CISPA is all but dead once again, and the Senate is moving ahead with its own cybersecurity legislation. That doesn't mean the fight is over though. In fact, the Senate might just propose a bill that's worse, but the White House says that it won't let that happen.
In an official response to the "Stop CISPA" petition on the We The People Web site, the White House says that any new cybersecurity legislation "must not violate Americans' right to privacy." The administration says that's the reason why it issued a veto threat against CISPA earlier this month. That veto threat may led to CISPA's death, but the White House says it's still open to working with everybody to pass cybersecurity legislation.
To that end, the White House says that cybersecurity legislation is a must to counter the "constant threat of cyber crime, espionage, and attacks." The administration, unlike the House, does admit there are already tools in place, however, to facilitate cooperation between the government and private companies to share threat information. It just feels that the current tools in place aren't enough:
But you might ask, "Isn't this collaboration already happening?" The simple answer is yes, but inefficiently. When it comes to information sharing, we need clearer rules to promote collaboration and protect privacy. Right now, each company has to work out an individual arrangement with the government and other companies on what information to share about cyberthreats. This ambiguity can lead to harmful delays.
There is broad consensus on the need for more threat-related information sharing -- including among the leading privacy advocates we regularly engage on the issue. The essential question on which people across the spectrum disagree isn't if we can share cybersecurity information and preserve the principles of privacy and liberty that make the United States a free and open society -- but how.
The White House has admirable goals, but we've heard all of this before from the House. We were promised that CISPA would respect privacy and civil liberties, but that obviously wasn't the case in the end.
To allieve the concerns of citizens, the White House says that it will only support cybersecurity legislation that adheres to these three principles:
It's important that any information shared under a new cybersecurity law must be limited to what's relevant and necessary for cybersecurity purposes. That also means minimizing information that can be used to identify specific individuals. For example, if a utility company is looking for government assistance to respond to a cyber attack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government.
Cybersecurity legislation needs to preserve the traditional roles for civilian and intelligence agencies that we all understand. Specifically, if legislation authorizes new information sharing between the private sector and the government, then that new information should enter the government through a civilian department rather than an intelligence agency. That doesn't mean breaking the existing mechanisms that already work. For example, victims of cyber crime ought to continue to report those violations to federal law enforcement agencies and public-private information-sharing relationships that already exist should be preserved.
Any new legislation ought to provide legal clarity for companies that follow the rules and appropriately share data with the government. But it should not provide broad immunity for businesses and organizations that act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information.
In short, the above takes care of pretty much every complaint privacy advocates had with the original CISPA. The White House says it will continue to apply the above principles in its on-going discussions with those in the Senate currently crafting cybersecurity legislation.
CISPA may be dead, but the issue of cybersecurity is far from over. We'll continue to follow the Senate's efforts as it works on its own cybersecurity legislation.