White House Responds to CISPA Petition, Concerned About Privacy

- By Chloe Albanesius

The White House today formally replied to an online petition calling for the demise of CISPA, reiterating that while it supports information sharing in order to stop a cyber attack, it does not believe the bill goes far enough on privacy.

"Even though a bill went on to pass the House of Representatives and includes some important improvements over previous versions, this legislation still doesn't adequately address our fundamental concerns," according to Todd Park, U.S. chief technology officer, and Michael Daniel, cyber-security coordinator.

The petition, calling for a stop to the Cyber Intelligence Sharing and Protection Act (CISPA), earned 117,576 e-signatures via the White House's "We the People" site earlier this year, besting the 100,000-signature threshold required for a formal White House response.

CISPA would allow for voluntary information sharing between private companies and the government in the event of a cyber attack. If the government detects a cyber attack that might take down Facebook or Google, for example, they could notify those companies. At the same time, Facebook or Google could inform the feds if they notice unusual activity on their networks that might suggest a cyber attack.

In their response, Park and Daniel said that if a company discovers "that a hacker has broken into its network and is stealing its customers' information (violating their privacy in the process), that company should be able to share what it learns about the intrusion efficiently - how the hacker got in, what he did while inside, and what he looked for - with the government and other companies. The government and other businesses would then be able to use this information from the hacker, not his victim, to help prevent future intrusions."

This already happens to a certain degree, but the process is inefficient, they said. The administration agrees that there needs to be "clearer rules to promote collaboration and protect privacy." But CISPA does not accomplish that to the White House's satisfaction, they wrote.

Park and Daniel said CISPA needs three things before the White House could consider supporting it: a guarantee that information shared only relates to the cyber attack at hand (a utility company shouldn't have to disclose user information if it's informing the feds about a hack); a provision that says a civilian agency, not an intelligence one, will handle data; and no "broad immunity" for businesses that "act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information."

The White House has already formally threatened to veto CISPA, but it might be a moot point. Though the bill passed the House, a Senate Commerce Committee spokesman has said the Senate will not consider the bill and instead craft its own cyber bill, which is exactly what happened with CISPA last year. The Senate, however, failed to agree on that that cyber legislation should include and nothing made its way to Obama's desk in 2012.