As House vote nears, White House threatens CISPA veto

The Obama Administration has threatened to veto CISPA 2.0

“The Administration recognizes and appreciates that the House Permanent Select Committee on Intelligence (HPSCI) adopted several amendments to [CISPA] in an effort to incorporate the Administration’s important substantive concerns,” the White House said in a statement. “However, the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill.”

A new version of CISPA was introduced in the House by Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.) earlier in the year. It is primarily an information-sharing initiative, which would make it easier for private corporations and government entities to share information on threats, attacks and remedies in order to shore up defenses. However, at issue is the scope of the roles that the Department of Homeland Security and other government agencies would have, and how personal information will be used and protected.

The House bill as originally written would offer broad protection from lawsuits to companies that give over user data to the Department of Homeland Security, which in turn would share it with intelligence agencies on a need-to-know basis. But parsing out user data only related to specific threats is an onerous process for companies, requiring significant IT investment. Plus, it is likely that a good amount of unrelated personal information could slip through the reporting cracks, which has opened up questions of privacy. Most controversially, it gives legal immunity to corporations should the information they turn over to the government be harmful to individuals.

The White House statement refers to the five amendments that the US House Intelligence Committee introduced to the bill. These include ensuring that any cybersecurity information gathered by companies can be used for threat mitigation and protection measures, not for marketing. Most notably, firms’ legal immunity is being minimized: the amended measure would deny firms that legal protection should they use cyber threat information to hack each other.

A similar joint bill passed the House last year, but died in the Senate amid administration objections over the same kinds of provisions. But Rogers and Ruppersberger recently said that negotiations with the White House over privacy protections (i.e., how to include more of them) were going well and that they were confident that the bill could be tweaked to not only pass, but also gain broad approval in Congress and from President Obama.

Apparently, the negotiations have not gone far enough.

A vote in the House is expected by Thursday.

