Obama Sides with Anti-CISPA Petitioners
White House Uses Petition to Reiterate Its Veto ThreatThe Obama administration is using a White House petition process to re-emphasize its opposition to the Cyber Intelligence Sharing and Protection Act.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
The latest administration comment on CISPA came April 30 in response to an online petition initiative known as We the People, in which any citizen can petition the White House on any topic. If a petition meets a threshold of 100,000 signatures within 30 days, the administration will post a response.
That's what happened with a petition called Stop CISPA, a reference to the House-passed bill that promotes cyberthreat information sharing among the government and business [see House Handily Passes CISPA]. The CISPA bill, which the president threatens to veto, is sitting in the Senate Selected Permanent Committee on Intelligence, where it's expected to die [see White House Threatens CISPA Veto, Again].
The petition response, written by White House Cybersecurity Coordinator Michael Daniel and Federal Chief Technology Officer Todd Park, says that the Obama administration will vocally advocate for cybersecurity legislation that protects privacy, which it contends CISPA doesn't go far enough in doing. "It's important to keep in mind that there is a larger legislative process that is ongoing as we speak, including efforts in the Senate," Daniel and Park write.
The reference to the Senate hints of a cybersecurity legislative redux. Last year, all sides bungled attempts to compromise and get significant cybersecurity legislation enacted. And the White House backed Senate Democrats, who refused to consider House-approved bills in favor of their own, more comprehensive legislation, which couldn't muster enough votes to overcome a Senate filibuster [see Senate, Again, Fails to Halt Filibuster].
3 Key Information-Sharing Precepts
The petition response essentially reiterates the veto threat, but in more citizen-friendly prose. Here's how Daniel and Park address the administration's three key principles it seeks in any information sharing legislation: (1) privacy and civil liberties protections, (2) ensuring a civilian department (read: Department of Homeland Security) - not intelligence agency - receives cyberthreat information from industry and (3) narrowly tailored liability protections for businesses sharing threat information:
"It's important that any information shared under a new cybersecurity law must be limited to what's relevant and necessary for cybersecurity purposes. That also means minimizing information that can be used to identify specific individuals. For example, if a utility company is looking for government assistance to respond to a cyberattack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government.
"Cybersecurity legislation needs to preserve the traditional roles for civilian and intelligence agencies that we all understand. Specifically, if legislation authorizes new information sharing between the private sector and the government, then that new information should enter the government through a civilian department rather than an intelligence agency. That doesn't mean breaking the existing mechanisms that already work. For example, victims of cybercrime ought to continue to report those violations to federal law enforcement agencies, and public-private information-sharing relationships that already exist should be preserved.
"Any new legislation ought to provide legal clarity for companies that follow the rules and appropriately share data with the government. But it should not provide broad immunity for businesses and organizations that act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information."
117,000-Plus Signatures
An individual from New York City identified as T.B. [the last name was redacted] created the petition on Feb. 13. The Stop CISPA Petition topped 117,576 signatures as of the end of April. Here's what the petition states:
"CISPA is about information sharing. It creates broad legal exemptions that allow the government to share "cyberthreat intelligence" with private companies, and companies to share 'cyberthreat information' with the government, for the purposes of enhancing cybersecurity. The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.
"Please sign and share this petition so that we can protect the Internet and our privacy."
President Obama has been very vocal about cybersecurity this year. During his State of the Union address, Obama announced an executive order aimed at sharing cyberthreat information as well as establishing IT security best practices that critical infrastructure owners could voluntarily adopt [see Obama Issues Cybersecurity Executive Order].
And the partisan rhetoric has been somewhat tempered, suggesting that some type of compromise could be reached this year on cyberthreat information sharing as well as establishing IT security standards [see Is Compromise in Offing for CISPA?]. Still, the script that's being followed in 2013 seems to being playing out as if it were still 2012.