Freedom of Information in an Era of Cyber-Threats: Your Right to Know vs. Your Safety

As citizens in a democracy, we value transparency in government. The Freedom of Information Act (FOIA) aims to do just that by giving citizens the right to access information from the federal government. And in theory, the FOIA is a good idea. In practice, the law, which was signed into law 50 years ago this summer, has had a controversial and tumultuous history.

In an era of cyber-attacks, the “right to access information” has become a critical issue. Events such as the hacker who published the personal information of 20,000 FBI agents have made cybersecurity a top-of-mind issue for the federal government.

How ‘Critical’ Is Your Need to Know?

The FOIA has exemptions to protect personal privacy, law enforcement, national security, and other interests. But when national security depends on computer codes and not nuclear codes, which information to make available becomes a little muddier.

In Virginia, for example, a new bill would change the state’s definition of “critical infrastructure” to match the federal code. This would allow the state to keep private details about water pipes, electricity transformers, broadband cables, and the like. According to The News Virginian, private companies have not shared information with the government because the state’s FOIA would make it available to the public.

The bill “helps…to define the categories of the critical infrastructure…and continues on the work…to secure cyber information,” said state Senator Jeremy McPike, who introduced the bill. “This extends to cyber as well as physical infrastructure and provides a framework to protect that information…and to increase information sharing amongst our public safety entities….”

Had he been alive, Supreme Court Justice Antonin Scalia may have approved of this bill. “When the act was passed, it was seen as a means of revealing what the government was doing, for the benefit of the public at large,” he said in a U.S. News debate back in 1982. “But in operation, it has been used largely as a means of revealing what private companies are doing, for the benefit of their adversaries and competitors.”

Cyber-threats to our national security are not hypothetical. Information Security Buzz reported that according to Verizon’s Data breach digest, hackers infiltrated a computer system at a water treatment plant. They changed the settings that controlled the amount of chemicals used in treating tap water.

Monzy Merza, Splunk’s director of cyber research and chief security evangelist, told Information Security Buzz, “Working collectively is our best route to getting ahead of attackers.” One could argue that companies are more apt to cooperate if they know their proprietary information is not accessible under FOIA.

An Information Energy Drain

On a more frightening scale, USA Today reported last September that attackers had successfully compromised the U.S. Department of Energy’s computer systems 159 times between 2010 and 2014. The National Nuclear Security Administration, an agency within the Energy Department that is responsible for managing and securing the nation’s nuclear weapons, suffered 19 successful attacks during that time. (These statistics are based on records that USA Today obtained, ironically, thanks to FOIA.)

“The potential for an adversary to disrupt, shut down (power systems), or worse…is real here,” Scott White, professor of Homeland Security and Security Management and Director of the Computing Security and Technology program at Drexel University, told USA Today. “It’s absolutely real.”

A FOIA Reality Check

That’s not to say that we as citizens shouldn’t have access to government information. Quite the contrary. To “celebrate” access to public information, the American Society of News Editors and Reporters Committee for Freedom of the Press held its annual Sunshine Week last month. The FOIA IT Working Group, a forum for agencies to discuss how to use technology to administer FOIA, held its annual meeting during Sunshine Week.

The use of technology to facilitate FOIA in its mission to provide information is apt. According to an Associated Press analysis, in more than one in six requests for information last year, federal employees told citizens, journalists, and others “that despite searching they couldn’t find a single page of files requested under the Freedom of Information Act.”

The quality of these searches has been questioned. “It seems like they’re doing the minimal amount of work they need to do,” Jason Leopold, an investigative reporter at Vice News and a leading expert on the records law, told the Associated Press. “I just don’t believe them. I really question the integrity of their search.”

Despite these challenges, journalists and others are using state and federal Freedom of Information laws to uncover stories about everything from the number of school bus accidents in New York City to the public health of Seattle’s coffee shops. And the National Security Archive, which houses a massive collection of declassified U.S. documents, makes use of FOIA to bulk up its newly launched Cyber Vault—an online resource that documents the cyber activities of the U.S. and foreign governments and international organizations.

A Balancing Act

The Freedom of Information Act is important. A government that operates in secrecy is not a democracy. Yet cyber-attacks raise the stakes for national security; hostile nation-states or other threat actors can more easily wreak havoc and maintain secrecy. And as technology advances, the conflict between these two competing interests will only sharpen.