Analysis of Cyber Security Information Act
by Guest Blogger, 2/26/2002
HR 4246, the "Cyber Security Information Act," is the first volley coming from a push by industry over the last year or two to carve out an exemption to the Freedom of Information Act. The bill reflects industry's concern to protect information about vulnerabilities from those who would use or exploit that information.
What The Bill Does
The bill creates five new definitions and a new FOIA exemption.
Definitions
Critical Infrastructure is defined as "facilities or services so vital to the nation or its economy that their disruption, incapacity, or destruction would have a debilitating impact on the defense, security, long-term economic prosperity, or health or safety of the United States."
Cyber Security is defined as "the vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety."
A Cyber Security Internet Website is "an Internet website or other similarly electronically accessible service, clearly designated ... by the person or entity creating or controlling the content ... as an area where cyber security statements are posted or otherwise made accessible to appropriate entities."
A Cyber Security Statement is "any communication or other conveyance of information by a party to another, in any form or medium, including by means of a cyber security Internet website" concerning:
- an assessment, projection or estimate concerning the cyber security of that entity, its computer systems, its software programs, or similar facilities of its own;
- plans, objectives, or timetables for implementing or verifying the cyber security thereof;
- test plans, test dates, test results, or operational problems or solutions related to the cyber security thereof; or
- reviewing, commenting on, or otherwise directly or indirectly relating to the cyber security thereof.

A Cyber Security Data Gathering is a "request for the voluntary provision of information relating to cyber security, including cyber security statements." Any Federal entity, agency, or authority may make the designation.