White House wants better privacy in cyber intelligence sharing plan
In what's quickly turning out to be a replay of events from last year, the White House last week signaled that it will not support the recently reintroduced Cyber Intelligence Sharing and Protection Act (CISPA) in its present form.
A statement from the White House National Security Council expressed support for CISPA's broad goals but stressed the importance of having adequate privacy protections built into the legislation.
"We continue to believe that information-sharing improvements are essential to effective legislation," NSC spokesperson Caitlin Hayden said in an emailed statement. "But they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections."
The Obama Administration will continue to work with the bill's authors and build upon the ongoing dialogue that it has had with them over the past several months, Hayden said. However, she made it clear that the bill in its present form does not incorporate the changes that the Administration has been seeking.
"We believe the adopted committee amendments reflect a good faith-effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities," Hayden said.
Plan killed last year
Hayden's statement came less than a day after the U.S. House Intelligence Committee voted 18-2 to pass CISPA through committee despite mounting opposition from privacy and rights groups, which see the bill as eviscerating existing privacy laws.
In comments made after the bill was voted to the House floor, the authors of CISPA, House Intelligence Committee Chair Mike Rogers (R-Michigan) and Ranking Member C.A. Dutch Ruppersberger (D-Maryland), pointed to six amendments that have been made to the bill to accommodate privacy concerns.
The amendments included one that would require the government to strip away any private information they receive from companies participating in information sharing, another that would prohibit companies from hacking back at attackers and a third that would strictly limit the use of threat information, gathered via information sharing arrangements, to cybersecurity purposes. The government will also no longer be permitted to use threat information for broader "national security" purposes as provided for under the original bill.
The changes appear to have done little to change attitudes among those opposed to the bill.
CISPA is designed to bolster national cybersecurity by enabling companies and federal agencies to share threat information with others more freely and without fear of legal or liability issues.
Supporters of the measure, which include the U.S. Chamber of Commerce, nearly every major Internet service provider, and scores of technology companies, say that such threat-information sharing is vital to improving security. Many security practitioners insist that the only information they are interested in sharing pertains to non-personal data like IP addresses involved in targeted attacks, the addresses of command-and-control servers used to direct botnets, and breach and vulnerability indicators.
Privacy and rights advocacy groups, however, see CISPA as a looming threat to privacy. Many digital rights groups fear the bill will open up an opportunity for government agencies to collect and monitor vast amounts of Internet user data under the pretext of cybersecurity. They worry that the bill will allow ISPs to share data with the government and others with impunity, and with little fear of legal action.
"The changes to the bill don't address the major privacy problems we have been raising about CISPA for almost a year and a half," American Civil Liberties union (ACLU) legislative council Michelle Richardson said in a statement. "CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the Internet records of everyday Americans."
The fact that the bill was voted on on Wednesday, after a markup session in which the media and public was excluded, has only heightened such concerns. "It's a sign that the committee members aren't interested in a vigorous public debate on the bill," said Mark Jaycox, a staff attorney with the Electronic Frontier Foundation (EFF). "With this closed markup Congress is actually making law in secret. It's a step backwards."
The House approved CISPA last year despite such concerns. But attempts to pass a companion bill in the Senate failed amid vocal protests from rights groups and a threat by President Obama to veto the bill if it landed on his desk.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.