Officials: Lack of trust undermines security

The private sector manages more than 85 percent of the nation's critical infrastructure and must therefore collaborate with the government to protect those resources, officials said at a Senate hearing last week.

Such collaboration requires an environment conducive to companies voluntarily sharing vital information and a cultural change on both sides that will take time, said government and industry leaders speaking at a May 8 Senate Governmental Affairs Committee hearing. If this doesn't change, numerous gaps in homeland security will remain open to attack.

Sens. Robert Bennett (R-Utah) and Jon Kyl (R-Ariz.) are promoting the Critical Infrastructure Information Security Act to enable the federal government and industry to share information about potential threats to the nation's critical infrastructure without fear that the data would be released under the Freedom of Information Act (FOIA).

"If the private sector and the government are both targets, they should be talking to each other," Bennett said, acknowledging industry worries over shared information being leaked. "We need to keep understanding that this information would otherwise not be available to anyone. People who wish us ill will take advantage of the seams."

Committee chairman Sen. Joe Lieberman (D-Conn.), ranking member Sen. Fred Thompson (R-Tenn.) and numerous government and industry witnesses agreed that the legislation is promising, but also acknowledged that many issues must be worked through, especially industry's fear that any information shared with the government could be used against them legally or by competitors.

"You can't legislate trust...and there is no silver bullet," said John Tritak, director of the Critical Infrastructure Assurance Office. "You can't create it with the passage of law, but the goal is to encourage that relationship."

Bennett's proposed legislation does not override other regulations, and the voluntarily shared information can only be used for the purposes of the act. The Bush administration endorses a "narrowly crafted" FOIA exemption on critical infrastructure information, and the Bennett-Kyl bill is being given "serious consideration," Tritak said.

FOIA has worked well so far, said David Sobel, general counsel for the Electronic Privacy Information Center. "Overly broad new [FOIA] exemptions could...adversely impact the public's right to oversee important and far- reaching governmental functions and remove incentives for remedial private- sector action," he said.

John Malcolm, deputy assistant attorney general in the Justice Department's Criminal Division, also expressed concern about the bill. He said as it is written, it would "tie the government's hands" by preventing it from taking civil enforcement action against a company via "direct use" of information obtained through critical infrastructure needs.

That loophole would enable a company that was knowingly at fault in a matter to do a "document dump" on the government and essentially absolve itself of future civil prosecution, Malcolm said. He added that this is a "gray area," but did not think it was the intent of the bill to preclude prosecutions of infractions.

Both government and industry officials realize that sharing information is "in the public interest, but industry is reluctant to do that if they feel like they're digging themselves a hole," Tritak told Federal Computer Week.

"People expect too much of legislation to fix a cultural problem," he said. "A lack of clarity encourages [conservative] behavior. We're suggesting a real partnering that requires a collaborative relationship with government and industry jointly working for homeland security. The government can't do it alone...end of story."

Ronald Dick, director of the National Infrastructure Protection Center, which coordinates federal, state, local and industry responses, said he recently created an office to work with private-sector information sharing and analysis centers (ISACs), and has already established relationships with several industries, including telecommunications and IT.

ISACs — designed to share security incidents within a market sector — were created under Presidential Decision Directive 63 in May 1998, which requires the federal government to secure systems supporting the nation's critical infrastructure.

***

Securing sharing

Sen. Robert Bennett (R-Utah) co-sponsored a bill that would protect the nation's critical infrastructure, such as telecommunications, transportation and essential government services, by encouraging better information sharing between government and industry. Public- and private-sector witnesses last week debated the merits of the Critical Infrastructure Information Security Act, which Bennett sponsored with Sen. Jon Kyl (R-Ariz.).

The bill would:

* Secure voluntarily shared critical infrastructure information.

* Provide critical infrastructure threat analysis.

* Protect those who share information.