Industry's FOIA shield debated
- By Diane Frank
- Jun 23, 2000
House members on Thursday stood behind their bill to give companies an exemption
from the Freedom of Information Act when sharing information about cybersecurity.
However, critics say the bill is unnecessary and that the government cannot
handle the information that industry would provide.
The Cyber Security Information Act, co-sponsored by Reps. Tom Davis (R-Va.)
and James Moran (D-Va.), is designed to promote the sharing of cybersecurity
information between the private sector and government.
The administration has asked agencies to work with industry and form information
sharing and analysis centers (ISACs). The financial services sector has
started its ISAC, and the telecommunications and information technology
sectors are working on ISACs. But businesses consistently have raised questions
about the sharing of security information, Moran said before the House Government
Management, Information and Technology Subcommittee on Thursday.
"Their concerns stemmed from the lack of clarity in antitrust laws and concerns
related to disclosures the government would have to make based on [FOIA],"
The Davis-Moran bill is based on the Year 2000 Information and Readiness
Disclosure Act. It will provide a limited FOIA exemption, protecting companies
from civil litigation over shared information, and it establishes an antitrust
exemption for information shared within an ISAC, Davis said.
However, David Sobel, general counsel for the Electronic Privacy Information
Center, said that existing FOIA exemptions already protect information that
would be shared in an ISAC. "The courts have really bent over backwards
to make sure private-sector companies do feel comfortable sharing information
with the government," he said.
Davis said companies perceive those protections as not enough, and they
will not share information with government until they have "ironclad assurance"
that it will not be released.
The bill could provide agencies with a better picture of information security
threats across the country because it "creates an additional protected channel
for potent, valuable information," said Joel Willemssen, director of civil
agencies information systems at the General Accounting Office.
But regardless of whether the bill succeeds, the government may not be prepared
to deal with the information, Willemssen said. Agencies don't have a process
to ensure that they are collecting the correct information, nor is there
evidence the organizations in place can analyze and share this information
in a timely manner, he said.