Good morning, Mr. Chairman and distinguished Members of the Subcommittee.
I am honored to be here today. I
am testifying on behalf of the Information Technology Association of America -
known as ITAA - (http://www.itaa.org/infosec)
where I serve as Co-Chair of the Information Security Committee and Vice Chair
of the Homeland Defense Task Group. I also am a Board Member of the Information
Sharing and Analysis Center for the Information Technology industry sector - the
IT ISAC (http://www.it-isac.org) -
in which my company is a founding member and which ITAA was instrumental in
forming. And I represent Mr.
Van Honeycutt, the CEO of my company, Computer Sciences Corporation, in the
President's National Security Telecommunications Advisory Committee - more
easily pronounced as the acronym NSTAC - (http://www.ncs.gov/nstac/nstac.htm),
a body that provides the President of the United States with industry advice
regarding critical, information and telecommunications services supporting our
national economy and other critical functions of society.
Mr. Honeycutt chaired the NSTAC from September 1998 to September 2000.
During that period I served as the chair of the working body of the NSTAC,
the Industry Executive Subcommittee Working Session. Many of the companies
represented in the NSTAC membership are also members of ITAA.
ITAA represents
a broad spectrum of information technology and communications companies, and
supports the very important goal of increasing information sharing 1.) within
the private sector and 2.) between industry and government in order to better
protect our nation's critical infrastructure and to promote and sustain global
physical and economic security.
Also, Mr.
Chairman, I would like to reference a proposal that ITAA noted in letters to
Commerce Committee Chairman Tauzin and Ranking Member Dingell last week.
As this Subcommittee and the full Committee review the Homeland Security
Act of 2002 or H.R. 5005 and considers possible changes to the bill, ITAA
encourages you and your colleagues to work with the Bush Administration to
highlight information security in the new Department.
Towards this
end, ITAA recommends creating a Bureau of Cyber Security headed by an Assistant
Secretary for Cyber Security. Under
the current proposal, the components that would be merged into the Department of
Homeland Security from other departments and agencies that focus on cyber
security (e.g. NIPC, NCS, CIAO, and Cybercorps) would be included with those
that focus on physical security in the new Information Analysis and
Infrastructure Protection division. This
melding would be a mistake. The
challenges in the cyber world are sufficiently different from those in the
physical world to merit a Bureau that focuses on Cyber Security and that is headed by a
Senate-confirmed public official.
This proposal
would have the Assistant Secretary for Cyber Security reporting to the Under
Secretary for Information Analysis and Infrastructure Protection.
There would be three bureaus in this new division under the revised
structure: 1. Bureau of Analysis and Warning, which would analyze all source
intelligence, 2. Bureau of Critical Infrastructure, which would develop
protection for physical assets, and 3. Bureau of Cyber Security, which would
conduct programs within the USG and with the private sector to protect
communications, the Internet, computer systems, and IT networks.
We believe that such a
structure would enhance the internal cohesion of U.S. cyber terrorism fighting
efforts, provide appropriate focus of resources and management visibility, and
lead to better homeland security in cyberspace. This only addresses one piece of the equation, however.
Just as the Internet interconnects a vast array of public institutions
and private entities, so too must the security policies and practices of public
and private domains be linked to bolster the safety of all concerned.
As you may know, Mr. Chairman, ITAA has endorsed H.R.
2435, the Cyber Security Information Act co-sponsored by U.S. Representatives
Tom Davis and Jim Moran, and S. 1456, The Critical Infrastructure Information
Security Act, co-sponsored by Senators Bob Bennett and John Kyl.
Today, we would like to express our support for a proposed amendment to
Title II of H.R. 5005 by Congressman Tom Davis. We
call on this Committee and Members of U.S. Congress that have not already
indicated their support for this legislation to do so today. For
reasons I will outline below, the certainty and trust these bills engender are
key to preventing or at least minimizing future threats to critical
infrastructures.
You may have
heard the numbers before. According
to the 2002 FBI / Computer Security Institute Survey:
A December 2001 ITAA / Tumbleweed Communications survey found:
- 70% of Americans are concerned about Internet and computer security.
- 74% expressed fears that their personal information on the Internet could be stolen or used for malicious purposes.
A study released yesterday by
Internet security firm Riptech, Inc. found that "…Internet attacks
against public and private organizations around the world leapt 28 percent in
the past six months, with most targeting technology, financial services and
power companies."
While these
numbers show the magnitude of the economic impact and also the concerns of the
American people about cyber attacks on our critical infrastructure, let me read
a passage from an article in late June 2002 from the Washington Post to
emphasize the sheer magnitude of the threat in this age of terrorism that we are
living in:
"Unsettling signs of al Qaeda's aims and skills in cyberspace have
led some government experts to conclude that terrorists are at the threshold of
using the Internet as a direct instrument of bloodshed.
The new threat bears little resemblance to familiar disruptions by
hackers responsible for viruses and worms.
It comes instead at the meeting points of computers and the physical
structures they control."
Sobering, isn't
it? But, government and industry
can work together to address this threat, reduce the economic impact of cyber
attacks, and help reduce Americans' very understandable and justified concern
about the possibility of cyber attacks on our nation's critical infrastructure.
Information sharing between government and the private sector is a very
important part of detecting and mitigating cyber threats.
As the U.S.
General Accounting Office (GAO) stated in an October 15, 2001 report entitled
"Information Sharing: Practices That Can Benefit Critical Infrastructure
Protection," information sharing and coordination "are key elements in
developing comprehensive and practical approaches to defending against
computer-based, or cyber, attacks which could threaten the national welfare."
"…The
importance of sharing information and coordinating the response to cyber threats
among various stakeholders has increased as our government and our nation have
become ever more reliant on interconnected computer systems to support critical
operations and infrastructures, such as telecommunications, power distribution,
financial services, national defense, and critical government operations.
Information on threats and incidents experienced by others can help
stakeholders identify trends, better understand the risks they face, and
determine what preventative measures should be implemented."
Many of the
same concerns regarding information sharing existed in the period leading up to
the Year 2000 date rollover, and resulted in an unprecedented effort between
industry, government and the public interest sectors to support the drafting and
passage of Federal legislation to remove legal obstacles—FOIA, antitrust, and
civil liability—from “Y2K readiness disclosures” that were an essential
element of our successful addressing of the date change challenge.
Indeed, many of the same elements in the Year 2000 Information and
Readiness Disclosure Act of 1998 are found in the Davis-Moran and Bennett-Kyl
bills. This is not surprising, given that many of the same individuals who
labored to assure that we met the Y2K challenge successfully have since taken
leading roles among critical infrastructure providers to assure that terrorism
does not succeed where Father Time did not, for example by helping to draft
this legislation.
In short, ITAA
joins with our critical infrastructure providers in believing that effective
information sharing can:
1) reduce the harm and impact of attacks on critical infrastructures;
2) help the owners and operators of critical infrastructure systems in multiple sectors to determine the nature of an attack;
3) provide timely warnings;
4) provide analysis to both industry and government to prevent future attacks;
5) mitigate attacks in real-time; and
6) assist in re-constitution and recovery efforts.
As I stated at
the outset, ITAA supports the very important goal of information sharing.
Strong and unwavering support of that goal is why ITAA and its members
are cooperating with several other sectors and a variety of government partners
in the National Cyber Security Alliance (http://www.staysafeonline.info),
the Partnership for Critical Infrastructure Security (http://www.pcis.org),
and the CyberCitizen Partnership (http://www.cybercitizenship.org).
Support of that
goal is why ITAA helped found the IT Information Sharing and Analysis Center (http://www.it-isac.org)
and is the reason that ITAA has worked to help develop and facilitate private
sector input for the Information & Communications Sector into the
President's National Strategy for Critical Infrastructure and Cyberspace
Security, a plan that Presidential Advisor Dick Clarke calls "a living
document" that will change as the threats change.
Support of that
goal is why ITAA and its sister associations from around the world have
prioritized e-security and critical infrastructure assurance as public policy
priorities in the 46-country World Information Technology and Services Alliance
or WITSA (http://www.witsa.org), and is why
ITAA and WITSA sponsored the first Global InfoSec Summit now nearly two years
ago.
Support of that
goal is why ITAA continues to raise awareness of critical infrastructure
assurance and e-security challenges as a business continuity issue, if not a
business survivability issue at the CXO (CFO, CTO, etc.) and Board level among
our member companies and throughout the private sector.
Support of that
goal is why ITAA and its members are so committed to building trust-based
relationships with law enforcement officials and agencies at every level of
government and internationally.
Support of that
goal is why ITAA and many of its sister associations -- which represent millions
of small and medium businesses as well as large corporations -- have been in
strong support of the bi-partisan legislation that I referenced earlier.
H.R. 2435 and S. 1456 were introduced in both the U.S. House of
Representatives and U.S. Senate last year to remove narrowly defined legal
barriers to information sharing within the private sector and between the
private sector and government.
Better
information sharing is a necessary step to leveling the playing field in the
critical infrastructure assurance world. How
so? "Bad actors" have
great advantages when it comes to pooling what they know about hacking tools,
malicious code, network vulnerabilities and the like.
One of the ironies of the Internet is that it can serve as a school for
scoundrels, fostering hacker communities, serving as a classroom for future
attacks and helping cyber-psychos communicate their exploits.
Meanwhile,
sharing information about corporate information security practices is inherently
difficult. Companies are understandably reluctant to share sensitive proprietary
information about prevention practices, intrusions, and actual crimes with
either government agencies or competitors.
Information sharing is a risky proposition with less than clear benefits.
No company wants information to surface that they have given in
confidence, and that may jeopardize -- through misunderstanding or misperception
-- their market position, strategies, customer base, investor confidence or
capital investments, and certainly no company wants information to surface that
could aid terrorists or criminals.
Government
agencies seek detailed data about computer attacks for the purposes of better
law enforcement, earlier detection, and the promotion of best practices in
government and industry. Today,
however, corporate counsels advise their clients not to share voluntarily the
details of computer attacks with government agencies because the risk that such
data could ultimately be divulged through the Freedom of Information Act (FOIA)
– even over the agency’s objections – is unacceptably high.
The bottom
line? Uncertainty. Uncertainty
about whether existing law may expose companies and industries that voluntarily
share sensitive information with the federal government to unintended and
potentially harmful consequences. This
uncertainty has a chilling effect on the growth of all information sharing
organizations and the quality and quantity of information that they are able to
gather and share with the federal government.
We are not talking about a Harvard moot court debate. If we want to improve the way corporate America responds to
the threat of critical infrastructure attacks, government needs to give CEOs and
their corporate counsels the certainty that this legislation would provide.
I would like to
report on steps industry has already taken to promote information sharing and
how this process can be improved; I would also like to emphasize two points
about the proposed legislation:
- Government partners have come to the private sector to ask for information concerning current and potential vulnerabilities in various sectors of our national critical infrastructure. The private sector wants consistently to provide comprehensive and detailed information to government on a voluntary basis, but in order to do so has asked that that information be protected.
- The private sector AND the Federal Government both have agreed for years that it is important to develop and strengthen information sharing processes and organizations within the private sector, since we own and operate the majority of systems that make up and protect our country's critical infrastructure.
The
IT industry is one of several industries to adopt a formal approach to the
information sharing challenge. In
January 2001, nineteen of the nation’s leading high tech companies announced
the formation of a new Information Technology Information Sharing and Analysis
Center (IT-ISAC) to cooperate on cyber security issues. The objective of the IT-ISAC
is to enhance the availability, confidentiality, and integrity of networked
information systems. The
organization is a not-for-profit corporation that allows the information
technology industry to report and exchange information concerning electronic
incidents, threats, attacks, vulnerabilities, solutions and countermeasures,
best security practices and other protective measures.
I am proud to be a Founding Board Member of that organization.
On the
telecommunications side of the Information and Communications - or
"I&C" - Sector, an ISAC has been formed by the National
Coordinating Center for Telecommunications (NCC). Building on NCC's traditional role as the operational focal
point for the coordination, restoration, and reconstitution of national security
and emergency preparedness - or "NS/EP" - Telecommunications and
facilities, the NCC-ISAC facilitates voluntary collaboration and information
sharing among government and industry participants. The NCC-ISAC gathers
information about network vulnerabilities, threats, intrusions, and anomalies
from various sources, including the telecommunications industry and the U.S.
government. That information is
then analyzed with the goal of averting or mitigating the effects of computer
intrusions on the telecommunications infrastructure.
The
value of the ISAC approach is found in the ability to acquire and share
information with the group in a way that individual group members cannot
accomplish. This process often involves the rapid assessment and conversion of
information that individual ISAC members had held as proprietary and
confidential into a form that can be shared both with ISAC members and with
other affected or interested parties. ISACs are exchanging some
"sanitized" information between sectors and at times, on a very
limited basis, with the National Infrastructure Protection Center or NIPC.
The ISAC information product commonly deals with the provision of early
warnings of impending attacks, and the establishment of trends in types and
severity of attacks. If more legal
protections were in place, there could be more sharing of Internet threat and
solution information among the ISAC membership and other appropriate
organizations, including the Federal Government.
ISACs operate successfully because they are a closed community, founded
on mutual trust, and focused on prevention before a large attack occurs.
They differ markedly from other open communities whose duties are to
alert the more general networked public after a breach has occurred.
As
the world economy continues to become more international in nature, ISACs will
provide a rich source of useful, validated security threat information, for
those enterprises that do not, or are not able to, participate in the
information security structure. It is by sharing security data that the nation
and the world will be able to respond effectively to the continuing and growing
threat, both internally and externally, against critical infrastructures.
Two additional
points need to be made: First, this entire process is just getting underway.
While there are a few examples of the most competitive companies sharing
information within a few ISACs, more time is needed before we will be able to
measure real success. Relationships
of trust and confidence need to be built. That
is why the government, through legislation, has a critical role to play NOW, in
the formation of the process, and its encouragement.
Second, many in
the business community believe that their efforts are hampered by the
government’s apparent desire for a limited, one-way form of information
sharing. The government seems to
conduct much of its internal conversations about critical infrastructure on the
basis of classified information – the kind that can only be shared in very
restricted ways – and yet it expects the business community to share its own
sensitive information without any ironclad assurances of confidentiality,
certainly nothing like the treatment accorded classified information.
We are not seeking that level of protection, but as we encourage greater
sharing we must likewise promote the notion that the communication must flow in
both directions.
A lack of certainty is also a decided impediment to
sharing critical infrastructure information with government.
That kind of information is not “ordinary” and should be entitled to
the extraordinary treatment of a complete ban on FOIA disclosure.
Legislative proposals address this defect by taking the subject
information out of the realm of agency discretion to disclose.
We need to close the gate firmly when this information is shared with
government.
Concerns about
inappropriate release of sensitive infrastructure information via FOIA have
impeded current sharing with government. Dating
to September 1982, the NSTAC is perhaps the oldest and most successful industry
and government partnership to address telecommunications and information systems
issues impacting national security and emergency preparedness (NS/EP).
NSTAC
activities are the genesis for technical reports, recommendations to the
President, and NS/EP operational programs. Showing how industry and government
partnership is an integral part of the success of the NSTAC, the primary working
body of the NSTAC, the Industry Executive Subcommittee (IES) is chaired by a
government executive, the Deputy Manager, National Communications System.
The IES consists of executive representatives appointed by each NSTAC
Principal. The IES holds regular Working Sessions to consider issues,
analyses, or recommendations for presentation to the NSTAC members for their
approval. When an issue requires research or other examination, the IES forms a
task force to address it. For
example, the National Coordinating Center for Telecommunications (NCC), an
industry/Government coordination center for day-to-day operational support to
NS/EP telecommunications, began in 1984 from an NSTAC recommendation. More
recently, the NCC has established an Information Sharing and Analysis Center
(ISAC) function as part of its NS/EP telecommunications mission. The
Telecommunications Service Priority (TSP) System, once an NSTAC issue, is also
now an operational program. TSP is the regulatory, administrative, and
operational authority that enables priority provisioning and restoration of
telecommunications services for Federal, State, and local government users, as
well as nongovernmental users. Also originating from NSTAC activities, an
industry-based Network Security Information Exchange (NSIE) was created and
meets regularly with a Government NSIE in a classified forum to address the
threat posed to the public network as a result of actual or possible electronic
exploitation of system vulnerabilities.
Despite this
track record of success, its past experience with sharing of operational
information, and in light of the need for even more sensitive sharing to address
tomorrow’s threats, the NSTAC is on record as twice endorsing the need for
FOIA protection for voluntarily shared, critical infrastructure information.
Antitrust
concerns are another potential legal hurdle to information sharing.
We understand that the Department of Justice has offered assurances that
its program of business review letters would be forthcoming for information
sharing and analysis centers constituted under the Administration’s policies.
Yet the issuance of even a set of such letters would prove inadequate,
for at least three reasons. First,
such ISACs would have to be constituted with a view toward satisfying the
Department, as opposed to maximally fulfilling their primary mission.
Second, there is the unavoidable negative implication for numerous other
affected parties not in possession of a business review letter.
Third, the ISACs are not the only organizations that have been
constituted to share cyber threat information among industry sector members or
with Federal agencies.
Beyond federal
FOIA and antitrust -- and let me emphasize that ITAA believes that addressing the
FOIA issue is the heart of the proposed legislation -- the current bills go on
to clarify that critical infrastructure threat data shared voluntarily with the
government would not be disclosed either under the Federal Advisory Committee
Act (FACA) or under state FOIA laws. We
do recognize the federalism question that the second provision raises.
At the same time, homeland defense is creating a need for federal, state,
and local bodies to work jointly to a previously unprecedented degree.
In some instances, first responders will not be from federal agencies.
Information sharing ought not to dead-end at the federal level but should
flow all the way down to the first responders.
Without the same protection at the state level as at the federal, state
agencies will face the same lack of revealing detail that federal agencies are
experiencing today. In this regard,
language in §3(e) of H.R. 4598 recently passed by the House dealing with the
sharing among law enforcement agencies of homeland security information may
provide a model for treatment of FOIA-excluded critical infrastructure threat
information moving to the states and local governments.
Finally, the bills also call for limited use protection
-- not immunity -- so that critical infrastructure information disclosed to the
government cannot subsequently be used against the person submitting the
information. Opponents of this
legislation state that the provision is a smokescreen for promising unlimited
liability to the corporate community. Nothing
could be further from the truth. Once again, it bears repeating:
the subject of this legislation is information that the government has
requested informally from the business community. There is ample reason to grant limited use protection in
return for full disclosure of this information intended to help the government
accomplish its mission.
A comparison
with the legislative, public policy and marketplace purposes behind this
legislation and that underlying the Y2K legislation may be instructive.
In 1998, as today, many of the leading proponents of that legislation
were uncertain about the extent of the need to alter FOIA’s exemptions, in
order to assure that information would flow from the private sector custodians
to the government and beyond. But, lacking the luxury of time to wait for a
court test case, consensus in Washington was that a Congressional imprimatur of
approval of limited FOIA, antitrust and civil liability exposure (later provided
in the “Y2K Act of 1999”) was appropriate, indeed, critical, in view of the
scope of risk, and extreme reticence of many corporate holders of information to
share it.
A very similar
situation exists today with regard to custodians of critical infrastructure
threat and risk information. Whatever
position a legal scholar may take on the extent of FOIA’s present shield, an
affirmative statement of Congressional approval of ISACs and other information
sharing organizations is essential to our meeting the challenge of the terrorist
threat.
Attached to my
testimony is a list of several reasons why current FOIA language may
not be sufficient to protect critical infrastructure information from
disclosure. Ambiguity and
discretion remain the order of the day when it comes to agency decisions about
disclosure of any kind of business confidential data, despite its importance and
despite good precedents in some of the Federal Courts.
The lack of certainty is of course acceptable in the ordinary course of
business; it simply reflects the bias of FOIA in favor of disclosure, a bias
with which we do not quarrel. However,
critical infrastructure assurance cannot be considered business as usual.
With the
appropriate protections in place, legitimate businesses, law enforcement
agencies, intelligence agencies, and the Homeland Security organization -- in
whatever form it may take -- can share the information needed to ward off
attacks and track down attackers.
There has been,
in ITAA's view -- and this view has also been expressed by other associations
such as the Edison Electric Institute, the U.S. Chamber of Commerce, the
National Association of Manufacturers, the Financial Services Roundtable,
Americans for Computer Privacy, and the American Chemistry Council
-- a misunderstanding of the legislation by some critics.
Again, we are not calling into question the existing FOIA case law, which
taken together suggests that a federal agency would win a test case. Rather, we
are saying only that the risk of a loss of such a test case – as viewed by the
parties bearing the risk – remains unacceptably high. More importantly,
corporations should not be required to accept such risks, or the cost of
litigation, when reporting significant cyber events in an attempt to protect the
public interest. Second, the
proposed legislation has only to do with disclosure of computer attack data and
critical infrastructure protection. Normal
regulatory information gathering will proceed unimpeded, as it should.
In closing, I
would like to cite another passage from the Washington Post article that
I referred to earlier in my testimony: "We were underestimating the amount
of attention [al Qaeda was] paying to the Internet," said Roger Cressey, a
longtime counterterrorism official who became chief of staff of the President's
Critical Infrastructure Protection Board in October. "Now we know they see it as a potential attack vehicle.
Al Qaeda spent more time mapping our vulnerabilities in cyberspace than
we previously thought. An attack is
a question of when, not if."
The threats are
out there. Our critical
infrastructure is vulnerable. The
private sector and public sector must work together to understand, respond to,
and prevent these threats. That
is why there is clear unity in the private sector in favor of removing
disincentives to information sharing and that is why we support legislation in
the U.S. House of Representatives and U.S. Senate -- and specifically, we
recommend adopting Tom Davis' amendment to H.R. 5005, the Homeland Security Act
of 2002. We call on this
Committee and Members of U.S. Congress that have not already indicated their
support for this legislation to do so today.
Thank you, Mr.
Chairman. I would be pleased to
answer any questions that you and/or Members of this Committee may have at this
time.
APPENDIX 1:
Focus on the Freedom of Information Act
Reasons Current Law Fails to Adequately Protect Critical Infrastructure Threat Information
The Freedom of Information Act (FOIA,
5 USC 552) expresses the policy of the United States in favor of disclosure of
information in the government’s possession, to the greatest possible extent.
No one argues with this basic premise of government in America.
Transparency and open government are important parts of the foundation of
our democracy.
At the same time, no one disputes that when the government
engages in strategic planning and discussions about the national security and
national defense in the emerging and dangerous world spawned by the resurgence
of terrorism and the necessity of making war on it, the sensitive information
generated should be exempt from disclosure on grounds of overriding national
defense and foreign policy considerations.
In addition, no one disputes that the “Critical
Infrastructure” of the United States – from pipelines and electric utilities
to information networks and telecommunications, transportation systems for goods
and people and more -- is at risk of attack both prior to, and now, during the
war on terrorism.
The bulk of this critical infrastructure, however, is under
the ownership and control of America’s private sector, not the national
security umbrella of government. It
is time to recognize the important role in national security and foreign policy
that America’s critical infrastructure plays, and treat information related to
“any threat to the security of critical infrastructure” just as any other
information exempt from disclosure as a matter of national security.
That
is not the case today. Information
generated by the government and properly classified under “criteria
established by an Executive order to be kept secret in the interest of national
security or foreign policy” is exempt from disclosure.
Period. 5 USC 552(b)(1)(A)-(B).
Information generated by the private sector owners and operators of the
nation’s critical infrastructure and voluntarily shared with a government
agency may be treated as “confidential business information”,
but only if the agency makes a number of determinations in its discretion, and
it does not exercise its discretion to change its mind in the future.
Such information may also fit
within the FOIA exclusion for "law enforcement information" when
disclosure "could reasonably be expected to endanger the life or physical
safety of any individual" (5 USC 552(b)(7)(F)), but the
same reservations
about agency discretion apply here as well. Treatment of critical infrastructure threat information
should be “upgraded” by providing that it is specifically exempted from
disclosure by statute (5 USC 552(b)(3)), removing the extra burden of
discretionary treatment.
The change will not open the floodgates to a host of other
exemptions from disclosure. This
change would respond to a limited need for specific relief in the case of
information that rises to the level of a national security concern, but resides
outside the national security umbrella. It
does not seem likely that other requests for new exemption could meet this test.
It should be the case that upgrading this specific type of
information is in the interest not just of the business community, but also of
the government itself and the citizenry in general. It is in everyone’s interest to take the steps reasonably
necessary to protect critical infrastructure from attack, and learn from
incidents and recoveries that have taken place in the past.
What is clear is that current FOIA treatment of critical
infrastructure threat information makes the private sector reluctant to engage
in the full and frank disclosure of information to government that should be
taking place right now. Why is the
current FOIA treatment of critical infrastructure threat information less than
adequate? There are a number of
reasons. Here are several:
- Under current rules the submitter of information does not know whether it will be treated as confidential by the agency, and the agency will not make a commitment at the time of submission. This lack of certainty alone prevents many disclosures.
- Current policy requires that agencies not exercise their discretionary authority unless and until a disclosure request under FOIA is received. When a request is received, agencies have discretion to inform the submitter of the need to defend the confidentiality of their information. The agencies can decide they have enough information to make the decision without informing the submitter.
- Recent precedents (the Critical Mass case and its progeny) suggest that “voluntarily” submitted “trade secret, commercial or financial information” may be protected from disclosure if not “customarily” disclosed by the submitter. Nevertheless, every word in quotes represents a different discretionary determination that must be made by the agency at the time of a FOIA request. Submitters have their arguments to make, but no assurance that those arguments will be accepted.
- Recent precedents are not necessarily accepted throughout the United States in every judicial circuit. Submission of critical infrastructure threat information should not be expected to be limited to agencies in Washington, D.C.
- Information disclosed to competitors in an ISAC under the terms of binding non-disclosure agreements (NDA) conditioning ISAC membership may qualify for confidential treatment under the Critical Mass case, but absent strict compliance with such formal requirements – as could happen in the case of an incident recovery crisis or other emergency – disclosure by the submitter could lead to a finding that Critical Mass protections do not apply.
- Agencies always have discretion to decide that, despite a submitter’s claim of confidentiality and the reasons for it, the submitter’s claim in light of the passage of time or other considerations cannot be valid and the policy interests expressed by FOIA are stronger and enough to justify disclosure. That is a risk the business community has come to accept in its ongoing dialogue with government. It is not a risk that should have to be assumed for the treatment of critical infrastructure threat information.
- Some confidential business information turns stale with the passage of time, justifying the exercise of agency discretion. Critical infrastructure threat information does not. That alone should be reason enough to upgrade its treatment under FOIA.
In sum, it is essential to eliminate discretionary
treatment for this limited class of information.
The owners and operators of the nation’s critical infrastructures
should be able to have confidence that the information they share with
government will not be made public at a later date.
Today they do not have that confidence.