Schneier on Security
A blog covering security and security technology.
March 18, 2009
Hiding Behind Terrorism Law
The Bayer company is refusing to talk about a fatal accident at a West Virginia plant, citing a 2002 terrorism law.
CSB had intended to hear community concerns, gather more information on the accident, and inform residents of the status of its investigation. However, Bayer attorneys contacted CSB Chairman John Bresland and set up a Feb. 12 conference at the board's Washington, D.C., headquarters. There, they warned CSB not to reveal details of the accident or the facility's layout at the community meeting.
"This is where it gets a little strange," Bresland tells C&EN. To justify their request, Bayer attorneys cited the Maritime Transportation Security Act of 2002, an antiterrorism law that requires companies with plants on waterways to develop security plans to minimize the threat of a terrorist attack. Part of the plans can be designated as "sensitive security information" that can be disseminated only on a "need-to-know basis." Enforcement of the act is overseen by the Coast Guard and covers some 3,200 facilities, including 320 chemical and petrochemical facilities. Among those facilities is the Bayer plant.
Bayer argued that CSB's planned public meeting could reveal sensitive plant-specific security information, Bresland says, and therefore would be a violation of the maritime transportation law. The board got cold feet and canceled the meeting.
Bresland contends that CSB wasn't agreeing with Bayer, but says it was better to put off the meeting than to hold it and be unable to answer questions posed by the public.
The board then met with Coast Guard officials, Bresland says, and formally canceled the community meeting. The outcome of the Coast Guard meeting remains murky. It is unclear what role the Coast Guard might have in editing or restricting release of future CSB reports of accidents at covered facilities, the board says. "This could really cause difficulties for us," Bresland says. "We could find ourselves hemming and hawing about what actually happened in an accident."
This isn't the first time that the specter of terrorism has been used to keep embarrassing information secret.
EDITED TO ADD (3/20): The meeting has been rescheduled. No word on how forthcoming Bayer will be.
Posted on March 18, 2009 at 12:45 PM
• 27 Comments
Don't assume malice when idiocy or bureaucracy is an equally plausible answer.
I've seen cadres of lawyers take the most inane positions because they honestly believed (probably correctly) it was the only way to comply with the law.
Whether or not the law is actually relevant, or if it's something for the company to actually worry about being held accountable for isn't entirely the issue. Lawyers aren't risk managers, they're risk avoiders. If something could possibly be interpreted in a way that's bad for the client, they're obligated to recommend against it.
The BIG suckers always find something to hide behind, some politician to cover them, etc.
In order to stop that, we must stop power altogether.
It can be done.
I'm not convinced they're hiding behind the law, nor am I convinced they are not.
Whether or not the primary reason for citing the law was legitimate or as a cover, it probably has some legitimacy, otherwise I doubt the Coast Guard would have sided with Bayer, which apparently they did. (Of course, that is not to say that Bayer didn't have a sigh of relief when they found a legitimate out.)
The devil is in the details, which are not always as simple as those on the outside looking in may think.
I, you seem to have the cause/effect backward in this case: you are implying that the company does something bad, and then the government helps to cover it up. In fact it is far more frequent that the government passes down a rule ahead of time (2002 in this case) saying "You have to protect/classify information X." and if the company reveals that information, even after an incident, then they will be liable.
If Bayer violated the law and revealed the information, they could perhaps be violating government regulation and law and be subject to fines or prosecution.
In my industry we could get hit with fines up to $1 million dollars per day per violation for failing to follow a rule.
On the bright side, at least they didn't play the "people could use this to distribute child porn!" card.
There is the possibility that CSB is engaging less in cowardice than merely attempting to be conscientious in a legal and compliance landscape that is evolving to be positively labyrinthine. Without details, as HJohn said, it's hard to tell.
"CSB had intended to hear community concerns, gather more information on the accident, and inform residents of the status of its investigation."
Ok. Why couldn't the CSB do just that, instead of running away and hiding. It is really the CSB that is being irresponsible here.
Right now, the citizens have no information and no forum to voice their concerns.
If a citizen asked a question the CSB couldn't answer due to the Bayer gag order, then the CSB can just say, "Sorry, we can't provide any details on that matter due to Bayer's notification that it may violate the Maritime Transportation Security Act of 2002".
Pretty simple. Besides, I suspect that the citizens of that community would become aware of the Maritime Transportation Security Act of 2002, something I suspect they previously wouldn't have known much about.
For the most part, that sounds like a reasonable compromise, depending on how much of the details were protected by the Maritime Trans Security Act. If the details were a significant percentage, it would look even worse to answer 90% of the questions by saying "can't answer."
The biggest reason I'm not ready to condemn the CSB or Bayer too harshly (yet) is that the CSB went from postponing after talking to Bayer to canceling after talking to the Coast Guard. Appears it was the Coast Guard's concerns, and not Bayer's, that had the most impact. If Bayer didn't at least have a point, I doubt the Coast Guard meeting would have resulted in the cancellation.
On the other hand...
"According to Bayer plant data filed with the Environmental Protection Agency, the company stores up to 1.4 million lb of chlorine and ammonia, 19,000 lb of phosgene, and 240,000 lb of MIC [methyl isocyanate...the Bhopal killer gas cloud] on-site."
Another question is whether the penalties for violating MTSA requirements are greater than those for offending the CSB's sense of transparency.
"The devil is in the details, which are not always as simple as those on the outside looking in may think."
That is precisely the reason the information should be revealed to the limit of what the law allows. Are you buying into the "security theater" aspects of this..."they must know best so we shouldn't ask any questions"?
If you wish to give companies and their paid shills the benefit of the doubt, fine. I expect the whole matter is the all too common farrago of greed, incompetence and irresponsibility we usually see from large corporations, all gleefully hidden from view by "security concerns."
Bring back the corporate death penalty.
@Ed Bryant: "Are you buying into the "security theater" aspects of this..."they must know best so we shouldn't ask any questions"?"
No, I'm not. I think it is more likely one would think they are hiding something than think "they must know best."
I'm yet to be convinced either way. We really don't know the details, and depending on those details that may be a good thing.
I agree that disclosure to the point allowed is a good thing. But the interesting paradox of that is that when something cannot be disclosed, you don't know what it is. Because it is unknown, we too often assume the worst. It's a catch 22--it can't be disclosed, but those of us that don't have the "need to know" can never know for sure if that is valid.
In regards to the "corporate death penalty," that's a bit drastic without knowing the details. CSB may be cowards, they may not be, but they certainly have more information than us.
It seems Bayer is increasing fear in the local community. I wonder if that fear level can equate to terror itself.
Almost like how ACTA copyright/etc is being held secret for National Security reasons.
I wonder whether the state of W. Virginia shouldn't be able to apply its own sanctions against the company, while they continue to interfere with the public safety investigation.
I actually don't find it surprising that one Federal agency is derelict in its appointed duty, because of the flimsy excuse that another Federal agency has claimed its own interest trumps that of the first.
The original article Bruce linked to, in the house organ of the American Chemical Society, is worth a read.
People at the Bayer plant called 911 repeatedly and then wouldn't talk about what was going on, even when asking for an ambulance. The frustrated county authorities eventually "called for shelter-in-place for several thousand people living near the plant." In other words, thousands of people were effectively imprisoned in their houses because Bayer was stonewalling.
I was a chemist in a former life, and for a year was the process control engineer for a chemical factory in Texas, where I dealt with government regulations, so I know some of what Bayer was dealing with.
Having been there, I have no sympathy for the people who made the decisions to stonewall during an emergency. If you're moral, sometimes you just have to do what's right and to heck with regulations and laws and company policy.
In this case, we had two people killed at a plant that stores more methyl isocyanate than Bhopal did (in fact, it's Bhopal's sister plant), and which has had previous explosions. And the excuse for stonewalling is because the plant is on the Kanawha river, and - what? Al Qaeda is going to come zipping along in their Zodiacs?
I wish we lived in a world where people actually dying trumped movie-plot scenarios.
How about a world where lawmakers actually gave more than a second's thought to the side effects of the laws and regulations they create? Too often they make ridiculous and inflexible rules that actually cause more problems than they solve. Those problems need to happen to send the message "Stop making dumb rules."
By the way, I'm agreeing with you. Movie plot scenarios DO happen (I've been in a few), but they're certainly not the norm.
We are mostly in agreement. But...Quis custodiet ipsos custodes?
BTW, my corporate death penalty comment was not intended for the corporation involved in this mess, but rather generally for companies which commit felonies.
I think Bob's comment above is especially cogent: "I wish we lived in a world where people actually dying trumped movie-plot scenarios."
Thanks for your reply.
@Edward Bryant: "Quis custodiet ipsos custodes?"
A tough question is always who will guard the guards.
I agree with Bob's comment as well.
I'm still in the middle on it because I'm not convinced either way. Funny thing is, if they have legitimate reasons for not disclosing information, then I'll probably never have enough information to know I agree with them. One could go crazy thinking about it.
I deal with tons of very sensitive information, much of it carries very strict penalties for disclosure, so I may be more sensitive than most to the "when in doubt, don't" argument. I do wish people actually dying trumped movie plots, but real public humiliation and civil penalties aren't a movie plot (they are often inappropriate responses to movie plot fears).
@Killroy: "Too often they make ridiculous and inflexible rules that actually cause more problems than they solve."
I second that. Huge, expensive, cumbersome solutions to rare problems, then they wonder why we go bankrupt.
Rather than tell people how to fix things in a rapidly changing world, tell them what the consequences are if they don't. They'll likely come up with a much more effective solution for their environment than what is legislated.
It's possible (even likely) that the original report has got it somewhat wrong, but if we take what it says at face value it seems unlikely that the law forces anyone to withhold information this completely.
All the writeup says that the law says is that certain parts of plans to prevent terrorist attack can be confidential.
It seems unlikely that releasing any information at all about these fatalities would have revealed confidential parts of the plan to secure the facility against terrorists coming up the river on their jet-skis.
As a general principle, while it's quite true that lawyers are risk avoiders and not risk managers, it is therefore the job of the non-lawyers running the company to be risk managers, and override the lawyers when that is called for.
I also deal with a lot of sensitive information and subscribe to "when in doubt, don't" about discussing it.
But in the case of Bayer's CropScience plant, concealing details of the plant's construction or the accident is trying to close the barn door after the horses are already out. The escaped horses are the well-known facts that the plant stores huge quantities of highly toxic gases, and is about three miles upwind of downtown Charleston.
Anything else is small beer to an attacker who's willing and able to hijack an airliner and crash it into something.
But there's a better solution than security-through-putative-obscurity: make sure a catastrophe simply can't happen, no matter what some terrorist or nutcase does.
As the original article mentions, many chemical plants have moved to a system known as "inherently safer process design". That's where you either don't use hazardous chemicals in the first place, or make them in small quantities as needed from non-hazardous reagents, and use them immediately instead of storing them. As the article remarks about methyl isocyanate, a company like Bayer "can literally produce MIC and use it up on the spot... [the] technology has been around since the 1960s."
Like the CropScience plant, a DuPont plant cited in the article also uses methyl isocyanate to make pesticides. But unlike CropScience, DuPont makes it from a non-hazardous chemical and "the only MIC on-site is in a short transfer line." So terrorists could blow that plant up, but instead of causing thousands of casualties and chaos and riots, they'd just generate a big insurance claim.
Perhaps a tax break is in order for companies that refit old, dangerous facilities using "inherently safer process design".
Hey, y'all don't be jokin' about this-here stuff. Here in West Virginia, we cain't even catfish on the lakes at night anymore, what with the Coast Guard chasin' off all them Al Kider terrorist fellers in them Zodiac boats 'fore they can blow up the aspirin plant.
I think you've hit the nail on the head. I found this part the most interesting:
"The accident took place at about 10:30 PM, and a tape of the 911 calls between plant officials and emergency responders shows that a plant guard would not identify where in the facility the accident had occurred or which chemicals or processes were involved.
Even when calling for an ambulance, the guard refused to reveal the extent of the accident despite repeated questions from an exasperated county emergency services official. Eventually county officials called for shelter-in-place for several thousand people living near the plant.
As a result of Bayer's unwillingness to aid emergency responders, the West Virginia Legislature is considering a new law that would require companies to immediately report accident details to emergency responders."
Bayer's risk management calculation is likely to backfire if they draw too much attention and ire from authorities that are sworn to protect much broader concepts of safety and security.
Good "backfire" point, however it could be possible that a guard may not know all of the details, and the problem stems from failing to adequately prepare for an emergency, rather than intentionally withholding information.
I know many guards who don't necessarily know the names of every place in a facility, and certainly wouldn't know the name of chemicals or processes. All they may know is that something bad happened, and people are hurt, and they're trying to get help as soon as possible.
This information is dated. As of Friday, March 13th CSB announced (http://www.csb.gov/index.cfm?folder=news_releases&page=news&NEWS_ID=461) that they would hold the public meeting.
It appears that the CSB wanted to ensure they knew the 'security' ground rules before they went to the public meeting; a wise move.
There has been no word yet on what, if any, restrictions will be placed on the CSB presentation.
Thank you. This is exactly why I said there wasn't enough information to convince me their motives were nefarious. Appears they were just looking before they leap.