President Barack Obama’s administration threatened to veto revised cybersecurity legislation backed by AT&T Inc. (T) and Boeing Co. (BA), saying it doesn’t do enough to protect the privacy of U.S. citizens.
The bill, scheduled to be debated in the House tomorrow, would give companies immunity from lawsuits if they share information with each other and with the U.S. government about threats to computer networks.
“Citizens have a right to know that corporations will be held accountable -- and not granted immunity -- for failing to safeguard personal information adequately,” the White House said today in a statement. “The Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill.”
Congress is renewing a push to pass cybersecurity legislation following warnings by U.S. intelligence officials that electronic attacks could disrupt the nation’s banks, utilities, telecommunications networks and other essential services.
The threat of cyber attacks has for the first time become a greater concern than terrorism, James Clapper, the top U.S. intelligence official, told the House Intelligence Committee during an April 11 hearing.
The Chinese army may be behind the hacking of at least 141 companies worldwide since 2006, according to a Feb. 19 report from Alexandria, Virginia-based Mandiant Corp.
The House measure, H.R. 624, would authorize the government to share classified cyberthreat data with companies that own or operate vital computer networks.
Those companies would be guaranteed legal protections when it comes to sharing cybersecurity information with each other and the government, including the National Security Agency. Shared information would be exempt from public disclosure, according to the bill.
The Intelligence Committee voted 18-2 to approve the bill April 10 after making changes designed to safeguarding privacy and aimed at winning over the White House and some lawmakers.
The changes included requiring the government to minimize collection of information that could identify citizens, and clarifying that companies could use cybersecurity data only to protect their networks, not for marketing purposes.
Other changes included denying firms legal protections if they use cyberthreat information to hack each other, and dropping language allowing agencies to use the information for national security purposes.
“We have produced a balanced bill that provides strong protections for privacy and civil liberties, while enabling effective cyberthreat sharing,” Representative Mike Rogers, a Michigan Republican and chairman of the intelligence panel, said in a statement after last week’s vote.
The House passed a version of the bill 248-168 a year ago in April after the White House threatened to veto it. The legislation died when the Senate didn’t take it up. A different cybersecurity bill in the Senate was blocked by Republicans who said it would lead to regulation.
Obama issued an executive order Feb. 12 outlining policies for wider sharing of government data on cyber attacks. The order directs the government to develop voluntary cybersecurity standards for businesses and instructs U.S. agencies to consider adding the standards to existing rules.
Rogers has said Obama’s executive order, because it promotes information sharing, could encourage the Senate to take up and pass the House bill.
The bill “has major shortcomings and would undermine the interests of citizens and their privacy,” the lawmakers wrote in an April 15 letter to all members of the House.
They said the bill doesn’t require companies sharing information to remove data that could identify citizens; would let companies share data about citizens with the National Security Agency; and won’t stop companies from hacking each other.
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Bernard Kohn at email@example.com