Industry's FOIA shield debated

The bill would give companies an exemption from the Freedom of Information Act when sharing information about cybersecurity

House members on Thursday stood behind their bill to give companies an exemption from the Freedom of Information Act when sharing information about cybersecurity.

However, critics say the bill is unnecessary and that the government cannot handle the information that industry would provide.

The Cyber Security Information Act, co-sponsored by Reps. Tom Davis (R-Va.) and James Moran (D-Va.), is designed to promote the sharing of cybersecurity information between the private sector and government.

The administration has asked agencies to work with industry and form information sharing and analysis centers (ISACs). The financial services sector has started its ISAC, and the telecommunications and information technology sectors are working on ISACs. But businesses consistently have raised questions about the sharing of security information, Moran said before the House Government Management, Information and Technology Subcommittee on Thursday.

"Their concerns stemmed from the lack of clarity in antitrust laws and concerns related to disclosures the government would have to make based on [FOIA]," he said.

The Davis-Moran bill is based on the Year 2000 Information and Readiness Disclosure Act. It will provide a limited FOIA exemption, protecting companies from civil litigation over shared information, and it establishes an antitrust exemption for information shared within an ISAC, Davis said.

However, David Sobel, general counsel for the Electronic Privacy Information Center, said that existing FOIA exemptions already protect information that would be shared in an ISAC. "The courts have really bent over backwards to make sure private-sector companies do feel comfortable sharing information with the government," he said.

Davis said companies perceive those protections as not enough, and they will not share information with government until they have "ironclad assurance" that it will not be released.

The bill could provide agencies with a better picture of information security threats across the country because it "creates an additional protected channel for potent, valuable information," said Joel Willemssen, director of civil agencies information systems at the General Accounting Office.

But regardless of whether the bill succeeds, the government may not be prepared to deal with the information, Willemssen said. Agencies don't have a process to ensure that they are collecting the correct information, nor is there evidence the organizations in place can analyze and share this information in a timely manner, he said.