“Even though a bill went on to pass the House of Representatives and includes some important improvements over previous versions, this legislation still doesn’t adequately address our fundamental concerns,” the response reads. 

“But it’s not good enough to just stop things: We’ve got to work together, with legislators on Capitol Hill, technology experts from the private sector, and engaged advocates like you to advance cybersecurity legislation without compromising privacy.”

The White House issued a veto threat against the bill before it went to the floor for a vote.

When reviewing legislative proposals that deal with cybersecurity information-sharing efforts, the administration looks at whether the measure requires companies to share data that’s only “limited to what’s relevant and necessary for cybersecurity purposes,” the White House officials said. 

The White House designates a civilian department — “not an intelligence agency” — as the first recipient of cybersecurity data. Proposals should also provide a narrow set of liability protections that encourage the private sector to respond to cyber threats “without encouraging reckless behavior,” Daniel and Park write.

“The essential question on which people across the spectrum disagree isn’t if we can share cybersecurity information and preserve the principles of privacy and liberty that make the United States a free and open society — but how,” the two officials say.

CISPA, authored by House Intelligence Chairman Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.), was designed to make information-sharing about malicious source code and other cyber threats between industry and the government easier, so companies can thwart cyberattacks faster. 

However, the final version of the bill did not satisfy the White House’s key principles because it would allow companies to share cyber threat information directly with the military, including the National Security Agency (NSA), without being required to remove personal information from that data first.

Under the bill, companies are not required to remove information that could be used to identify a specific person — such as email addresses and names— before sharing cyber threat information with the government. CISPA requires the government to strip that personal information from the cyber threat data it receives from companies instead.

Despite the White House’s veto threat and outcry from privacy advocates, the bill overwhelmingly passed the House on a 288-127 vote. A last-minute amendment adopted to the bill proposed to establish a center within the Department of Homeland Security, a civilian agency, as the federal hub for cyber threat information-sharing efforts.

Despite the amendment, some privacy advocates say the bill would still allow companies to share information directly with the secretive NSA.

In the upper chamber, Senate Intelligence Chairman Dianne Feinstein (D-Calif.) and ranking member Sen. Saxby Chambliss (R-Ga.) are working on a cybersecurity information-sharing measure, which is intended to be the Senate counterpart to CISPA.

“Just like you, we will continue to closely monitor and engage in that process,” the officials write. 

The officials also note that President Obama’s cybersecurity executive
order released earlier this year directs the government to share more
cybersecurity information with the private sector.

In its response, the White House officials said existing information-sharing efforts need to be improved so companies can relay threat information more quickly with the government. Companies currently have to establish individual arrangements with the government and other private sector peers about what cyber threat data they can legally share, they write.

“We face growing threats from bad actors on the Internet, and we need to protect our citizens and empower our critical infrastructure to protect itself,” Park and Daniel write. “The United States must update our cybersecurity laws, but we will not sacrifice our values in the process.”