Access denied

When it emerged less than a decade ago, the World Wide Web was quickly embraced

as a bright new medium that could help reinvent government and revitalize

democracy. But gradually government policy-makers have also seen that the

Web has a much darker side.

Information once eagerly posted on government Web sites to promote environmental

safety, assist military personnel or help retirees is now being viewed as

dangerous if found by terrorists, hackers and other criminals.

Prompted by fears that easy access to information is putting Americans at

risk, agencies and Congress are tightening controls over federal Internet

sites. Federal Webmasters who once enthusiastically posted information now

anxiously take some of it down.

Congress has even banned some unclassified government information from

federal Web sites — although not from private sites — and is considering

a bill to grant sweeping exemptions to the Freedom of Information Act (FOIA) in

the name of cybersecurity.

"We're becoming afraid of the technology that we invented to make government

more open," said Patrice McDermott, an information policy analyst for OMB

Watch, a public interest organization in Washington, D.C. "What should be

used to make government more open is being used as an excuse for making

it more closed."

"There is a growing sense of caution about what's on the Web," said

Roger Baker, chief information officer at the Commerce Department. "I don't

want to call it a backlash, but it's a bit of a reaction to the push to

get everything out there. It's sort of an "oops — that shouldn't be out

there.'"

"Oops" is probably an understatement to Rep. Thomas Davis (R-Va.), who

sees real danger lurking in the Web.

"Cyberattacks have moved beyond the mischievous teenager and are now

being learned and masterminded by terrorist organizations. It's not difficult

to imagine what could occur if those attacks were focused on our utilities

or emergency services," Davis said as he introduced his Cyber Security Information

Act this spring.

Davis' bill would grant sweeping exemptions from FOIA when private companies

share information about computer vulnerabilities with the federal government.

The bill would also limit companies' legal liability and exempt them from

antitrust violations based on the information they share.

Because it is connected to the Internet, the nation's critical infrastructure — which operates everything from transportation to financial systems — is

in jeopardy, Davis warns. And recent computer virus attacks have added a

tone of urgency to the warnings.

So far, they have not slowed the governmentwide commitment to increased

use of information technology and the Internet. Agencies still aim to meet

the requirement set by the Paperwork Reduction Act of offering all government

services and transactions online, in addition to paper, by 2003. And the

president's e-government goal of having the 500 most-used government forms

online by the end of this year still stands.

The Best Intentions

But fear for the safety of major systems and the public has begun to

force policy-makers to consider significant changes in online practice and

philosophy.

"I would tend to take the view that if it's available through the Freedom

of Information Act, it should be out there. But that's not a well-thought-through

view," said Baker, who heads the Security, Privacy and Critical Infrastructure

Subcommittee of the federal CIO Council. "Some stuff just shouldn't be out

there. You may be legally bound to turn it over, but do you want to call

attention to it?"

That question was at the heart of a debate at the Environmental Protection

Agency over whether to post information on the Internet about industrial

plants and the hazardous chemicals they use.

Openness has been a key EPA strategy for achieving compliance with environmental

regulations. Disclose sources of pollution and potential hazards, and public

pressure often will force cleanups and better safety practices, the agency

has found. But in the Internet Age, openness has yielded to the idea that

secrecy promotes security.

Challenged by the FBI and temporarily forbidden by Congress, the EPA

has decided not to post "risk management plans" on the Internet. The plans

spell out worst-case scenarios that could result from chemical accidents

at more than 15,000 U.S. industrial plants.

The requirement for risk management plans dates to the pre-Internet

era. Horrified when a gas leak at an American-owned insecticide factory

in Bhopal, India, killed 8,000 people and injured 500,000 more in 1984,

Congress ordered the EPA to establish rules to minimize the risk of similar

leaks in the United States.

In amendments to the Clean Air Act, Congress required companies that

handle dangerous chemicals to submit plans to the EPA spelling out what

would happen in a "worst-case" chemical accident and how they would prevent

or at least minimize accidental chemical releases.

Congress also ordered that the risk management plans be disclosed to

the public, hoping to generate public awareness that could pressure companies

to pay greater attention to safety. EPA officials posted the plans on the

Web.

FBI and intelligence agencies argued that posting the risk management

plans would provide "one-stop shopping" for terrorists. The plans, they

said, provided enough detailed information to turn 15,000 businesses and

industrial plants into weapons of mass destruction.

In an assessment conducted this year, the EPA concluded that "the risk

of terrorists attempting in the foreseeable future to cause a potentially

catastrophic chemical release is both real and credible."

Now the EPA proposes to make the plans available to the public on a

limited basis, on paper, at 50 monitored reading rooms across the country.

Personal identification and sign-in sheets would be required. Note-taking

would be allowed, photocopying forbidden.

But deciding to keep the plans off the Internet was not easy for some

at the EPA. "I see us still struggling with the issue," a senior agency

official said.

Some at the agency charge that senior EPA policy-makers have backed

off their commitment to communities' right to know. But others "are coming

to understand that there are aspects to making information available broadly

that we need to be cognizant of. There is an accountability angle," the

official said. "As you look at it from that perspective, it makes you think

more critically and analytically about information and how it might be used."

But a former EPA official admits he is more cynical. "I really think

the motivation is political," he said. "The Republican Congress has attacked

the EPA, and I don't think the Web is the main objection. They're trying

to deter the EPA from being as effective as it can be."

"The practical difficulty with the EPA plan is it attempts to enforce

a distinction between paper documents and electronic documents. It won't

work," said Steven Aftergood, director of the Federation of American Scientists'

Project on Government Secrecy. "There are people who will take the paper

document and post it on a Web site. It's not illegal — yet. If the information

is unclassified and useful, it's going to find its way onto the Web."

To Inform or Promote?

Aftergood has some experience in that regard. About a year ago, the

Marine Corps removed program information from some of its Web sites about

the Marine Corps' Tactical Systems Support Activity, a unit based at Camp

Pendleton, Calif. The information was neither classified nor protected for

reasons of personal privacy. Included in the information were details on

technology the Marines plan to use to support other Corps units in a war.

"All of it was unclassified. It wasn't even sensitive," Aftergood said.

"And there was nothing like Social Security numbers or home addresses" to

warrant keeping it secret, he said.

Aftergood filed a FOIA request for a directory of Web pages that had

been withdrawn. He argued that the Marine Corps had no right to withhold

it.

The Marines agreed. But instead of sending Aftergood a directory of

the suppressed Web material, the Corps handed over a cassette containing

900M of material that it had stricken from the Web.

The data was stored on a "peculiar helical-scan, 4 mm data cartridge,"

Aftergood said. And so far, he has been unable to locate equipment that

can read it.

The Marines' action raises questions about how agencies should use the

Web. Is the Web intended to make government more transparent? Should agencies

routinely post information such as minutes of meetings and texts of policies

so the public can learn more about what the government is doing?

The military, which invented the Internet, has found it extremely valuable

as a fast and efficient global information distribution system. But "in

the rush to take advantage of the Net's timeliness and distribution capabilities,"

personnel have sometimes abandoned caution, a Pentagon official said.

They have posted documents intended for official use only, put personal

information online and disclosed sensitive information about exercises and

operations.

The ease of access to information on the Internet makes even unclassified

information more sensitive. "You can take a lot of miscellaneous facts and

start to piece a picture together," explained a retired Army officer. Collecting

bits of information from many sources and putting them together used to

be a slow, often laborious process. The Internet makes it far easier.

"The interconnectedness of information on the Internet is forcing agencies

to re-examine what they put online," said David McClure, associate director

for governmentwide and defense information systems at the General Accounting

Office. "Information you thought was only within one confine is not, and

it becomes much easier to weave a mosaic of information," he said. And a

congressional requirement that federal agencies keep searchable electronic

archives will create an even greater challenge, he said.

The Defense Department has formed a special unit at the Pentagon called

the Joint Web Risk Assessment Cell to comb military Web sites for information

it thinks should be removed. The primary intent is security, military officials

say. For example, maps of military bases that are helpful to personnel being

transferred to new posts might also prove valuable to terrorists planning

an attack.

Even at the Agriculture Department, "the security posture is changing.

There's a general feeling that the world has become a less friendly place,"

said William Hadesty, information security chief at USDA. "The whole security

thing is under review. We're constantly looking at security here," he said.

Secrecy in the Name of Security

There is a slightly different security concern when it comes to the

critical infrastructure, according to Rep. Davis.

The critical infrastructure is largely owned and operated by the private

sector, and ordinarily, private companies are not subject to most of the

disclosure requirements imposed on government agencies.

While it is widely agreed that government and industry need to work

together to solve the computer security problems that threaten the critical

infrastructure, industry is reluctant to do so, Davis said, because information

shared with the government is subject to disclosure. Davis, who represents

Northern Virginia and its burgeoning high-tech business sector, said he

introduced the Cyber Security Information Act to encourage businesses to

share information about security weaknesses with the federal government

and each other.

Putting limitations on the use of information are necessary to assure

businesses it is safe to share information with the government, said Davis,

who has a seat on the House Government Reform Committee.

He said he modeled the bill after similar legislation that convinced

industry to work with government to solve the Year 2000 computer compliance

problem. Computer security is emerging as a problem of similar magnitude,

Davis contends.

Critics of the legislation complain that it would "cast a blanket of

secrecy over vast amounts of information that the public might have a need

and right to know," OMB Watch's McDermott said. According to OMB Watch,

this bill is part of an ongoing push by industry to carve out exemptions

to FOIA.

The group concedes that there may indeed be information that the government

wants industry to share that should remain secret, but Davis' bill leaves

"virtually no role for any government agency except to do the bidding of

private entities," which want to keep information from the public, McDermott

said.

A Davis aide argues that failing to grant FOIA exemptions will hurt

government more than it hurts industry. Without privacy assurances, companies

will simply refuse to share useful information.

But a "very disturbing idea" embedded in the Davis bill is that information

shared between the private sector and the government should routinely be

kept secret from the public, said Kate Martin, a lawyer for The National

Security Archive, a research institute that specializes in publishing declassified

government documents.

"It is linked to the notion that it will be necessary for the government

to do much more with the private sector than it has in the past. And because

the private sector wishes not to be subject to open government laws," the

Davis bill permits government to become more secretive, she said.

"It turns the basic presumption of freedom of information and open government

on its head," Martin said. "The really dangerous thing is the wholesale

exemption [to FOIA] of all information shared with the government when it's

related to the critical infrastructure."

McDermott said the situation would be similar to a law that forbids

newspapers from reporting on bank robberies because their articles highlight

banks' vulnerabilities. Her point: Shouldn't people be able to learn about

the danger to the bank and their money? And isn't publicity likely to prompt

the bank to invest more in security?

The Internet Changes Everything

Instead of broad FOIA exemptions, information should be carefully evaluated

and exempted from disclosure only when the risk of disclosure is found to

be greater than the value of openness, Martin said.

Yet, she concedes, in some ways the Internet has changed the equation.

Much of the information that has traditionally been "public" has also traditionally

been difficult to obtain. Papers filed in courthouses or buried in agency

file cabinets were simply not readily available. Increasingly, that's no

longer true. If it's on the Web, it can be accessed from virtually anywhere.

"It may be that we need to rethink" policies on privacy and disclosure,

"but it needs to be done very specifically, not with just a blanket blackout"

of information, Martin said.

Aftergood predicts that it is too late for much of a retreat from the

Web. Agencies have found that it is slower and more expensive to provide

information on paper. There is a mounting expectation that if an agency

has useful information, citizens should be able to get it on the Web, he

said.

"I think there will still be a net increase in the amount of information

that is becoming available, notwithstanding these recent efforts to retrench,"

Aftergood said.