When it emerged less than a decade ago, the World Wide Web was quickly embraced as a bright new medium that could help reinvent government and revitalize democracy.
When it emerged less than a decade ago, the World Wide Web was quickly embraced
as a bright new medium that could help reinvent government and revitalize
democracy. But gradually government policy-makers have also seen that the
Web has a much darker side.
Information once eagerly posted on government Web sites to promote environmental
safety, assist military personnel or help retirees is now being viewed as
dangerous if found by terrorists, hackers and other criminals.
Prompted by fears that easy access to information is putting Americans at
risk, agencies and Congress are tightening controls over federal Internet
sites. Federal Webmasters who once enthusiastically posted information now
anxiously take some of it down.
Congress has even banned some unclassified government information from
federal Web sites — although not from private sites — and is considering
a bill to grant sweeping exemptions to the Freedom of Information Act (FOIA) in
the name of cybersecurity.
"We're becoming afraid of the technology that we invented to make government
more open," said Patrice McDermott, an information policy analyst for OMB
Watch, a public interest organization in Washington, D.C. "What should be
used to make government more open is being used as an excuse for making
it more closed."
"There is a growing sense of caution about what's on the Web," said
Roger Baker, chief information officer at the Commerce Department. "I don't
want to call it a backlash, but it's a bit of a reaction to the push to
get everything out there. It's sort of an "oops — that shouldn't be out
there.'"
"Oops" is probably an understatement to Rep. Thomas Davis (R-Va.), who
sees real danger lurking in the Web.
"Cyberattacks have moved beyond the mischievous teenager and are now
being learned and masterminded by terrorist organizations. It's not difficult
to imagine what could occur if those attacks were focused on our utilities
or emergency services," Davis said as he introduced his Cyber Security Information
Act this spring.
Davis' bill would grant sweeping exemptions from FOIA when private companies
share information about computer vulnerabilities with the federal government.
The bill would also limit companies' legal liability and exempt them from
antitrust violations based on the information they share.
Because it is connected to the Internet, the nation's critical infrastructure — which operates everything from transportation to financial systems — is
in jeopardy, Davis warns. And recent computer virus attacks have added a
tone of urgency to the warnings.
So far, they have not slowed the governmentwide commitment to increased
use of information technology and the Internet. Agencies still aim to meet
the requirement set by the Paperwork Reduction Act of offering all government
services and transactions online, in addition to paper, by 2003. And the
president's e-government goal of having the 500 most-used government forms
online by the end of this year still stands.
The Best Intentions
But fear for the safety of major systems and the public has begun to
force policy-makers to consider significant changes in online practice and
philosophy.
"I would tend to take the view that if it's available through the Freedom
of Information Act, it should be out there. But that's not a well-thought-through
view," said Baker, who heads the Security, Privacy and Critical Infrastructure
Subcommittee of the federal CIO Council. "Some stuff just shouldn't be out
there. You may be legally bound to turn it over, but do you want to call
attention to it?"
That question was at the heart of a debate at the Environmental Protection
Agency over whether to post information on the Internet about industrial
plants and the hazardous chemicals they use.
Openness has been a key EPA strategy for achieving compliance with environmental
regulations. Disclose sources of pollution and potential hazards, and public
pressure often will force cleanups and better safety practices, the agency
has found. But in the Internet Age, openness has yielded to the idea that
secrecy promotes security.
Challenged by the FBI and temporarily forbidden by Congress, the EPA
has decided not to post "risk management plans" on the Internet. The plans
spell out worst-case scenarios that could result from chemical accidents
at more than 15,000 U.S. industrial plants.
The requirement for risk management plans dates to the pre-Internet
era. Horrified when a gas leak at an American-owned insecticide factory
in Bhopal, India, killed 8,000 people and injured 500,000 more in 1984,
Congress ordered the EPA to establish rules to minimize the risk of similar
leaks in the United States.
In amendments to the Clean Air Act, Congress required companies that
handle dangerous chemicals to submit plans to the EPA spelling out what
would happen in a "worst-case" chemical accident and how they would prevent
or at least minimize accidental chemical releases.
Congress also ordered that the risk management plans be disclosed to
the public, hoping to generate public awareness that could pressure companies
to pay greater attention to safety. EPA officials posted the plans on the
Web.
FBI and intelligence agencies argued that posting the risk management
plans would provide "one-stop shopping" for terrorists. The plans, they
said, provided enough detailed information to turn 15,000 businesses and
industrial plants into weapons of mass destruction.
In an assessment conducted this year, the EPA concluded that "the risk
of terrorists attempting in the foreseeable future to cause a potentially
catastrophic chemical release is both real and credible."
Now the EPA proposes to make the plans available to the public on a
limited basis, on paper, at 50 monitored reading rooms across the country.
Personal identification and sign-in sheets would be required. Note-taking
would be allowed, photocopying forbidden.
But deciding to keep the plans off the Internet was not easy for some
at the EPA. "I see us still struggling with the issue," a senior agency
official said.
Some at the agency charge that senior EPA policy-makers have backed
off their commitment to communities' right to know. But others "are coming
to understand that there are aspects to making information available broadly
that we need to be cognizant of. There is an accountability angle," the
official said. "As you look at it from that perspective, it makes you think
more critically and analytically about information and how it might be used."
But a former EPA official admits he is more cynical. "I really think
the motivation is political," he said. "The Republican Congress has attacked
the EPA, and I don't think the Web is the main objection. They're trying
to deter the EPA from being as effective as it can be."
"The practical difficulty with the EPA plan is it attempts to enforce
a distinction between paper documents and electronic documents. It won't
work," said Steven Aftergood, director of the Federation of American Scientists'
Project on Government Secrecy. "There are people who will take the paper
document and post it on a Web site. It's not illegal — yet. If the information
is unclassified and useful, it's going to find its way onto the Web."
To Inform or Promote?
Aftergood has some experience in that regard. About a year ago, the
Marine Corps removed program information from some of its Web sites about
the Marine Corps' Tactical Systems Support Activity, a unit based at Camp
Pendleton, Calif. The information was neither classified nor protected for
reasons of personal privacy. Included in the information were details on
technology the Marines plan to use to support other Corps units in a war.
"All of it was unclassified. It wasn't even sensitive," Aftergood said.
"And there was nothing like Social Security numbers or home addresses" to
warrant keeping it secret, he said.
Aftergood filed a FOIA request for a directory of Web pages that had
been withdrawn. He argued that the Marine Corps had no right to withhold
it.
The Marines agreed. But instead of sending Aftergood a directory of
the suppressed Web material, the Corps handed over a cassette containing
900M of material that it had stricken from the Web.
The data was stored on a "peculiar helical-scan, 4 mm data cartridge,"
Aftergood said. And so far, he has been unable to locate equipment that
can read it.
The Marines' action raises questions about how agencies should use the
Web. Is the Web intended to make government more transparent? Should agencies
routinely post information such as minutes of meetings and texts of policies
so the public can learn more about what the government is doing?
The military, which invented the Internet, has found it extremely valuable
as a fast and efficient global information distribution system. But "in
the rush to take advantage of the Net's timeliness and distribution capabilities,"
personnel have sometimes abandoned caution, a Pentagon official said.
They have posted documents intended for official use only, put personal
information online and disclosed sensitive information about exercises and
operations.
The ease of access to information on the Internet makes even unclassified
information more sensitive. "You can take a lot of miscellaneous facts and
start to piece a picture together," explained a retired Army officer. Collecting
bits of information from many sources and putting them together used to
be a slow, often laborious process. The Internet makes it far easier.
"The interconnectedness of information on the Internet is forcing agencies
to re-examine what they put online," said David McClure, associate director
for governmentwide and defense information systems at the General Accounting
Office. "Information you thought was only within one confine is not, and
it becomes much easier to weave a mosaic of information," he said. And a
congressional requirement that federal agencies keep searchable electronic
archives will create an even greater challenge, he said.
The Defense Department has formed a special unit at the Pentagon called
the Joint Web Risk Assessment Cell to comb military Web sites for information
it thinks should be removed. The primary intent is security, military officials
say. For example, maps of military bases that are helpful to personnel being
transferred to new posts might also prove valuable to terrorists planning
an attack.
Even at the Agriculture Department, "the security posture is changing.
There's a general feeling that the world has become a less friendly place,"
said William Hadesty, information security chief at USDA. "The whole security
thing is under review. We're constantly looking at security here," he said.
Secrecy in the Name of Security
There is a slightly different security concern when it comes to the
critical infrastructure, according to Rep. Davis.
The critical infrastructure is largely owned and operated by the private
sector, and ordinarily, private companies are not subject to most of the
disclosure requirements imposed on government agencies.
While it is widely agreed that government and industry need to work
together to solve the computer security problems that threaten the critical
infrastructure, industry is reluctant to do so, Davis said, because information
shared with the government is subject to disclosure. Davis, who represents
Northern Virginia and its burgeoning high-tech business sector, said he
introduced the Cyber Security Information Act to encourage businesses to
share information about security weaknesses with the federal government
and each other.
Putting limitations on the use of information are necessary to assure
businesses it is safe to share information with the government, said Davis,
who has a seat on the House Government Reform Committee.
He said he modeled the bill after similar legislation that convinced
industry to work with government to solve the Year 2000 computer compliance
problem. Computer security is emerging as a problem of similar magnitude,
Davis contends.
Critics of the legislation complain that it would "cast a blanket of
secrecy over vast amounts of information that the public might have a need
and right to know," OMB Watch's McDermott said. According to OMB Watch,
this bill is part of an ongoing push by industry to carve out exemptions
to FOIA.
The group concedes that there may indeed be information that the government
wants industry to share that should remain secret, but Davis' bill leaves
"virtually no role for any government agency except to do the bidding of
private entities," which want to keep information from the public, McDermott
said.
A Davis aide argues that failing to grant FOIA exemptions will hurt
government more than it hurts industry. Without privacy assurances, companies
will simply refuse to share useful information.
But a "very disturbing idea" embedded in the Davis bill is that information
shared between the private sector and the government should routinely be
kept secret from the public, said Kate Martin, a lawyer for The National
Security Archive, a research institute that specializes in publishing declassified
government documents.
"It is linked to the notion that it will be necessary for the government
to do much more with the private sector than it has in the past. And because
the private sector wishes not to be subject to open government laws," the
Davis bill permits government to become more secretive, she said.
"It turns the basic presumption of freedom of information and open government
on its head," Martin said. "The really dangerous thing is the wholesale
exemption [to FOIA] of all information shared with the government when it's
related to the critical infrastructure."
McDermott said the situation would be similar to a law that forbids
newspapers from reporting on bank robberies because their articles highlight
banks' vulnerabilities. Her point: Shouldn't people be able to learn about
the danger to the bank and their money? And isn't publicity likely to prompt
the bank to invest more in security?
The Internet Changes Everything
Instead of broad FOIA exemptions, information should be carefully evaluated
and exempted from disclosure only when the risk of disclosure is found to
be greater than the value of openness, Martin said.
Yet, she concedes, in some ways the Internet has changed the equation.
Much of the information that has traditionally been "public" has also traditionally
been difficult to obtain. Papers filed in courthouses or buried in agency
file cabinets were simply not readily available. Increasingly, that's no
longer true. If it's on the Web, it can be accessed from virtually anywhere.
"It may be that we need to rethink" policies on privacy and disclosure,
"but it needs to be done very specifically, not with just a blanket blackout"
of information, Martin said.
Aftergood predicts that it is too late for much of a retreat from the
Web. Agencies have found that it is slower and more expensive to provide
information on paper. There is a mounting expectation that if an agency
has useful information, citizens should be able to get it on the Web, he
said.
"I think there will still be a net increase in the amount of information
that is becoming available, notwithstanding these recent efforts to retrench,"
Aftergood said.
NEXT STORY: Microsoft to delay security patch