White House just endorsed CISPA measures, two years after veto threat

After last year's hacks and cyberattacks, the U.S. government now supports controversial legislation that indemnifies tech companies from sharing private user data.
Written by Zack Whittaker, Contributor
(Image: CBSN/CBS Interactive)

The White House unveiled Tuesday an updated cybersecurity information-sharing proposal, which critics quickly likened to a controversial bill that failed in Congress two years ago.

With little fanfare, the Obama administration said Tuesday its proposal "encourages the private sector to share appropriate cyber threat information" with the Dept. of Homeland Security, which will then share it with other U.S. government agencies and private sector companies.

The administration said its proposal would "also safeguard Americans' personal privacy by requiring private entities to comply with certain privacy restrictions," a required step for companies to qualify for liability protection.

The law aims to allow technology companies to hand over user data, albeit with "unnecessary personal information" removed, in order to qualify for legal indemnity. The government wants companies to share data in the hope it aims to prevent cyberattacks from crippling tech giant's networks, power grids, and other critical infrastructure.

The renewed call for better cybersecurity legislation comes in the wake of the Sony hacks, along with other high-profile data breaches last year.

The Obama administration has long sought strong cybersecurity legislation, but Congress has over the past three years failed to play ball. Following the Sony hack, the substance of the Obama administration's rhetoric changed. White House press secretary Josh Earnest called the North Korea's alleged actions a "serious national security matter."

But one prominent privacy group warned, even with the privacy protections, the proposal "recycles old ideas" from older legislation -- including one the White House threatened to veto.

"Given that the White House rightly criticized CISPA in 2013 for potentially facilitating the unnecessary transfer of personal information to the government or other private sector entities when sending cybersecurity threat data, we're concerned that the Administration proposal will unintentionally legitimize the approach taken by these dangerous bills," the Electronic Frontier Foundation said in a statement.

CISPA, the bill officially called the Cyber Intelligence Sharing and Protection Act, was earlier this week re-introduced to the US House of Representatives with very few changes from its original text when it was introduced two years ago.

The 2013 version of the bill passed the House, but failed in the Senate.

A copy of the bill has not been uploaded to Congress' website, but it was posted online earlier Tuesday.

The new CISPA bill has vastly the same language as its 2013 version, which aimed to allow private companies to search personal user data of Americans to identify "threat information," which can then be shared with other opt-in firms and the federal government -- without the need for a court-ordered warrant.

Rep. Dutch Ruppersberger (D-MD), who introduced the bill, cited the recent Sony hack as a reason to float the bill's measures again.

"We must stop dealing with cyber attacks after the fact," he said in a statement.

He said the bill aimed to stop cyberattacks in real-time and enable authorities to trace back to the source of the attack.

The reintroduced version of CISPA mandates privacy and civil liberties reports, but government agencies reserve the right to include a "classified annex."

"CISPA 2015 would provide for an even cozier relationship between Silicon Valley and the US government at the detriment of civil liberties and privacy for everyone else," writer Rachael Tackett said on Tuesday.

A similarly-named bill Cybersecurity Information Sharing Act (CISA) made it through one of the Senate's committees, adding yet another legislative voice to the mix. Critics of the bill, however, called it an "even more toxic bill" than CISPA.

While CISPA 2015 has yet to be taken up by a House committee, CISA will be voted on later this year by the Senate.

The White House said it aims to push for further collaboration on the proposals at a cybersecurity summit on February 13.

"As with any legislation, the devil is in the details," the Electronic Frontier Foundation wrote.

Editorial standards