nnyq

Will Bush Say Phooey on FOIA?

While the Senate debates a Homeland Security bill that would create a $38 billion, 170,000-employee department aimed at defending the nation's physical borders and securing the government's computer networks from cyber attacks, corporate America is anxiously awaiting a White House report detailing the private sector's responsibility in protecting the country's IT infrastructure from a possible terrorist attack.

At a reported 2,800 pages in length, the "National Strategy for Securing Cyberspace" is sure to send corporate legal departments into overtime billing as lawyers seek to divine the legal ramifications of the IT security strategy that the Bush Administration hopes can be implemented by voluntary compliance. The implied alternative, of course, is a more heavy-handed government approach.

Since the Homeland Security legislation has been almost a year in the making and still is not likely to reach President Bush's desk until mid-October, no new legislation is an important consideration as the government is anxious to have companies running critical systems speed along information to the government about the private sector's network vulnerabilities and system defense measures.

The government considers this information vital since the private sector controls almost 90 percent of the nation's critical IT infrastructure. Even more sobering, a recent Business Software Alliance (BSA) survey of more than 600 IT professionals found that 60 percent of those surveyed who are directly responsible for their company's network security believe U.S. businesses are at risk for a major cyber attack in the next 12 months.

The BSA survey concluded that U.S. businesses remain ill-prepared to defend themselves despite increased attention to network security.

"Many people think of cyber attacks as relatively harmless intrusions into Web sites. The reality is that the country's information networks are intricately linked and run everything from our financial systems to our power grids and emergency communication systems," said Robert Holleyman, president and CEO of BSA. "A major attack into these systems could yield devastating losses in both the physical and cyber worlds."

Although the Bush plan has not been published, the White House has leaked enough advance information about it to know the administration hopes a "market-driven" approach will convince the private sector to support the proposal and speed compliance.

"If we don't have buy-in from the private sector, we can't get anywhere," Paul B. Kurtz, the administration's director of critical infrastructure protection, said earlier this summer.

For public consumption, the private sector has said throughout the summer that it supports Bush's approach but privately have voiced concerns that if it shares information with the government about network vulnerabilities, that information -- which no company would want floating around in cyberspace -- could be made public through a Freedom of Information Act (FOIA) request.

The Bush plan, though, reportedly will call for an FOIA exemption for sharing certain vital information with the government. That, in turn, has prompted American Civil Liberties Union concerns that the exemption would "drastically" reduce the proposed Department of Homeland Security's "responsibility to answer public questions" about how well the agency it is addressing threats to America's IT infrastructure.

Will Bush Say Phooey to FOIA? Privacy Czar Is Seen As Key to Alleviating FOIA Fears. See Page 2.