President Obama Should Stick to His Principles and Veto CISA

Congress has
been trying to pass cybersecurity information sharing legislation for years. All
of these bills have failed to become law because they universally unnecessarily
undermined privacy and civil liberties and simultaneously empowered law
enforcement and intelligence community agencies like the National Security
Agency (NSA).

The
President made clear from the beginning of this debate that addressing privacy
concerns in legislation was essential, and threatened to veto the House
Intelligence Committee’s bill, (H.R. 3523), twice. Now more than
ever, he should stand firm to those priorities.

CISPA first debuted
in 2011 and privacy groups immediately cried foul, arguing that it would “needlessly
impinge on Americans’ privacy” because it would “allow[] the transfer of vast
amounts of data, including sensitive information like internet use history or
the content of emails, to any agency in the government including…the National
Security Agency,” and it lacked “meaningful use restrictions” for the
information once in the government’s hands. The President heard the privacy
community’s concerns and agreed. He threatened to veto CISPA because it failed to “preserve[] Americans’
privacy, data confidentiality, and civil liberties and recognize[] the civilian
nature of cyberspace.”

CISPA’s
proponents reintroduced the failed bill in 2013, and were met with the same pushback from the privacy community and from the Administration. This time, the
White House set forth three overarching priorities that information sharing legislation must
meet in order for the President to sign it into law:

(1)
carefully safeguard privacy and civil liberties; (2) preserve the
long-standing, respective roles and missions of civilian and intelligence
agencies; and (3) provide for appropriate sharing with targeted liability
protections.

Congress has
moved on from CISPA, but a new and equally concerning bill has taken its place:
CISA (S. 754).
This Senate Intelligence Committee bill is poised for a vote as soon as next
week. The President should again threaten a veto, as CISA suffers from many
same fatal flaws that caused him to oppose CISPA.

The President Has Demanded Adequate Privacy
Protections

The
President has stated that information sharing legislation must provide “sufficient limitations on the sharing of
personally identifiable information”
and require companies to “take reasonable steps to remove” it.
CISA fails to put in place that reasonable privacy protection. It would
increase government access to innocent Americans’ personal data by authorizing
companies to share vaguely-defined “cyber threat indicators” that could include
private communications content and sensitive, personally identifiable
information, even when that data is unnecessary to identify or protect against
to a threat.

The President Has Demanded Narrow Use
Restrictions

The
President has also stated that information “sharing must be consistent with cybersecurity use restrictions, the cybersecurity responsibilities of the
agencies involved, as well as privacy and civil liberties protections and
transparent oversight.” CISA does not put in place meaningful use restrictions
that would be adequate to protect civil liberties. Instead, CISA would allow the FBI and other
federal, state, and local law enforcement agencies to use information they
receive for investigations that have nothing to do with cybersecurity, such as
investigations into garden variety violent crimes, drug crimes, arson,
carjacking, and extortion.

The President Has Demanded Civilian Control
of Domestic Cybersecurity

Finally, the
President has consistently advocated for “the longstanding tradition to treat
the Internet and cyberspace as civilian spheres” and
opposed CISPA because it “effectively treat[ed] domestic cybersecurity as an
intelligence activity” by
allowing companies to share information directly with the NSA and failing to
place reasonable restrictions on the government’s use of that information.
CISA, like CISPA, empowers the NSA and fails to establish civilian
control. It would allow companies to
share information directly with the NSA. If a company shares with a civilian
agency instead, that agency would be required to automatically disseminate it
to the NSA, and would even be prohibited from scrubbing the information to
remove unnecessary personal information.

These are
just a few of the many flaws that have caused OTI
to strongly oppose CISA. Yesterday, a coalition of over 68
civil society groups, companies, and security experts wrote to the President
and urged him to issue a veto threat. It
does not meet the bare minimum requirements for information sharing legislation
that the President has laid out. Now is
not the time for the him to back away from the principles he set forth,
requiring adequate protections for privacy and civil liberties, and civilian
control, by allowing CISA to become law.
President Obama should defend those principles and threaten to veto
CISA.