Industry counters criticism of cybersecurity info-sharing bills

The heads of eight technology and other industry groups seeking legislation designed to spur the disclosure of cybersecurity information are pushing the Bush administration to play a more active role in supporting the measure.

In a letter late last year to President Bush, the groups--which include the U.S. Chamber of Commerce, Americans for Computer Privacy, the Information Technology Association of America and the National Association of Manufacturers--attempted to counter what they termed "misunderstandings of the legislation by some critics."

Groups that favor open public records and defend civil liberties have protested the pair of bills, S. 1456 and H.R. 2435, each of which would grant businesses exemptions from the Freedom of Information Act (FOIA), antitrust prosecution and lawsuits that could stem from the voluntary disclosure of cybersecurity information to regulatory and enforcement agencies.

In December, more than a dozen environmental groups joined in that criticism and sent a letter to senators arguing that the bill "does not fulfill its stated purpose of protecting critical infrastructure information."

Instead, they said it would profoundly undermine the ability of the Environmental Protection Agency to sue polluters and argued that Congress should not, without a hearing, append the bill to other legislation, a strategy being pondered by bill sponsors.

The bill would apply to information about power plants' physical, as well as cyber, security. But technology industry groups have been nonplussed at criticisms of the measure, arguing that the scenarios critics imagine are far-fetched and extremely unlikely.

"This legislative package has only to do with disclosure of computer-attack data and critical infrastructure protection," read the letter, addressing the environmental groups' criticisms. "Normal regulatory information-gathering will proceed unimpeded, as it should."

The executives also argued that even though they believe existing FOIA law would protect cyber-attack information provided to the federal government from further disclosure, the risk that a judge could rule against them and mandate its disclosure under FOIA was "unacceptably high. Corporations should not be required to accept such risks, or the costs of litigation, when reporting significant cyber events in an attempt to protect the public interest."

The White House is "supportive in concept, but we haven't had any indication that they are supportive of the specific language," said Joe Rubin, director of congressional affairs for the U.S. Chamber of Commerce. "So we are working with them to get support for specific language."

The letter also outlines why the legislation's antitrust exemption would facilitate information sharing within industry. Although the Justice Department already has said that businesses' cooperation with Information Sharing and Analysis Centers (ISACs) does not violate the law, a change is necessary to protect corporations that participate rather than the ISAC itself.

The letter also was signed by the heads of the Edison Electric Institute, the Financial Services Roundtable and the Internet Security Alliance, a partnership of the Electronic Industries Alliance and Carnegie Mellon University's Software Engineering Institute and its CERT Coordination Center.