By Mark D. Rasch
My fellow columnist David Banisar recently argued against passage of two
bills pending before the Congress that would protect from disclosure under
the Freedom of Information Act information shared by private industries with
the government related to protection of the United States' critical
infrastructure.
As Banisar explains, the bills (HR 2435, the Cyber Security Information Act,
introduced by Reps. Davis and Moran; and S. 1456, the Critical
Infrastructure Information Act, introduced by Senators Bennett and Kyl)
exempt from FOIA, and also prevent the government from using for other
purposes, broad categories of information, including assessments; risk
audits and evaluations; and insurance and recovery plans submitted by
companies about critical infrastructure systems.
Banisar objects to the proposed exemption as corporate secrecy. But I think
the bills do not go far enough to achieve their objectives.
Let's get one thing straight first off: Any information the government
receives in its role as policy maker, regulator, or overseer of the private
sector is fair game for dissemination under the current FOIA and its current
exemptions or exclusions, and should remain so.
If the NRC finds information about vulnerabilities in the safety or security
of computers controlling nuclear power plants as part of its oversight
responsibility, people living near those plants and those with input into
future plants should know about it.
What we are trying to do with these bills is totally new and different.
Under the auspices of Presidential Decision Directive 63 (PDD-63) companies
within the critical infrastructure have been encouraged to voluntarily share
data with other companies in the infrastructure, and with the government, in
order to promote a more secure environment for all.
The information to be shared generally includes computer security
vulnerabilities that have been discovered, the results of internal corporate
information security audits or examinations, information contained in
computer security incident response plans (including best practices), threat
data, incident data and other similar information.
But information sharing will not work unless private companies within the
critical infrastructure are given incentives to share data. At the very
least, a company should be in no worse position because it chose to share
information than it would have been if the information had never been
shared, unless of course the information shared was willfully false and
intended to harm others.
We are not talking about Enron hiding its fiscal status from investors. At
present, companies within the critical infrastructure are under no general
legal obligation to share information about vulnerabilities, threats or
incidents with each other, much less with the government. How do we best
create an environment where they can share this information to enable all
parties to become more secure?
There are significant institutional and legal barriers to the voluntary
sharing of security related information with the government. These include
fear that, by sharing the information, the reputation or good will of the
company will be tarnished, or that the voluntarily shared information will
be leaked and somehow be used for advantage by a direct competitor. While
non-disclosure agreements generally would prevent this, when the government
is a party and the information is subject to FOIA, such non-disclosure
agreements become effectively a nullity.
A Legal Privilege Is Needed
Companies also fear sharing information with regulators, for fear that the
regulators will use the information voluntarily shared as a back channel for
other regulatory compliance, as opposed to using the information to make
participants more secure. Phrased differently, the gravamen of the
legislation is "should companies in the critical infrastructure be required
under the law to disclose their vulnerabilities to the public?" An
affirmative response would represent a sea change in the law. A negative
response would require some sort of protection for this information, if a
company chooses to share it with others.
Other barriers to information sharing include fear of liability for such
sharing and fear of antitrust liability. Unfortunately, a mere FOIA
exemption does not remove such concerns.
That's why I believe that Congress should take the existing "self-audit"
privilege as an example and create a legal privilege for security
information voluntarily created and voluntarily shared. A legally
recognized privilege -- meaning that the information so created and so
shared could not be used in any proceeding, civil, criminal, administrative
or regulatory -- would encourage companies to make their best efforts to
critically examine their information security practices and share the
results with other companies that could benefit from the experience.
This would parallel the doctor-patient and attorney-client privileges --
both of which protect information that would not exist but for the
Many states provide privileges for medical peer review processes, to
encourage physicians to critically analyze their practices with their peers
in full frankness and without fear that the results will be subject to
discovery and inspection. The parallel is obvious.
Congress has been considering creating similar privileges to protect
companies that voluntarily create internal health and safety audit programs.
These statutes encourage not only critical analysis, but also the creation
of information that would not otherwise exist.
Along with this security information sharing privilege, the government
would have to agree to limit its use and disclosure of the information
provided for critical infrastructure protection. For example, the
government would be precluded from using the information so disclosed for
the creation or formulation of public policy or regulatory compliance.
The public has a legitimate interest in knowing the information upon which
the government bases its policy and regulatory practices, and the government
should not be permitted to cloak such policy determinations in the secrecy
afforded by the FOIA exemption. The government should be permitted to use
the information solely to protect its own critical infrastructures from
Should the government decide it wants similar information for policy
purposes, it must compel the production of this information through other
channels, free from the FOIA exemption. In this way, we can stop punishing
the victims of cyber attacks, and concentrate on protecting all parties.
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive
Systems Inc. in Reston, Virginia, a computer security and network design
consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the head
of the U.S. Department of Justice Computer Crime Unit and prosecuted a
series of high profile computer crime cases from 1984 to 1991.