Information Security News mailing list archives

Caution Urged On Corporate Exemptions In Security Bill


From: InfoSec News <isn () c4i org>
Date: Thu, 9 May 2002 02:08:40 -0500 (CDT)

http://www.informationweek.com/story/IWK20020508S0005

By Eric Chabrow
May 8, 2002

A high-ranking Justice Department official cautions that legislation
before Congress shouldn't prevent the prosecution of corporate
offenders who voluntarily provide authorities with company secrets
that could prevent cyberterrorist attacks on the nation's IT
infrastructure.

The aim of the proposed Critical Infrastructure Information Security
Act--the subject of a hearing Wednesday before the Senate Governmental
Affairs Committee--is to exempt businesses that voluntarily reveal
secrets involving IT or network vulnerabilities from provisions of the
Freedom of Information Act. The FOIA often is used by citizens to
compel the government to reveal secrets. The bill would limit the use
of information disclosed for cyberprotection in potential lawsuits
against businesses. Several speakers told the committee they believe
the bill, as written, could prevent legal action against companies
that voluntarily reveal potentially damning information about their IT
infrastructure vulnerabilities.

Deputy Assistant Attorney General John Malcom wants the bill changed
so such information could be used in criminal cases. "While perhaps
legitimate concerns," Malcom says, "let me be clear that the Justice
Department would not support legislation that would prohibit the
government from using voluntarily provided information in a criminal
proceeding."

The bill's key sponsor, Sen. Robert Bennett, R-Utah, said he doesn't
want to provide cover for illegal activity. Still, he suggested, the
nation would be better off if a few businesses escaped government
action if the sharing of information between industry and government
prevented terrorists from attacking the nation's IT infrastructure.
"What we're talking about is information that otherwise wouldn't have
been known," Bennett said.

Bennett said potential cyberattacks by American enemies would be waged
on networks and computers owned by private companies, since they
control between 85% and 90% of the nation's critical IT
infrastructure. "The future battlefield is in private hands," he said.

Most businesses don't share sensitive information about their IT and
network vulnerabilities with federal authorities. An FBI survey
released last month revealed that 90% of respondents detected computer
security breaches in the previous 12 months, but only 34%--up from 16%
in 1996--reported these intrusions to law enforcement. "The two
primary reasons for not making a report were negative publicity and
the recognition that competitors would use the information against
them," Richard Dick, director of the FBI's National Infrastructure
Protection Center, told the committee.

Bennett's bill would not only exempt businesses that voluntarily share
information from FOIA provisions, but provide exemptions from
antitrust laws so they could share infrastructure information with
competitors in industry forums known as ISACs, or Information Sharing
and Assessment Centers, in efforts to thwart cyberattacks.

"Companies won't disclose voluntarily if it could bring financial harm
to them," said bill supporter Ty Sagalow, a board member of the
financial-services industry's ISAC and chief operating officer of
insurer American International Group's E-Business Risk Solution unit.
"The risk is too great. Better to keep your mouth shut. Better safe
than sorry."

But Alan Paller, director of research at the SANS Institute, which
trains cybersecurity software developers, doubts the bill will get
companies to share such secrets. "Companies see no advantage in
reporting," he said. "If government wants companies to report more
attack data, make reporting mandatory."

David Sobel, general counsel of the Electronic Privacy Information
Center, said the Bennett bill is unnecessary, noting that provisions
in the FOIA and court precedent already provide protections to
businesses that want to keep sensitive corporate data secret. The bill
could keep secret unsafe practices engaged in by private operators of
nuclear power plants, water systems, chemical plants, oil refineries,
and other facilities that could pose a risk to public health and
safety, Sobel said. "In short," he said, "critical infrastructure
protection is an issue of concern not just for the government and
industry, but also for the public."



-
ISN is currently hosted by Attrition.org