[iwar] [fc:Critics.Blast.IT.Loophole.in.Homeland.Security.Plan]

From: Fred Cohen (fc@all.net)
Date: 2002-07-27 10:36:12


To: iwar@onelist.com (Information Warfare Mailing List)

Critics Blast IT Loophole in Homeland Security Plan

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, July 24, 2002; 4:48 PM

The White House proposal to create a Homeland Security department could
allow corporate scofflaws to hide nefarious business activities from the
public in the name of national security, critics warned today. 

The proposal would permit companies that own and operate critical
computer systems to share information on network vulnerabilities and
hacker attacks with federal investigators without fear that the data
could be made public through Freedom of Information Act (FOIA) requests. 

The White House says it needs more cooperation from the private sector
to identify and combat a flood of network attacks on government
agencies, the military and the private sector.  The administration
believes that changing FOIA will encourage businesses to share that
information. 

Opponents claim that such a change would allow companies to justify
shielding nearly anything from public view, including the kinds of
accounting and business practices that brought down Enron and WorldCom. 

They also say FOIA already bars the disclosure of information that
reveals trade secrets, and that the new exemption amounts to an industry
ploy to avoid liability for a range of corporate malfeasance. 

"The damage this exclusion could do is legion," said Rep. Janice
Schakowsky (D-Ill.), ranking member of the House Government Reform
subcommittee, which hosted a panel of administration officials today. 

"It astounds me that in a moment in history when transparency in
business is in the headlines every day ... that we now want to offer a
loophole big enough to drive any corporation and its secrets through,"
Schakowsky said. 

Schakowsky's sentiments have been echoed in recent weeks by consumer
groups and scores of lawmakers on both sides of the aisle, including
House Majority Leader Dick Armey (R-Texas). 

James X. Dempsey, deputy director for the Center for Democracy and
Technology, charged that by dumping information with the Department of
Homeland Security, companies could "shield vital health and safety
information from the public, even if disclosure of the information would
pose no threat whatsoever."

The bill also would allow the administration to grant antitrust immunity
to selected industries that voluntarily share vulnerability and attack
information, Dempsey said. 

Administration officials defended the White House plan, saying the
measures are needed to allow the government to respond quickly in the
event of a concerted cyberterrorist attack on the nation's
infrastructure. 

Ronald Dick, director of the FBI's National Infrastructure Protection
Center, said that if private sector companies don't think the law is
clear, then for all intents and purposes it is not. 

"We spend a good deal of time with the private sector trying to explain
how current exemptions will protect the information they provide to us,
but the problem is that if we're not able to convince them that (current
FOIA) exemptions are adequate, that's still of concern to them."

"Nobody intends this to become a mechanism by which people can foist
their responsibilities off, or so that gross negligence can be buried in
government," said John Tritak, director of the Commerce Department's
Critical Infrastructure Assurance Office.  "The real goal is to create
an environment where dynamic information sharing is taking place and
problems can be dealt with in real time."

Scott Charney, chief security strategist for Microsoft Corp., said his
company and many others fear that under current FOIA law, the hazy
definition of what constitutes a "trade secret" would lead to endless
litigation from FOIA seekers. 

Charney said Microsoft would almost certainly share more information
with the federal government if the new exemptions were passed. 

"Does that mean if they pass a new FOIA exemption everyone shares every
deepest and darkest secret? Probably not," he said.  "Will it increase
the flow of information? Yes."

But Alan Paller, director of research for the SANS Institute, said most
companies still won't share vulnerability and hacker data with the
government, even if the new FOIA exemptions are enacted. 

"There's significant evidence that they won't share it unless they think
you're part of the 'fix it immediately' camp, and the federal government
is not usually considered part of that group," Paller said. 

Earlier today, the Senate Governmental Affairs Committee added the new
exemptions to its legislation.  The House of Representatives is expected
to vote by the end of this week on its version of the bill, which also
includes the changes. 

A spokesperson for Schakowsky said she plans to offer an amendment when
the bill hits the floor that would remove the FOIA exceptions
altogether. 

Schakowsky warned that if pushed into a corner, Congress could make such
information disclosures mandatory. 

"I just want to suggest there is another option: that is to say that
this information isn't voluntary -- that we require it," she said.  "We
could in fact just say that because this is so critical to national
security, (we will) simply require this, rather than pander to the
desires of businesses to keep information secret."

© 2002 TechNews.com

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT