Apart from a hefty increase in federal IT security spending in the coming year, the single most important tool the Bush administration wants to create to promote a safer Internet is a Freedom of Information Act exemption for enterprises willing to share cyber-security data with the government.
However, if such a carve-out to the safeguard against undue government secrecy is to pass Congress this session, it will likely have to be defined much more narrowly than the versions of the legislation currently circulating.
At a technology forum on Capitol Hill this month, Richard Clarke, the president's special adviser on cyberspace security, told congressional staffers that current FOIA rules constitute a major barrier to cooperation between the private sector and government.
Fearful that sensitive network information could be made public, companies are reluctant to share information about Internet attacks and other security issues, Clarke said.
“The biggest thing Congress could do this session in terms of cyber-security is to pass a very, very narrowly crafted amendment to the Freedom of Information Act,” Clarke said Feb. 14 at The Forum on Technology and Innovation, chaired by Sens. Jay Rockefeller, D-W.Va., and Bill Frist, R-Tenn.
The measure does not stem from the Sept. 11 terrorist attacks, although policy-makers have brought it under the large umbrella of responses to terrorism. Several versions of the proposed legislation have circulated in the Senate and the House over the past two years, but opposition to restricting the flow of government-held information prevented it from progressing to a vote late last year, despite heightened security concerns.
The initiative constitutes a major lobbying effort by several of the country's largest industries, including IT, energy, manufacturing and pharmaceuticals.
“The opponents are making nonsensical arguments,” said Harris Miller, president of the Information Technology Association of America, in Washington. “Any time you touch FOIA, people go ballistic. But this information would not be available to the government [without this legislation].”
Privacy advocates and government watchdogs are leery of the legislation becoming a conduit for the government to exempt a much wider range of data than is relevant to Internet security. The current Senate version of the measure, sponsored by Sens. Robert Bennett, R-Utah, and Jon Kyl, R-Ariz., appears to widen the scope of exempted information.
The Bennett bill, which covers more than a dozen federal bodies, states that information collected under the proposed FOIA exemption can be used for “analysis, warning, interdependency study, recovery, reconstitution, or other informational purposes.”
“The Bennett bill has now expanded to the point where it is not limited to cyber-security,” said David Sobel, general counsel at the Electronic Privacy Information Center, in Washington. “It really extends to physical security as well.”
A more narrowly defined exemption, one that applies only to actual network intrusions, for example, might be acceptable, although it is not clear that such information wouldn't already be exempted from FOIA, Sobel said.
“I still need to be convinced that there's something so special and unique about cyber-security that it doesn't fall under the normal FOIA exemptions,” Sobel said.
ITAA's Miller said existing FOIA exemptions do not provide the industry with sufficient assurance that its private data will not be made public if it hands the data over to government agencies. “FOIA has been interpreted very liberally by the courts,” he said.
However, Miller said that the industry is not committed to the precise language in the Bennett bill. “We're willing to work with people who've said this is too broad,” he said. “We have not said these words are carved in stone.”
Another facet of the initiative that troubles civil liberties groups is that it remains unclear which government agencies would receive exempted information and what they would do with it. “The government does not have a very good track record in terms of securing its own systems,” EPIC's Sobel said. “It just seems like an unworkable system when there's no obligation on the part of the government to do anything.”
Clarke heads the White House Critical Infrastructure Protection Board, which is one of several government/industry bodies established to promote cyber-security. The Department of Commerce has its Critical Infrastructure Assurance Office and the FBI its National Infrastructure Protection Center.
In addition, there is the CERT Coordination Center and several information sharing and analysis centers for specific industries, including financial services, IT, telecommunications, transportation and electricity.