Davis revives cyberthreat bill
Bill encourages the private sector to share cybersecurity incidents with federal agencies
Rep. Tom Davis (R-Va.) reintroduced July 10 a bill aimed at encouraging the private sector to share cybersecurity incidents with federal agencies so the government has a better picture of threats to national security.
Davis and co-sponsor Rep. Jim Moran (D-Va.) first introduced the bill last year after the formation of several private-sector information sharing and analysis centers (ISACs).
President Clinton created the centers—designed to share security incidents within a market sector—as part of Presidential Decision Directive 63 in May 1998. PDD 63 requires that the federal government secure the systems that support the nation's critical infrastructure, such as telecommunications and electricity.
The banking and information technology sectors are among those that have already formed ISACs. But although they are sharing information among themselves, private-sector leaders have said they will not pass information on to government incident response organizations. This refusal stems from fears that information held by federal agencies may be exposed through the Freedom of Information Act.
Other sectors have not yet created ISACs because of concerns that sharing information in would violate federal antitrust laws and that it might increase their liability, officials have said.
There already are several exemptions to FOIA, and Davis and Moran's bill would simply create another, limiting information-sharing to national security-related information, said David Marin, Davis' communications director.
Legal and policy experts testified before the House Government Reform Committee last year that the cyberincident information would already be covered by existing FOIA exemptions. But other experts, including Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism at the National Security Council, have said that a new exemption may be necessary to give companies the comfort level needed.
"The fact remains that the companies are not sharing their information with agencies," Marin said.
NEXT STORY: Online monitoring on the rise