July 29th, 2002
By Christopher J. Dorobek
Federal Computer Week
The long-time debate over whether information on system vulnerabilities
that industry shares with the government should be exempted from the Freedom
of Information Act may be finally coming to a head.
A House hearing July 24 was dominated by debate about a Bush administration
proposal that would create what one lawmaker called a loophole in the Freedom
of Information Act.
The proposal, a part of the bill to create a Homeland Security Department,
would permit companies that own and operate systems that manage critical
infrastructures to share information on vulnerabilities and attacks with
federal officials without fear that the data would be made public through
a FOIA request.
Industry officials are leery about sharing information without protections
and do not believe that the current FOIA exemptions offer enough protection,
officials testified. Administration officials said that companies participating
in the Information Sharing and Analysis Centers (ISACs) have been reluctant
to share any sensitive data.
Rep. Janice Schakowsky (D-Ill.), ranking member of the House Government
Reform Committee's Government Efficiency, Financial Management and Intergovernmental
Relations Subcommittee, said it is shocking that businesses are unwilling
to share information that could protect the nation. "We could in fact just
say that because this is so critical to national security, simply require
this, rather than pander to the desires of businesses to keep information
secret," she argued.
But Ronald Dick, director of the FBI's National Infrastructure Protection
Center, said the private sector does not believe that the law is clear.
The administration's goal is to create a narrowly focused exemption,
said John Tritak, director of the Critical Infrastructure Assurance Office.
"The real goal is to create an environment where dynamic information sharing
is taking place and problems can be dealt with in real time."
But Stanley Jarocki, chairman of Financial Services ISAC and vice president
of information technology security for Morgan Stanley, said that many businesses
believe that sharing such critical and sensitive information is too risky.
Legislation may help change that.
Although "legislation alone will not solve all challenges in information
sharing, it will go a long way in providing the protections industry needs
as well as demonstrating the government's commitment and desire to be an
active member of the information sharing process," he said.
But James Dempsey, deputy director for the Center for Democracy and
Technology, a Washington, D.C., group, urged lawmakers to reject the legislation.
Dempsey noted that the provision carries criminal penalties for officials
who disclose information about critical infrastructure vulnerabilities.
As the House panel was discussing the issue, the Senate Governmental
Affairs Committee approved the homeland security bill that includes the
administration's FOIA exemption.