Originally published: April 30, 2013
Last updated: April 30, 2013 - 8:40pm
The White House issued its official response to a We The People petition titled “Stop CISPA (Cyber Intelligence Sharing and Protection Act).”
The White House issued a veto threat for the Cyber Intelligence Sharing and Protection Act (CISPA) on April 16, because the legislation did not fully address our core concerns (especially the protection of privacy). Even though a bill went on to pass the House of Representatives and includes some important improvements over previous versions, this legislation still doesn't adequately address our fundamental concerns. But it's not good enough to just stop things: We've got to work together, with legislators on Capitol Hill, technology experts from the private sector, and engaged advocates like you to advance cybersecurity legislation without compromising privacy.
When it comes to information-sharing, there are three key principles we apply to any legislative proposal:
Does it (1) sufficiently protect privacy and civil liberties,
(2) ensure that a civilian department -- not an intelligence agency -- is the primary point of entry for cybersecurity information sharing, and
(3) provide narrowly tailored liability protections that would allow the private sector to respond to threats (without encouraging reckless behavior).
Here's a bit more detail about each:
- It's important that any information shared under a new cybersecurity law must be limited to what's relevant and necessary for cybersecurity purposes. That also means minimizing information that can be used to identify specific individuals. For example, if a utility company is looking for government assistance to respond to a cyber attack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government.
- Cybersecurity legislation needs to preserve the traditional roles for civilian and intelligence agencies that we all understand. Specifically, if legislation authorizes new information sharing between the private sector and the government, then that new information should enter the government through a civilian department rather than an intelligence agency. That doesn't mean breaking the existing mechanisms that already work. For example, victims of cyber crime ought to continue to report those violations to federal law enforcement agencies and public-private information-sharing relationships that already exist should be preserved.
- Any new legislation ought to provide legal clarity for companies that follow the rules and appropriately share data with the government. But it should not provide broad immunity for businesses and organizations that act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information.
Moving forward, the Obama Administration will continue to advocate vocally for cybersecurity legislation that applies these principles to protect privacy.