Businesses Urged To Share Data About Security HolesBusinesses Urged To Share Data About Security Holes

To protect the nation against cyber-terrorists, the federal government is asking companies to share sensitive data about security holes in their IT infrastructures. Any cyberattack likely would be waged on networks controlled by private companies, which own 85% of the nation's critical IT infrastructure, from banking to telecom networks.

"The future battlefield is in private hands," Sen. Robert Bennett, R.-Utah, said last week at a Senate Governmental Affairs Committee hearing on a bill he's sponsoring, which would exempt from some provisions of the Freedom of Information Act businesses that voluntarily reveal secrets to the government involving IT vulnerabilities.

Citizens can use the Freedom of Information Act to compel the government to provide some confidential data, and companies fear the information they disclose will be available or leak to competitors or--worse yet--lead to criminal or civil lawsuits.

"Companies won't disclose voluntarily if it could bring financial harm to them," says Ty Sagalow, chief operating officer of insurer American International Group's E-Business Risk Solution unit. "The risk is too great. Better to keep your mouth shut."

A Computer Security Institute/FBI survey released last month shows Sagalow isn't the only one who prefers not to share such data with federal authorities. It revealed that 90% of 503 computer security practitioners surveyed detected computer security breaches during the previous 12 months, but only 34% reported them to law enforcement.

The Critical Infrastructure Information Security Act would limit the courtroom use of information disclosed by companies to improve cyberprotection. But that provision worries the Justice Department. Deputy assistant attorney general John Malcom wants the bill changed so such information could be used in criminal cases. "Let me be clear that the Justice Department wouldn't support legislation that would prohibit the government from using voluntarily provided information in a criminal proceeding," he says.

A published report late last week said the senator would change the bill to meet Justice's concern. But at the hearing, Bennett wondered if the nation would be better off letting a few businesses escape legal action, provided that sharing data with the government prevents terrorists from attacking IT networks. "What we're talking about is information that otherwise wouldn't have been known."