Another View: FOIA and data sharing don't mix'an industry view
- By Benjamin Wright, Steve Roberts
- Aug 21, 2002
The Bush administration rightly believes that sharing cybersecurity data can help industry keep its security house in order and prevent hackers and disgruntled insiders from savaging private-sector information systems.
The logic behind information sharing is simple: Because industry is often the first victim of new hoaxes, virus outbreaks or denial-of-service attacks, national prevention, enforcement and remediation are enhanced if the private sector shares its knowledge and experience.
That's why agencies such as the National Infrastructure Protection Center and the Computer Crime and Intellectual Property Section gather intelligence from industry to solve computer crime cases and prevent future ones. The administration's homeland security budget for fiscal 2003 even requests funding for a new Cyber Warning Intelligence Network to coordinate public and private resources for responding to cyberspace crises and a National Infrastructure Simulation and Analysis Center to model and analyze the nation's infrastructures and their electronic interdependencies.
Until information from multiple sources is consolidated, the big picture'critical for recognizing a pattern of attack and for implementing a response'is often buried in the sheer size and scope of cyberspace.
In fact, the sharing of information makes so much sense that corporations could well find themselves compelled to participate, even if no particular government regulation or organization requires them to do so.
Several perceived risks make companies reluctant to share data with either government or trade groups. Private-sector information sharing and analysis centers, such as those in the technology and financial services industries, have not been particularly effective at fostering a dialogue within industry itself, much less with government.
Industry officials worry that information shared with government could be subject to release under the Freedom of Information Act. Sensitive correspondence, such as the extent of a virus outbreak or a damaging hacker incident, might become public, they fear. Public revelation could spook customers or aid competitors. Or it might make companies more conspicuous and inviting targets for cybercriminals.
Companies also want assurance that information they share won't be leaked to the press or turned over to plaintiffs in lawsuits.
Sens. Robert Bennett (R-Utah) and Jon Kyl (R-Ariz.) have introduced a bill that at least in part responds to these concerns: the Critical Infrastructure Information Security Act. S 1456 would neutralize FOIA as an instrument for publicizing infrastructure information disclosed to government.
The bill would not by itself resolve all legal issues. But in an era when confidence in homeland security measures is almost as important as the measures themselves, industry thinks this bill is a step in the right direction.
Ultimately, government agencies may need to treat data given to homeland security organizations as the legal profession protects attorney-client communications. Only then will companies be as frank and open with feds as they are with their own closest advisers.Benjamin Wright is a Dallas attorney and co-author of The Law of Electronic Commerce. E-mail him at [email protected]. Steve Roberts is a critical infrastructure consultant to SRA International Inc. of Fairfax, Va.