Bush supports limits on disclosing details of hacking

[InfoSec News <isn () c4i org>]

http://www.nandotimes.com/technology/story/147053p-1435336c.html

By TED BRIDIS, Associated Press 

WASHINGTON (October 18, 2001 9:39 p.m. EDT) - An administration expert
in computer security confirmed Thursday that the White House will
support proposals to withhold details about electronic attacks against
the nation's most important computer networks.

The proposed changes, meant to encourage corporate victims of hackers
to report crimes, would restrict government agencies' disclosures
about attacks under the Freedom of Information Act. The proposal seeks
to overcome traditional reluctance by industries, especially
technology, to reveal potentially embarrassing details without fear of
disclosure.

In a letter to the chairman of the National Security and
Telecommunications Advisory Committee, President Bush said he will
"support a narrowly crafted exception ... to protect information about
corporations' and other organizations' vulnerabilities to information
warfare and malicious hacking."

Bush sent the letter three weeks ago to Daniel Burnham, chairman of
Raytheon Co., who heads the advisory committee. The Associated Press
obtained the letter Thursday.

John Tritak, director of the federal Critical Infrastructure Assurance
Office, confirmed during a Thursday speech to technology executives
the administration's support for such a "narrowly crafted" exemption
to the information act. Tritak cautioned that any change must be
"fully protective of open government and privacy."

Other officials, including Ron Dick, director of the FBI's National
Infrastructure Protection Center, privately have expressed support for
an FOIA exemption to encourage broader sharing of threat information
between industries and the government.

"This is a much stronger, more-clear message from the administration,"
said Harris Miller, head of the Information Technology Association of
America, a trade group that supports the new limits.

Support by President Bush marks a shift from the Clinton
administration, which said existing restrictions on FOIA disclosures
were adequate for protecting sensitive corporate information.

In a different move to limit information available under the U.S.
information law, Attorney General John Ashcroft ordered federal
agencies this week to review more closely which documents they
release. Ashcroft's new policy allows officials to withhold
information on any "sound legal basis." Under looser policies issued
in 1993, agencies could hold back information to prevent "foreseeable
harm." Ashcroft cited the Sept. 11 terrorist attacks against New York
and Washington as reasons for the change.

Currently, Sens. Robert Bennett, R-Utah, and Jon Kyl, R-Ariz., and
Reps. Tom Davis, R-Va., and James Moran, D-Va., have introduced bills
to limit government disclosures about hacking attacks.

"If you do not pass this bill, industry will not tell government"
about hacking incidents against important networks, Bennett said
Thursday.

President Bush responded with support for the new FOIA exemption after
a request from Raytheon's Burnham over the summer on behalf of the
telecommunications advisory committee. Burnham wrote that "barriers to
sharing (information) must be removed" and asked the president also to
limit legal liabilities facing companies that make such disclosures.

Burnham's letter to Bush was originally obtained this week by the
Washington-based Electronic Privacy Information Center, which contends
that existing limits under the information law are adequate to
protecting disclosures about hacking attacks.

EPIC lawyer David Sobel charged Thursday that technology companies
want liability protections for hardware and software products that
might be flawed in ways that could allow security breaches. "Most of
us have concluded that companies really want the ability to unload
this information on the government, then wash their hands of it,"
Sobel said.

A White House official, who asked not to be identified, said Bush has
not committed to supporting any liability limits.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.