Information Security News mailing list archives
Access denied
From: William Knowles <wk () C4I ORG>
Date: Wed, 31 May 2000 12:52:29 -0500
http://www.fcw.com/fcw/articles/2000/0529/cov-access-05-29-00.asp

BY William Matthews
05/29/2000

When it emerged less than a decade ago, the World Wide Web was quickly embraced as a bright new medium that could help reinvent government and revitalize democracy. But gradually government policy-makers have also seen that the Web has a much darker side.

Information once eagerly posted on government Web sites to promote environmental safety, assist military personnel or help retirees is now being viewed as dangerous if found by terrorists, hackers and other criminals.

Prompted by fears that easy access to information is putting Americans at risk, agencies and Congress are tightening controls over federal Internet sites. Federal Webmasters who once enthusiastically posted information now anxiously take some of it down.

Congress has even banned some unclassified government information from federal Web sites, although not from private sites, and is considering a bill to grant sweeping exemptions to the Freedom of Information Act (FOIA) in the name of cybersecurity.

"We're becoming afraid of the technology that we invented to make government more open," said Patrice McDermott, an information policy analyst for OMB Watch, a public interest organization in Washington, D.C. "What should be used to make government more open is being used as an excuse for making it more closed."

"There is a growing sense of caution about what's on the Web," said Roger Baker, chief information officer at the Commerce Department. "I don't want to call it a backlash, but it's a bit of a reaction to the push to get everything out there. It's sort of an 'oops, that shouldn't be out there.'"

"Oops" is probably an understatement to Rep. Thomas Davis (R-Va.), who sees real danger lurking in the Web. "Cyberattacks have moved beyond the mischievous teenager and are now being learned and masterminded by terrorist organizations.
It's not difficult to imagine what could occur if those attacks were focused on our utilities or emergency services," Davis said as he introduced his Cyber Security Information Act this spring.

Davis' bill would grant sweeping exemptions from FOIA when private companies share information about computer vulnerabilities with the federal government. The bill would also limit companies' legal liability and exempt them from antitrust violations based on the information they share.

Because it is connected to the Internet, the nation's critical infrastructure, which operates everything from transportation to financial systems, is in jeopardy, Davis warns.

And recent computer virus attacks have added a tone of urgency to the warnings. So far, they have not slowed the governmentwide commitment to increased use of information technology and the Internet.

Agencies still aim to meet the requirement set by the Paperwork Reduction Act of offering all government services and transactions online, in addition to paper, by 2003. And the president's e-government goal of having the 500 most-used government forms online by the end of this year still stands.

The Best Intentions

But fear for the safety of major systems and the public has begun to force policy-makers to consider significant changes in online practice and philosophy.

"I would tend to take the view that if it's available through the Freedom of Information Act, it should be out there. But that's not a well-thought-through view," said Baker, who heads the Security, Privacy and Critical Infrastructure Subcommittee of the federal CIO Council. "Some stuff just shouldn't be out there. You may be legally bound to turn it over, but do you want to call attention to it?"

That question was at the heart of a debate at the Environmental Protection Agency over whether to post information on the Internet about industrial plants and the hazardous chemicals they use.
Openness has been a key EPA strategy for achieving compliance with environmental regulations. Disclose sources of pollution and potential hazards, and public pressure often will force cleanups and better safety practices, the agency has found.

But in the Internet Age, openness has yielded to the idea that secrecy promotes security.

Challenged by the FBI and temporarily forbidden by Congress, the EPA has decided not to post "risk management plans" on the Internet. The plans spell out worst-case scenarios that could result from chemical accidents at more than 15,000 U.S. industrial plants.

The requirement for risk management plans dates to the pre-Internet era. Horrified when a gas leak at an American-owned insecticide factory in Bhopal, India, killed 8,000 people and injured 500,000 more in 1984, Congress ordered the EPA to establish rules to minimize the risk of similar leaks in the United States.

In amendments to the Clean Air Act, Congress required companies that handle dangerous chemicals to submit plans to the EPA spelling out what would happen in a "worst-case" chemical accident and how they would prevent or at least minimize accidental chemical releases.

Congress also ordered that the risk management plans be disclosed to the public, hoping to generate public awareness that could pressure companies to pay greater attention to safety.

EPA officials posted the plans on the Web. FBI and intelligence agencies argued that posting the risk management plans would provide "one-stop shopping" for terrorists. The plans, they said, provided enough detailed information to turn 15,000 businesses and industrial plants into weapons of mass destruction.

In an assessment conducted this year, the EPA concluded that "the risk of terrorists attempting in the foreseeable future to cause a potentially catastrophic chemical release is both real and credible."
Now the EPA proposes to make the plans available to the public on a limited basis, on paper, at 50 monitored reading rooms across the country. Personal identification and sign-in sheets would be required. Note-taking would be allowed, photocopying forbidden.

But deciding to keep the plans off the Internet was not easy for some at the EPA. "I see us still struggling with the issue," a senior agency official said.

Some at the agency charge that senior EPA policy-makers have backed off their commitment to communities' right to know. But others "are coming to understand that there are aspects to making information available broadly that we need to be cognizant of. There is an accountability angle," the official said. "As you look at it from that perspective, it makes you think more critically and analytically about information and how it might be used."

But a former EPA official admits he is more cynical. "I really think the motivation is political," he said. "The Republican Congress has attacked the EPA, and I don't think the Web is the main objection. They're trying to deter the EPA from being as effective as it can be."

"The practical difficulty with the EPA plan is it attempts to enforce a distinction between paper documents and electronic documents. It won't work," said Steven Aftergood, director of the Federation of American Scientists' Project on Government Secrecy.

"There are people who will take the paper document and post it on a Web site. It's not illegal yet. If the information is unclassified and useful, it's going to find its way onto the Web."

To Inform or Promote?

Aftergood has some experience in that regard. About a year ago, the Marine Corps removed program information from some of its Web sites about the Marine Corps Tactical Systems Support Activity, a unit based at Camp Pendleton, Calif. The information was neither classified nor protected for reasons of personal privacy.
Included in the information were details on technology the Marines plan to use to support other Corps units in a war.

"All of it was unclassified. It wasn't even sensitive," Aftergood said. "And there was nothing like Social Security numbers or home addresses" to warrant keeping it secret, he said.

Aftergood filed a FOIA request for a directory of Web pages that had been withdrawn. He argued that the Marine Corps had no right to withhold it. The Marines agreed. But instead of sending Aftergood a directory of the suppressed Web material, the Corps handed over a cassette containing 900M of material that it had stricken from the Web.

The data was stored on a "peculiar helical-scan, 4 mm data cartridge," Aftergood said. And so far, he has been unable to locate equipment that can read it.

The Marines' action raises questions about how agencies should use the Web. Is the Web intended to make government more transparent? Should agencies routinely post information such as minutes of meetings and texts of policies so the public can learn more about what the government is doing?

The military, which invented the Internet, has found it extremely valuable as a fast and efficient global information distribution system. But "in the rush to take advantage of the Net's timeliness and distribution capabilities," personnel have sometimes abandoned caution, a Pentagon official said. They have posted documents intended for official use only, put personal information online and disclosed sensitive information about exercises and operations.

The ease of access to information on the Internet makes even unclassified information more sensitive. "You can take a lot of miscellaneous facts and start to piece a picture together," explained a retired Army officer.

Collecting bits of information from many sources and putting them together used to be a slow, often laborious process. The Internet makes it far easier.

"The interconnectedness of information on the Internet is forcing agencies to re-examine what they put online," said David McClure, associate director for governmentwide and defense information systems at the General Accounting Office.

"Information you thought was only within one confine is not, and it becomes much easier to weave a mosaic of information," he said. And a congressional requirement that federal agencies keep searchable electronic archives will create an even greater challenge, he said.

The Defense Department has formed a special unit at the Pentagon called the Joint Web Risk Assessment Cell to comb military Web sites for information it thinks should be removed.

The primary intent is security, military officials say. For example, maps of military bases that are helpful to personnel being transferred to new posts might also prove valuable to terrorists planning an attack.

Even at the Agriculture Department, "the security posture is changing. There's a general feeling that the world has become a less friendly place," said William Hadesty, information security chief at USDA. "The whole security thing is under review. We're constantly looking at security here," he said.

Secrecy in the Name of Security

There is a slightly different security concern when it comes to the critical infrastructure, according to Rep. Davis. The critical infrastructure is largely owned and operated by the private sector, and ordinarily, private companies are not subject to most of the disclosure requirements imposed on government agencies.

While it is widely agreed that government and industry need to work together to solve the computer security problems that threaten the critical infrastructure, industry is reluctant to do so, Davis said, because information shared with the government is subject to disclosure.
Davis, who represents Northern Virginia and its burgeoning high-tech business sector, said he introduced the Cyber Security Information Act to encourage businesses to share information about security weaknesses with the federal government and each other.

Putting limitations on the use of information is necessary to assure businesses it is safe to share information with the government, said Davis, who has a seat on the House Government Reform Committee.

He said he modeled the bill after similar legislation that convinced industry to work with government to solve the Year 2000 computer compliance problem. Computer security is emerging as a problem of similar magnitude, Davis contends.

Critics of the legislation complain that it would "cast a blanket of secrecy over vast amounts of information that the public might have a need and right to know," OMB Watch's McDermott said.

According to OMB Watch, this bill is part of an ongoing push by industry to carve out exemptions to FOIA. The group concedes that there may indeed be information that the government wants industry to share that should remain secret, but Davis' bill leaves "virtually no role for any government agency except to do the bidding of private entities," which want to keep information from the public, McDermott said.

A Davis aide argues that failing to grant FOIA exemptions will hurt government more than it hurts industry. Without privacy assurances, companies will simply refuse to share useful information.

But a "very disturbing idea" embedded in the Davis bill is that information shared between the private sector and the government should routinely be kept secret from the public, said Kate Martin, a lawyer for The National Security Archive, a research institute that specializes in publishing declassified government documents.

"It is linked to the notion that it will be necessary for the government to do much more with the private sector than it has in the past.
And because the private sector wishes not to be subject to open government laws," the Davis bill permits government to become more secretive, she said.

"It turns the basic presumption of freedom of information and open government on its head," Martin said. "The really dangerous thing is the wholesale exemption [to FOIA] of all information shared with the government when it's related to the critical infrastructure."

McDermott said the situation would be similar to a law that forbids newspapers from reporting on bank robberies because their articles highlight banks' vulnerabilities. Her point: Shouldn't people be able to learn about the danger to the bank and their money? And isn't publicity likely to prompt the bank to invest more in security?

The Internet Changes Everything

Instead of broad FOIA exemptions, information should be carefully evaluated and exempted from disclosure only when the risk of disclosure is found to be greater than the value of openness, Martin said.

Yet, she concedes, in some ways the Internet has changed the equation. Much of the information that has traditionally been "public" has also traditionally been difficult to obtain. Papers filed in courthouses or buried in agency file cabinets were simply not readily available.

Increasingly, that's no longer true. If it's on the Web, it can be accessed from virtually anywhere. "It may be that we need to rethink" policies on privacy and disclosure, "but it needs to be done very specifically, not with just a blanket blackout" of information, Martin said.

Aftergood predicts that it is too late for much of a retreat from the Web. Agencies have found that it is slower and more expensive to provide information on paper. There is a mounting expectation that if an agency has useful information, citizens should be able to get it on the Web, he said.

"I think there will still be a net increase in the amount of information that is becoming available, notwithstanding these recent efforts to retrench," Aftergood said.

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*