From the Winter 2002 issue of The News Media & The Law, page 26.
After the Sept. 11 attacks, the federal government faced unprecedented pressure to protect the country from terrorists. Often the action it took — or considered taking — was to close off information, even though there was no evidence that terrorists had used government information in any way to carry out the attacks.
Government agencies pulled information off Web sites. Congress and President Bush heightened efforts to close off information about the nation’s critical infrastructure. Officials ordered librarians to destroy CD-ROMs containing government data on reservoirs and dams.
Even the Federation of American Scientists, a public interest group that actively promotes access to government records, cleared information from its own Web site, reviewed it and, in some cases, did not repost items such as floor plans of nuclear facilities.
Government officials reasoned that if less information were public, then terrorists would have less access to information. If vulnerabilities were not exposed, then terrorists could not take advantage of them.
But public-interest advocates, such as Paul Orum, coordinator of the Working Group on Community Right-to-Know in Washington, D.C., point out that if the public cannot know where weaknesses exist, it cannot insist that they be corrected.
The idea that secrecy could be an antidote to terrorism circulated through government long before Sept. 11.
For example, in 1999, Congress followed suggestions from the chemical industry, the CIA and the FBI and amended the Clean Air Act to prohibit government officials from posting information online about risks posed by the nation’s chemical plants. That information, Congress was told, could be used by terrorists.
The Clean Air Act of 1990, passed in the wake of the 1984 pesticide leak disaster in Bhopal, India, required chemical manufacturers to tell state governments the “worst case scenarios” that could occur from accidents at their plants. But when many states found it difficult to publicize the information, the Environmental Protection Agency offered to help by posting that information on its Web sites.
Manufacturers and the FBI insisted that the information on the EPA Web sites come down. After Congress changed the law, the EPA and the Justice Department in 2000 issued joint regulations that made “worst case scenarios” available only in local reading rooms and only to readers who could identify themselves.
And long before Sept. 11, industry officials asked the federal government to make illegal the disclosure of information industries shared with agencies about “critical infrastructure.” They said hackers and terrorists could misuse that information and wanted assurances placed in law that exempted all the information they gave the government from any public disclosure.
The Bush administration and the 107th Congress have continued to pursue confidential treatment of critical infrastructure information.
FBI issues Internet warning
In late January, the FBI’s National Infrastructure Protection Center in Washington, D.C., warned that providers of “critical infrastructure” services such as water, energy, transportation and finance should consider “the unintended audience” and apply “common sense” when posting messages to the Internet.
“This advisory,” the center wrote, “serves as a reminder to the community of how the events of September 11, 2001 have shed new light on our security considerations.”
But Web sites started coming down even before the FBI warning.
Shortly after Sept. 11, at the request of the Department of Defense, the Nuclear Regulatory Commission pulled its entire Web site down. Although the agency began restoring portions of the site a week later, it awaits guidance from its five-member board as to what kinds of information should be restored.
For now, the commission has not restored and has no plans to restore lists of the exact latitude and longitude of nuclear power plants.
Public affairs officer Victor Dricks said the agency prided itself on its openness.
“It was disappointing to us,” Dricks said. “We have made a strong effort to put information up, and we feel strongly about that mission.”
The NRC also has not restored individual plant operating reports despite regular complaints from both the energy industry and news media. Although those reports might show some market vulnerabilities, Dricks said the reports might also help the local public keep tabs on plant safety. But complaints about the absence of the reports have only come from industry and news media hoping to report on business matters, he said.
Elsewhere, OMB Watch, a public interest organization that monitors information resources at agencies, created a Web site documenting government information pulled from Web sites. Its list includes the Department of Energy, the Interior Department’s Geological Survey, the Federal Energy Regulatory Commission and the Department of Transportation’s Office of Pipeline Safety.
Although unrelated to terrorism, the security question loomed on Dec. 5 when Judge Royce Lamberth of the federal district court in Washington, D.C., ordered the Department of the Interior to protect Indian trust funds from possible attacks by hackers. The agency temporarily disconnected itself from the Internet.
Library CD ordered destroyed
In October, acting on a direction from the U.S. Geological Survey, the superintendent of documents for the Federal Depository Library Program told the program’s 335 libraries to destroy a CD-ROM containing government data on reservoirs and dams.
The Government Printing Office in January defended the destruction, saying the superintendent followed policy for recalling records considered the property of the federal government.
The office noted that it had been assured that the CD-ROM contained sensitive information that needed to be removed. In a statement, the office said the destruction or withdrawal of items occurs only at the request of an agency — usually because information is erroneous or has been superseded. The CD-ROM item, the statement said, is the only one that was requested to be withdrawn as a result of the Sept. 11 attacks.
‘Infrastructure’ secrecy sought
Meanwhile, the U.S. Chamber of Commerce and others representing the private sector continue to fight for legislation to exempt from the federal FOI Act information industry shares with the government. They say that to protect information systems essential to telecommunications, energy, financial services, manufacturing, water, transportation, health care and emergency services sectors, they must be able to keep what they tell the government secret from those outside government.
According to the Associated Press, President Bush wrote to the chairman of his National Security Telecommunications Advisory Committee in late September that he would support a narrowly crafted exception to the FOI Act for information that would expose vulnerabilities of corporations and other organizations to “information warfare.”
In October, Bush signed a lengthy executive order directing his administration to protect the “critical infrastructure” including providing help to Congress in passing legislation to protect it. (Exec. Order 13130)
One such bill, the Critical Infrastructure Information Security Act introduced in late September by Bob Bennett (R-Utah), is designed to foster “secure disclosure and protected exchange” of critical infrastructure information between government and industry. The Bennett bill contained some elements of another bill, the Cyber Security Information Act introduced in July by Rep. Tom Davis (R-Va.) and Rep. Jim Moran (D-Va.). (S. 1456; H.R. 2435)
In Access Reports, editor Harry Hammitt quoted David Martin, legislative director and spokesman for Davis, as saying “we simply can’t imagine that critical infrastructure protection will not be part of the congressional response to September 11 in the long run.”
In December, 26 public interest organizations including the Reporters Committee for Freedom of the Press asked senators to reject the Bennett bill, saying that in practice it could have devastating effects. It could bar the federal government from disclosing information about spills, fires and explosions without obtaining written consent from a company experiencing the accident. It could give the manufacturing community immunity from the violation of laws. It could sweep aside record-keeping and disclosure requirements under federal laws.
Later that month, the National Association of Manufacturers and several other commercial associations wrote to Bush urging his support for “confidence-building cyber-disclosure legislation.” They said that even though government law enforcement agencies need information about malicious computer attacks and threats in order to ensure the nation’s defense, corporate counsels advise their clients not to share details of computer attacks with government agencies because of a risk that the information would be disclosed under the FOI Act. — RD