Administration urges changes to protect privacy, cement DHS role in public/private information sharing.
The president has warned that he will veto the current version of CISPA unless changes are made to protect privacy and cement the Department of Homeland Security's role in public/private information sharing.
President Barack Obama will veto cybersecurity legislation set to hit the House floor this week unless it is modified to safeguard individuals' privacy and address other concerns, according to a policy statement released April 16. The administration also called for changes that would put civilian agencies on the front lines of policing private-sector cyber breaches and would retain some liability for private firms that share information with the government.
The statement acknowledges that several amendments added to the Cyber Intelligence Sharing and Protection Act (CISPA) by the House Permanent Select Committee on Intelligence made the bill more favorable, including the removal of the "national security exemption" that would have allowed data collected from private companies to be retained indefinitely and used by intelligence agencies. However, the administration said the bill does not go far enough in making sure that data shared between private firms and the government is stripped of personally identifiable information when such information is "irrelevant."
The administration approves of targeted liability protections as an inducement to private industry to share information with the government, but those protections cannot be absolute, according to the statement. "Citizens have a right to know that corporations will be held accountable -- and not granted immunity -- for failing to safeguard personal information adequately," it states.
The administration wants CISPA modified to specify civilian authority over the Internet. Any new information sharing between government and industry "should enter the government through a civilian agency, the Department of Homeland Security."
The guidance also points to the administration's continuing desire for more broad-based cybersecurity legislation. It characterizes the information-sharing provisions of CISPA as "one piece of a larger set of legislative requirements to provide the private sector, the federal government, and law enforcement with the necessary tools to combat the current and emerging cyber threats facing the nation."
The administration is seeking critical infrastructure protections, federal network security upgrades, updated law enforcement rules and a requirement that data breaches be reported to a government entity.