White House signals it won't support CISPA in present form

Calls for more privacy, civil liberties protections in reintroduced Cyber Intelligence Sharing and Protection Act

In what's quickly turning out to be a replay of events from last year, the White House today signaled that it would not support the recently reintroduced Cyber Intelligence Sharing and Protection Act (CISPA) in its present form.

A statement from the White House National Security Council expressed support for CISPA's broad goals but stressed the importance of having adequate privacy protections built into the legislation.

"We continue to believe that information-sharing improvements are essential to effective legislation," NSC spokeswoman Caitlin Hayden said in an emailed statement on Thursday afternoon. "But they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections."

The Obama Administration will continue to work with the bill's authors and build upon the ongoing dialogue that it has had with them over the past several months, Hayden said. However, she made it clear that the bill in its present form does not incorporate the changes that the Administration has been seeking.

"We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities," Hayden said.

Similar concerns prompted the White House to issue a veto threat last year after the House approved CISPA amid a maelstrom of protests from digital rights groups.

Hayden's statement comes less than a day after the U.S. House Intelligence Committee voted 18-2 to pass CISPA through committee despite mounting opposition from privacy and rights groups, which see the bill as eviscerating existing privacy laws.

In comments made after the bill was voted to the House floor, the authors of CISPA, House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member C.A. Dutch Ruppersberger (D-MD), pointed to six amendments that have been made to the bill to accommodate privacy concerns.

The amendments included one that would require the government to strip away any private information it receives from companies participating in information sharing, another that would prohibit companies from hacking back at attackers and a third that would strictly limit the use of threat information, gathered via information sharing arrangements, to cybersecurity purposes. The government will also no longer be permitted to use threat information for broader "national security" purposes as provided for under the original bill.

The changes appear to have done little to change attitudes among those opposed to the bill.

CISPA is designed to bolster national cybersecurity by enabling companies and federal agencies to share threat information with others more freely and without fear of legal or liability issues.

Supporters of the measure, which include the U.S. Chamber of Commerce, nearly every major Internet service provider, and scores of technology companies, say that such threat-information sharing is vital to improving security. Many security practitioners insist that the only information they are interested in sharing pertains to non-personal data like IP addresses involved in targeted attacks, the addresses of command-and-control servers used to direct botnets, and breach and vulnerability indicators.

Privacy and rights advocacy groups, however, see CISPA as a looming threat to privacy. Many digital rights groups fear the bill will open up an opportunity for government agencies to collect and monitor vast amounts of Internet user data under the pretext of cybersecurity. They worry that the bill will allow ISPs to share data with the government and others with impunity, and with little fear of legal action.

"The changes to the bill don't address the major privacy problems we have been raising about CISPA for almost a year and a half," American Civil Liberties Union (ACLU) legislative counsel Michelle Richardson said in a statement. "CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the Internet records of everyday Americans."

The fact that the bill was voted on on Wednesday, after a markup session from which the media and public were excluded, has only heightened such concerns. "It's a sign that the committee members aren't interested in a vigorous public debate on the bill," said Mark Jaycox, a staff attorney with the Electronic Frontier Foundation (EFF). "With this closed markup Congress is actually making law in secret. It's a step backwards."

The House approved CISPA last year despite such concerns. But attempts to pass a companion bill in the Senate failed amid vocal protests from rights groups and a threat by President Obama to veto the bill if it landed on his desk.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
