July 29th, 2002
By Patrick Thibodeau
Computerworld
Law enforcement and private-sector officials arguing for legislation
to protect data on corporate information security from public disclosure
were accused last week of backing a measure that could be used to hide
dirty corporate secrets.
There is an alternative to trying to entice corporations to share information
security data by means of weakening federal freedom of information laws,
said U.S. Rep. Janice Schakowsky (D-Ill.) at a hearing of the Subcommittee
on Government Efficiency, Financial Management and Intergovernmental Relations.
"That is to say this information isn't voluntary -- that we require it," she
said. If Schakowsky, a ranking committee Democrat, were to make good on
her threat, she would face opposition from Bush administration officials,
who have repeatedly opposed forcing companies to share information about
threats, software vulnerabilities and other data-security-related information.
Instead, the administration is working to convince private companies to
cooperate voluntarily with the government.
Key to this voluntary sharing effort are provisions in pending legislation
to create a cabinet-level homeland security department.
Fear of Disclosure
That legislation would include new exemptions to the federal Freedom
of Information Act (FOIA) for information security. The intent is to help
the private-sector Information Sharing and Analysis Centers (ISAC), which
are industry-specific groups intended to assist private-sector companies
with protecting themselves from cyberthreats.
Stanley Jarocki, vice president for information security at New York-based
Morgan Stanley Dean Witter & Co. and chairman of the financial services
ISAC, said at the hearing that fear of disclosure "has severely hindered
information sharing efforts." He called for a "narrowly written" exemption.
How narrow an exemption is the point of contention. Schakowsky, as well
as civil liberties groups, has accused the Bush administration of backing
a measure that was overly broad and could conceivably be used by a company
to hide unpleasant information -- a pollution incident, for example --
from public disclosure under the guise of security.
John Tritak, director of the Critical Information Assurance Office,
said the Bush administration wants a narrowly crafted rule. "No one is
talking about a safe haven for illegal activity," he said.
Scott Charney, the chief security strategist at Microsoft Corp., said
the argument that companies will use exemption from FOIA obligations to
hide information "presumes that this information is public information
today. It's not."
Companies involved in an ISAC share threat and suspicious activity data
to detect patterns, software vulnerability information and other intelligence.
The government would like to see more of that data.