
Secrecy Bill Doesn't Go Far Enough


By Mark D. Rasch

My fellow columnist David Banisar recently argued against passage of two bills pending before the Congress that would protect from disclosure under the Freedom of Information Act information shared by private industries with the government related to protection of the United States' critical infrastructure.

As Banisar explains, the bills (HR 2435, the Cyber Security Information Act, introduced by Reps. Davis and Moran; and S. 1456, the Critical Infrastructure Information Act, introduced by Senators Bennett and Kyl) exempt from FOIA, and also prevent the government from using for other purposes, broad categories of information, including assessments; risk audits and evaluations; and insurance and recovery plans submitted by companies about critical infrastructure systems.

Banisar objects to the proposed exemption as corporate secrecy. But I think the bill does not go far enough to achieve its objectives.

Let's get one thing straight first off: Any information the government receives in its role as policy maker, regulator, or overseer of the private sector is fair game for dissemination under the current FOIA and its current exemptions or exclusions, and should remain so.

If the NRC finds information about vulnerabilities in the safety or security of computers controlling nuclear power plants as part of its oversight responsibility, people living near those plants and those with input into future plants should know about it.

What we are trying to do with these bills is totally new and different. Under the auspices of Presidential Decision Directive 63 (PDD-63), companies within the critical infrastructure have been encouraged to voluntarily share data with other companies in the infrastructure, and with the government, in order to promote a more secure environment for all.

The information to be shared generally includes discovered computer security vulnerabilities, the results of internal corporate information security audits or examinations, information contained in computer security incident response plans (including best practices), threat data, incident data and other similar information.

But information sharing will not work unless private companies within the critical infrastructure are given incentives to share data. At the very least, a company should be in no worse position because it chose to share information than it would have been if the information had never been shared, unless of course the information shared was willfully false and intended to harm others.

We are not talking about Enron hiding its fiscal status from investors. At present, companies within the critical infrastructure are under no general legal obligation to share information about vulnerabilities, threats or incidents with each other, much less with the government. How do we best create an environment where they can share this information to enable all parties to become more secure?

There are significant institutional and legal barriers to the voluntary sharing of security-related information with the government. These include fear that, by sharing the information, the reputation or good will of the company will be tarnished, or that the voluntarily shared information will be leaked and somehow be used for advantage by a direct competitor. While non-disclosure agreements generally would prevent this, when the government is a party and the information is subject to FOIA, such non-disclosure agreements become effectively a nullity.

A Legal Privilege Is Needed

Companies also fear sharing information with regulators, for fear that the regulators will use the information voluntarily shared as a back channel for other regulatory compliance, as opposed to using the information to make participants more secure. Phrased differently, the gravamen of the legislation is "should companies in the critical infrastructure be required under the law to disclose their vulnerabilities to the public?" An affirmative response would represent a sea change in the law. A negative response would require some sort of protection for this information, if a company chooses to share it with others.

Other barriers to information sharing include fear of liability for such sharing and fear of antitrust liability. Unfortunately, a mere FOIA exemption does not remove such concerns.

That's why I believe that Congress should take the existing "self-audit" privilege as an example and create a legal privilege for security information voluntarily created and voluntarily shared. A legally recognized privilege -- meaning that the information so created and so shared could not be used in any proceeding, civil, criminal, administrative or regulatory -- would encourage companies to take their best efforts to critically examine their information security practices and share the results with other companies that could benefit from the experience.

This would parallel the doctor-patient and attorney-client privileges -- both of which protect information that would not exist but for the privilege.

Many states provide privileges for medical peer review processes, to encourage physicians to critically analyze their practices with their peers in full frankness and without fear that the results will be subject to discovery and inspection. The parallel is obvious.

Congress has been considering creating similar privileges to protect companies that voluntarily create internal health and safety audit programs. These statutes encourage not only critical analysis, but also the creation of information that would not otherwise exist.

Along with this security information sharing privilege, the government would have to agree to limit its use and disclosure of the information provided for critical infrastructure protection. For example, the government would be precluded from using the information so disclosed for the creation or formulation of public policy or regulatory compliance.

The public has a legitimate interest in knowing the information upon which the government bases its policy and regulatory practices, and the government should not be permitted to cloak such policy determinations in the secrecy afforded by the FOIA exemption. The government should be permitted to use the information solely to protect its own critical infrastructures from attack.

Should the government decide it wants similar information for policy purposes, it must compel the production of this information through other channels, free from the FOIA exemption. In this way, we can stop punishing the victim of cyber attacks, and concentrate on protecting all parties.

Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive Systems Inc. in Reston, Virginia, a computer security and network design consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the head of the U.S. Department of Justice Computer Crime Unit and prosecuted a series of high profile computer crime cases from 1984 to 1991.

