For corporate America, a new exemption to the Freedom of Information Act is a comforting notion, but one that's vastly misunderstood. Here's what FOIA is and what it isn't.

Heard the one about the CSO who declared FOIA his top policy concern, and then admitted he didn’t really know what FOIA was?

OK, it’s not so funny. But neither is messing with the Freedom of Information Act (FOIA), the 35-year-old rule book on how members of the public can access government records on anything from suspected alien activity to demographics about Zantac.

Well, not just anything. FOIA has its limits: nine of them, to be exact, in the form of exemptions intended to protect national security and other necessarily private machinations of the government. But if businesses get their way, and it looks like they will, a new FOIA exemption will soon be law. In July, as part of the Homeland Defense bill, the House of Representatives passed legislation that would protect companies that voluntarily share physical and computer-related critical infrastructure information with the government. The Senate agreed on a similar provision as an amendment to its Homeland Security bill. At press time, the Senate legislation was stalled because of unrelated concerns, but the FOIA exemption seemed poised to become a reality, if not this year then next.

For people like Bruce Bonsall, CISO of the MassMutual Financial Group in Springfield, Mass. (and one practitioner who does, in fact, understand FOIA), the new exemption can’t come soon enough. “Information is power, and we just don’t want to share powerful information that relates to our vulnerabilities with anyone other than people we’re collaborating with to protect critical infrastructures. That’s tipping our hand,” Bonsall says. He and others fear that if they share details about network threats and vulnerabilities with the government, then journalists, watchdog groups, competitors or even terrorists will use FOIA to access that information.
The result? Embarrassment, possible litigation and clues for ne’er-do-wells who want to attack a company’s system or ruin its business plan.

But critics worry that a new exemption would create what Rep. Janice Schakowsky (D-Ill.) has called “a loophole big enough to drive any corporation and its secrets through.” They say companies will misuse the new exemption to hide misdeeds and protect themselves from negligence lawsuits, concerns underscored by years of tangling between environmental advocates and the energy industry over what public safety records should be made public.

The Bush administration, meanwhile, has taken an odd middle ground, arguing that a new FOIA exemption is at once necessary and unnecessary. “Our lawyers say the law, as currently written, would allow us to protect that information,” says Richard Clarke, President Bush’s top cybersecurity adviser. “But that doesn’t persuade companies to give us the information. Their lawyers believe they need additional protection; therefore we need to get additional protection.”

As the debate rages, CSOs, even those who admit privately that they don’t understand FOIA, have been able to use the proposed exemption as an easy excuse for not yet partnering with the government on protecting the nation’s privately held energy, communications, financial and other critical systems.

That won’t be true for long. And only CSOs who understand FOIA and its exemptions, both new and old, will be able to help evaluate their company’s risk of exposure.

The People’s History of FOIA

Established in Section 552 of Title 5 of the United States Code, the Freedom of Information Act (FOIA, sometimes pronounced foy-uh) was passed under the premise that sunlight is the best way to dispel chicanery in every corner of the government. FOIA creates procedures for members of the public to write to a federal department or agency, describe specific information that they believe the agency has on file, and request photocopies of the records.
Best known as a tool for gumshoe journalists and conspiracy theorists, FOIA is also used by advocacy groups, government watchdogs, academic researchers, businesses, lawyers and all kinds of curious individuals, U.S. citizens or not. In 2001 alone, 196,917 FOIA requests were filed by people who wanted everything from details about deported refugees to product safety records to, yes, suspected UFOs.

Although current talk about FOIA centers on public access to information, the legislation was born half a century ago in a power struggle between the executive and legislative branches of the U.S. government. When the Eisenhower administration fired alleged Communists in the early ’50s, Rep. John E. Moss (D-Calif.), head of the Special Government Information Subcommittee, asked for details about who was fired and why.

“They wouldn’t tell him,” says Thomas S. Blanton, director of the National Security Archive, an independent research organization at The George Washington University. That was just one of the reasons the Democrat-led Congress began a battle to get the Republican White House to share information with Congress. In hearings held into the next decade, and cheered on by newspapers that argued for the public’s “right to know,” members of Congress showed a record of government cover-ups intended to protect not national security but bureaucratic embarrassment.

But when the Democrats took power in 1961, President Kennedy and Vice President Johnson had their own reasons for not wanting FOIA to pass. Legislation stalled until July 4, 1966, when Johnson, by then president, reluctantly signed the FOIA into law. “It was only grudgingly that Johnson signed FOIA,” Blanton says. “One more day and it would have been a pocket veto. There was no signing ceremony, which was unusual.”

FOIA lacked teeth at first, because people whose FOIA requests were denied had no recourse. Then, the Watergate scandal again forced Congress’s hand.
In 1974, a Democratic Congress overrode President Ford’s veto and passed an amendment saying that judges must review the claims of FOIA requesters rather than dismissing them on the basis of an affidavit filed by the government agency.

These days, an agency technically has 10 working days to respond to an initial FOIA request. Overloaded FOIA officers might respond that it will take longer, even months, to fill the request. They might respond that the description is inadequate or that the information does not exist. And they might also deny the request on the basis of one of the nine exemptions. For example, records that might damage national security are exempt from FOIA requests, as are details about law enforcement investigations (although court documents are part of the public record). If a FOIA request is denied on the basis of one of the exemptions, the requesting individual can go through an appeals process that could end up with a judge determining whether the information should be released.

The process, while cumbersome, can pay off. In recent years, FOIA requests have led to the disclosure of files about the assassination of President Kennedy, geographical statistics about children who were prescribed Ritalin and details about Vice President Dick Cheney’s task force (in which case two groups, the Natural Resources Defense Council and Judicial Watch, filed suit to get the Department of Energy and White House to release the records).

Who Wants What?

Although FOIA was intended to let citizens keep an eye on the federal government, during the years it has morphed into a time-consuming process used less often by deadline-driven journalists and more often by businesses doing competitive research. “That was definitely not the intention,” says Herbert Foerstel, a retired librarian who wrote Freedom of Information and the Right to Know: The Origins and Applications of the Freedom of Information Act.
“If Pepsi could, they would get Coca-Cola’s formula under the Freedom of Information Act.”

They can’t, of course. Exemption 4 of FOIA protects “trade secrets and commercial or financial information obtained from a person and privileged or confidential.” Government agencies have to warn a business before releasing information identified as confidential, and the business can file a reverse lawsuit to keep the government from releasing it. However, much of the commercial data submitted to the government is not exempt. Companies routinely use FOIA for competitive research to learn about, say, new drug applications filed with the Food and Drug Administration or the winning bid for a NASA contract.

That use of FOIA (an act that Supreme Court Justice Antonin Scalia famously criticized as “the Taj Mahal of the Doctrine of Unanticipated Consequences”) has led to new concerns about corporate information submitted to the government. Meanwhile, the government has been imploring companies to share information about attacks on the private networks that house 85 percent of the nation’s critical infrastructure. All of which brings us to the current conundrum. Some companies fear that existing FOIA exemptions do not protect information about security threats and vulnerabilities. This kind of information, although sensitive, “may not be a trade secret,” says Stash Jarocki, chairman emeritus and board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), one of several industry groups formed to give practitioners a place to exchange information out of reach of regulators. Nonetheless, last summer the FS-ISAC agreed to start sharing limited information with the FBI’s National Infrastructure Protection Center (NIPC) regardless of FOIA concerns, a move that put Jarocki in a particularly strategic place to argue for the additional FOIA exemption.

“What if I wanted to sit down with the NIPC and show them all the diagrams of my network? Would I do that without [the new FOIA exemption]? Hell no,” says Jarocki, who’s also vice president of Morgan Stanley’s IT security. “Would I like to share with them single points of attack or exposure, to find out how I could solve it and maybe secure it? Sure I would. But I can’t do that today because the bottom line is that you can FOIA that,” he says, making the act into an action.

Well, you could try, but you probably wouldn’t get far. The act itself may not explicitly protect critical infrastructure information, but legal precedents do. Ron Dick, director of the NIPC, points to a case involving the Nuclear Regulatory Commission and a watchdog group, the Critical Mass Energy Project. In 1984, Critical Mass asked the NRC to disclose public safety reports submitted by the Institute of Nuclear Power Operations, a nonprofit group formed by nuclear plant owners. The NRC refused, and Critical Mass sued. A U.S. District Court in Washington, D.C., eventually decided in favor of the NRC for two reasons: The information had been voluntarily given to the agency, and disclosing it would make companies less likely to volunteer information in the future, the same arguments that could be used in relation to critical infrastructure protection.

But case law isn’t good enough, Dick says. “Despite this case and others like it, the private sector wants straightforward language, a simple statute they understand.”

The Real Deal

His work on Y2K legislation finished, Sen. Bob Bennett (R-Utah) had long been talking about the need for legislation that would encourage companies to share critical infrastructure information with the government. After 9/11, he saw an opportunity, as the public’s right to know began to take backstage to fighting terrorism. On Sept. 24, 2001, he and Sen. Jon Kyl (R-Ariz.) formally submitted S. 1456, the Critical Infrastructure Information Security Act of 2001.
The bill would have exempted voluntarily submitted information related to critical infrastructure from FOIA requests, prevented the information from being used in civil action and protected information-sharing groups like the ISACs from antitrust laws.

The bill languished until a better opportunity came along. Rather than passing the Critical Infrastructure bill by itself, Congress opted to piggyback the FOIA exemption onto the massive piece of legislation creating the Department of Homeland Security. And here is where the story veers into the unavoidably complicated terrain of how a bill becomes a law. At press time, two different FOIA exemptions were winding their way through the legislative process, and lawmakers were at odds about how to improve critical infrastructure protection without furthering the “doctrine of unanticipated consequences.”

In July, the House of Representatives passed its Homeland Security Act, H.R. 5005. Section 724 would protect voluntarily submitted information about critical infrastructure protection from FOIA requests and, more significant, also prevent that information from being used in civil action.

Meanwhile, the Senate agreed on an amendment to its Homeland Security Act, S. 2452, that included a narrower, less business-friendly version of the FOIA exemption that would not protect businesses from litigation and would apply only to information submitted to Homeland Security. At press time, the Senate legislation was stalled over unrelated issues, but if it passes in November or December, the differences between the two bills will have to be hammered out by a joint conference committee.

“The concern that we see expressed is that we’re trying to cover something like the accidental release of chemicals,” says Bobby R. Gillham, manager of global security for ConocoPhillips and a liaison between the government and the oil and natural gas industry. “That’s not what we’re talking about at all. The only exemptions are just in the critical infrastructure and just in that narrow range of vulnerability, threats and incidents.”

David Sobel, general counsel for the Electronic Privacy Information Center, sees it differently. He says that the FOIA exemption is a red herring, and that the real issue is the possibility that voluntarily submitted information couldn’t be used in litigation. “It’s all about accountability,” he says. “It’s about whether security flaws will ever be made public and whether the government or other interested parties would have the ability to seek corrective action against companies that are negligently ignoring security concerns.”

Even if the FOIA exemption doesn’t become law this year, the debate has clearly shifted from whether the FOIA exemption should become reality to exactly what form it should take. It’s unlikely that President Bush would fail to approve the exemption because the Bush administration has encouraged agencies to give requesters only the bare minimum of required information. (In fact, author Foerstel believes that in some ways, the manner in which exemptions are written is less important than the administrative guidelines issued by the attorney general on how to treat FOIA requests. “With [Attorney General John] Ashcroft, his frame of mind is basically, don’t give them anything,” Foerstel says. “His guidelines are very strong in the direction of discouraging the release of information.”)

Whatever final form the exemption takes, there’s no way to know if it will actually improve information sharing or just change the reasons companies are reluctant to talk to the government about security. “We’ve been building relationships and procedures, so the technical ability to share information is there,” says MassMutual’s Bonsall, a member of the Partnership for Critical Infrastructure Security, which includes both federal agencies and critical infrastructure companies.
“We have to get beyond the apprehension, and some exemptions from FOIA will help with that.”

But will it open the floodgates? “Absolutely not,” he says. “[Building trust] is an ongoing process. It just doesn’t start and stop.”