Stevan Mitchell U.S. Department of Justice Dear Mr. Mitchell, We have reviewed the draft you shared with us of legislation intended to exempt from public disclosure information about critical infrastructures submitted to the government by private sector entities. The draft was prepared by the Critical Infrastructure Information Sharing Drafting Group and is dated 11/29/1999. First, we would like to thank you for taking a consultative approach to working with public interest groups by providing us a draft of the proposed legislation. We believe that this was a sincere attempt at meaningful consultation and hope that it will continue, leading to a greater understanding on all sides of the infrastructure protection issue and other issues as well. However, we have many serious reservations about the legislative proposal and, more fundamentally, the approach to critical infrastructure protection that it implies. FOIA Exemption Your specific proposal involves creating a statutory exemption to the Freedom of Information Act (FOIA). The draft bill would create a new category of information: "critical infrastructure information provided voluntarily by a non-Federal source" to a government office involved in infrastructure protection and marked by the submitter as confidential. Such information would be exempt from public disclosure by virtue of section (b)(3) of FOIA, which exempts from FOIA's general rule of openness information that some other statute specifically requires the government to withhold. FOIA is a law of central importance to our system of accountable, democratic government. It should not be subject to carve-outs for special interests or special categories of information. FOIA already has nine exemptions, including ones for national defense and foreign policy; trade secrets and proprietary information; and records compiled for law enforcement purposes. Your proposal would go beyond these exemptions by removing from the purview of FOIA a broad new category of information, loosely defined as "voluntarily submitted critical infrastructure information." We see no compelling reason why the existing exemptions are not adequate to protect critical infrastructure information. In fact, the memo explaining and supporting the draft cites a recent DC Circuit Court decision showing that sensitive critical infrastructure information would already most likely be exempt from FOIA. If, as your memo states, the draft is "entirely consistent with prior precedent construing exemption (b)(4) protections for all types of confidential financial and commercial information" (p.4), then the proposal is simply not necessary. We are especially wary of (b)(3) exemptions: too often the courts have read them as broad mandates to not review withholding decisions, undermining FOIA's crucial principle of judicial review. The current draft is not narrowly tailored. The bill would essentially delegate to private sector companies the ability to decide what information in government files gets made public. There would be no room for agencies to reject industry claims of confidentiality even if the agency concluded that the information was not sensitive or not even relevant to infrastructure protection and no opportunity to challenge the industry designation, as is the case when access is blocked through one of the traditional FOIA exemptions. Once a company submits a document marked with the magic words prescribed by the bill, government officials are deprived of any authority to make that information public, even if they conclude that it is not sensitive, or, moreover, even if they conclude that the critical infrastructure interests of the government would be served by making the information public. The bill could diminish the amount of information currently available to the public by giving companies the ability to claim a new "voluntary submission" exception. Some of the bill's loopholes are especially troubling:

• While the exemption has a time limit of five years, companies have the ability to extend the exemption in perpetuity. A company could voluntarily submit information and then, under the proposal, renew its FOIA exemption every five years. This recalls abuse of the "OADR" designation on national security information.
• Information otherwise in the public arena would not be available through the government. Even if the company selectively made the same or similar information public on its own, the information in government files would still be unavailable to the public through a FOIA request, breeding an air of mistrust between the government and its citizens. We also have some outstanding questions regarding two other issues:
• "Independently obtained information" (page 3) - While the draft does address this issue, it is unclear to us how this process would work, since the draft would create information that is exempt from FOIA in one instance and not in another. Would agencies check the information as it comes in against all current information held regarding a particular company or would FOIA officers be instructed to continue looking for information in other places even if it has been voluntarily submitted? We also assume that information that may fit into this category would be open for judicial review.
• "Limited disclosure" (page 3) -- What is the process for establishing procedures? Would this be an independent rulemaking process?

Secrecy and Critical Infrastructure Protection We also object to the proposal because it would contribute to the counterproductive concept that more secrecy about computer security flaws will lead to improvements in computer security. The modern-day problems of infrastructure vulnerability flow from the fact that critical infrastructures are dependent upon networked computers and the software running those computers is vulnerable to outside attack, due to design failures. Trying to hide those design failures is not the best way to promote protection of critical infrastructures. Given the global, decentralized, user-controlled nature of the Internet and the technologies that support it, the most effective approach to computer security is greater openness, not greater secrecy. Center for Democracy and Technology Center for National Security Studies Federation of American Scientists National Security Archive OMB Watch