from disclosure, and whether legal tools can be used by the government and private parties against those sharing information) among those sharing information is the most important prerequisite for achieving successful protection of the nation’s critical information infrastructure. The development of trust is necessary to achieve an atmosphere of openness and cooperation that can lead to sharing of vulnerabilities, best practices, and other critical information. While the passage of legislation will not automatically create trust, many believe it would create an environment where trust could develop.
Mr. Sobel argues that passing legislation to remove a perceived (as opposed to a real) barrier is a bad way to make policy, and the Antitrust Section of the American Bar Association’s steady opposition to antitrust exemptions, for example, corroborates that point of view. Legislation carries risks and costs as well as benefits, and the changes over the past year underscore the importance of considering the total effect, as well as the implications of any one piece of legislation.
No major reform to the Freedom of Information Act is explicitly required to allow for CIP-related information sharing between the private sector and the public sector. However, there is some risk and a perception that proprietary CIP-related information shared between private sector firms and federal government entities may be disclosed to third parties under FOIA. The new HSA provision reduces any such risk. There needs to be greater education and awareness on FOIA in the federal agencies when staff are responding to FOIA requests and in the private sector where this information is held. To lower apprehension in the private sector, the government should examine its processes and monitor them to ensure they will protect private information and should make sure its employees are appropriately trained.
Like FOIA, the existing antitrust law does not prevent the private sector from sharing information on cyberthreats within and between sectors. However, also as with FOIA, there are persistent perception problems and the need for better education and awareness about the law.