The White House proposal to create a Homeland Security department could allow corporate scofflaws to hide nefarious business activities from the public in the name of national security, critics warned today.
The proposal would permit companies that own and operate critical computer systems to share information on network vulnerabilities and hacker attacks with federal investigators without fear that the data could be made public through Freedom of Information Act (FOIA) requests.
The White House says it needs more cooperation from the private sector to identify and combat a flood of network attacks on government agencies, the military and the private sector. The administration believes that changing FOIA will encourage businesses to share that information.
Opponents claim that such a change would allow companies to justify shielding nearly anything from public view, including the kinds of accounting and business practices that brought down Enron and WorldCom.
They also say FOIA already bars the disclosure of information that reveals trade secrets, and that the new exemption amounts to an industry ploy to avoid liability for a range of corporate malfeasance.
"The damage this exclusion could do is legion," said Rep. Janice Schakowsky (D-Ill.), ranking member of the House Government Reform subcommittee, which hosted a panel of administration officials today.
"It astounds me that in a moment in history when transparency in business is in the headlines every day ... that we now want to offer a loophole big enough to drive any corporation and its secrets through," Schakowsky said.
Schakowsky's sentiments have been echoed in recent weeks by consumer groups and scores of lawmakers on both sides of the aisle, including House Majority Leader Dick Armey (R-Texas).
James X. Dempsey, deputy director for the Center for Democracy and Technology, charged that by dumping information with the Department of Homeland Security, companies could "shield vital health and safety information from the public, even if disclosure of the information would pose no threat whatsoever."
The bill also would allow the administration to grant antitrust immunity to selected industries that voluntarily share vulnerability and attack information, Dempsey said.
Administration officials defended the White House plan, saying the measures are needed to allow the government to respond quickly in the event of a concerted cyberterrorist attack on the nation's infrastructure.
Ronald Dick, director of the FBI's National Infrastructure Protection Center, said that if private sector companies don't think the law is clear, then for all intents and purposes it is not.
"We spend a good deal of time with the private sector trying to explain how current exemptions will protect the information they provide to us, but the problem is that if we're not able to convince them that (current FOIA) exemptions are adequate, that's still of concern to them."
"Nobody intends this to become a mechanism by which people can foist their responsibilities off, or so that gross negligence can be buried in government," Tritak said. "The real goal is to create an environment where dynamic information sharing is taking place and problems can be dealt with in real time."
Scott Charney, chief security strategist for Microsoft Corp, said his company and many others fear that under current FOIA law, the hazy definition of what constitutes a "trade secret" would lead to endless litigation from FOIA seekers.
Charney said Microsoft would almost certainly share more information with the federal government if the new exemptions were passed.
"Does that mean if they pass a new FOIA exemption everyone shares every deepest and darkest secret? Probably not," he said. "Will it increase the flow of information?"
But Alan Paller, director of research for the SANS Institute, said most companies still won't share vulnerability and hacker data with the government, even if the new FOIA exemptions are enacted.
"There's significant evidence that they won't share it unless they think you're part of the 'fix it immediately' camp, and the federal government is not usually considered part of that group," Paller said.
Earlier today, the Senate Governmental Affairs Committee added the new exemptions to its legislation. The House of Representatives is expected to vote by the end of this week on its version of the bill, which also includes the changes.
A spokesperson for Schakowsky said she plans to offer an amendment when the bill hits the floor that would remove the FOIA exceptions altogether.
Schakowsky warned that if pushed into a corner, Congress could make such information disclosures mandatory.
"I just want to suggest there is another option: that is to say that this information isn't voluntary -- that we require it," she said. "We could in fact just say that because this is so critical to national security, (we will) simply require this, rather than pander to the desires of businesses to keep information secret."