By Mark D. Rasch
My fellow columnist David Banisar recently argued against passage of two bills pending before the Congress that would protect from disclosure under the Freedom of Information Act information shared by private industries with the government related to protection of the United States' critical infrastructure.
As Banisar explains, the bills (HR 2435, the Cyber Security Information Act, introduced by Reps. Davis and Moran; and S. 1456, the Critical Infrastructure Information Act, introduced by Senators Bennett and Kyl) exempt from FOIA, and also prevent the government from using for other purposes, broad categories of information, including assessments; risk audits and evaluations; and insurance and recovery plans submitted by companies about critical infrastructure systems.
Banisar objects to the proposed exemption as corporate secrecy. But I think the bill does not go far enough to achieve its objectives.
Let's get one thing straight first off: Any information the government receives in its role as policy maker, regulator, or overseer of the private sector is fair game for dissemination under the current FOIA and its current exemptions or exclusions, and should remain so.
If the NRC finds information about vulnerabilities in the safety or security of computers controlling nuclear power plants as part of its oversight responsibility, people living near those plants and those with input into future plants should know about it.
What we are trying to do with these bills is totally new and different.
Under the auspices of Presidential Decision Directive 63 (PDD-63) companies within the critical infrastructure have been encouraged to voluntarily share data with other companies in the infrastructure, and with the government, in order to promote a more secure environment for all.
The information to be shared generally includes discovered computer security vulnerabilities, the results of internal corporate information security audits or examinations, information contained in computer security incident response plans (including best practices), threat data, incident data and other similar information.
But information sharing will not work unless private companies within the critical infrastructure are given incentives to share data. At the very least, a company should be in no worse position because it chose to share information than it would have been if the information had never been shared, unless of course the information shared was willfully false and intended to harm others.
We are not talking about Enron hiding its fiscal status from investors. At present, companies within the critical infrastructure are under no general legal obligation to share information about vulnerabilities, threats or incidents with each other, much less with the government. How do we best create an environment where they can share this information to enable all parties to become more secure?
There are significant institutional and legal barriers to the voluntary sharing of security related information with the government. These include fear that, by sharing the information, the reputation or good will of the company will be tarnished, or that the voluntarily shared information will be leaked and somehow be used for advantage by a direct competitor. While non-disclosure agreements generally would prevent this, when the government is a party and the information is subject to FOIA, such non-disclosure agreements become effectively a nullity.
Companies are also reluctant to share information with regulators, for fear that the regulators will use the voluntarily shared information as a back channel for other regulatory compliance, as opposed to using the information to make participants more secure. Phrased differently, the gravamen of the legislation is "should companies in the critical infrastructure be required under the law to disclose their vulnerabilities to the public?" An affirmative response would represent a sea change in the law. A negative response would require some sort of protection for this information, if a company chooses to share it with others.
Other barriers to information sharing include fear of liability for such sharing and fear of antitrust liability. Unfortunately, a mere FOIA exemption does not remove such concerns.
That's why I believe that Congress should take the existing "self-audit" privilege as an example and create a legal privilege for security information voluntarily created and voluntarily shared. A legally recognized privilege -- meaning that the information so created and so shared could not be used in any proceeding, civil, criminal, administrative or regulatory -- would encourage companies to make their best efforts to critically examine their information security practices and share the results with other companies that could benefit from the experience.
This would parallel the doctor-patient and attorney-client privileges -- both of which protect information that would not exist but for the privilege.
Many states provide privileges for medical peer review processes, to encourage physicians to critically analyze their practices with their peers in full frankness and without fear that the results will be subject to discovery and inspection. The parallel is obvious.
Congress has been considering creating similar privileges to protect companies that voluntarily create internal health and safety audit programs. These statutes encourage not only critical analysis, but also the creation of information that would not otherwise exist.
Along with this security information sharing privilege, the government would have to agree to limit its use and disclosure of the information provided for critical infrastructure protection. For example, the government would be precluded from using the information so disclosed for the creation or formulation of public policy or regulatory compliance.
The public has a legitimate interest in knowing the information upon which the government bases its policy and regulatory practices, and the government should not be permitted to cloak such policy determinations in the secrecy afforded by the FOIA exemption. The government should be permitted to use the information solely to protect its own critical infrastructures from attack.
Should the government decide it wants similar information for policy purposes, it must compel the production of this information through other channels, free from the FOIA exemption. In this way, we can stop punishing the victim of cyber attacks, and concentrate on protecting all parties.
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive Systems Inc. in Reston, Virginia, a computer security and network design consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the head of the U.S. Department of Justice Computer Crime Unit and prosecuted a series of high profile computer crime cases from 1984 to 1991.