Hacks? What Hacks?

Sen. Robert Bennett (R-Utah), the Senate’s computer security point man, wants you to start reporting hacks of your company networks to the government. But he thinks you need a little incentive. His plan? To pass a new law that exempts any information that businesses share on hacks from disclosure under the Freedom of Information Act (FOIA).

It sounds reasonable enough. The government needs this information to understand why attacks occur and to develop better security protections. FOIA is a law that lets the public request internal government documents?like memos about Gulf War veterans’ illnesses or FBI files about criminal gangs. Companies fear that if reports of their security weaknesses are aired publicly (the press is a major FOIA user), the information would cast doubt on their future health and their stock prices could slide.

Bennett’s critics, however, see a slippery slope, leading to companies covering up problems that investors and customers should know about. Scott Armstrong, a journalist and founder of the National Security Archive, says it’s not clear how the government would define what constitutes protected information about a network intrusion. Hypothetically, a software company could use such a law to cover up that it knew there were vulnerabilities in its product before it was sold but did nothing about it.

Armstrong thinks most information that companies would legitimately want to keep secret is already protected by existing FOIA exemptions. The statute shields proprietary information about companies and data about law enforcement investigations.

At press time, Bennett was planning to introduce his bill this summer. Similar legislation sponsored by Reps. Tom Davis (R-Va.) and Jim Moran (D-Va.) went nowhere last year, but the idea has influential friends. Backers include companies in the banking, telecommunications, electricity and IT industries. For more on this issue, see "Break Glass, Pull Handle, Call FBI" (June 1, 2001).

-Stephanie Viscasillas

The Man to See About IT Policy

John Graham, head of The Harvard Center for Risk Analysis, is a leading skeptic of the value of government regulation. And he’s the man President Bush hopes to put in charge of deciding which regulations?including those relating to IT policy?go on the books. If he’s instated he’ll pass judgment on everything from whether agencies will put their forms online to what companies have to do to protect the privacy of financial or medical data they keep about customers.

Graham, whose confirmation by the Senate as head of the Office of Information and Regulatory Affairs (OIRA) was imminent at press time, is controversial. He’s taken strong stands against some regulations, like proposals to prohibit using cell phones while driving, arguing their costs outweigh their benefits. And he’s been criticized for kowtowing to companies that fund his research (consumer advocates jumped on the fact that AT&T had funded his cell phone research). Meanwhile, some detractors contend he’s ill-qualified to make IT policy. Gary Bass, executive director of OMB Watch, a government watchdog group, thinks the OIRA head should have some technology expertise (Graham is a professor of policy and decision sciences). No past OIRA administrators have been technologists, though former Presi-dent Clinton’s appointee, Sally Katzen, was an expert in telecommunications law. At his confirmation hearings in May, Graham said he simply calls things as he sees them. No senators on the Governmental Affairs Committee asked for his views on IT issues during the confirmation hearings, and he didn’t volunteer any.