APBNews.com WASHINGTON (APBnews.com) -- A U.S. Senate bill would encourage companies to share sensitive information with the government about cyber-security breaches, but civil libertarians say the measure would weaken an important public disclosure law.
October 20, 2000
Critics Blast Cybercrime Bill
By James Gordon MeekThe Cyber Security Enhancement Act is intended to make the private sector more cooperative with federal agents investigating cybercrime.
Sen. Jon Kyl, R-Ariz., who introduced the bill, said many companies already are reluctant to trust the government with confidential proprietary information. But he said the real obstacle to private-sector cooperation is the Freedom of Information Act, which allows the public and press to request once-secret government documents. Companies would be reluctant to have internal documents turned over to federal authorities.
Kyl introduced the bill last week as senators went into the home stretch of the 106th Congress, which could adjourn as early as this weekend.
Protections for companies
In a speech on the floor of the Senate, Kyl said the bill would exempt the government from releasing FOIA requests that contained information about companies. The senator said if private firms know that sensitive information will be protected from public disclosure, they would be more inclined to share it with law enforcement.
But Steven Aftergood, director of the government secrecy project at the Federation of American Scientists, told APBnews.com that the premise of the measure is false.
"I don't think there's any evidence that FOIA has been used to disclose sensitive, private company information," he said. "FOIA isn't a real obstacle to industry cooperation with government."
Instead, the Kyl bill would further weaken FOIA, Aftergood said.
"It's a 'death of a thousand cuts' approach that tends to leave the FOIA diminished and ever less effective," he said.
Cheating the public?
Aftergood conceded that "there is some industry suspicion toward government" that may at times impede investigations of criminal mischief online.
Companies also are often concerned about publicizing issues such as security vulnerabilities in products or internal systems, which can affect stock value and business deals.
But Aftergood said any move to weaken FOIA to alleviate concerns over public disclosure would cheat the public from its right to know.
'Broad exemption'
Even more vexing to some civil libertarians is that there already are exemptions to FOIA on the books that would seem to safeguard exactly the type of proprietary information Kyl wants to protect, said Ari Schwartz, a senior policy analyst at the Center for Democracy and Technology.
Schwartz said confidential business information, national security information and information related to ongoing law enforcement investigations are currently protected from FOIA under U.S. law.
"What could this cybersecurity information be that doesn't fit into those three categories?" he said. "They're creating this broad exemption which could have an impact on FOIA without explaining what the purpose is."
Schwartz said the Kyl bill stems from a similar bipartisan proposal in the House but goes several steps beyond the FOIA exemptions outlined in it.
Subpoena powers for prosecutors
The Senate bill would also grant the U.S. attorney general administrative subpoena powers that Kyl said would be "very narrowly limited to cybercrime investigations involving violations of nine federal statutes that address computer crimes."
The purpose would be to give investigators the ability to quickly trace a hacker's electronic footprints, which typically hop from one computer server to the next. Often, the trail jumps from one company to another, or between large computers at universities, or frequently, across international borders. Under the U.S. Constitution, tracking each step requires cooperation by the computer's host or a search warrant or subpoena.
Kyl's bill also would require the attorney general to standardize requests from law enforcement agencies to private companies for electronic information and records used during a cyber investigation.
A Justice Department official, who asked not to be identified, said the department would review the bill.
Copyright © 2000 APB Multimedia, Inc.