
List:       isn
Subject:    [ISN] Access denied
From:       William Knowles <wk () C4I ! ORG>
Date:       2000-05-31 17:52:29

http://www.fcw.com/fcw/articles/2000/0529/cov-access-05-29-00.asp

BY William Matthews
05/29/2000

When it emerged less than a decade ago, the World Wide Web was quickly
embraced as a bright new medium that could help reinvent government
and revitalize democracy. But gradually government policy-makers have
also seen that the Web has a much darker side.

Information once eagerly posted on government Web sites to promote
environmental safety, assist military personnel or help retirees is
now being viewed as dangerous if found by terrorists, hackers and
other criminals. Prompted by fears that easy access to information is
putting Americans at risk, agencies and Congress are tightening
controls over federal Internet sites. Federal Webmasters who once
enthusiastically posted information now anxiously take some of it
down.

Congress has even banned some unclassified government information from
federal Web sites, although not from private sites, and is considering a
bill to grant sweeping exemptions to the Freedom of Information Act
(FOIA) in the name of cybersecurity.

"We're becoming afraid of the technology that we invented to make
government more open," said Patrice McDermott, an information policy
analyst for OMB Watch, a public interest organization in Washington,
D.C. "What should be used to make government more open is being used
as an excuse for making it more closed."

"There is a growing sense of caution about what's on the Web," said
Roger Baker, chief information officer at the Commerce Department. "I
don't want to call it a backlash, but it's a bit of a reaction to the
push to get everything out there. It's sort of an 'oops that shouldn't
be out there.'"

"Oops" is probably an understatement to Rep. Thomas Davis (R-Va.), who
sees real danger lurking in the Web.

"Cyberattacks have moved beyond the mischievous teenager and are now
being learned and masterminded by terrorist organizations. It's not
difficult to imagine what could occur if those attacks were focused on
our utilities or emergency services," Davis said as he introduced his
Cyber Security Information Act this spring.

Davis' bill would grant sweeping exemptions from FOIA when private
companies share information about computer vulnerabilities with the
federal government. The bill would also limit companies' legal
liability and exempt them from antitrust violations based on the
information they share.

Because it is connected to the Internet, the nation's critical
infrastructure, which operates everything from transportation to
financial systems, is in jeopardy, Davis warns. And recent computer
virus attacks have added a tone of urgency to the warnings.

So far, they have not slowed the governmentwide commitment to
increased use of information technology and the Internet. Agencies
still aim to meet the requirement set by the Paperwork Reduction Act
of offering all government services and transactions online, in
addition to paper, by 2003. And the president's e-government goal of
having the 500 most-used government forms online by the end of this
year still stands.

The Best Intentions

But fear for the safety of major systems and the public has begun to
force policy-makers to consider significant changes in online practice
and philosophy.

"I would tend to take the view that if it's available through the
Freedom of Information Act, it should be out there. But that's not a
well-thought-through view," said Baker, who heads the Security,
Privacy and Critical Infrastructure Subcommittee of the federal CIO
Council. "Some stuff just shouldn't be out there. You may be legally
bound to turn it over, but do you want to call attention to it?"

That question was at the heart of a debate at the Environmental
Protection Agency over whether to post information on the Internet
about industrial plants and the hazardous chemicals they use.

Openness has been a key EPA strategy for achieving compliance with
environmental regulations. Disclose sources of pollution and potential
hazards, and public pressure often will force cleanups and better
safety practices, the agency has found. But in the Internet Age,
openness has yielded to the idea that secrecy promotes security.

Challenged by the FBI and temporarily forbidden by Congress, the EPA
has decided not to post "risk management plans" on the Internet. The
plans spell out worst-case scenarios that could result from chemical
accidents at more than 15,000 U.S. industrial plants.

The requirement for risk management plans dates to the pre-Internet
era. Horrified when a gas leak at an American-owned insecticide
factory in Bhopal, India, killed 8,000 people and injured 500,000 more
in 1984, Congress ordered the EPA to establish rules to minimize the
risk of similar leaks in the United States.

In amendments to the Clean Air Act, Congress required companies that
handle dangerous chemicals to submit plans to the EPA spelling out
what would happen in a "worst-case" chemical accident and how they
would prevent or at least minimize accidental chemical releases.

Congress also ordered that the risk management plans be disclosed to
the public, hoping to generate public awareness that could pressure
companies to pay greater attention to safety. EPA officials posted the
plans on the Web.

FBI and intelligence agencies argued that posting the risk management
plans would provide "one-stop shopping" for terrorists. The plans,
they said, provided enough detailed information to turn 15,000
businesses and industrial plants into weapons of mass destruction.

In an assessment conducted this year, the EPA concluded that "the risk
of terrorists attempting in the foreseeable future to cause a
potentially catastrophic chemical release is both real and credible."

Now the EPA proposes to make the plans available to the public on a
limited basis, on paper, at 50 monitored reading rooms across the
country. Personal identification and sign-in sheets would be required.
Note-taking would be allowed, photocopying forbidden.

But deciding to keep the plans off the Internet was not easy for some
at the EPA. "I see us still struggling with the issue," a senior
agency official said.

Some at the agency charge that senior EPA policy-makers have backed
off their commitment to communities' right to know. But others "are
coming to understand that there are aspects to making information
available broadly that we need to be cognizant of. There is an
accountability angle," the official said. "As you look at it from that
perspective, it makes you think more critically and analytically about
information and how it might be used."

But a former EPA official admits he is more cynical. "I really think
the motivation is political," he said. "The Republican Congress has
attacked the EPA, and I don't think the Web is the main objection.
They're trying to deter the EPA from being as effective as it can be."

"The practical difficulty with the EPA plan is it attempts to enforce
a distinction between paper documents and electronic documents. It
won't work," said Steven Aftergood, director of the Federation of
American Scientists' Project on Government Secrecy. "There are people
who will take the paper document and post it on a Web site. It's not
illegal yet. If the information is unclassified and useful, it's going
to find its way onto the Web."

To Inform or Promote?

Aftergood has some experience in that regard. About a year ago, the
Marine Corps removed program information from some of its Web sites
about the Marine Corps Tactical Systems Support Activity, a unit based
at Camp Pendleton, Calif. The information was neither classified nor
protected for reasons of personal privacy. Included in the information
were details on technology the Marines plan to use to support other
Corps units in a war.

"All of it was unclassified. It wasn't even sensitive," Aftergood said.
"And there was nothing like Social Security numbers or home addresses"
to warrant keeping it secret, he said.

Aftergood filed a FOIA request for a directory of Web pages that had
been withdrawn. He argued that the Marine Corps had no right to
withhold it.

The Marines agreed. But instead of sending Aftergood a directory of
the suppressed Web material, the Corps handed over a cassette
containing 900M of material that it had stricken from the Web.

The data was stored on a "peculiar helical-scan, 4 mm data cartridge,"
Aftergood said. And so far, he has been unable to locate equipment
that can read it.

The Marines' action raises questions about how agencies should use the
Web. Is the Web intended to make government more transparent? Should
agencies routinely post information such as minutes of meetings and
texts of policies so the public can learn more about what the
government is doing?

The military, which invented the Internet, has found it extremely
valuable as a fast and efficient global information distribution
system. But "in the rush to take advantage of the Net's timeliness and
distribution capabilities," personnel have sometimes abandoned
caution, a Pentagon official said.

They have posted documents intended for official use only, put
personal information online and disclosed sensitive information about
exercises and operations.

The ease of access to information on the Internet makes even
unclassified information more sensitive. "You can take a lot of
miscellaneous facts and start to piece a picture together," explained
a retired Army officer. Collecting bits of information from many
sources and putting them together used to be a slow, often laborious
process. The Internet makes it far easier.

"The interconnectedness of information on the Internet is forcing
agencies to re-examine what they put online," said David McClure,
associate director for governmentwide and defense information systems
at the General Accounting Office. "Information you thought was only
within one confine is not, and it becomes much easier to weave a
mosaic of information," he said. And a congressional requirement that
federal agencies keep searchable electronic archives will create an
even greater challenge, he said.

The Defense Department has formed a special unit at the Pentagon
called the Joint Web Risk Assessment Cell to comb military Web sites
for information it thinks should be removed. The primary intent is
security, military officials say. For example, maps of military bases
that are helpful to personnel being transferred to new posts might
also prove valuable to terrorists planning an attack.

Even at the Agriculture Department, "the security posture is changing.
There's a general feeling that the world has become a less friendly
place," said William Hadesty, information security chief at USDA. "The
whole security thing is under review. We're constantly looking at
security here," he said.

Secrecy in the Name of Security

There is a slightly different security concern when it comes to the
critical infrastructure, according to Rep. Davis.

The critical infrastructure is largely owned and operated by the
private sector, and ordinarily, private companies are not subject to
most of the disclosure requirements imposed on government agencies.

While it is widely agreed that government and industry need to work
together to solve the computer security problems that threaten the
critical infrastructure, industry is reluctant to do so, Davis said,
because information shared with the government is subject to
disclosure. Davis, who represents Northern Virginia and its burgeoning
high-tech business sector, said he introduced the Cyber Security
Information Act to encourage businesses to share information about
security weaknesses with the federal government and each other.

Putting limitations on the use of information is necessary to assure
businesses it is safe to share information with the government, said
Davis, who has a seat on the House Government Reform Committee.

He said he modeled the bill after similar legislation that convinced
industry to work with government to solve the Year 2000 computer
compliance problem. Computer security is emerging as a problem of
similar magnitude, Davis contends.

Critics of the legislation complain that it would "cast a blanket of
secrecy over vast amounts of information that the public might have a
need and right to know," OMB Watch's McDermott said. According to OMB
Watch, this bill is part of an ongoing push by industry to carve out
exemptions to FOIA.

The group concedes that there may indeed be information that the
government wants industry to share that should remain secret, but
Davis' bill leaves "virtually no role for any government agency except
to do the bidding of private entities," which want to keep information
from the public, McDermott said.

A Davis aide argues that failing to grant FOIA exemptions will hurt
government more than it hurts industry. Without privacy assurances,
companies will simply refuse to share useful information.

But a "very disturbing idea" embedded in the Davis bill is that
information shared between the private sector and the government
should routinely be kept secret from the public, said Kate Martin, a
lawyer for The National Security Archive, a research institute that
specializes in publishing declassified government documents.

"It is linked to the notion that it will be necessary for the
government to do much more with the private sector than it has in the
past. And because the private sector wishes not to be subject to open
government laws," the Davis bill permits government to become more
secretive, she said.

"It turns the basic presumption of freedom of information and open
government on its head," Martin said. "The really dangerous thing is
the wholesale exemption [to FOIA] of all information shared with the
government when it's related to the critical infrastructure."

McDermott said the situation would be similar to a law that forbids
newspapers from reporting on bank robberies because their articles
highlight banks' vulnerabilities. Her point: Shouldn't people be able to
learn about the danger to the bank and their money? And isn't publicity
likely to prompt the bank to invest more in security?

The Internet Changes Everything

Instead of broad FOIA exemptions, information should be carefully
evaluated and exempted from disclosure only when the risk of
disclosure is found to be greater than the value of openness, Martin
said.

Yet, she concedes, in some ways the Internet has changed the equation.
Much of the information that has traditionally been "public" has also
traditionally been difficult to obtain. Papers filed in courthouses or
buried in agency file cabinets were simply not readily available.
Increasingly, that's no longer true. If it's on the Web, it can be
accessed from virtually anywhere.

"It may be that we need to rethink" policies on privacy and
disclosure, "but it needs to be done very specifically, not with just
a blanket blackout" of information, Martin said.

Aftergood predicts that it is too late for much of a retreat from the
Web. Agencies have found that it is slower and more expensive to
provide information on paper. There is a mounting expectation that if
an agency has useful information, citizens should be able to get it on
the Web, he said.

"I think there will still be a net increase in the amount of
information that is becoming available, notwithstanding these recent
efforts to retrench," Aftergood said.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
