Critical Information Infrastructure Protection and the Law: An Overview of Key Issues
The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.

2
INCREASING THE FLOW OF INFORMATION

The sharing of information has been the centerpiece of both the government’s and the private sector’s efforts over the past several years to protect the information systems underlying our critical infrastructures. The assumption is that information sharing can help crystallize the threat, identify vulnerabilities, devise better defenses, establish best practices, and detect and mitigate attacks. Eric Benhamou, chairman of 3Com, suggests that the one thing that would have the greatest return is for firms to begin immediately sharing information about attack scenarios, best practices to protect against attacks, and perpetrators. The most useful thing the government can do, according to Craig Silliman, director of the Network and Facilities Legal Team at WorldCom, is to facilitate the establishment of a single technical point of contact that would enable the administrators at the backbone ISPs to share, in real time, information to combat a cross-industry attack (such as Code Red [1] or Nimda [2]). Coordination among the technical experts during a distributed denial-of-service (DDOS) attack, for example, would help them to identify the source of an attack, identify potential solutions to block the attack, and restore the network to operational capacity more quickly. [3] Informal communication and coordination do take place, but there is interest in increasing the scope and scale of such activity, in tandem with the evolution of the Internet itself.

The federal government has made a number of attempts to promote information sharing relevant to critical information infrastructure protection. NIPC created the InfraGard initiative to facilitate the sharing of critical infrastructure information with the private sector. Ronald Dick suggests that confidentiality in the reporting of incidents is one of the key elements in the InfraGard program that help to build trust between the government and private sector entities. However, the General Accounting Office (GAO) reported [4] that NIPC has had mixed success in forming partnerships with private industry and other government agencies. The President’s Commission on Critical Infrastructure Protection recommended industry-based vehicles known as information sharing and analysis centers (ISACs; see Box 2.1). While several ISACs have been created, many are still in their infancy and many others are in the planning stages. GAO notes that only three ISACs had been created before December 2000. [5] Although formal information-sharing arrangements are slowly being established, most information sharing occurs through informal channels. One deterrent, according to private industry representatives, has been the lack of clarity regarding the benefits and associated liabilities in sharing information with one another and with the government.

BOX 2.1
Information Sharing and Analysis Centers

PDD-63 called for the creation of sector-specific information sharing and analysis centers (ISACs) to encourage industry to gather, analyze, sanitize, and disseminate information to both industry and, as deemed appropriate, the government. ISACs have now been created in several industry sectors, including financial services, information technology, electric power, telecommunications, chemical, and surface transportation (rail industry). Each ISAC operates independently and determines what corporate structure to adopt, how it should operate, and how it should share information with its own members, with other ISACs, and with the government. For example, the financial services ISAC (FS-ISAC) is a nonprofit corporation open to eligible members of the banking, securities, and insurance industries. [a] FS-ISAC members can submit either anonymous or attributed reports about information security threats, vulnerabilities, incidents, and solutions. Members have access to information provided by other members and to analysis of information obtained from other sources (including the U.S. government and law enforcement agencies and the CERT Coordination Center). Although the FS-ISAC does not allow any U.S. government agency, regulator, or law enforcement agency to access its members’ information, it does share information with the government and other ISACs through meetings and other arrangements. [b] By contrast, the National Coordinating Center for Telecommunications ISAC (NCC-ISAC) brings together industry and government participants in a government facility.

Notes to Box 2.1:
[a] According to the FS-ISAC Web site, “[m]embership is open to the following categories of U.S. entities registered, and in good standing, with their appropriate regulators: FDIC Insured Bank, NASD Licensed investment firm, Designated Financial Services exchanges and finance sector utilities, Specialized U.S. or state-licensed banking companies, U.S. or state-licensed Insurance companies.” See <http://www.fsisac.com/faq.cfm>.
[b] See <http://www.fsisac.com/aboutus.cfm>.

Whitfield Diffie, Distinguished Engineer at Sun Microsystems, notes that regulated industries have a tradition of sharing some information with the government and the public, even when disclosure puts them at a disadvantage from a business viewpoint. For example, airlines are required (upon request) to disclose arrival and departure times of all flights, even though it is clearly a disadvantage to have customers know that they are frequently late. Retailers and credit card issuers worry that disclosing any loss of online transactional security (e.g., hackers gaining access to credit card numbers or purchase history) may undermine public confidence in Internet commerce, to the detriment of their businesses.

However, the companies that own and operate the information infrastructures include both regulated telecommunications providers and others, such as cable and other ISPs, that are regulated differently, if at all. Although the traditional telecommunications players have a history of successful information sharing with each other and the government through the NSTAC/NCC, the telecommunications industry is changing. The convergence of voice and data networks is enlarging the number of players involved in the telecommunications sector. W. David Sincoskie, committee member and vice president of the Internet Architecture Research Laboratory at Telcordia Technologies, noted that the Internet now carries more traffic than the public switched telephone network (PSTN). Captain J. Katharine Burton (U.S. Navy), assistant deputy manager at the National Communications System, noted that wireless networks, a new and important component of national security and emergency preparedness activities, did not have the ability to give priority to national security applications during the September 11, 2001, crisis. [6] A lesson from the wireless experience on 9/11 may be to think early about how to incorporate new and emerging media into emergency response. Unlike the traditional telecommunications players, these new players (including the owners and operators of the Internet, wireless networks, and the underlying transmission networks) [7] do not have 40 years of established history, nor do they have a culture of sharing information for national security purposes.

INFORMATION SHARING FRAMEWORK

Information sharing remains an ambiguous, even an opportunistic, concept. One reason progress may be slow is that what it means depends on what is asked of whom. Fundamental questions persist about who should share what information, when, how, and why, as well as with whom. Note that in the middle of the last century these questions were obviated by the domination of the telecommunications and computer industries by single large players with whom the government could, and did, communicate in the event of a crisis. They first surfaced in the early 1980s, when the telecommunications industry was transformed by the AT&T modified final judgment, which led to a relatively effective vehicle for government communications with the regulated telecommunications providers (NSTAC); government efforts to communicate with the computer industries about computer security risks in the 1980s did not fare as well, for a variety of reasons, including difficulties in formulating a compelling message and in reaching and persuading an increasingly diffuse set of industries. Many of these problems persist in today’s CIIP efforts.

In thinking about what information should be shared, [8] Lieutenant General (retired) David J. Kelley, vice president of Information Operations at Lockheed Martin, suggested that threats, vulnerabilities, network status, intrusion reports, best practices, and tools should all be shared. Companies need to be able to share information in ways, and of kinds, that may not be predictable in advance. As when Sherlock Holmes solves a difficult case, seemingly unconnected bits of information, when ingeniously combined, produce clues and evidence that can help to detect, prevent, and mitigate network attacks. If companies are not sure what information can and should be shared, they risk losing the potential for identifying large-scale, cross-cutting attacks, essentially putting an adversary at a great advantage.

On the other hand, sharing critical infrastructure information raises interest-balancing challenges because the information can carry with it additional risks [9] to public and private interests. Information sharing could be construed as price fixing, unreasonable restraint of trade, or systematic exclusion of or discrimination against certain customers. It also could raise privacy concerns, expose proprietary corporate secrets, and reveal weaknesses and vulnerabilities that erode public confidence and invite hackers. Erosion of public confidence could be particularly damaging to a publicly traded corporation, so information sharing could constitute a breach of fiduciary duty in some cases. For example, Craig Silliman noted that releasing a top ten vulnerabilities list to the public could provide hackers with the information they need to successfully attack at-risk networks. [10] However, vendors need to be informed of vulnerabilities to create patches. Private companies also rely on the alerts to implement timely preventative measures. Some people argue that companies are slow to fix vulnerabilities without the threat of publicity. A lag time between private notifications sent to vendors and the public announcements is one approach that would give vendors and private sector entities sufficient time to implement preventative measures without facilitating hacker attacks. This example also highlights the importance of analyzing both benefits and risks in determining when to release sensitive information.

Since many of the ISACs were established only in the last couple of years, they are still troubled by the difficult question, With whom should information be shared? Each ISAC needs to create a process that outlines how decisions are made regarding the sharing of information collected by the ISAC. Most ISACs are funded through membership fees. Should the information collected by an ISAC be shared only with paid members? When should information be shared with other companies in the same industry sector (e.g., smaller businesses that may not have the resources to become a full ISAC member)? Most of the current members of ISACs are large, multinational corporations. What should the ISACs do to encourage small and medium-size businesses to participate in information-sharing activities? Who should fund these efforts? If ISACs choose to share information with the government, they must decide which agencies should receive the information (e.g., DHS and agencies that have regulatory authority over that industry). Should all information be shared with the government, and if so, should it be anonymized first? What measures do the ISACs need to put in place to encourage the government to provide (possibly classified) information on suspected pending attacks?

Information-sharing models must also consider the public interest. Does the general public have a right to information about the infrastructure(s) on which it depends? Is it sufficient for the government to hold that information as the public’s representative? One reason why debates over the scope of and barriers to information sharing seem to elude resolution is that the fundamental issues outlined above remain to be worked through.

Selecting the appropriate information-sharing model requires ascertaining the costs and benefits. ISACs can add value by providing an analysis of the information gathered from their members. For example, ISACs can use aggregated time series data to identify attack patterns. ISACs also can use the data to develop guidelines for security best practices. In spite of the benefits of doing so, companies are reluctant to share information. They are concerned that shared information may be disclosed, causing irreparable harm: financial harm, public relations damage, competitive damage, litigation liability, or possible government intervention/investigation. Underlying the reluctance is a lack of trust.

Lack of trust has been an issue in both the public and private sectors (e.g., historically, the government has been reluctant to share with industry information that is classified). Companies often do not trust each other (or the government) with sensitive corporate information. [11] Anonymizing information is one way to alleviate concerns and build trust, both between the government and industry and within industry. Issues such as these are crystallized in debates over the implications of antitrust and freedom of information laws for information sharing, which are covered in “(Perceived) Barriers to Information Sharing,” below.

While most attention has been focused on sharing information with other members of a given ISAC, information shared across ISACs has the potential to be of much more value in identifying threats to the critical infrastructures of the United States and in analyzing trends. The PCIS has organized joint public-private meetings and developed white papers to highlight cross-sector information-sharing issues. [12] Identification of the key common elements in sharing might be a first step toward the development of a cross-industry sharing mechanism, since differences in jargon and culture across industries will compound the information-sharing challenges that already exist.

With all of this uncertainty, it is not surprising that information sharing is evolving only slowly. Progress may also be constrained by the vehicles launched to achieve it: Both the ISACs and PCIS are limited by their membership, which includes private sector representatives who registered an early interest in critical infrastructure protection and early willingness to engage with the government on CIP issues. The ISACs and PCIS both include primarily large firms with much at stake, either from critical infrastructure risks or from the direction that CIP policy might take. The symposium’s broad range of participants underscored that making progress on information sharing calls for addressing multiple issues affecting the public and private interests.

(PERCEIVED) BARRIERS TO INFORMATION SHARING

Phil Reitinger laments, “I wish that government and industry were as good at sharing information as hackers are.” Corporations point to a number of legal concerns that hinder full participation in information-sharing activities. Corporations fear they could be liable if they provide flawed information to the ISAC. What happens if the information is valid but the ISAC prepares a flawed analysis that causes harm to members? What happens if a member of the ISAC fails to protect anonymous or proprietary data? What if a member fails to share or disclose information that could have prevented or minimized an attack? What happens if one member fails to implement adequate security measures and by that failure causes harm to another member of the ISAC? These difficult questions have raised awareness about the importance of ISAC membership agreements and the need to allocate risk among the ISAC, its members, and the service provider.

While these issues are being examined in the context of ISAC formation and operation, two other legal concerns are perceived as impediments to successful information sharing between the private sector and the government and within the private sector: (1) the Freedom of Information Act (FOIA) and (2) antitrust laws. Fear of FOIA and antitrust concerns are the two main factors often invoked as the reasons for lack of progress on information sharing. Corporations fear that information shared with the government may be released to third parties under a Freedom of Information Act request. Most FOIA concerns are based on an unwillingness to trust the government with information provided to it. Antitrust concerns stem from the potential for collaborative exchanges of information among competitors on pricing or production levels or customer allocation, joint endorsement of particular suppliers/vendors, or singling out or otherwise damaging a particular competitor. Public interest advocates, however, are skeptical that these barriers really stand in the way of information sharing. They believe that the current FOIA and antitrust laws are adequate to protect industry and the general public and that they encourage information sharing. This section outlines both sides of the FOIA and antitrust debates.

Since drafting of this report began, a provision of the Homeland Security Act of 2002 (HSA) [13] has come to protect some critical information infrastructure data from disclosure under FOIA. It is too soon to know what this will mean in practice, but it makes some of the discussion moot. Nevertheless, the fundamental issues remain, and there is always the possibility of new legislation. [14]

Freedom of Information Act [15]

What Is the Freedom of Information Act? [16]

Congress enacted the FOIA (5 U.S.C. 552) in 1966. FOIA is an information disclosure mechanism whose basic purpose is to ensure that certain records in the possession of the U.S. government are accessible to the people. [17] The Supreme Court has said that the motivation behind FOIA is “to ensure an informed citizenry vital to the functioning of a democratic society, and to hold the governors accountable to the governed.” [18] In accomplishing that end, as the Court has also said, “[d]isclosure, not secrecy, is the dominant objective.” [19] FOIA requires all agencies of the U.S. government to disclose information upon receiving a written request, except for information protected from disclosure by nine statutory exemptions. [20]

Of the nine specific statutory exemptions contained in the act, it has been argued that exemption 4 might be available to protect information on critical infrastructure protection disclosed to the government by a private party. For information to come within the scope of exemption 4, it must be shown that the information is (A) a trade secret or (B) information that is (1) commercial or financial, (2) obtained from a person, and (3) privileged or confidential. [21] The latter category of information (commercial information that is privileged or confidential) is directly relevant to the issue of cybersecurity information. Opponents of creating an additional FOIA exemption for cybersecurity information argue that exemption 4 should be sufficient because most information submitted by the private sector to a government agency is assumed to be commercial information, broadly defined. Cybersecurity-related information may be commercial in nature, but is it always “privileged or confidential”? According to the D.C. Circuit Court decision in the National Parks case, commercial or financial information is deemed to be confidential if disclosure would (1) impair the government’s ability to obtain the necessary information in the future or (2) cause substantial harm to the competitive position of the person from whom the information was obtained. [22]

The Argument for Expanding FOIA Exemptions

Given that the purpose of FOIA is to ensure that records in the possession of the government are accessible to the public, private sector companies have expressed concern that critical infrastructure information shared with the government might be released to third parties via an FOIA request. Attempts by private entities to prevent disclosure could themselves result in disclosure: an FOIA request for information on all entities with a certain type of vulnerability, for instance, could not be opposed through a reverse-FOIA suit without the plaintiff implicitly identifying itself as having that vulnerability. A recent letter from the National Security Telecommunications Advisory Committee (NSTAC) to the President said, “to properly protect our critical national infrastructure and respond to attacks in a timely manner, private sector entities must be able to freely exchange critical infrastructure protection information with each other and the government. Real or perceived barriers to sharing the information must be removed.” [23] Some companies, such as those represented on NSTAC, argue that it is not clear that the existing exemptions (exemption 4 in particular) would provide the certainty of protection needed before they would release sensitive information to the government. Even if the information is protected, companies argue that it requires costly legal action to block the intended disclosure of the information, which represents money, time, and resources spent (see below for actions available to requesters of information). They do not have confidence that information shared with the government, including sensitive or proprietary information and vulnerabilities, will be kept secure. Finally, because past court rulings and interpretations can be reversed and do not stay constant over time, companies tend not to trust case law even though it may seem to protect the information today. In addition, companies fear that future rulings and interpretations could result in the release of previously submitted information.

The President’s Commission on Critical Infrastructure Protection, realizing that companies might not be willing to participate in information sharing activities without special protection, called for a new statutory exemption from the FOIA for critical infrastructure information. [24] Congress has considered two bills to respond to the concerns of the private sector. Senator Bennett introduced S. 1456, [25] the Critical Infrastructure Information Security Act of 2001. One of the goals of the bill is to “encourage the secure disclosure and protected exchange of critical infrastructure information.” Section 5 of that bill states that critical infrastructure information shall not be made available under section 552 of title 5, U.S. Code (FOIA). Representatives Davis and Moran introduced the Cyber Security Information Act of 2001 (H.R. 2435) to “encourage the secure disclosure and protected exchange of information about cybersecurity problems, solutions, test practices and test results, and related matters in connection with critical infrastructure protection.” Section 4 states that cybersecurity information shall be exempt from disclosure under section 552(a) of title 5, United States Code (FOIA), by any federal entity, agency, and authority. The legislation creating a new Department of Homeland Security exempts “critical infrastructure information voluntarily submitted to a covered Federal agency for its use regarding the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose” [26] from disclosure under FOIA.

The Argument Against Expanding FOIA [27]

Opponents suggest that case law shows that the existing FOIA exemptions are sufficient to protect critical infrastructure information; they say efforts to amend FOIA (e.g., through a new cybersecurity exemption) are based largely on a misperception of the current law. Many would argue that ensuring the government is able to obtain critical infrastructure information from the private sector on a voluntary basis comes within

NOTES

[1] Code Red was a worm that exploited a buffer overflow vulnerability in the Index Server ISAPI extension (idq.dll) of unpatched versions of Internet Information Server (IIS) Web software. Several variants of the worm spread throughout the world in the summer of 2001. Infected hosts were used to launch distributed denial-of-service attacks and deface Web pages. Information about the vulnerability was released in mid-June of 2001 and the worm began spreading in mid-July. The Cooperative Association for Internet Data Analysis (CAIDA) provides an analysis of the Code Red worm at <http://www.caida.org/analysis/security/code-red/>.

[2] The Nimda worm attacked the same IIS Web servers that Code Red targeted, but through different flaws: it exploited IIS directory-traversal vulnerabilities and the back doors left behind by the Code Red II worm rather than the buffer overflow Code Red used. Nimda, which spread via e-mail, open network shares, network scanning, and Web browsing, modified files on the infected systems and caused denial of service. See the CERT Advisory for more information, <http://www.cert.org/advisories/CA-2001-26.html>.

[3] Because an attacker has the advantage of being able to deliberately exploit any weakness that he can identify, network administrators need to be able to rapidly disseminate any information while the attack is under way to recapture the advantage and prevent the attack from succeeding.

[4] U.S. General Accounting Office, “Critical Infrastructure Protection: Significant Challenges in Developing National Capabilities,” GAO-01-323, April 25, 2001.

[5] U.S. General Accounting Office, “Information Sharing Practices That Can Benefit Critical Infrastructure Protection,” GAO-02-24, October 15, 2001.

[6] In 1995, the President directed the National Communications System, in cooperation with industry, to implement a priority access service for wireless NS/EP users. The FCC responded in July 2000 with a “Report and Order” that made wireless access priority service voluntary (see <ftp://www.fcc.gov/pub/Bureaus/Wireless/Orders/2000/fcc00242.txt>). In response to the events of September 11, the National Security Council issued guidance to the National Communications System to provide immediate wireless priority access service to limited geographic areas. Initial operating capability for the NCS Wireless Priority Service (WPS) was achieved in December 2002. Nationwide end-to-end wireless priority communications capability for all NS/EP personnel is scheduled for December 2003. WPS complements the Government Emergency Telecommunications Service (GETS), which provides landline priority service to NS/EP personnel. More information is available online at <http://63.121.95.245/wps/> and <http://gets.ncs.gov/>.

[7] There are also many more of these actors than there were before, and there are practically no barriers to entry. Because a potential attacker could easily establish an ISP (either within U.S. territory or outside it), information sharing among ISPs (or between ISPs and the government) might result in unfortunate or even damaging disclosures. The increasing number of players in the telecommunications sector needs to be considered when developing information-sharing strategies.

[8] For example, a Partnership for Critical Infrastructure Security (PCIS) working group proposed (in a white paper dated September 5, 2001) that information that fits into the following categories should be shared: publicized system failures or successful attacks; threats to critical infrastructures; system degradations; vulnerability information; obvious interdependencies [and] incidents of perceived limited impact; other useful information, including remediation methodology, risk management methodology, and research and development goals and needs.

[9] For a discussion of the inherent tension between the benefits and risks of disclosing information on critical infrastructure vulnerabilities, see Computer Science and Telecommunications Board, National Research Council. 1990. Computers at Risk: Safe Computing in the Information Age. National Academy Press, Washington, D.C., pp. 20-21.

[10] The SANS Institute and the FBI maintain a prioritized list of the top 20 security vulnerabilities. The list is intended to help systems administrators focus on correcting the flaws that are most often targeted in computer network attacks. See <http://www.sans.org/top20/> for more information.

[11] The weak security of the government’s own computer systems is often cited as a deterrent to information sharing. Many companies in the private sector fear that sensitive corporate information shared with the government may be compromised by hackers able to break into the government’s computer systems.

[12] A PCIS working group has proposed the creation of an ISAC policy management board, to be staffed with representatives from each ISAC, that will “facilitate the coordination and dissemination of the standardized information sharing documentation” (Information Sharing White Paper, September 5, 2001).

[13] PL 107-296.

[14] On March 12, 2003, the Restoration of Freedom of Information Act of 2003 (S. 609) was introduced in the Senate. Supporters of the bill argue that “FOIA provisions passed last year as part of the Homeland Security Act are too broad and could undermine public access to information about the government and public safety” (Dan Verton, 2003, “Progress on Info Sharing Threatened by Changes to FOIA Law,” Computerworld, March 19).

[15] The focus in this report is information voluntarily provided by the private sector to the federal government.

[16] This section is largely adapted from a presentation by David Sobel at the symposium.

[17] See <http://www.usdoj.gov/04foia/referenceguidemay99.htm#intro>.

[18] NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978).

[19] Department of the Air Force v. Rose, 425 U.S. 352 (1976).

[20] The nine statutory exemptions are classified documents; internal agency rules and practices; information that is prohibited from disclosure by another law; trade secrets and other confidential business information; interagency or intra-agency communications that are protected by legal privileges; information involving matters of personal privacy; certain information compiled for law enforcement purposes; information relating to the supervision of financial institutions; and geological information on wells. See <http://www.pueblo.gsa.gov/cic_text/fed_prog/foia/foia.pdf>.

[21] Exemption 4 is described in the Department of Justice’s Freedom of Information Act Guide, May 2002, available online at <http://www.usdoj.gov/oip/exemption4.htm>.

[22] National Parks and Conservation Association v. Morton, 498 F.2d 765, 770 (D.C. Cir. 1974).

[23] Copy of letter shown by David Sobel at the symposium.

[24] President’s Commission on Critical Infrastructure Protection. 1997. Critical Foundations. Washington, D.C., p. 32.

[25] Both bills are pending in committee. The latest major action on the Senate bill was October 9, 2001, and July 10, 2001, for the House bill.

[26] CRS Summary of Homeland Security Act of 2002, available at <http://thomas.loc.gov/cgi-bin/bdquery/z?d107:HR05005:@@@D&summ2=m&>.

[27] This section is largely adapted from a presentation by David Sobel at the symposium.

OCR for page 17
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues the purview of exemption 4. The courts have found that where information is voluntarily submitted to a government agency, it is exempt from the disclosure if the submitter can show that it does not customarily release the information to the public.28 David Sobel, general counsel of the Electronic Privacy Information Center, argues that the case law indicates that courts tend to defer to the wishes of the private sector submitter of the information and will protect the confidentiality of information that the submitter does not itself make public. Even before the new Homeland Security Act of 2002, the legal protections available to the private sector submitter did not end with the above case law. Because of general industry concerns about disclosure of information submitted to government agencies, President Reagan in 1987 issued Executive Order 12600 (Pre-disclosure Notification Procedures for Confidential Commercial Information). This EO requires all federal agencies to implement regulations that provide procedures for the notification to the submitter of private sector information if a FOIA request is received for that information. Once that procedure is triggered, if a request is received for the information and the agency decides that there is no legal basis for withholding it, the agency is required to provide an opportunity for the submitter to offer objections to the proposed release. EO 12600 is yet another layer of protection (and at least a delay) that is available to private sector submitters under existing law. In addition, the Supreme Court has recognized that the private sector submitter has standing to file what is called a “reverse FOIA” lawsuit to block the intended disclosure of the information.29 Finally, the U.S. 
Attorney General issued a new FOIA guidance memorandum30 on October 12, 2001, that establishes a new standard that the Justice Department will apply when determining whether or not to defend agency decisions to withhold requests for information. That standard states that when there is a “sound legal basis” (in contrast to “foreseeable harm,” as stated in the earlier standard) for with 28   Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F.2d 871 (D.C. Cir. 1992) (en banc), cert. Denied, 113 S.Ct. 1579 (1993). In this case, Critical Mass had requested information from the Nuclear Regulatory Commission concerning the results of inspection reports dealing with nuclear plant safety compliance. This information, revealing potential vulnerabilities at a nuclear power plant, is similar to the types of information involved in critical infrastructure protection. The court in this case concluded that because the nuclear power companies would not voluntarily release to the public this information, which they considered confidential, it was not subject to disclosure. This was an en banc decision of the full D.C. Circuit and further appellate review was denied by the Supreme Court, which is significant because the D.C. Circuit is where 95 percent of the FOIA litigation takes place, and this is the circuit court that is deferred to by all of the other circuits. 29   GTE Sylvania, Inc. v. Consumers Union, 445 U.S. 375 (1980). 30   The FOIA Post is available online at <http://www.usdoj.gov/oip/foiapost/2001foiapost19.htm>.

OCR for page 17
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues holding the information, the Justice Department will defend that agency determination in court. The American Civil Liberties Union (ACLU) sent a letter to Senators Lieberman and Thompson urging them to oppose Senator Bennett’s bill to amend the FOIA.31 The ACLU argues that when the courts have debated the public’s need for disclosure against the harms of disclosure under FOIA, they have shown deference to industry concerns for confidentiality. They suggest further that an all-encompassing CIP exemption would undermine security, rather than enhance it, because it would allow companies to shield from the public the actions they are not taking to protect their infrastructures from attack. According to Mr. Sobel, no one has identified what type of critical infrastructure information would escape the protection afforded by FOIA’s Exemption 4. He asserts that the current FOIA law is sufficient both to enable CIP-related information sharing between the private and public sectors and to protect collected information. Can the Government Protect CIP Information? Glenn Schlarman, from the Office of Management and Budget, argues that the Bennett bill and the Davis-Moran bill were not addressing (at least on the FOIA exemption side) the reality of the issue that information can be protected once it is in the government’s possession. These bills—and presumably the Homeland Security Act of 2002—address the perception that the government will not protect it or cannot protect it. He argues that the Critical Mass case is the “law of the land,” which means that voluntarily provided, customarily protected industry information is exempt under FOIA. The problem, according to Mr. Schlarman, is that government personnel who respond to FOIA requests do not read the Department of Justice Office of Information and Privacy case law on FOIA to know what is exempt today. 
Although the (pre-HSA) law has been sufficient to protect CIP-related information, he suggests it is not clear that agencies know how to protect it. A key issue is whether government agencies have processes in place to protect the information from inappropriate or accidental disclosure.32 Hence, Mr. Sobel suggests that a better 31   See <http://www.aclu.org/congress/l040302b.html>. The ACLU sent a similar letter to Representatives Burton and Waxman urging them to oppose H.R. 2435; see <http://www.aclu.org/congress/l040302c.html>. 32   For example, corporations fear that their sensitive proprietary information shared with the government might be leaked or misused by a government employee who migrates to a job with the corporation’s competitor.

OCR for page 17
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues approach is to educate the employees in federal agencies who respond to the FOIA requests about the types of information that cannot be released under existing law. Antitrust Many companies fear that sharing CIP-related data with competitors could be viewed as a violation of the antitrust provisions of the Sherman Antitrust Act (15 U.S.C.). Understanding Antitrust33 The goal of antitrust law is to promote competition in the marketplace. Therefore, to prohibit restraint of trade, the antitrust law seeks to discourage collusion—inappropriate collective action—and inappropriate exclusion.34 Collusion occurs when rival firms act jointly to raise prices and reduce output, thereby harming consumers and the economy as a whole. Exclusion occurs when competitive constraints normally offered by rivals are removed, thus making it possible for a firm to exercise market power. While information sharing among competitors in its own right is not illegal, it can be unlawful if it contributes to anticompetitive conduct either through an actual agreement (e.g., on price) or to the facilitation of coordinated behavior. For example, a joint venture of competitors could establish a standard for computer security that excluded one provider.35 The “Antitrust Guidelines for Collaborations Among Competitors,” issued in 2000 by the Federal Trade Commission and the Department of Justice, stressed that the sharing of information among competitors may be procompetitive and may be reasonably necessary to achieve a procompetitive benefit. If the information is reasonably necessary for achieving procompetitive efficiencies, those efficiencies are taken into account in assessing the overall effect on competition. 
If the information to be shared could be competitively sensitive—typically that means information on price, costs, future business initiatives, and the like—then certain factors can serve as guideposts in trying to determine whether information sharing is likely to facilitate collusion. 33   This section, “Understanding Antitrust,” is excerpted from a presentation by William E. Cohen at the symposium. 34   Some forms of exclusion are acceptable under the law, such as protection of intellectual property rights to prevent their use by others, or not permitting access to valuable assets, which is permitted in all but a few circumstances. 35   See Addamax v. Open Software Foundation, Inc., 152 F.3d 48 (1st Cir. 1998).

OCR for page 17
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues Who is receiving the information? If only one side of the partnership is using the information, then collusion concerns might have merit. How old is the information? Sharing contingent or future information is generally more troubling than sharing historical information, since it could be used to help in achieving agreement among competitors or in coordinating their conduct. How specific is the information? Information that identifies the conduct of individual firms is likely to raise greater concern than information that is aggregated. For example, information reviewing a particular firm’s pricing conduct may identify individual disclaimers and discourage them from cutting a collusive price. Finally, how accessible is the information? Sharing unique information is more likely to raise concerns than sharing information that is already publicly available. For example, standards setting—which can be relevant to critical infrastructure protection—illustrates that not all collective action is considered bad from an antitrust perspective. Setting standards is, by its nature, inherently a collective activity carried out industry-wide, but how it is done determines whether it serves to facilitate price setting or other anticompetitive behavior, which may be aimed against the buying public or a competitor. The Argument That an Antitrust Exemption Is Needed Many in the private sector are concerned that sharing CIP-related information may expose participating companies to antitrust enforcement actions. In addition, many are concerned that determination of the safe harbors for CIP-related information sharing is a complex, expensive, and risky process that will discourage smaller firms from CIP-related information sharing. 
Further, although formal advice from the government can be obtained in the form of a “business review letter” (see next section), that mechanism has its limitations36 and does not provide absolute immunity from government enforcement actions or private litigation. Concerns of this nature have led Congress occasionally to pass limited antitrust exemptions to combat perceived antitrust risk. One example is 36   First, over time, a business review letter can become outdated and may no longer be relied on. Second, the letter is only as good as the facts presented. If a firm departs from the stated facts, it would be required to get a supplemental letter or risk losing protection. Finally, while the letter may provide substantial protection with regard to federal enforcement agencies, there is always the possibility of private litigation. A business review letter is not binding on any private litigants. A clear statement from the federal government that it does not view a particular set of facts as being in violation of antitrust laws will strengthen the case of a firm in antitrust litigation. However, even if a firm wins in litigation, it still has to bear the transaction costs of the lawsuit.

OCR for page 17
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues the National Cooperative Research Act of 1984,37 amended and renamed the National Cooperative Research and Production Act of 1993. The President’s Commission on Critical Infrastructure Protection suggested that firms should be offered limited assurances and guidelines to protect them from antitrust enforcement actions.38 The congressional bills mentioned earlier (H.R. 2435 and S. 1456) include language that would exempt companies that share information about computer viruses and other network vulnerabilities from antitrust prosecution. The Argument That Antitrust Offers Sufficient Protection Opponents to creating a new antitrust exemption argue that a new exemption is not needed to protect firms sharing critical infrastructure protection information from allegations of anticompetitive behavior.39 They further argue that experience with antitrust exemptions in other contexts reveals practical problems with exemptions that may cause more harm than good. For example, if a blanket exemption were granted, people working to protect critical infrastructures could (try to) agree to raise prices 20 percent. They could also (try to) agree to share relevant technology only with each other and not with anyone offering a competing product. Although most industry officials would agree that such conduct is not protected by a new exemption, it is important to recognize the possibility of such consequences. Past efforts to develop exemptions from antitrust (e.g., research cooperation) indicate that conduct can be exempt so long as it does not involve price fixing or boycott activities. The American Bar Association’s Antitrust Section has voiced its opposition to further narrowing of exemptions.40 Some decrease in uncertainty can be obtained via a business review letter. 
This procedure allows firms to get formal advice from the Department of Justice (DOJ) on whether proposed future conduct would be viewed as anticompetitive. Under this procedure, DOJ indicates whether, on the basis of the facts presented in the request, it currently has any 37   15 U.S.C. §§ 4301-05. 38   President’s Commission on Critical Infrastructure Protection. 1997. Critical Foundations. Washington, D.C., p. 32. 39   For examples of authority addressing the antitrust treatment of the type of information exchange or standard setting discussed in the text, see Antitrust Law Developments (5th ed.) 114. 40   See, for example, <http://www.abanet.org/antitrust/tele97.html>, which notes that “the American Bar Association Section of Antitrust Law disfavors antitrust exemptions directed to narrow industry categories.” See also <http://www.abanet.org/antitrust/coalitionact.html>; <http://www.abanet.org/antitrust/agmerger.html>; <http://www.abanet.org/antitrust/basebl97.html>; and <http://www.abanet.org/antitrust/hcact97.html>.

OCR for page 17
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues BOX 2.2 EPRI Business Review Letter In October 2000, the Electric Power Research Institute, Inc. (EPRI) received a business review letter from the Department of Justice regarding a proposed information exchange program designed to reduce computer-based security risks posed by the increasing interconnection, interdependence, and computerization of their systems. EPRI indicated that the energy companies planned to exchange two principal types of information: best practices (including methodologies for conducting vulnerability assessments, stress tests, and plans to identify, alert, and prevent cybersecurity breaches) and product vulnerability information. The business review letter announced that the DOJ had no intention to challenge the information-sharing arrangements proposed by EPRI. DOJ found that anticompetitive harm was unlikely, provided that the information was confined to physical and cybersecurity issues and did not provide company-specific information related to pricing or any agreements on purchasing decisions or any recommendations in favor of or against the products of particular vendors. The letter adds, “To the extent that the information exchanges result in more efficient means of reducing cybersecurity costs, and thus savings redound to the benefit of consumers, the information exchanges could be procompetitive in effect.”1 1   The U.S. DOJ business review letter to EPRI is available online at <http://www.usdoj.gov/atr/public/busreview/6614.htm>. intention of bringing an enforcement action. DOJ has issued several business review letters41 (see Box 2.2) relevant to critical infrastructure protection activities, indicating that the proposed information sharing arrangements would not be viewed as a violation of antitrust laws. 
For example, two business review letters announced that the government had no intention to challenge efforts to develop solutions to Y2K problems, including the sharing of test results and information on proposed solutions. Several DOJ business review letters noted the potential procompetitive benefits of information sharing that created databases to help industry members avoid fraud or high credit risks. CONCLUDING OBSERVATIONS Symposium participants noted that trust (with respect to how the information will be used, how it will not be used, how it will be protected 41   A list of the business review letters issued by the Department of Justice is available online at <http://www.usdoj.gov/atr/public/busreview/letters.htm>.

OCR for page 17
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues from disclosure, and whether legal tools can be used by the government and private parties against those sharing information) among those sharing information is the most important prerequisite for achieving successful protection of the nation’s critical information infrastructure. The development of trust is necessary to achieve an atmosphere of openness and cooperation that can lead to sharing of vulnerabilities, best practices, and other critical information. While the passage of legislation will not automatically create trust, many believe it would create an environment where trust could develop. Mr. Sobel argues that passing legislation to remove a perceived (as opposed to a real) barrier is a bad way to make policy, and the Antitrust Section of the American Bar Association’s steady opposition to antitrust exemptions, for example, corroborates that point of view. Legislation carries risks and costs as well as benefits, and the changes over the past year underscore the importance of considering the total effect, as well as the implications of any one piece of legislation. No major reform to the Freedom of Information Act is explicitly required to allow for CIP-related information sharing between the private sector and the public sector. However, there is some risk and a perception that proprietary CIP-related information shared between private sector firms and federal government entities may be disclosed to third parties under FOIA. The new HSA provision reduces any such risk. There needs to be greater education and awareness on FOIA in the federal agencies when staff are responding to FOIA requests and in the private sector where this information is held. To lower apprehension in the private sector, the government should examine its processes and monitor them to ensure they will protect private information and should make sure its employees are appropriately trained. 
Like FOIA, the existing antitrust law does not prevent the private sector from sharing information on cyberthreats within and between sectors. However, also as with FOIA, there are persistent perception problems and the need for better education and awareness about the law.