2 Increasing the Flow of Information
Pages 17-34

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 17...
... Eric Benhamou, chairman of 3Com, suggests that the one thing that would have the greatest return is for firms to begin immediately sharing information about attack scenarios, best practices to protect against attacks, and perpetrators. The most useful thing the government can do, according to Craig Silliman, director of the Network and Facilities Legal Team at WorldCom, is to facilitate the establishment of a single technical point of contact that would enable the administrators at the backbone ISPs to share, in real time, information to combat a cross-industry attack (such as Code Red1 or Nimda2)
From page 18...
... The federal government has made a number of attempts to promote information sharing relevant to critical information infrastructure protection. NIPC created the InfraGard initiative to facilitate the sharing of critical infrastructure information with the private sector.
From page 19...
... However, the companies that own and operate the information infrastructures include both regulated telecommunications providers and others, such as cable and other ISPs, who are regulated differently, if at all. Although the traditional telecommunications players have a history of successful information sharing with each other and the government through the NSTAC/NCC, the telecommunications industry is changing.
From page 20...
... They first surfaced in the early 1980s, when the telecommunications industry was transformed by the AT&T modified final judgment, which led to a relatively effective vehicle for government communications with the regulated telecommunications providers (NSTAC); government efforts to communicate with ...
[Footnote 6] In 1995, the President directed the National Communications System, in cooperation with industry, to implement a priority access service for wireless NS/EP users.
From page 21...
... working group proposed (in a white paper dated September 5, 2001) that information that fits into the following categories should be shared: publicized system failures or successful attacks; threats to critical infrastructures; system degradations; vulnerability information; obvious interdependencies [and] incidents of perceived limited impact; other useful information, including remediation methodology, risk management methodology, and research and development goals and needs.
From page 22...
... Some people argue that companies are slow to fix vulnerabilities without the threat of publicity. A lag time between private notifications sent to vendors and the public announcements is one approach that would give vendors and private sector entities sufficient time to implement preventative measures without facilitating hacker attacks.
From page 23...
... Barriers to Information Sharing," below. While most attention has been focused on sharing information with other members of a given ISAC, information shared across ISACs has the potential to be of much more value in identifying threats to the critical infrastructures of the United States and in analyzing trends.
From page 24...
... Fear of FOIA and antitrust concerns are the two main factors often invoked as the reasons for lack of progress on information sharing. Corporations fear that information shared with the government may be released to third parties under a Freedom of Information Act request.
From page 25...
... government are accessible to the people.17 The Supreme Court has said that the motivation behind FOIA is "to ensure an informed citizenry vital to the functioning of a democratic society, and to hold the governors accountable to the governed."18 In accomplishing that end, as the Court has also said, "disclosure, not secrecy, is the dominant objective."19 FOIA requires all agencies of the U.S. government to disclose information upon receiving a written request, except for information protected from disclosure by nine statutory exemptions.20 Of the nine specific statutory exemptions that are contained in the act, it has been argued that exemption 4 might be available to protect information on critical infrastructure protection disclosed to the government by a private party.
From page 26...
... impair the government's ability to obtain the necessary information in the future or (2) cause substantial harm to the competitive position of the person from whom the information was obtained.22

The Argument for Expanding FOIA Exemptions

Given that the purpose of FOIA is to ensure that records in the possession of the government are accessible to the public, private sector companies have expressed concern that critical infrastructure information shared with the government might be released to third parties via an FOIA request.
From page 27...
... The legislation creating a new Department of Homeland Security exempts "critical infrastructure information voluntarily submitted to a covered Federal agency for its use regarding the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose"26 from disclosure under FOIA.

The Argument Against Expanding FOIA27

Opponents suggest that case law shows that the existing FOIA exemptions are sufficient to protect critical infrastructure information; they say efforts to amend FOIA (e.g., through a new cybersecurity exemption)
From page 28...
... This information, revealing potential vulnerabilities at a nuclear power plant, is similar to the types of information involved in critical infrastructure protection. The court in this case concluded that because the nuclear power companies would not voluntarily release to the public this information, which they considered confidential, it was not subject to disclosure.
From page 29...
... According to Mr. Sobel, no one has identified what type of critical infrastructure information would escape the protection afforded by FOIA's Exemption 4.
From page 30...
... Understanding Antitrust33

The goal of antitrust law is to promote competition in the marketplace. Therefore, to prohibit restraint of trade, the antitrust law seeks to discourage collusion (inappropriate collective action) and inappropriate exclusion.34 Collusion occurs when rival firms act jointly to raise prices and reduce output, thereby harming consumers and the economy as a whole.
From page 31...
... Sharing unique information is more likely to raise concerns than sharing information that is already publicly available. For example, standards setting, which can be relevant to critical infrastructure protection, illustrates that not all collective action is considered bad from an antitrust perspective.
From page 32...
... The Argument That Antitrust Offers Sufficient Protection

Opponents to creating a new antitrust exemption argue that a new exemption is not needed to protect firms sharing critical infrastructure protection information from allegations of anticompetitive behavior.39 They further argue that experience with antitrust exemptions in other contexts reveals practical problems with exemptions that may cause more harm than good. For example, if a blanket exemption were granted, people working to protect critical infrastructures could (try to)
From page 33...
... relevant to critical infrastructure protection activities, indicating that the proposed information sharing arrangements would not be viewed as a violation of antitrust laws. For example, two business review letters announced that the government had no intention to challenge efforts to develop solutions to Y2K problems, including the sharing of test results and information on proposed solutions.
From page 34...
... No major reform to the Freedom of Information Act is explicitly required to allow for CIP-related information sharing between the private sector and the public sector. However, there is some risk and a perception that proprietary CIP-related information shared between private sector firms and federal government entities may be disclosed to third parties under FOIA.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.