Obama Threatens to Veto Cybersecurity BillThreat Comes a Day After Sponsors Promises Changes to Bill
The White House has issued a statement saying President Obama would veto a bipartisan House bill that civil libertarians contend would threaten individual privacy but many businesses contend is needed to defend against cyber attacks.
The measure, the Cyber Intelligence Sharing and Protection Act, known by its acronym CISPA, encourages network operators to share cyberthreat information with the government. But, as written, it worries those who fear the legislation would allow Internet service providers and other online service providers to spy on their customers.
A Statement of Administration Policy issued by the White House on April 25 said the bill, HR 3523, fails to provide authorities with a way to ensure that the nation's core critical infrastrucure is protected and repeals important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality and civil liberties safeguards.
The bill's sponsors - House Intelligence Committee Chairman Mike Rogers, R-Mich., and Ranking Member C.A. Dutch Ruppersberger, D-Md. - announced a day earlier they they would amend the legislation to address privacy concerns. Those changes include limiting the use of gathered information, prohibiting the retention of information for purposes other than the described security use and tightening the bill's definitions to narrow what cyberthreat information may be identified, obtained and shared. House Republican leaders had planned to have a vote on the bill this week.
Still, those changes didn't satisfy the White House. The SAP said the bill would allow broad sharing of information with governmental entities without establishing requirements for industry and the government to minimize and protect personally identifiable information. "Such sharing should be accomplished in a way that permits appropriate sharing within the government without undue restrictions imposed by private sector companies that share information," the statement says.
The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes, the statement says. "Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately," the SAP said. "The government, rather than establishing a new anti-trust exemption under this bill, should ensure that information is not shared for anti-competitive purposes."
The SAP said the bill would inappropriately shield companies from any suits where a company's actions are based on cyberthreat information identified, obtained or shared under this bill, regardless of whether that action otherwise violated federal criminal law or results in damage or loss of life. "This broad liability protection not only removes a strong incentive to improving cybersecurity," the SAP said, "it also potentially undermines our nation's economic, national security and public safety interests."