Relax Laws to Boost Web Security, Officials Say

July 24, 2002

Type: discussion

Technology - Reuters Internet Report
Relax Laws to Boost Web Security, Officials Say
Wed Jul 24, 8:34 PM ET

By Andy Sullivan

WASHINGTON (Reuters) - Bush administration officials called on
Congress to relax open-government laws on Wednesday to help fight
computer crime, drawing a sharp response from a Democratic lawmaker
who said the move would create a haven for corporate abuses.

Computer security experts from the FBI ( news - web sites) and the
Commerce Department ( news - web sites) told a House of
Representatives subcommittee that the move was necessary to encourage
private firms to share information about Internet-based attacks.

Although 5,000 companies have agreed to disclose information about
Web site hacks, denial-of-service ( news - web sites) attacks and
other online intrusions with law enforcement authorities, many are
still reluctant to participate due to fears that
freedom-of-information laws could expose corporate secrets, they told
the House subcommittee on government efficiency, financial management
and intergovernmental relations.

Information submitted to the government about attacks on business
computer systems or other "critical infrastructure" would be exempt
from public disclosure, and could not be used in any lawsuit, under
sweeping legislation that would create a new Department of Homeland
Security.

Illinois Rep. Jan Schakowsky said the measure would enable companies
to hide information about polluting facilities and other undesirable
secrets.

"If a company wants to protect information from public view, they
could dump it in the Department of Homeland Security and say, 'We
don't want anybody to have access to it," the Illinois Democrat said.

The House is expected to take up debate on the bill Thursday.

REPORTING NECESSARY TO DETER CYBER ATTACKS

Fears of an Internet-based attack that could debilitate power plants,
airports or other vital facilities have increased exponentially since
Sept. 11.

Law enforcement authorities say it is vital for these facilities to
let authorities know when they detect an intrusion, so government can
analyze the attacks and other businesses can defend against them.

Corporate trade secrets provided to the government are already exempt
from disclosure under the Freedom of Information Act, known as FOIA,
and receive further protection from a directive issued by President
Reagan.

But many businesses deem the exemptions too vague, and decline to
share information with law-enforcement authorities, said Ronald Dick,
director of the FBI's National Infrastructure Protection Center. A
recent survey found that although 90 percent of companies suffered
Internet-based attacks, only 34 percent reported the attacks to law
enforcement, he said.

"They want a simple statute they can understand. Without that many
companies will not share information," Dick said.

Dick's testimony was echoed by John Tritak, director of a Commerce
Department cybercrime office, and by computer security experts from
the private sector.

The testimony drew an irate response from Schakowsky, who said that
private industry was exploiting fears of terrorism to create a
loophole that would allow them to hide sensitive information from
public scrutiny.

"It astounds me that in a moment in history when transparency in
business is in the headlines every day … we want to offer, in my
view, not a narrowly offered exemption to FOIA but a loophole big
enough to drive any corporation and its secrets through," the
Illinois Democrat said.

Schakowsky said she would try to remove the provision when the bill
comes up for debate, and suggested that perhaps companies should be
required to report Internet intrusions.