Some Businesses Balk at Giving Secrets for U.S. Terrorism Fight

Prominent business groups, usually allied with the Bush administration, are showing unexpected resistance to government efforts to gauge the nation’s vulnerability to terrorism.

While the White House says private-public cooperation has blossomed since the Sept. 11 attacks, representatives of banking, information technology, utilities and other industries in recent months have declined to share crucial details of how their systems work and where they might be compromised. They say that sensitive data shared with Washington could quickly become public, undercutting corporate trade secrets, scaring off customers or providing would-be terrorists with valuable clues about targets.

The motives for withholding data vary from sector to sector and business to business. Without exception, industry leaders say they want to help the government. But Shannon L. Kellogg, a vice president for security at the Information Technology Assn. of America trade group, said, “The bottom line is, the information is not flowing.”

In response, the Bush administration has proposed exempting from the federal public disclosure law much of the information it wants private industry to voluntarily supply to the new Department of Homeland Security. Critics attack this proposal as an unwarranted break for big business. And they charge that, because some of its records would not be subject to public review, the department would be effectively “above the law.”

But advocates say the government can’t fend off terrorists without winning cooperation from private industry. “The best scenario is for the government and all the [business] players to be connected with full information but for the terrorists to still be in the dark,” said Sen. Robert F. Bennett (R-Utah).

The dispute shows anew how the challenge of securing America from terrorist attack in a post-Sept. 11 world raises fundamental questions about how much information can and should be shared with the government.

At issue is how the government can help protect what has come to be known as “critical infrastructure”: telecommunication networks, information systems, financial service links, utility grids, power plants, chemical depots, transportation hubs and so on.

Many of those assets are in private hands.

And the government, with some exceptions, cannot compel the owners to disclose systemic weaknesses or even to report threats and attacks.

Bennett recounts one incident to prove the point. After Sept. 11, he said, a financial institution called him for advice on how to handle a serious terrorist threat it had received against its internal systems. But the company’s officers did not want to relay the threat to government agencies for fear that it would become public and spark employee or customer panic.

The threat turned out to be a hoax, but Bennett called it “a classic example of something that the Homeland Security Department would want to know.”

In April, an FBI survey of businesses and other institutions found that 90% of respondents had experienced significant computer security breaches within a one-year period, most of them causing financial loss, but that only 34% had reported the incidents to law enforcement.

At a hearing in May before the Senate Governmental Affairs Committee, Ronald L. Dick, director of the FBI’s National Infrastructure Protection Center, explained why.

“The two primary reasons for not making a report were negative publicity and the recognition that competitors would use the information against them,” Dick said.

The Office of Homeland Security, a White House unit formed after Sept. 11, also has found resistance.

Laurence W. Brown, legal affairs director for the Edison Electric Institute, which represents investor-owned utilities, said he attended a conference in April in which homeland security officials asked industry representatives for security information.

Brown said the officials were told: “We’d love to tell you where our critical facilities are, but we’re not going to because you can’t keep a secret.”

Tom Ridge, the White House homeland security director, acknowledged in testimony before Congress last week that getting information from private industry is “a problem that’s been experienced by a lot of the Cabinet secretaries and even during the work of the Office of Homeland Security.”

But solving that problem is especially tricky for a Republican administration that aims simultaneously to expand government’s anti-terrorism powers and curb government’s regulation of private enterprise.

Rather than passing new laws or issuing executive orders requiring business to hand over critical information, the White House has concluded that a voluntary approach will work best.

To that end, Ridge argues that businesses should be granted the exemption to the government’s Freedom of Information Act, a goal supported by a loose coalition of industries and prominent companies. Microsoft Corp., for instance, purchased a newspaper advertisement last month calling for an FOIA exemption for sensitive security information.

Enacted in 1966, the FOIA enables interest groups, journalists and others to petition the government for access to its records. While the act is meant to promote open and accountable government, many types of records already are exempt from disclosure.

For example, the act allows federal agencies to shield from public view records related to national defense, foreign policy, law enforcement, trade secrets and certain kinds of commercial or financial information, among other categories.

The Bush administration’s proposed homeland security exemption would go further, exempting from disclosure information voluntarily provided to the new agency in connection with “infrastructure vulnerabilities or other vulnerabilities to terrorism.”

Some critics, including the American Civil Liberties Union, contend no changes to the law are needed to protect the sort of records industry leaders claim would be vulnerable to public disclosure. Others say the proposal is too broad.

What, they ask, is “infrastructure”? What are “vulnerabilities”?

Rena Steinzor, an attorney for the Natural Resources Defense Council, an environmental group, said the proposed exemption could shield from public view an application to expand a power plant. Or data from a chemical plant on real or potential toxic leaks. Or any other information a business considers embarrassing or a liability.

Mark Tapscott, a scholar at the conservative Heritage Foundation think tank who served in the Reagan administration, called the proposed exemption “overly broad.” Congress appears split, which could slow legislation the administration wants passed this year to create the Cabinet-level Department of Homeland Security.

Sen. Patrick J. Leahy (D-Vt.), chairman of the Senate Judiciary Committee, chastised Ridge last month, saying that the FOIA exemption and other provisions of the administration’s homeland security bill seek to place the new agency “above the law.” He called that “very troubling.”

But Rep. W.J. “Billy” Tauzin (R-La.), chairman of the House Energy and Commerce Committee, applauded the proposal.

“We ought to cut a delicate balance here, because we are a free society and we want people to know what our government is doing,” Tauzin said. “But there’s a line we have to draw when it comes to providing free to anybody who wants it a road map of how to get into a nuclear plant.... “