its terror screening program, then we'll be watching very closely. Assessment: Unlikely.

Still, while all of this discussion happens on Capitol Hill, let's remind ourselves of the basics: If a chemical plant goes tick-tick-boom, the gas plumes and environmental contamination and direct explosions are likely to impact many of our nation's cities, industrial corridors and valued resources. Stay vigilant.

Sponsored Recommendations

Trend Micro commits to U.S. cyber protection by joining Hacking Policy Council

Trend brings formidable experience in this space through its Zero Day Initiative (ZDI), a vendor-agnostic bug bounty program, and a leading voice in ethical disclosure practices...

Keeper Security shares most important files to preserve when disaster strikes

By protecting these documents and storing them in a safe place, such as a digital vault, you'll be much more prepared when disaster strikes.

Former National Cyber Director Chris Inglis joins Semperis’ Strategic Advisory Board

Inglis’ appointment follows announcements from Semperis of aggressive expansion into the public sector and other strategic advisory board appointments, such as the addition of...

NordVPN survey: Americans scored 64% in the National Privacy Test

Results show that the world's online privacy and cybersecurity awareness is declining every year.