Compromise Sought on Cyber Info-Sharing Bills
Obama Offers Carrot, Not Stick, on Threat Info-Sharing Measures
How badly does President Obama want a cyberthreat information-sharing bill? Despite reservations about two cyberthreat information-sharing bills the House of Representatives is set to vote on this week, the White House did not threaten to veto either of them, as it did in the past two congresses when the administration raised similar objections to legislation known as the Cyber Intelligence Sharing and Protection Act, or CISPA.
Instead, the White House on April 21 issued two similarly worded Statements of Administration Policy offering a carrot - suggestions on how Congress could meet Obama administration reservations about the measures - rather than a stick, or veto threats. "The administration believes that a reasonable solution that strikes an appropriate balance can be found," both SAPs state.
The White House issued the SAPs shortly after the House Rules Committee cleared both bills - the Intelligence Committee-approved Protecting Cyber Networks Act (HR 1560) and Homeland Security Committee-passed National Cybersecurity Protection Advancement Act (HR 1731) - for votes by the full House.
Each measure would provide liability protections against civil and criminal legal actions to incentivize businesses to voluntarily share cyberthreat information with the government and with each other. The administration contends the liability safeguards found in both bills are too broad and would protect some enterprises that don't share cyberthreat information, a complaint similar to the one the White House had with CISPA when it issued veto threats.
Appropriate Liability Protections
In nearly mirror language, the SAPs state: "While the bill has improved significantly (over CISPA), the administration still has concerns with HR 1560's (HR 1731's) sweeping liability protections. Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks. Such a provision would remove incentives for companies to protect their customers' personal information and may weaken cybersecurity writ large."
The SAPs state that the legislation would offer more privacy and civil liberties safeguards than did CISPA, although the administration said those protections could be strengthened.
The administration also expressed concerns regarding the authorization for businesses to use "certain potentially disruptive measures" to respond to cyber-attacks in the Protecting Cyber Networks Act. "The use of defensive measures without appropriate safeguards raises significant legal, policy and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity," the SAP states.
Without veto threats, both bills are expected to be approved. The Senate also is considering cyberthreat information-sharing legislation, passed by the Senate Intelligence Committee, but no date has been scheduled for a vote, although Senate Majority Leader Mitch McConnell, R-Ky., has said a vote could occur shortly. The differences among the bills would eventually be worked out in a House-Senate conference committee, provided the Senate approves cyberthreat sharing legislation.
The 'Stop Cyber' Battle
Privacy groups haven't given up on blocking passage of current cyberthreat information sharing legislation. As the administration issued its SAPs, a coalition of 13 digital rights groups initiated a Web campaign titled Stop Cyber Surveillance. In a message to Obama, the group writes: "These cyber sharing bills would allow surveillance at the expense of our privacy and undermine network security. Please make clear that you will veto any cyber sharing legislation that fails to protect our fundamental rights. Mass digital surveillance must end."
This campaign comes days after the Financial Services Roundtable, a banking industry lobbying group, posted a Web advertisement - Stop Cyber Threats - that called on Congress to swiftly enact cyberthreat sharing legislation.