Information Resilience and Homeland Security

Richard Forno

Freedom of information may be a double-edged sword, but restricting information has only one edge - and it cuts off the lifeblood of a healthy democracy.



In the current security-conscious environment, many people seem willing to sacrifice their most fundamental democratic rights to support anything that is promoted as good for homeland security. In many cases, an unwillingness to do so is perceived as being ‘unpatriotic’. However, as has been pointed out in this column many times since September 11, we must make sure that we are not throwing out the baby with the bathwater. More to the point, while fulfilling reasonable patriotic duty, we must be sure that we continue to hold our government and corporations accountable for their actions, despite the fact that current challenges may appear to demand unflappable unity in the face of external attack.

Post September 11, there has been a strong push by government security and law enforcement agencies to restrict or withhold any sort of information that could possibly be used to engage in or further terrorist activities. Of course, in a society whose primary political and legal principle is supposed to be freedom of speech, this can quickly become problematic.

Particularly problematic is the fact that much of the contentious information is available on the Web sites of some of the large corporations that operate America’s critical infrastructures. Why is this a concern? Because the government is currently proposing laws that will give such companies exemption from Freedom of Information Act (FOIA) requests for certain information. In other words, the government is proposing protecting certain corporate information from prying eyes, including yours and mine.

Sound far-fetched? Remember the weeks after 9/11 when news reports surfaced that the US government was asking libraries to destroy CDs and databases that contained information about various critical infrastructures in America. How about when the Bush Administration asked federal agencies to review and remove potentially damaging information from their Web sites? Or when the government asked watchdog groups like the Federation of American Scientists to remove sensitive information from their sites?

For example, chemical plants and nuclear power facilities removed ‘sensitive’ reports and documentation about public health, environmental safety, and facility security from their websites, allegedly to preclude a terrorist from obtaining information for malicious purposes. Absent many such reports, how will the public, watchdog groups, or regulatory or enforcement agencies be able to monitor for potential problems that affect the public? The fear here is that, under the guise of ‘national security’, the government is actually allowing corporations to avoid scrutiny by and accountability to the taxpaying public that is, in effect, paying for the critical infrastructures. Come to think of it, perhaps Enron was getting a head start by shredding documents in the name of homeland security to avoid anyone discovering how it really operated large parts of America’s critical energy infrastructures?

The attempt to provide national security by obscuring corporate information has resonance in the information security world. It brings to mind the full disclosure debate, which pits the security community’s need to know about problems as quickly as possible against corporations’ interests in maintaining positive public perception and market share. Without the real-time information-sharing ventures that full disclosure enables, system administrators are placed in a ‘holding pattern’, and are kept in the dark until (umm, errr, if…) a vendor decides to acknowledge and address a reported problem.

Both the attempt to circumvent the FOIA and to muzzle full disclosure sound very effective at thwarting evil, but in reality neither effectively enhances public security. The community in general – be it computer users or society at large – must be able to obtain raw information about issues that potentially affect their well-being, whether that means chemical spills or the latest Windows exploits. The general public cannot be solely dependent on any one entity for information. Going down that path creates an environment of security through ignorance.

Despite the sensational management hype calling for this approach, it rarely works in reality. People quickly forget that anything that a person can use (from a knife to airplanes to automobiles and knowledge) can be used to endanger others, provided malicious intent is present. However, dealing with the tiny number of people capable of such malice should not mean forcing the remaining majority into a society in which information of public interest is withheld out of fear. Law-abiding citizens in a healthy democracy should not be destined to live in ignorance that is encouraged by corporations and enforced by governments.

In the United States, and elsewhere in the world, the public has a right to know information that may directly affect their lives. If a GAO report says airport security is bad, travelers should know about it. If a safety report says that it’s too easy for someone to break into a chemical plant and cause an accident, the local residents should know about it. If a dangerous vulnerability is discovered in a widely utilized operating system, systems administrators should know about it. The list goes on. The right to self-protection is fundamental to the right to self-determination. By allowing corporations to withhold crucial infrastructure information, the government may be complicitous in depriving its citizenry of its most fundamental right. Indeed, as Paul McMasters wrote in a Freedom Forum article, denial of access shushes the democratic dialogue that is part of what makes America so attractive to its citizens and those wishing to come here.

Terrorism, by its very definition, is unconventional. Contrary to popular belief, there’s no way to guard against every single form of attack. Nor is it possible, or desirable, to withhold from public view all knowledge that could be used for malfeasance. Information - like knowledge - is a double-edged sword. The vast majority of those interested in information regarding America’s critical infrastructures are not terrorists. They should not be branded as potential terrorists or evildoers by government actions that restrict their ability to access such materials. It may be trite to say it at this point in time, nearly eight months after the September attacks, but it is true nevertheless: if we use the events of September 11 to deny the basic rights and freedoms of a healthy democracy, the terrorists will have won.

Further Reading:

Whitehouse Memo Orders Review of Information Procedures, OMB Watch

Announces Plans to Restrict Access to Envirofacts, OMB Watch

Reject the Corporate Secrecy Grab, David Banisar, SecurityFocus

Examples of “Information Resiliency”, InfoWarrior.org

The Freedom of Information Center

Journalist Resources for Reporting on Terrorism, InfoWarrior.org



Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.



