Environmental groups protest cybersecurity information sharing bill

More than a dozen environmental groups recently have joined civil liberties and consumer protection groups in their longstanding fight against legislation designed to spur the disclosure of cybersecurity information.

The environmental groups' vigorous campaign against the bill, S. 1456, has breathed new life into the opposition and could trigger a fight on Capitol Hill between environmentalists and the technology industry--which in the Clinton era prided itself on empathy with environmentalists. Industry strongly backs the cybersecurity bill, introduced by Republican Sens. Robert Bennett of Utah and Jon Kyl of Arizona.

The bill would provide businesses with exemptions from the Freedom of Information Act (FOIA), antitrust prosecution, and lawsuits that could stem from the voluntary disclosure of cybersecurity information to regulatory and enforcement agencies. Reps. Tom Davis, R-Va., and James Moran, D-Va., have introduced similar House legislation, but one environmental group said that measure is much narrower than Bennett-Kyl.

Joined by the Electronic Privacy Information Center (EPIC), the Center for Democracy and Technology (CDT), OMB Watch and others, the environmental groups last week sent a letter to senators, saying that the bill "does not fulfill its stated purpose of protecting critical infrastructure information," or the type of cyber information likely to be subject to attack. They urged the body to hold hearings on the bill and not to attach it as an amendment to other fast-moving legislation.

The environmental groups' complaints are more limited than those of open-records advocates; the environmentalists do not protest the legislation's stated intent but argue that it would profoundly undermine the ability of the Environmental Protection Agency to sue polluters.

Bennett spokeswoman Mary Jane Collipriest said the bill would do nothing of the kind. "This applies only to voluntarily shared information and does not supersede information required by the regulatory agency," she said.

The measure would define "critical infrastructure" to include both "physical and cyber-based systems and services," and it specifically would include infrastructures related to electric power, gas and oil production, and other environmental systems.

Advocates of the measure within the technology industry say critical infrastructure information must be broadly defined because such physical facilities increasingly are being controlled remotely via telecommunications networks--and hence are subject to the sort of cyberattacks the legislation is designed to prevent.

But even granting that need, Rena Steinzor, an academic fellow at the Natural Resources Defense Council, protested that the bill's specific inclusion of the EPA in the list of agencies affected means that the bill is designed to serve polluters' interests. "Why send sensitive information about computer intrusions to the EPA?" Steinzor said.

By sending information about physical plants to agencies collecting cyber information, utilities and other power plants could avoid civil actions by the government or by private plaintiffs, she said.

Spokeswomen for Bennett and the Edison Electric Institute, a supporter of the bill, countered that the measure would not exempt utilities from civil liability for submitting information in bad faith.

"It will not impede any civil lawsuits," Collipriest said. "It will not impact rulemaking, nor will it supersede statute or regulation."