, SecurityFocus 2000-04-11
The "Cyber Security Information Act," to be announced Wednesday, would keep vulnerability information away from the public.
Sensitive information about computer network vulnerabilities and intrusions transferred from the private sector to the federal government would be shielded from public disclosure, under a bill set to be announced Wednesday by Representatives Tom Davis (R-Va.) and Jim Moran (D-Va.).The proposed legislation would carve out a new exemption to the Freedom of Information Act (FOIA), a law used primarily by journalists which allows a certain degree of public access to government files.
Companies have cited FOIA as a roadblock to the public-private partnership envisioned by President Clinton's
According to a draft of the proposed "Cyber Security Information Act" obtained by SecurityFocus.com, the bill would allow federal agencies to specifically designate requests for information as FOIA exempt. Anything obtained in response to such a request would be kept confidential, and "may not be used by any Federal entity, agency or authority or by any third party, directly or indirectly, in any civil action."
The bill also clears the way for government participation in ISACs, by automatically protecting any information obtained from such participation. Data obtained through independent channels, by the government or third parties, would not be covered.
The Davis-Moran bill was originally set for formal submission last month, but was delayed after industry and public interest groups intervened, according to a congressional source close to the proposal. In addition to the FOIA exemption, the bill would also exempt companies from any antitrust action based on their sharing of cyberterror information with each other.
Unlike a broader, executive branch proposal, the bill would not cover information about physical vulnerabilities and threats, only electronic ones. Steve Aftergood, head of the
"At some point the FOIA will suffer a death from a thousand cuts," said Aftergood. "There is an alarming tendency to carve out exemptions to FOIA at the drop of any hat you may have. At some point the FOIA will lose its utility if it's not treated with some more respect."
"To the extent that fear of FOIA is a deterrent to sharing information, I support this effort to remove that barrier," says Mark Rasch, an attorney with Virginia-based Global Integrity who consulted on the bill. But Rasch warns that a new FOIA exemption will not abolish all tension between private companies and government agencies.
Global Integrity runs the
Rasch says that the multiple roles played by the government -- customer, law enforcer, and regulator -- will remain an obstacle to private sector cooperation. "People think the only reason companies aren't sharing information with the government is because of antitrust and FOIA, but those are not the only concerns." Companies are reluctant to give the government information on attacks and vulnerabilities that regulators may use against them later, Rasch says. "What's needed is an immunity, not just an exemption."