The White House says the nation needs new laws to reinforce its cyber defenses but that the push should not come at the cost of privacy.
The House of Representatives on April 18 passed the Cyber Intelligence Sharing and Protection Act, or CISPA, which would encourage owners of financial networks, utility grids and other critical infrastructure to share information about digital threats with the government and one another.
The White House has threatened to veto the bill, saying it lacks sufficient privacy protections. Civil liberties groups and other critics of the measure charge that it would allow companies to share people's emails and text messages with U.S. intelligence agencies.
"The President has been clear that the United States urgently needs to modernize our laws and practices relating to cybersecurity, both for national security and the security of our country's businesses — but that shouldn't come at the expense of privacy," Todd Park, the White House’s chief technology officer, and cybersecurity coordinator Michael Daniel, wrote on Tuesday in response to a petition posted in February on the administration’s "We the People" online site.
The petition, which called on the administration to oppose CISPA, had garnered 117,576 signatures as of Thursday afternoon.
Companies should be able to share information about cyberattacks with the government and each other, according to the officials, who said the government would use the information to help prevent future intrusions.
"When it comes to information sharing, we need clearer rules to promote collaboration and protect privacy," Park and Daniel wrote. "Right now, each company has to work out an individual arrangement with the government and other companies on what information to share about cyber threats. This ambiguity can lead to harmful delays."
The officials said the White House would assess any legislation to promote information sharing according to whether the information to be shared with the government minimizes data that can be used to identify specific individuals. "For example, if a utility company is looking for government assistance to respond to a cyberattack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government," they wrote.
The White House says legislation "should not provide broad immunity" for businesses that act in ways likely to reveal personal information, and that information from companies should enter the government through a civilian agency like the Department of Homeland Security, as opposed to a spy agency.
Civil liberties groups agree. They say companies that share cyber threat information with the government should receive immunity from any resulting legal liability only if the companies send the information to the Department of Homeland Security, a civilian agency, not to the National Security Agency or other spy bodies.
Debate over legislation to strengthen the nation’s cyber defenses has moved to the Senate, where efforts to pass cybersecurity legislation stalled twice last year.
Senator Saxby Chambliss, R-Ga., the top Republican on the Intelligence Committee, told The Hill recently he is working with Chairman Dianne Feinstein, D-Calif., on a bill to encourage sharing of information about cyber threats.
Other senators, including Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Homeland Security Chairman Tom Carper, D-Del., say they expect to advance legislation that bolsters cybersecurity while addressing privacy concerns.