White House threatens veto against CISPA, citing privacy concerns

The White House on Tuesday threatened to veto a cybersecurity bill the House will vote on this week, citing concerns it lacks vital privacy protections.

{mosads}In a statement of administration policy, the White House said it seeks additional improvements to the Cyber Intelligence Sharing and Protection Act, or CISPA. And it adds, “if the bill, as currently crafted, were presented to the president, his senior advisors would recommend that he veto the bill.”

CISPA aims to encourage industry and the government to share information about malicious source code and other cyber threats with each other in real time so firms can thwart cyberattacks. 

But the White House listed a set of outstanding privacy concerns it has with the bill, many which have been voiced by privacy advocates in recent weeks. 

Among them, the White House noted that the bill does not include a measure that would require companies to take “reasonable steps to remove irrelevant personal information” from cyber threat data prior to sharing it with the government and other peers in the private sector. 

In recent weeks, privacy groups have argued that companies could share people’s personal information — including their email and IP addresses —inadvertently with the government when passing cyber threat data to the government. 

“Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately,” the administration’s statement reads. “Moreover, the administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information.”

Similar to privacy groups, the White House also argued that “newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security (DHS).”   

The White House issued the veto threat as the House Rules Committee is meeting to discuss which amendments will be voted on the House floor for CISPA. The administration issued a veto threat against the bill by House Intelligence Committee leaders Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) last year due in part to privacy concerns.

Rogers said he is “disappointed” with the administration’s veto threat, but said he will continue to push for bill’s passage in the House this week.

“We are going to continue to move forward,” Rogers said when testifying before the Rules Committee. 

Caitlin Hayden, a spokeswoman for the White House, said in a statement that the administration commends the two House Intelligence leaders for “working to find a common ground on a bill that would strengthen our cybersecurity efforts.” Still, CISPA as written does not address the administration’s privacy concerns with the bill, Hayden added.  

“We have long said that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies, and include targeted liability protections,” Hayden said. 

The administration said it “stands ready” to work with the House Intelligence Committee and other lawmakers to “incorporate our core priorities” into cybersecurity legislation that addresses its concerns. 

“The administration recognizes and appreciates that the House Permanent Select Committee on Intelligence adopted several amendments to H.R. 624 in an effort to incorporate the administration’s important substantive concerns,” the statement reads.

The American Civil Liberties Union, Center for Democracy and Technology,
the Electronic Frontier Foundation and other privacy advocates have
urged lawmakers to vote against CISPA. One of their chief concerns with
the bill is that it would allow companies to share threat information
directly with the military, including the National Security Agency,
without being required to take steps to remove personally identifiable
information from that data.

Privacy groups have said DHS should be the first recipient of cyber threat data
from companies because it is subject to more oversight than military agencies.

In its statement, the White House said it will continue its push for cybersecurity legislation that will stiffen penalties for cyber crime, address security gaps in the computer systems that run critical infrastructure and create a national standard that guides companies about when they need to notify the government about when their computer networks have suffered a data breach. 

Last week the House Intelligence panel adopted a set of amendments into the bill that were intended to allay the concerns of privacy advocates and the White House. Rogers and Ruppersberger had backed those amendments and said they were intended to correct the misperceptions about their bill.
“You can’t get more oversight on making sure that people’s personally identifiable information is protected than the way we structured it in this bill,” Rogers said after the House Intelligence panel marked up the bill last week.

— This post was updated at 4:58 p.m. Brendan Sasso contributed to this report.