

Davis-Moran Cyber Security Information Act - H.R. 4246

May 5, 2000

The bill has four main components: an antitrust exemption, a FOIA exemption, a disclosure and use limitation, and an exemption from the Federal Advisory Committee Act. The first is easily dealt with: The antitrust exemption, Sec. 6 of the bill, is probably as harmless as it is unnecessary, although the Antitrust Division may worry that the exception to the exemption, Sec. 6(b), by being too narrow, creates an implication that the exemption is broader than intended.

The FOIA and disclosure/use issues are far more complicated. They are quite separate issues too: While the FOIA exemption has attracted the most attention, and while the assertion of need for the bill is based on stated concerns that the FOIA will expose to terrorists and hackers vulnerabilities in power grids and other key infrastructures, the disclosure/use limitations are limits on the government and on other businesses. They are very broad and, as drafted, could have many unforeseen consequences, including unintended negative effects on the very companies they are meant to protect.

What is the national goal: immunity or accountability?

The disclosure and use limitations, which are intended to shield companies from liability exposure based on shared information, seem to run counter to other cyber security initiatives that seek to use the liability/insurance system, auditing standards, and disclosure processes such as those of the SEC to promote accountability and therefore encourage cyber security remedial measures.

FOIA Issues:

Is the government the clearinghouse?

Some of the questions posed by H.R. 4246 stem from the fact that it is not clear what model for information-sharing it seeks to promote: will a government agency serve as the information clearinghouse, or will the sharing occur within industry? The sponsors of the bill cite the industry ISAC ("information sharing and analysis center") model. But the financial services industry has created an ISAC without FOIA concerns, since the government is not a participant and therefore nothing is subject to FOIA.

Sharing versus nondisclosure

Whether or not the government is the clearinghouse, the bill's drafting raises a host of questions: The bill says that, except with the express consent or permission of the provider, covered information "shall not be disclosed to or by any third party." Sec. 4(c)(2). This basically gives the submitter of the information control over its use and disclosure. Presumably, most submitters would specify that the information could be disclosed to other members of a trusted network. The bill doesn't say who will decide who is in and who is outside that network. With respect to vulnerabilities in widely-used computer systems, limiting disclosure to a small network poses a risk that the information will not get to all those who would benefit from it. It is one thing for industry to form sectoral or regional sharing systems - it is different to enshrine non-disclosure as a Federal legal mandate.

A "submitter controls" approach has appeal, but it poses some problems. What if information is submitted anonymously, so that the recipient (governmental or not) cannot go back and seek permission to disclose? This would mean that the recipient would be prohibited from disclosing this information even to the intended target of an attack. Similarly, if the information comes from an informant, who said he didn't want it disclosed, again the government would be precluded from overriding the desire of the informant, even to the extent of sharing the information with the intended target.

Could the nondisclosure and nonuse provisions prevent companies from defending themselves against false accusations? If a claim is made that Windows has a vulnerability, doesn't Microsoft deserve to know that somebody is claiming that its product is faulty? Shouldn't the government be able to share that allegation with Microsoft and get Microsoft's response? Yet under the bill, if the submitter of vulnerability information gives consent to share it with anybody except Microsoft, that restriction controls.

If the allegation is untrue, shouldn't Microsoft be able to seek remedies against the person who disparaged its product? The civil litigation prohibition restricts Microsoft and other companies from defending themselves against false allegations.

Do the nondisclosure and nonuse provisions preclude standard contract remedies? For example, if a government vendor admits that one of its systems is insecure, shouldn't the government agency that has a contract to purchase and use the system be able to cancel its contract and defend itself against a breach of contract suit on the ground that the supplier admitted that the system was insecure? Yet Sec. 4(c)(3) says that the information may not be used by any Federal or State entity, agency or authority, or by any third party, directly or indirectly, in any civil action arising under any Federal or State law.

Definitions: What information is covered?

A very difficult issue is defining what information is covered.

A central term in the bill is "cyber security statement," defined as "any communication ... by a party to another, in any form or medium including ... a website ... concerning the cyber security of that entity." Sec. 3(5). On the one hand, that seems too narrow, since, if the words "of that entity" refer to the party making the statement, the bill would not include a statement by one entity about the cyber security of another entity. Thus, if a security expert finds a flaw in the system or program of another company, and warns the government, that information is not covered, since it is not a statement about the cyber security of the entity making the communication. Also not covered are in-house assessments that are not communicated "to another." Therefore, if the FAA discovers a vulnerability in its air traffic computers but doesn't tell "another," the information sitting in the FAA files is still subject to FOIA.

Compounding this problem, the bill only covers "cyber statements or other such information provided by a party in response to a special cyber security data gathering request made under this section." This means that any information not communicated "in response to a special cyber security data gathering request" is not covered. Unless every Federal agency with CIP responsibilities immediately issues a blanket special data gathering request for any and all cyber security information, this will create confusion as FOIA processors try to determine whether cyber security information was obtained in response to a designated request or came into the government's possession independently. This provision may actually curtail disclosure to the government, since companies may hesitate to share cyber security information with agencies that have not issued "special cyber security data gathering requests." Also, the bill doesn't seem to cover information in government files before the date of enactment, since it would not be information provided in response to a "special cyber security data gathering request made under this [bill]."

On the other hand, the definitions seem overbroad. They cover "any communication by a party to another ... concerning an assessment ... concerning the cyber security of that entity, its computer systems, its software programs ... or commenting on ... the cyber security thereof." This means that a statement by a Microsoft engineer commenting on a news report about an alleged security flaw in Windows is a covered "cyber security statement." It is subject to the restrictions of the bill "except with the express consent or permission of the provider." Does that mean that one hearing that comment shall not disclose it unless the engineer expressly gave permission to do so?

The bill includes statements posted on a "cyber security Internet website," a defined term. Sec. 3(4). There are hundreds, perhaps thousands, of such sites in existence now, run by the FBI, the CERT at Carnegie-Mellon, Cisco, L0pht, and many others. Attrition.org lists 3027 onsite and offsite security advisories. There is no reason to cover these and then exempt them under the public disclosure exception of Sec. 4(d)(2). (The exception requires "the express consent of the party." Is that the express consent of the party owning the system to which the information relates, the party making the statement, or the party posting it online?) Anyhow, as pointed out below, the website provision is drawn from the Y2K Act, where it served a very different function. It is inapplicable here.

Any Federal agency may expressly designate a request for information as a "cyber security data gathering request," but the bill goes on to say that a cyber security data gathering request "shall be a request from a private entity ... to a Federal entity." It goes further to say that a cyber security data gathering request "shall be deemed to have been made ... when the Federal entity ... has voluntarily been given cyber security information gathered by a private entity ... including by means of a cyber security Internet website." This seems to say that "a cyber security data gathering request ... shall be deemed to have been made" whenever the government is given information. Is the government "given" information when it is published on a website, printed in the newspaper, sent to a government employee who subscribes to a cybersecurity mailing list, or otherwise provided to the government?

Is the bill necessary?

The Justice Department has determined that it could successfully defend against FOIA requests for cyber security information under the (b)(4) FOIA exemption for proprietary information. See Critical Mass Energy Project v. Nuclear Regulatory Comm'n, 975 F.2d 871, 880 (D.C. Cir. 1992) (en banc), cert. denied, 507 U.S. 984 (1993) ("Exemption 4 protects any financial or commercial information provided to the government on a voluntary basis if it is of a kind that the provider would not customarily release to the public."). In some cases, the FOIA exemptions for national security information (b)(1) and law enforcement information (b)(7) would also be available.

But some argue that the bill is necessary to overcome industry reluctance (however unjustified legally) to share information with the government. Yet given the issues raised above, a FOIA exemption and/or a disclosure and liability exclusion could serve to shield information that one party in a business-to-business dispute would want to obtain and use.

Y2K precedent not applicable

H.R. 4246 is loosely, but only loosely, patterned on the Y2K Information and Readiness Disclosure Act, Pub. L. 105-271. The Y2K Act addressed such a different problem and from such a different perspective that it is probably not a useful model for the cyber security issue. Y2K involved a known problem that was going to cause unpredictable damage unless fixed. It made no sense to hide the problem out of fear that it could be exploited by terrorists. The main focus of the Y2K Act was liability associated with the disclosure and exchange of Y2K readiness information. FOIA was a minor concern. The goal was not to keep Y2K information secret, but to disclose it, so the public could know whether the problem was being solved.

Compare the purposes section of the Y2K bill ("to promote the free disclosure" of Y2K information and "to assist consumers, small businesses and local governments") with the purposes section of H.R. 4246 ("to promote the secure disclosure" of cyber security information and "to assist private industry and the government") (emphasis added). Compare also Sen. Bennett's statement on introduction of the Y2K legislation, where he explained that the Y2K bill "attempts to limit the legal liability of corporations and other organizations who in good faith openly share information about computer and technology processing problems and related matters in connection with the transition to the Year 2000." (Emphasis added.) Similarly, lead co-sponsor in the House, Rep. Eshoo, said: "This legislation frees organizations to communicate more openly with the public and, just as importantly, with each other, about the status of Year 2000 work on critical systems." (Emphasis added.)

The Y2K bill ended up as a very complicated law of short term duration. There are many details in the Y2K Act missing from H.R. 4246. Most notably, the Y2K Act's FOIA exemption stated that Y2K statements were exempt under (b)(4) of the FOIA, the exemption for proprietary data, while H.R. 4246 contains no reference to (b)(4). A bill that fits within the preexisting framework of exemption (b)(4) is less likely to be given an overbroad interpretation than a free-standing or (b)(3) exemption.

For further information, contact Jim Dempsey (202) 637-9800 jdempsey@cdt.org

The Center For Democracy & Technology, 1634 Eye Street NW, Suite 1100, Washington, DC 20006

Copyright © 2005 by Center for Democracy and Technology.