[Congressional Record Volume 158, Number 23 (Monday, February 13, 2012)]
[Senate]
[Pages S568-S569]

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

By Mrs. FEINSTEIN (for herself and Ms. Mikulski):

S. 2102. A bill to provide the authority to monitor and defend against cyber threats, to improve the sharing of cybersecurity information, and for other purposes; to the Committee on Homeland Security and Governmental Affairs.

Mrs. FEINSTEIN. Mr. President, I rise to introduce the Cybersecurity Information Sharing Act of 2012, which will improve the sharing of cyber threat and cybersecurity information in the private sector and with the federal government.

We all know that the cyber threat is perhaps the number one threat to our Nation at this time. It is significant that just last month, at the Senate Intelligence Committee's hearing on Worldwide Threats, the U.S. Intelligence Community's official statement equated cyber threats to terrorism and proliferation as the highest priority threats to our security.

An unclassified report by the Intelligence Community made public in November 2011 said cyber intrusions against U.S. companies cost untold billions of dollars annually and named China and Russia as aggressive and persistent cyber thieves.

One of the main obstacles to better U.S. cybersecurity is that a combination of existing law, the threat of litigation, and standard business practices prevent or deter the private sector from sharing information about the cyber threats they face and the losses of information and money they suffer.

We know there have been multi-million dollar cyber thefts from the Royal Bank of Scotland, Citibank, and other financial institutions. But companies like these are reticent about making public these cyber attacks because that could further damage their bottom line.
Even cyber security companies like RSA and national security agencies like the Federal Bureau of Investigation fall victim to malicious cyber activity, but the lessons learned from those attacks are generally not shared with others that face the same threat.

Finally, cyber criminals violate our privacy by hacking into the computers in our homes. They steal passwords for our bank accounts, access our private information, and turn our computers into launching points for further attacks. These cyber intrusions affect Americans in substantial and real ways, and the threat is only growing.

After reviewing the intelligence for many years on the cyber threat, it is clear to me that foreign nations and non-state actors are already causing major damage to our economy. I am also convinced that these bad actors are capable of causing potentially catastrophic loss of life and economic damage by opening a dam, crashing our financial system, or bringing down the electric grid.

For these reasons, I am very pleased that Majority Leader Reid is bringing comprehensive cybersecurity legislation to the Senate Floor after the President's Day Recess. For 2 years, Leader Reid has worked with the Chairmen and Ranking Members of all the committees of jurisdiction on cybersecurity to produce this legislation, and Senators Rockefeller, Collins, Lieberman and Snowe in particular are to be commended for their extensive efforts in this area.

As the Chairman of the Intelligence Committee, I am particularly interested in legislation to address the need for better information sharing. The intelligence committees in the Senate and House have been working to improve information sharing on counterterrorism since the terrorist attacks of September 11. The urgency in the cyber arena is just as important, but is, if anything, more difficult, as we must coordinate and protect the sharing of information that will go to a far greater number of entities, both public and private.
Unfortunately, the private sector entities that operate the critical networks that control financial markets, power plants, dams, and communications are prevented in very real ways from sharing information to warn each other of cyber threats. Barriers to such sharing include perceived financial and reputational risks; legal barriers in electronic surveillance laws; liability concerns that arise from potential lawsuits; and lack of one Federal agency in charge of cyber information sharing.

The bill I am introducing today will allow for more information sharing by providing clear authority to share cyber threat information and by reducing legal barriers to private entities' ability to work with each other and with the federal government to share cybersecurity information, in a manner that upholds privacy and civil liberties.

Participation in information sharing in this bill would be voluntary for companies, but any company that does share threat information will be protected for doing so, and the information would be subject to strict privacy controls. I also want to be very clear that this bill does not give law enforcement or the Intelligence Community any new authorities for conducting surveillance.

In an op-ed published in the Wall Street Journal on January 27, 2012, former Director of National Intelligence Mike McConnell, former Secretary of Homeland Security Michael Chertoff, and former Deputy Secretary of Defense Bill Lynn said that the Intelligence Community needs to make cyber threat information available to other parts of the government and to commercial entities to maximize our cyber defenses. The Cybersecurity Information Sharing Act of 2012 would do just that.

Specifically, this legislation requires the Federal government to designate a single focal point for cybersecurity information sharing.
The bill refers to this focal point as a ``Cybersecurity Exchange'' because with cybersecurity, it's not enough for entities to operate as ``centers'' or ``task forces'' that only receive information; they must also serve as a hub for appropriately distributing and exchanging cyber threat information. The bill also requires the government to reduce bureaucratic obstacles to sharing so that the government can be a more effective partner for the private sector.

The bill establishes procedures for the government to share classified cybersecurity threat information with certified private sector entities. Generally, only government contractors can receive a security clearance, but other companies, such as Internet Service Providers, need to receive classified threat information in order to protect against attacks. This bill makes them eligible to receive security clearances for that purpose. Those companies would be under the same restrictions to protect classified information as the government.

The bill removes legal and policy barriers to information sharing by affirmatively authorizing private sector entities to monitor and defend their own networks and to share cyber information.

By creating a robust privacy compliance regime to ensure that information in the Federal government's hands is protected. Just as the Foreign Intelligence Surveillance Act, the Privacy Act, and many other statutes place conditions on the government's ability to use information it receives, this bill would limit the government's ability to use private sector cyber information for approved cybersecurity purposes only.

And also by providing appropriate liability protections for companies that share cyber information under the terms of the bill. A company that shares threat information with a cybersecurity exchange or with other private sector entities is protected under this bill from litigation for having done so.
Many companies have told us that the threat of litigation deters them from sharing details about cyber attacks they have faced. In order to assist other companies and the government to protect against those attacks in the future, that information needs to be shared and acted upon.

I look forward to the consideration of this bill and the rest of the cyber legislative package that will be taken up by the Senate soon.