Rule changes may further protect company security data

Industry squares off with critics, who say a push to add protection to sunshine law is unnecessary.

A heated debate is brewing on Capitol Hill over just how well to keep the security secrets of companies that work with federal agencies to investigate online crimes.

Members of the House and Senate plan in the coming months to introduce cybersecurity bills that differ in how to further protect companies from public disclosure under the Freedom of Information Act (FOIA), which has the potential to make public the proprietary data companies share with government.

Two bills being drafted by both Republicans and Democrats would amend the current FOIA legislation to provide more specific protections for companies that share data with the government on security vulnerabilities. To date, companies have been reluctant to share such information out of fear that competitors could gain access to it. Without changes to the existing law, companies say, the future of the public-private partnership in critical infrastructure protection hangs in the balance.

Reps. Tom Davis (R-Va.) and Jim Moran (D-Va.) plan in the next several weeks to reintroduce the Cyber Security Information Act, which would give companies a blanket FOIA exemption for security information they share with federal agencies. An earlier version of the bill failed to make it through the last session of Congress.

The new version, however, will include an antitrust exemption for information shared within one of the private sector Information Sharing and Analysis Centers (ISAC). Four ISACs have been set up by companies in different sectors of the economy to collect and share information on cyberthreats and pass that information on to the government.

Sen. Robert Bennett (R-Utah) says he plans to introduce a similar bill this month. Sources on Capitol Hill, however, say Bennett's bill won't offer the same level of exemption and liability coverage included in the Davis-Moran bill.

However, many privacy and security experts have spoken out against both bills, arguing that new regulations are not needed at all because the current FOIA laws provide more than adequate protections for company data. Further amendments to the FOIA would simply be duplicative, they say.

Enacted in 1966, the Freedom of Information Act requires government agencies to disclose records for which members submit written requests. Agencies can refuse to divulge information if they determine it would compromise national security or confidential trade secrets.

However, since the signing of a 1998 presidential directive that calls on the federal government to form a security alliance with the private sector to defend the nation's critical network infrastructure from attack, private companies have argued that the original FOIA language doesn't offer enough assurances that their proprietary data will remain secret.

"What we want is clearer language that says if this information is shared with the government, it's protected from FOIA requests," says Rick Lane, director of e-commerce at the U.S. Chamber of Commerce. "The general counsels at companies are reading the current FOIA laws and telling companies that according to the language they may be covered and they may not. The fact of the matter is you don't know."

Critics of the push to amend the FOIA legislation, however, don't agree and point to the current law's long track record of successfully protecting sensitive corporate data.

"I consider it a phony issue, though a persistent one," says Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists in Washington. "The fact of the matter is that FOIA exemptions for proprietary information and other confidential business information are already in effect. No new exemption is necessary or desirable."

"If anyone looks at the case law that has developed over the last 25 years, they would be hard-pressed to make the case for inadequate protection of so-called cybersecurity information," says David Sobel, general counsel at the Electronic Privacy Information Center, a privacy watchdog group in Washington. "The courts have been extremely deferential to any private sector submitters of information, giving the submitters veto power over the release of the information."

Perceptions Matter

The debate about whether or not new FOIA legislation would be duplicative is irrelevant, says Frank Cilluffo, a security analyst at the Center for Strategic and International Studies in Washington. "The perception is that it matters and has continued to be an obstacle [for companies] to not share information," says Cilluffo. "Liability exposure in its various forms is the primary concern."

And eliminating the perception problem may lead to both more information sharing and more accurate reporting of incidents, says Vint Cerf, senior vice president for Internet architecture and technology at WorldCom Inc. "Some companies are reluctant to report security incidents out of concern for the impact disclosure might have on their businesses. Such an exemption might lead both to more reporting and more information sharing."

George Samenuk, president and CEO of Network Associates Inc. in Santa Clara, Calif., says that because "public policy will never catch up to technology development," it is imperative that policymakers use their bully pulpit to affect change in information sharing. "Policymakers should eliminate barriers to sharing information," he said at a recent conference on Internet security.

Still, nobody can point to a single case where industry has been damaged as the result of the disclosure of confidential security information through the FOIA, according to Aftergood. Why? Because "it never happened," he says.

"All of the talk about the need for a FOIA exemption is a distraction from real policy issues, and a waste of time," says Aftergood. "It also tends to weaken the FOIA as an instrument of government accountability, which is why we think it should be opposed."

According to the most recent survey by the San Francisco-based Computer Security Institute and the FBI, last year only 25% of companies reported hacks and intrusions to law enforcement. Of those that didn't report the incidents, 52% said they feared negative publicity and 39% cited concerns about competitors using the information to their advantage.

However, the energy industry is one example where the private sector has already field-tested an effective information sharing architecture under the current FOIA law.

The North American Electric Reliability Council (NERC) in Princeton, N.J., and the FBI's National Infrastructure Protection Center (NIPC) have developed an information sharing program in which independent electric utility companies provide the NIPC with information on cyberthreats, says NERC spokesman Gene Gorzelnik. "We will continue working with utilities, transmission providers, independent power producers and others to make sure all are aware of this program and participate," he said.

Cyberpolitics

The Davis-Moran and Bennett bills are on a collision course, fueled by what most experts say is little more than a desire by Democrats and Republicans alike to coddle big business.

On one side, the New Democrat coalition's "E-Genda" suffers from a lack of consensus across the board on privacy issues but is likely to support whichever bill is endorsed by industry.

On the other side, a struggle for influence in the Senate is under way, with committee leaders vying for position in the aftermath of Vermont Sen. James Jeffords' defection from the Republican Party. It is unclear what effect the turmoil will have on the acceptance of Bennett's bill, say Senate staffers.

Davis, an outspoken proponent of enhancing critical infrastructure protection efforts between the government and private sector, and industry representatives have argued that current FOIA protections are insufficient because of the private sector's perception that there are loopholes that could allow their sensitive information to leak out. Critics say that's a political argument based on industry's faulty perception of the law.

"[Davis and Moran's] position when I testified on this last year was basically 'so what if this is redundant,' " says Sobel. Although he believes passing any new laws would be tantamount to legislating based on "a misperception," Sobel says Davis and Moran "would just like to say that they've passed cybersecurity legislation that industry supports."

Not so, says Harris Miller, president of the Information Technology Association of America (ITAA) in Arlington, Va. Companies do, in fact, have to deal with potential exposure, and they are uncomfortable with the current FOIA language, says Miller.

"With all due respect to the legal experts, I believe companies know their best interests and will act accordingly," says Miller. "And if the legal experts believe there is no problem with the current law, then why should they care if it is changed to satisfy the concerns of the companies?"

Although both bills offer additional protections for companies' private data, sources on Capitol Hill say early drafts show that they don't both offer the same level of protection.

The Bennett version, for example, "is much less a blanket exemption and less inclined to give a total liability exclusion to industry than the Davis and Moran bill would," says Patrice McDermott, an information policy analyst at OMB Watch, a Washington-based public policy advocacy group.

Betsy Holahan, a spokesperson for Sen. Bennett on the Joint Economic Committee, however, says the bill is still very much "a work in progress." Once the committee reorganization has been finalized, the bill should move forward, she says.

Sources say Sen. Patrick Leahy (D-Vt.), who chairs the Judiciary Committee, is likely to oppose the Bennett bill, as is Sen. Joseph Lieberman (D-Conn.), the influential chairman of the Senate Governmental Affairs Committee.

The private sector is likely to back the bill that offers the most in the way of liability and antitrust protections, say experts. Therefore, sources say, the Davis-Moran bill is the front-runner for industry support at the moment.

Special Report

Security Risk and Reward

Stories in this report:

Related:

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon