US government wants firms' security secrets
With the publication of proposed rules, the US department devoted to national security hopes to convince tech companies that they are safe sharing information about infrastructure vulnerabilities
The US Department of Homeland Security is hoping to convince technology and telecommunications firms that it's safe to share information about infrastructure vulnerabilities with the federal government.
This week, the new department published a set of proposed regulations designed to convince corporate America to hand over infrastructure information to the government, promising that it will be kept in the strictest confidence.
The proposal sweeps broadly, covering any data submitted to the government about any real or possible attack on "critical infrastructure or protected systems by physical or computer-based attack" or any programming errors, glitches or bugs that could endanger important services like the Internet, utilities or telephone networks.
Industry groups had worried for years about the potential negative consequences of handing over proprietary or embarrassing information to the federal government, fearing it could be leaked to the press or obtained through requests filed under the Freedom of Information Act (FOIA).
Their worries led to an amendment being added to the legislation enacted last year that created the department. It says that critical infrastructure information voluntarily submitted to federal agencies "shall be exempt from disclosure" through FOIA.
Advocates of open government protested the amendment, saying it was unnecessary since FOIA already said that sensitive information could not be disclosed.
David Sobel, general counsel of the Electronic Privacy Information Center, said at a congressional hearing last July that the department should not be completely immune to FOIA requests. "Any claimed private sector reluctance to share important data with the government grows out of, at best, a misperception of current law," Sobel said. "Exemption proponents have not cited a single instance in which a federal agency has disclosed voluntarily submitted data against the express wishes of an industry submitter."
The proposed rules published on Tuesday are the result of the legislation. Comments may be sent to cii.regcomments@DHS.gov on or before 16 June.
In charge of running the department's vulnerability collection and storage programme will be an undersecretary of the Information Analysis and Infrastructure Protection directorate, who will be chosen by Secretary Tom Ridge. That person will oversee a vulnerability database to be called the Critical Infrastructure Information Management System.
The directorate is allowed to disclose some information in the database to the public when publishing a general alert. "In issuing a warning, the (directorate) shall protect from disclosure the source of any voluntarily submitted (information) that forms the basis for the warning; and any information that is proprietary, business-sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain," the proposal says.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.