White House Threatens CISPA Veto, AgainFurther Changes Sought in Cyberthreat Info Sharing Bill
On the day the House of Representatives unanimously passed major reform of the Federal Information Security Management Act, the White House threatened a presidential veto of another significant cybersecurity bill, the Cyber Intelligence Sharing and Protection Act.
It's the second year in a row that the White House issued a veto threat on the bill aimed to create a mechanism for the government and industry to share cyberthreat information [see Obama Threatens to Veto Cybersecurity Bill]. And, like last year, the administration contends CISPA, as the bill's known, doesn't go far enough to safeguard privacy and civil liberties, preserve long-standing roles of civilian and intelligence agencies and provide for appropriate sharing with targeted liability protections.
CISPA is scheduled for debate and a vote in the House of Representatives on April 17. The bipartisan bill passed the House last year, despite the veto threat. The measure never came up for a vote in the Senate in the last Congress.
Aware of White House concerns, the House Permanent Select Committee on Intelligence amended the bill earlier this month, and approved it with all members except for two Democrats voting for it [see CISPA Clears House Intelligence Panel]. Still, the administration seeks additional changes.
"Under the leadership of the chairman and ranking member, the committee adopted several amendments in a good faith effort to incorporate some of the administration's important substantive concerns," White House spokeswoman Caitlin Hayden says. "However, CISPA as reported still does not address these fundamental priorities adequately."
The White House is concerned that the bill does not:
- Require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities.
- Explicitly ensure that cybercrime victims continue to report crimes directly to federal law enforcement agencies and continue to receive the same protections that they do today.
- Assure that newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security. Critics of the bill contend the Defense Department's National Security Agency would have access to information.
- Provide enough transparency to protect privacy and civil liberties when information is shared among government agencies.
- Curb the scope of liability protection afforded businesses that sharing cyberthreat information.
"The administration supports incentivizing industry to share appropriate cybersecurity information by providing the private sector with targeted liability protections," the White House statement says. "However, the administration is concerned about the broad scope of liability limitations in H.R. 624. Specifically, even if there is no clear intent to do harm, the law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals."