House panel jousts over information-sharing bill

WASHINGTON -- Law enforcement and private-sector officials arguing for legislation protecting corporate information security data from public disclosure were accused today of backing a measure that could be used to hide dirty corporate secrets.

Instead of trying to entice corporations to share information security data by weakening federal sunshine laws, U.S. Rep. Janice Schakowski (D-Ill.) said at a congressional hearing today that there is another option, "and that is to say this information isn't voluntary, that we require it."

"This is a time of war on terrorism, and we're calling on individuals and businesses to be patriotic and to provide information," said Schakowski, the ranking Democrat on the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.

Bush administration officials have repeatedly opposed forcing companies to share data about threats, software vulnerabilities and other information related to data security. Instead, the administration has been working to convince private companies of the need for voluntary cooperation.

Indeed, Schakowski said she has no legislation planned to require companies to share data but will seek to amend legislation creating a cabinet-level homeland security department. That legislation, which is being debated in the House, would include a set of new exemptions to the federal Freedom of Information Act (FOIA) for information security.

That FOIA exemption is intended to help the private-sector Information Sharing and Analysis Centers (ISAC), which are industry-specific groups intended to assist private-sector companies with protecting themselves from cyberthreats.

Stanley Jarocki, chairman of the financial services ISAC, testified at the hearing. Jarocki said fear of disclosure "has severely hindered information sharing efforts," and he called for a "narrowly written" exemption to the FOIA statute.

How narrow an exemption is the apparent point of contention. Schakowski accused the Bush administration of backing a measure that was overly broad and could conceivably be used by a company to hide a pollution incident from public disclosure under the guise of security.

John Tritak, director of the Critical Information Assurance Office, said the Bush administration wants a narrowly crafted rule. "No one is talking about a safe haven for illegal activity," he said.

Negotiations are under way in both chambers on this issue, and the Senate is working on its own version of the rule. The proposed legislation includes provisions that would protect companies that collaborate on information security from running afoul of antitrust laws.

Speaking to reporters outside the hearing, Scott Charney, Microsoft Corp.'s chief security strategist, said the argument that the FOIA exemption will be used by companies to hide information "presumes that this information is public information today. It's not."

The ISACs are sharing information, "but we are probably not doing it as openly as we like because of concerns about unintended or broad disclosure," Charney said.

Business Software Alliance (BSA) officials also defended the FOIA exemption today at a news conference at which the BSA released a survey of 600 corporate IT professionals, 47% of whom said they believe it's likely that U.S. businesses will be hit by a major cyberattack in the next year.

In that survey, 45% also said U.S. companies aren't prepared for a major cyberattack.

At a Capitol Hill news conference, U.S. Rep. Billy Tauzin (R-La.), chairman of the House Energy and Commerce Committee, called the report a "wake-up call to businesses and consumers in our country about the risk of a cyberattack."

Robert Holleyman, the BSA's president and CEO, said the findings also underscore the need for the FOIA exemption, and he added that he believes businesses' sharing of information with the government would increase substantially if the exemption was approved.

But he questioned whether businesses should be required to supply that information if the FOIA exemption isn't a catalyst. Holleyman said that if it's determined that the FOIA isn't working, the new homeland security office will have to look for alternatives.

"But I think there is a wide sense among the business community that this limited FOIA exemption will in fact work," he said.

Copyright © 2002 IDG Communications, Inc.
