July 24th, 2002
By Brian Krebs
Washington Post
The White House proposal to create a Homeland Security department could
allow corporate scofflaws to hide nefarious business activities from the
public in the name of national security, critics warned today.
The proposal would permit companies that own and operate critical computer
systems to share information on network vulnerabilities and hacker attacks
with federal investigators without fear that the data could be made public
through Freedom of Information Act (FOIA) requests.
The White House says it needs more cooperation from the private sector
to identify and combat a flood of network attacks on government agencies,
the military and the private sector. The administration believes that changing
FOIA will encourage businesses to share that information.
Opponents claim that such a change would allow companies to justify
shielding nearly anything from public view, including the kinds of accounting
and business practices that brought down Enron and WorldCom.
They also say FOIA already bars the disclosure of information that
reveals trade secrets, and that the new exemption amounts to an industry
ploy to avoid liability for a range of corporate malfeasance.
"The damage this exclusion could do is legion," said Rep. Janice Schakowsky
(D-Ill.), ranking member of the House Government Reform subcommittee, which
hosted a panel of administration officials today.
"It astounds me that in a moment in history when transparency in business
is in the headlines every day ... that we now want to offer a loophole
big enough to drive any corporation and its secrets through," Schakowsky
said.
Schakowsky's sentiments have been echoed in recent weeks by consumer
groups and scores of lawmakers on both sides of the aisle, including House
Majority Leader Dick Armey (R-Texas).
James X. Dempsey, deputy director for the Center for Democracy and
Technology, charged that by dumping information with the Department of
Homeland Security, companies could "shield vital health and safety information
from the public, even if disclosure of the information would pose no threat
whatsoever."
The bill also would allow the administration to grant antitrust immunity
to selected industries that voluntarily share vulnerability and attack
information, Dempsey said.
Administration officials defended the White House plan, saying the
measures are needed to allow the government to respond quickly in the event
of a concerted cyberterrorist attack on the nation's infrastructure.
Ronald Dick, director of the FBI's National Infrastructure Protection
Center, said that if private sector companies don't think the law is clear,
then for all intents and purposes it is not.
"We spend a good deal of time with the private sector trying to explain
how current exemptions will protect the information they provide to us,
but the problem is that if we're not able to convince them that (current
FOIA) exemptions are adequate, that's still of concern to them."
"Nobody intends this to become a mechanism by which people can foist
their responsibilities off, or so that gross negligence can be buried in
government," Tritak said. "The real goal is to create an environment where
dynamic information sharing is taking place and problems can be dealt with
in real time."
Scott Charney, chief security strategist for Microsoft Corp, said his
company and many others fear that under current FOIA law, the hazy definition
of what constitutes a "trade secret" would lead to endless litigation from
FOIA seekers.
Charney said Microsoft would almost certainly share more information
with the federal government if the new exemptions were passed.
"Does that mean if they pass a new FOIA exemption everyone shares every
deepest and darkest secret? Probably not," he said. "Will it increase the
flow of information?"
But Alan Paller, director of research for the SANS Institute, said
most companies still won't share vulnerability and hacker data with the
government, even if the new FOIA exemptions are enacted.
"There's significant evidence that they won't share it unless they
think you're part of the 'fix it immediately' camp, and the federal government
is not usually considered part of that group," Paller said.
Earlier today, the Senate Governmental Affairs Committee added the
new exemptions to its legislation. The House of Representatives is expected
to vote by the end of this week on its version of the bill, which also
includes the changes.
A spokesperson for Schakowsky said she plans to offer an amendment
when the bill hits the floor that would remove the FOIA exceptions altogether.
Schakowsky warned that if pushed into a corner, Congress could make
such information disclosures mandatory.
"I just want to suggest there is another option: that is to say that
this information isn't voluntary -- that we require it," she said. "We
could in fact just say that because this is so critical to national security,
(we will) simply require this, rather than pander to the desires of businesses
to keep information secret."
|