[ISN] Caution Urged On Corporate Exemptions In Security Bill

From: InfoSec News (isnat_private)
Date: Thu May 09 2002 - 00:08:40 PDT


    By Eric Chabrow
    May 8, 2002

    A high-ranking Justice Department official cautions that legislation
    before Congress shouldn't prevent the prosecution of corporate
    offenders who voluntarily provide authorities with company secrets
    that could prevent cyberterrorist attacks on the nation's IT

    The aim of the proposed Critical Infrastructure Information Security
    Act--the subject of a hearing Wednesday before the Senate Governmental
    Affairs Committee--is to exempt businesses that voluntarily reveal
    secrets involving IT or network vulnerabilities from provisions of the
    Freedom of Information Act. The FOIA often is used by citizens to
    compel the government to reveal secrets. The bill would limit the use
    of information disclosed for cyberprotection in potential lawsuits
    against businesses. Several speakers told the committee they believe
    the bill, as written, could prevent legal action against companies
    that voluntarily reveal potentially damning information about their IT
    infrastructure vulnerabilities.

    Deputy Assistant Attorney General John Malcolm wants the bill changed
    so such information could be used in criminal cases. "While perhaps
    legitimate concerns," Malcolm says, "let me be clear that the Justice
    Department would not support legislation that would prohibit the
    government from using voluntarily provided information in a criminal

    The bill's key sponsor, Sen. Robert Bennett, R.-Utah, said he doesn't
    want to provide cover for illegal activity. Still, he suggested, the
    nation would be better off if a few businesses escaped government
    action if the sharing of information between industry and government
    prevented terrorists from attacking the nation's IT infrastructure.  
    "What we're talking about is information that otherwise wouldn't have
    been known," Bennett said.

    Bennett said potential cyberattacks by American enemies would be waged
    on networks and computers owned by private companies, since they
    control between 85% and 90% of the nation's critical IT
    infrastructure. "The future battlefield is in private hands," he said.

    Most businesses don't share sensitive information about their IT and
    network vulnerabilities with federal authorities. An FBI survey
    released last month revealed that 90% of respondents detected computer
    security breaches in the previous 12 months, but only 34%--up from 16%
    in 1996--reported these intrusions to law enforcement. "The two
    primary reasons for not making a report were negative publicity and
    the recognition that competitors would use the information against
    them," Richard Dick, director of the FBI's National Infrastructure
    Protection Center, told the committee.

    Bennett's bill would not only exempt businesses that voluntarily share
    information from FOIA provisions, but provide exemptions from
    antitrust laws so they could share infrastructure information with
    competitors in industry forums known as ISACs, or Information Sharing
    and Assessment Centers, in efforts to thwart cyberattacks.

    "Companies won't disclose voluntarily if it could bring financial harm
    to them," said bill supporter Ty Sagalow, a board member of the
    financial-services industry's ISAC and chief operating officer of
    insurer American International Group's E-Business Risk Solution unit.  
    "The risk is too great. Better to keep your mouth shut. Better safe
    than sorry."

    But Alan Paller, director of research at the SANS Institute, which
    trains cybersecurity software developers, doubts the bill will get
    companies to share such secrets. "Companies see no advantage in
    reporting," he said. "If government wants companies to report more
    attack data, make reporting mandatory."

    David Sobel, general counsel of the Electronic Privacy Information
    Center, said the Bennett bill is unnecessary, noting that provisions
    in the FOIA and court precedent already provide protections to
    businesses that want to keep sensitive corporate data secret. The bill
    could keep secret unsafe practices engaged in by private operators of
    nuclear power plants, water systems, chemical plants, oil refineries,
    and other facilities that could pose a risk to public health and
    safety, Sobel said. "In short," he said, "critical infrastructure
    protection is an issue of concern not just for the government and
    industry, but also for the public."