Both the White House and Secretary of Homeland Security Jeh Johnson announced support this week for the Cybersecurity Information Sharing Act of 2015 (CISA, S.754), currently under consideration in the Senate (Defense Daily, Oct. 22).
In an official Statement of Administration Policy supporting CISA, the White House on Thursday reiterated previously stated concerns about privacy considerations in the bill.
“As the Administration has previously stated, information sharing legislation must carefully safeguard privacy, confidentiality, and civil liberties, preserve the long-standing respective roles and missions of civilian and intelligence agencies, and provide for appropriate sharing with targeted liability protections,” the White House Office of Management and Budget (OMB) said.
However, the White House said it appreciated amendments to the bill adopted by the Senate Select Committee on Intelligence to address the administration’s most significant concerns. It is also encouraged the bill’s sponsor has proposed additional changes on the Senate floor.
“This work has strengthened the legislation and incorporated important modifications to better protect privacy. As such, the Administration supports Senate passage of S. 754, while continuing to work with the Congress as S.754 moves through the legislative process to ensure further important changes are made to the bill, including, but not limited to, preserving the leadership of civilian agencies in domestic cybersecurity,” the statement said.
The administration also supports CISA funneling private entity information sharing through the Department of Homeland Security (DHS) to receive liability protections and that the sharing is governed by privacy protections guidelines. To these ends, “in order to ensure a focused approach and to facilitate streamlined information sharing while ensuring robust privacy protections, the Administration will strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal,” the White House said.
Another administration concern is the bill’s authorization to share information with any federal entity weakens the bill’s requirement that information be shared with a civilian entity, notwithstanding other provision of law. The White House called this significant but is “is eager to work with Congress to seek a workable solution.”
It is also has reservations with how CISA authorizes the use of potentially disruptive defensive measures in response to network incidents, which “raises significant legal, policy, and diplomatic concerns and, without appropriate safeguards, can have a direct deleterious impact on foreign policy, the integrity of information systems, and cybersecurity.”
Alternatively, the White House is encouraged bill co-sponsor Sen. Richard Burr (R-N.C.), proposed changes that would limit an entity employing a defensive measure that would provide unauthorized access to another entity’s network.
“Though the Administration remains concerned that the bill’s authorization to operate defensive measures may prevent the application of other laws such as State common-law tort remedies, it is encouraged that the additional changes will help to appropriately constrain the use of defensive measures,” the White House said.
The White House commended the Senate Intelligence Committee on several measures: recognizing cybersecurity requires a whole-of-government approach with information sharing, requiring intra-governmental sharing be governed by policies and procedures to protect privacy and civil liberties, and including provisions that will improve the cybersecurity of federal networks and systems.
On privacy protections, the focus of several opponents of the bill, the White House said it is encouraged by changes to CISA by the sponsor to ensure the information sharing is narrowly focused on cybersecurity threats and security vulnerabilities.
“In addition to updating information sharing statutes, the Congress should incorporate privacy, confidentiality protection, and civil liberties safeguards into all aspects of cybersecurity legislation,” the statement said.
Separately Secretary Johnson said he is pleased the full Senate is considering CISA. “As currently written, I support this bill,” Johnson said in a statement Thursday.
Johnson praised co-sponsors Burr (R-N.C.) and Sen. Diane Feinstein (D-Calif.), noting they “deserve enormous credit for, in bipartisan fashion, taking on the complex subject of cybersecurity legislation, accounting for the numerous and varied interests, and writing a good bill.”
“Now that they have done the hard work to get S. 754 to this point, this is an opportunity that cannot be missed. I urge their Senate colleagues to carefully consider the bill, but then pass it and proceed to conference with the earlier-passed House version of cybersecurity legislation,” Johnson said.