Debate on Privacy Goes Private

R. A. Hettinga rah at shipwright.com
Mon Dec 3 09:16:49 EST 2001


http://www.nytimes.com/2001/12/03/technology/ebusiness/03NECO.html?todaysheadlines



December 3, 2001

NEW ECONOMY


Debate on Privacy Goes Private


By MATT RICHTEL


In the debate about new surveillance powers for law enforcement officials,
Americans, in various ways, are asking a basic question: Are we willing to
curtail personal freedom in exchange for greater national security?

Now, a debate heating up in Washington puts a twist on the query: Are we
willing to curtail access to information in exchange for cybersecurity?

The cyberdebate involves legislation intended to assure private companies
that if they share information with the government about their experiences
with hackers and other types of cyberattacks, the information will be
protected from public disclosure.

The idea is that such assurances will prompt companies to divulge data that
could help in building a national defense for the Internet - without having
to worry about alarming the companies' customers, inciting their
shareholders or opening themselves up to copycat hackers.

"No company is going to voluntarily provide information in a forum where
competitors, critics and attackers can get hold of it," said Senator Bob
Bennett, a Utah Republican who is a sponsor of the Critical Infrastructure
Information Act of 2001.

Senator Bennett added that trying to devise Internet defenses without
candid information from private industry would be like "trying to run a
battle, when 85 percent of the battlefield is blind to you."

But opponents say the legislation is unnecessary because other laws already
protect sensitive information against public disclosure.

The opponents also say the proposed law could block average Americans'
access to information crucial to assessing public policy.

At least one issue does not appear to be in dispute. When it comes to
defending the Internet, the private sector is a critical part of the
equation. About 90 percent of the technical underpinnings - whether
telephone networks, Internet backbones or antivirus technology - is
privately owned and operated.

There is much less agreement, though, about how vulnerable the Internet
actually is.

Given the decentralized nature of the Internet, some experts say there is
little chance of the cyberspace equivalent of the Sept. 11 attacks. But
Richard Clarke, who is leading the Bush administration's efforts to create
a cyberdefense, has been among those warning that the potential threats are
as broad as the imagination and could lead to calamities like the
disruption of energy grids.

Among the solutions Mr. Clarke advocates is greater reliance on
organizations called Information Sharing and Analysis Centers, known in the
trade as ISAC's.

These groups are organized under specific industries - there is already one
for financial institutions, for instance, and one for high-technology
companies - and collect data on cybervulnerabilities from their members,
then share the information with other members. Companies can warn one
another about a new computer virus, for example, and suggest antidotes.

The government now wants to have access to such information-swapping, so
it can better understand patterns of attack and help bolster defenses. Mr.
Clarke, along with individual companies and ISAC organizers, says some
corporations have been unwilling to share information with the government
for fear that competitors or shareholders or other groups could learn
potentially compromising information under the Freedom of Information Act.

Two bills, Mr. Bennett's in the Senate and a similar measure in the House,
would make corporate information about cybervulnerabilities exempt from
public disclosure.

The Senate bill, for instance, asks for an exemption from the Freedom of
Information Act for information pertaining to so-called critical
infrastructure, which is defined broadly as "physical and cyberbased
systems and services essential to the national defense, government or
economy of the United States."

The definition includes, but is not limited to, the telecommunications,
electrical power, oil and gas, banking and transportation industries.

One supporter is Mark Rasch, a vice president at cyberLaw for Predictive
Systems, a computer security company that oversees ISAC for
the financial services industry. Mr. Rasch estimated that the bill might
encourage 10 to 15 percent greater cooperation from companies, and a
willingness for ISAC to share data with the government. But he added that
the real issue was not disclosure of problems, "but a commitment from the
government to fix them."

Opponents of the bills, meantime, worry about the type of information
companies might try to hide behind the cloak of nondisclosure. They fear
that industries will ask the government for financing to fight
cyberterrorism, without the public's being able to examine the supporting
evidence.

"On one hand, proponents say it is an area critical to public safety to
point to vulnerabilities in critical infrastructure," said David Sobel,
general counsel for the Electronic Privacy Information Center. "On the
other, they're saying the public has no right whatsoever to oversee the
government's actions."

Rena Steinzor, academic fellow at the Natural Resources Defense Council, an
environmental group, said the exemptions could be so far-reaching as to
prevent Freedom of Information Act requests for environmental matters, or
other issues unrelated to cyberspace.

She noted that Raytheon, a major military contractor that had
lobbied with President Bush to call for new disclosure exemptions, operates
a Superfund environmental-hazard site and could have its environmental
track record protected by the new law.

She said the law was so vaguely worded that it could enable a company to
claim protection for a broad swath of information on grounds that it was
part of the critical infrastructure. "This goes way beyond cyberattacks,"
she said.

Opponents argue that there are already sufficient Freedom of Information
exemptions in place, including laws that protect trade secrets and that
prevent public disclosure of information submitted to the government for
purposes of national security.

But Mr. Rasch said the current exemptions do not provide sufficient
reassurance to companies. Senator Bennett agrees, noting that the
legislation is sharpening the focus of the current exemptions.

Mr. Clarke, straddling this part of the debate, says that while existing
laws are probably sufficient, the problem is that companies do not believe
they are.

But if the issue is more a matter of perception than of reality, critics of
the proposed bills, like Mr. Sobel, say that the proper approach should be
educational - not legislative. The potential cost of changing the law, he
said, could be more than Americans will be willing to pay over the long run.

"It seems like the industry is trying to use this issue as a basis for
closing down a whole range of public disclosure," he said. "The people on
the Hill don't understand the unintended consequences."


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List