
Critical Infrastructure Information -- What's the Problem?
by Guest Blogger, 2/26/2002
According to government officials in both the executive and legislative branches, there is a growing concern among businesses that information they want to be able to share with government about vulnerabilities in the nation's critical infrastructure will not be held confidential once it is in the government's hands.
"Critical Infrastructure" and Vulnerabilities
The first problems arise with the definitions of Critical Infrastructure (is a hack on Goldman Sachs a CI threat?) and with the definitions of vulnerabilities (does potential political embarrassment count, as some have suggested?). Further issues arise with questions of whether Critical Infrastructure includes physical infrastructure (bridges, highways, water systems) or whether the sought-after protection should apply only to computer/telecommunications-related infrastructure (some of which is also physical). Some of the issues here have to do with the balancing of the public's right to know about unsafe practices engaged in by water systems, chemical plants, oil refineries, and so on versus the ostensible need to prevent these unsafe practices from providing objects of opportunity for would-be terrorists. This issue becomes even more significant when the proposals include liability immunity of unspecified duration for conduct of the parties submitting the information. The concern is that, particularly where physical infrastructure is the consideration, there may be financial disincentives to fixing problems but great financial and legal incentives to shielding information about problems. And, indeed, there is concern that some companies would use the CI designation to preemptively shield information that might be collected and disclosed by the government.
Critical Infrastructure Information
A second set of problems arises with the types of information for which protection is sought (do we need to protect the information that there is a software vulnerability or just the details of that vulnerability? the information that there is a switch or just the configuration of the switch?), the duration of the protection, and the process (or lack thereof) for applying a CI confidentiality protection to that information. Just as no clear and delimited definition of critical infrastructure has been given, so, too, there are no readily available examples of critical infrastructure information that was shared with government and then released through FOIA. Instead, we are being asked to trust their word about this and to rely on the industry's judgment about what information needs to be protected.
To put it plainly, our concern is that if CI information is given an expansive definition (or a vague one), this could lead to a significant erosion of FOIA -- with all this implies for government accountability and public oversight. Everything turns on the precision of the definition of CI and the information concerned — exemptions to the FOI Act should protect only limited and clearly described categories of information or we lose our freedom of information. Moreover, we do not think that addressing liability issues is necessary to effectuate the information-sharing goal.
Recommendations
There may be legitimate concern that some of this information would be vulnerable to disclosure, and government FOI attorneys have not given industry any assurance that they would protect the information. The openness community recognizes that there may, indeed, be kinds of information that are important for the government to receive and that may need some protection from disclosure. So, we urge that any proposal address five key dimensions of the problem:
- Scope
- Process
- Oversight
- Duration
- Purpose
