The long-time debate over whether information on system vulnerabilities that industry shares with the government should be exempted from the Freedom of Information Act may be finally coming to a head.
A House hearing July 24 was dominated by debate about a Bush administration proposal that would create what one lawmaker called a loophole in the Freedom of Information Act.
The proposal, a part of the bill to create a Homeland Security Department, would permit companies that own and operate systems that manage critical infrastructures to share information on vulnerabilities and attacks with federal officials without fear that the data would be made public through a FOIA request.
Industry officials are leery about sharing information without protections and do not believe that the current FOIA exemptions offer enough protection, officials testified. Administration officials said that companies participating in the Information Sharing and Analysis Centers (ISACs) have been reluctant to share any sensitive data.
Rep. Janice Schakowsky (D-Ill.), ranking member of the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee, said it is shocking that businesses are unwilling to share information that could protect the nation. "We could in fact just say that because this is so critical to national security, simply require this, rather than pander to the desires of businesses to keep information secret," she argued.
But Ronald Dick, director of the FBI's National Infrastructure Protection Center, said the private sector does not believe that the law is clear.
The administration's goal is to create a narrowly focused exemption, said John Tritak, director of the Critical Infrastructure Assurance Office. "The real goal is to create an environment where dynamic information sharing is taking place and problems can be dealt with in real time."
But Stanley Jarocki, chairman of Financial Services ISAC and vice president of information technology security for Morgan Stanley, said that many businesses believe that sharing such critical and sensitive information is too risky. Legislation may help change that. 
Although "legislation alone will not solve all challenges in information sharing, it will go a long way in providing the protections industry needs as well as demonstrating the government's commitment and desire to be an active member of the information sharing process," he said.
But James Dempsey, deputy director for the Center for Democracy and Technology, a Washington, D.C., group, urged lawmakers to reject the legislation. Dempsey noted that the provision carries criminal penalties for officials who disclose information about critical infrastructure vulnerabilities.
As the House panel was discussing the issue, the Senate Governmental Affairs Committee approved the homeland security bill that includes the administration's FOIA exemption.