[Congressional Record Volume 159, Number 52 (Wednesday, April 17, 2013)] [House] [Pages H2088-H2103] {time} 1420 CYBER INTELLIGENCE SHARING AND PROTECTION ACT general leave Mr. ROGERS of Michigan. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days to revise and extend their remarks and include extraneous material on the bill H.R. 624. The SPEAKER pro tempore. Is there objection to the request of the gentleman from Michigan? There was no objection. The SPEAKER pro tempore. Pursuant to House Resolution 164 and rule XVIII, the Chair declares the House in the Committee of the Whole House on the state of the Union for the consideration of the bill, H.R. 624. The Chair appoints the gentlewoman from Florida (Ms. Ros-Lehtinen) to preside over the Committee of the Whole. {time} 1422 In the Committee of the Whole Accordingly, the House resolved itself into the Committee of the Whole House on the state of the Union for the consideration of the bill (H.R. 624) to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes, with Ms. Ros-Lehtinen in the chair. The Clerk read the title of the bill. The CHAIR. Pursuant to the rule, the bill is considered read the first time. The gentleman from Michigan (Mr. Rogers) and the gentleman from Maryland (Mr. Ruppersberger) each will control 30 minutes. The Chair recognizes the gentleman from Michigan. Mr. ROGERS of Michigan. I yield myself such time as I may consume. I want to thank my ranking member and both the Republican and Democratic staffs and the Republican and Democratic members of the Intelligence Committee for 2 years of long hours in negotiated efforts to reach the point that we are. I want to back up just a little bit and tell you how we got to where we are today. We sat down some 2 years ago when the ranking member and I assumed the leadership of the Intelligence Committee and we looked at the one threat that we knew existed but we were not prepared to handle as Americans, both the private sector and the government. And we knew that we had to do something about this new and growing and misunderstood cyber threat and what it was doing to our intellectual property across the country, what it was doing to the freedom and open Internet that we so enjoy and are increasingly dependent on and the commercial value of our growing economy. And it was at risk. The private sector was at risk because people were stealing their identities, their accounts, their intellectual property, and subsequent to that, their jobs, and people began to question the value of getting on the Internet and using it for commercial purposes. Their trust in the free and open Internet the way we've embraced it in the United States really was at risk. How do we solve that problem? We knew that nation states were investing millions and billions of dollars to generate cyber warriors to go in and crack your computer network. I don't care if you had intellectual property--those blueprints that made your business successful, or maybe it was your bank account, or your ability to have a transaction. If they could interrupt that, they could do great harm to our economy and to the United States. We saw nation-states like Russia and China and now Iran and North Korea and others developing military-style attacks to actually do harm to the U.S. economy, to hurt the very men and women who get up every day and play by the rules and think that the Internet would be a safe place for them to interact when it comes to commerce. We want that to continue. So we sat down and we talked to industry folks, people who are in the business, high-tech industry folks from Silicon Valley, financial services folks from New York City, manufacturers from across the Midwest, who were losing intellectual property due to theft from nation-states like China. We talked to privacy groups. We talked to the executive branch. And over the last 2 years, there were some 19 adjustments to this bill on privacy. We believe this: this bill will not work if Americans don't have confidence that it will protect your privacy and civil liberties while allowing one very simple thing to happen: cyber threat material, that malware that goes on your computer and does bad things, allows somebody else to take over your computer to attack a bank, allows them to go on your computer and steal your personally identifiable information and use it in a crime, allows them to go into your network at work and steal your most valuable company secrets that keep you alive and build great products here in the United States--could we allow the government to share what they know with the private sector and allow the private sector to share when it comes to just that cyber threat, those zeros and ones in a pattern that equates to malicious code traveling at hundreds of millions of times a second the speed of light, can we share that in a way to stop them from getting in and stealing your private information? And the good news is the answer is, yes, we can do this. We can protect privacy and civil liberties, and we can allow this sharing arrangement, but not of your identity, not of your personally identifiable information. As a matter of fact, if that's what's happening, it won't work. But at the speed of light, from machine to machine, from your Internet service provider before it ever gets into your network they bounce out the nastiest stuff that's in there that's going to take over your computer, steal your money, steal your personally identifiable information, steal your company secrets. And they can identify that by a pattern and kick it out. They'll say, Something looks bad about that. Can the government take a look at that and say, you know what? This is a Chinese attack, it's an Iranian attack, it's a North Korean attack--let's defend our networks. It's really very simple. Today, what you see is a collaborative effort. This isn't a bill by Dutch Ruppersberger and Mike Rogers and this is the only way it has to be. We have taken suggestions from all the groups I just talked about, from privacy to the executive branch to industry to other trade associations. And this is the bill that mutually all of those people, representing tens of millions of employees around this country, said this is the way you do this and protect the free and open Internet and you protect civil liberties. And you finally raise that big red sign that tells people like China and Iran and Russia, stop. We're going to prevent you from stealing America's prosperity. I heard a lot of debate earlier on the rule. I've heard a lot of misinformation. There are people who don't like it for whatever reason, maybe it's conviction, maybe it's politics, maybe it's political theater. And I have a feeling there's a little bit of all of that when they talk about this bill. This bill does none of the things I've heard talked about in the rule--that [[Page H2089]] it's an exchange of information that they've never seen with the government. This is not a surveillance bill. It does not allow the national security agencies or the Department of Defense or any of our military organizations to monitor our domestic networks. It does not allow that to happen. We would not allow that to happen. {time} 1430 So some notion that that's happening is just wrong, and some of the folks who are pretending otherwise know it's wrong. This is important. You know, the Iranians, by public report, are laughing at our shores, looking for weaknesses in our financial institutions. They're not doing it for benevolence. They're doing it to try to create chaos in our markets here at home. This isn't 10 years or 20 years. This is today. It's happening today. The average credit card in your purse, Madam Chair, will be hit 300,000 times today by bad actors trying to get in and steal your personal information--all those cardholders' information--and use it to commit a crime. Today, hundreds of millions of times across this great country companies will be besieged by DDoS attacks trying to overwhelm their systems and shut them down and not allow commerce to happen, by people who are trying to get into their networks and steal something valuable. This bill is that right balance between our privacy, civil liberties, and stopping bad guys in their tracks from ruining what is one-sixth of the U.S. economy. It's that important, and it's important that we get at it today. We must do more to improve our cybersecurity, and this bill is that vital first step toward that bill. Our intelligence agencies collect important information overseas about advanced foreign cyber threats that could dramatically assist the private sector. That information is the intelligence community's unique value-added when it comes to our cybersecurity. Unfortunately, we are not getting the full value of those intelligence insights. As I said, the intelligence community is not monitoring the Internet. They don't know what's happening on the domestic Internet. So when there is a nasty piece of source code or malicious source code attacking the private sector, the only way we're going to know that is if we--and these folks are victims of crime, by the way--if we allow them, in a classified environment, to share malicious source codes--zeros and ones in the right pattern--with the government and say, Hey, I am the victim of a crime. Here's what it looks like. Can you help? The government needs to be able to share this threat intelligence so that the private sector can protect its own networks. The government is going to reciprocate. Our intelligence services go overseas. They find out what the bad guys are doing. They come back and protect the government networks. The problem is, because of laws and policies and procedures, we can't share that with the private sector so they can protect their own networks. Wouldn't it be great if they know what's coming? If you know what you're looking for, you can stop it. That's really what we're talking about doing here, Madam Chair. We must also modernize the law to give the private sector clear authority to share cyber threat information within the private sector, as well as the government, on a voluntary, anonymous basis. Again, if you believe in the free and open Internet and you look at all the bills that have been introduced, there is a chomping at the bit in this town to go out and try to put their mitts on the Internet. They want to get in there and start regulating and standards and setting up procedures. They want to get in from business-to-business communication. They want the government to be at every corner of the Internet. I reject that wholly. It's the wrong approach. It will not work. It will bring the Internet to a halt. This is the only bill that doesn't have new mandates, new authorizations for any government involvement in the Internet. It does something very simple. I'm going to repeat it a lot today, Madam Chair. It allows the government to share zeros and ones in the right pattern with the private sector. And zeros and ones from the private sector, when they know it's malicious and attacking their networks, they share it with the government and say, This is a problem. Can you help me? That's what this bill does. And we've got a long list of privacy protections and restrictions to make sure that that's all that this bill does. The bill achieves all of these important goals that I just walked through, and it will empower the private sector, which already does significant work to protect computer networks, to do even more. The bill will allow the government to share cyber threat intelligence more widely with American companies in operationally usable form so they can help prevent state-sponsored cyber spies from stealing American trade secrets. It also provides clear, positive authority to allow companies to share cyber threat information with others in the private sector. It also provides authority to allow those companies to share threat information on a purely voluntary and anonymized basis with the government, meaning no personal identifying information. This bill will not require additional Federal spending. It will not require the creation of a vast new government bureaucracy. It will not impose any Federal regulations or unfunded mandates on the private sector. To the contrary, it will be a critical, bipartisan first step toward enabling America's private sector to better defend itself from the advanced state-sponsored cyber threats in which we live in today. I'm very proud of the open and transparent process that produced this bill. We've had a great conversation over the last 2 years with a broad range of private sector companies, trade groups, privacy and civil liberties advocates, and the executive branch. I appreciate all the constructive input we have received from the process. This bill has been revised every step of the way in this process, and all of that has been based on discussions with all the groups I just mentioned. I just want to cover some of the privacy protections we've added along the way. The bill prohibits the government from requiring private sector entities to provide information to the government. There is nothing in here that has any requirement that the private sector must share cyber threat information. If they don't think it's in their best interest to stop that cyber crime, they don't have to say a word. If they do, they're allowed to share just that cyber threat information with the right agencies in real time. Again, this is machine to machine so that they can deal with the international nature of that threat. It encourages the private sector to anonymize or minimize the information it voluntarily shares with others, including the government. In addition, the bill requires an annual independent inspector general audit and report to Congress of all voluntary information sharing with the government. That's another layer of oversight. We have built multiple layers of oversight into this bill so that we can gain the confidence of the public in its purpose, intent, and success. The bill significantly limits the Federal Government's use of information voluntarily provided by the private sector, including a restriction on the government's ability to search that data--very important. The bill also enforces the restrictions on the government by levying penalties against the government through Federal court lawsuits for any violations of those restrictions. Again, another layer of oversight. In the markup, we've made some progress, as well, between the ranking member and the members on the committee negotiating and working out what changes we can make to, again, improve the confidence that people have in this bill. We have improved this bill every step of the way for the last 2 years, and the markup was no different. At our markup, which voted the bill out of committee on a strong 18-2 vote, we adopted five important amendments to further strengthen the bill's protections and safeguards. We adopted an amendment by Mr. Langevin that made it clear that the bill contained no new authority to allow companies to hack back into networks in other companies. It certainly wasn't intended in the legislation. I thought it was a well-intended amendment. The last thing we want to do is [[Page H2090]] unleash digital vigilantism across the country and what that might do to our ability to continue to rely on the Internet as an engine of commerce. We've put in place the private sector use restriction that limits companies' use of information received to only cybersecurity purposes. Mr. Heck and Mr. Himes worked diligently on this amendment to improve the bill and make it very clear that this is just about cybersecurity and cybersecurity purposes. The bill previously gave the government authorization to create procedures to protect privacy and civil liberties and prevent the government's retention of personal information not necessary to understand a cyber threat. Last week's amendment makes those procedures mandatory. That was by Mr. Himes. We agreed that was the right place to put the burden to make sure there was no personal identifiable information that was not necessary to determine the nature of the attack. We also struck the bill's authorized government ``national security'' use of information received from the private sector. This would have provided the government flexibility in the future to address advanced cybersecurity threats. In conversations with government national security lawyers in recent months, they assured us that this flexibility wouldn't be required in the near future. In light of that, and given the widespread misunderstanding this language was generating, we thought it was prudent to take it out. Ms. Sewell from Alabama offered that amendment and worked with the committee to make sure it was adopted. We also added additional oversight in the already very strong oversight structure in the bill to monitor the government's receipt and use of cyber threat information voluntarily provided by the private sector. We added roles for the Privacy and Civil Liberties Board and the individual agency privacy officers to provide additional oversight of the government's use of information received from the private sector under this bill. I'm also very proud to cosponsor an amendment today with Mr. McCaul and Mr. Thompson of Mississippi, Mr. Ruppersberger and myself that would put a civilian face on the privacy sector cyber information sharing with this government. It was a concern by many. It was something we had long debates and conversations on, and I think we came to an agreement that will at least end that debate. It puts the appropriate civilian face so that, again, people can have confidence in the intention of this bill and what it will do to protect cybersecurity on networks or allow the private sector to protect their own networks and protect civil liberties of Americans. {time} 1440 Other elements of the government, such as the intelligence community, will still receive the information they need to play their important roles, but only after it has been minimized and screened by a civilian entity like the DHS or, in some rare cases, the FBI. This bill already contains several levels of strong protections to ensure that it improves cybersecurity without compromising our important civil liberties, but this bill will add a significant new privacy protection to that existing structure. Again, Madam Chair, you can see the level of effort that we are doing here to protect privacy and civil liberties and still have a workable bill that stops nation-states like China, Russia, Iran, and North Korea from getting into your networks and stealing your property. We have yet to find a single U.S. company that opposes this bill. In fact, we have the enthusiastic support of nearly every sector of the economy, because they are under assault from foreign cyber attacks and they need our help. They need it now. Companies and industry groups from across the country, including Intel, the chip maker, IBM, the Internet Security Alliance, the U.S. Chamber of Commerce, the Business Roundtable, TechAmerica, TechNet, companies of Silicon Valley, the Financial Services Roundtable, U.S. Telecom, the Nuclear Energy Institute, and the National Association of Manufacturers, just to name a few, have sent the committee letters of support. And that list is growing by the day of people who are encouraged by the very light touch of the government; no new programs, no new authorizations, it's not a surveillance bill. This is the only appropriate way to try to deal with this problem. By allowing the private sector to expand its own cyber defense efforts and to employ classified information to protect systems and networks, this bill will harness private-sector drive and innovation while also keeping the government out of the business of monitoring and guarding private-sector networks. This important legislation would enable cyber threat sharing and provide clear authority for the private sector to defend its own networks while providing strong protections for privacy and civil liberties. Madam Chair, with this great collaborative effort, with the effort facing this country, when you see this many Republicans and Democrats coming together, recognizing the threat and crafting a bill that meets that very important standard, this is the bill we should all stand up and enthusiastically support, and I reserve the balance of my time. Mr. RUPPERSBERGER. Madam Chair, I yield to the gentleman from Illinois (Mr. Gutierrez) for the purpose of making a unanimous consent request. (Mr. GUTIERREZ asked and was given permission to revise and extend his remarks.) Mr. GUTIERREZ. I thank the gentleman for yielding. Madam Chair, as a member of the House Permanent Select Committee on Intelligence, I am very familiar with the types of threats that this country faces every day and the serious ramifications of cyber vulnerabilities. This is an issue to which the committee has devoted a great deal of time and energy during the last year. In the cyber security realm these threats are growing in frequency and severity, so much so that the Director of National Intelligence, James Clapper, identified cyber security as a top threat facing this country earlier this year. Director Clapper stated in an open hearing just a month ago that the growing cyber capabilities of both state and non-state actors ``put all sectors of our county at risk, from government and private networks to critical infrastructures.'' We have seen more and more brazen attacks, from financial institutions and banks to news outlets, credit card companies, telecommunications providers and even government entities. I believe that we should make every effort to safeguard the privacy of Americans' personal information even as we take steps to prevent attacks to our electronic networks and attempts to steal trade secrets, facilitate critical information sharing, and protect our critical infrastructure. To that end, the committee made a number of improvements to the bill with bipartisan support during our markup last week. Most notably, we voted to remove the authority for private information to be used for broad non-cyber ``national security'' purposes. We also expanded oversight responsibilities for the Privacy and Civil Liberties Oversight Board and restricted usage of information received by private entities to cyber security information. The bill also requires the government to minimize any personal information that is unrelated to a cyber threat. The bill has improved since the last time it was considered by the House of Representatives in 2012. I understand that there remain areas of concern for some of my colleagues. I share your reservations and am disappointed that we were unable to adopt amendments to address some of the liability issues, require private sector entities to make ``reasonable efforts'' to remove irrelevant personally identifiable information, and establish the Department of Homeland Security as the primary receptor of cyber threat information. An amendment to place DHS as the primary agency was not made in order today and I hope that we can continue to work on an agreement to do that. I am sensitive to these privacy concerns and hope that we can continue to improve the Cyber Intelligence Sharing and Protection Act through amendments today and ongoing dialogue. However, my underlying concerns about the national security implications of ever-present and even escalating cyber attacks compels me to support the bill today. Mr. RUPPERSBERGER. Madam Chair, I yield myself such time as I may consume. Chairman Rogers and I are here today to discuss the Cyber Intelligence Sharing and Protection Act, known as CISPA. The bill simply allows the government to give cyber threat intelligence to the private sector to protect its networks from cyber attacks. I don't want to repeat a lot of what the chairman has said, but the first [[Page H2091]] thing I want to do is to acknowledge the leadership of the chairman. Three years ago, the chairman and I, when we took over the leadership of the House Select Intelligence Committee, realized how serious the threat of cyber attacks were to our country, to our businesses, to our health, safety, and welfare. We decided to pull together a group of representatives from different parts of this issue--we had the administration involved, we had the privacy groups involved, including the ACLU, we brought in the industry--because we knew that we had to put together a bill that would pass the House, the Senate and be signed by the President. So, what we attempted to do was get input, and then we put together a bill. And, by the way, the bill is only 27 pages--it's probably a record in this Congress--and we did read the bill. Now, what we attempted to do in this bill is to address a situation where now, the government cannot really communicate with the private sector to try to help protect our citizens, our businesses from cyber attacks. The reason for that is in 1947, there is a law that says that the intelligence community cannot communicate or pass information to another entity that does not have clearances. So, basically what our bill does is to allow the sharing of information, which we can't do now, to the private sector. Now, why is this important? This is something that is very important because most people don't understand this. In the United States of America we have 10 companies, called the providers, that control 80 percent of our network--80 percent of our network. So in order for us to protect the United States of America from cyber attacks, we need to make sure that the government has a partnership with the private sector and that they can pass the threat information so that the government can help protect. As an example, if your house is being robbed, you call 911 and the police department comes. That's the same scenario that we're looking at here, only it's a lot more sophisticated. Again, as the chairman said, passing information, mostly zeroes and ones, to the government so that we can work together to protect our network. Now, why is this so important? And I think it's important that we get into some of the issues of threats. Just recently, we understand, and we know, that The Washington Post, The New York Times, The Wall Street Journal, were cyber-attacked. And basically, our understanding is that they did this, especially China, to intimidate the paper sources within China. We had our U.S. banks. It is very serious for U.S. banks to be attacked and hacked. Most of what our banks have are records and information. And to be able to shut down a bank or to be able to manipulate or get privacy information could be very destructive to our banks, and yet this is being done, and it's been done for a period of time. Media reports have said that Iran, a rogue country that we know exports terrorism--we know what Iran's beliefs are, and yet reports have said that Iran attacked Saudi Arabia's oil company, one of the largest in the world, Aramco, and wiped out 30,000 computers in a weekend. And let me say this: Iran is not a very sophisticated company as it comes to cyber, but they have the sophistication to be able to knock out 30,000 computers and really shut their businesses down for a period of time. This is what's happening in the United States. Cyber Command, whose job it is to protect our military networks, estimated that in the last couple of years that we have had, the United States of America has had $400 billion--not million, billion--worth of American trade secrets being stolen from U.S. companies every year, costing these companies market share and jobs. That's probably the biggest theft in the history of the world, and yet we still are not able to help government working with business. You have Secretary Napolitano, the Director of the FBI, you have the Director of the NSA, Alexander, and all three have said one of the biggest fears they have now are these attacks, and that unless we have a sharing opportunity between government and between business, they feel that they cannot protect our country from these cyber attacks the way that they should. It's so important that we need to act now on this bill. Now, we can pass bills in the House all day long, but if the Senate doesn't pass a bill and the President doesn't sign it, where are we? We were able to pass our bill last year in a bipartisan manner, and yet our bill went to the Senate and it stalled and the bill didn't go anywhere, so Chairman Rogers and I started again. But, what we said to each other and we discussed was that we need to address the issue of privacy. Even though we felt strongly that our bill does protect privacy, we knew there were groups out there, especially the privacy groups, that felt that there was not enough protection in our bill. So we rolled up our sleeves, we listened to the issues raised by the privacy groups, the administration had issues with respect to privacy, and we changed the bill. Now, I don't want to repeat what the chairman said, but basically we made some significant changes to our bill to deal with the issue of privacy. We provided that first, there's a privacy and civil liberties oversight board, and now that board must review our program. That's one area of oversight. In the intelligence community, we have privacy officers in each department, in each area. And these privacy people have to look at the threat information. They must also conduct a classified and unclassified review. That's the second oversight that was changed in the bill. {time} 1450 An annual report must be sent to Congress. We also have what we call the ``inspector general,'' whose job it is to oversee the different agencies they represent. Those are four areas of oversight just in the bill. Regarding the privacy agreements that we were concerned about, we only have five elements where this bill applies. That means if you're a tax cheat and we pick up some information, that can't be used against you. The privacy agreements were concerned about the issue of national security being one of those elements in this bill. They thought it was too broad. So Chairman Rogers and I got together, and we were able to get the votes from both sides of the aisle, and we were able to take a position that the national security issue is not in the bill anymore. We feel national security is being covered by one of the elements in the bill that says it deals with the issue of protecting people's lives or liberty. So we feel that we have covered national security. One of the most important issues was the issue of minimization. What is minimization? Most people don't know what it is. Basically, minimization is if private information is passed, there needs to be an entity out there that will take that private information out so that it is not used. We've now added to the bill that any of the zeroes and ones that are passed--and that's what's happening--if there was some reason why somebody's personal information is passed when those zeroes and ones are coming back and forth, now we have what we call 100 percent minimization, and the government will make sure that every single entity and all the information that is passed will be 100 percent minimized. If there is any personal information in there at all, it will be knocked out. That's very significant, and that gives a lot of coverage. This is also important: you don't have security if you don't have privacy. That was one of the themes Chairman Rogers and I used in the beginning: if you don't have security, you don't have privacy. Even though we thought our first bill had it, we felt there was a certain perception, we heard what was said and we made these changes. There is one other issue that is out there that's very important that I think is also extremely relevant. That's the issue of when the information is passed when we're attempting to protect our citizens and our businesses from these attacks and hopefully from a destructive attack like Iran did to Aramco in Saudi Arabia, there was a perception out there which, again, had to deal with perceptions. The perception was that if this information of zeroes and ones that are being passed back and forth, what is the point of entry. We did not want the perception to be that the military in any way would be in charge or would [[Page H2092]] be the entity that is overseeing this. We felt very strongly that it had to be civil. So Chairman Rogers and I, along with Chairman McCaul of the Homeland Security Committee and Ranking Member Thompson, have an amendment here today which is very significant. I'm sure it will be very well received by the privacy groups in the White House. What the bill will now say is that when information is passed, it will be the Department of Homeland Security. That is very significant, and we would hope that that would truly deal with the majority of these privacy issues. We know that we have to move and we have to move quickly. We're here today to debate this bill. And, again, Chairman Rogers--he's not listening, but I'll say it anyhow--has shown tremendous leadership. I say this and I say it sometimes in jest, that I was a former investigative prosecutor and he was a former FBI agent and all good FBI agents must listen to their prosecutors, even if we're in the minority. That was a joke. Not withstanding that, he has shown leadership. We threw partisanship out the window. We knew the stakes were high. We have been concerned that we have not been able to protect our country. I believe that Congress needs to act because we're standing in the way of protecting our country. This reminds me of a situation. We know how serious Hurricane Sandy was. It's similar to if you are a meteorologist and Sandy is coming up the east coast and you can't warn your constituents that Sandy is coming. That's why we need to pass this bill tomorrow, and we need to do it for the benefit of our country. And I do want to end with this: you do not have security if you don't have privacy. We feel that this bill, along with the amendments that will be introduced today, will effect that. With that, I reserve the balance of my time. Mr. ROGERS of Michigan. Madam Chair, I yield 3 minutes to a current military officer and great member of the Intelligence Committee, the gentleman from Nevada (Mr. Heck). Mr. HECK of Nevada. I want to begin by thanking both the chairman and the ranking member for their incredible leadership on this very difficult task. It was especially gratifying to work in such a bipartisan manner to come to the final product that we'll be voting on later tomorrow. Madam Chair, our Nation is under attack every day, every hour, every minute. Cyber attacks on our Nation's networks threaten our economic and national security. That is why I rise in support of H.R. 624, the Cyber Intelligence Sharing and Protection Act. Whether it is hacktivists attempting to disrupt services, criminals intent on stealing personal information, spies looking for intellectual property or trade secrets or nation-states searching for military and security vulnerabilities, our networks are at risk. Cyber looting puts U.S. businesses at a competitive disadvantage, threatening jobs and our private information. The same vulnerabilities used to steal intellectual and personality property are also exploited to target America's critical infrastructure, such as our electrical grids and our banking and financial institutions. These cyber weaknesses make the intelligence-sharing provisions within H.R. 624 vitally important. However, as we seek to secure and defend the U.S. economy and our country's critical infrastructure, we must be mindful of our Nation's founding principles. We must ensure that we protect our citizens' privacy and civil liberties. The House Permanent Select Committee on Intelligence has sought the input of and worked closely with privacy and civil liberties groups to strengthen the bill and provide necessary individual protections. These discussions resulted in a number of amendments that were adopted on a broad bipartisan basis during the committee markup. My amendment, offered with my colleague from Connecticut (Mr. Himes), specifically limits the private sector's use of cyber threat intelligence only to a cybersecurity purpose. This provision addresses the concerns and misperceptions that private sector companies could have used this information for marketing and other commercial purposes. Another amendment requires the establishment of minimization procedures to limit the receipt, retention, and use of personally identifiable information, or PII. In the unlikely event that PII is inadvertently shared, this provision will prevent the government from receiving and/or maintaining that information while still ensuring rapid transmission of critical cyber threat intelligence necessary to protect our systems. Yet another amendment narrows the authorized use of shared cyber threat intelligence by striking the provision providing the government broad authority to use this information for national security purposes. All of these bipartisan amendments will provide the private sector the necessary tools to protect its own networks while at the same time providing critical protections for privacy and civil liberties. This legislation represents an important first step toward securing our Nation's intellectual property and critical infrastructure from cyber attack, and I urge my colleagues to support its passage. Again, I thank the chairman and the ranking member for their leadership. Mr. RUPPERSBERGER. Madam Chair, I now yield 2 minutes to a senior member of our committee who worked very hard on this bill, the gentleman from California (Mr. Thompson). He's been with us for the last 3 years attempting to pass a bill that will help our country and protect us. Mr. THOMPSON of California. Madam Chair, I thank the gentleman for yielding, and I thank both the ranking member and the chairman for their good work on this measure and for including all of us in trying to build a better product. Clearly, the threat of a devastating cyber attack is real and, as has been mentioned by a number of previous speakers, can't be understated. Advanced cyber attacks from China and other nation-state actors are stealing hundreds of billions of dollars' worth of cutting-edge research and development from our U.S. companies and even from our Federal Government. That's why it's essential that the business community and the Federal Government work together to share cyber threat information for the purpose of protecting the American people from the fallout of cyber attacks and cyber hackers. While it's important that we protect against the threat of cybersecurity, it's equally as important that we recognize the responsibility to protect the constitutional rights of law-abiding citizens. Though I support H.R. 624, both for the fact that it is important that we address these issues and because I believe it needs to be moved on and we can get it in conference committee with the Senate bill, I remain somewhat concerned that the bill as drafted could lead to the broad sharing of consumer information which in turn could be used in ways unrelated to combating cybersecurity threats. {time} 1500 I emphasize ``could be used.'' Already the chair and the ranking member have accepted and we've incorporated a series of provisions in this bill that I authored that would minimize the sharing of some personally identifiable information, that would limit permissible uses of information which would be shared under this bill, and that would insist on a number of reporting requirements that will ensure Congress' ability to provide the necessary oversight of this program. The CHAIR. The time of the gentleman has expired. Mr. RUPPERSBERGER. I yield the gentleman an additional 30 seconds. Mr. THOMPSON of California. So, taken together, these provisions will improve the transparency and the accountability of this bill. However, notwithstanding these important changes, the bill is not perfect. Given the significance of this threat and the commitment of everyone to continue to work together, I strongly urge my colleagues to support this bill and to move it out of the House. Let's get the thing to conference. Let's get the best bill possible, get it signed into law, and work together to protect the American people. Mr. ROGERS of Michigan. Madam Chair, I am proud to yield 3 minutes to a leader on the Homeland Security [[Page H2093]] Committee and the chair of the House Admin Committee, the gentlelady from Michigan (Mrs. Miller). Mrs. MILLER of Michigan. I thank the gentleman for yielding me time. Madam Chair, let me just read for our colleagues the preamble of our Constitution: We the people of the United States, in order to form a more perfect Union, establish justice, insure domestic tranquility, provide for the common defence, promote the general welfare, and secure the blessings of liberty to ourselves and our posterity, do ordain and establish this Constitution for the United States of America. Madam Chair, this great statement that is the foundation for our Federal Government provides us the direction that we need to our primary responsibilities. I would suggest that this legislation helps us fulfill every one of the responsibilities mandated on us by our Constitution. Now let's just take them one by one. ``Establish justice''--it is just to protect American companies from the theft of their intellectual property by attackers and by competitors. ``Insure domestic tranquility''--can you even imagine the threat to domestic tranquility if our power grid is successfully attacked by a foreign state like North Korea and this Nation is left in the dark? ``Provide for the common defence''--what is more common than our power grid, our financial system and our economy? Are we not required to defend all of that? ``Promote the general welfare''--again, if our power grid is taken down, it is impossible to promote the general welfare. ``Secure the blessings of liberty to ourselves and to our posterity''--our intellectual property, made with American ingenuity, our life savings in banks, under threat from foreign actors, our jobs, our economy. All of these blessings of liberty are currently at risk if we do nothing. I've heard some suggest, Madam Chair, that they have constitutional concerns about passing this bill. I would just suggest to them that I believe strongly that you should have constitutional concerns about not passing this bill. I do not believe that our Constitution gives foreign state actors like China or Russia or North Korea or Iran uncontested access to the critical systems of private American companies. To the contrary, I believe that our Constitution requires us, the Federal Government, to defend them. I certainly want to applaud the great work that has been done by the chairman of the House Intelligence Committee, Mr. Rogers of Michigan, and certainly applaud our ranking member, Mr. Ruppersberger. Gentlemen, you have worked so closely together on your committee and with other committees as well on this great piece of legislation. I would urge all of my colleagues, Madam Chair, to join me in fulfilling our oath and in voting ``yes.'' Mr. RUPPERSBERGER. Madam Chairwoman, I yield 2 minutes to a great Member from the State of Illinois (Mr. Enyart). Mr. ENYART. Madam Chair, I rise today in support of this important legislation. The threat we face today from cyber attacks poses a clear and present danger that must be addressed. When I was sworn in to Congress to represent the people of southern Illinois, I took a vow to protect them from all enemies, both foreign and domestic. It was not the first time I had taken such an oath. By supporting CISPA, we move to fulfill our oath. I know there are good Americans who oppose this legislation because they believe the protections for civil liberties and privacy don't go far enough, but we must not let the perfect be the enemy of the good. This bill prohibits the government from forcing private sector entities to provide information to the government. It places restrictions on the use of any data voluntarily shared. The bill provides for strong congressional oversight. These are tremendous victories to protect our civil liberties. I support this bill because American jobs hang in the balance. Every day, our companies are subject to cyber attacks seeking to steal valuable trade secrets which deprive American citizens of high-paying high-tech jobs. Locally, my hometown grocery store in southern Illinois, Schnucks, was recently hacked, and customers' debit and credit card information was compromised, making many of my constituents vulnerable to theft. I cannot stand by and let an opportunity to prevent such actions pass me by, which is why I stand in support of this legislation. To protect the jobs of those who work to build planes at Boeing in Belleville or workers at Afton Chemical in Sauget, I must support this legislation. To ensure that those who make weapons to defend our country at General Dynamics in Marion, Illinois, don't lose their jobs because some Chinese hacker has stolen proprietary information, I must support this legislation. As the weapons of warfare change and adapt, we must make the necessary adjustments to protect our Nation while adhering to our founding principles. I urge my colleagues to join me in support of this act. The CHAIR. The gentleman from Maryland has 14\1/2\ minutes remaining, and the gentleman from Michigan has 5\1/2\ minutes remaining. Mr. ROGERS of Michigan. Madam Chair, I yield 2 minutes to a former military officer, the distinguished gentleman from Kansas (Mr. Pompeo). Mr. POMPEO. I want to thank Chairman Rogers and Ranking Member Ruppersberger for all of their hard work over many months, now years, in bringing this to where we are today, and I want to thank all of the committee staff who worked so hard to bring it to this point as well. I'd like to keep things pretty simple. If there were a sergeant from the Chinese People's Liberation Army inside one of our power plants or inside one of our banks and if they were trying to steal stuff and if they were looking around, trying to figure out how to get in and how to access our systems or to take property or to do damage to our power grid, the American people would demand that the government do whatever it could, and they would be thrilled to learn that that company was permitted and, indeed, protected if it decided to share with others that potential threat to its piece of the infrastructure. That's what we're doing today. The world has changed just a little bit. In just this last month, the last M-1 tank left Europe. It's the first time we haven't had a tank in Europe since D-day when the great Kansan invaded on the great quest to free us from Nazi totalitarian domination. There are no tanks. We fight in a different world today. We use the word ``cyber,'' and sometimes folks forget what we're really talking about. We're talking about nation-states trying to do terrible harm to American interests, to American property and, indeed, to American civil liberties. Now, in the last minute I have here, I want to talk about a couple of myths that have arisen about this piece of legislation. When I first learned about it, I, too, shared some of the concerns about what might be happening, about what might take place here. I offered an amendment last year, which is now incorporated into the bill, along with dozens of such amendments, to make sure belt-and-suspenders that we protected civil liberties. I've heard the myth propagated that this piece of legislation violates contract rights, that somehow through CISPA we're going to take away the ability of people to negotiate privately for contractual things that they want. I don't know how that could be. This bill is purely voluntary. It mandates that no one participate. It simply allows businesses to voluntarily participate and share information they have about attacks that have been foisted upon them. I've heard a second myth that this will authorize warrantless searches across the United States of America. The CHAIR. The time of the gentleman has expired. Mr. ROGERS of Michigan. I yield an additional 60 seconds to the gentleman. {time} 1510 Mr. POMPEO. There's talk about warrantless searches all across America. The legislation does no such thing. It's a short bill. It's 26 pages. I would urge everyone to go read it for themselves. It fairly clearly limits what government may do, what information government may receive. It limits what private companies can share with government and amongst themselves. It [[Page H2094]] limits what government can do with that information once it is received. It has greatly capped what is going on here. Its design is simple: it is to make sure that all of the information about direct attacks on America are widely known, easily disseminated, and available for all to help in the protection of the American state. I urge my colleagues to support this legislation. Mr. RUPPERSBERGER. Madam Chair, I yield 2 minutes to my good friend, the gentleman from Rhode Island (Mr. Langevin); and I do want to say that we've been working together for years on this issue of cybersecurity, and I consider him to be one of the experts and one of my closest friends working on this issue. (Mr. LANGEVIN asked and was given permission to revise and extend his remarks.) Mr. LANGEVIN. Madam Chair, I thank the gentleman for yielding. I rise in strong support of H.R. 624, and I do thank Chairman Rogers and Ranking Member Ruppersberger for their commitment to a bipartisan and inclusive process on a very, very challenging issue. We know with certainty that cybersecurity threats that we face are real, and they are increasing both in number and sophistication every day. Congress may not have acted last year, but those who would use cyberspace for nefarious purposes certainly did, and they continue to steal intellectual property, identities, funds from bank accounts, and sensitive security information. I know full well that this is not a perfect bill, such is the nature of the legislative process. But we need the authority that CISPA provides to allow the voluntary sharing of cybersecurity threat information. Improvements, I should point out, have been made over last year's bill. Several amendments have already been adopted to alleviate many privacy concerns, and more may be adopted before we are done. I welcome such progress. This bill is an important step, but information-sharing is only one portion of the broader cybersecurity debate. I have long maintained that we must also work to ensure the creation of minimum standards for critical infrastructure; the education of a strong and vibrant future cybersecurity workforce; and effective Federal and military cyber structure, including a Senate-confirmed cybersecurity director with real authority, including comprehensive budgetary authority; and the coordination of research and development on cybersecurity across the Nation. Together with the President's recent executive order, I believe CISPA and the bills this House approved yesterday are a very promising beginning, but there is obviously much more to be done. Again, I want to thank Chairman Rogers and Ranking Member Ruppersberger for their efforts. I commend them on a collaborative approach to a very important issue, and I ask my colleagues to support this important measure. Mr. ROGERS of Michigan. I don't have any further speakers, and so I will continue to reserve the balance of my time to close. Mr. RUPPERSBERGER. I yield 2 minutes to the gentlewoman from Illinois (Ms. Schakowsky), who is a senior member of our committee and has worked very hard on this issue. Ms. SCHAKOWSKY. Madam Chair, I sincerely want to thank the chair and ranking member of the Intelligence Committee and express my appreciation for all of their efforts to work in a bipartisan manner and to address the concerns raised by me, by civil liberties groups, and by the White House. However, I rise today in opposition to the bill. While I strongly believe that we need to address the serious cybersecurity threat--there is no question about that--I think we can do it without compromising our civil liberties. Despite some positive changes, I feel this bill fails to adequately safeguard the privacy of Americans. Cybersecurity and privacy are not mutually exclusive, and this bill fails to achieve a balance between protecting our networks and safeguarding our liberties. Yesterday, I offered an amendment that would have made critical advances toward protecting privacy. My amendment would have required that companies report cyber threat information directly to civilian agencies, maintaining the longstanding tradition that the military doesn't operate on U.S. soil or collect information of American citizens. Another important amendment offered by Congressman Schiff would have required companies to make ``reasonable efforts'' to remove personal information before sharing cyber threat information. Unfortunately, those critical amendments were not made in order. Yesterday, the Obama administration expressed ongoing concerns about this legislation, issuing a veto threat. I share the President's concern--despite positive changes, this bill falls short in several key ways. As written right now, and hopefully there still may be some changes, CISPA allows the military to directly collect personal information on American citizens. It fails to safeguard privacy of Americans and grants sweeping immunity to companies for decisions made based on cyber information, prohibiting consumers from holding companies accountable for reckless actions and negligence. The CHAIR. The time of the gentlewoman has expired. Mr. RUPPERSBERGER. I yield 30 seconds to the gentlewoman. Ms. SCHAKOWSKY. I do urge my colleagues to oppose this bill. We can and should do better, and I'm hopeful that we still will do better. Mr. ROGERS of Michigan. Madam Chair, I yield myself 30 seconds. I just want to make very, very clear--and I thank the gentlelady for working with us, she is a great member of the committee--nowhere in this bill does it allow the military to collect information on private citizens in the United States. This is not a surveillance bill. It does not allow it to happen. That needs to be very, very clear in this debate. It does not allow the military to surveil private networks in the United States. Period. End of story. That's the biggest part of our privacy protections. Again, I want to thank the gentlelady for working with us, but that's just an inaccurate statement, and I want to make that clear for the Record. I reserve the balance of my time. Mr. RUPPERSBERGER. Madam Chair, how much time do I have remaining? The CHAIR. The gentleman from Maryland has 10 minutes remaining. Mr. RUPPERSBERGER. Madam Chair, I yield 2 minutes to the gentlewoman from Texas (Ms. Jackson Lee), a very active member of our caucus. Ms. JACKSON LEE. I thank the distinguished ranking member and the chairman, as well, for working to answer an enormous concern on the question of national and domestic security. Since Robert Tappan Morris in 1988 released one of the first commuter worms, we realized, as the computer and the Internet now have grown, the proliferation of computer malware, or computer programs designed specifically to damage computers or their networks or to co-opt systems or steal data, has attracted public and media attention and that we needed to do something. Now more than ever, cybersecurity impacts every aspect of our lives. As a member of the Homeland Security Committee, I can assure you that my concern about the electric grid utilities, the energy and financial industries, recognize that it is important to act, and to act with speed and understanding. Likewise, I am concerned about the rage in epidemic of hackers and the impact that it has on 85 to 87 percent of the infrastructure in this Nation. For that reason, however, I believe that along with this effort, we should have a lead civilian agency to collect the data. I'm looking forward to the manager's amendment, which I hope will clarify that Homeland Security will be that. In addition, I have offered an amendment. My amendment ensures that if a cloud service provider identifies or detects an attempt by someone to access, to gain unauthorized access to nongovernmental information stored on the system, it would not be required or permitted to report that attempt to the government and it cannot share that information with the government. I thank the Rules Committee for allowing that amendment to be in. I do, however, want to raise the question on privacy. I believe that we could [[Page H2095]] fix this legislation with a small addition dealing with the privacy question as we hopefully address the question dealing with the lead civilian agency. I thank the chairman and the ranking member, and I look forward to further discussion on this legislation. Mr. ROGERS of Michigan. I continue to reserve the balance of my time. Mr. RUPPERSBERGER. Madam Chair, I yield 2 minutes to the gentleman from Colorado (Mr. Polis), a member of the Rules Committee. Mr. POLIS. I thank the gentleman. This bill, unfortunately, hurts what it purports to help. It's detrimental to job growth, innovation, and privacy. {time} 1520 We talked a bit about the process whereby a number of amendments that would have improved it were not allowed to be discussed or voted on on the floor. And there are still enormous flaws with this bill which need to be addressed. Look, to the extent that companies believe that information-sharing is important, it should be done in a way that's consistent with sanctity of contract. If there's something that gets in the way of information-sharing, we need to identify it. That hasn't been identified. Clearly, the answer is not to say whatever a company agrees upon with a personal user, even if explicitly it says we're going to keep your information private, the minute after that's agreed to by a user, the company would be completely indemnified by turning all this information, personal information, credit card information, address, everything, over to the government. Now, why not remove anything? Why not just pass along the parts that are related to cybersecurity? There's no incentive to do so. Had there been a requirement that reasonable efforts were taken to delete personal data, that would have been a step in the right direction. But, again, it's an extra cost with no benefit for the company to delete personal data because they're completely indemnified with regard to this matter without the consent of the user himself. What happens to this information once it reaches the government? It can be shared with any government agency. It can be shared with the Bureau of Alcohol, Tobacco and Firearms, the National Security Agency, the Food and Drug Administration. Again, the limitations are so open-ended that anything that relates even to a minor scratch or a cut, issues completely unrelated to cybersecurity, things that could be related to dog bites, essentially any information. Part of the problem here, there are cyber attacks everywhere. I ran an e-commerce site. Tens of thousand every day. I mean, any e-commerce company experiences this every day, so it's a reality every day. Everything is a potential cybersecurity threat. There's people cracking passwords every day. So all information is affected by this, under this bill, in its present form, turned over to the government, shared with every agency relating to any bodily injury or harm, and we haven't been offered an opportunity to amend that. So I encourage my colleagues to vote ``no'' on this bill. We can and we must do better for our country. Mr. RUPPERSBERGER. I yield 2 minutes to the gentlewoman from Alabama (Ms. Sewell). Is it ``Roll Tide''? She is an outstanding new member of the Intelligence Committee. She's smart. She works hard. She's very dynamic, and she is our closer today. Ms. SEWELL of Alabama. Madam Chair, today I rise to support the bill. I can say, Madam Chair, that I actually voted against the bill last term. But today I am proud to say, because of the hard work of both the chairman and the ranking member and so many members of this committee, that today I stand before you in support of the bill. I am now a new member of the Intelligence Committee and, as I've told my staff, the more you know, the better you can vote. And today, I want to rise to explain why I am voting for this bill. I think that everybody agrees that there are cyber threats each and every day. And, in fact, Director Clapper, the Director of National Intelligence, he actually said his number one thing that keeps him up at night is cyber attacks. And what this bill will do is simply to share information. It is not about releasing personal identifiable information. That is strictly prohibited by this bill. So it is strictly prohibited by this bill. And this bill has been greatly enhanced by so many of my wonderful colleagues who have submitted amendments, many of which I am sure will pass tomorrow, as well as greatly enhanced by the amendments that were brought forth by committee members. I shared some serious concerns about some privacy protections when I came on the committee, and I have to tell you that the committee was gracious enough to listen to the amendments that I offered, as well as other amendments that were offered by my colleagues on this side of the aisle. I was surprised, given the partisan nature of politics here in this House, that the Intelligence Committee really tries, because of our national security, to work together. And in a true bipartisan manner, many of those privacy protections were unanimously agreed to by members of the committee. Once again, I urge my colleagues to vote for this bill, and I urge the President to sign this bill into law. Today, I rise in support of this bill. But Madam Chair, last year, I voted against the cybersecurity bill that was offered in this body. I am now and am honored to serve as a member of the Intelligence Committee and the more you know, the better you can vote. I want to commend the Chairman and the Ranking Member for their leadership to improve this legislation. I also want to thank all of my colleagues who offered amendments to strengthen this bill by providing more privacy protections for our citizens and improving inter-agency coordination. While this is not a perfect bill, this is a step in the right direction and I am hopeful that the Senate will take up this measure and make it even stronger. It is also my hope that the White House will continue to work with us in this body's effort to be proactive instead of reactive. Madam Speaker, we simply cannot afford to wait--The threats against our national and economic security are real. Attacks against our financial, energy and communication sectors are happening every day. We have received dire warnings from our defense and intelligence officials that widespread attacks are the number one threat to our national security above all else. The Director of National Intelligence, James Clapper, has elevated cyber threats to the top of the list of national-security concerns. The National Intelligence Estimate provided evidence of widespread infiltrations of U.S. computer networks. Evidence has also emerged of spying inside the computer networks of major U.S. media, including the Wall Street Journal and New York Times. Defense and intelligence officials have grown increasingly alarmed over a relentless cyber attack campaign against U.S. banks, critical infrastructure and a host of other private entities. We must continue to work together to find a balance between preserving privacy and protecting the security of this country from the danger of cyber attacks. Sharing cyber threat information, as provided for in this bill, is vital for combatting malicious hackers, criminals, and foreign agents. By removing the legal and regulatory barriers currently impeding the free flow of actionable information, the Cyber Intelligence Sharing and Protection Act (CISPA) will promote nimble, adaptive innovation--the best strategy for defending against a rapidly evolving threat landscape. This growing number and complexity of cyber attacks on private and government computers has provided an opportunity for us to join together and pass bipartisan legislation to address the problem. I am committed to finding a workable solution with the Senate and White House, and I believe this bill provides a solid framework on a critical issue for national and economic security. I look forward to considering any amendments my colleagues put forth today to help improve the legislation of this bill. And though I realize this is not a perfect bill, I think the time to act is now to protect our national security. I urge members to vote for this legislation. Mr. RUPPERSBERGER. Madam Chair, I yield myself as much time as I may consume. First thing, we've heard testimony today about how serious the cyber attacks are to our country. We know what has occurred already. We know that our banks have been attacked, our major banks. We know that our newspapers, New York Times, Washington Post, have been attacked. We know that news reports have said that Iran attacked Aramco, Saudi Arabia's largest oil company. They took out 30,000 computers, which means we are subjected to those attacks also. We also know that Cyber Command has said that we, in the United States, [[Page H2096]] have lost, from the attacks on our businesses, approximately $200 billion. Just think what that equates to in jobs, stealing information about trade secrets, about competing globally with a country like China where they have all of our information, where they're able to shut down banks. This is a very serious issue, and we need to do a better job to educate the public on how serious it is. And we just hope that we can pass this bill today in the House, a bill in the Senate, and the President signs the bill, so that we can protect our citizens, we can protect our businesses from these attacks. If we knew that Iran was sending over an airplane with a bomb we would take it out. And yet we have to make sure that we deal with the issue in the United States of America to protect ourselves. Now, there was a major issue raised, and that issue was privacy. And believe me, I want to say this over and over again. You don't have security if you don't have privacy. And we feel very strongly that this bill provides privacy. But we also know, Chairman Rogers and I know, that if we pass a bill here, we need to pass a bill in the Senate, and we need the President to sign it. So we got together, and even though we passed our bill in a bipartisan effort last year and it stalled in the Senate, we now have made the bill what we feel is a lot stronger as it deals with the perception of privacy. And we've added oversight. We have four categories of oversight, privacy. We've made sure that minimization--taking out any privacy information that might pass--we made sure that that is 100 percent minimization so that no one's private information will pass. But the most important thing is that we have to make sure that we pass a bill because of the fact that 80 percent of our network is controlled by 10 companies in the United States of America. And all of our experts in this area have said that if government and business can't share information about these attacks, zeros and ones, if they can't share information, they cannot protect our country from these ongoing attacks that are occurring as we speak right now. So let's act. Let's not wait until we have another catastrophic attack like 9/11. Let's deal with this now. Let's pass the bill and make sure that we protect, again, our citizens. And I want to say it one more time. The issue that you can't have security if you don't have privacy. I do want to also say, I want to thank all those individuals in our government, in the private sector. The privacy groups have all come together. This has been a good debate. It's been a debate about issues that the public needed to know. And I also want to thank the chairman for his leadership, and the fact that he was willing, even though we had our bill passed a year ago, he was willing to deal with the issue of perception and to make sure we made privacy an element that we could deal with, and that we could change our bill to deal with certain perceptions. I feel that we've done that. I also want to thank Chairman McCaul from Homeland Security and Ranking Member Bennie Thompson from Homeland Security, who've worked with us to get an amendment that was very important, as you heard from Jan Schakowsky. That amendment basically says that the point of entry for any communication is on the civil side of our government, Homeland Security, and we hope to pass that amendment. And I feel very strongly that if we do that, we will have addressed the majority of the issues that are so important to this bill and to our security and to our privacy. I yield back the balance of my time. Mr. ROGERS of Michigan. Madam Chair, I yield myself the remaining time. I just want to quickly, Madam Chair, address some of the moving targets on the bill. When we move to change something in the bill, the 19 privacy amendments, people who still decide they don't like it for, again, whatever reason, move their challenges of why they don't like it. The newest, I think, straw man is that this somehow would violate contract law. Nothing in this bill allows you to avoid contract law. Nothing. {time} 1530 It's a red herring. It is not accurate. Nothing in this bill would allow this to happen. The fact that someone who was in the technical business would say this hurts job growth, that's interesting. The sheer number of companies who support this, from the Business Roundtable to the Financial Services Business Group to TechNet, who has companies like Intel Corporation, Symantec, Juniper, Oracle, EMC, social media, all stand up and say this is the right approach. It will allow us to protect our consumers of our product from foreign governments stealing their private information. We need to understand what this bill is and what it is not. It is not a surveillance bill. Nothing in here authorizes surveillance. We're going to have an amendment to clarify that, to say it in the law so people can regain that confidence. We argue, Read the bill. It's 27 pages. It is very clear. It is predominantly protections of your civil liberties, and it also allows companies to voluntarily share malicious source code--and that's source code that's committing a crime against their consumers and their company--with the Federal Government so they can go back overseas and find the Chinese or the Iranians or the Russians or the North Koreans who are perpetrating that crime. This bill is nothing more. It does do that. Thanks to the ranking member and all who have gotten to this point. I look forward, Madam Chair, to the debate on the amendments, and I yield back the balance of my time. Mr. CONYERS. Madam Chair, this week, the House of Representatives is scheduled to take up the Cyber Intelligence Sharing and Protection Act (CISPA). Among other things, the legislation would authorize open-ended sharing of threat information between certain private companies and the federal government, and grant those companies unlimited legal immunity. I--along with more than 30 civil liberties and privacy groups ranging from the ACLU to the Competitive Enterprise Institute--believe the bill is badly flawed, and will harm the privacy and civil liberties of our citizens. While the Intelligence Committee amended CISPA last week, purporting to address privacy-related issues, the changes do not ameliorate the core concerns I have with the bill. CISPA would create a ``Wild West'' of information-sharing, where any ``certified'' private-sector entity could share information with any federal government agency for various ill-defined purposes. By allowing for the direct sharing of information between the private sector and the National Security Agency, as well as other Defense Department agencies, the legislation hastily casts aside time-tested legal prohibitions against intelligence agencies and the military from operating on U.S. soil. The bill should be amended to prevent this direct sharing with non-civilian agencies. CISPA would also create duplicative information-sharing processes with no central oversight or accountability. Successive administrations have expended enormous resources building proper information-sharing programs at the Department of Homeland Security and the FBI; these efforts should be enhanced, not clouded by permitting the proliferation of redundant programs across the federal government. The legislation also removes current legal protections applicable to companies that facilitate and process our private communications and share them with the government and one another. Companies sharing information would be exempt from all privacy statutes and would be relieved of liability for recklessly sharing, or deciding not to share information. Without narrowly defining the information that may be shared, limiting to whom it may be shared and why, and preserving mechanisms to provide accountability for wrongdoing, the privacy of our citizens and confidence in the trustworthiness of our electronic communications networks would be weakened. For example, the bill would not prevent a company sharing cyber threat information from including data not necessary to understanding the threat, such as private emails between family members or personal information such as medical records, in a data dump to the government. The bill should narrowly define the categories of information that may be shared, such as malicious code or methods of defeating cybersecurity controls, and require that companies sharing the data take reasonable steps to remove information identifying individuals not involved in the threat. It is not enough to require government recipients of the data to remove the private information because it should never be sent to the government in the first place. The bill therefore should be amended to require that companies sharing cyber threat information make reasonable efforts to [[Page H2097]] remove such personally identifiable information from the data they share with other companies and the government. The bill's liability protection provisions are also unnecessarily broad and eliminate the ability of aggrieved citizens and companies to protect and secure their privacy, as well as their property and physical well-being. Regardless of whether a company acted recklessly or negligently, the bill would prevent civil or criminal actions for decisions made for cybersecurity purposes ``based on'' cyber threat information. In effect, the legislation removes critical incentives for industry to act reasonably concerning cyber threat information. Consider a situation in which a telecommunications company through its operations becomes aware of a cyber threat directed toward a utility but fails to notify the critical infrastructure company of the threat, denying the utility the opportunity to engage in defensive measures and resulting in a catastrophic event producing substantial property damage and loss of life. Under the legislation, the telecommunications company characterizing its decision not to notify as one made for a cybersecurity purpose would be able to avoid legal liability. The bill's exemption from liability should therefore be narrowed to exclude protection for such decisions. The cyber threats our nation faces are serious, and we need to take action. The president's recent executive order directing the enhanced sharing of cyber threat information by the government to industry is a significant step in the right direction. Legislation encouraging information-sharing by the private sector is also required, but it must be carefully crafted and limited to actual threats. The House version of CISPA is not the right solution to this real problem, and it must be fixed before it reaches the president's desk. The CHAIR. All time for general debate has expired. Pursuant to the rule, the bill shall be considered for amendment under the 5-minute rule. In lieu of the amendment in the nature of a substitute recommended by the Permanent Select Committee on Intelligence, printed in the bill, it shall be in order to consider as an original bill for the purpose of amendment under the 5-minute rule an amendment in the nature of a substitute consisting of the text of Rules Committee Print 113-7. That amendment in the nature of a substitute shall be considered as read. The text of the amendment in the nature of a substitute is as follows: Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, H.R. 624 SECTION 1. SHORT TITLE. This Act may be cited as the ``Cyber Intelligence Sharing and Protection Act''. SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING. (a) In General.--Title XI of the National Security Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding at the end the following new section: ``cyber threat intelligence and information sharing ``Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector and Utilities.-- ``(1) In general.--The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities and to encourage the sharing of such intelligence. ``(2) Sharing and use of classified intelligence.--The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be-- ``(A) shared by an element of the intelligence community with-- ``(i) a certified entity; or ``(ii) a person with an appropriate security clearance to receive such cyber threat intelligence; ``(B) shared consistent with the need to protect the national security of the United States; and ``(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure. ``(3) Security clearance approvals.--The Director of National Intelligence shall issue guidelines providing that the head of an element of the intelligence community may, as the head of such element considers necessary to carry out this subsection-- ``(A) grant a security clearance on a temporary or permanent basis to an employee or officer of a certified entity; ``(B) grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities; and ``(C) expedite the security clearance process for a person or entity as the head of such element considers necessary, consistent with the need to protect the national security of the United States. ``(4) No right or benefit.--The provision of information to a private-sector entity or a utility under this subsection shall not create a right or benefit to similar information by such entity or such utility or any other private-sector entity or utility. ``(5) Restriction on disclosure of cyber threat intelligence.--Notwithstanding any other provision of law, a certified entity receiving cyber threat intelligence pursuant to this subsection shall not further disclose such cyber threat intelligence to another entity, other than to a certified entity or other appropriate agency or department of the Federal Government authorized to receive such cyber threat intelligence. ``(b) Use of Cybersecurity Systems and Sharing of Cyber Threat Information.-- ``(1) In general.-- ``(A) Cybersecurity providers.--Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes-- ``(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and ``(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government. ``(B) Self-protected entities.--Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes-- ``(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and ``(ii) share such cyber threat information with any other entity, including the Federal Government. ``(2) Sharing with the federal government.-- ``(A) Information shared with the national cybersecurity and communications integration center of the department of homeland security.--Subject to the use and protection of information requirements under paragraph (3), the head of a department or agency of the Federal Government receiving cyber threat information in accordance with paragraph (1) shall provide such cyber threat information in as close to real time as possible to the National Cybersecurity and Communications Integration Center of the Department of Homeland Security. ``(B) Request to share with another department or agency of the federal government.--An entity sharing cyber threat information that is provided to the National Cybersecurity and Communications Integration Center of the Department of Homeland Security under subparagraph (A) or paragraph (1) may request the head of such Center to, and the head of such Center may, provide such information in as close to real time as possible to another department or agency of the Federal Government. ``(3) Use and protection of information.--Cyber threat information shared in accordance with paragraph (1)-- ``(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information and excluding limiting a department or agency of the Federal Government from sharing such information with another department or agency of the Federal Government in accordance with this section; ``(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; ``(C) may only be used by a non-Federal recipient of such information for a cybersecurity purpose; ``(D) if shared with the Federal Government-- ``(i) shall be exempt from disclosure under section 552 of title 5, United States Code (commonly known as the `Freedom of Information Act'); ``(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; ``(iii) shall not be used by the Federal Government for regulatory purposes; ``(iv) shall not be provided by the department or agency of the Federal Government receiving such cyber threat information to another department or agency of the Federal Government under paragraph (2)(A) if-- ``(I) the entity providing such information determines that the provision of such information will undermine the purpose for which such information is shared; or ``(II) unless otherwise directed by the President, the head of the department or agency of the Federal Government receiving such cyber threat information determines that the provision of such information will undermine the purpose for which such information is shared; and ``(v) shall be handled by the Federal Government consistent with the need to protect sources and methods and the national security of the United States; and ``(E) shall be exempt from disclosure under a State, local, or tribal law or regulation that requires public disclosure of information by a public or quasi-public entity. ``(4) Exemption from liability.-- ``(A) Exemption.--No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith-- ``(i) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or ``(ii) for decisions made for cybersecurity purposes and based on cyber threat information [[Page H2098]] identified, obtained, or shared under this section. ``(B) Lack of good faith.--For purposes of the exemption from liability under subparagraph (A), a lack of good faith includes any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility. ``(5) Relationship to other laws requiring the disclosure of information.--The submission of information under this subsection to the Federal Government shall not satisfy or affect-- ``(A) any requirement under any other provision of law for a person or entity to provide information to the Federal Government; or ``(B) the applicability of other provisions of law, including section 552 of title 5, United States Code (commonly known as the `Freedom of Information Act'), with respect to information required to be provided to the Federal Government under such other provision of law. ``(6) Rule of construction.--Nothing in this subsection shall be construed to provide new authority to-- ``(A) a cybersecurity provider to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes; or ``(B) a self-protected entity to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by such self-protected entity. ``(c) Federal Government Use of Information.-- ``(1) Limitation.--The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)-- ``(A) for cybersecurity purposes; ``(B) for the investigation and prosecution of cybersecurity crimes; ``(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or ``(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code. ``(2) Affirmative search restriction.--The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1). ``(3) Anti-tasking restriction.--Nothing in this section shall be construed to permit the Federal Government to-- ``(A) require a private-sector entity or utility to share information with the Federal Government; or ``(B) condition the sharing of cyber threat intelligence with a private-sector entity or utility on the provision of cyber threat information to the Federal Government. ``(4) Protection of sensitive personal documents.--The Federal Government may not use the following information, containing information that identifies a person, shared with the Federal Government in accordance with subsection (b) unless such information is used in accordance with the policies and procedures established under paragraph (7): ``(A) Library circulation records. ``(B) Library patron lists. ``(C) Book sales records. ``(D) Book customer lists. ``(E) Firearms sales records. ``(F) Tax return records. ``(G) Educational records. ``(H) Medical records. ``(5) Notification of non-cyber threat information.--If a department or agency of the Federal Government receiving information pursuant to subsection (b)(1) determines that such information is not cyber threat information, such department or agency shall notify the entity or provider sharing such information pursuant to subsection (b)(1). ``(6) Retention and use of cyber threat information.--No department or agency of the Federal Government shall retain or use information shared pursuant to subsection (b)(1) for any use other than a use permitted under subsection (c)(1). ``(7) Privacy and civil liberties.-- ``(A) Policies and procedures.--The Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with subsection (b)(1). Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner-- ``(i) minimize the impact on privacy and civil liberties; ``(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner; ``(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition; ``(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and ``(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat. ``(B) Submission to congress.--The Director of National Intelligence shall, consistent with the need to protect sources and methods, submit to Congress the policies and procedures required under subparagraph (A) and any updates to such policies and procedures. ``(C) Implementation.--The head of each department or agency of the Federal Government receiving cyber threat information shared with the Federal Government under subsection (b)(1) shall-- ``(i) implement the policies and procedures established under subparagraph (A); and ``(ii) promptly notify the Director of National Intelligence, the Attorney General, and the congressional intelligence committees of any significant violations of such policies and procedures. ``(D) Oversight.--The Director of National Intelligence, in consultation with the Attorney General, the Secretary of Homeland Security, and the Secretary of Defense, shall establish a program to monitor and oversee compliance with the policies and procedures established under subparagraph (A). ``(d) Federal Government Liability for Violations of Restrictions on the Disclosure, Use, and Protection of Voluntarily Shared Information.-- ``(1) In general.--If a department or agency of the Federal Government intentionally or willfully violates subsection (b)(3)(D) or subsection (c) with respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of-- ``(A) the actual damages sustained by the person as a result of the violation or $1,000, whichever is greater; and ``(B) the costs of the action together with reasonable attorney fees as determined by the court. ``(2) Venue.--An action to enforce liability created under this subsection may be brought in the district court of the United States in-- ``(A) the district in which the complainant resides; ``(B) the district in which the principal place of business of the complainant is located; ``(C) the district in which the department or agency of the Federal Government that disclosed the information is located; or ``(D) the District of Columbia. ``(3) Statute of limitations.--No action shall lie under this subsection unless such action is commenced not later than two years after the date of the violation of subsection (b)(3)(D) or subsection (c) that is the basis for the action. ``(4) Exclusive cause of action.--A cause of action under this subsection shall be the exclusive means available to a complainant seeking a remedy for a violation of subsection (b)(3)(D) or subsection (c). ``(e) Reports on Information Sharing.-- ``(1) Inspector general report.--The Inspector General of the Intelligence Community, in consultation with the Inspector General of the Department of Justice, the Inspector General of the Department of Defense, and the Privacy and Civil Liberties Oversight Board, shall annually submit to the congressional intelligence committees a report containing a review of the use of information shared with the Federal Government under this section, including-- ``(A) a review of the use by the Federal Government of such information for a purpose other than a cybersecurity purpose; ``(B) a review of the type of information shared with the Federal Government under this section; ``(C) a review of the actions taken by the Federal Government based on such information; ``(D) appropriate metrics to determine the impact of the sharing of such information with the Federal Government on privacy and civil liberties, if any; ``(E) a list of the departments or agencies receiving such information; ``(F) a review of the sharing of such information within the Federal Government to identify inappropriate stovepiping of shared information; and ``(G) any recommendations of the Inspector General for improvements or modifications to the authorities under this section. ``(2) Privacy and civil liberties officers report.--The Civil Liberties Protection Officer of the Office of the Director of National Intelligence and the Chief Privacy and Civil Liberties Officer of the Department of Justice, in consultation with the Privacy and Civil Liberties Oversight Board, the Inspector General of the Intelligence Community, and the senior privacy and civil liberties officer of each department or agency of the Federal Government that receives cyber threat information shared with the Federal Government under this section, shall annually and jointly submit to Congress a report assessing the privacy and civil liberties impact of the activities conducted by the Federal Government under this section. Such report shall include any recommendations the Civil Liberties Protection Officer and Chief Privacy and Civil Liberties Officer consider appropriate to minimize or mitigate the privacy and civil liberties impact of the sharing of cyber threat information under this section. ``(3) Form.--Each report required under paragraph (1) or (2) shall be submitted in unclassified form, but may include a classified annex. ``(f) Federal Preemption.--This section supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under subsection (b). ``(g) Savings Clauses.-- [[Page H2099]] ``(1) Existing authorities.--Nothing in this section shall be construed to limit any other authority to use a cybersecurity system or to identify, obtain, or share cyber threat intelligence or cyber threat information. ``(2) Limitation on military and intelligence community involvement in private and public sector cybersecurity efforts.--Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, the Department of Defense or the National Security Agency or any other element of the intelligence community to control, modify, require, or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government. ``(3) Information sharing relationships.--Nothing in this section shall be construed to-- ``(A) limit or modify an existing information sharing relationship; ``(B) prohibit a new information sharing relationship; ``(C) require a new information sharing relationship between the Federal Government and a private-sector entity or utility; ``(D) modify the authority of a department or agency of the Federal Government to protect sources and methods and the national security of the United States; or ``(E) preclude the Federal Government from requiring an entity to report significant cyber incidents if authorized or required to do so under another provision of law. ``(4) Limitation on federal government use of cybersecurity systems.--Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, any entity to use a cybersecurity system owned or controlled by the Federal Government on a private-sector system or network to protect such private-sector system or network. ``(5) No liability for non-participation.--Nothing in this section shall be construed to subject a protected entity, self-protected entity, cyber security provider, or an officer, employee, or agent of a protected entity, self- protected entity, or cybersecurity provider, to liability for choosing not to engage in the voluntary activities authorized under this section. ``(6) Use and retention of information.--Nothing in this section shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal Government to retain or use information shared pursuant to subsection (b)(1) for any use other than a use permitted under subsection (c)(1). ``(h) Definitions.--In this section: ``(1) Availability.--The term `availability' means ensuring timely and reliable access to and use of information. ``(2) Certified entity.--The term `certified entity' means a protected entity, self-protected entity, or cybersecurity provider that-- ``(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and ``(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence. ``(3) Confidentiality.--The term `confidentiality' means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. ``(4) Cyber threat information.-- ``(A) In general.--The term `cyber threat information' means information directly pertaining to-- ``(i) a vulnerability of a system or network of a government or private entity or utility; ``(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network; ``(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or ``(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility. ``(B) Exclusion.--Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity or utility that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access. ``(5) Cyber threat intelligence.-- ``(A) In general.--The term `cyber threat intelligence' means intelligence in the possession of an element of the intelligence community directly pertaining to-- ``(i) a vulnerability of a system or network of a government or private entity or utility; ``(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network; ``(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or ``(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility. ``(B) Exclusion.--Such term does not include intelligence pertaining to efforts to gain unauthorized access to a system or network of a government or private entity or utility that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access. ``(6) Cybersecurity crime.--The term `cybersecurity crime' means-- ``(A) a crime under a Federal or State law that involves-- ``(i) efforts to deny access to or degrade, disrupt, or destroy a system or network; ``(ii) efforts to gain unauthorized access to a system or network; or ``(iii) efforts to exfiltrate information from a system or network without authorization; or ``(B) the violation of a provision of Federal law relating to computer crimes, including a violation of any provision of title 18, United States Code, created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474). ``(7) Cybersecurity provider.--The term `cybersecurity provider' means a non-Federal entity that provides goods or services intended to be used for cybersecurity purposes. ``(8) Cybersecurity purpose.-- ``(A) In general.--The term `cybersecurity purpose' means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from-- ``(i) a vulnerability of a system or network; ``(ii) a threat to the integrity, confidentiality, or availability of a system or network or any information stored on, processed on, or transiting such a system or network; ``(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network; or ``(iv) efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network. ``(B) Exclusion.--Such term does not include the purpose of protecting a system or network from efforts to gain unauthorized access to such system or network that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access. ``(9) Cybersecurity system.-- ``(A) In general.--The term `cybersecurity system' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from-- ``(i) a vulnerability of a system or network; ``(ii) a threat to the integrity, confidentiality, or availability of a system or network or any information stored on, processed on, or transiting such a system or network; ``(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network; or ``(iv) efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network. ``(B) Exclusion.--Such term does not include a system designed or employed to protect a system or network from efforts to gain unauthorized access to such system or network that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access. ``(10) Integrity.--The term `integrity' means guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. ``(11) Protected entity.--The term `protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes. ``(12) Self-protected entity.--The term `self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself. ``(13) Utility.--The term `utility' means an entity providing essential services (other than law enforcement or regulatory services), including electricity, natural gas, propane, telecommunications, transportation, water, or wastewater services.''. (b) Procedures and Guidelines.--The Director of National Intelligence shall-- (1) not later than 60 days after the date of the enactment of this Act, establish procedures under paragraph (1) of section 1104(a) of the National Security Act of 1947, as added by subsection (a) of this section, and issue guidelines under paragraph (3) of such section 1104(a); (2) in establishing such procedures and issuing such guidelines, consult with the Secretary of Homeland Security to ensure that such procedures and such guidelines permit the owners and operators of critical infrastructure to receive all appropriate cyber threat intelligence (as defined in section 1104(h)(5) of such Act, as added by subsection (a)) in the possession of the Federal Government; and (3) following the establishment of such procedures and the issuance of such guidelines, expeditiously distribute such procedures and such guidelines to appropriate departments and agencies of the Federal Government, private-sector entities, and utilities (as defined in section 1104(h)(13) of such Act, as added by subsection (a)). (c) Privacy and Civil Liberties Policies and Procedures.-- Not later than 60 days after the date of the enactment of this Act, the Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish the policies and procedures required under section 1104(c)(7)(A) of the National Security Act of 1947, as added by subsection (a) of this section. (d) Initial Reports.--The first reports required to be submitted under paragraphs (1) and (2) of subsection (e) of section 1104 of the National Security Act of 1947, as added by subsection (a) of this section, shall be submitted not later than 1 year after the date of the enactment of this Act. (e) Table of Contents Amendment.--The table of contents in the first section of the National Security Act of 1947 is amended by adding at the end the following new item: [[Page H2100]] ``Sec. 1104. Cyber threat intelligence and information sharing.''. SEC. 3. SUNSET. Effective on the date that is 5 years after the date of the enactment of this Act-- (1) section 1104 of the National Security Act of 1947, as added by section 2(a) of this Act, is repealed; and (2) the table of contents in the first section of the National Security Act of 1947, as amended by section 2(d) of this Act, is amended by striking the item relating to section 1104, as added by such section 2(d). The CHAIR. No amendment to that amendment in the nature of a substitute shall be in order except those printed in House Report 113- 41. Each such amendment may be offered only in the order printed in the report, by a Member designated in the report, shall be considered as read, shall be debatable for the time specified in the report equally divided and controlled by the proponent and an opponent, shall not be subject to amendment, and shall not be subject to a demand for division of the question. Amendment No. 1 Offered by Mr. Rogers of Michigan The CHAIR. It is now in order to consider amendment No. 1 printed in House Report 113-41. Mr. ROGERS of Michigan. Madam Chair, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Page 12, beginning line 15, strike ``unless such information is used in accordance with the policies and procedures established under paragraph (7)''. The CHAIR. Pursuant to House Resolution 164, the gentleman from Michigan (Mr. Rogers) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Michigan. Mr. ROGERS of Michigan. I offer this amendment to ensure that library records, firearm sales records, medical records, and tax returns are not included in any information voluntarily shared with the government under CISPA. Though the underlying bill would not permit this information unless it was cyber threat information, I will support this amendment, as it is a clarification amendment that settles some Members' concerns and reflects an amendment that was passed last year overwhelmingly. With that, Madam Chair, I urge this body's support of this clarification amendment, and I reserve the balance of my time. Mr. RUPPERSBERGER. Madam Chair, I rise to claim the time in opposition, even though I am not opposed. The CHAIR. Without objection, the gentleman from Maryland is recognized for 5 minutes. There was no objection. Mr. RUPPERSBERGER. I support Chairman Rogers' amendment to make a technical change to correct our personal records provision and retain the privacy protections that we had in our bill upon the introduction. I yield back the balance of my time. Mr. ROGERS of Michigan. I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Michigan (Mr. Rogers). The question was taken; and the Chair announced that the ayes appeared to have it. Mr. ROGERS of Michigan. Madam Chair, I demand a recorded vote. The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on the amendment offered by the gentleman from Michigan will be postponed. Amendment No. 2 Offered by Mr. Connolly The CHAIR. It is now in order to consider amendment No. 2 printed in House Report 113-41. Mr. CONNOLLY. Madam Chairwoman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Page 2, line 15, strike ``and''. Page 2, line 18, strike the period and insert ``; and''. Page 2, after line 18, insert the following: ``(D) used, retained, or further disclosed by a certified entity for cybersecurity purposes.''. The CHAIR. Pursuant to House Resolution 164, the gentleman from Virginia (Mr. Connolly) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Virginia. Mr. CONNOLLY. Madam Chairwoman, this amendment represents a commonsense improvement to H.R. 624, which I support, that simply narrows the scope of the authorization for the intelligence community to share classified--I stress, classified--cyber threat intelligence with private sector entities and utilities. As my colleagues are aware, the administration and some leading voices from the civil liberties and privacy rights communities have raised serious concerns with CISPA as reported out of the Permanent Select Committee on Intelligence. These concerns revolve around the fact that many provisions of CISPA are perhaps perceived as overly vague, or outright silent, with respect to limiting the scope of information sharing and mitigating the risk of unintended consequences. For example, section 2 of CISPA, titled ``Cyber Threat Intelligence and Information Sharing,'' is silent on what specific purposes classified cyber threat intelligence may be used, retained, or further disclosed by a certified entity. As reported, section 2 only requires that the DNI's procedures governing the sharing of classified cyber threat intelligence between the intelligence community and private sector entities be ``consistent with the need to protect the national security of the United States'' and used by certified entities ``in a manner which protects cyber threat intelligence from unauthorized disclosure.'' In this particular instance, I believe the concerns raised over the potential unintentional consequences from vagueness are real, valid, and ought to be addressed. I also believe it's a false choice that we must somehow choose between effective cybersecurity initiatives on the one hand and preserving the sacred civil liberties and privacy rights we hold so dear as a Nation on the other. In many cases, defining or limiting the scope of authority would go a long way toward addressing the privacy concerns that have been raised with respect to this legislation. To be clear, I want to recognize that the sponsors of CISPA have already engaged in good faith efforts to incorporate and address outstanding concerns with respect to the legislation that were held by the administration and other stakeholders, and I think that needs to be recognized. On that note, I am pleased that my amendment that was made in order represents a straightforward improvement, I hope, to CISPA that's consistent with the sponsor's stated commitment to enhancing cybersecurity, safeguarding privacy rights and civil liberties, and ensuring oversight of activity. The amendment simply establishes that, with respect to CISPA's requirements, the DNI establish procedures to govern the sharing of classified cyber threat intelligence--that this classified cyber threat intelligence may only be used, retained, or further disclosed by a certified entity for cybersecurity purposes. As noted by the ACLU in its statement of support for the amendment, it's consistent with similar restrictions limiting the scope of other information sharing activities addressed in other parts of the bill. The straightforward enhancement will be one of many needed improvements to the bill that will ensure it is a targeted, well-defined bill that directly--and only--strengthens our national cybersecurity. With that, I reserve the balance of my time. Mr. ROGERS of Michigan. Madam Chair, while I do not oppose the amendment, I ask unanimous consent to claim the time in opposition. The CHAIR. Without objection, the gentleman is recognized for 5 minutes. Mr. ROGERS of Michigan. Madam Chair, I do not oppose this amendment, which clarifies that classified intelligence shared by the government with a certified cybersecurity entity may only be used, retained, or further disclosed for cybersecurity purposes. The amendment is consistent with language that is already in the bill requiring the DNI, the Director of National Intelligence, to ensure that such classified information is carefully protected. I appreciate the gentleman's working with us and the ACLU to find an amendment that we could all agree on. I do not oppose this further clarification and would urge support by this body of the amendment. I reserve the balance of my time. [[Page H2101]] Mr. CONNOLLY. I would inquire of the Chair how much time is remaining. The CHAIR. The gentleman from Virginia has 2 minutes remaining. Mr. CONNOLLY. Madam Chairwoman, I yield 1 minute to the distinguished ranking member of the committee, the gentleman from Maryland (Mr. Ruppersberger). {time} 1540 Mr. RUPPERSBERGER. I thank the gentleman for yielding. This amendment increases the privacy and civil liberties protections in our bill; therefore, I urge a ``yes'' on Congressman Connolly's amendment. Mr. ROGERS of Michigan. I continue to reserve the balance of my time. Mr. CONNOLLY. Madam Chairwoman, I yield 1 minute to my distinguished colleague and our friend from Georgia (Mr. Johnson). Mr. JOHNSON of Georgia. Madam Chair, I rise in support of this amendment. I would also argue that, in addition to it being vague, it's also overbroad in that it includes investigations for child pornography and child abductions and computer crimes. This means that under CISPA, the NSA could share data with law enforcement to investigate computer crimes, which is so broad and includes even lying about your age on your Facebook page. Are these really cyber threats that this bill claims to fix? We must defend against cyber attacks while protecting the liberties and privacy of Americans. Mr. ROGERS of Michigan. Madam Chair, I yield myself such time as I may consume to clarify that this doesn't call for investigations of those crimes based on this material, but only protection of the individuals that may--and I want to stress ``may,'' because, again, the PII, the personal identifying information, is stripped clean. But in some rare, rare cases, you might find that you have located the child who has been subjugated to child pornography. In those cases, you don't want to throw that away. There are parents out there begging for us to find this child. It's very rare, it's exceptional, doesn't happen often, but in that very rare case--and, remember, there's no personally identifiable information. It would allow for the protection, not investigation. I reserve the balance of my time. Mr. CONNOLLY. Madam Chairwoman, I just want to thank the distinguished chairman and the distinguished ranking member of the committee for their leadership and for their cooperation, and I yield back the balance of my time. Mr. ROGERS of Michigan. Madam Chair, I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Virginia (Mr. Connolly). The question was taken; and the Chair announced that the ayes appeared to have it. Mr. ROGERS of Michigan. Madam Chair, I demand a recorded vote. The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on the amendment offered by the gentleman from Virginia will be postponed. Amendment No. 3 Offered by Mr. Schneider The CHAIR. It is now in order to consider amendment No. 3 printed in House Report 113-41. Mr. SCHNEIDER. Madam Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Page 3, beginning on line 2, strike ``employee or officer'' and insert ``employee, independent contractor, or officer''. The CHAIR. Pursuant to House Resolution 164, the gentleman from Illinois (Mr. Schneider) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Illinois. Mr. SCHNEIDER. Every day, U.S. Web sites, databases, and operating networks are threatened by foreign governments, criminal organizations, and other groups trying to hack into our systems and wreak havoc. Daily we read about infiltrations of the networks of our banks, newspapers, and even Federal agencies putting sensitive information at risk. These cyber attacks are real, and they can have devastating consequences: billions of dollars a year in stolen intellectual property and the potential to shut down our power grids and financial systems. The Cyber Intelligence Sharing and Protection Act gives the private sector the necessary tools to protect itself and its customers against these cyber attacks. Currently, the intelligence community has the ability to detect cyber threats, but Federal law prohibits the sharing of this information with the very companies whose firewalls are under attack. By sharing this information, private companies can actually prevent these attacks. The amendment I'm offering makes a small, clarifying change to the underlying bill, simply allowing independent contractors to be eligible for security clearances to perform the critical work of handling cyber threat intelligence. This clarification will allow companies--in particular, small and medium-sized businesses without the resources to employ full-time experts--to hire the most capable individuals and organizations to analyze network information, coordinate with the Federal Government, and protect ordinary Americans. We cannot allow ourselves to be in a situation where the Federal Government has available the information to prevent or mitigate a cyber attack, but companies remain defenseless because there was no legal framework to share that critical information. The networks at risk power our homes, our small businesses, and are what allow our banking systems to function. They facilitate nearly every aspect of our daily lives. These networks must be protected as best and responsibly as possible. I urge my colleagues to support both my amendment and final passage of this critically important bill. I reserve the balance of my time. Mr. ROGERS of Michigan. Madam Chairman, while I do not oppose the amendment, I ask unanimous consent to control the time in opposition. The CHAIR. Without objection, the gentleman is recognized for 5 minutes. There was no objection. Mr. ROGERS of Michigan. Madam Chairman, I will support the clarification in this amendment. The amendment clarifies that independent contractors are eligible to receive security clearances to handle cyber threat intelligence and cyber threat information shared under the bill, an important clarification amendment. I appreciate the gentleman's work and effort in offering this amendment; And because the bill was not intended to exclude independent contractors, I will support this important clarification and would reserve the balance of my time. Mr. SCHNEIDER. I yield such time as he may consume to the gentleman from California (Mr. Schiff). Mr. SCHIFF. I thank the gentleman for yielding, and I rise in opposition to the overall measure. There are three concerns that have been raised by the administration about this bill that I share. The first is that it does not include a provision requiring the private sector to make reasonable efforts to remove personal information before they share it with each other or before they share it with the government. This is a bedrock necessity for those who are concerned about the privacy of Americans who may be implicated in this cyber sharing. Second, it's very important that a civilian agency, like the Department of Homeland Security, be the main intake--really, the sole intake--for this domestic data. There was one form of amendment offered in Rules to try to address this problem yesterday, yet another form of that amendment that was ultimately adopted by Rules, and yet a third form of that amendment that was adopted here this morning. None of us know exactly what it does because it has been a moving object. But it is very unclear whether this amendment would make a civilian agency, such as DHS, the sole intake for this domestic data. It should not be a military agency. We shouldn't have the private sector interacting directly with a military agency when it comes to domestic data that may involve the privacy of the American people. Finally, the immunity provisions are very broad and need to be reined in so as to encourage the private sector to take reasonable steps to make sure it [[Page H2102]] does not compromise privacy interests when it is not necessary to do so to protect cybersecurity. Those three issues still must be addressed. I want to compliment the chairman and the ranking member for the work they have done. They have made a very good-faith effort to make progress on many of these issues and in fact have made progress, but the bill still falls short and I must urge a ``no'' vote. Mr. SCHNEIDER. Madam Chairman, may I inquire as to how much time I have remaining. The CHAIR. The gentleman from Illinois has 2 minutes remaining. Mr. SCHNEIDER. I yield such time as he may consume to the ranking member. Mr. RUPPERSBERGER. Madam Chair, our bill now enables companies and the government to have the option to hire independent contractors to handle cyber threat information. It helps bring talented people into our cybersecurity workforce; it provides jobs; it is good for our economy; and it is good for our national security. Therefore, I urge a ``yes'' vote on this amendment. I also want to acknowledge Congressman Schneider for his involvement in this issue. Mr. SCHNEIDER. I reserve the balance of my time. Mr. ROGERS of Michigan. I yield myself such time as I may consume. I just want to address my friend from California, who is a thoughtful member of the intelligence community. This is a position that much has been debated about: Should the government regulate into the private sector their use of the Internet? I argue that is a dangerous place to go. They will have to promulgate rules; they will have to set what reasonable standards are; they will have to determine what the private sector does on the Internet. That's government in the Internet. One of the things that we decided to avoid in this bill was not to make that mandate, the burden to make sure that no PII, personal identifying information, is mandated in this bill; and it's stripped out at the place where the burden should be: on the government. To make sure it happens, we have four different layers of oversight built in just to make sure what we say that they're supposed to do according to the law, they follow the law--four levels of review. {time} 1550 We shouldn't put the burden on the victims. We don't do it if somebody sticks a gun in your face on the street or robs the bank or robs your home. What's the difference if they're robbing your Internet or stealing your blueprints that steals American jobs? The difference? There is none. Theft is theft. Let us not move to get the government into regulating. Aspects of the Internet between private to private has been the explosion of growth in one-sixth of our economy. Keep the government out of it. That's what we decided to do. We came to a very sensible place that protects that PII, that personal identifying information, and allows the government to stay out of regulating the Internet. I think that's the right prudent course. I think most Americans are with us. Certainly the broad specter of industries who have joined this, from the high-tech industry to the financial services to manufacturing, have said, This is the right way to go. You stay out of our business. We'll share with you when we're victims of a crime. With that, I reserve the balance of my time. Mr. SCHNEIDER. Madam Chairman, I just want to thank the ranking member and the chairman for the way you have approached this in a bipartisan effort, and I yield back the balance of my time. Mr. ROGERS of Michigan. I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Illinois (Mr. Schneider). The amendment was agreed to. Amendment No. 4 Offered by Mr. Langevin The CHAIR. It is now in order to consider amendment No. 4 printed in House Report 113-41. Mr. LANGEVIN. Madam Chair, I rise to offer an amendment, No. 35, listed as No. 4 in the rule. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Page 8, line 16, strike ``a State, local, or tribal law or regulation'' and insert ``a law or regulation of a State, political subdivision of a State, or a tribe''. The CHAIR. Pursuant to House Resolution 164, the gentleman from Rhode Island (Mr. Langevin) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Rhode Island. Mr. LANGEVIN. Madam Chair, I yield myself such time as I may consume. My amendment ensures that utility districts are not unnecessarily and unintentionally limited from protecting their own information and ultimately will lead to a broader and more effective information sharing structure, leading to better cybersecurity across all critical infrastructure. Specifically, the amendment replaces the word ``local,'' which is typically interpreted to mean city, town, and county by the courts. Such a definition, I believe, could potentially leave out special districts that provide utility services, like the Salt River Project, the Central Arizona Project, the Metropolitan Water District of Southern California, and other smaller special districts. My amendment, Madam Chair, which is supported by the American Public Power Association, changes the bill to read, ``political subdivision,'' allowing more utilities to receive the protections built into our bill. In doing so, it also makes the language consistent with the preemption provision in the bill. If not amended, this legislation could subject utility districts to additional requirements if they share threat information, effectively creating a deterrent to participation--precisely what we want to avoid. We know that myriad threats are arrayed against the networks that run our critical infrastructure, and we must ensure that the utilities, which are the front lines in the cybersecurity fight, are properly protected. I have long advocated for minimum standards for utilities, but absent such standards, I believe that we have to make sure that as many utilities as possible have access to the best possible information to defend their networks and are able to share information about the attacks that they experience. This is an important bill overall. I really do want to applaud, again, Chairman Rogers and Ranking Member Ruppersberger for their outstanding work on the underlying bill. Obviously, the challenges of the threats that we face in cyberspace are growing exponentially every day. It seems like there's not a week that goes by that you don't hear of a new major attack on the critical infrastructure or, in particular, our banking system or major corporations with intellectual property theft, and obviously we have got to take action and do so now. Failure to do so would be a great abdication of our responsibility. I'm disappointed the bill didn't pass last year. I know how hard the chairman and ranking member worked on this legislation, but clearly our adversaries, or enemies, have not taken a hiatus. They are actively engaged in cyber attacks or threats of intellectual property or identity theft, and the list goes on and on. The underlying bill is a major step forward in protecting our cyber networks, allowing classified information to be shared with the private sector, allowing threat information to be shared back with the government to give broader situation awareness, as well as information sharing between both in the private sector among companies. So, again, the underlying bill is a major step forward. I believe this amendment that I'm offering makes the bill even better for making sure that broader utilities are included in allowing for information sharing. I urge my colleagues to support this commonsense amendment and the underlying legislation, and I reserve the balance of my time. Mr. ROGERS of Michigan. Madam Chair, while I do not oppose the amendment, I ask unanimous consent to control the time in opposition. The CHAIR. Without objection, the gentleman is recognized for 5 minutes. Mr. ROGERS of Michigan. Madam Chair, I yield myself such time as I may consume. [[Page H2103]] I want to thank the gentleman from Rhode Island (Mr. Langevin), who has been a tremendous leader on cybersecurity efforts on the Intelligence Committee. Much of our work there is classified and it goes unnoticed, and rightly so. I think it would be wrong for us not to commend in public your great leadership and efforts and work with us to try to make sure that this bill does what we say we want it to do. It has been a great privilege and pleasure to work with you throughout that process, and without that leadership, we wouldn't be standing on the floor today. I want to thank the gentleman for that. I will support the amendment, which clarifies that entities located across multiple localities are intended to be covered by provisions in the bill exempting information shared under the bill from certain disclosures otherwise required of public or quasi-public entities. The amendment replaces the term ``local'' with ``political subdivision.'' Because there is no intention to exclude such entities, this is intended as a clarification, an important clarification, and I will gladly support the amendment, and again thank the gentleman for his work on the totality of both national security issues and cybersecurity. I reserve the balance of my time. Mr. LANGEVIN. Madam Chair, I yield such time as he may consume to the ranking member of the Intelligence Committee, the gentleman from Maryland (Mr. Ruppersberger). Mr. RUPPERSBERGER. I thank the gentleman for yielding. Madam Chair, first, I want to agree with our chairman, and I said it before, that you have been one of the key players in developing legislation to protect our country. From the beginning, when those of us started working on this issue, probably 2006, you were there. You have a tremendous amount of expertise. You have been a great adviser to all of us, and also not only the Intelligence Committee, but the Armed Services Committee, and I appreciate all your work. I also support your amendment to include political subdivisions within the information, use, and protection requirements in our bill. Your amendment ensures that utility districts are not unnecessarily and unintentionally limited from protecting their own information. Therefore, I urge a ``yes'' vote on your amendment. Mr. LANGEVIN. Madam Chair, before I close, I just wanted to thank, again, the chairman and the ranking member for their comments, but, more importantly, their extraordinary collaborative work in trying to protect our Nation's cybersecurity. The work that they did in putting this legislation together, it is a real service to the country what you have done, and I am grateful to have played a part in it with you, and thank you for your friendship. With that, I urge my colleagues to support the amendment, and I yield back the balance of my time. Mr. ROGERS of Michigan. I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Rhode Island (Mr. Langevin). The question was taken; and the Chair announced that the ayes appeared to have it. Mr. ROGERS of Michigan. Madam Chair, I demand a recorded vote. The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on the amendment offered by the gentleman from Rhode Island will be postponed. {time} 1600 Mr. ROGERS of Michigan. Madam Chair, I move that the Committee do now rise. The motion was agreed to. Accordingly, the Committee rose; and the Speaker pro tempore (Mr. Marchant) having assumed the chair, Ms. Ros-Lehtinen, Chair of the Committee of the Whole House on the state of the Union, reported that that Committee, having had under consideration the bill (H.R. 624) to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes, had come to no resolution thereon. ____________________ [Congressional Record Volume 159, Number 52 (Wednesday, April 17, 2013)] [House] [Pages H2103-H2105] CYBER INTELLIGENCE SHARING AND PROTECTION ACT The SPEAKER pro tempore. Pursuant to House Resolution 164 and rule XVIII, the Chair declares the House in the Committee of the Whole House on the state of the Union for the further consideration of the bill, H.R. 624. Will the gentleman from Texas (Mr. Marchant) kindly take the chair. {time} 1631 In the Committee of the Whole Accordingly, the House resolved itself into the Committee of the Whole House on the state of the Union for the further consideration of the bill (H.R. 624) to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes, with Mr. Marchant (Acting Chair) in the chair. The Clerk read the title of the bill. The Acting CHAIR. When the Committee of the Whole rose earlier today, a request for a recorded vote on amendment No. 4 printed in House Report 113-41 offered by the gentleman from Rhode Island (Mr. Langevin) had been postponed. Pursuant to clause 6 of rule XVIII, proceedings will now resume on those amendments printed in House Report 113-41 on which further proceedings were postponed, in the following order: Amendment No. 1 by Mr. Rogers of Michigan. Amendment No. 2 by Mr. Connolly of Virginia. Amendment No. 4 by Mr. Langevin of Rhode Island. The Chair will reduce to 2 minutes the minimum time for any electronic vote after the first vote in this series. Amendment No. 1 Offered by Mr. Rogers of Michigan The Acting CHAIR. The unfinished business is the demand for a recorded vote on the amendment offered by the gentleman from Michigan (Mr. Rogers) on which further proceedings were postponed and on which the ayes prevailed by voice vote. The Clerk will redesignate the amendment. The Clerk redesignated the amendment. Recorded Vote The Acting CHAIR. A recorded vote has been demanded. A recorded vote was ordered. The vote was taken by electronic device, and there were--ayes 418, noes 0, not voting 14, as follows: [Roll No. 110] AYES--418 Aderholt Alexander Amash Amodei Andrews Bachus Barber Barletta Barr Barrow (GA) Barton Bass Beatty Becerra Benishek Bentivolio Bera (CA) Bilirakis Bishop (GA) Bishop (NY) Bishop (UT) Black Blumenauer Bonamici Bonner Boustany Brady (PA) Brady (TX) Braley (IA) Bridenstine Brooks (AL) Brooks (IN) Broun (GA) Brown (FL) Brownley (CA) Buchanan Bucshon Burgess Bustos Butterfield Calvert Camp Campbell Cantor Capito Capps Capuano Cardenas Carney Carson (IN) Carter Cartwright Cassidy Castor (FL) Castro (TX) Chabot Chaffetz Chu Cicilline Clarke Clay Cleaver Clyburn Coble Coffman Cohen Cole Collins (GA) Collins (NY) Conaway Connolly Conyers Cook Cooper Costa Cotton Courtney Cramer Crawford Crenshaw Crowley Cuellar Culberson Cummings Daines Davis (CA) Davis, Danny Davis, Rodney DeFazio DeGette Delaney DeLauro DelBene Denham Dent DeSantis DesJarlais Deutch Diaz-Balart Dingell Doggett Doyle Duckworth Duffy Duncan (SC) Duncan (TN) Edwards Ellison [[Page H2104]] Ellmers Engel Enyart Eshoo Esty Farenthold Farr Fattah Fincher Fitzpatrick Fleischmann Fleming Flores Forbes Fortenberry Foster Foxx Frankel (FL) Franks (AZ) Frelinghuysen Fudge Gabbard Gallego Garamendi Garcia Gardner Garrett Gerlach Gibbs Gibson Gingrey (GA) Gohmert Goodlatte Gosar Gowdy Granger Graves (GA) Graves (MO) Grayson Green, Al Griffin (AR) Griffith (VA) Grijalva Grimm Guthrie Gutierrez Hahn Hall Hanabusa Hanna Harper Harris Hartzler Hastings (FL) Hastings (WA) Heck (NV) Heck (WA) Hensarling Herrera Beutler Higgins Himes Hinojosa Holt Honda Horsford Hoyer Hudson Huelskamp Huffman Huizenga (MI) Hultgren Hunter Hurt Israel Issa Jeffries Jenkins Johnson (GA) Johnson (OH) Johnson, E. B. Johnson, Sam Jones Jordan Joyce Kaptur Keating Kelly (IL) Kelly (PA) Kildee Kilmer Kind King (IA) King (NY) Kingston Kinzinger (IL) Kirkpatrick Kline Kuster Labrador LaMalfa Lamborn Lance Langevin Lankford Larsen (WA) Larson (CT) Latham Latta Lee (CA) Levin Lewis Lipinski LoBiondo Loebsack Lofgren Long Lowenthal Lowey Lucas Luetkemeyer Lujan Grisham (NM) Lujan, Ben Ray (NM) Lummis Maffei Maloney, Carolyn Maloney, Sean Marchant Marino Massie Matheson Matsui McCarthy (CA) McCarthy (NY) McCaul McClintock McCollum McDermott McGovern McHenry McIntyre McKeon McKinley McMorris Rodgers McNerney Meadows Meehan Meeks Meng Messer Mica Michaud Miller (FL) Miller (MI) Miller, George Moran Mullin Mulvaney Murphy (FL) Murphy (PA) Nadler Napolitano Neal Negrete McLeod Neugebauer Noem Nolan Nunes Nunnelee O'Rourke Olson Owens Palazzo Pallone Pascrell Pastor (AZ) Paulsen Payne Pearce Pelosi Perlmutter Perry Peters (CA) Peters (MI) Peterson Petri Pingree (ME) Pittenger Pitts Pocan Poe (TX) Polis Pompeo Posey Price (GA) Price (NC) Quigley Radel Rahall Rangel Reed Reichert Renacci Ribble Rice (SC) Richmond Rigell Roby Roe (TN) Rogers (AL) Rogers (KY) Rogers (MI) Rohrabacher Rokita Rooney Ros-Lehtinen Roskam Ross Rothfus Roybal-Allard Royce Ruiz Runyan Ruppersberger Ryan (OH) Ryan (WI) Salmon Sanchez, Linda T. Sanchez, Loretta Sarbanes Scalise Schakowsky Schiff Schneider Schock Schrader Schwartz Schweikert Scott (VA) Scott, Austin Scott, David Sensenbrenner Serrano Sessions Sewell (AL) Shea-Porter Sherman Shuster Simpson Sinema Sires Slaughter Smith (NE) Smith (NJ) Smith (TX) Smith (WA) Southerland Speier Stewart Stivers Stockman Stutzman Swalwell (CA) Takano Terry Thompson (CA) Thompson (MS) Thompson (PA) Thornberry Tiberi Tierney Tipton Titus Tonko Turner Upton Valadao Van Hollen Vargas Veasey Vela Velazquez Visclosky Wagner Walberg Walden Walorski Walz Wasserman Schultz Waters Watt Waxman Weber (TX) Webster (FL) Welch Wenstrup Westmoreland Whitfield Williams Wilson (FL) Wilson (SC) Wittman Wolf Womack Woodall Yarmuth Yoder Yoho Young (AK) Young (FL) Young (IN) NOT VOTING--14 Bachmann Blackburn Green, Gene Holding Jackson Lee Kennedy Lynch Markey Miller, Gary Moore Nugent Rush Shimkus Tsongas {time} 1656 Mrs. LOWEY and Mr. RANGEL changed their vote from ``no'' to ``aye.'' So the amendment was agreed to. The result of the vote was announced as above recorded. Stated for: Mr. GENE GREEN of Texas. Mr. Chair, on rollcall No. 110, had I been present, I would have voted ``aye.'' Amendment No. 2 Offered by Mr. Connolly The Acting CHAIR. The unfinished business is the demand for a recorded vote on the amendment offered by the gentleman from Virginia (Mr. Connolly) on which further proceedings were postponed and on which the ayes prevailed by voice vote. The Clerk will redesignate the amendment. The Clerk redesignated the amendment. Recorded Vote The Acting CHAIR. A recorded vote has been demanded. A recorded vote was ordered. The Acting CHAIR. This will be a 2-minute vote. The vote was taken by electronic device, and there were--ayes 418, noes 0, not voting 14, as follows: [Roll No. 111] AYES--418 Aderholt Alexander Amash Amodei Andrews Bachus Barber Barletta Barr Barrow (GA) Barton Bass Beatty Becerra Benishek Bentivolio Bera (CA) Bilirakis Bishop (GA) Bishop (NY) Black Blumenauer Bonamici Bonner Boustany Brady (PA) Brady (TX) Braley (IA) Bridenstine Brooks (AL) Brooks (IN) Broun (GA) Brown (FL) Brownley (CA) Buchanan Bucshon Burgess Bustos Butterfield Calvert Camp Campbell Cantor Capito Capps Capuano Cardenas Carney Carson (IN) Carter Cartwright Cassidy Castor (FL) Castro (TX) Chabot Chaffetz Chu Cicilline Clarke Clay Cleaver Clyburn Coble Coffman Cohen Cole Collins (GA) Collins (NY) Conaway Connolly Conyers Cook Cooper Costa Cotton Courtney Cramer Crawford Crenshaw Crowley Cuellar Culberson Cummings Daines Davis (CA) Davis, Danny Davis, Rodney DeFazio DeGette Delaney DeLauro DelBene Denham Dent DeSantis DesJarlais Deutch Diaz-Balart Dingell Doggett Doyle Duckworth Duffy Duncan (SC) Duncan (TN) Edwards Ellison Ellmers Engel Enyart Eshoo Esty Farenthold Farr Fattah Fincher Fitzpatrick Fleischmann Fleming Flores Forbes Fortenberry Foster Foxx Frankel (FL) Franks (AZ) Frelinghuysen Fudge Gabbard Gallego Garamendi Garcia Gardner Garrett Gerlach Gibbs Gibson Gingrey (GA) Gohmert Goodlatte Gosar Gowdy Granger Graves (MO) Grayson Green, Al Green, Gene Griffin (AR) Griffith (VA) Grijalva Grimm Guthrie Gutierrez Hahn Hall Hanabusa Hanna Harper Harris Hartzler Hastings (FL) Hastings (WA) Heck (NV) Heck (WA) Hensarling Herrera Beutler Higgins Himes Hinojosa Holt Honda Horsford Hoyer Hudson Huelskamp Huffman Huizenga (MI) Hultgren Hunter Hurt Israel Issa Jeffries Jenkins Johnson (GA) Johnson (OH) Johnson, E. B. Johnson, Sam Jones Jordan Joyce Kaptur Keating Kelly (IL) Kelly (PA) Kildee Kilmer Kind King (IA) King (NY) Kingston Kinzinger (IL) Kirkpatrick Kline Kuster Labrador LaMalfa Lamborn Lance Langevin Lankford Larsen (WA) Larson (CT) Latham Latta Lee (CA) Levin Lewis Lipinski LoBiondo Loebsack Lofgren Long Lowenthal Lowey Lucas Luetkemeyer Lujan Grisham (NM) Lujan, Ben Ray (NM) Lummis Maffei Maloney, Carolyn Maloney, Sean Marchant Marino Massie Matheson Matsui McCarthy (CA) McCarthy (NY) McCaul McClintock McCollum McDermott McGovern McHenry McIntyre McKeon McKinley McMorris Rodgers McNerney Meadows Meehan Meeks Meng Messer Mica Michaud Miller (FL) Miller (MI) Miller, George Moore Moran Mullin Mulvaney Murphy (FL) Murphy (PA) Nadler Napolitano Neal Negrete McLeod Neugebauer Noem Nolan Nunes Nunnelee O'Rourke Olson Owens Palazzo Pallone Pascrell Pastor (AZ) Paulsen Payne Pearce Pelosi Perlmutter Perry Peters (CA) Peters (MI) Peterson Petri Pingree (ME) Pittenger Pitts Pocan Poe (TX) Polis Pompeo Posey Price (GA) Price (NC) Quigley Radel Rahall Rangel Reed Reichert Renacci Ribble Rice (SC) Richmond Rigell Roby Roe (TN) Rogers (AL) Rogers (KY) Rogers (MI) Rohrabacher Rokita Rooney Ros-Lehtinen Roskam Ross Rothfus Roybal-Allard Royce Ruiz Runyan Ruppersberger Ryan (OH) Ryan (WI) Salmon Sanchez, Linda T. Sanchez, Loretta Sarbanes Scalise Schakowsky Schiff Schneider Schock Schrader Schwartz Schweikert Scott (VA) Scott, Austin Scott, David Sensenbrenner Serrano Sessions Sewell (AL) Shea-Porter Sherman Shuster Simpson Sinema Sires Slaughter Smith (NE) Smith (NJ) Smith (TX) Smith (WA) Southerland Speier Stewart Stivers Stockman Stutzman Swalwell (CA) Takano Terry Thompson (CA) Thompson (MS) Thompson (PA) Thornberry Tiberi Tierney Tipton Titus Tonko Turner Upton Valadao Van Hollen Vargas Veasey Vela Velazquez Visclosky Wagner Walberg Walden Walorski Walz Wasserman Schultz Waters Watt Waxman Weber (TX) Webster (FL) Welch Wenstrup Westmoreland Whitfield Williams Wilson (FL) Wilson (SC) Wittman Wolf Womack [[Page H2105]] Woodall Yarmuth Yoder Yoho Young (AK) Young (FL) Young (IN) NOT VOTING--14 Bachmann Bishop (UT) Blackburn Graves (GA) Holding Jackson Lee Kennedy Lynch Markey Miller, Gary Nugent Rush Shimkus Tsongas {time} 1701 So the amendment was agreed to. The result of the vote was announced as above recorded. Amendment No. 4 Offered by Mr. Langevin The Acting CHAIR. The unfinished business is the demand for a recorded vote on the amendment offered by the gentleman from Rhode Island (Mr. Langevin) on which further proceedings were postponed and on which the ayes prevailed by voice vote. The Clerk will redesignate the amendment. The Clerk redesignated the amendment. Recorded Vote The Acting CHAIR. A recorded vote has been demanded. A recorded vote was ordered. The Acting CHAIR. This is a 2-minute vote. The vote was taken by electronic device, and there were--ayes 411, noes 3, not voting 18, as follows: [Roll No. 112] AYES--411 Aderholt Alexander Amodei Andrews Bachus Barber Barletta Barr Barrow (GA) Barton Bass Beatty Becerra Benishek Bentivolio Bera (CA) Bilirakis Bishop (GA) Bishop (NY) Bishop (UT) Black Blumenauer Bonamici Bonner Boustany Brady (PA) Brady (TX) Braley (IA) Bridenstine Brooks (AL) Brooks (IN) Broun (GA) Brown (FL) Brownley (CA) Buchanan Bucshon Burgess Bustos Butterfield Calvert Camp Campbell Cantor Capito Capps Capuano Cardenas Carney Carson (IN) Carter Cartwright Cassidy Castor (FL) Castro (TX) Chabot Chaffetz Chu Cicilline Clarke Clay Cleaver Clyburn Coble Coffman Cohen Cole Collins (GA) Collins (NY) Conaway Connolly Conyers Cook Cooper Costa Cotton Courtney Cramer Crawford Crenshaw Crowley Cuellar Culberson Cummings Daines Davis (CA) Davis, Danny Davis, Rodney DeFazio DeGette Delaney DeLauro DelBene Denham Dent DeSantis DesJarlais Deutch Diaz-Balart Dingell Doggett Doyle Duckworth Duffy Duncan (SC) Duncan (TN) Edwards Ellison Ellmers Engel Enyart Eshoo Esty Farenthold Farr Fincher Fitzpatrick Fleischmann Fleming Flores Forbes Fortenberry Foster Foxx Frankel (FL) Franks (AZ) Frelinghuysen Fudge Gabbard Gallego Garamendi Garcia Gardner Garrett Gerlach Gibbs Gibson Gingrey (GA) Goodlatte Gosar Gowdy Granger Graves (GA) Graves (MO) Grayson Green, Al Green, Gene Griffin (AR) Griffith (VA) Grijalva Grimm Guthrie Gutierrez Hahn Hall Hanabusa Hanna Harper Harris Hartzler Hastings (FL) Hastings (WA) Heck (NV) Heck (WA) Hensarling Herrera Beutler Higgins Himes Hinojosa Holt Honda Horsford Hoyer Hudson Huelskamp Huffman Huizenga (MI) Hultgren Hunter Hurt Israel Issa Jeffries Jenkins Johnson (GA) Johnson (OH) Johnson, E. B. Johnson, Sam Jones Jordan Joyce Kaptur Keating Kelly (IL) Kelly (PA) Kildee Kilmer Kind King (IA) King (NY) Kingston Kinzinger (IL) Kirkpatrick Kline Kuster Labrador LaMalfa Lamborn Lance Langevin Lankford Larsen (WA) Larson (CT) Latham Latta Lee (CA) Levin Lipinski LoBiondo Loebsack Lofgren Long Lowenthal Lowey Luetkemeyer Lujan Grisham (NM) Lujan, Ben Ray (NM) Lummis Maffei Maloney, Carolyn Maloney, Sean Marchant Marino Massie Matheson Matsui McCarthy (CA) McCarthy (NY) McCaul McCollum McDermott McGovern McHenry McIntyre McKeon McKinley McMorris Rodgers McNerney Meadows Meehan Meeks Meng Messer Mica Michaud Miller (FL) Miller (MI) Miller, George Moore Moran Mulvaney Murphy (FL) Murphy (PA) Nadler Napolitano Neal Negrete McLeod Neugebauer Noem Nolan Nunes Nunnelee O'Rourke Olson Owens Palazzo Pallone Pascrell Pastor (AZ) Paulsen Payne Pearce Pelosi Perlmutter Perry Peters (CA) Peters (MI) Peterson Petri Pingree (ME) Pittenger Pitts Pocan Poe (TX) Polis Pompeo Posey Price (GA) Price (NC) Quigley Radel Rahall Rangel Reed Reichert Renacci Ribble Rice (SC) Richmond Rigell Roby Roe (TN) Rogers (AL) Rogers (KY) Rogers (MI) Rohrabacher Rokita Rooney Ros-Lehtinen Roskam Ross Rothfus Roybal-Allard Royce Ruiz Runyan Ruppersberger Ryan (OH) Ryan (WI) Salmon Sanchez, Linda T. Sanchez, Loretta Sarbanes Scalise Schakowsky Schiff Schneider Schock Schrader Schwartz Schweikert Scott (VA) Scott, Austin Sensenbrenner Serrano Sessions Sewell (AL) Shea-Porter Sherman Shuster Simpson Sinema Sires Slaughter Smith (NE) Smith (NJ) Smith (TX) Smith (WA) Southerland Speier Stewart Stockman Stutzman Swalwell (CA) Takano Terry Thompson (CA) Thompson (MS) Thompson (PA) Thornberry Tiberi Tierney Tipton Titus Tonko Turner Upton Valadao Van Hollen Vargas Veasey Vela Velazquez Visclosky Wagner Walberg Walden Walorski Walz Wasserman Schultz Waters Watt Waxman Weber (TX) Webster (FL) Welch Wenstrup Westmoreland Whitfield Williams Wilson (FL) Wilson (SC) Wittman Wolf Womack Woodall Yarmuth Yoder Yoho Young (AK) Young (FL) Young (IN) NOES--3 Amash Gohmert McClintock NOT VOTING--18 Bachmann Blackburn Fattah Holding Jackson Lee Kennedy Lewis Lucas Lynch Markey Miller, Gary Mullin Nugent Rush Scott, David Shimkus Stivers Tsongas {time} 1707 So the amendment was agreed to. The result of the vote was announced as above recorded. personal explanation Mrs. BACHMANN. Mr. Chair, on April 17, 2013, I was not able to vote on rollcall votes 110, 111 and 112. At the time, I was performing my duties as a designee of the U.S. House of Representatives attending the funeral of Baroness Margaret Thatcher in London. Had I been present for the vote, I would have voted ``aye'' on all three votes.- Mr. SESSIONS. Mr. Chairman, I move that the Committee do now rise. The motion was agreed to. Accordingly, the Committee rose; and the Speaker pro tempore (Mrs. Wagner) having assumed the chair, Mr. Marchant, Acting Chair of the Committee of the Whole House on the state of the Union, reported that that Committee, having had under consideration the bill (H.R. 624) to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes, had come to no resolution thereon. ____________________