Todd Park, federal chief technology officer, and Michael Daniel, cybersecurity coordinator, yesterday provided an official White House response to the many calls to stop the Cyber Intelligence Sharing and Protection Act, thanking activists for their engagement and concern.
If passed, CISPA would facilitate information sharing between government and the private sector on cyber-related threats. Because of privacy concerns, the White House threatened April 16 to veto the bill.
Cybersecurity legislation needs to be updated to address modern threats, but new legislation should not come at the expense of privacy protection or other civil liberties, Park and Daniel wrote April 30 in response to a We the People petition. Though the version of CISPA that passed the House contained amendments addressing some privacy issues, the bill in its current form still does not adequately tackle many of the administration’s fundamental concerns, the two officials said.
Yet, current information-sharing capabilities do not adequately protect individual privacy either – hackers who breach industry networks can attain clients’ personally identifiable information, steal intellectual property and access valuable company data in the process. Such concerns make information sharing on cyber threats between industry and government even more critical.
What is the current status of industry and government information sharing? The answer is that it happens, albeit inefficiently, and clear rules and standards do not yet exist.
“Right now, each company has to work out an individual arrangement with the government and other companies on what information to share about cyber threats,” according to the White House. “This ambiguity can lead to harmful delays.”
The problem is not a lack of consensus on the need for information sharing; the disagreement is over how threat sharing should occur.
Park and Daniel detailed three key principles to be applied to any legislative proposal on cyber-threat sharing. First, does the proposal sufficiently protect privacy and civil liberties? Second, does the proposal ensure a civilian department, not an intelligence agency, is the interlocutor for cybersecurity information sharing? Last, does the proposed legislation provide narrow liability protections to allow industry to respond to threats without encouraging reckless behavior?
Moving forward, the White House promised to remain engaged in the legislative process, working to ensure new cyber legislation contains privacy-protecting elements. Park and Daniel also highlighted steps the administration has already taken outside the legislative arena, namely the Improving Critical Infrastructure Cybersecurity Executive Order. The cybersecurity mandate includes privacy and civil liberties protections based upon the Fair Information Practice Principles.
“We face growing threats from bad actors on the Internet, and we need to protect our citizens and empower our critical infrastructure to protect itself,” the White House said. “The United States must update our cybersecurity laws, but we will not sacrifice our values in the process.”