[Congressional Record Volume 161, Number 153 (Tuesday, October 20, 2015)] [Senate] [Pages S7332-S7342] CYBERSECURITY INFORMATION SHARING ACT of 2015 Mr. McCONNELL. Mr. President, under the order of August 5, 2015, I ask that the Chair lay before the Senate S. 754. The PRESIDING OFFICER. Under the previous order, the Senate will proceed to the consideration of S. 754, which the clerk will report. The senior assistant legislative clerk read as follows: A bill (S. 754) to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. [[Page S7333]] The PRESIDING OFFICER. The Senator from North Carolina. Amendment No. 2716 (Purpose: In the nature of a substitute) Mr. BURR. Mr. President, as under the previous order, I call up the Burr-Feinstein amendment, which is at the desk, and I ask unanimous consent that it be reported by number. The PRESIDING OFFICER. Without objection, the clerk will report the amendment by number. The senior assistant legislative clerk read as follows: The Senator from North Carolina [Mr. Burr] proposes an amendment numbered 2716. (The amendment is printed in today's Record under ``Text of Amendments.'') Mr. BURR. Mr. President, for the information of all Senators, this substitute includes agreed-upon language on the following amendments: Carper, No. 2615; Carper, No. 2627; Coats, No. 2604; Flake, No. 2580; Gardner, No. 2631; Kirk, No. 2603; Tester, No. 2632; Wyden, No. 2622, and, I might add, a handful of amendments that have been worked out in addition to those which were part of that unanimous consent agreement by both the vice chair and myself. The vice chair and I have a number of amendments to be made pending under the previous consent order, and I ask unanimous consent that they be called up and reported by number. The PRESIDING OFFICER. Without objection, it is so ordered. Amendment No. 2581, as Modified, to Amendment No. 2716 Mr. BURR. Mr. President, I call up the Cotton amendment No. 2581, as modified, to correct the instruction line. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from North Carolina [Mr. Burr], for Mr. Cotton, proposes an amendment numbered 2581, as modified, to amendment No. 2716. The amendment is as follows: (Purpose: To exempt from the capability and process within the Department of Homeland Security communication between a private entity and the Federal Bureau of Investigation or the United States Secret Service regarding cybersecurity threats) On page 31, strike line 13 and insert the following: authority regarding a cybersecurity threat; and (iii) communications between a private entity and the Federal Bureau of Investigation or the United States Secret Service regarding a cybersecurity threat; The PRESIDING OFFICER. The Senator from North Carolina. Mr. BURR. Mr. President, let me add at this time that the vice chairman and I have worked aggressively, as have our staffs, to incorporate the suggestions and the concerns Members and companies have raised with us. If we believed they made the legislation stronger-- stronger from the standpoint of minimizing data loss and stronger from the standpoint of the privacy concerns--let me assure my colleagues we have accepted those and we have incorporated them in the managers' amendment. If, in fact, we couldn't agree or felt that it in any way was detrimental to the legislation, the vice chair and I have agreed to oppose those amendments. I think it is important that this bill represent exactly what we have sold: an information sharing bill, a bill that is voluntary. So I would suggest to those who hear this debate and say ``I don't really understand all this cyber stuff. I hear about it and don't really understand it,'' let me put it in these terms. What this legislation does is it creates a community watch program, and like any neighborhood watch program, the spirit of what we are trying to do is to protect the neighborhood. It doesn't mean that every resident on every street in that community in that neighborhood is going to be a participant, but it means that neighborhood is committed to making sure that if crimes are happening, they are out there to stop them, to report them, and maybe through reporting them, the number of crimes over time will continue to decrease. Well, I would share with you that is what we are doing with the cyber security bill. We are out now trying to set up the framework for a community watch program, one that is voluntary, that doesn't require every person to participate, but it says: For those of you who can embrace this and can report the crimes, it is not only beneficial to you, it is beneficial to everybody. So I respect the fact there are a few companies out there saying: This is no good; we shouldn't have this. Really? Do you want to deny this to everybody? There are a heck of a lot of businesses that have made the determination that this is beneficial to their business, that it is beneficial to their sector. This is beneficial to the overall U.S. economy. That is what the Senate is here to do. We are not here to pick winners and losers; we are here to create a framework everybody can operate in that advances the United States in the right direction. Shortly we will have an opportunity to make pending some additional amendments, and I encourage all Members, if your amendment is pending, to come down and debate it. If you have additional amendments, please come down and offer them and debate them. With the cooperation of Members, we can process these in a matter of days and we can then send this out of the Senate and be at a point where we could conference with the House. With that, I suggest the absence of a quorum. The PRESIDING OFFICER. The clerk will call the roll. The senior assistant legislative clerk proceeded to call the roll. Mrs. FEINSTEIN. Madam President, I ask unanimous consent that the order for the quorum call be rescinded. The PRESIDING OFFICER (Ms. Ayotte). Without objection, it is so ordered. Amendment No. 2552, as Modified, to Amendment No. 2716 Mrs. FEINSTEIN. Madam President, I call up the Coons amendment No. 2552, as modified. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from California [Mrs. Feinstein], for Mr. Coons, proposes an amendment numbered 2552, as modified, to amendment No. 2716. The amendment, as modified, is as follows: (Purpose: To modify section 5 to require DHS to review all cyber threat indicators and countermeasures in order to remove certain personal information) Beginning on page 23, strike line 3 and all that follows through page 33, line 10 and insert the following: (3) Requirements concerning policies and procedures.-- Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall-- (A) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 4 that are received through the process described in subsection (c) of this section and that satisfy the requirements of the guidelines developed under subsection (b)-- (i) are shared in an automated manner with all of the appropriate Federal entities; (ii) are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and (iii) may be provided to other Federal entities; (B) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 4 in a manner other than the process described in subsection (c) of this section-- (i) are shared as quickly as operationally practicable with all of the appropriate Federal entities; (ii) are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and (iii) may be provided to other Federal entities; (C) consistent with this Act, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled ``National Strategy for Trusted Identities in Cyberspace'' and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this Act, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government; and (D) ensure there is-- (i) an audit capability; and (ii) appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this Act in an unauthorized manner. (4) Guidelines for entities sharing cyber threat indicators with federal government.-- [[Page S7334]] (A) In general.--Not later than 60 days after the date of the enactment of this Act, the Attorney General shall develop and make publicly available guidance to assist entities and promote sharing of cyber threat indicators with Federal entities under this Act. (B) Contents.--The guidelines developed and made publicly available under subparagraph (A) shall include guidance on the following: (i) Identification of types of information that would qualify as a cyber threat indicator under this Act that would be unlikely to include personal information of or identifying a specific person not necessary to describe or identify a cyber security threat. (ii) Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be necessary to describe or identify a cybersecurity threat. (iii) Such other matters as the Attorney General considers appropriate for entities sharing cyber threat indicators with Federal entities under this Act. (b) Privacy and Civil Liberties.-- (1) Guidelines of attorney general.--Not later than 60 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act. (2) Final guidelines.-- (A) In general.--Not later than 180 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1) and such private entities with industry expertise as the Attorney General considers relevant, promulgate final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act. (B) Periodic review.--The Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically review the guidelines promulgated under subparagraph (A). (3) Content.--The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats-- (A) limit the impact on privacy and civil liberties of activities by the Federal Government under this Act; (B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of or identifying specific persons, including by establishing-- (i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this Act; and (ii) specific limitations on the length of any period in which a cyber threat indicator may be retained; (C) include requirements to safeguard cyber threat indicators containing personal information of or identifying specific persons from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines; (D) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator; (E) protect the confidentiality of cyber threat indicators containing personal information of or identifying specific persons to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this Act; and (F) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information. (c) Capability and Process Within the Department of Homeland Security.-- (1) In general.--Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that-- (A) shall accept from any entity in real time cyber threat indicators and defensive measures, pursuant to this section; (B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this Act that are shared by a private entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except-- (i) communications between a Federal entity and a private entity regarding a previously shared cyber threat indicator; and (ii) communications by a regulated entity with such entity's Federal regulatory authority regarding a cybersecurity threat; (C) shall require the Department of Homeland Security to review all cyber threat indicators and defensive measures received and remove any personal information of or identifying a specific person not necessary to identify or describe the cybersecurity threat before sharing such indicator or defensive measure with appropriate Federal entities; (D) ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators as quickly as operationally possible from the Department of Homeland Security; (E) is in compliance with the policies, procedures, and guidelines required by this section; and (F) does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including-- (i) reporting of known or suspected criminal activity, by an entity to any other entity or a Federal entity; (ii) voluntary or legally compelled participation in a Federal investigation; and (iii) providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement. (2) Certification.--Not later than 10 days prior to the implementation of the capability and process required by paragraph (1), the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, certify to Congress whether such capability and process fully and effectively operates-- (A) as the process by which the Federal Government receives from any entity a cyber threat indicator or defensive measure under this Act; and (B) in accordance with the policies, procedures, and guidelines developed under this section. (3) Public notice and access.--The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that-- (A) any entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and (B) all of the appropriate Federal entities receive such cyber threat indicators and defensive measures as quickly as operationally practicable with receipt through the process within the Department of Homeland Security. The PRESIDING OFFICER. The Senator from North Carolina. Amendment No. 2582 to Amendment No. 2716 Mr. BURR. Madam President, I call up the Flake amendment No. 2582. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from North Carolina [Mr. Burr], for Mr. Flake, proposes an amendment numbered 2582 to amendment No. 2716. The amendment is as follows: (Purpose: To terminate the provisions of the Act after six years) At the end, add the following: SEC. 11. EFFECTIVE PERIOD. (a) In General.--Except as provided in subsection (b), this Act and the amendments made by this Act shall be in effect during the 6-year period beginning on the date of the enactment of this Act. (b) Exception.--With respect to any action authorized by this Act or information obtained pursuant to an action authorized by this Act, which occurred before the date on which the provisions referred to in subsection (a) cease to have effect, the provisions of this Act shall continue in effect. The PRESIDING OFFICER. The Senator from California. Amendment No. 2612, as Modified, to Amendment No. 2716 Mrs. FEINSTEIN. Madam President, I call up the Franken amendment No. 2612, as modified. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from California [Mrs. Feinstein], for Mr. Franken, proposes an amendment numbered 2612, as modified, to amendment No. 2716. The amendment, as modified, is as follows: (Purpose: To improve the definitions of cybersecurity threat and cyber threat indicator) Beginning on page 4, strike line 12 and all that follows through page 5, line 21, and insert the following: system that is reasonably likely to result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system. (B) Exclusion.--The term ``cybersecurity threat'' does not include any action that [[Page S7335]] solely involves a violation of a consumer term of service or a consumer licensing agreement. (6) Cyber threat indicator.--The term ``cyber threat indicator'' means information that is necessary to describe or identify-- (A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability; (B) a method of defeating a security control or exploitation of a security vulnerability; (C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability; (D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; (E) malicious cyber command and control; (F) the harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat; (G) any other attribute of a cybersecurity threat, if disclosure of such information is not otherwise prohibited by law; or The PRESIDING OFFICER. The Senator from North Carolina. Amendment No. 2548, as Modified, to Amendment No. 2716 Mr. BURR. Madam President, I call up the Heller amendment No. 2548, as modified, to correct the instruction line. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from North Carolina [Mr. Burr], for Mr. Heller, proposes an amendment numbered 2548, as modified, to amendment No. 2716. The amendment, as modified, is as follows: (Purpose: To protect information that is reasonably believed to be personal information or information that identifies a specific person) On page 12, line 19, strike ``knows'' and insert ``reasonably believes''. The PRESIDING OFFICER. The Senator from California. Amendment No. 2587, as Modified, to Amendment No. 2716 Mrs. FEINSTEIN. Madam President, I call up the Leahy amendment No. 2587, as modified. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from California [Mrs. Feinstein], for Mr. Leahy, proposes an amendment numbered 2587, as modified, to amendment No. 2716. The amendment, as modified, is as follows: (Purpose: To strike the FOIA exemption) Beginning on page 35, strike line 1 and all that follows through page 35, line 13. The PRESIDING OFFICER. The Senator from North Carolina. Amendment No. 2564, as Modified, to Amendment No. 2716 Mr. BURR. Madam President, I call up the Paul amendment No. 2564, as modified, to correct the instruction line. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from North Carolina [Mr. Burr], for Mr. Paul, proposes an amendment numbered 2564, as modified, to amendment No. 2716. The amendment, as modified, is as follows: (Purpose: To prohibit liability immunity to applying to private entities that break user or privacy agreements with customers) On page 40, after line 24, insert the following: (d) Exception.--This section shall not apply to any private entity that, in the course of monitoring information under section 4(a) or sharing information under section 4(c), breaks a user agreement or privacy agreement with a customer of the private entity. The PRESIDING OFFICER. The Senator from California. Amendment No. 2557 to Amendment No. 2716 Mrs. FEINSTEIN. Madam President, I call up the Mikulski amendment No. 2557. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from California [Mrs. Feinstein], for Ms. Mikulski, proposes an amendment numbered 2557 to amendment No. 2716. The amendment is as follows: (Purpose: To provide amounts necessary for accelerated cybersecurity in response to data breaches) At the appropriate place, insert the following: SEC. ___. FUNDING. (a) In General.--Effective on the date of enactment of this Act, there is appropriated, out of any money in the Treasury not otherwise appropriated, for the fiscal year ending September 30, 2015, an additional amount for the appropriations account appropriated under the heading ``salaries and expenses'' under the heading ``Office of Personnel Management'', $37,000,000, to remain available until September 30, 2017, for accelerated cybersecurity in response to data breaches. (b) Emergency Designation.--The amount appropriated under subsection (a) is designated by the Congress as an emergency requirement pursuant to section 251(b)(2)(A)(i) of the Balanced Budget and Emergency Deficit Control Act of 1985, and shall be available only if the President subsequently so designates such amount and transmits such designation to the Congress. Amendment No. 2626 to Amendment No. 2716 Mrs. FEINSTEIN. Madam President, I call up the Whitehouse amendment No. 2626. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from California [Mrs. Feinstein], for Mr. Whitehouse, proposes an amendment numbered 2626 to amendment No. 2716. The amendment is as follows: (Purpose: To amend title 18, United States Code, to protect Americans from cybercrime) At the end, add the following: SEC. __. STOPPING THE SALE OF AMERICANS' FINANCIAL INFORMATION. Section 1029(h) of title 18, United States Code, is amended by striking ``if--'' and all that follows through ``therefrom.'' and inserting ``if the offense involves an access device issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity organized under the laws of the United States, or any State, the District of Columbia, or other Territory of the United States.''. SEC. __. SHUTTING DOWN BOTNETS. (a) Amendment.--Section 1345 of title 18, United States Code, is amended-- (1) in the heading, by inserting ``and abuse'' after ``fraud''; (2) in subsection (a)-- (A) in paragraph (1)-- (i) in subparagraph (B), by striking ``or'' at the end; (ii) in subparagraph (C), by inserting ``or'' after the semicolon; and (iii) by inserting after subparagraph (C) the following: ``(D) violating or about to violate paragraph (1), (4), (5), or (7) of section 1030(a) where such conduct would affect 100 or more protected computers (as defined in section 1030) during any 1-year period, including by denying access to or operation of the computers, installing malicious software on the computers, or using the computers without authorization;''; and (B) in paragraph (2), by inserting ``, a violation described in subsection (a)(1)(D),'' before ``or a Federal''; and (3) by adding at the end the following: ``(c) A restraining order, prohibition, or other action described in subsection (b), if issued in circumstances described in subsection (a)(1)(D), may, upon application of the Attorney General-- ``(1) specify that no cause of action shall lie in any court against a person for complying with the restraining order, prohibition, or other action; and ``(2) provide that the United States shall pay to such person a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in complying with the restraining order, prohibition, or other action.''. (b) Technical and Conforming Amendment.--The table of section for chapter 63 is amended by striking the item relating to section 1345 and inserting the following: ``1345. Injunctions against fraud and abuse.''. SEC. __. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE COMPUTER. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. Aggravated damage to a critical infrastructure computer ``(a) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer, if such damage results in (or, in the case of an attempted offense, would, if completed have resulted in) the substantial impairment-- ``(1) of the operation of the critical infrastructure computer; or ``(2) of the critical infrastructure associated with such computer. ``(b) Penalty.--Any person who violates subsection (a) shall, in addition to the term of punishment provided for the felony violation of section 1030, be fined under this title, imprisoned for not more than 20 years, or both. ``(c) Consecutive Sentence.--Notwithstanding any other provision of law-- [[Page S7336]] ``(1) a court shall not place any person convicted of a violation of this section on probation; ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony violation of section 1030; ``(3) in determining any term of imprisonment to be imposed for the felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such violation to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, if such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28. ``(d) Definitions.--In this section ``(1) the terms `computer' and `damage' have the meanings given the terms in section 1030; and ``(2) the term `critical infrastructure' has the meaning given the term in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).''. (b) Table of Sections.--The table of sections for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: ``1030A. Aggravated damage to a critical infrastructure computer.''. SEC. __. STOPPING TRAFFICKING IN BOTNETS. (a) In General.--Section 1030 of title 18, United States Code, is amended-- (1) in subsection (a), by striking paragraph (6) and inserting the following: ``(6) knowing such conduct to be wrongful, intentionally traffics in any password or similar information, or any other means of access, further knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;''; (2) in subsection (c)-- (A) in paragraph (2), by striking ``, (a)(3), or (a)(6)'' each place it appears and inserting ``or (a)(3)''; and (B) in paragraph (4)-- (i) in subparagraph (C)(i), by striking ``or an attempt to commit an offense''; and (ii) in subparagraph (D), by striking clause (ii) and inserting the following: ``(ii) an offense, or an attempt to commit an offense, under subsection (a)(6);''; and (3) in subsection (g), in the first sentence, by inserting ``, except for a violation of subsection (a)(6),'' after ``of this section''. Amendment No. 2621, as Modified, to Amendment No. 2716 Mrs. FEINSTEIN. Madam President, I call up the Wyden amendment No. 2621, as modified. The PRESIDING OFFICER. The clerk will report the amendment by number. The bill clerk read as follows: The Senator from California [Mrs. Feinstein], for Mr. Wyden, proposes an amendment numbered 2621, as modified, to amendment No. 2716. The amendment, as modified, is as follows: (Purpose: To improve the requirements relating to removal of personal information from cyber threat indicators before sharing) On page 17, strike lines 9 through 22 and insert the following: (A) review such cyber threat indicator and remove, to the extent feasible, any personal information of or identifying a specific individual that is not necessary to describe or identity a cybersecurity threat; or (B) implement and utilize a technical capability configured to remove, to the extent feasible, any personal information of or identifying a specific individual contained within such indicator that is not necessary to describe or identify a cybersecurity threat. The PRESIDING OFFICER. The Senator from North Carolina. Mr. BURR. Madam President, as the vice chair and I have said numerous times this afternoon, nothing would make us happier than for Members to come to the floor. We have amendments pending. We have a managers' amendment. Everybody knows exactly what is in this bill. Let's start the debate. Let's vote on amendments. Let's end this process in a matter of days. We are prepared to vote on every amendment. So at this time, I ask unanimous consent that on Thursday, October 22, at 11 a.m., the Senate vote on the pending amendments to the Burr- Feinstein substitute to S. 754, with a 60-vote threshold for those amendments that are not germane; and that following the disposition of the amendments, the substitute, as amended, if amended, be agreed to, the bill, as amended, be read a third time, and the Senate vote on passage with a 60-vote threshold for passage. The PRESIDING OFFICER. Is there objection? Mr. WYDEN. Reserving the right to object. The PRESIDING OFFICER. The Senator from Oregon. Mr. WYDEN. Madam President, I certainly support most of the amendments that were just described. However, I am especially troubled about amendment No. 2626, which would significantly expand a badly outdated Computer Fraud and Abuse Act. I have sought to modernize the Computer Fraud and Abuse Act, and I believe that amendment No. 2626 would take that law--the Computer Fraud and Abuse Act--in the wrong direction. I would object to any unanimous consent request that includes that amendment. Therefore, I object to this request. The PRESIDING OFFICER. Objection is heard. The Senator from North Carolina. Mr. BURR. Madam President, the Senate functions best when Members are free to come to the floor and offer amendments, debate the amendments, and have a vote on the amendments. I might even share Senator Wyden's concerns about that particular piece of legislation. I am not sure. It is a judiciary issue. The vice chair is on the Judiciary Committee. It is an amendment that we were not able to pass in the managers' amendment. But as the vice chair and I said at the beginning of this process, we would like the Senate to function like it is designed, where every Member feels invested, and if they have a great idea, come down, introduce it as an amendment, debate it, and let your colleagues vote up or down against it. If we can't move forward with a process like that, then it is difficult to see how in a reasonable amount of time we are going to complete this agenda. So I would only urge my colleague from Oregon that there is nothing to be scared about. This is a process we will go through, and a nongermane amendment, which I think this would be listed as--I look for my staff. It would be a nongermane amendment--requiring 60 votes, a threshold that the Senate designed to pass practically anything. So I urge him to reconsider at some point, and I will make a similar unanimous consent request once he has had an opportunity to think about it. But also, we will work to see if in fact that amendment might be modified in a way that might make it a little more acceptable for the debate and for colleagues to vote on it. With that, I yield the floor. The PRESIDING OFFICER. The Senator from Utah. Mr. HATCH. Madam President, as the Senate turns its focus to legislation related to the critical issue of our Nation's cyber security and in the light of Chinese President Xi Jinping's state visit last month, I would like to reflect on America's security in cyber space. As the global economy becomes increasingly dependent on the Internet, the exponential increase in the number and scale of cyber attacks and cyber thefts are straining our relationship with international trading partners throughout the world. This is especially true for our important trade relationship with China. This year alone, the United States has experienced some of the largest cyber attacks in our Nation's history--many of which are believed to have been perpetrated by the Chinese. Just last February, hackers breached the customer records of the health insurance company Anthem Blue Cross Blue Shield. Many news sources reported that China was responsible for the attack. This cyber attack resulted in the theft of approximately 80 million customers' personally identifiable information, including Social Security numbers and information that can be used for identity theft. In the early summer, cyber criminals also hacked United Airlines, compromising manifest data that detailed the movement of millions of Americans. According to the news media, China was again believed to have been responsible. But the most devastating cyber attack this year was on the U.S. Government's Office of Personnel Management. This past June, sources report that the OPM data breach, considered the worst cyber intrusion ever perpetrated against the U.S. Government, [[Page S7337]] affected about 21.5 million Federal employees and contractors. Hackers successfully accessed sensitive personal information, including security clearance files, Social Security numbers, and information about employees' contacts and families. Again, China was the suspected culprit. Most troubling, the OPM breach included over 19.7 million background investigation records for cleared U.S. Government employees. The exposure of this highly sensitive information not only puts our national security at risk but also raises concern that foreign governments may be keeping detailed databases on Federal workers and their associations. I was pleased during the Chinese President's visit to Washington last month that President Obama expressed his ``very serious concerns about growing cyber threats'' and stated that the cyber theft of intellectual property and commercial trade secrets ``has to stop.'' President Obama and President Xi Jinping came to an agreement not to ``conduct or knowingly support'' cyber theft of intellectual property or commercial trade secrets. Even so, Director of Intelligence James Clapper expressed doubts about the agreement in a hearing before the Senate Armed Services Committee last week. When Chairman McCain asked Mr. Clapper if he was optimistic about the deal, he told members of the committee he was not. I add my skepticism of this agreement to the growing chorus of lawmakers, military leaders, and intelligence community personnel who have voiced similar concerns. As Admiral Rogers, head of the National Security Agency and U.S. Cyber Command, has said, ``China is the biggest proponent of cyberattacks being waged against the U.S.'' We must do more to defend ourselves against this growing threat. Unfortunately, I have been disappointed in this administration's inability to protect our Federal computer systems from cyber intrusions and to hold criminals accountable for their participation in cyber attacks committed against the United States. Sadly, the cyber threats facing our Nation are not limited to China. Investigators believe Russia, North Korea, Iran, and several other nations have also launched cyber attacks against our government, U.S. citizens, and of course companies. These attacks are increasing both in severity and in number. In April, Russian hackers accessed White House networks containing sensitive information, including emails sent and received by the President himself. In May, hackers breached IRS servers to gain access to 330,000 American taxpayers' tax returns. That same month a fraudulent stock trader manipulated U.S. markets, costing the stock exchange an estimated $1 trillion in just 36 minutes. In July, it was reported that a Russian spear phishing attack shut down the Joint Chiefs of Staff email system for 11 days. Just 1 month ago, hackers stole the personal data of 15 million T-Mobile customers by breaching Experian, the company that processes credit checks for prospective customers. This stolen data includes names, birth dates, addresses, Social Security numbers, and credit card information. These breaches have a serious and real cost for the victims. According to the Federal Trade Commission, the average identity fraud victim in 2012 incurred an average of $365 in losses. Incredibly, all of these high-profile breaches have occurred this year, making 2015 perhaps the worst year ever in terms of attacks on our national cyber security. Prior to 2015, we also saw several high-profile breaches at large American corporations, including Target, Home Depot, Sony, and others. Our lack of effective cyber security policies and procedures threatens the safety of our people, the strength of our national defense, and the future of our economy. We must be more vigilant in reinforcing our cyber infrastructure to better defend ourselves against these attacks. In doing so, Congress must create a deterrent for those who seek to commit cyber attacks against our Nation. Our adversaries must know they will suffer dire consequences if they attack the United States. Finding a solution to this critical problem must be an urgent priority for the Senate. I agree with Leader McConnell that we must move forward in the Senate with legislation to improve our Nation's cyber security practices and policies. I am supportive of the objectives outlined in Chairman Burr and Vice Chairperson Feinstein's bipartisan Cybersecurity Information Sharing Act, CISA. I was pleased to see the Senate Select Committee on Intelligence pass the Burr-Feinstein CISA bill out of the committee by an overwhelming bipartisan vote of 14 to 1. This important legislation incentivizes and authorizes private sector companies to voluntarily share cyber threat information in real time that can be useful in detecting cyber attacks and in preventing future cyber intrusions. I also commend Chairman Burr and Vice Chairman Feinstein's efforts to include provisions in CISA to protect personal privacy, including a measure that prevents a user's personally identifiable information from being shared with government agencies. Additionally, CISA sets limits on information that can be collected or monitored by allowing information to be used only for cyber security purposes. As the American economy grows ever more dependent on the Internet, I believe CISA represents an important first step in protecting our Nation's critical infrastructure from the devastating impact of cyber attacks. Congress must do more to adequately protect and secure America's presence in cyber space. In light of recent revelations highlighting our Federal Government's inability to adequately protect and secure classified data and other sensitive information, I joined Senator Carper, the ranking member of the Homeland Security and Governmental Affairs Committee, in introducing the Federal Computer Security Act. The Hatch-Carper bill shines light on whether our Federal Government is using the most up-to-date cyber security practices and software to protect Federal computer systems and databases from both external cyber attackers and insider threats. Specifically, this legislation requires Federal agency inspectors general to report to Congress on the security practices and software used to safeguard classified and personally identifiable information on Federal computer systems themselves. This bill also requires each Federal agency to submit a report to each respective congressional committee with oversight jurisdiction describing in detail to each committee which security access controls the agency is implementing to protect unauthorized access to classified and sensitive, personally identifiable information on government computers. Requiring an accounting of each Federal agency's security practices, software, and technology is a logical first step in bolstering our Nation's cyber infrastructure. These reports will guide Congress in crafting legislation to prevent future large-scale data breaches and ensure that unauthorized users are not able to access classified and sensitive information. Agencies should be employing multifactor authentication policies and should be implementing software to detect and monitor cyber security threats. They should also be using the most up-to-date technology and security controls. The future of our Nation's cyber security starts with our Federal Government practicing good cyber hygiene. In strengthening our security infrastructure, the Federal Government should be accountable to the American people, especially when cyber attacks affect millions of taxpayers. I have heard from many constituents who have expressed concerns about the state of America's cyber security. I am honored to represent a State that is an emerging center of technological advancement and innovation, with the growing hub of computer companies expanding across a metropolitan area known as Silicon Slopes. The people of Utah recognize that our Nation's future depends on America's ability to compete in the digital area. They understand we must create effective cyber security policies so we can continue to lead the world in innovation and technology advancement. I am pleased to announce that an amended version of the Federal Computer Security Act is included in Chairman Burr and Vice Chairman [[Page S7338]] Feinstein's managers' package. I wish to express my appreciation to both the chairman and vice chairman for their willingness to work with me in fine-tuning this legislation. I appreciate it. I wish to also thank Chairman Ron Johnson and Ranking Member Tom Carper of the Homeland Security and Governmental Affairs Committee for their efforts in this endeavor as well. In addition to broad bipartisan support in the Senate, the Federal Computer Security Act enjoys support from key industry stakeholders. Some of our Nation's largest computer security firms support the bill, including Symantec, Adobe, and CA Technologies. Several industry groups have also voiced their support, including the Business Software Alliance and the IT Alliance for the Public Sector. I commend Intelligence Committee Chairman Burr and Vice Chairman Feinstein for their leadership in managing this critical cyber security legislation. As Leader McConnell works to restore the Senate to its proper function, I am grateful we have been able to consider this legislation in an open and transparent fashion. By reinstating the open amendment process, we have not only been able to vote on dozens of amendments this year, we have been able to refine legislation through robust consideration and debate. I think we voted on approximately 160- plus amendments so far this year, and they are about evenly split between Democrats and Republicans. With the renewal of longstanding Senate practices, we are passing meaningful laws that will better serve the needs of the American people. May we build on the foundation of success as we work to improve this critically important Cybersecurity Information Sharing Act. I wish to again thank the distinguished leaders of this Intelligence Committee. Having served 18 years on the Intelligence Committee, I really appreciate the work that both of them have done, especially on this bill, and I look forward to its passage. With that, I yield the floor. The PRESIDING OFFICER. The Senator from California. Mrs. FEINSTEIN. Madam President, I thank the distinguished Senator from Utah for his words. They are much appreciated, as is his friendship as well. I think he knows that. I believe the chairman feels certainly as strongly if not more strongly than I do. I rose to be able to make a brief statement about the sanctuary bill as in morning business, if that is possible. The PRESIDING OFFICER. Without objection, it is so ordered. Stop Sanctuary Policies and Protect Americans Bill Mrs. FEINSTEIN. Madam President, I voted against Senator Vitter's bill. I believe it goes much too far. My longer statement is in the Record, but I want to respond to some of what I heard today. I do believe we should ensure that there is a notification prior to release of a dangerous individual with a criminal record, just as Senator Schumer said on this floor. I do believe we could take a narrow action to do just that. We could focus on dangerous individuals and not on all undocumented immigrants who happen to be taken into State or local custody. We could require notification without threatening vital law enforcement and local government funding, as Senator Vitter's bill does. I had an amendment prepared for the Judiciary Committee's consideration when the committee had scheduled the bill for markup over a series of weeks, but the committee canceled its markup, so we were on the floor today with a bill that has never been heard in full by the Judiciary Committee. Senator Vitter's bill includes a notification requirement and a detention requirement. It is not limited to those who are dangerous or have particular criminal records. It would cover a farmworker who was detained for a broken taillight or a mother who was detained for similar reasons, taking her away from her children. This is a standard that could be abused in another administration, and it is potentially a huge unfunded mandate to impose on States and localities. The bill would also impose lengthy criminal sentences at the Federal level for individuals coming across the border to see their families or to perform work that is vital to the economy of California and the Nation. For example, in California, virtually the majority, if not all, of the farmworkers are undocumented. It happens to be a fact. It is why the agriculture jobs bill was part of the immigration reform act which was before this body and passed this body and went to the House and had no action. Although Members on the other side state that this bill has support among law enforcement, I will note that the Major Cities Chiefs Association, the Major County Sheriffs' Association, the Fraternal Order of Police, the United States Conference of Mayors, and the National League of Cities are opposed to this bill or have submitted letters opposing threats to Federal law enforcement funding over this issue. So, bottom line, I do believe we should do something about the circumstance that led to the tragic murder of Kate Steinle, which occurred in my city and State, and the tragic murder of Marilyn Pharis, which happened in the middle part of my State. I will support a reasonable effort to do just that, but this is not a targeted effort. It is too broad, and so I opposed it. My full statement is in the Record, but because it was spoken about on the floor, I did want to add these words. I thank the Presiding Officer, and I yield the floor. The PRESIDING OFFICER. The Senator from North Carolina. Mr. BURR. Madam President, moving back to cyber security, we now have S. 754 before the Senate, and we have a managers' package that is pending. We have a number of amendments that have been accepted and incorporated in the managers' package. We have several amendments that we could not reach agreement on, but those Members have the opportunity to come to the Senate floor. The amendments are already pending. They can debate those amendments, and they can have a vote on their amendment. For Members who might just now be engaging or who have had an opportunity to further read the bill, there are still present opportunities to offer perfecting amendments. Let me suggest to my colleagues that when the vice chairman and I started down this road, we knew we couldn't reach unanimous consent of every company in the country and every Member of Congress. It was our goal, and I think we are pretty close to it when we look at the numbers. But there will be companies that object to this bill for some reason that I might not recognize. The vice chairman has said this and I have said it and I want to reiterate it another time: This bill is voluntary. It does not require any company in America to participate in this. It does not require any entity to turn over information to the Federal Government for purposes of the Federal Government partnering with that company to determine who hacked their system, who penetrated, and who exfiltrated personal data. If a company has made the determination that they don't want to support this bill for whatever reason, I am resigned to the fact that that is a debate between their customers and themselves. It is, in fact, their customers that have to question the actions of the company. I can confidently tell my colleagues that Senator Feinstein and I have done everything to make sure there is wholesome participation by companies on a voluntary basis. We see tremendous value in those parts of our government that are experts at processing attacks like this to be able to identify who did it and what tools were used but, more importantly, what software defensive mechanism we can put on our systems to limit any additional exfiltration of data and, more broadly, to the rest of the business community say: Here is an attack that is in progress. Here is the tool they are using. Here is how you defend your data. Now, we leave open, if we pass it, that there may be a company that decides they don't support this legislation. They can still participate in this program. Do we think if they get a call from the Department of Homeland Security or from the National Security Agency saying ``Here is an attack that is happening; here is the tool they are using,'' they are going to look at their system and say ``Is it in our system?'' They get the benefit of still participating and partnering with the Federal Government, even though they didn't support the legislation. [[Page S7339]] I know over the next day or so the vice chairman and I will concentrate on sharing with Members what is actually in the managers' package. We don't leave it up to staff just to cover it. Let me just briefly share 15 points that I would make about the managers' package. No. 1, it eliminates the government's uses for noncyber crimes; in other words, a removal of the serious violent felonies. No. 2, it limits the authorizations to share cyber threat information for cyber security purposes, period. No. 3, it eliminates new FOIA exemptions. In other words, everybody is under the same FOIA regulations that existed prior to this legislation being enacted. No. 4, it ensures defensive measures are properly limited. We can't get wild and put these things in places that government shouldn't be, regardless of what the threat is. No. 5, it includes the Secretary of Homeland Security as coauthor-- coauthor--of government-sharing guidelines. I think this is an incredibly important part. The individual who is in charge of Homeland Security, that Secretary, is actively involved in the guidelines that are written. No. 6, it clarifies exceptions to the DHS portal entry point for the transfer of information. No. 7, it adds a requirement that the procedures for government sharing include procedures for notifying U.S. persons whose personal information is known to have been shared in violation--in violation--of this act. In other words, if a company mistakenly transmits information, the government is required to notify that individual. But, additionally, the government is statutorily required not to disseminate that information to any other Federal agency once it comes in and is identified. No. 8, it clarifies the real-time automated process for sharing through that DHS portal. No. 9, it clarifies that private entities are not required to share information with the Federal Government or another private entity. No. 10, it adds a Federal cyber security enhancement title. No. 11, it adds a study on mobile device security. No. 12, it adds a requirement for the Secretary of State to produce an international cyber space policy strategy. No. 13, it adds a reporting provision concerning the apprehension and prosecution of international cyber criminals. No. 14, it improves the contents of the biannual report on CISA's implementation. My colleagues might remember, as some have raised issues on this, they have said: Why are there not more reports? There are biannual reports on the implementation and how it is done. No. 15, and last, is additional technical and conforming edits. Now, we didn't get into detail. We will get into detail later, but I say that because if that has in any way triggered with somebody who felt they were opposed to the bill because of something they were told was in it, maybe it was covered by one of those 15 things that I just talked about. They are things that were brought to the attention of the vice chairman and me, and we sat down and looked at it. If we didn't feel as though it changed the intent of the bill--and we have always erred on the side of protecting personal data, of not letting this legislation extend outside of what it was intended to do. Where we have drawn the line is when we believed that the effort was to thwart the effectiveness of this legislation. I will remind my colleagues one last time: This legislation does not prevent cyber attacks. This legislation is designed to minimize the loss of the personal data of the customers of the companies that are penetrated by these cyber actors. As we stand here today, we have had some rather significant breaches within the United States. I remind my colleagues that just today it was proposed that a high school student has hacked the unclassified accounts, the personal email, of the Secretary of the Department of Homeland Security and the Director of the CIA. Is there anybody who really thinks that this is going to go away because we are having a debate in the Senate and in the Congress of the United States, that the people who commit these acts and go without any identification are going to quit? No. It is going to become more rampant and more rampant and more rampant. From the standpoint of 2 of 15 Members who are designated by the U.S. Senate and its leadership to, on behalf of the other 85, look at the most sensitive information that our country can accumulate about threats, as many threads of threats as we look at today on the security of the American people, I think I can speak for the vice chairman: We are just as concerned about the economic security of the United States based upon the threat that we are faced with from cyber actors here at home and, more importantly, around the world. I urge my colleagues, if you have something to contribute, come to the floor and contribute it. If you have an amendment already pending, come to the floor and debate it and vote on it. Give us the ability to work through the great thoughts of all 100 Members, but recognize the fact that those individuals whom you have entrusted to represent you with the most sensitive information that exists in our country came to a 14-to-1 vote when they passed this originally out of the Intelligence Committee. That is because of how grave we see the threat and how real the attackers are. I thank the vice chairman. She has been absolutely wonderful to work with through this process. We are going to have a long couple of days if we process all of this, but I am willing to be here as long as it takes so that we can move on to conference with the House. I yield the floor. The PRESIDING OFFICER. The Senator from California. Mrs. FEINSTEIN. Madam President, I thank the chairman for those words. I have one little duty left. Amendment No. 2626 Madam President, I call for the regular order with respect to Whitehouse amendment No. 2626. The PRESIDING OFFICER. The amendment is now pending. Amendment No. 2626, as Modified Mrs. FEINSTEIN. I ask that the amendment be modified with the changes that are at the desk. The PRESIDING OFFICER. The amendment is so modified. The amendment, as modified, is as follows: At the end, add the following: SEC. __. STOPPING THE SALE OF AMERICANS' FINANCIAL INFORMATION. Section 1029(h) of title 18, United States Code, is amended by striking ``title if--'' and all that follows through ``therefrom.'' and inserting ``title if the offense involves an access device issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity organized under the laws of the United States, or any State, the District of Columbia, or other Territory of the United States.''. SEC. __. SHUTTING DOWN BOTNETS. (a) Amendment.--Section 1345 of title 18, United States Code, is amended-- (1) in the heading, by inserting ``and abuse'' after ``fraud''; (2) in subsection (a)-- (A) in paragraph (1)-- (i) in subparagraph (B), by striking ``or'' at the end; (ii) in subparagraph (C), by inserting ``or'' after the semicolon; and (iii) by inserting after subparagraph (C) the following: ``(D) violating or about to violate section 1030(a)(5) where such conduct has caused or would cause damage (as defined in section 1030) without authorization to 100 or more protected computers (as defined in section 1030) during any 1-year period, including by-- ``(i) impairing the availability or integrity of the protected computers without authorization; or ``(ii) installing or maintaining control over malicious software on the protected computers that, without authorization, has caused or would cause damage to the protected computers;''; and (B) in paragraph (2), by inserting ``, a violation described in subsection (a)(1)(D),'' before ``or a Federal''; and (3) by adding at the end the following: ``(c) A restraining order, prohibition, or other action described in subsection (b), if issued in circumstances described in subsection (a)(1)(D), may, upon application of the Attorney General-- ``(1) specify that no cause of action shall lie in any court against a person for complying with the restraining order, prohibition, or other action; and ``(2) provide that the United States shall pay to such person a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in [[Page S7340]] complying with the restraining order, prohibition, or other action.''. (b) Technical and Conforming Amendment.--The table of section for chapter 63 is amended by striking the item relating to section 1345 and inserting the following: ``1345. Injunctions against fraud and abuse.''. SEC. __. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE COMPUTER. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. Aggravated damage to a critical infrastructure computer ``(a) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer, if such damage results in (or, in the case of an attempted offense, would, if completed have resulted in) the substantial impairment-- ``(1) of the operation of the critical infrastructure computer; or ``(2) of the critical infrastructure associated with such computer. ``(b) Penalty.--Any person who violates subsection (a) shall, in addition to the term of punishment provided for the felony violation of section 1030, be fined under this title, imprisoned for not more than 20 years, or both. ``(c) Consecutive Sentence.--Notwithstanding any other provision of law-- ``(1) a court shall not place any person convicted of a violation of this section on probation; ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony violation of section 1030; ``(3) in determining any term of imprisonment to be imposed for the felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such violation to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, if such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28. ``(d) Definitions.--In this section ``(1) the terms `computer' and `damage' have the meanings given the terms in section 1030; and ``(2) the term `critical infrastructure' means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have catastrophic regional or national effects on public health or safety, economic security, or national security.''. (b) Table of Sections.--The table of sections for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: ``1030A. Aggravated damage to a critical infrastructure computer.''. SEC. __. STOPPING TRAFFICKING IN BOTNETS. (a) In General.--Section 1030 of title 18, United States Code, is amended-- (1) in subsection (a)-- (A) in paragraph (7), by adding ``or'' at the end; and (B) by inserting after paragraph (7) the following: ``(8) intentionally traffics in the means of access to a protected computer, if-- ``(A) the trafficker knows or has reason to know the protected computer has been damaged in a manner prohibited by this section; and ``(B) the promise or agreement to pay for the means of access is made by, or on behalf of, a person the trafficker knows or has reason to know intends to use the means of access to-- ``(i) damage the protected computer in a manner prohibited by this section; or ``(ii) violate section 1037 or 1343;''; (2) in subsection (c)(3)-- (A) in subparagraph (A), by striking ``(a)(4) or (a)(7)'' and inserting ``(a)(4), (a)(7), or (a)(8)''; and (B) in subparagraph (B), by striking ``(a)(4), or (a)(7)'' and inserting ``(a)(4), (a)(7), or (a)(8)''; (3) in subsection (e)-- (A) in paragraph (11), by striking ``and'' at the end; (B) in paragraph (12), by striking the period at the end and inserting ``; and''; and (C) by adding at the end the following: ``(13) the term `traffic', except as provided in subsection (a)(6), means transfer, or otherwise dispose of, to another as consideration for the receipt of, or as consideration for a promise or agreement to pay, anything of pecuniary value.''; and (4) in subsection (g), in the first sentence, by inserting ``, except for a violation of subsection (a)(8),'' after ``of this section''. Mrs. FEINSTEIN. I thank the Chair and yield the floor. Mr. BURR. I suggest the absence of a quorum. The PRESIDING OFFICER. The clerk will call the roll. The legislative clerk proceeded to call the roll. Mr. PERDUE. Madam President, I ask unanimous consent that the order for the quorum call be rescinded. The PRESIDING OFFICER. Without objection, it is so ordered. Sanctuary Cities Bill Mr. PERDUE. Madam President, I rise to speak very briefly about the Stop Sanctuary Cities Act, which I was proud to cosponsor in the Senate. Simply put, this legislation protects American citizens from criminal illegal immigrants. Today, at least 340 cities across our country are choosing not to enforce our Nation's immigration laws. These sanctuary cities have become a safe haven for criminals who are not only in the United States illegally but also are committing additional crimes and repeatedly reentering trying our country after being deported. This summer we witnessed the tragic impact this lawlessness has on American citizens when Kate Steinle was murdered in San Francisco, a sanctuary city, by a felon living in our country illegally and who was previously deported five separate times. Three months prior to Kate's tragic death, the Department of Homeland Security actually asked San Francisco to detain her murderer, but the sanctuary city refused to cooperate and released the criminal back into the community. Had they not done that, had they turned that person over to Homeland Security as they were requested, Kate might still be with us. This is unconscionable. I do not think I can overstate the importance of this Stop Sanctuary Cities Act to the American people and to the people of my home State of Georgia. The fact is that Kate Steinle did not have to die at the hands of a seven-time convicted felon and a five-time deportee. Kate and many others would not have died if our country had a functional immigration system and a government that actually enforces our laws. This is why it is absolutely crucial that we stop sanctuary cities and address this illegal immigration crisis, which has also become a national security crisis. This bill would have done just that, and yet we were not able to even get it on the floor to have a debate. This is what drives people in my home State absolutely apoplectic. We want to get these bills to the floor, have an open debate, and let's let Americans see how we all vote on critical issues like this. It is a very sad day, indeed, when this body cannot come together to stop rogue cities from breaking our Nation's laws, protecting the livelihood of American citizens, and support our law enforcement officials. I thank Senator Vitter and Chairman Grassley for working closely with the victims' families and law enforcement to produce this legislation. I hope we can continue to debate this and get this bill back on the floor. I will keep fighting to stop this lawlessness and protect all Americans. I yield the floor. I suggest the absence of a quorum. The PRESIDING OFFICER (Mr. Gardner). The clerk will call the roll. The legislative clerk proceeded to call the roll. Mr. WHITEHOUSE. Mr. President, I ask unanimous consent that the order for the quorum call be rescinded. The PRESIDING OFFICER. Without objection, it is so ordered. Mr. WHITEHOUSE. Mr. President, I ask unanimous consent to speak as in morning business for up to 20 minutes. The PRESIDING OFFICER. Without objection, it is so ordered. [...] Cloture Motion Mr. McCONNELL. Mr. President, I send a cloture motion to the desk for the Burr-Feinstein amendment No. 2716. The PRESIDING OFFICER. The cloture motion having been presented under rule XXII, the Chair directs the clerk to read the motion. The bill clerk read as follows: Cloture Motion We, the undersigned Senators, in accordance with the provisions of rule XXII of the Standing Rules of the Senate, do hereby move to bring to a close debate on the amendment No. 2716 to S. 754, a bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Mitch McConnell, John Cornyn, Johnny Isakson, Richard Burr, John McCain, Shelley Moore Capito, Orrin G. Hatch, John Thune, Chuck Grassley, Pat Roberts, John Barrasso, Jeff Flake, Lamar Alexander, Bill Cassidy, Deb Fischer, Susan M. Collins, Patrick J. Toomey. Cloture Motion Mr. McCONNELL. Mr. President, I send a cloture motion to the desk for the underlying bill, S. 754. The PRESIDING OFFICER. The cloture motion having been presented under rule XXII, the Chair directs the clerk to read the motion. The bill clerk read as follows: Cloture Motion We, the undersigned Senators, in accordance with the provisions of rule XXII of the Standing Rules of the Senate, do hereby move to bring to a close debate on S. 754, an original bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Mitch McConnell, John Cornyn, Johnny Isakson, Richard Burr, John McCain, Shelley Moore Capito, Orrin G. Hatch, John Thune, Chuck Grassley, Pat Roberts, John Barrasso, Jeff Flake, Lamar Alexander, Bill Cassidy, Deb Fischer, Susan M. Collins, Patrick J. Toomey. ____________________