Cybersecurity vs. FOIA: Can Congress find a balance?
Cybersecurity legislation pending in Congress exempts business information from disclosure under the Freedom of Information Act, but balancing the public’s right to know with needs of cybersecurity could be a difficult job for lawmakers.
Witnesses on both sides of the issue warned the Senate Judiciary Committee on March 13 that overly broad exemptions could threaten public safety, and that the threat of public disclosure could hamstring the sharing of information about threats and vulnerabilities.
“The last thing we need is more secrecy disguised as concern for the security of critical infrastructure,” said retired Marine Master Sgt. Jerry Ensminger, whose 9-year-old daughter died of leukemia at Camp Lejeune, N.C.
In sometimes angry testimony, Ensminger described the difficulties he has faced from what he called the Navy Department’s “extreme secrecy” about studies of ground water contamination at the Marine base believed to have caused the death. He said the Navy has hidden much of the information behind FOIA exemptions intended to protect information about critical infrastructure.
Paul Rosenzweig, a visiting fellow of the Heritage Foundation who teaches law at George Washington University, said a broad FOIA exemption is the most cost-effective way to encourage the private sector to share information with government.
“In the absence of a FOIA exemption, you will not get the critical infrastructure information that is deemed essential,” Rosenzweig said.
More effective sharing of information about cyber threats and vulnerabilities has long been recognized as essential to improving the protection of the nation’s critical infrastructure, most of which is owned and operated by the private sector. But businesses have been reluctant to share information with each other because of concerns about competition and antitrust laws. They have also been hesitant to share with the government because of fears that proprietary or damaging information could be exposed through FOIA requests.
“As Congress considers new exemptions to FOIA in connection with comprehensive cybersecurity legislation, we must remain vigilant and ensure that the public’s access to essential health and safety information is protected,” Judiciary Committee Chairman Patrick Leahy (D-Vt.) said in introducing the committee’s hearing.
The Freedom of Information Act, signed into law 45 years ago by President Lyndon Johnson, contains nine exemptions for information that is shielded from release. Exemption 3 applies to records shielded from disclosure by any other statute. That exemption is cited in the cybersecurity legislation introduced earlier this year by Sen. Joseph Lieberman (I-Conn.).
The Cybersecurity Act of 2012 (S. 2195) says that information submitted to the Homeland Security Department “shall be treated as voluntarily shared critical infrastructure information under Section 214 of the Homeland Security Act.”
Section 214 of the law, enacted in November 2002, establishes Critical Infrastructure Information as a category protected under Exemption 3 of FOIA.
The Cybersecurity Act states that it would not shield “information submitted to conceal violations of law, inefficiency, or administrative error; prevent embarrassment to a person, organization, or agency; or interfere with competition in the private sector.” It also would not shield information that is provided to federal regulators in other departments under other laws.
Rosenzweig said he was in favor of a broad exemption for any information provided by companies, adding that FOIA is intended to apply only to information from and about government and that there is no public need to access private-sector information. Important information about critical infrastructure would not come into the government’s possession without such an exemption, he said. Releasing such information could provide useful information to adversaries and “would have the effect of drawing a target around the high vulnerabilities” disclosed.
Kenneth Bunting, executive director of the National Freedom of Information Coalition at the Missouri School of Journalism, said that although some protection for sensitive information is proper, any exemption should be narrowly defined, with a clear test for balancing the value of disclosure against the risks and an effective oversight process.
Bunting said history has shown that “given any leeway,” agencies will find ways to shield information they do not want made public.