The cybersecurity legislation does not adequately protect Americans’ personal data, the administration says.
The White House is threatening to veto a House cybersecurity bill that critics have condemned for encroaching on Americans’ online privacy and not going far enough to regulate critical infrastructure networks.
The Cyber Intelligence Sharing and Protection Act, or CISPA, would allow businesses to share data broadly with intelligence and other federal agencies without setting rules to protect customers’ personal information, argues a statement of Obama administration policy released Wednesday afternoon. Additionally, firms would be able to disclose data about their own security lapses without fear of punishment, White House officials said.
“The sharing of information must be conducted in a manner that preserves Americans’ privacy, data confidentiality and civil liberties, and recognizes the civilian nature of cyberspace,” the statement says.
Some free speech activists and hacker groups have likened CISPA, H.R. 3523, to an intellectual property bill, called the Stop Online Piracy Act, that died in the House amid similar criticism.
“If H.R. 3523 were presented to the president, his senior advisers would recommend that he veto the bill,” White House officials stated.
The administration goes on to say information sharing is inadequate to stanch the flow of trade secrets, personal information and other sensitive information into the hands of hackers. “Information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the nation's core critical infrastructure from cyber threats,” the statement says.
The White House and a Senate cohort led by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, want Congress to let the Homeland Security Department regulate the security policies of firms running networks vital to Americans, such as telecommunications lines, transit ways and water distribution systems.
Congress must require that critical infrastructure companies “are properly protected by meeting minimum cybersecurity performance standards” developed jointly by the firms and DHS, administration officials state, adding “voluntary measures alone are insufficient responses to the growing danger of cyber threats.”
The legislation “would inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained or shared under this bill, regardless of whether that action otherwise violated federal criminal law or results in damage or loss of life,” White House officials state. “This broad liability protection not only removes a strong incentive to improving cybersecurity, it also potentially undermines our nation's economic, national security and public safety interests.”