Groups call proposed cybersecurity bill a 'smokescreen'
Consumer protection and privacy groups are raising opposition to elements of a draft computer security bill that Republican Sens. Robert Bennett of Utah and Jon Kyl of Arizona had planned to introduce Thursday but postponed until September to woo more cosponsors.
The draft legislation, which provides businesses with exemptions from the Freedom of Information Act (FOIA), antitrust prosecution, and lawsuits that could stem from the disclosure of cybersecurity information, parallels many provisions in a bill, H.R. 2435, introduced by Virginia Reps. Tom Davis, a Republican, and James Moran, a Democrat. Consumer protection and watchdog organizations said the bills' real intent is to exempt businesses from liability. David Sobel, general counsel to the Electronic Privacy Information Center, described the oft-mentioned concern about FOIA as a "smokescreen" for the anti-liability provisions. "Many of us have concluded that the industry is looking for a very broad immunity," Sobel said. "What they are asking for is that [information shared with the government] could never be used against them." Consumer groups paint a scenario in which businesses engaged in computer security and others would share information about potential negligence with the government. Under a July 30 draft of the Bennett-Kyl bill, which Sobel made available, such voluntarily submitted information may not be used in lawsuits by government agencies or by third parties. "If a power plant turns over information about security problems and later has a disaster as a result of that vulnerability, anyone injured by that failure apparently can't use that information given to the government in a civil suit against the company" should the bill pass, Sobel said. Business groups that support the legislation described such scenarios as far-fetched and said both the House bill and draft Senate bill are narrowly tailored to protect companies from liability--not immunity--for computer security information. "Today they are not sharing that information with anyone," said Bruce Heiman of Americans for Computer Privacy. "The government has said they want [businesses] to share information. Industry is trying to respond." "The idea behind the [legislation] is that [businesses] are not going to share information if it is going to come back to haunt them," Heiman said. "The reason we are so supportive of this legislation is because it gets rid of the disincentives to information sharing between industry and government," said Shannon Kellogg, vice president for information security at the Information Technology Association of America. Press groups argue that the legislation would keep the public from obtaining information under FOIA. "We have no problem with private information sharing, but the second they bring the government in on this process, it becomes the public's information," said Kevin Goldberg, counsel to the American Society of Newspaper Editors. "The more distressing part is that the companies say [the problem] is big enough for the government to be consulted but not important enough for the public to be involved," Goldberg said. "Someone has to act as a check on the company's own remedy process. If not the press and the public, then who? And if not through FOIA, then what?"