As the Committee on Governmental Affairs proceeds with markup of S. 2452, legislation to establish the Department of Homeland Security, we urge you to support measures that will encourage the private sector to share critical infrastructure information by protecting such information from unnecessary public disclosure.
Nearly 90 percent of the nation's critical infrastructure - physical and computer networks for production and delivery of energy, food, water, telecommunications, financial services, health care, chemicals and other raw materials, essential products and services - are owned and controlled by the private sector. Furthermore, they are largely interconnected with, and interdependent upon, each other. The new Department of Homeland Security and other agencies obviously need to know more about these facilities in order to evaluate threats and vulnerabilities, and take necessary actions. Thousands of companies want to help in this effort by sharing critical infrastructure threat and vulnerability information with the government.
But the government is not getting that information. The risk is too great that such information will fall into the wrong hands. Current Freedom of Information Act (FOIA) exemptions are too narrowly drawn and would not protect this information. Most in industry are not willing to voluntarily share this information because those who wish to do harm can use FOIA or similar requirements to get access to it. No one wants to provide a "road map" or "target list" for terrorists. Congress can remove those security risks by ensuring there is no disclosure of voluntarily submitted information regarding threats to, and vulnerabilities and restoration of, critical facilities, networks, and supporting systems. Until that happens, it is simply too risky for industry to share such information with any government agency.
We urge Congress to address this situation and encourage a public-private information sharing partnership. We support a narrow, specific FOIA exemption for critical infrastructure information voluntarily shared with the government.
In congressional testimony on July 15, Homeland Security Director Ridge endorsed such a proposal as, "[recognizing] the need for an exemption while ensuring that the federal government's regulatory and enforcement efforts are in no way undermined. The Administration supports the intent and purpose of this amendment."
None of the proposals under consideration would allow companies to evade existing legal or regulatory disclosure requirements. They seek to protect only certain information that is voluntarily shared with the government. FOIA would still apply to information required under important health, safety and environmental laws, and the proposals specifically allow the continued use of such information for government enforcement actions.
The undersigned associations, representing a broad range of the nation's critical infrastructures, urge you to support legislation to ensure that the private sector can voluntarily share critical infrastructure threat and vulnerability information.
American Chemistry Council
Americans for Computer Privacy
Association for Competitive Technology
American Gas Association
American Petroleum Institute
American Society for Industrial Security
Business Software Alliance
Edison Electric Institute
Financial Services Roundtable
Information Technology Association of America
Internet Security Alliance
Interstate Natural Gas Association of America
National Association of Manufacturers
U.S. Chamber of Commerce