Critics balk at bill to hide companies' security data
- By William Jackson
- May 16, 2002
Sen. Robert Bennett says his bill is not intended to provide cover against civil or criminal proceedings.
The Justice Department and public advocacy groups last week raised objections to a bill designed to encourage companies to share vulnerability data, saying it would shield disclosures from the Freedom of Information Act.
The Critical Infrastructure Information Security Act of 2001, now before the Senate Governmental Affairs Committee, would encourage companies'which generally have been less than forthcoming'to share vulnerability information with each other and with the government.
Industry officials worry that confidential data, once in the government's hands, could come out under FOIA. That could create civil and criminal liabilities, they said.
If such information is not exempted from FOIA, 'we won't get it,' said the bill's sponsor, Sen. Robert Bennett (R-Utah).
But the committee's chairman, Sen. Joseph I. Lieberman (D-Conn.), warned of unintended consequences that could 'undermine the bedrock American principle of the public's right to know.'
John G. Malcolm, deputy assistant attorney general in Justice's Criminal Division, told the committee that overly broad definitions could hamper investigations.
Bennett welcomed Malcolm's statement. 'We have come a long way' in bringing Justice on board, he said. 'The original response was not only 'No,' but 'Hell, no.' '
Other groups, however, are still responding with a resounding 'no.'
The Natural Resources Defense Council warned that the bill's broad scope would lead to disastrous unintended consequences.Hidden messages
Council fellow Rena Steinzor, a law professor at the University of Maryland, said companies could bury incriminating information in their disclosures, forestalling its use against them.
'Secrecy is not the best way to protect critical infrastructure, and this committee should abandon the approach' in favor of requiring companies to assess and correct their own weaknesses, she said.
The bill's supporters said the private sector, which controls up to 90 percent of the nation's critical infrastructure, is refusing to share much information about what is needed to secure their systems.
The bill, S 1456, provides that federal, state or local authorities or third parties in any civil action could not use the information 'unless such information is submitted in bad faith.'
Some objectors said such sweeping protection would encourage companies to make so-called data dumps in their disclosures to forestall future investigations.Ports in a storm?
'We do not want to provide inadvertent safe harbors' for violators of clean air and water laws and other health and safety regulations, Sen. Daniel K. Akaka (D-Hawaii) said.
FOIA already provides adequate protection against disclosure of confidential information, Malcolm said, but he acknowledged that companies have reasonable concerns about sharing.
'We don't know what we don't know, and we need to know it now,' he said.
Malcolm said the administration supports a narrowly drafted exception to FOIA but has not provided specific guidance. He offered two suggestions for fine-tuning the bill:
- Make it clear that restrictions do not cover independently obtained information. 'It is important to protect the copy of the information submitted to the government but not the information itself,' he said.
- Clarify who can receive privileged information and how those people must handle it.
David L. Sobel, general counsel for the Electronic Privacy Information Center of Washington, agreed with Malcolm that existing FOIA protections are adequate.
'Rather than seek ways to hide information, Congress should consider approaches that would make as much as possible available to the public,' he said.
Bennett said the bill's intent is not to provide cover against civil or criminal proceedings. But Steinzor argued it is so broadly written and fundamentally flawed that it would likely result in decades of litigation over scope.
If the natural resources council 'had its druthers, this approach would be dropped in favor of more direct action,' she said.
William Jackson is freelance writer and the author of the CyberEye blog.