Sen. Wyden on Cybersecurity Legislation

[Congressional Record Volume 158, Number 73 (Monday, May 21, 2012)]
[Senate]
[Pages S3300-S3301]



                              The Internet

  Mr. WYDEN. Mr. President, I believe the development of the Internet, 
its networks, and the digital economy are one of the great achievements 
of our age.
  The Internet links humanity together, facilitating economic growth, 
bringing education and health resources to remote regions, reshaping 
societies and advancing human rights.
  While networks foster innovation, job creation, and political and 
social progress, networks can also be used by actors with nefarious 
motives. It is in our national interest to deter, detect, and destroy 
real and viable cyber threats, to protect Americans and preserve the 
benefits of the Internet. Americans must not be afraid to go online.
  The Internet works not just because it is open to all but because it 
is founded on the principle of trust. Users trust that their browsers 
are visiting real Web sites, not replicated ones. Internet commerce 
succeeds because people trust that their transactions are private and 
their financial information won't be shared with others. People trust 
the Internet because they believe their service providers work for 
them, not for their advertisers, not for scammers, and not for the 
government.
  Congress's effort to develop a comprehensive approach to 
cybersecurity must not erode that trust. When Americans go online to 
consume digital services and goods, they must believe and know with 
some certainty that their privacy is adequately protected. The content 
that Americans consume must be at least as private as their library 
records, their video rentals, and book purchases in the brick-and-
mortar world. Our law enforcement and intelligence agencies should not 
be free to monitor and catalog the speech of Americans just because it 
is online.
  But the legislation passed by the other body, known as CISPA, would 
erode that trust. As an attempt to protect our networks from real cyber 
threats, CISPA is an example of what not to do. CISPA repeals important 
provisions of existing electronic surveillance laws that have been on 
the books for years, without instituting corresponding privacy, 
confidentiality, and civil liberty safeguards. It creates uncertainty 
in place of trust, it erodes statutory and constitutional civil rights 
protections, and it creates a surveillance regime in place of the 
targeted, nimble, cybersecurity program that is needed to truly protect 
our Nation.
  Unfortunately, S. 2105, the bill before the Senate, shares some of 
these defects. Currently, Internet services and service providers have 
agreements with their customers that allow them to police and protect 
their networks and users. Rather than simply allowing these Internet 
companies to share information on users who violate their contracts and 
pose a security threat, the House and Senate proposals regrettably 
authorize a broad-based information-sharing regime that can operate 
with impunity. This would allow the personal data of individual 
Americans to be shared across a multitude of bureaucratic, military, 
and law enforcement agencies. This would take place regardless of the 
privacy agreements individual Americans have with their Internet 
service providers.
  In fact, both the House and Senate bills subordinate all existing 
privacy rules and constitutional principles to the poorly defined 
interests of what is called cybersecurity.
  These bills would allow law enforcement agencies to mine Internet 
users' personal data for evidence of acts entirely unrelated to 
cybersecurity. More than that, they would allow law enforcement to look 
for evidence of future crimes, opening the door to a dystopian world 
where law enforcement evaluates your Internet activities for the 
potential that you might commit a crime.
  In establishing this massive new regime, these bills fail to create 
the necessary incentives for operators of critical networks to keep 
their networks secure.
  It is a fundamental principle of cybersecurity policy that any 
network whose failure could result in a loss of

[[Page S3301]]

life or significant property should be physically isolated from the 
Internet. Unfortunately, many of our critical network operators have 
violated this principle in order to save money or streamline 
operations. This sort of gross negligence ought to be the first target 
in any cybersecurity program--not the privacy of individual Americans.
  Congress could target this behavior with yet one more rule book and 
one more bureaucracy, creating a cybersecurity contractor full 
employment program. I am not, however, convinced this is a problem that 
requires that kind of solution.

  At the same time, Congress should not allow our critical network 
operators to ignore best practices with impunity. It is vital they 
understand that any liability for a preventable cyber attack is their 
responsibility. There is not going to be a governmental bailout after 
the fact in the cybersecurity area. Shareholders and boards of 
directors must be vigilant and understand the risks to their 
investments. Executives must understand that ignoring critical cyber 
threats in the interest of cost savings and convenience will leave them 
personally exposed.
  Internet providers and backbone operators clearly have a role in this 
fight. When they detect abnormal network activity or have a user 
violating their contract in a way that constitutes a cyber threat, they 
can and should inform our cyber defense officials. If it is necessary 
to grant them immunity to share this kind of information, the Congress 
could grant it--narrowly and with careful consideration.
  Mr. President, there would be bipartisan support for the proposition 
that the Federal Government also has a significant role that does not 
necessarily require billing taxpayers for legions of private 
cybersecurity contractors. The Department of Defense, the Department of 
National Intelligence, Homeland Security, and the Justice Department--
four major parts of our government--all have cybersecurity specialists. 
The Congress ought to be promoting the cyber capabilities of these 
agencies and providing the resources that are needed to protect these 
networks. These Federal agencies should do a better job of consulting 
the private Internet companies to better understand the attacks that 
are occurring every day across the net.
  Some of these steps may require legislation, but many can be carried 
out by responsible actors in the public and private sector without 
waiting for the Congress to act. However, the legislation before the 
Senate and the cybersecurity legislation that passed the other body 
leads our country away from the kind of commonsense approach to 
cybersecurity I have outlined this afternoon.
  As they stand, these bills are an overreaction to a legitimate and 
understandable fear. The American people are going to respond by 
limiting their online activities. That would be a recipe to stifle 
speech, innovation, job creation, and social progress. I believe these 
bills will encourage the development of an industry that profits from 
fear and whose currency is Americans' private data. These bills create 
a cyber industrial complex that has an interest in preserving the 
problem to which it is the solution.
  In terms of the process, the Senate ought to proceed in a way that is 
as open and collaborative as the Internet the Congress seeks to promote 
and protect. On substance, any cybersecurity bill must contain specific 
and clear descriptions of what types of data and when such data can be 
captured, with whom it can be shared, and under what circumstances. 
Anything not specifically covered ought to remain private. Privacy in 
the cybersecurity arena should be the default not the exception. Legal 
immunity to corporations that share information should be the exception 
not the rule and void if privacy protections or contracts are 
disregarded.
  The Congress and the public must have the ability to know how any 
cybersecurity program that is established is to be implemented. That 
means routine public and unclassified reports and hearings to examine 
whether there were any unintended privacy or civil liberty impacts 
caused by the program. No secret law, Mr. President.
  Bad Internet policy is increasingly premised on false choices. 
Earlier this year, during the consideration of the Protect IP Act and 
the Stop Online Piracy Act, the Congress was told again it had a false 
choice. The Congress was told it either could protect intellectual 
property or it could protect the integrity of the Internet. This was a 
false choice. I and others said so at the time because achieving one 
should not and does not require sacrificing the other.
  Now the Congress is being asked once again to make a false choice--a 
choice between cybersecurity and privacy--and I don't think these two 
are mutually exclusive. I think we can have both. Our job is to write a 
cybersecurity bill that protects America's security and the fundamental 
right to privacy of our people. There is no sound policy reason to 
sacrifice the privacy rights of law-abiding American citizens in the 
name of cybersecurity. It is my intent to fight any legislation that 
would force Members of the Senate to make that choice.
  Mr. President, with that I yield the floor.