[Congressional Record Volume 158, Number 23 (Monday, February 13, 2012)]
[Senate]
[Pages S568-S569]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mrs. FEINSTEIN (for herself and Ms. Mikulski):
S. 2102. A bill to provide the authority to monitor and defend
against cyber threats, to improve the sharing of cybersecurity
information, and for other purposes; to the Committee on Homeland
Security and Governmental Affairs.
Mrs. FEINSTEIN. Mr. President, I rise to introduce the Cybersecurity
Information Sharing Act of 2012, which will improve the sharing of
cyber threat and cybersecurity information in the private sector and
with the federal government.
We all know that the cyber threat is perhaps the number one threat to
our Nation at this time. It is significant that just last month, at the
Senate Intelligence Committee's hearing on
Worldwide Threats, the U.S. Intelligence Community's official statement
equated cyber threats to terrorism and proliferation as the highest
priority threats to our security.
An unclassified report by the Intelligence Community made public in
November 2011 said cyber intrusions against U.S. companies cost untold
billions of dollars annually and named China and Russia as aggressive
and persistent cyber thieves.
One of the main obstacles to better U.S. cybersecurity is that a
combination of existing law, the threat of litigation, and standard
business practices prevent or deter the private sector from sharing
information about the cyber threats they face and the losses of
information and money they suffer.
We know there have been multi-million dollar cyber thefts from the
Royal Bank of Scotland, Citibank, and other financial institutions. But
companies like these are reticent about making public these cyber
attacks because that could further damage their bottom line.
Even cyber security companies like RSA and national security agencies
like the Federal Bureau of Investigation fall victim to malicious cyber
activity, but the lessons learned from those attacks are generally not
shared with others that face the same threat.
Finally, cyber criminals violate our privacy by hacking into the
computers in our homes. They steal passwords for our bank accounts,
access our private information, and turn our computers into launching
points for further attacks.
These cyber intrusions affect Americans in substantial and real ways,
and the threat is only growing. After reviewing the intelligence for
many years on the cyber threat, it is clear to me that foreign nations
and non-state actors are already causing major damage to our economy. I
am also convinced that these bad actors are capable of causing
potentially catastrophic loss of life and economic damage by opening a
dam, crashing our financial system, or bringing down the electric grid.
For these reasons, I am very pleased that Majority Leader Reid is
bringing comprehensive cybersecurity legislation to the Senate Floor
after the President's Day Recess.
For 2 years, Leader Reid has worked with the Chairmen and Ranking
Members of all the committees of jurisdiction on cybersecurity to
produce this legislation, and Senators Rockefeller, Collins, Lieberman
and Snowe in particular are to be commended for their extensive efforts
in this area.
As the Chairman of the Intelligence Committee, I am particularly
interested in legislation to address the need for better information
sharing.
The intelligence committees in the Senate and House have been working
to improve information sharing on counterterrorism since the terrorist
attacks of September 11. The urgency in the cyber arena is just as
important, but is, if anything, more difficult, as we must coordinate
and protect the sharing of information that will go to a far greater
number of entities, both public and private.
Unfortunately, the private sector entities that operate the critical
networks that control financial markets, power plants, dams, and
communications are prevented in very real ways from sharing information
to warn each other of cyber threats. Barriers to such sharing include
perceived financial and reputational risks; legal barriers in
electronic surveillance laws; liability concerns that arise from
potential lawsuits; and lack of one Federal agency in charge of cyber
information sharing.
The bill I am introducing today will allow for more information
sharing by providing clear authority to share cyber threat information
and by reducing legal barriers to private entities' ability to work
with each other and with the federal government to share cybersecurity
information, in a manner that upholds privacy and civil liberties.
Participation in information sharing in this bill would be voluntary
for companies, but any company that does share threat information will
be protected for doing so, and the information would be subject to
strict privacy controls.
I also want to be very clear that this bill does not give law
enforcement or the Intelligence Community any new authorities for
conducting surveillance.
In an op-ed published in the Wall Street Journal on January 27, 2012,
former Director of National Intelligence Mike McConnell, former
Secretary of Homeland Security Michael Chertoff, and former Deputy
Secretary of Defense Bill Lynn said that the Intelligence Community
needs to make cyber threat information available to other parts of the
government and to commercial entities to maximize our cyber defenses.
The Cybersecurity Information Sharing Act of 2012 would do just that.
Specifically, this legislation requires the Federal government to
designate a single focal point for cybersecurity information sharing.
The bill refers to this focal point as a ``Cybersecurity Exchange''
because with cybersecurity, it's not enough for entities to operate as
``centers'' or ``task forces'' that only receive information; they must
also serve as a hub for appropriately distributing and exchanging cyber
threat information. The bill also requires the government to reduce
bureaucratic obstacles to sharing so that the government can be a more
effective partner for the private sector.
The bill establishes procedures for the government to share
classified cybersecurity threat information with certified private
sector entities. Generally, only government contractors can receive a
security clearance, but other companies, such as Internet Service
Providers, need to receive classified threat information in order to
protect against attacks. This bill makes them eligible to receive
security clearances for that purpose. Those companies would be under
the same restrictions to protect classified information as the
government.
The bill removes legal and policy barriers to information sharing by
affirmatively authorizing private sector entities to monitor and defend
their own networks and to share cyber information.
By creating a robust privacy compliance regime to ensure that
information in the Federal government's hands is protected. Just as the
Foreign Intelligence Surveillance Act, the Privacy Act, and many other
statutes place conditions on the government's ability to use
information it receives, this bill would limit the government's ability
to use private sector cyber information for approved cybersecurity
purposes only.
And also by providing appropriate liability protections for companies
that share cyber information under the terms of the bill. A company
that shares threat information with a cybersecurity exchange or with
other private sector entities is protected under this bill from
litigation for having done so. Many companies have told us that the
threat of litigation deters them from sharing details about cyber
attacks they have faced. In order to assist other companies and the
government to protect against those attacks in the future, that
information needs to be shared and acted upon.
I look forward to the consideration of this bill and the rest of the
cyber legislative package that will be taken up by the Senate soon.