Hon. Joseph I. Lieberman
Chairman
Senate Governmental Affairs Committee
340 Dirksen Senate Office Building
Washington, DC, 20510
Hon. Fred Thompson
Ranking Member
Senate Governmental Affairs Committee
605 Hart Senate Office Building
Washington, DC, 20510
Re: Statement for the Record Concerning Public-Private Information Sharing and Critical Infrastructure Security
Dear Chairman Lieberman and Senator Thompson:
On behalf of the American Civil Liberties Union (ACLU) and its approximately 300,000 members, we welcome this opportunity to discuss proposals for information sharing between the public and private sectors with respect to critical infrastructure systems. We commend you for examining these issues in a hearing before your committee on May 8, and we ask that this submission be made a part of the record of that hearing.
The ACLU is a non-partisan, non-profit organization dedicated to preserving the principles of our constitutional democracy, including open and accountable government. We support legislative and administrative efforts to encourage greater information sharing about cyber-vulnerabilities in critical infrastructure systems, such as electricity grids, banking systems, and water systems. Such efforts are needed in order to ensure that critical systems are made secure from hackers and others who desire to do harm to the United States and its economy.
However, the ACLU strongly opposes proposals[1] to create a broad new exemption to the Freedom of Information Act (FOIA), 5 U.S.C. § 552, for information that companies provide about their "critical infrastructure" systems. The FOIA is the bedrock statute designed to preserve openness and accountability in government, and new exemptions to its provisions should not be created lightly.
Last year, special interest efforts to add a "critical infrastructure" exemption to the FOIA, without debate and without adequate consideration, were wisely shelved. Yet, following intense industry lobbying, these proposals have now been revived, even though:
- There is a virtual consensus in government and industry, even among supporters of a critical infrastructure exemption, that the current FOIA exemptions are sufficient to protect any confidential information about critical infrastructure that is voluntarily shared with the government.
- There is little confidence that creating a new exemption would be effective in encouraging greater information sharing, because many experts, including many industry experts, believe that to the extent companies are choosing not to share such information, it is for reasons other than a (wholly unfounded) fear of disclosure under the FOIA.
- Current proposals to create a new FOIA exemption are overbroad because they would protect not only those responsible corporate citizens who are attempting to address a vulnerability, but could shield both government and industry from scrutiny even if they fail to do anything to fix the problem.
This last concern is not theoretical. Earlier this year in Israel, the media obtained a government report that discussed the vulnerability of a fuel depot to terrorists. Military censors blocked publication of the report, and persuaded the mayor of Tel Aviv not to go public with a campaign to fix the problem. Nothing was done. Terrorists then attacked the fuel depot. In that case, public debate might well have forced action to address the problem. [2] Likewise, Soviet secrecy concerning its nuclear weapons program has hindered efforts to account for all of its nuclear missiles, seriously increasing the risk that terrorists will succeed in acquiring such weapons.
All too often, secrecy simply provides a shield for public and private incompetence. We are convinced that security and liberty need not be at odds.
The Freedom of Information Act: Essential to an Accountable Democracy
The FOIA is the bedrock statute that preserves government accountability by requiring government agencies to disclose information to requesters in a timely manner. The basic open government policy of the FOIA has worked well since the statute's enactment and has served as a model for both state and foreign governments' open records laws. As the Supreme Court has made clear, "Disclosure, not secrecy, is the dominant objective of the Act."[3]
The disclosure of information pursuant to the FOIA has for over three decades helped citizens protect the health and safety of their communities against environmental hazards. Of course, while certain information that is highly sensitive can and should be kept from public view, one cannot safely assume that is the case whenever the government invokes "terrorism." For example, disclosure laws, including the FOIA, have helped ACLU and other civil rights organizations obtain information about abusive government practices, such as arbitrary arrests and secretive detentions, information of vital interest to the public.
Since the attacks of September 11, 2001, a number of steps have been taken, many without adequate deliberation, to increase government secrecy and to reduce public access to government records.[4] As with other proposals that negatively impact civil liberties, many of these new policies have been proposed more out of a desire to take advantage of the public's fears of terrorism than from a genuine desire to make America safer. A sober second look has proven many to be unnecessary.
For example, both President Bush's executive order restricting access to presidential records and Attorney General Ashcroft's ill-advised memorandum discouraging agencies from releasing information under the FOIA have now been firmly rejected, on a bipartisan basis, by Chairman Burton and Ranking Member Waxman, of the House Government Reform Committee.
At the state level, a number of proposals have been advanced to weaken open records laws. In Florida, for example, over 160 proposals were advanced earlier this year to create new exemptions to that state's strong open records policy, embodied in its state constitution. Following a public outcry and after taking the time to deliberate, only a handful were enacted, and the legislature agreed to submit to the voters a proposal to require a two thirds vote of each chamber before any new exemptions are created.
Open government is a core American value. It should not be set aside for reasons other than genuine necessity.
Congress should ask three questions before enacting any proposed exemption. First, is a new exemption necessary? Second, will it work (i.e., will it actually encourage greater information sharing)? Third, will it backfire (e.g., by allowing companies and the government to hide their failures)?
Is a New Exemption Necessary?
If a proposed exemption for critical infrastructure information is not necessary, it should not be adopted out of a misguided effort to reassure private sector submitters that already exempt information "really" is exempt from disclosure. The FOIA is simply too important to the functioning of our democracy and accountability in government for exemptions to its provisions to be created for symbolic, rather than substantive, reasons.
The FOIA already contains a number of common sense exemptions that would cover critical infrastructure information the disclosure of which could result in harm. The FOIA does not require the disclosure of national security information (exemption 1), sensitive law enforcement information (exemption 7), or confidential business information (exemption 4).
Courts have carefully weighed the public's need for disclosure against the possible harms of disclosure under FOIA's traditional exemptions. In deciding whether to disclose technical information voluntarily submitted by private industry, courts have given substantial - many in the public interest and FOIA requester community would say excessive - deference to industry demands for confidentiality of business information under exemption 4.
Generally, information that a business voluntarily submits to the government on the basis that it be kept confidential is already exempt from disclosure if the company does not customarily release such information to the public and preserving confidentiality is necessary to ensure that the government will continue to receive industry's cooperation. See, e.g., Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F.2d 871 (D.C. Cir. 1992). It is difficult to see how any truly sensitive business information that was voluntarily submitted by a company concerning the vulnerabilities of its critical infrastructure could be released under this standard.
Indeed, supporters of a new FOIA exemption have, when pressed, been forthright in admitting that such legislation simply is not needed to protect sensitive information from disclosure. For example,
- Senator Bennett, chief sponsor of the FOIA exemption legislation, has admitted that "[t]he Freedom of Information Act itself" currently allows sensitive information to be protected. "That is, there are provisions in the Act that say information need not be shared" with the public.[5]
- John S. Tritak, Director of the Critical Infrastructure Assurance Office of the U.S. Chamber of Commerce, says "You could say that [in the] current environment, if you're very careful and you watch out, the old existing exemptions will cover any concerns that may arise under FOIA, not to worry."[6]
- Ronald L. Dick, Director of the National Infrastructure Protection Center of the Federal Bureau of Investigation (FBI), has said "[M]any legal authorities have agreed that the federal government has the ability to protect information from mandatory disclosure under the current statutory framework."[7]
- VeriSign public policy director Michael Aisenberg has said worries about disclosure were overblown because FOIA already protects sensitive information, and new legislation is simply not needed "substantively."[8]
Rather than put forward evidence that some information about critical infrastructure exists that is not adequately protected, supporters of a new exemption have said "it doesn't matter" whether current law provides adequate protection. Rather, it is said, a new exemption is needed because of a "perception" in private industry that there is some risk, however remote, that information that is voluntarily submitted to the government might be at risk of disclosure under FOIA.
If industry is unwilling to provide information to the government, despite adequate legal protection, the solution is not to change the law but to change the misperception by issuing legal guidance making clear the parameters of the FOIA as it currently exists. If a misperception exists that truly sensitive information that is given to the government cannot be protected from disclosure, it is hard to see how that will change if another exemption is enacted.
Would a New Exemption Actually Facilitate Greater Information Sharing?
There is a consensus that while much information is shared between industry and government concerning the vulnerabilities of their systems to cyber-attacks, more needs to be done. For example, much has been made of the fact that while 90% of respondents to an FBI survey on computer crime said they had security breaches, only 34% of these were reported to law enforcement.[9]
Fear of adverse publicity and its effect on a company's image undoubtedly plays a role in companies' reluctance to come forward. Yet there is no evidence that the reason for such reluctance is fear of disclosure of such information under the FOIA. Indeed, there is much reason for skepticism that FOIA plays any substantial role in causing industry to hesitate in reporting cyber-attacks to the government.
After all, if a company does report a cyber-attack to law enforcement, the company knows such a report could result in a prosecution in open court, revealing at the least the fact that an attack occurred and at most substantial technical details the company would prefer to keep secret. Law enforcement officials make clear that a number of factors result in industry reluctance to report cyber-attacks. Chief among these are "concerns about whether the Justice Department would pursue prosecutions at the expense of private sector business interest[s]."[10]
Again, industry sources themselves make this clear:
- Alan Paller, Director of Research, the SANS Institute says quite simply, "[A] clarification of the FOIA exemption is not going to cause companies to share cyber attack data with the government... [E]ven if you provide a perfect FOIA exemption, the companies under attack are unlikely to share the data."[11]
- John S. Tritak of the U.S. Chamber of Commerce: "I don't think we're going to solve this problem . . . with a passage of legislation . . . You're not going to get an avalanche of information being shared with the government just because you have this."[12]
- Harris N. Miller of the Information Technology Association of America: "[W]e all remember the old adage, Macy's doesn't tell Gimble's . . . . And particularly Macy's and Gimble's don't go tell the cops."[13]
If there is a consensus that (1) a new exemption is not necessary "substantively," and (2) a new exemption would not be effective in causing companies to share information they are currently reluctant to share, why risk it? Why risk the chance that a new exemption would allow important information that the public should have a right to know be made secret so that industry and government can evade accountability?
Would a New Exemption Backfire, By Hiding the Need for Corrective Action?
Creating an overbroad exemption for "critical infrastructure information" would undermine, rather than enhance, security. Such an exemption would permit private industry and the government to shield from the public the actions they are taking - and, more importantly, the actions they are not taking - to protect the public from attacks on critical infrastructures.
It would obviously be counterproductive for government to shield information currently subject to public scrutiny if such scrutiny would prod companies and the government to take corrective action. As the examples of the Israeli fuel dump and the Soviet Union's potential "loose nukes" demonstrate, such incentives are vital to protecting our nation's security.
Supporters of an exemption often cite the example of legislation adopted to deal with the "Y2K" computer problem, which also contained an exemption and is said to have worked well. This example of a discrete, widely known computer problem simply shows why a broader exemption would not work. Put simply, everyone knew about the Y2K problem, and there was enormous public pressure to fix non-compliant computer systems before it was too late. The proposed legislation, however, does not provide a FOIA exemption merely for information about how a specific widely-known problem - with a natural and inexorable time limit - might be fixed, but permits the very fact that a vulnerability exists to be kept secret indefinitely. Such secrecy undercuts the very incentive - public pressure - that worked so well to encourage efforts to fix Y2K before it was too late.
For all of the above reasons, ACLU opposes the enactment of a new FOIA exemption for critical infrastructure information. At the very least, however, any new exemption that Congress enacts should be subject to the following responsible limits:
First, any new exemption must be limited to clearly marked cyber-security documents, i.e., reports that describe cyber-attacks on a company's computer systems that have resulted or could result in some harm to its critical infrastructure. It should not apply to information about all vulnerabilities in critical infrastructure. Proposals to exempt information that is voluntarily shared with the government were developed to deal with the discrete and relatively new problem of cyber-attacks. To expand the scope of information that is exempted to include information about vulnerabilities to traditional physical attacks would interfere with a host of environmental and public safety regulatory regimes that have been developed over decades.
Second, any new exemption must be for written documents only, not "information" of all sorts. It would be virtually impossible to determine if information possessed by the government was the result of some oral conversation with a private sector company, making a FOIA exemption that covered such information unworkable and potentially devastating to the public's right to know.
Third, any new exemption must be limited in time, and should last for months, not years. A company which controls infrastructure that is vital to the public must have an incentive not only to share information, but also to do something to make itself less vulnerable to such attacks. A time limited exemption will give responsible companies and government agencies an incentive to fix their problem with due speed. Without a time limit, companies and the government can simply sit on the problem without any pressure to act.
Fourth, a new exemption should be an alternative to existing FOIA protections, not a new club to wield against FOIA requesters. Companies that wish to take advantage of the new exemption should clearly state on the relevant document they are requesting confidentiality under that exemption. Companies that fail to fix their vulnerabilities within a reasonable time limit, even with the protection of the new exemption, should not be allowed to take advantage of FOIA's other potentially applicable exemptions to cover up their failure to act after that time limit has expired. If companies believe the information they desire to share is protected under another FOIA exemption, they should be required instead to rely on that other exemption at the time of submission.
Finally, strict reporting requirements and a sunset clause should be included in the legislation to determine whether the new regime is working.
Conclusion
It is well known that many computer systems that control infrastructure that is vital to America's national and economic security have significant vulnerabilities. The threat of cyber-terrorism is very real. Nevertheless, Congress must tread cautiously as it considers wide-ranging proposals that could have unintended consequences for civil liberties and the public's right to know and could actually undermine, rather than enhance security.
We urge Congress to reject proposals to create yet another FOIA exemption because they are not needed, would not facilitate greater information sharing, and could actually undermine security. Even supporters concede that current law already exempts sensitive information from disclosure. Furthermore, disclosure under the FOIA is simply not the primary reason companies have been reluctant at times to report cyber-attacks to the government. Finally, if Congress is intent on pressing forward, we strongly urge responsible limits on any such exemption to make sure it protects companies that are doing what they must to fix their vulnerabilities, rather than shielding public and private incompetence from view.
Sincerely,
Laura W. Murphy
Director, ACLU Washington National Office
Timothy H. Edgar
ACLU Legislative Counsel
ENDNOTES
[1] Two bills that contain broad FOIA exemptions for "critical infrastructure" or "cyber-security" information are currently pending in the House and Senate: S. 1456, the Critical Infrastructure Information Security Act of 2001, and H.R. 2435, the Open Government and the Cyber Security Information Act. Recently, during markup of another, unproblematic critical infrastructure bill, S. 1989, an amendment was offered to enact FOIA exemption language. The amendment was withdrawn.
[2] See Aviv Lavie, Media: Sensing the Censor, Ha'aretz (Tel Aviv, Israel), May 29, 2002.
[3] Department of the Air Force v. Rose, 425 U.S. 352 (1976).
[4] For an overview, see Homefront Confidential: How the War on Terrorism Affects Access to Information and the Public's Right to Know, Reporters Committee for Freedom of the Press (March 2002), available at http://www.rcfp.org/news/documents/Homefront_Confidential.pdf.
[5] Senate Governmental Affairs Committee Holds Hearing on Private and Public Information Sharing and Infrastructure Security (FDCH Transcripts), May 8, 2002.
[6] Id.
[7] Id.
[8] Washington Internet Daily, April 18, 2002
[9] These figures were reported as part of the annual Computer Security Institute/FBI Computer Crime and Security Survey, released in April 2002. Statement for the Record of Ronald K. Dick, Director, National Infrastructure Protection Center, Federal Bureau of Investigation, on Critical Infrastructure Information Sharing Before the Senate Committee on Governmental Affairs, May 8, 2002.
[10] Ronald K. Dick, Director, National Infrastructure Protection Center, Federal Bureau of Investigation, Senate Governmental Affairs Committee Holds Hearing on Private and Public Information Sharing and Infrastructure Security (FDCH Transcripts), May 8, 2002.
[11] Senate Governmental Affairs Hearing, supra.
[12] Id.
[13] Id.