A cyber security analyst at the watch and warning center of the Department… (Mark J. Terrill / Associated…)
This is a bit of an eye-opener: the Obama administration threatened Wednesday to veto HR 3523, the Cyber Intelligence Sharing and Protection Act, because of concerns about the bill's impact on privacy.
Sponsored by the top Republican and Democrat on the House Intelligence committee, CISPA would let federal agents share classified information about hackers with Internet service providers, utilities and online networks. More controversially, it would also encourage online services to share information about cyber threats with the federal government.
The administration had previously indicated that it was concerned about the measure, but that was before sponsors made or pledged to make a series of changes to limit the type of information shared with the feds, restrict what the government could do with that information and narrow the immunity given services that share information about threats.
Nevertheless, on Thursday the White House issued a Statement of Administration Policy saying the administration "strongly opposes" the bill "in its current form." The requirements laid out in the statement appear to go beyond the changes that the sponsors announced Tuesday. For example, the administration wants the measure to require companies to minimize personally identifiable information before sharing it with the government and each other. It also warns that by giving a key role to the National Security Agency, "H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity."
A third complaint is that the bill ignores the administration's main cyber security proposal: requiring operators of "critical infrastructure" (such as power grids and electronic payment systems) to meet industry standards for securing their networks. "Voluntary measures alone are insufficient responses to the growing danger of cyber threats," the statement contends.
The chairman of the House Intelligence committee, Rep. Mike Rogers (R-Mich.), and the committee's top Democrat, Rep. C.A. Dutch Ruppersberger (D-Md.), responded by saying their committee has no jurisdiction over "critical infrastructure regulation." They also said the changes announced Tuesday "address nearly every single one of the criticisms leveled by the administration, particularly those regarding privacy and civil liberties of Americans."
I haven't seen the language of the latest amendment, but the outline that Rogers and Ruppersberger offered suggests there's still a gap between what the administration wants and what the new version of the bill proposes. For example, the outline says the amendment will "provide clear authority to the federal government to undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the government." That's hardly the same as requiring companies to minimize personal information before sharing data.
The White House's stance in favor of stronger privacy protections, more limited immunity and civilian oversight puts the administration squarely on the side of civil libertarians and advocacy groups such as the Electronic Frontier Foundation, as opposed to the many tech companies that are backing the bill. Maybe President Obama has decided to go after the Ron Paul vote.
Here's the full text of the Statement of Administration Policy:
The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation's vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.
H.R. 3523 fails to provide authorities to ensure that the Nation's core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards. For example, the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information. Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.