Companies Wary of Sharing Cybersecurity

The reasons companies give in this article for not participating are similar to why organizations weren't more forthcoming with information last year about their Y2K efforts and readiness.

http://dailynews.yahoo.com/h/ap/20000622/tc/cybersecurity_1.html

Thursday June 22 4:18 PM ET

Cos. Wary of Sharing Cybersecurity

By JESSE J. HOLLAND, Associated Press Writer

WASHINGTON (AP) - Corporations insist they won't fully participate in any national cybersecurity efforts unless they get Freedom of Information Act waivers and lawsuit protection.

Businesses say they're afraid that if they share private information with the federal government to help fight off hacker attacks, it would be made public with an FOI request and used against them.

"Fears of publicity, fears of inviting additional attacks, fears of confidentiality and fears of antitrust liabilities have limited the willingness of industry members to share information," said Daniel Woolley, president of the Global Integrity Corp., an information security company.

"This is the major reason why they say they can't cooperate," said Rep. James Moran, R-Va. He is one of the sponsors of the cybersecurity information bill, which would exempt the private company computer information from FOI requests and provide them with some antitrust liability protection, similar to what was done during the Y2K preparations.

However, FOIA advocates told a House Government Reform subcommittee that the current FOIA provides all the protection businesses need and any changes would just lead to lengthy lawsuits.

"If it's not broken, why fix it? You might cause an unintended problem," said David Sobel, lawyer for the Electronic Privacy Information Center. He pointed out that the current FOI law already has 25 years of solid litigation behind it, and adding a new provision only ensures years of additional litigation.

Moran said he had hoped adding an FOI provision clarifying the law on volunteered information would help stem lawsuits attempting to get that information from the government. That won't work, Sobel said.

"I don't think it's a question of litigation versus non-litigation," Sobel said. "It's a question of how protracted that litigation is."

Whether the current FOIA protects companies' information doesn't matter, Moran said. They don't think it does, he said, "and perception is reality. If the general counsel of that company is not sure ... they are simply not going to participate (in a national security plan)."

The General Accounting Office, Congress' watchdog agency, said a national cybersecurity plan is becoming increasingly important as the possibility of an attack on the nation's critical infrastructure increases.

The government must have assistance from the private sector, though, because companies run 80 percent of the nation's telecommunications, financial services, information technology, transportation and electric power, as well as the gas and oil sectors, advocates said.

"We have a national security challenge that our national security establishment cannot handle alone," said John Tritak, director of the Critical Infrastructure Assurance Office.

And the government is in no position to tell companies about computer security, said Joel Willemssen, the GAO's director of civil agencies information systems.

Companies will have a hard time working with the government until federal agencies become serious about their own computer security, he said. "The federal government does not have its house in order," Willemssen said.

On the Net: House Government Reform subcommittee on government management, information and technology: http://www.house.gov/reform/gmit

-- News (from@the.wires), June 26, 2000

Answers

Don't agree with your comment. Companies don't want to share security features because that presents vulnerabilities to would-be hackers.

Last year companies shared their remediation efforts and consultants were free to sell their "shortcuts". You probably didn't want to see companies as forthcoming. But I found companies did speak up about their Y2K efforts.

-- Maria (anon@ymous.com), June 26, 2000.
