greater impacts. In Massachusetts, where companies report not just chemical releases but also chemical use, in products or in the workplace, chemical use is down approximately 40% and chemical releases are down nearly 90%. Restricting public access to information restricts opportunities for these kinds of protections of public safety and health and removes accountability for government and corporate actors. Section 204 of the proposed bill would contradict these lessons by creating an unprecedented and unwarranted loophole in the Freedom of Information Act. This section runs counter to the fundamental principle of FOIA: a presumption that the people of the United States have wide-ranging access to their government and that a government of, by, and for the people requires an open government. In the rare cases where a compelling public interest requires secrecy, FOIA allows carefully limited exceptions for specific documents.

The proposed bill runs almost exactly counter to this approach. It does not even define what documents would be exempt from FOIA that could not be covered by current FOIA exemptions (which already exist for national security, trade secrets, and certain voluntarily provided information), much less explain what compelling public interest necessitates this exemption. The requirements for what information could be made exempt are so vague that virtually any information on American industry, including information required to be public under other laws, could potentially be submitted to the new Department, certified as "relating" to critical infrastructure vulnerabilities, and permanently removed from public access. This would be a colossal step backwards for open government, public accountability, and the public's right to know about safety threats.

When Congress addressed the security of water supplies, it was first determined that for vulnerability assessments being submitted to the government, current FOIA law may require public disclosure and that such disclosure could be a security threat. Congress then exempted only these documents from disclosure under FOIA. This should be the model for considering any exceptions from FOIA.

Because this bill creates no new vulnerability assessments and requires no new information to be submitted to the government, Congress should not consider creating any new FOIA exemptions. Section 204 should be struck from the bill.

ENVIRONMENTAL DEFENSE, GREENPEACE, NATIONAL ENVIRONMENTAL
TRUST, NATURAL RESOURCES DEFENSE COUNCIL, OMB WATCH,
U.S. PUBLIC INTEREST RESEARCH GROUP

DEAR CONGRESSMAN,

July 8, 2002

While almost ten months have passed since September 11, a significant vulnerability has yet to be addressed. Across the U.S., thousands of industrial facilities use and store hazardous chemicals in quantities that put large numbers of Americans at risk of serious injury or death in the event of a chemical release.

Unfortunately, the administration's Homeland Security Act fails to address these critical safety issues. Moreover, EPA efforts to address the problem have encountered resistance within the administration as well as from some Members of Congress. Under current law, EPA has the expertise and legal authority to address threats posed by major chemical releases at industrial facilities. EPA should act immediately and aggressively to require facilities that store toxic chemicals to assess and reduce their vulnerabilities by eliminating targets (for example, by converting to safer chemicals or processes) and enhancing security. Congress must make it clear that immediate action is expected from EPA to reduce this threat and should amend the Homeland Security Bill to require oversight to ensure that EPA implements a comprehensive hazard assessment and reduction program.

In its current form, the Homeland Security Act not only fails to address chemical safety, but instead proposes to create new, far-reaching secrecy provisions. These restrictions have the potential to keep the American public in the dark about potential risks from chemical facilities and hamper efforts to make communities safer. Congressional precedent has been to establish only very limited exemptions to the Freedom of Information Act (FOIA) for specific documents (for example, the recent exemption in the Bioterrorism Response Act of 2001 for water system vulnerability assessments). Section 204 of the administration's Homeland Security Act contains an overly broad exemption from FOIA, not tied to any specific document or mandate. This section should be dropped from the bill.

Section 112(r) of the Clean Air Act (CAA) authorizes EPA to issue regulations "to prevent accidental releases of regulated substances," defining such a release as "an unanticipated emission of a regulated substance or other extremely hazardous substance into the ambient air from a stationary source." Likewise, the CAA imposes a "general duty" of precaution on sources, directing them "to design and maintain a safe facility taking such steps as are necessary to prevent releases..."

The lack of any action to address risks at chemical plants in communities around the nation is an irresponsible omission. EPA's proposed actions are long overdue; the agency should use its existing expertise and authority to act immediately. Efforts to further delay EPA action are unacceptable and contradict the Administration's promise to quickly address priority threats with existing resources.

We urge you to call on EPA to act immediately to require chemical facilities to assess and reduce their vulnerabilities and to eliminate the overly broad secrecy provisions in Section 204 of the Homeland Security Act of 2002.

Sincerely,

CAROL ANDRESS
Environmental Defense

RICK HIND
Greenpeace

ANDY IGREJAS
National Environmental Trust

ALYS CAMPAIGNE
Natural Resources Defense Council

SEAN MOULTON
OMB Watch

JEREMIAH BAUMANN
U.S. Public Interest Research Group

Mr. WHITFIELD. Thank you, Mr. Baumann. Mr. Sobel, you're recognized for 5 minutes.

TESTIMONY OF DAVID L. SOBEL

Mr. SOBEL. Thank you, Mr. Chairman, for providing me with the opportunity to appear before this subcommittee to discuss the administration's proposed legislation to create a new Department of Homeland Security. I will discuss proposals that would ironically limit public access to crucial data in the name of information sharing.

My comments will focus on proposals to create a new Freedom of Information Act exemption for information obtained by the Department of Homeland Security concerning infrastructure protection and counterterrorism efforts, but I would also like to share with the subcommittee some general observations that I have made as the debate over critical infrastructure information has unfolded over the last few years. I believe it is essential to understand the broader context in which the FOIA exemption proposal arises.

First, there appears to be a consensus that the government is not obtaining enough information from the private sector on vulnerabilities that could adversely affect the infrastructure. It is equally clear that citizens, the ones who will suffer the direct consequences of infrastructure failures, are also receiving inadequate information about these vulnerabilities.

Second, there has not yet been a clear vision articulated defining the government's proper role in securing the infrastructure. Despite the emphasis on finding ways to facilitate the government's receipt of information, it remains unclear just what the government will do with the information it receives. The administration's homeland security proposal does not clearly define the new department's role in protecting the infrastructure.

Third, rather than seeking ways to hide information, Congress should consider approaches that would make as much information as possible available to the public, consistent with the legitimate interests of the private sector. This is particularly critical in the context of the new department, which will assume an unprecedented range of responsibilities involving public safety.

A broad coalition of organizations has serious concerns about various proposals, such as section 204 of the administration's bill to create a broad new FOIA exemption for information relating to security flaws and other vulnerabilities in the infrastructure.

Section 204 would cast a shroud of secrecy over one of the new department's critical functions, removing any semblance of meaningful public accountability. If section 204 or a similar secrecy provision such as Representative Davis' bill is enacted, the public will be unable to hold the department accountable should it fail to make effective use of the information it obtains. What did DHS know and when did it know it is a question that will go unanswered.

While section 204 is, in my view, exceedingly broad, I would urge the subcommittee to approach more circumspect exemption proposals with skepticism as well. Any new exemption, unless extremely limited, is likely to remove important information from public view and restrict public oversight of critical government operations. Perhaps most importantly, any new exemption designed to protect the voluntarily submitted private sector information is simply not needed. Established case law makes it clear that existing exemptions contained in the FOIA provide adequate protection against harmful disclosures of the type of information we are discussing.

Exemption 4, which covers confidential private sector information, provides extensive protection. As my written statement explains in detail, Exemption 4 extends to virtually all of the infrastructure material that properly could be withheld from disclosure. In light of the substantial protections provided by FOIA Exemption 4 and the case law interpreting it, I believe that any claimed private sector reluctance to share important data with the government grows out of at best a misperception of current law. The existing protections for confidential private sector information have been repeatedly-have been cited repeatedly over the past 2 years by those of us who believe that a new exemption is unwarranted. Exemption proponents respond that the FOIA creates a perceived barrier to information sharing. They have not cited a single instance in which a Federal agency has disclosed voluntarily submitted data against the express wishes of an industry submittal. It should be noted that we are discussing the desire of private companies to keep secret potentially embarrassing information at a time when the disclosure practices of many in the business world are being scrutinized. If a company is willing to fudge its financial numbers to maintain its stock price, it would be similarly inclined to hide behind a critical infrastructure FOIA exemption in order to conceal gross negligence in its maintenance and operation of a chemical plant or a transportation system.

In summary, overly broad new exemptions could adversely impact the public's right to oversee important and far-reaching governmental functions and remove incentives for remedial private sector action.

I urge the Congress to preserve the public's fundamental right to know as it considers the establishment of a Department of Homeland Security, and I thank the subcommittee for considering my views.

[The prepared statement of David L. Sobel follows:]

PREPARED STATEMENT OF DAVID L. SOBEL, GENERAL COUNSEL, ELECTRONIC PRIVACY INFORMATION CENTER

Mr. Chairman and Members of the Subcommittee: Thank you for providing me with the opportunity to appear before the Subcommittee to discuss the Administration's far-reaching proposed legislation to create a new Department of Homeland Security. I will discuss the role that the exchange of information plays in protecting our nation's infrastructure and preventing terrorism, and focus on proposals that would, ironically, limit public access to crucial data in the name of "information sharing." The Electronic Privacy Information Center (EPIC) has a longstanding interest in computer and network security policy and its potential impact on civil liberties, emphasizing full and informed public debate on matters that we all recognize are of critical importance in today's inter-connected world.

My comments will focus primarily on proposals to create a new Freedom of Information Act (FOIA) exemption for information obtained by the Department of Homeland Security concerning infrastructure protection and counter-terrorism efforts. But I would also like to share with the Subcommittee some general observations that I have made as the debate over "critical infrastructure information" has unfolded over the past few years. I believe it is essential to understand the broader context in which the FOIA exemption proposal arises.

• There appears to be a consensus that the government is not obtaining enough information from the private sector on security risks and vulnerabilities that could adversely affect the critical infrastructure. I hasten to add that citizens-the ones who will suffer the direct consequences of infrastructure failures-are also receiving inadequate information about these vulnerabilities.

• There has not yet been a clear vision articulated defining the government's proper role in securing the infrastructure. While there has been a great deal of emphasis on finding ways to facilitate the government's receipt of information, it remains unclear just what the government will do with the information it receives. In fact, many in the private sector advocate an approach that would render the government virtually powerless to correct even the most egregious security flaws. Despite its ambitious reach, the Administration's homeland security proposal does not clearly define the new Department's role in protecting the infrastructure.

• The private sector's lack of progress on security issues appears to be due to a lack of effective incentives to correct existing problems. Congress should consider appropriate incentives to spur action, but secrecy and immunity, which form the basis for many of the proposals put forward to date, remove two of the most powerful incentives-openness and liability. Indeed, many security experts believe that disclosure and potential liability are essential components of any effort to encourage remedial action. 1

• Rather than seeking ways to hide information, Congress should consider approaches that would make as much information as possible available to the public, consistent with the legitimate interests of the private sector. This is particularly critical in the context of the new Department, which will assume an unprecedented range of responsibilities involving public safety.

As indicated, I would like to focus my comments on proposals to limit public access to information concerning critical infrastructure protection. EPIC is a strong advocate of open government, and has made frequent use of the FOIA to obtain information from the government about a wide range of policy issues, including (in addition to computer security) consumer privacy, electronic surveillance, encryption controls and Internet content regulation. We firmly believe that public disclosure of this information improves government oversight and accountability. It also helps ensure that the public is fully informed about the activities of government.

I have personally been involved with FOIA issues for more than twenty years and have handled information requests on behalf of a wide range of requesters. In 1982, I assisted in the preparation of a publication titled Former Secrets, which documented 500 instances in which information released under the FOIA served the public interest. I am convinced that an updated version of that publication would today yield thousands of examples of the benefits we all derive from the public access law that has served as a model for other nations around the world.

1 See, e.g., "Counterpane CTO Says Insurance, Liability to Drive Security," InfoWorld (February 20, 2002), <http://www.inforld.com/articles/hn/xml/02/02/20/020220hncounterpane.xml> (According to security expert Bruce Schneier, "[t]he challenges and problems of computer and network security won't be adequately addressed until companies can be held liable for their software and the use of their computer systems").

EPIC and other members of the FOIA requester community have, for the past several years, voiced concerns about various proposals to create a broad new FOIA exemption, such as those contained in the Cyber Security Information Act (H.R. 2435) and the Critical Infrastructure Information Security Act (S. 1456), for information relating to security flaws and other vulnerabilities in our critical infrastructures. Section 204 of the Administration's proposed legislation, as I will discuss in more detail, contains an exemption provision that appears to be even more far-reaching than those previously proposed. We collectively believe these exemption proposals are fundamentally inconsistent with the basic premise of the FOIA, which, as the Supreme Court has recognized, is "to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed." 2 To accomplish that end, "[d]isclosure, not secrecy, is the dominant objective of the Act." 3

It is clear that, as we simultaneously move further into the electronic age and confront the risks of terrorism, the federal government increasingly will focus on the protection of critical infrastructures. It is equally apparent that government policy in this emerging field will become a matter of increased public interest and debate. The proposal to create a vast Department of Homeland Security raises that debate to a new level of urgency. While reasonable observers can disagree over the merits of specific initiatives, I believe we all agree that infrastructure protection and counter-terrorism activities raise significant public policy issues that deserve full and informed public discussion.

The issue is perhaps best illustrated by examining the latest iteration of the "critical infrastructure information" exemption approach-Section 204 of the Administration's proposed Homeland Security Act. In what is surely among the most far-reaching one-sentence statutory provisions ever drafted, Section 204 provides:

Information provided voluntarily by non-Federal entities or individuals that relates to infrastructure vulnerabilities or other vulnerabilities to terrorism and is or has been in the possession of the Department [of Homeland Security] shall not be subject to [the FOIA].

It should be noted that this provision would conceal from public scrutiny a major component of the Department's statutory mission-the information analysis and infrastructure protection functions set forth in Title II of the Administration's proposed legislation. Indeed, "information analysis and infrastructure protection" is the first of the Department's "primary responsibilities" enumerated in Section 101(b)(2). Section 204 would cast a shroud of secrecy over one of the Department's critical functions, removing any semblance of meaningful public accountability. The tragic events of September 11th illustrate the importance of such accountability mechanisms; the Congress, the media and the public are currently engaged in an examination of possible failures of intelligence or analysis that may have contributed to the tragedy. Indeed, the legislation we are discussing today is a direct outgrowth of that review process and public debate. If Section 204, or a similar secrecy provision, is enacted, the news media and the public will be unable to hold the new Department accountable should it fail to make effective use of information it obtains. "What did DHS know and when did it know it?" is a question that will go unanswered. Such insulation from accountability is clearly the wrong way to go as we seek to create an effective new entity.

While Section 204 is, in my view, exceedingly broad, I would urge the Subcommittee to approach more circumscribed exemption proposals with skepticism as well. Any new exemption, unless extremely limited, is likely to remove important information from public view and restrict public oversight of critical government operations. And, perhaps most importantly, any new exemption designed to protect voluntarily-submitted private sector information is simply not needed.

It is clear that government activities to protect the infrastructure will be conducted in cooperation with the private sector and, accordingly, will involve extensive sharing of information between the private sector and government. To facilitate the exchange of information, some have advocated enactment of an automatic, wholesale exemption from the FOIA for any information concerning potential vulnerabilities to the infrastructure that may be provided by a private party to a federal agency. Given the breadth of the proposed definitions of the categories of information to be

2 NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978).

3 Department of the Air Force v. Rose, 425 U.S. 352 (1976).
