Cybersecurity legislation advancing in Congress could create the first brand-new exemption to the Freedom of Information Act in nearly half a century—a prospect that alarms transparency advocates and some lawmakers.
A bill approved by the Senate Intelligence Committee last month would add a new tenth exemption to FOIA, covering all “information shared with or provided to the Federal Government” under the new measure.
Another provision in the legislation would require that “cyber threat indicators and defensive measures” which companies or individuals share with the federal government be “withheld, without discretion, from the public.” The Senate bill, which is expected to come to the floor soon, also seeks to shut off any access to that information under state or local freedom of information laws.
Two cybersecurity bills are expected to be taken up on the House floor as soon as this week. Both contain similar language about keeping confidential threat and defensive measure information turned over to the government. However, a new FOIA exemption that was in the House Intelligence Committee cyber bill was taken out, a spokesman confirmed Friday.
In an official Senate Intelligence Committee report made public over the weekend, two Democratic members of that panel objected to the new FOIA exemption, which would be the first brand-new exemption added to the landmark transparency legislation since 1967.
“We are unconvinced that it is necessary to create an entirely new exemption to the Freedom of Information Act, or FOIA,” Sens. Martin Heinrich (D-N.M.) and Mazie Hirono (D-Hawaii) wrote in a statement accompanying the panel’s report on the cyber bill. “Government transparency is critical in order for citizens to hold their elected officials and bureaucrats accountable; however, the bill’s inclusion of a new FOIA exemption is overbroad and unnecessary as the types of information shared with the government through this bill would already be exempt from unnecessary public release under current FOIA exemptions.”
“To the extent FOIA exemptions need to be updated, those changes should only be made following open hearings in which all stakeholders have an opportunity to have their voices heard,” Heinrich and Hirono added. They also said they might propose a floor amendment to address their concerns.
A spokeswoman for Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said the FOIA language was important to encourage companies to share information on cyber threats and attacks with the government.
“The exemption is one of the bill’s tools meant to encourage as much sharing of cyber-threat indicators as possible in order to reduce cyber-attacks on our homeland. At the core of this legislation is the creation of an environment where individuals and businesses feel safe in sharing information with the government as well as with each other,” Burr spokeswoman Becca Watkins said.
At a Senate Judiciary Committee meeting last week, Sen. Patrick Leahy (D-Vt.) cited the FOIA change as one reason he would like to see the Senate bill sent to the Judiciary Committee for hearings and possible amendments.
“There’s so much that involves our jurisdiciton, I wish that we would have that sequential” referral, Leahy said. As chairman on the committee in 2012, he held a hearing on the freedom-of-information implications of cybersecurity legislation.
Judiciary Committee Chairman Chuck Grassley gave no indication that would happen, saying that a similar bill considered under Democratic-controlled Senate last year wasn’t referred to the panel. That bill died without a floor vote.
Grassley has supported cybersecurity-related FOIA exemptions, but at the 2012 hearing he sounded wary about the idea.
“I have to say that I’m a bit surprised that some open government and privacy groups appear to be accepting the dramatic regulatory power that Homeland Security and Secretary Napolitano will have under the Lieberman-Collins’ cybersecurity bill and under President [Barack] Obama’s proposal. Given the FOIA scandal at Homeland Security, I’d have thought that they’d have more reservations,” Grassley stated, referring to revelations that political appointees at DHS were flagged to planned FOIA releases and sometimes delayed them.
President Barack Obama and his aides have been publicly urging Congress for years to pass cybersecurity legislation. However, a White House spokesman declined to say whether Obama—who famously pledged to oversee the most transparent federal government in U.S. history—backs creation of a new cyber-related FOIA exemption.
A 2012 Senate bill that drew an endorsement from the Obama White House contained a narrower FOIA-related provision, which said threat-related information should be treated confidentially by the government. That bill did not contain a new exemption to FOIA as the current Senate Intelligence Committee measure does.
One transparency advocate said the FOIA language in all the measures is troubling.
“It’s bad….Any way you look at it, these are not good bills in terms of public accountability and various other concerns, including public safety,” said Patrice McDermott of OpenTheGovernment.org.
Critics say the proposed new FOIA exemption could allow companies to block disclosure of virtually any information by anyone in the government simply by submitting that information to the new cybersecurity portal. McDermott said the narrower provisions were also troubling and have mandatory language that could preclude the government from releasing cyber-related information even when needed to warn about a danger to the general public.
McDermott also said it would set a bad precedent if a bill creating an entirely new FOIA exemption made it into law without passing through the panels which oversee that law in each chamber.
“By authorizing a new exemption to the FOIA through a committee other than the committees of jurisdiction….you’ve undermined FOIA,” she warned.