http://www.informationweek.com/story/IWK20020508S0005 By Eric Chabrow May 8, 2002 A high-ranking Justice Department official cautions that legislation before Congress shouldn't prevent the prosecution of corporate offenders who voluntarily provide authorities with company secrets that could prevent cyberterrorist attacks on the nation's IT infrastructure. The aim of the proposed Critical Infrastructure Information Security Act--the subject of a hearing Wednesday before the Senate Governmental Affairs Committee--is to exempt businesses that voluntarily reveal secrets involving IT or network vulnerabilities from provisions of the Freedom of Information Act. The FOIA often is used by citizens to compel the government to reveal secrets. The bill would limit the use of information disclosed for cyberprotection in potential lawsuits against businesses. Several speakers told the committee they believe the bill, as written, could prevent legal action against companies that voluntarily reveal potentially damning information about their IT infrastructure vulnerabilities. Deputy Assistant Attorney General John Malcom wants the bill changed so such information could be used in criminal cases. "While perhaps legitimate concerns," Malcom says, "let me be clear that the Justice Department would not support legislation that would prohibit the government from using voluntarily provided information in a criminal proceeding." The bill's key sponsor, Sen. Robert Bennett, R.-Utah, said he doesn't want to provide cover for illegal activity. Still, he suggested, the nation would be better off if a few businesses escaped government action if the sharing of information between industry and government prevented terrorists from attacking the nation's IT infrastructure. "What we're talking about is information that otherwise wouldn't have been known," Bennett said. Bennett said potential cyberattacks by American enemies would be waged on networks and computers owned by private companies, since they control between 85% and 90% of the nation's critical IT infrastructure. "The future battlefield is in private hands," he said. Most businesses don't share sensitive information about their IT and network vulnerabilities with federal authorities. An FBI survey released last month revealed that 90% of respondents detected computer security breaches in the previous 12 months, but only 34%--up from 16% in 1996--reported these intrusions to law enforcement. "The two primary reasons for not making a report were negative publicity and the recognition that competitors would use the information against them," Richard Dick, director of the FBI's National Infrastructure Protection Center, told the committee. Bennett's bill would not only exempt businesses that voluntarily share information from FOIA provisions, but provide exemptions from antitrust laws so they could share infrastructure information with competitors in industry forums known as ISACs, or Information Sharing and Assessment Centers, in efforts to thwart cyberattacks. "Companies won't disclose voluntarily if it could bring financial harm to them," said bill supporter Ty Sagalow, a board member of the financial-services industry's ISAC and chief operating officer of insurer American International Group's E-Business Risk Solution unit. "The risk is too great. Better to keep your mouth shut. Better safe than sorry." But Alan Paller, director of research at the Sans Institute, which trains cybersecurity software developers, doubts the bill will get companies to share such secrets. "Companies see no advantage in reporting," he said. "If government wants companies to report more attack data, make reporting mandatory." David Sobel, general counsel of the Electronic Privacy Information Center, said the Bennett bill is unnecessary, noting that provisions in the FOIA and court precedent already provide protections to businesses that want to keep sensitive corporate data secret. The bill could keep secret unsafe practices engaged by private operators of nuclear power plants, water systems, chemical plants, oil refineries, and other facilities that could pose a risk to public health and safety, Sobel said. "In short," he said, "critical infrastructure protection is an issue of concern not just for the government and industry, but also for the public." - ISN is currently hosted by Attrition.org To unsubscribe email email@example.com with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu May 09 2002 - 03:23:01 PDT