A senior Obama administration official says the Cybersecurity Information Sharing Act of 2014, which passed the Senate Intelligence Committee earlier this month, needs to have its privacy and civil liberties protection provisions strengthened to win presidential support.
"Given some issues that the privacy community has raised, we need to take that into account as we ... work on the bill," the senior official, speaking on background, said in a July 25 interview with Information Security Media Group.
The official reiterated that the president will only sign a cyberthreat information sharing bill that "appropriately protects privacy and civil liberties."
The White House has not taken an official stand on CISA, as the bill's known, and the comment from the senior official is among the first public indications that the administration has reservations about the measure.
Last year, the White House issued a threat to veto the House-passed Cyber Intelligence Sharing and Protection Act, or CISPA, which, like CISA is aimed to encourage businesses to share cyberthreat information with the government as well as each other. The administration, in a 2013 Statement of Administration Policy, said CISPA doesn't do enough to protect citizens' privacy rights and civil liberties, a contention rejected by its Republican and Democratic sponsors (see White House Threatens CISPA Veto, Again).
The White House does not issue a Statement of Administration Policy until the House or Senate is set to vote on a bill. That's why the administration has yet to voice officially its opinion on CISA, which passed the Senate Intelligence Committee by a secret 12-3 vote (see Senate Panel OK's Cyberthreat Info Sharing Bill).
Privacy and civil liberties advocates who have reviewed the amended version of CISA that won committee approval contend that it's not substantially different than CISPA. Advocacy groups wrote a letter to President Obama asking him to issue a new veto threat, saying the language in CISA, like CISPA, bypasses the administration's previously stated preference of having a civilian agency lead federal cybersecurity efforts. Instead, the letter says, both bills favor the automatic and simultaneous transfer of cybersecurity information to American intelligence agencies, including the National Security Agency, which CISA opponents say weakens privacy and civil liberties protections.
"Because CISA does not remedy any of the failures the administration previously identified in CISPA and because it fails to adequately protect all users," the letter says, "we request that you promptly pledge to veto this dangerous legislation."
Several influential business groups, including the U.S. Chamber of Commerce and the American Bankers Association, have endorsed the bill because they say it provides liability protections that businesses need to share cyberthreat information with each other and the government.
Fine-Tuning the Measure
The White House hasn't given up on CISA, and is "very engaged" with the Senate bill's sponsors on fine-tuning the legislation, the official says. But the official wouldn't predict whether the president's concerns about privacy and civil liberties will be incorporated in the legislation. "I've really learned to not make those predictions," the official says.
Complicating action on getting CISA passed by the Senate is the possibility that the bill might be considered by another committee. Unlike the House, where more than one committee reviews and votes on a bill during a markup session, it's rare for the Senate to do so. However, the Senate Committee on Homeland Security and Governmental Affairs has not yet decided whether it wants to review CISA.
CISA is on the Senate calendar, though no date for a vote has been scheduled. Still, Homeland Security Chairman Tom Carper, D-Del., late last week told Politico there has been "some preliminary conversation" with the Senate Intelligence Committee about whether his committee will hold a markup of CISA.