The Obama administration is threatening to veto legislation that would give private companies broad legal immunity for sharing cybersecurity information with the government. The White House detailed the changes it is seeking to the Cyber Intelligence Sharing and Protection Act (CISPA) in a Tuesday statement.
The legislation, which was sponsored by Rep Mike Rogers (R-MI), is due for a vote in the House of Representatives this week. A version of the legislation passed the House a year ago, but companion legislation was defeated by a Senate filibuster.
Rather than giving the government the power to directly regulate private networks, CISPA focuses on encouraging private companies to share security-related information with each other and the government. The legislation limits the liability of private companies that engage in such information-sharing.
More safeguards needed?
Civil liberties groups such as the American Civil Liberties Union oppose the legislation. Supporters have made changes to the bill to mollify critics. But in a Friday blog post, the ACLU described the latest version as "fatally flawed." They worry that the broad limitations on liability offered by CISPA will undermine legal safeguards for Americans' privacy. The bill would essentially give corporations a blank check to allow for widespread sharing of all kinds of information—including personal information—with other companies, or with the government, as long as it "pertains" to cybersecurity.
The White House's Tuesday statement echoes many of the ACLU's concerns. "The bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities," the administration said. "Citizens have a right to know that corporations will be held accountable—and not granted immunity—for failing to safeguard personal information adequately."
Another hot-button issue is whether information will be shared with civilian bureaucrats at the Department of Homeland Security or with military agencies such as the National Security Agency. The current draft of CISPA would have companies share information with the NSA. But in the Obama administration's view, "newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security."
Finally, the White House expressed concern about the "broad scope" of the immunity CISPA grants to companies sharing information. "The law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage," the Obama administration argues.
Ryan Radia, a policy analyst at the libertarian Competitive Enterprise Institute, is also skeptical of the legislation. In a phone interview with Ars, Radia questioned the legislation's basic approach. Radia doesn't object to making it easier for companies to share security information. But he believes that rather than offering firms blanket immunity from all of the nation's privacy laws, Congress should identify and amend specific privacy laws, like the Wiretap Act and the Stored Communications Act, that could hinder information sharing. In his view, this case-by-case approach is less likely to eviscerate important privacy safeguards.
Some House Democrats also oppose the legislation. Four of them penned a "dear colleague" letter arguing that CISPA "unacceptably and unnecessarily compromises the privacy interests of Americans online."
“We have come a long way”
Informed of the White House's veto threat, the bill's sponsor described it as "flabbergasting."
"I do not believe the administration knows how to work with a legislative body," Rep. Rogers said. "We have come a long way on some of their points."
In comments widely reported on Twitter, Rogers emphasized that the proposal was supported by Silicon Valley CEOs. And he suggested that the typical opponent was a "14-year-old tweeter in the basement." The Electronic Frontier Foundation seized on the statement, urging its more than 112,000 followers to "tell him how wrong he is by tweeting to @RepMikeRogers."
reader comments
76