Sharing seen as critical for security

Industry must collaborate with the government to protect the nation's critical infrastructure, experts say

The private sector manages more than 85 percent of the nation's critical infrastructure and must therefore collaborate with the government to protect those resources, according to government and industry leaders speaking at a May 8 Senate Governmental Affairs Committee hearing.

But such collaboration requires an environment conducive to companies voluntarily sharing vital information and a cultural change on both sides that will take time, they said, leaving numerous seams open to enemy attacks in the meantime.

Sens. Robert Bennett (R-Utah) and Jon Kyl (R-Ariz.) are pushing the Critical Infrastructure Information Security Act to enable the federal government and industry to share information about potential threats to the nation's critical infrastructure without fear that the data would be released under the Freedom of Information Act.

"If the private sector and the government are both targets, they should be talking to each other," Bennett said, acknowledging that industry fears the information could be used against it, just as some regulators are skeptical of businesses. "We need to keep understanding that this information would otherwise not be available to anyone. People who wish us ill will take advantage of the seams."

Committee chairman Sen. Joe Lieberman (D-Conn.), ranking member Sen. Fred Thompson (R-Tenn.) and numerous government and industry witnesses agreed that the legislation is on the right track, but they also acknowledged that many issues must be worked through, especially industry's fear that any information companies share with the government could be used against them legally or by competitors.

"You can't legislate trust--and there is no silver bullet," said John Tritak, director of the Critical Infrastructure Assurance Office. "You can't create it with the passage of law, but the goal is to encourage that relationship."

Harris Miller, president of the Information Technology Association of America, said that his organization supports the Critical Infrastructure Information Security Act and the related House legislation, the Cyber Security Information Act, but he noted that "current FOIA language is not sufficient to protect critical infrastructure information from disclosure."

David Sobel, general counsel for the Electronic Privacy Information Center (EPIC), disagreed. "Overly broad new [FOIA] exemptions could adversely impact the public's right to oversee important and far-reaching governmental functions and remove incentives for remedial private-sector action."

Industry and EPIC aren't the only ones with reservations about the Bennett-Kyl legislation, said John Malcolm, deputy assistant attorney general in the Justice Department's Criminal Division. He said as it's written now, the law would "tie the government's hands" by precluding it from taking civil enforcement action against a company by "direct use" of information obtained through critical infrastructure needs.

That loophole would enable a company that was knowingly at fault to do a "document dump" on the government and basically absolve itself of future civil prosecution, Malcolm said.

Both government and industry realize that sharing information is "in the public interest, but industry is reluctant to do that if they feel like they're digging themselves a hole," Tritak told Federal Computer Week.

"People expect too much of legislation to fix a cultural problem," he said. "A lack of clarity encourages [conservative] behavior. We're suggesting a real partnering that requires a collaborative relationship with government and industry jointly working for homeland security."

The Bush administration endorses a "narrowly-crafted" FOIA exemption on critical infrastructure information, and the Bennett-Kyl bill is being given "serious consideration," Tritak said.