Congress hashes out details of cyber-security law amid concerns about liability and data privacy.
As Congress continued last week to hash out the details of legislation creating a Department of Homeland Security, securing cyberspace took on an increasingly high profile in the debate.
While the original proposal contained few provisions related to data networks, the bill now appears unlikely to come to a vote in either chamber without key cyber-security items in place.
For operators of large, private networks, the government's heightened demands for information sharing raise concerns about liability and the safeguarding of sensitive data, according to industry sources.
The IT and telecommunications industries have stepped up pressure on lawmakers to include in the Homeland Security legislation an exemption from the Freedom of Information Act, or FOIA, for data voluntarily turned over by the private sector. However, some in industry question whether such an exemption will effectively spur more companies to disclose more information about network vulnerabilities.
"A lot of places are not going to share information even with those [proposed FOIA exemption] assurances," said Scott Blake, vice president of information security at BindView Corp. Speaking on a panel of cyber-security specialists on Capitol Hill Tuesday, Blake said that many companies perceive few benefits from turning information over to the government and that more important than a new FOIA carve-out is an increased sense of trust between the public and private sectors.
There is a general perception in the industry that increased information-sharing demands are a one-way street and that government agencies will be unwilling to share any timely or specific data. "If I voluntarily give information to the government and I don't get anything in return, I'm only going to go to that well so often," said Joe DiPietro, director of enterprise integration at Check Point Software Technologies Ltd.
Included in the House of Representatives' version of the Homeland Security legislation last week was a provision that would exempt information turned over to the proposed department from FOIA, but the large IT players want it to extend to other agencies as well, according to Shannon Kellogg, vice president of information security programs at the Information Technology Association of America.
Although there have been increased data-sharing efforts in the IT industry since the formation of the IT Information Sharing and Analysis Center a year ago, some worry that the ISAC could effectively create information haves and have-nots. "They are essentially private warning systems," BindView's Blake said about the ISACs established for various industries. "Smaller companies that don't have the resources to be participants are going to suffer."
The Senate last week was considering incorporating into its version of the Homeland Security legislation a cyber-crime bill passed earlier this month by the House of Representatives, Rep. Lamar Smith, R-Texas, said at the cyber-security forum Tuesday. The bill exempts ISPs from liability for disclosing data to the government if they believe there's danger of death or serious physical injury. It also increases the maximum penalty for knowingly attempting to cause serious injury through a cyber-attack to 20 years.
According to Smith, there have been more congressional hearings on cyber-crime and cyber-security than on any other subject this year.
Privacy advocates have long voiced concern that increased information sharing, particularly with additional FOIA exemptions, could have an adverse effect on fundamental rights. Now, however, some in the IT industry are raising similar concerns about the federal government retaining massive volumes of data from myriad sources.
"When you start to put inaccurate information into large databases ... decisions will be made based on inaccurate information," said Becky Richards, director of compliance and policy at San Francisco-based Truste Inc., at the hearings. "We need to not give up our privacy for these security systems."