Last week, the White House said that CISPA still had some problems that weren't addressed by the amendments added during its markup period. Unfortunately, the administration didn't issue a veto threat at that time, but now it has.
In a statement released by the White House today, the Obama administration laid out its beef with CISPA. The first issue it has with the legislation is that it still doesn't do enough to protect private information:
The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information.
Now this is huge. The administration is saying that companies should not be granted immunity if it uses your private information in an inappropriate fashion. Corporate immunity is one of the cornerstones of CISPA and one of the main reasons the tech industry is so in love with it. If the immunity provision is removed, the backing of the tech industry will vanish along with it.
The other issue is that it doesn't like how CISPA allows companies to share private information with any agency of its choosing, including the NSA. The White Houses says that all private information should enter government through a civilian agency:
The Administration supports the longstanding tradition to treat the Internet and cyberspace as civilian spheres, while recognizing that the Nation's cybersecurity requires shared responsibility from individual users, private sector network owners and operators, and the appropriate collaboration of civilian, law enforcement, and national security entities in government. H.R. 624 appropriately seeks to make clear that existing public-private relationships – whether 2 voluntary, contractual, or regulatory – should be preserved and uninterrupted by this newly authorized information sharing. However, newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security.
So, what does the White House want to see out of CISPA or any other cybersecurity bill? Pretty much what CISPA is now, but with better privacy protections:
The Administration believes that carefully updating laws to facilitate cybersecurity information sharing is one of several legislative changes essential to protect individuals' privacy and improve the Nation's cybersecurity. While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.
If Congress can't agree on a cybersecurity bill that meets the above criteria, the White House says that "senior advisors would recommend that [the president] veto the bill" if it were presented as it is now.
The threat of a veto might help certain amendments to be added onto CISPA before it goes to the floor for a vote this week, but I wouldn't hold my breath. The bill's authors seem pretty adamant on passing CISPA as is, and it will most likely die another ignoble death in the Senate as its members push for their own cybersecurity bill.[h/t: TechDirt]