Davis revives cyberthreat legislation

Industry letter to House members

Rep. Tom Davis (R-Va.) has reintroduced a bill aimed at encouraging the private sector to share cybersecurity incidents with federal agencies so the government has a better picture of threats to national security.

Davis and co-sponsor Rep. Jim Moran (D-Va.) first introduced the Cyber Security Information Act last year after the formation of several private-sector information sharing and analysis centers.

President Clinton created the centers—designed to share security incidents within a market sector—as part of Presidential Decision Directive 63 in May 1998. PDD 63 requires that the federal government secure systems that support the nation's critical infrastructure. The information technology sector is among those that have already formed such centers. But many in the private sector are concerned that the information they pass on to government incident-response organizations may be open to the public through the Freedom of Information Act. They also worry that sharing information in the centers would violate federal antitrust laws.

"This uncertainty has a chilling effect on the growth of all information- sharing organizations and the quality and quantity of information that they are able to gather and share with the federal government," wrote businesses and industry groups in a July 5 letter to House members. Several exemptions to FOIA already exist, and the new bill would simply create another exemption that would limit the sharing to national security- related information, said David Marin, Davis' communications director. By addressing industry's concerns, "we are removing the primary barrier to information sharing between government and industry," Davis said.