White House

Executive Agencies

GAO/CRS Reports

Congress

State Legislation

Judicial- Federal

Judicial-State

Links to Analysis

Contact Information

 

STATEMENT OF
JOHN G. MALCOLM

DEPUTY ASSISTANT ATTORNEY GENERAL
CRIMINAL DIVISION
U.S. DEPARTMENT OF JUSTICE

BEFORE THE COMMITTEE ON
GOVERNMENTAL AFFAIRS
U.S. SENATE

MAY 8, 2002

Mr. Chairman and Members of the Committee, thank you for this opportunity to testify about the Department of Justice’s efforts to protect our nation’s critical infrastructure and about information sharing related to that protection. The issues before this Committee today are of great importance, and I commend the Committee for holding this hearing.

In my testimony today, I would like to outline briefly the nature of critical infrastructure protection, the information sharing problem and the Department’s current efforts to combat that problem. It is clear to the Department that information-sharing is a serious issue, and that its complexity presents a significant challenge to law enforcement.

The nature of the issue
The safety of our nation’s critical infrastructure is of paramount concern to the Justice Department. As you know, the term “critical infrastructure” refers to both the physical and cyber-based resources that make up the backbone of our nation’s telecommunications, energy, transportation, water, emergency services, banking and finance, and information systems.
The problem of ensuring delivery of critical infrastructure services is not new. Indeed, owners and operators of critical infrastructure facilities have been managing risks associated with service disruptions for as long as there have been such facilities. However, the operational challenge of ensuring the delivery of the broad array of services that now depend upon the Internet and other information systems is a challenge that has grown exponentially in the last several years. The burgeoning dependence of the U.S. infrastructure on the Internet has exposed vulnerabilities that have required the U.S. government to mount new initiatives, to create new federal entities to help manage critical infrastructure protection efforts, and to seek prevention, response, and reconstitution solutions.

The safety of our nation is our first and overriding objective. The Justice Department has been working across government to address infrastructure issues for several years. The attacks of September 11 heightened our awareness of these issues and have pushed us closer to resolution on some issues. Following those terrorist attacks, the Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act). That Act, which the President signed into law in October 2001, amended U.S. laws to further critical infrastructure protection efforts by increasing sentences for those committing cyber attacks, improving our ability to use procedural tools to track sources, and enabling law enforcement to share wiretap and grand jury information with others responsible for homeland defense when appropriate.

U.S. infrastructure protection efforts are the shared responsibility of many entities, both public and private. Much of this joint effort is based upon the principle that a robust exchange of information about threats to and actual attacks on critical infrastructures is a critical element for successful infrastructure protection efforts. The following are just a few of the entities dedicated to this principle: the National Infrastructure Protection Center, the Department of Justice’s Computer Crime and Intellectual Property Section, Information Sharing and Analysis Centers, the Critical Infrastructure Assurance Office, the Office of Homeland Security, and the Federal Computer Incident Response Center

To better protect critical infrastructures, government and the private sector must work together to communicate risks and possible solutions. Acquiring information about potential vulnerabilities from the private sector is essential. Doing so better equips us to fix deficiencies before attackers can exploit them. For example, a telephone company might discover a vulnerability in a widely used component of our telephone network that makes the network susceptible to disruption by hackers. If we concentrate our time and energy on remediation of terrorist attacks after they occur, we have already lost. Information is the best friend of both prevention and response. We recognize that we can protect the nation only if the private sector feels free to share information with the government.

However, industry often is reluctant to share information with the Federal Government. One reason given by industry for not sharing information is that the government may later have to disclose that information under the Freedom of Information Act, or FOIA. Industry also is
3
concerned that sharing information among companies will lead to antitrust liability, or that sharing among companies or with government will lead to other civil liabilities (e.g., through a product liability suit or a shareholder suit). Without legal protections regarding information needed by the government in order to safeguard our infrastructure, even the most responsible, civic-minded companies and individuals may hesitate before sharing such crucial information, fearing that competitors may obtain that information and use it to their advantage.

With this in mind, both the Senate and the House of Representatives have actively considered and are currently considering bills that would specifically bar disclosure under the Freedom of Information Act of any information that is voluntarily submitted to government agencies to protect our critical infrastructure. Such a “corporate good Samaritan” law would provide the necessary legal assurance to those parties willing to voluntarily provide sensitive information to the government that they would not otherwise provide.

The Justice Department believes that the sharing of private sector security information on critical infrastructure between private sector entities and with the federal government to avert acts that harm, or threaten to harm, our national security is of the utmost importance. We are prepared to work closely with Congress to pass legislation that provides this important legal protection.

The Freedom of Information Act
Congress passed the Freedom of Information Act more than thirty-five years ago. FOIA established an effective statutory right of access to government information. The principles of government openness and accountability underlying FOIA are inherent in the democratic ideal.

However, achieving an informed citizenry is a goal that is sometimes counterpoised against other vital societal aims. Society's strong interest in an open government sometimes conflicts with other important interests of the public--such as the preservation of the confidentiality of sensitive commercial and governmental information. Though tensions among these competing interests are characteristic of a democratic society, their resolution lies in providing a workable formula that encompasses, balances, and appropriately protects all interests, while maintaining emphasis on the most responsible disclosure possible. It is this accommodation of countervailing public concerns, with disclosure as the predominant objective, that FOIA seeks to achieve.

The Freedom of Information Act generally provides that any person has a right, enforceable in court, to obtain access to federal agency records, except to the extent that one of nine exemptions protects such records (or portions of them) from disclosure or they are protected by one of three special law enforcement record exclusions. Two exemptions are relevant here: 5 U.S.C. §§ 552(b)(3) and (4).

Exemption 4 of FOIA protects "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential." The exemption affords protection to those business submitters who are required to furnish commercial or financial information to the government, either directly or indirectly, by safeguarding them from the competitive disadvantages that could result from disclosure. That exemption covers two categories of information in federal agency records: (1) trade secrets; and (2) information that is (a) commercial or financial, and (b) obtained from a person, and (c) privileged or confidential. Exemption (3) of FOIA incorporates the disclosure prohibitions contained in various other federal statutes.

Case Law on Exemption 4
Over the years, a considerable body of law has developed, much of it in the form of decisions of the United States District Court for the District of Columbia and the Court of Appeals for the District of Columbia Circuit. In practice, the great majority of FOIA disputes revolve around whether the submitted information qualifies as “confidential” as that term has been judicially interpreted within the context of Exemption 4. It is important to recognize that the courts have regularly rejected any notion that either an information submitter’s request for confidentiality, or an agency's promise that submitted information would not be released, by itself, suffices to insulate such information from disclosure under FOIA.

Under the District of Columbia Court of Appeals decision in Critical Mass Energy Project v. NRC, commercial information or information that is required to be furnished to the Government can be withheld primarily to the extent that the Government can demonstrate that its disclosure would result in “substantial competitive harm.” However, where information is "voluntarily" submitted to the government, such information is protected to the extent that it is not "customarily" disclosed to the public by the submitter, a considerably easier standard to satisfy. It is our expectation that most information regarding critical infrastructure vulnerabilities will fall into the “voluntarily” submitted category and will, therefore, readily qualify for Exemption 4 protection under the DC Circuit’s Critical Mass decision. At the same time, both we and business submitters are aware that this D.C. Circuit Court precedent might not come to be accepted in all other judicial circuits, which gives rise to reasonable concerns.

Were the decision in Critical Mass a definitive legal principle decided by the United States Supreme Court, concerns regarding protection of this information would be greatly reduced. Since that is not the case, the Department recognizes that the broad protection afforded such information by the District of Columbia appellate court does not provide the complete assurances to the submitters of private sector infrastructure that they seek. Nor will protection be categoric in those instances in which information regarding vulnerabilities are included as part of a submission by state and local government entities.

Other Issues
Although FOIA is a major issue, it is not the only issue here. Some companies also claim that sharing information with the government, or each other, will lead to liability and possible antitrust suits by the government or by their competitors.

Legislative Action
The Department appreciates the continuing interest of the Congress. During the 106th Congress, bills were introduced in both the Senate and the House to address these issues. Both bills focused on protecting critical infrastructure information provided to the government from compelled disclosure under FOIA. Both bills also address the antitrust and liability issues.

Last session, Senators Bennett and Kyl again introduced a bill. Key provisions of their bill:
- shield from disclosure under FOIA, with a specific request by the company that submitted the information, critical infrastructure information voluntarily submitted to certain federal agencies;
. - limit use of shared information in civil proceedings; and
- exempt critical infrastructure information-sharing activity from the antitrust laws.

Representatives Davis and Moran also introduced a new version of their bill. Although similar to the Bennett-Kyl bill, it more tightly restricts the government’s use of such information. Later in the session, a consensus bill was developed, but not introduced.

Justice Department Concerns
Under the existing case law on Exemption 4 of FOIA, the Justice Department believes that critical infrastructure information submitted to the government should be protectible from disclosure. However, we realize that some in industry disagree or, at least, are lacking the certainty that allows them to comfortably submit information to the government with complete assurance that it will not be disclosed. Since the goal of our information sharing efforts is to increase information flow to the government, we need to address the concerns of these companies. Indeed, in a letter to the National Security Telecommunications and Advisory Committee last fall the President expressed his support for “a narrowly drafted exception to the Freedom of Information Act to protect information about corporations’ and other organizations’ vulnerabilities to information warfare and malicious hacking.” An important point is that, without such a statutory provision, the government would never obtain the information, and, thus, would not have it to disclose to begin under FOIA. Such a state of affairs, moreover, would not serve our vital national interests.

Scope of the Information Protected
By the same token, it is crucial that any bills be carefully crafted so as not to unnecessarily shield information. Defining critical infrastructure is difficult, and, on balance, the Department believes that a broad definition is better suited to this issue. Our objective is to reassure companies that appropriate information will be protected. Too narrow a definition may leave a company in doubt and result in the information being withheld from the government out of fear of FOIA disclosure, the very result we seek to prevent.

On the other hand, a bill that sweeps in too much information is just as bad. For example, suppose a bill were to protect all information (1) submitted by a person, (2) to a covered Federal agency, and (3) for informational purposes. If that were so, any information obtained by the EPA during a witness interview would likely be covered, since it would constitute information submitted by a person, to a covered Federal agency, for informational purposes. Such a bill would clearly cover too much information, and would not serve our national interests.

Three approaches are available to reduce this problem. First, drafters must make clear that any bill does not cover independently-obtained information. For example, let us suppose that a company submits valid critical infrastructure information to the Office of Homeland Security. Entirely independently, the EPA develops the same information in an investigation. The government should be able to use the EPA’s information without restriction. If this were not so, any information sharing bill would quickly turn into a shield, allowing companies to use the protections of the bill to dump information on the government and thus shield it for all time and for all purposes. In a sense, it is important to protect the “copy” of the information submitted to the government, but not the information itself.

Second, resolve the issue of who may receive the information in favor of designated agencies only. The choice here is between allowing any agency of the government to receive critical infrastructure information, or allowing only designated agencies or departments to receive it. We recommend that agency heads designate which components or bureaus, if any, may actually receive such information. This would provide for flexibility (agency heads could designate any appropriate office) and certainty (designated offices would know how to handle submitted information). This solution would also help prevent use of the Act as a sword–if an agency head did not want a component to receive protected information that might raise a question of immunity or improper use of voluntary submitted information, he or she could not designate that component.

Third, retain the provisions of the existing bills that require companies to voluntarily submit the information in order to obtain the protections of the bill. If the information is not so submitted–if it is instead produced in response to subpoena or a program requirement–the information is not covered. A voluntariness requirement is important because the goal of information sharing efforts is to encourage companies to share information that the government is not otherwise receiving.
We also suggest requiring that the submitter explicitly request the protection of the statute for two reasons. First, some information does not need protection, nor does industry want all information to be protected – yet all information would be automatically protected if no request is required. Second, a request will help the government identify the protected information, especially where such notification appears on the document itself.

Liability
As I mentioned earlier, FOIA is only the first of three issues raised by industry. The second issue relates to liability concerns. Some companies have expressed concern that, should they share information with the government, the government could then use that information in a civil or criminal suit against them. While perhaps legitimate concerns, let me be clear that the Justice Department would not support legislation that would prohibit the government from using voluntarily provided information in a criminal proceeding. Other mechanisms exist to give a company some consideration and possible benefit for voluntarily providing information about criminal violations. Some of these are outlined in the Justice Department’s 1991 Policy on Voluntary Disclosures.

If Congress chooses to include civil liability protections, the protections must be very carefully crafted so as not to hamper, or even eviscerate, law enforcement objectives. The bills already introduced include civil liability provisions. Some drafts of the liability provision have included so-called “indirect” use protections. We strongly believe that, at most, only “direct” use should be prohibited, since indirect or derivative use is extremely difficult to disprove. A similar issue frequently lurks in immunity proceedings in criminal cases, where the Federal government, in order to proceed with a criminal prosecution, may have to disprove derivative use of a defendant’s statements in a so-called Kastigar hearing. In the civil context, for example, should the government receive information about a vulnerability under an information-sharing bill that included indirect civil protection and then seek to sue the submitter, we would be required to prove that the submitted information was not used in any way in the investigation, including developing leads. In essence, we have to prove that all of our evidence came from independent sources. Past experience clearly demonstrates that this is a very difficult burden to meet.

State Laws
As you know, infrastructure protection efforts are a cooperative effort among the Federal Government, industry, and State and local governments. Any information sharing bill needs to consider how and when information may be shared with State and local governments. All States have their own FOIA or sunshine laws, which vary widely. It would make little sense to protect the information federally but leave it subject to disclosure under State FOIA laws once shared with States.

Antitrust Issues
The third of the issues raised by industry are antitrust concerns. Historically, the Justice Department has viewed requests for antitrust exemptions from the private sector as unnecessary, since they are unlikely to violate the antitrust laws. However, an exemption with respect to critical infrastructure protection is being discussed within the Administration.

Conclusion
Mr. Chairman, I want to thank you again for this opportunity to testify about our efforts to protect critical infrastructure. Citizens are deeply concerned about their safety and security of our country. By addressing information sharing, Congress will enhance the ability of law enforcement to fight cybercrime, terrorism, and protect our infrastructure. The Department of Justice stands ready to work with the Members of this Committee to achieve these important goals.

Mr. Chairman, that concludes my prepared statement. I would be pleased to answer any questions that you may have at this time.