Analysis of Cyber Security Information Act

HR 4246, the "Cyber Security Information Act" is the first volley coming from a push by industry over the last year or two to carve out an exemption to the Freedom of Information Act. The bill reflects the concerns of industry to protect information about vulnerabilities from those who would use or exploit that information.

What The Bill Does

The bill creates five new definitions and a new FOIA exemption.

Definitions

Critical Infrastructure is defined as "facilities or services so vital to the nation or its economy that their disruption, incapacity, or destruction would have a debilitating impact on the defense, security, long-term economic prosperity, or health or safety of the United States."

Cyber Security is defined as "the vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety."

A Cyber Security Internet Website is "an Internet website or other similarly electronically accessible service, clearly designated ...by the person or entity creating or controlling the content...as an area where cyber security statements are posted or otherwise made accessible to appropriate entities."

A Cyber Security Statement is "any communication or other conveyance of information by a party to another, in any form or medium, including by means of a cyber security Internet website" concerning:
  • an assessment, projection or estimate concerning the cyber security of that entity, its computer systems, its software programs, or similar facilities of its own;
  • plans, objectives, or timetables for implementing or verifying the cyber security thereof;
  • test plans, test dates, test results, or operational problems or solutions related to the cyber security thereof; or
  • reviewing, commenting on, or otherwise directly or indirectly relating to the cyber security thereof.
It does not include statements contained in documents or materials filed with the Securities and Exchange Commission or with federal banking regulators.

A Cyber Security Data Gathering is a "request for the voluntary provision of information relating to cyber security, including cyber security statements." Any Federal entity, agency, or authority may make the designation. The request for a cyber security data gathering "shall be a request from a private entity, agency, or authority to a Federal entity, agency or authority." The responses can be gathered by "a Federal entity, agency, or authority, or, with its consent, another public or private entity, agency, or authority." When a Federal entity... has voluntarily been given cyber security information gathered by a private entity..., including by means of a cyber security Internet website, a cyber security data gathering "shall be deemed to have been made and to have specified such a private entity [as the response gatherer]."

Exemption

Having created a definition of "cyber security statements," the bill exempts "any cyber security statements or other such information provided by a party in response to a special cyber security data gathering request" from disclosure under the FOIA, its disclosure "to or by any third party," and its use "by any Federal or State entity, agency, or authority or by any third party, directly or indirectly, in any civil action arising under any Federal or State law." The bill does except information separately obtained by a Federal entity...or any third party through the use of independent legal authorities, and does not preclude information so obtained from being used in any action. And the restriction on use or disclosure cannot be applied to information "disclosed generally or broadly to the public with the express consent of the party."

Cyber Security Working Groups

The bill also states that the President may establish and terminate working groups composed of federal employees who will engage with outside organizations in discussions to address cyber security, and to share information related to cyber security. The President is to maintain and "make available to the public" a printed and electronic list of such working groups and a point of contact with each, and is to seek to "achieve a balance of participation and representation among the working groups." The President is also to establish procedures for announcing in advance each meeting of a working group.

BILL ANALYSIS

While, as the openness community has noted to both the Executive Branch and some members of Congress, there are indeed specific types of information that industry may need and want to share with specific agencies about specified threats and vulnerabilities, this bill casts a blanket of secrecy over potentially vast amounts of information that the public may have a need and a right to know. And it is not that they are keeping it secret from everyone — they are happy to share it with others inside the Information Sharing and Analysis Centers (ISACs) created by Presidential Decision Directive 63. There are two fundamental flaws in this proposed legislation: overly-broad and vague definitions; and a lack of a governmental process.

Overly Broad and Vague Definitions

The definition of critical infrastructure as facilities or services whose "disruption" "would have a debilitating impact on the defense, security, long-term economic prosperity, or health or safety of the United States" is so open-ended that virtually anything could come under it.

Similarly, the definition of cyber security to include the vulnerability of any computing system, software program or, of course, critical infrastructure potentially encompasses every computer in the world — not to mention the facilities and services pulled in through the term "critical infrastructure." Further issues arise with questions of whether critical infrastructure includes physical infrastructure (bridges, highways, water systems) or whether the sought-after protection should apply only to computer/telecommunications-related infrastructure (some of which is also physical). Some of the issues here have to do with the balancing of the public's right to know about unsafe practices engaged in by water systems, chemical plants, oil refineries, and so on versus the ostensible need to prevent these unsafe practices from providing objects of opportunity for would-be terrorists. Particularly where physical infrastructure is the consideration, there may be financial disincentives to fixing problems but great financial and legal incentives to shielding information about problems.

The definition of cyber security goes on to specify that the vulnerability is through the "misuse of, or by unauthorized means of, the Internet, public... telecommunications systems." What are "unauthorized means" of the Internet or public telecommunications systems; what is the legal definition of "misuse of the Internet"? The definition does not stop there, though. It goes on to state that the vulnerability can be occasioned by "other similar conduct" that "harms interstate commerce." What do either of these phrases mean?

A cyber security statement is similarly overly-broad in its definition. It is any communication or other conveyance of information in any form or medium by a party to another concerning specified types of information. The types of information covered in this definition do begin to lay out the specific types of information for which some protection from immediate disclosure might be warranted. However, the over-reaching found elsewhere in the definitions continues here under (iv) "reviewing, commenting on, or otherwise directly or indirectly relating to the cyber security thereof." So, this language could be read to bring within the compass of protection from public disclosure communications anywhere that reviewed, commented on, or were "otherwise directly or indirectly relating to" the security or other practices of any company which wished to invoke the designation.

No Government Process

The process created by this bill for designating the information to be exempted from the FOIA is unique. Basically, a private entity asks a federal entity for a "cyber security data gathering request" and then can designate (specify) itself as the gatherer of responses to the request. Any "cyber security statements or other such information" provided in response to such a request is exempted from disclosure under the FOIA. There is virtually no role for any government agency here except to do the bidding of private entities in protecting information from the public — other than the other private entities in the ISACs. There is no discretion allowed on the part of the government in accepting these requests or in protecting the information.

FACA

The bill also exempts the Working Groups it authorizes from the Federal Advisory Committee Act (FACA). This is inappropriate if the government is going to be creating policy on the basis of the information that is shared with it.

Text of Bill HR4246