Virginia congressmen seek FOIA exemption for cyber-security data

Tuesday, May 2, 2000

Two Virginia congressmen have introduced a bill they say is designed to protect sensitive information about computer networks exchanged between private industry and the federal government.

But open-government advocates fear that the lawmakers’ effort cuts deep into the federal Freedom of Information Act, shuffling information out of public view that could be helpful in combating computer viruses or staving off hacking attempts.

“The sharing of information might be difficult if the group isn’t the organization that originally reported a problem,” said Ari Schwartz, a research analyst for the Center for Democracy and Technology. “And we would want the public to know about it,” so the problem will be addressed immediately.

Concerns about the free flow of cyber-security information grew last year after hackers hit large Web sites such as Yahoo!, eBay and and a number of government sites. In response, President Clinton suggested the building of a public-private partnership to combat cyber-terrorism. Specifically, the administration proposed the creation of an Information Sharing and Analysis Center to serve as a clearinghouse for cyber-threat data.

But industry officials said they feared they would be revealing key trade secrets if they shared information. Some said they were reluctant to offer any information that could become public under FOIA.

In response, Reps. Tom Davis, R-Va., and Jim Moran, D-Va., last month introduced the Cyber Security Information Act of 2000, a measure that would allow federal agencies to deem such information as exempt.

Davis says the act is closely modeled after the Y2K Information and Readiness Disclosure Act approved last year. That legislation created a temporary exemption to FOIA to encourage the private sector to share information about ways to handle a potential crisis with the Y2K computer glitch.

“This will allow us to get a timely and accurate assessment of the vulnerabilities of each sector to cyber attacks and allow for the formulation of proposals to eliminate these vulnerabilities — without increasing government regulation or expanding unfunded federal mandates on the private sector,” Davis said in a statement.

But open-government advocates say the legislation does create new government regulation by carving out yet another FOIA exemption, one they contend is probably not needed.

“I can understand why government wants to know what kind of problems the private sector is having with hackers and other people who can sabotage information. That makes sense,” said Rebecca Daugherty of the Reporters Committee for Freedom of the Press. “But I think there are other exemptions that apply.”

Daugherty says the FOIA is already peppered with exemptions for law enforcement and trade secrets. One of those would likely apply in the exchange of certain cyber-security details.

But Daugherty and others say the exemption proposed by Davis and Moran would likely seal much more information than is necessary.

Analysts with OMB Watch say the legislation has two fundamental flaws: overly broad and vague definitions and a lack of a governmental process.

“The definition of critical infrastructure as facilities or services whose disruption ‘would have a debilitating impact on the defense, security, long-term economic prosperity, or health and safety of the United States’ is so open-ended that virtually anything could come under it,” the OMB Watch report said.

The report also says that “there is virtually no role for any government agency here except to do the bidding of private entities in protecting information from the public. There is no discretion allowed on the part of the government in accepting these requests or in protecting the information.”

Schwartz said officials with the Center for Democracy and Technology met with Davis and Moran last week to encourage the congressmen to find a better balance between security and the public’s right to know.

Steven Aftergood, director of the Federation of American Scientists Project on Government Secrecy, says Congress too often seeks the exemption and not the balance.

“There is a tendency to chip away at the act (FOIA) and — in the worst outcome — to dismember it,” Aftergood said. “It also tends to legitimize the notion among agencies and now private corporations that public access is something to be discouraged and resisted.”

Phillip Taylor, a freelance contributor, works for the Daily Press in Newport News, Va.