The White House has responded to consumer concerns about CISPA, acknowledging that both businesses and government should share cyber-security information, albeit through civilian agencies.
The Obama administration was reacting to a petition to “Stop CISPA,” or the Cyber Intelligence Sharing and Protection Act, which recently passed the House of Representatives. That semi-anonymous protest called out CISPA’s definitions of cyber-threat intelligence and cyber threat sharing: “The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.”
CISPA hasn’t rallied the same kind of response that the SOPA/PIPA legislation did last year, but it has nonetheless earned the ire of Anonymous, the loose collective of hackers that in April tried to “black out the Internet” via online protests on smaller blogs and community sites. Rep. Dutch Ruppersberger (D-Md.), one of the co-sponsors of the bill, was allegedly threatened by Anonymous, he told The Hill recently, claiming that the group was trying to “shut down” people who supported the bill.
Todd Park, assistant to the President and the United States chief technology officer, joined Michael Daniel, special assistant to the President and cybersecurity coordinator, in authoring the response: “The President has been clear that the United States urgently needs to modernize our laws and practices relating to cybersecurity, both for national security and the security of our country’s businesses—but that shouldn’t come at the expense of privacy.”
The Obama administration threatened to veto the proposed bill because it didn’t properly render anonymous the information that would be shared with the government. But Park and Daniel made clear that information would be shared, and that the mechanism for doing so was open to debate.
That collaboration is already happening, the two wrote, in an inefficient way. Right now, each company has to work out an individual arrangement with the government and other companies on what information to share about cyberthreats. “This ambiguity can lead to harmful delays,” they wrote.
From the administration’s view, three principles govern information sharing: it must protect civil liberties; go through a civilian department, not an intelligence agency; and provide “narrowly tailored liability protections that would allow the private sector to respond to threats.” Information shared should be relevant and necessary; if a utility company is hacked, there’s no need to share the energy use of its customers as part of the response. Likewise, a civilian agency (and not an intelligence network) should spearhead this sharing of information, provided that organizations such as the FBI are allowed to bring cyber criminals to justice. Finally, the legislation should provide “legal clarity” to businesses, but not “broad immunity,” Park and Daniel wrote.
The key for businesses will be in the last point. There will undoubtedly be many concerns about the legal liability of disclosing hacks, and what the line is between disclosing a hack and accepting blame. Shareholders and customers will undoubtedly line up on one side, while corporate lawyers man the other side of the fence. If any bill is to have a chance of passage, both interests will have to be represented.