Proposed computer security bill under fire

(CNN) -- A bill designed to protect confidential company information is under fire from critics who characterize it as unnecessary and an invitation to abuse.

The Cyber Security Information Act would exempt confidential data of private computer companies shared through a public-private partnership from the requirements of the Freedom of Information Act (FOIA), the Sherman Antitrust Act and civil litigation.

The bill, introduced Wednesday by Reps. Tom Davis, R-Virginia, and Jim Moran, D-Virginia, comes in response to the Clinton administration's call for more cooperation between the public and private sectors in order to increase the security of computer networks.

The bill is modeled after a similar law that exempted some companies from repercussions during Y2K preparations. "Many in the private sector have expressed strong support for this model but have also expressed concerns about voluntarily sharing information with the government and the unintended consequences they could face for acting in good faith," Davis said in a statement.

Davis said companies were concerned that information shared with the government as part of a cooperation effort would find its way elsewhere, through an FOIA request, or could become the center of an antitrust or civil legal action. The FOIA is used frequently by journalists and in connection with civil litigation.

David Sobel, general counsel for the Electronic Privacy Information Center, calls the bill "unnecessary" and objects to yet more protection for companies.

"The FOIA already contains an exemption, as it has for the last 25 years, that protects confidential business information if the release of the information could create some harm or damage to the submitting company," Sobel said. "The courts have interpreted that the exemption is adequate."

Sobel says this issue, coming quickly after several high-profile computer intrusions such as February's denial of service attacks, isn't new and doesn't deserve special consideration. He argues that a company's data deemed valuable to hackers may also be valuable to a consumer group seeking reparations from a company. If it is kept private, it would be inaccessible to both groups.

"There are some very legitimate community concerns that a lot of companies would like to conceal in the name of fighting cyber-terrorism," Sobel said. "It will become too easy to hide behind the shield of critical infrastructure protection in the same way that organizations in the past hid behind 'national security' to protect information that they didn't want to have disclosed."

But Davis' office likens this situation to national security, too, in that there is no comprehensive assessment of vulnerabilities in critical infrastructure.

"These industries do in fact constitute a large portion of our nation's national security," says the congressman's communications director, Dave Marin, "because they manage our economic well-being, health and safety."

The FOIA does mention an exemption of "trade secrets and commercial or financial information obtained from a person and privileged or confidential," but Marin says the FOIA exemption isn't specific enough.

"FOIA does protect proprietary information and information that is being obtained as part of a law enforcement investigation, but not information on vulnerabilities within operating systems," he said.

The bill is a part of the ongoing work to resolve suspicions and develop more personal relationships between government agencies and high-tech companies. President Clinton recently called for the creation of Information Sharing and Analysis Centers for each critical infrastructure field. A federal agency representative and a private-sector official will jointly head these groups, assessing threats and protecting computer systems from both internal and external attack.

A lack of understanding isn't the only hurdle for better infrastructure security. In even the smallest computer intrusions, companies are wary of working with law enforcement, fearing public embarrassment and the loss of valuable computer secrets.

For its part, the Federal Bureau of Investigation continues to set up meet-and-greet sessions, dubbed INFRAGARD chapters, in order to break down those barriers.
© 2001 Cable News Network. All Rights Reserved.