There is an alternative to trying to entice corporations to share information security data by means of weakening federal freedom of information laws, US Representative Janice Schakowsky said at a hearing of the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. "That is to say this information isn't voluntary - we require it," she said.
If Schakowsky, a ranking committee Democrat, were to make good on her threat, she would face opposition from Bush administration officials, who have repeatedly opposed forcing companies to share information about threats, software vulnerabilities and other data-security-related information. Instead, the administration is working to convince private companies to cooperate voluntarily with the government.
Key to this voluntary sharing effort are provisions in pending legislation to create a cabinet-level homeland security department.
That legislation would include new exemptions to the federal Freedom of Information Act (FOIA) for information security. The intention is to help the private-sector Information Sharing and Analysis Centers (ISAC), which are industry-specific groups intended to assist private-sector companies with protecting themselves from cyberthreats.
Stanley Jarocki, vice-president for information security at New York-based Morgan Stanley Dean Witter and chairman of the financial services ISAC, said at the hearing that fear of disclosure "has severely hindered information sharing efforts". He called for a "narrowly written" exemption.
How narrow an exemption is the point of contention. Schakowsky, as well as civil liberties groups, have accused the Bush administration of backing a measure that was overly broad and could conceivably be used by a company to hide unpleasant information - a pollution incident, for example - from public disclosure under the guise of security.
John Tritak, director of the Critical Information Assurance Office, said the Bush administration wants a narrowly crafted rule. "No one is talking about a safe haven for illegal activity," he said.
Scott Charney, the chief security strategist at Microsoft, said the argument that companies will use exemption from FOIA obligations to hide information "presumes that this information is public information today. It's not".
Companies involved in an ISAC share threat and suspicious activity use data to detect patterns, software vulnerability information and other intelligence. The government would like to see more of that data.