Letter to Press on Cyber Disclosure

Several organizations wrote to express their strong support for two bills that address important cyber-security issues, H.R. 2435 (Davis-Moran) and S. 1456 (Bennett-Kyl).

December 21, 2001

The Honorable George W. Bush
President
The White House
1600 Pennsylvania Ave., NW
Washington, DC 20500

Dear Mr. President:

We are writing to express our strong support for two bills that address important cyber-security issues, H.R. 2435 (Davis-Moran) and S. 1456 (Bennett-Kyl). This support signals broad recognition by U.S. industry of the need to move from individual defense toward a common defense. Passage of these bills will constitute an important contribution to U.S. homeland security. With the clear support of your Administration, this legislation can be enacted. We wish to draw your attention to a positive contribution to U.S. homeland defense that, with the clear support of your Administration, is well within reach by the end of this year.

Malicious computer attacks are now doubling in frequency every year. Threats are mutating rapidly. Historically, companies have treated their defenses as an individual corporate matter, but the increase in frequency, sophistication, and damage necessitates the sharing of very sensitive data. Simply put, industry and government need to get smarter and act more rapidly to ensure the nation's defense.

Our associations and companies have long supported the critical infrastructure protection initiatives in the last Administration and likewise support the recent steps by your Administration to enhance those policies. Government law enforcement agencies eagerly seek detailed data about computer attacks for the purposes of better law enforcement, earlier detection, and the promotion of best practices in government and industry.
Today, however, corporate counsels advise their clients not to share voluntarily the details of computer attacks with government agencies because it could come back to haunt them. In their judgment, the risk that such data could ultimately be divulged through a Freedom of Information Act (FOIA) lawsuit – even over the agency’s objections – is unacceptably high.

We greatly appreciate your letter of September 26, 2001 to the National Security Telecommunications Security Advisory Committee (NSTAC) indicating your understanding of this situation and the corresponding statements by Administration officials. The pending legislation (H.R. 2435, Davis-Moran, and S. 1456, Bennett-Kyl) corrects this situation by protecting the information from disclosure. The bills also provide limited use protection (not immunity) so that critical infrastructure information disclosed to the government cannot subsequently be used against the person submitting the information. This legislation to alter the legal risk assessments necessarily carried out by corporate counsel also addresses concerns about sharing information within industry. The legislation includes a limited immunity for antitrust purposes for information shared solely for the purposes of facilitating the protection of critical infrastructures.

We accept the assurances from the Department of Justice that business review letters would be forthcoming for information sharing and analysis centers (ISACs) constituted under your Administration’s policies. Yet the issuance of even a set of such letters would prove inadequate, for at least three reasons. First, such ISACs would have to be constituted with a view toward satisfying the Department, as opposed to maximally fulfilling their primary mission.
Second, there is the unavoidable negative implication for numerous other affected parties not in possession of a business review letter. Third, the ISACs are not the only organizations that have been constituted to share cyber threat information among industry sector members or with Federal agencies.

Beyond federal FOIA and antitrust, the proposed legislation goes on to clarify that computer attack data shared voluntarily with the government would not be disclosed either under the Federal Advisory Committee Act (FACA) or under state FOIA laws. There is no reason why ISACs that also function as official advisory bodies under the FACA, such as the NSTAC, should face a disclosure requirement not imposed on a special-purpose body. Moreover, we do recognize the federalism question which the second provision raises. At the same time, homeland defense is creating a need for federal, state, and local bodies to work jointly to a previously unprecedented degree. In some instances, first responders will not be from federal agencies. Information sharing ought not to dead-end at the federal level but should flow all the way down to the first responders. Without the same protection at the state level as at the federal, state agencies will face the same lack of revealing detail that federal agencies are experiencing today. The planning exercise for a possible terrorist strike at the Salt Lake City Olympics, “Black Ice,” exemplifies the desirability of a suite of targeted legal protections that bring in, rather than leave out, state and local authorities.

There has been, in our view, misunderstanding of the legislation by some critics. First, we are not calling into question the existing FOIA case law, which taken together suggests that a federal agency would win a test case. Rather, we are saying only that the risk of a loss of such a test case – as viewed by the parties bearing the risk – remains unacceptably high.
More importantly, corporations should not be required to accept such risks, or the cost of litigation, when reporting significant cyber events in an attempt to protect the public interest. The way to “buy down” that risk is to take the probable, and correct, result from a test case and put it, in black and white, into the FOIA statute.

Second, this legislative package has only to do with disclosure of computer attack data and critical infrastructure protection. Normal regulatory information gathering will proceed unimpeded, as it should. The legislation does not affect any civil litigation – other than FOIA and antitrust – nor should it attempt to do so.

Both government agencies and private firms face a high challenge in mounting better defenses and adopting better practices, whether physical or cyber. By way of comparison, the terrorism insurance legislation before Congress reflects an understanding that private parties – here as elsewhere – will have to follow sound practices to qualify for coverage. In that regard, it will promote industry self-regulation, as would cyber disclosure. In each case, the legislation would provide a basis for industry to discover, with minimum time and cost, the best defensive practices, and then disseminate and deploy them. Under wartime conditions, with time, cost, and payback at an especial premium, there is no wiser approach.

Our support for cyber disclosure legislation signals a broad recognition by U.S. industry of the need to move from individual defense toward common defense. We supported this legislation before the terrorist attacks of September 11th and strongly feel that the nation’s wartime footing makes such a measure even more urgent.

Mr. President, we applaud your bold leadership and urge you to act decisively again with unequivocal support for confidence-building cyber disclosure legislation: a mutually reinforcing suite of targeted legal protections under federal antitrust and FACA statutes, as well as federal and state FOIA statutes. We seek your Administration’s support in bringing such comprehensive legislation to the floors of the House and Senate as soon as possible, reflecting the best provisions of the respective bills, and a clear Statement of Administration Position in favor of the final measure.

Yours truly,

Tom Donohue, President, US Chamber of Commerce
Jerry Jasinowski, President, National Association of Manufacturers
Harris Miller, President, Information Technology Association of America
Dave McCurdy, President, Internet Security Alliance
Steve Bartlett, President, Financial Services Round Table
Bruce J. Heiman, Executive Director, Americans for Computer Privacy
Robert Holleyman II, President and CEO, Business Software Alliance
Thomas Kuhn, President, Edison Electric Institute

CC:
The Honorable Condoleezza Rice
The Honorable Tom Ridge
The Honorable Richard Clarke