Interesting People mailing list archives
IP: Debate on Privacy Goes Private
From: David Farber <dave () farber net>
Date: Mon, 03 Dec 2001 10:03:17 -0500
http://www.nytimes.com/2001/12/03/technology/ebusiness/03NECO.html?todaysheadlines

December 3, 2001

NEW ECONOMY

Debate on Privacy Goes Private

By MATT RICHTEL

In the debate about new surveillance powers for law enforcement officials, Americans, in various ways, are asking a basic question: Are we willing to curtail personal freedom in exchange for greater national security?

Now, a debate heating up in Washington puts a twist on the query: Are we willing to curtail access to information in exchange for cybersecurity?

The cyberdebate involves legislation intended to assure private companies that if they share information with the government about their experiences with hackers and other types of cyberattacks, the information will be protected from public disclosure.

The idea is that such assurances will prompt companies to divulge data that could help in building a national defense for the Internet - without having to worry about alarming the companies' customers, inciting their shareholders or opening themselves up to copycat hackers.

"No company is going to voluntarily provide information in a forum where competitors, critics and attackers can get hold of it," said Senator Bob Bennett, a Utah Republican who is a sponsor of the Critical Infrastructure Information Act of 2001.

Senator Bennett added that trying to devise Internet defenses without candid information from private industry would be like "trying to run a battle, when 85 percent of the battlefield is blind to you."

But opponents say the legislation is unnecessary because other laws already protect sensitive information against public disclosure. The opponents also say the proposed law could block average Americans' access to information crucial to assessing public policy.

At least one issue does not appear to be in dispute. When it comes to defending the Internet, the private sector is a critical part of the equation. About 90 percent of the technical underpinnings - whether telephone networks, Internet backbones or antivirus technology - is privately owned and operated.

There is much less agreement, though, about how vulnerable the Internet actually is. Given the decentralized nature of the Internet, some experts say there is little chance of the cyberspace equivalent of the Sept. 11 attacks.

But Richard Clarke, who is leading the Bush administration's efforts to create a cyberdefense, has been among those warning that the potential threats are as broad as the imagination and could lead to calamities like the disruption of energy grids.

Among the solutions Mr. Clarke advocates is greater reliance on organizations called Information Sharing and Analysis Centers, known in the trade as ISAC's. These groups are organized under specific industries - there is already one for financial institutions, for instance, and one for high-technology companies - and collect data on cybervulnerabilities from their members, then share the information with other members. Companies can warn one another about a new computer virus, for example, and suggest antidotes.

The government now wants to have access to such information-swapping, so it can better understand patterns of attack and help bolster defenses.

Mr. Clarke, along with individual companies and ISAC organizers, say some corporations have been unwilling to share information with the government for fear that competitors or shareholders or other groups could learn potentially compromising information under the Freedom of Information Act.

Two bills, Mr. Bennett's in the Senate and a similar measure in the House, would make corporate information about cybervulnerabilities exempt from public disclosure.

The Senate bill, for instance, asks for an exemption from the Freedom of Information Act for information pertaining to so-called critical infrastructure, which is defined broadly as "physical and cyberbased systems and services essential to the national defense, government or economy of the United States." The definition includes, but is not limited to, the telecommunications, electrical power, oil and gas, banking and transportation industries.

One supporter is Mark Rasch, a vice president at cyberLaw for Predictive Systems, a computer security company that oversees ISAC for the financial services industry. Mr. Rasch estimated that the bill might encourage 10 to 15 percent greater cooperation from companies, and a willingness for ISAC to share data with the government. But he added that the real issue was not disclosure of problems, "but a commitment from the government to fix them."

Opponents of the bills, meantime, worry about the type of information companies might try to hide behind the cloak of nondisclosure. They fear that industries will ask the government for financing to fight cyberterrorism, without the public's being able to examine the supporting evidence.

"On one hand, proponents say it is an area critical to public safety to point to vulnerabilities in critical infrastructure," said David Sobel, general counsel for the Electronic Privacy Information Center. "On the other, they're saying the public has no right whatsoever to oversee the government's actions."

Rena Steinzor, academic fellow at the Natural Resources Defense Council, an environmental group, said the exemptions could be so far-reaching as to prevent Freedom of Information Act requests for environmental matters, or other issues unrelated to cyberspace.

She noted that Raytheon, a major military contractor that had lobbied with President Bush to call for new disclosure exemptions, operates a Superfund environmental-hazard site and could have its environmental track record protected by the new law. She said the law was so vaguely worded that it could enable a company to claim protection for a broad swath of information on grounds that it was part of the critical infrastructure.

"This goes way beyond cyberattacks," she said.

Opponents argue that there are already sufficient Freedom of Information exemptions in place, including laws that protect trade secrets and that prevent public disclosure of information submitted to the government for purposes of national security.

But Mr. Rasch said the current exemptions do not provide sufficient reassurance to companies. Senator Bennett agrees, noting that the legislation is sharpening the focus of the current exemptions.

Mr. Clarke, straddling this part of the debate, says that while existing laws are probably sufficient, the problem is that companies do not believe they are.

But if the issue is more a matter of perception than of reality, critics of the proposed bills, like Mr. Sobel, say that the proper approach should be educational - not legislative. The potential cost of changing the law, he said, could be more than Americans will be willing to pay over the long run.

"It seems like the industry is trying to use this issue as a basis for closing down a whole range of public disclosure," he said. "The people on the Hill don't understand the unintended consequences."

For archives see: http://www.interesting-people.org/archives/interesting-people/