[Congressional Record Volume 161, Number 154 (Wednesday, October 21, 2015)]
[Page S7368]


  Mr. REID. Mr. President, today the Senate turns its attention to the 
cybersecurity bill. It is way overdue. The bill, which is OK, is better 
than nothing--let's put it that way.
  The ranking member of the Intelligence Committee, Senator Feinstein, 
and the chairman of that committee, Senator Burr, have worked hard on 
this legislation, which addresses a serious national security issue. In 
fact, it is so serious that we should have addressed this topic long 
ago. We tried to. As Senate Democrats, we tried so very hard. We had a 
comprehensive cybersecurity bill on the floor 3 years ago which was 
much deeper and better than this one--3 years ago--but our Republican 
colleagues blocked us from even debating the bill. We couldn't even 
debate the bill. Why? They, the Republicans, were told the chamber of 
commerce didn't like it. At about the same time, the chamber of 
commerce's whole operation was hacked by the Chinese. The people who 
worked down there expected things to come out in English, but they came 
out in Chinese. But they didn't like the bill anyway, so they told the 
Republicans to oppose it, and they marched over here and opposed it.
  Democrats, however, realize cybersecurity is a serious issue. We know 
how important cybersecurity is for the national security of our country 
and the financial security of our economy.
  Even though this bill is not our perfect bill, we are going to 
cooperate with our Republican colleagues. Several months ago we reached 
an agreement with Republicans to begin debating this legislation, and 
now we can process it in an efficient and bipartisan manner.
  Would the Chair announce the business of the day.


[Congressional Record Volume 161, Number 154 (Wednesday, October 21, 2015)]
[Pages S7368-S7369]


  Mr. McCONNELL. Mr. President, earlier this year, millions of people 
were affected when the Obama administration was hit by a devastating 
cyber attack. It is an attack that has been described as ``one of the 
worst breaches in U.S. history,'' but it is hardly the last one we will 
  The challenges posed by cyber attacks are real, and they are broad. 
They threaten governments, businesses, and individuals. Americans see 
these threats in the public sector. For instance, as reports have 
indicated, the sensitive personal information of millions who purchase 
insurance through ObamaCare is especially vulnerable. Americans see 
these threats in the private sector as well. For instance, despite the 
cyber deal recently agreed upon between China and the administration, 
press reports indicate that Chinese hacking attempts on American 
companies and businesses appear to be continuing unabated. Americans 
also know that a cyber attack is essentially a personal attack on their 
own privacy. It is violating to think of strangers digging through our 
medical records and emails. It is worrying to think of criminals 
accessing credit card numbers and Social Security information.
  That is why the Senate will again consider bipartisan legislation to 
help Americans' most private and personal information. It would do so 
by defeating cyber attacks through the sharing of information. It 
contains modern tools that cybersecurity experts tell us could help 
prevent future attacks against both public and private sectors. It 
contains important measures to protect individual privacy and civil 
liberties. It has been carefully scrutinized by Senators of both 
parties. In short, this legislation is strong, transparent, and 
bipartisan. Republicans and Democrats joined together to pass this 
legislation through committee, the administration supports it, and the 
House has already passed similar legislation. With a little 
cooperation, we can pass it here shortly as well.
  The chair of the Intelligence Committee, Senator Burr, is working to 
set votes on pending amendments and has accommodated other Senators in 
the form of a substitute amendment. I wish to thank him for his hard 
work on this legislation. I wish to also thank

[[Page S7369]]

the vice chair, Senator Feinstein, as well. Every Senator should want 
to protect Americans' most private and personal information, which 
means every Senator should want to see this bill pass. With a little 
cooperation, we will.


[Congressional Record Volume 161, Number 154 (Wednesday, October 21, 2015)]
[Pages S7374-S7406]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]


  The PRESIDING OFFICER. Under the previous order, the Senate will 
resume consideration of S. 754, which the clerk will report.
  The legislative clerk read as follows:

       A bill (S. 754) to improve cybersecurity in the United 
     States through enhanced sharing of information about 
     cybersecurity threats, and for other purposes.


       Burr/Feinstein amendment No. 2716, in the nature of a 
       Burr (for Cotton) modified amendment No. 2581 (to amendment 
     No. 2716), to exempt from the capability and process within 
     the Department of Homeland Security communication between a 
     private entity and the Federal Bureau of Investigation or the 
     United States Secret Service regarding cybersecurity threats.
       Feinstein (for Coons) modified amendment No. 2552 (to 
     amendment No. 2716), to modify section 5 to require DHS to 
     review all cyber threat indicators and countermeasures in 
     order to remove certain personal information.
       Burr (for Flake/Franken) amendment No. 2582 (to amendment 
     No. 2716), to terminate the provisions of the Act after six 
       Feinstein (for Franken) modified amendment No. 2612 (to 
     amendment No. 2716), to improve the definitions of 
     cybersecurity threat and cyber threat indicator.
       Burr (for Heller) modified amendment No. 2548 (to amendment 
     No. 2716), to protect information that is reasonably believed 
     to be personal information or information that identifies a 
     specific person.
       Feinstein (for Leahy) modified amendment No. 2587 (to 
     amendment No. 2716), to strike the FOIA exemption.
       Burr (for Paul) modified amendment No. 2564 (to amendment 
     No. 2716), to prohibit liability immunity to applying to 
     private entities that break user or privacy agreements with 
       Feinstein (for Mikulski/Cardin) amendment No. 2557 (to 
     amendment No. 2716), to provide amounts necessary for 
     accelerated cybersecurity in response to data breaches.
       Feinstein (for Whitehouse/Graham) modified amendment No. 
     2626 (to amendment No. 2716), to amend title 18, United 
     States Code, to protect Americans from cybercrime.
       Feinstein (for Wyden) modified amendment No. 2621 (to 
     amendment No. 2716), to improve the requirements relating to 
     removal of personal information from cyber threat indicators 
     before sharing.


  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Mr. NELSON. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.

[[Page S7376]]

  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. NELSON. Mr. President, I will vote for the cyber security bill. 
Obviously, this is a whole new era of attack on our country. On 
September 11, 2001, we certainly realized that the two big oceans on 
either side of our country that had protected us for centuries--the 
Atlantic and the Pacific--no longer provided that protection because we 
could see, in the case of 2001, an attack from within. Thus, that 
revised so much of our defense strategy.
  Now we see the other kind of attack from within that is stealthy, 
insidious, and it is constant because the cyber attacks are coming to 
the U.S. Government as well as the U.S. industry, the business 
community, and U.S. citizens. The threat of cyber attack is vast and it 
is varied, from cyber criminals who steal personal information such as 
credit card and Social Security numbers, to foreign governments or 
state-sponsored groups that steal sensitive national security 
information, that steal our intellectual property, and that put at risk 
our economy and critical infrastructure.
  I want to give one example of obtaining Social Security numbers 
through cyber attacks or through other means. What we found in Tampa, 
FL, is that street crime actually subsided because the criminals had 
figured that either by cyber attacks or by other means of getting 
Social Security numbers, they could file false income tax returns and 
request refunds. So with a laptop, they could do what they had done 
previously by breaking into and entering someone's home to steal money, 
and it was so much easier. And that is just one small example, but just 
the theft of security numbers, which they use on false income tax 
returns--we think that is an attack which is costing the U.S. 
Government, in income tax, at least $5 billion a year.
  We have heard all about these attacks. Some of us in the Senate have 
been affected by these attacks. How many times have we heard that 
hackers have stolen our names, our addresses, our credit card numbers? 
Look what the hackers did to 40 million Target customers and 56 million 
Home Depot customers. They accessed checking and savings account 
information of 76 million J.P. Morgan Bank customers. They stole the 
personal information of 80 million customers of the health insurance 
company Anthem. Those are a few examples. Target, Home Depot, J.P. 
Morgan, Anthem--that is just a handful of examples. Also, remember that 
North Korea hacked Sony. Iran hacked the Sands Casino. China hacked the 
U.S. Government Office of Personnel Management. They have your 
information and they have my information because our information is 
with the Office of Personnel Management.
  The attacks keep coming. We are hearing from homeland security, 
defense, intelligence, and private sector leaders that we have to take 
this threat seriously and do something about it.
  I must say that it was one of the most frustrating things for this 
Senator, as a former member of the Senate Intelligence Committee, when 
we were trying to pass this very same bill 3 and 4 years ago and the 
business community, as represented by the U.S. Chamber of Commerce, 
wanted nothing to do with it because they thought it was an invasion of 
their privacy. Times have changed, and the hacking continues.
  We see that finally we are able to get through and put together a 
bill on which I think we can get broad support from many different 
groups that are concerned about privacy and about sharing of 
information in the business community. This bill provides the means for 
the government and the private sector to share cyber threat information 
while taking care to protect the personal information and privacy of 
our people. We all face the same threat, and our adversaries use 
similar malware and techniques. Sharing information is critical to our 
overall cyber security.
  What this does is it directs the Director of National Intelligence, 
working with other agencies and building on the information sharing 
that is already taking place, to put cyber threat information in the 
hands of the private sector to help protect businesses and individuals. 
It authorizes private companies to monitor and defend their networks 
and share with each other and the government at all levels the cyber 
threats and attacks--all levels of government: State, local, tribal, 
and Federal. This is a point of contention because these activities are 
strictly voluntary. That is part of the problem we had 3 and 4 years 
ago in trying to enact this legislation. It is strictly voluntary, 
limited to cyber security purposes, and subject to reasonable 
restrictions and privacy protections.
  The bill also creates the legal certainty and incentives needed to 
promote further sharing of information.
  So what the legislation does is it sets up a hub or a portal inside 
the Department of Homeland Security where cyber threat information 
comes in, it is scrubbed of irrelevant personal information, and then 
it is shared inside and outside the government quickly and efficiently 
because, after all, if you have a cyber attack somewhere in America 
that suddenly has the opportunity to explode in its application, you 
have to have a central point at which you can coordinate that cyber 
attack. That is what this portal, this hub in the Department of 
Homeland Security is set up to do.
  This Senator feels that this bill balances the urgent need to address 
the threat of continued cyber attacks with privacy concerns. As the 
vice chair of the Intelligence Committee said yesterday, this bill is 
just the first step.
  I am delighted that Senator Feinstein just walked onto the floor of 
the Senate. I am quoting what the Senator said yesterday: We can and we 
ought to do more to improve our Nation's cyber security.
  I say through the Chair to the distinguished senior Senator from 
California that I have shared with the Senate my frustration over the 
last 4 years, as a former member of the Senate Intelligence Committee, 
that it was so hard to get people to come together. But now, finally, 
even though it is voluntary, we at least have a point at which, when a 
cyber attack comes somewhere in America, we can centralize that, it can 
be scrubbed of private information, and then it can be shared in our 
multiplicity of levels of government and the private sector to help 
defend against the cyber attacks.
  These cyber attacks are coming every day. They are relentless. If we 
don't watch out, what is going to happen has already happened to 
someone and it is going to be happening to innumerable American 
businesses. I strongly urge the Senate to pass this legislation.
  Since the senior Senator from California is on the floor, I wish to 
take this opportunity to thank her for her perspicacity, her patience, 
and her stick-to-itiveness. Finally, 4 years later, it is here, and we 
are going to pass it this week. I thank the Senator from California.
  Mr. President, I yield the floor.
  The PRESIDING OFFICER. The Senator from California.
  Mrs. FEINSTEIN. Mr. President, I would like to respond to what the 
distinguished Senator from Florida said.
  Senator, you know what a pleasure it was to have you on the 
intelligence committee. I think you understand the time that we have 
spent to get this bill done, which is now about 6 years, and to take 
this first step, not because it is a perfect step but because it is a 
first step that is voluntary, with new authorities that people and 
companies can use if they want to, and if they don't want to, they 
don't have to. If they want to, it can be effective in enabling 
companies to share cyber security information and therefore protect 
themselves. I know you understand this. I am so grateful for that 
understanding and for your help.
  Mr. NELSON. Mr. President, will the Senator yield for a question?
  Mrs. FEINSTEIN. I will.
  Mr. NELSON. Will the Senator share her thoughts with the Senate about 
how the Nation's national security defense depends on us being able--we 
have the guns, the tanks, the airplanes, the missiles, and all of that, 
but there is a new type of threat against the very security of this 
Nation, and this legislation is a first step.
  Mrs. FEINSTEIN. I can try to. I remember that in 2008 there were two 
significant cyber bank robberies: the Royal Bank of Scotland, I think 
for $8 million, and Citibank for $10 million. This was not public right 
away because nobody wanted it known. Then you see the more recent 
attacks of Aramco

[[Page S7377]]

being taken down, Sony, and it goes on and on. The information is not 
often shared publicly by companies who should be asking: This happened 
to our company; can you share anything that might help us handle this? 
That kind of thing doesn't happen because everybody is afraid of 
liability, and so it is very concerning.

  I remember when Joe Lieberman was chairman of the homeland security 
committee, which had a bill. As the Senator will remember, we had the 
information sharing part of that bill, and we sat down with the U.S. 
Chamber of Commerce, I believe on three occasions, to try to work out 
differences, and we couldn't. The U.S. Chamber of Commerce is massive 
and all over the United States. It includes small businesses, medium-
sized businesses, and some big businesses, and there was deep concern 
among its members. That took years to work out.
  Finally, the Senate may be ready to take a first step, and this first 
step is to permit the voluntary sharing of cyber information, which, if 
it is stripped of private data, will be protected with liability 
immunity and protected because it goes through a single DHS portal and 
doesn't go directly to the intelligence community, which was a big 
concern to the private community. All of this has been worked out in 
order to try to come up with a basis for taking this first step.
  I am sorry the Senator is no longer on our committee because my 
friend was really a great asset, and Florida is lucky to have my friend 
and colleague as their Senator.
  This is just the beginning. All of the iterations on this cyber 
legislation have been bipartisan, so that has to say something to 
people. We have learned as we have done the drafting on this, and we 
have very good staff who are technically proficient. So they know what 
can work and what can't work.
  I hope I have answered that question from the Senator from Florida. 
If I can, I will go on and make some remarks on the managers' 
  Yesterday Senator Burr and I spoke on this floor to describe the 
Cybersecurity Information Sharing Act of 2015, which is now the pending 
business. Senator Burr filed a managers' package on behalf of both of 
us, and I will quickly run through that package.
  This amendment is the product of bipartisan negotiations over the 
past several weeks within the Intelligence Committee and with sponsors 
of other amendments to the bill. The managers' amendment makes several 
key changes to the bill to clarify authorization language, improve 
privacy protections, and make technical changes. It also--and I think 
this is of note--includes the text of 14 separate amendments. Those 
amendments were offered by our colleagues and I am pleased that we are 
able to add them to this legislation.
  In sum, this amendment has two main components. It makes important 
changes to the bill that we announced in August to address privacy 
concerns about the legislation. Second, it includes several amendments 
authored by our colleagues that had agreement on both sides of the 
aisle. I will run through these amendments that will be part of the 
managers' package, and I do so hopefully to reassure Members that these 
are positive amendments.
  First, it eliminates a provision on government use of cyber 
information on noncyber crime. The managers' amendment eliminates a 
provision in the committee-passed bill that would have allowed the 
government to use cyber information to investigate and prosecute 
``serious violent felonies.'' Eliminating this provision is a very 
significant privacy change. We made this change because it has been a 
top bipartisan concern and the provision had been used by privacy 
groups to claim that this is a surveillance bill. As the chairman made 
clear on the floor yesterday, it is not. One of the reasons it is not 
is because it prohibits the government from using information for 
crimes unrelated to cyber security.
  Let me be clear. The chairman said it, and I will say it today. This 
is not a surveillance bill. We have eliminated this provision and 
helped, I believe, to eliminate these concerns. So, please, let us not 
speak of this bill as something that it isn't.
  Second, it limits the authorization to share cyber threat information 
to cyber security purposes. The managers' amendment limits the 
authorization for sharing cyber threat information provided in the bill 
to sharing for cyber security purposes only. This is another 
significant privacy change, and it has been another top bipartisan and 
privacy group concern.
  Third, it eliminates a new FOIA exemption. The managers' amendment 
eliminated the creation of a new exemption in the Freedom of 
Information Act specific to cyber information that was in the 
committee-passed bill. Cyber threat indicators and defensive measures 
shared in accordance with the bill's procedures would still be eligible 
for existing FOIA exemptions, but it doesn't add new ones.
  Four, it ensures that defensive measures are properly limited. The 
bill allows a company to take measures to defend itself, as one might 
expect, and the managers' amendment clarifies that the authorization to 
employ defensive measures does not allow an entity to gain unauthorized 
access to a computer network.
  Five, it includes the Secretary of Homeland Security as coauthor of 
the government-sharing guidelines. The managers' amendment directs both 
the Attorney General and the Secretary of Homeland Security, rather 
than solely just the Attorney General, to develop policies and 
procedures to govern how the government quickly and appropriately 
shares information about cyber threats. That should be a no-brainer.
  Six, it clarifies exceptions to the Department of Homeland Security's 
so-called portal. The managers' amendment clarifies the types of cyber 
information sharing that are permitted to occur outside the DHS portal 
created by the bill. Specifically, the bill narrows communications 
outside of the Department of Homeland Security portal regarding 
previously shared cyber threat information.
  Seven, it requires procedures for notifying U.S. persons whose 
personal information has been shared by a Federal entity in violation 
of the bill. The managers' amendment adds a modified version of Wyden 
amendment No. 2622, which requires the government to write procedures 
for notifying U.S. persons whose personal information is known or 
determined to have been shared by the Federal Government in a manner 
inconsistent with this act.
  Eight, it clarifies the real-time automated process for sharing 
through the DHS portal. Here the managers' amendment adds a modified 
version of the Carper amendment No. 2615, which clarifies that there 
may be situations under which the automated real-time process of the 
DHS portal may result in very limited instances of delay, modification 
or other action due to the controls established for the process. The 
clarification requires that all appropriate Federal entities agree in 
advance to the filters, fields or other aspects of the automated 
sharing system before such delays, modifications or other actions are 
  Senator Carper has played a very positive role on this issue. He is 
the ranking member on the homeland security committee. He sat down with 
both Senator Burr and me earlier this year. He has proposed some very 
good changes, and this is one of them, which is in the managers' 
  Also, the clarification ensures that such agreed-upon delays will 
apply across the board uniformly to all appropriate Federal entities, 
including the Department of Homeland Security.
  This was an important change for both Senator Carper and Senator 
Coons and for the Department of Homeland Security. I am pleased we were 
able to reach agreement on it. Essentially, it will allow a fast real-
time filter--and I understand this can be done--that will do an 
additional scrub of information going through that portal before the 
cyber information goes to other departments to take out anything that 
might be related to personal information, such as a driver's license 
number, an account, a Social Security number or whatever it may be. DHS 
believes they can put together the technology to be able to do that 
scrub in as close to real time as possible.
  This should be very meaningful to the privacy community, and I really 
hope it is meaningful because I want to believe that their actions are 
not just to try to defeat this bill, but that their actions really are 
to make the bill better. If I am right, this is a very important 

[[Page S7378]]

  Again, I thank Senator Carper and Senator Coons, and I also thank the 
chairman for agreeing to put this in.
  Nine, it clarifies that private entities are not required to share 
information with the Federal Government or another private entity. This 
is clear now. This amendment adds the Flake amendment No. 2580, which 
reinforces this bill's core voluntary nature by clarifying that private 
entities are not required to share information with the Federal 
Government or another private entity.
  In other words, if you don't like the bill, you don't have to do it. 
So it is hard for me to understand why companies are saying they can't 
support the bill at this time. There is no reason not to support it 
because they don't have to do anything. There are companies by the 
hundreds, if not thousands, that want to participate in this, and this 
we know.
  Ten, it adds a Federal cyber security enhancement title. The 
managers' amendment adds a modified version of another Carper 
amendment, which is No. 2627, the Federal Cybersecurity Enhancement Act 
of 2015, as a new title II of the cyber bill. The amendment seeks to 
improve Federal network security and authorize and enhance an existing 
intrusion detection and prevention system for civilian Federal 
  Eleventh, we add a study on mobile device security. The managers' 
amendment adds a modified version of the Coats amendment No. 2604, 
which requires the Secretary of Homeland Security to carry out a study 
and report to Congress on the cyber security threats to mobile devices 
of the Federal Government.
  I wish to thank Senator Coats, who is a distinguished member of the 
Intelligence Committee and understands this bill well, for this 
  Twelfth, it adds a requirement for the Secretary of State to produce 
an international cyber space policy strategy. The managers' amendment 
adds Gardner/Cardin amendment No. 2631, which requires the Secretary of 
State to produce a comprehensive strategy focused on United States 
international policy with regard to cyber space.
  It is about time we do something like this. I am personally grateful 
to both Senators Gardner and Cardin for this amendment.
  Thirteenth, the managers' amendment adds a reporting provision 
concerning the apprehension and prosecution of international cyber 
criminals. The managers' amendment adds a modified version of Kirk-
Gillibrand amendment No. 2603, which requires the Secretary of State to 
engage in consultations with the appropriate government officials of 
any country in which one or more cyber criminals are physically present 
and to submit an annual report to appropriate congressional committees 
on such cyber criminals.
  It is about time that we get to the point where we can begin to make 
public more about cyber attacks from abroad because it is venal, it is 
startling, it is continuing, and in its continuation, it is growing 
into a real monster. Let there be no doubt about that.
  Fourteenth, it improves the contents of the biennial report on 
implementation of the bill. The managers' amendment adds a modified 
version of the Tester amendment No. 2632, which requires detailed 
reporting on, No. 1, the number of cyber threat indicators received 
under the DHS portal process--good, let's know--and, No. 2, the number 
of times information shared under this bill is used to prosecute 
certain cyber criminals. If we can catch them, we should. We should 
know when prosecutions are made. Then, No. 3 is the number of notices 
that were issued, if any, for a failure to remove personal information 
in accordance with the requirements of this bill.
  Mr. President, I am spending a great deal of time on these details 
because there are rumors beginning to circulate that the bill does this 
or does that, which are not correct. This managers' package is a major 
effort to encapsulate what Members on both sides had concerns about. 
And I think the numbers of Republican and Democratic amendments that 
are incorporated are about equal.
  Fifteenth, this managers' amendment improves the periodic sharing of 
cyber security best practices with a focus on small businesses. The 
managers' amendment adds the Shaheen amendment No. 2597, which promotes 
the periodic sharing of cyber security best practices that are 
developed in order to assist small businesses as they improve their 
cyber security.
  I think this is an excellent amendment and Senator Shaheen should be 
  Sixteenth, the managers' amendment adds a Federal cyber security 
workforce assessment title. The managers' amendment adds Bennet-Portman 
amendment No. 2558, the Federal Cybersecurity Workforce Assessment Act, 
as a new title III to this bill. The title addresses the need to 
recruit a highly qualified cyber workforce across the Federal 
  There are just a few more, but, again, I do this to show--and the 
chairman is here--that we have listened to the concerns from our 
colleagues and we have tried to address them, so nobody should feel we 
are ramming through a bill and that we haven't considered the views 
from others. The managers' amendment is, in fact, a major change to the 
bill that reflects this collegial--sometimes a little more exercised, 
but collegial--discussion. Does the chairman agree?
  Mr. BURR. Mr. President, I appreciate the opportunity to say that I 
totally agree. The vice chairman and I have worked aggressively for the 
entirety of the year where we had differences, and we found ways to 
bridge those differences, where we heard from Members, where we heard 
from associations, where we heard from businesses. We worked with them 
to try to accommodate their wishes, as long as it stayed within the 
spirit of what we were trying to accomplish, which is information 
sharing in a voluntary capacity.
  The vice chair and I came to the floor yesterday and said if an 
amendment--if an initiative falls outside of that, then we will stand 
up and oppose it because we understand the role this legislation should 
play in the process.
  The vice chairman said this is the first step. I don't want to scare 
Members, but there are some other steps. We are not sure what they are 
today or we would be on the floor suggesting those, but if we can't 
take the first step, then it is hard to figure out what the next and 
the next and the next are. So I am committed to continuing to work with 
the vice chairman and, more importantly, with all Members to 
incorporate their great suggestions as long as we all stay headed in 
the same direction, and I know the vice chairman and I are doing that.
  Mrs. FEINSTEIN. Mr. President, I thank the chairman very much. If I 
may, through the Chair, I want the chairman to know how much I 
appreciate this tack he has taken to be flexible and willing throughout 
this process, which extends into this managers' package. So I believe--
I truly believe--what we have come up with in this managers' package 
and what Members have contributed to it makes it a better cyber bill. I 
know the chairman feels the same way. We can just march on shoulder to 
shoulder and hopefully get this done.
  I will finish up the few other items I have to discuss because I want 
people who have concerns to listen to what is being said because these 
changes have a major impact on the bill.
  Next, No. 17 establishes a process by which data on cyber security 
risks or incidents involving emergency response information systems can 
be reported. The managers' amendment adds Heitkamp amendment No. 2555, 
which requires the Secretary of Homeland Security to establish a 
process by which a statewide interoperability coordinator may report 
data on any cyber security risk or incident involving emergency 
response information systems or networks. This is a process for 
reporting, and certainly we need to know more.
  Next, No. 18 requires a report on the preparedness of the health care 
industry to respond to cyber security threats, and the Secretary of 
Health and Human Services to establish a health care industry cyber 
security task force. The managers' amendment adds Alexander-Murray 
amendment No. 2719. This is a reporting requirement to improve the 
cyber security posture of the health care industry.
  I don't think anyone wants to have their health care data hacked 
into. This is deeply personal material and it should be inviolate.

[[Page S7379]]

  The provision requires the Secretary of Health and Human Services to 
submit a report to Congress on the preparedness of the health care 
industry to respond to cyber security threats. If we really want to 
help protect health care information, we have to know what is going on, 
and that is what this amendment enables. It also requires the Secretary 
to establish a health care industry cyber security task force.
  Next is No. 19, which requires new reports by inspectors general. The 
managers' amendment adds a modified version of the Hatch amendment No. 
2712, which requires relevant agency inspectors general to file reports 
with appropriate committees on the logical access standards and 
controls within their agencies.
  Let's know what standards and what controls they have. I think it is 
a very prudent request of the Senator from Utah, and I am glad we were 
able to include it.
  Next is No. 20, which adds a requirement for the DHS Secretary to 
develop a strategy to protect critical infrastructure at the greatest 
risk of a cybersecurity attack. The managers' amendment adds the 
Collins amendment No. 2623, which requires DHS to identify critical 
infrastructure entities at the greatest risk of a catastrophic cyber 
security incident.
  This is where we have had a number of concerns recently. The 
chairman's staff and my staff are working on this. Remember, this is a 
voluntary bill, and we do not want any language that might be 
interpreted to imply that this is not a voluntary bill. I know Senator 
Collins has a lot of knowledge of this area, and I believe we are going 
to be able to work this out.
  This amendment does not convey any new authorities to the Secretary 
of Homeland Security to require that critical infrastructure owners and 
operators take action, nor does it mandate reporting to the Federal 
Government. Its intent, which I applaud, is for the government to have 
a better understanding of those critical infrastructure companies that, 
if hacked, could cause extremely significant damage to our Nation.
  In conclusion, I would like to thank my colleagues for their 
thoughtful and helpful amendments. I am pleased that we have such a 
fulsome managers' package. I believe this managers' package strengthens 
our bill. It adds important clarifications, including meaningful 
privacy protections, it does not do operational harm, and it further 
improves the strong bill that the Intelligence Committee passed by a 
strong vote of 14 to 1 earlier this year.
  I wanted to do this so that all Members know what is in the managers' 
package, and both the chairman and I believe that these additions are 
in the best interests of making a good bill even better.
  I thank the Presiding Officer, and I yield the floor.
  The PRESIDING OFFICER (Mr. Sasse). The Senator from Alaska.
  Mr. SULLIVAN. Mr. President, I wish to acknowledge the remarks of the 
distinguished Senator from California and the Senator from North 
Carolina, and I thank them for their important work on the cyber bill. 
I know we are going to be discussing a lot of that, and why it is 
important to our national security.


                    Amendment No. 2612, as Modified

  Mrs. FEINSTEIN. Mr. President, I call for the regular order with 
respect to the Franken amendment No. 2612.
  The PRESIDING OFFICER. The amendment is now pending.

                Amendment No. 2612, as Further Modified

  Mrs. FEINSTEIN. Mr. President, I ask that the amendment be further 
modified to correct the instruction line in the amendment.
  The PRESIDING OFFICER. The amendment is so further modified.
  The amendment, as further modified, is as follows:

       Beginning on page 4, strike line 9 and all that follows 
     through page 5, line 21, and insert the following:

     system that is reasonably likely to result in an unauthorized 
     effort to adversely impact the security, availability, 
     confidentiality, or integrity of an information system or 
     information that is stored on, processed by, or transiting an 
     information system.
       (B) Exclusion.--The term ``cybersecurity threat'' does not 
     include any action that solely involves a violation of a 
     consumer term of service or a consumer licensing agreement.
       (6) Cyber threat indicator.--The term ``cyber threat 
     indicator'' means information that is necessary to describe 
     or identify--
       (A) malicious reconnaissance, including anomalous patterns 
     of communications that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat or security vulnerability;
       (B) a method of defeating a security control or 
     exploitation of a security vulnerability;
       (C) a security vulnerability, including anomalous activity 
     that appears to indicate the existence of a security 
       (D) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     unwittingly enable the defeat of a security control or 
     exploitation of a security vulnerability;
       (E) malicious cyber command and control;
       (F) the harm caused by an incident, including a description 
     of the information exfiltrated as a result of a particular 
     cybersecurity threat;
       (G) any other attribute of a cybersecurity threat, if 
     disclosure of such information is not otherwise prohibited by 
     law; or

  Mrs. FEINSTEIN. Thank you.
  The PRESIDING OFFICER. The Senator from North Carolina.

                    Amendment No. 2581, as Modified

  Mr. BURR. Mr. President, I call for the regular order with respect to 
the Cotton amendment No. 2581.
  The PRESIDING OFFICER. The amendment is now pending.
  The Senator from Louisiana.


  Mr. GRASSLEY. Mr. President, I rise to express my strong support for 

[[Page S7384]]

bill before the Senate, S. 754, the Cybersecurity Information Sharing 
Act, and I want to thank the bill's managers for their leadership in 
drafting this bill and putting a lot of hard work into the bill.
  Cyber security challenges that threaten us are very real challenges. 
We receive almost daily reminders of the importance of effective cyber 
security to protect our private data and the safety and security of the 
entire Nation from cyber attacks. These attacks have compromised the 
personal information of so many Americans as well as sensitive national 
security information. That national security issue might even be the 
biggest of the ones we hope to deal with.
  The legislation before us will encourage the government and the 
private sector to work together to address these cyber security 
challenges. This bill helps create a strong legal framework for 
information sharing that will help us respond to these threats. The 
bill authorizes private companies to voluntarily share cyber threat 
information with each other and with the government. In turn, the bill 
permits the government to share this type of information with private 
  The bill reduces the uncertainty and, most importantly, the legal 
barriers that either limit or prohibit the sharing of cyber threat 
information today. At the same time, the bill includes very significant 
privacy protections to strike a balance between maintaining security 
and protecting our civil liberties. For example, it restricts the 
government from acquiring or using cyber threat information except for 
limited cyber security purposes.
  So, as I did at the beginning, I want to salute the leadership of the 
chair and vice chair of the Select Committee on Intelligence, Senator 
Burr and Senator Feinstein, for their efforts on this bill. I know from 
the last couple of Congresses that this type of legislation isn't easy 
to put together. In the 112th Congress, I cosponsored cyber security 
legislation along with several of my colleagues. This involved working 
across several committees of jurisdiction. Last Congress, as then-
ranking member of the Judiciary Committee, I continued to work with the 
Select Committee on Intelligence and others on an earlier version of 
this bill. Unfortunately, Democratic leadership never gave the Senate 
an opportunity to debate and to vote on that bill in the last Congress.
  Senators Burr and Feinstein were undaunted, however, and this 
Congress they diligently worked and continued to seek input from 
relevant committees of jurisdiction, including the Judiciary Committee 
that I chair. They incorporated the views of a broad range of Senators 
and worked to address the concerns of stakeholders outside of the 
Congress. This has produced their managers' amendment.
  This is a bill that enjoys broad bipartisan support. As with most 
pieces of legislation that come before the Senate, it is not a perfect 
piece of legislation from any individual Senator's point of view, but 
in finding common ground, it has turned out to be a good bill that 
addresses a very real problem.
  It is time for us to do our job and to vote. This is how the Senate 
is supposed to work. Now is the time for action because the question 
isn't whether there will be another cyber attack, the question is when 
that attack will happen.
  I yield the floor.
  I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Mr. BURR. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. BURR. Mr. President, I am here to briefly talk on S. 754, the 
cyber security bill. Yesterday Vice Chairman Dianne Feinstein and I 
came to the floor and encouraged our Members who had amendments or who 
had an interest in debating the bill to come to the floor. It was my 
hope that we could finish in a couple of days with the cooperation of 
Members. We have not gotten that level of cooperation. Therefore, this 
will take several more days to finish. But it doesn't lessen the 
importance for those Members who have amendments in the queue--meaning 
they are pending--to come to the floor and talk about their amendments 
if they would like to. At some point, we will culminate this process, 
and those amendments that have yet to be disposed of will have votes 
with a very limited amount of debate time included.
  It is my hope that we will have a wholesome debate and that people 
will have an opportunity to know what is in this bill if they don't 
today. But more importantly, through that debate we are able to share 
with the American people why a cyber security bill is so important and, 
more importantly, why we have done it in a way that we think it will be 
embraced and endorsed by not just corporate America but by individuals 
throughout the country.
  Let me announce today that this bill will be done either Monday 
evening or Tuesday morning based upon what the leadership on both sides 
can agree to as it relates to the debate. The Vice Chair and I also 
came to the floor and we made this statement: We have worked 
aggressively in a bipartisan way to incorporate in the managers' 
package, which is currently pending, 14 amendments, and 8 of those 
amendments were included in the unanimous consent agreement made 
earlier this year when we delayed consideration of the bill until the 
day when we moved forward. There were several amendments on which we 
weren't able to reach an agreement or that we believed changed the 
policy significantly enough that this was not just an information 
sharing bill that was voluntary for corporations throughout this 
country. In the absence of being able to keep this bill intact in a way 
that we thought we needed to, the Vice Chairman and I have agreed to 
lock arms and to be opposed to those additional amendments.
  Having said that, the debate to date has focused on the fact that 
there are technology companies across this country that are opposed to 
this bill. Yesterday the Vice Chairman and I repeatedly reminded our 
colleagues and the American people that this is a voluntary bill. There 
is nothing mandatory in it. The reality is that if you don't like what 
is in this, if for some reason you don't want to participate in what I 
would refer to as a community watch program--it is real simple; it is 
voluntary--do not participate. Choose not to inform the Federal 
Government when hackers have penetrated your system and stolen personal 
data out of it. Just choose not to tell us. But do not ruin it for 
everybody else. In a minute I am going to go through again why I think 
the cyber security bill should become law, why I think this is the 
first step of how we protect the personal data of the American people, 
and why hundreds, if not thousands, of businesses support this 
information sharing bill. But I can't stress that enough for those who 
oppose this. Most of them are, in fact, companies that hold the most 
private data in the world. Let me say that again. Those who are 
expressing opposition to this bill hold the largest banks of personal 
data in the world.
  The decision as to whether they are for the bill or against the bill 
is their decision. The decision whether they utilize this voluntary 
program to further protect the personal data that is in their system is 
between them and their customers. But I have to say that it defies 
reason as to why a company that holds that much personal data wouldn't 
at least like to have the option of being able to partner with the 
Federal Government in an effort to minimize data loss, whether it is at 
their company or whether it is in their industry sector or whether it 
is in the global economy as a whole.
  The last time I checked, the health of U.S. businesses was reliant on 
the health of the U.S. economy, and the health of the U.S. economy is 
affected by the health of the global economy. I know the Presiding 
Officer understands that because he was in business like I was for 17 
  It really does concern me that one could be opposed to something that 
insulates the U.S. economy from having an adverse impact by the cyber 
security act and believes that they are OK even though it might tank 
the U.S. economy.
  At the end of the day, I want to try to put this in 101 terms, the 
simplest terms of what the information sharing bill does. I am going to 
break it into three baskets. It is about business to

[[Page S7385]]

business. This bill allows a company that has been hacked--where 
somebody has penetrated their computer system and has access to their 
data--to immediately pick up the phone and call their competitor and 
ask their competitor whether they have had a similar penetration of 
their system.

  It is only reasonable to expect that the first person you would go to 
is a company that has a business that looks exactly like yours. In that 
particular case, this legislation provides that company with protection 
under the anti-trust laws. Anti-trust forbids companies from 
collaborating together. What we say is that if it has do with 
minimizing the loss of data, we want to allow the collaboration of 
competitors for the specific reason of discussing a cyber attack.
  The Senate recognizes I have designed something in this that doesn't 
require a corporate lawyer to sit in the room when the decision is 
made. I have no personal dislike for lawyers other than the fact that 
they slow things down. To minimize the loss of data means you have to 
have a process that goes in real time from the bottom of the chain all 
the way to the decisionmaking and the communication back down, not only 
to that business, but to the entire economy. Having a lawyer that has 
to think whether we can legally do this defeats the purpose of trying 
to minimize data loss. So we give them a blanket exemption under the 
anti-trust laws so they know up front that they can pick up the phone 
and call their competitor, and there is no Justice Department that will 
come down on them as long as they confine it to the discussion of cyber 
  At the same time we initiate what I call business to government, 
which means that when the IT department is talking to their competitor, 
the IT department can put out a notification through the Federal portal 
that they have been attacked, and that initiates the exchange of a 
limited amount of information that has been predetermined by everybody 
in the Federal Government who needs to do the forensics of who 
attacked, what tool they used, and what defensive mechanism could be 
put up in the way of software that would eliminate the breach.
  In the statute we have said, one, you can't transmit personal data 
unless it is absolutely crucial to understanding the forensics of the 
attack. We have also said in statutory language to the government 
agencies: If for some reason personal data makes it through your 
filters, you cannot transmit that personal data anywhere else within 
the Federal Government or to the public.
  We have gone to great lengths to make sure that personal data is not 
disclosed through the notification process of a hack. I understand that 
the personal data has already been accessed by the individual who 
committed the act, but we want to make sure that the government doesn't 
contribute to the distribution of that data.
  In order to create an incentive in a voluntary program for a business 
to initiate that notification to the Federal Government, we provide 
liability protection. Anytime a company allows personal data or data on 
their business to get out, there could potentially be a shareholder's 
suit. What we do is provide a blanket liability protection to make sure 
that a company can't be sued for the government notification of a 
security breach where data has been removed and it is in the best 
interest of the government to know it, to react to it, and for the 
general population of businesses in America to understand it.
  So we have business-to-business collaboration with your competitor, 
anti-trust protection, business-to-government liability protection, no 
personal data transmitted, and the last piece is government to 
  It is hard for me to believe that the government didn't have the 
statutory authority to convey to businesses across America when a cyber 
attack is in progress. The Federal Government has to be asked to come 
in and typically will be asked by the company that has been attacked, 
but how about their competitors? How about the industry sector? How 
about the whole U.S. economy? There is no authority to do that. This 
bill creates the authority in the Federal Government to receive that 
information from a company that has been penetrated, to process it, to 
understand who did it, to understand the attack tool they used, to 
determine the defensive mechanism of software that it can be put on, 
and then to notify American businesses that there is an attack 
happening now, and here is the attack tool and software you can buy off 
the shelf and put on your computer system to protect you. That is it. 
That is the entire information sharing bill, and it is voluntary.
  I will touch on eight items very briefly. Why is there a need for 
cyber legislation? I don't want to state the obvious, but we have 
already seen that individuals and nation states penetrate the private 
sector and steal personal data, and the Federal Government can steal 
personal data. I thought it would hit home with my colleagues when the 
Office of Personnel Management was breached, and now we are up to 22 to 
24 million individuals who were compromised. More importantly, the 
personal data at OPM extended to every individual who had ever applied 
for a security clearance, who had ever been granted security clearance, 
and who had security clearances and are now retired, but for some 
reason that application remained in the database. That application, 
which consists of 18 pages, has the most personal information one can 
find. It lists your parents and their Social Security numbers, your 
brothers, your sisters, where you lived since you graduated from 
college. It even has a page that asks you to share the most obvious way 
that someone might blackmail you. It has probably some of the most 
damaging personal information that one can have breached.
  Cyber attacks have harmed multiple U.S. companies. If this weren't 
serious, would the President of China and the President of the United 
States, when they met several weeks ago, have come to an agreement 
about how they would intercede if one country or the other commits a 
cyber attack against each other? Probably not.
  Our bill is completely voluntary, and I think it is safe to say that 
those who want to share data can, in fact, share data on this.
  I mentioned the words ``real time.'' What we want to do is create a 
real-time system because we want a partnership. We want a partnership 
with other private companies and we want a partnership with the private 
and public sector, and you can't get a partnership by mandating it. All 
you can get is an adversarial relationship. We maintain that voluntary 
status in the hope that the sharing of that information is, in fact, 
real time. We can control--once you transmit to the Federal 
Government--how to define ``real time.'' I have no control over a 
private company's decision once they know they have been breached to 
the point that they actually make a notification to the Federal 
Government, but with the liability protection and anti-trust coverage, 
we are convinced that we are structured from the beginning to create an 
incentive for real time to take place.
  We protect personal privacy. Many have come to the floor and have 
suggested that this is a surveillance bill. Let me say to my colleagues 
and to the American people: There is no capability for this to become a 
surveillance bill. The managers' amendment took those items that people 
were concerned with and eliminated it. We can be accused of a lot of 
things, but to accuse this of being a surveillance bill is either a 
sign of ignorance or a sign that one is being disingenuous. It is not a 
surveillance bill. Be critical of what we are attempting to do, be 
critical of what we do, but don't use the latitude to suggest that this 
is something that it is not.
  We require private companies and the government to eliminate any 
irrelevant personal, identifiable information before sharing the cyber 
threat indicators or putting up defensive mechanisms.
  This bill does not allow the government to monitor private networks 
or computers. It does not let government shut down Web sites or require 
companies to turn over personal information.
  This bill does not permit the government to retain or use cyber 
threat information for anything other than cyber security purposes, 
identifying a cyber security threat, protecting individuals from death 
or serious bodily or economic harm, protecting minors, or investigating 
limited cyber crime offenses.
  This bill provides rigorous oversight and requires a periodic 
interagency inspector general's report to assess

[[Page S7386]]

whether the government has violated any of the requirements in this 
bill. The report also will assess any impact this bill may have on 
privacy and civil liberties. In the report, we require the IG to report 
to us whether anybody does anything outside what the statute allows 
them to do, but we also ask the IG to make a gut call on whether we 
have protected privacy and civil liberties.
  Finally, our managers' amendment has incorporated an additional 
provision to enhance privacy protections first. Our managers' amendment 
omitted the government's ability to use cyber information to 
investigate and prosecute serious and violent felonies. Let me raise my 
hand and say I am guilty. I felt very strongly that that should have 
been in the bill. If we find during an investigation that an individual 
has committed a felony that is not related to a cyber attack, I thought 
we should turn that information over to law enforcement but, no, we 
dropped it. I don't want there to be any question as to whether this is 
an effective cyber information sharing bill.
  Our managers' amendment limited cyber threat information sharing 
authorities to those items that are shared for cyber security purposes. 
Both of these changes ensure that nothing in our bill reaches beyond 
the focus of cyber security threats that are intended to prevent and 
deter an attack, and nothing in this bill creates any potential for 
surveillance authorities.
  Now, as I said, despite rumors to the contrary, this bill is 
voluntary. It is a voluntary threat indicator to share with authorities 
and does not provide in any way for the government to spy on or use 
library and book records, gun sales, tax records, educational records, 
or medical records. There is something in that for every member of 
every State.
  I can honestly look at my librarians and say we haven't breached the 
public libraries' protection of personal data. I will say librarians 
are not fans of this legislation. I don't think they have read the 
managers' amendment that spells out the concerns we heard and then 
said: This can't go there. I am not sure we can statutorily state it 
any clearer than what we have done.
  Given that cyber attackers have hacked into, stolen, and publicly 
disclosed so much private, personal information, it is astounding to me 
that privacy groups would oppose this bill. It has nothing to do with 
surveillance, and it seeks to protect private information from being 
  There are no offensive measures. This bill ensures that the 
government cannot install, employ or otherwise use cyber security 
systems on private sector networks. In other words, no one can hack 
back into another computer, even if the purpose is to protect against 
or squash a cyber attack. It can't be done. It is illegal.
  The government cannot retain or use cyber threat information for 
anything other than cyber security purposes, including preventing, 
investigating, disrupting, and prosecuting limited cyber crimes, 
protecting minors, and protecting individuals from death or serious 
bodily harm, or economic harm.
  The government cannot use cyber threat information in regulatory 
proceedings. Let me state that again. The government cannot use cyber 
threat information in regulatory proceedings. If somebody believes this 
is not voluntary and that there is some attempt to try to get a 
mandatory hook in here where regulators can turn around and bypass the 
legislative responsibility of the Congress of the United States, let me 
just say, we are explicit. It cannot be done. But we are also explicit 
that the government cannot retain this information for anything other 
than the list of items I discussed. This provides focused liability 
protection to private companies that monitor their own systems and 
share cyber threat indicators and defensive mechanisms in accordance 
with the act, but the liability protection is not open-ended. This 
doesn't provide liability protection for a company that engages in 
gross negligence or willful misconduct. I am not a lawyer, but I have 
been told that ties it up pretty tightly; that it makes a very small, 
narrow lane that companies can achieve liability protection, and that 
lane means they are transferring that information to the Federal 
  Last, independent oversight. This bill provides rigorous oversight. 
It requires a periodic interagency inspector general's report to assess 
whether the government has violated any of the requirements of this 
act. The report also will assess any impact that this bill may have on 
privacy and civil liberties as well as an assessment of what the 
government has done to reduce any impact.
  This bill further requires an independent privacy and civil liberties 
oversight board to assess any impact this bill may have on privacy and 
civil liberties and is, in fact, reviewed internally by an inspector 
general. The inspector general checks to make sure they live by the 
letter of the law. The inspector general makes an assessment on the 
privacy and civil liberties, and we set up an independent board to look 
at whether, in fact, privacy and civil liberties have been protected.
  I say to my colleagues, if there is more that they need in here, tell 
us what it is. The amendment process is open.
  Here is where we are. Privacy folks don't want a bill, period. Some 
Members don't want a bill, period. I get it. I am willing to adapt to 
that. I only need 60 votes for this to pass, and then I have to 
conference it with the House that has two different versions. Then I 
have to go to the other end of Pennsylvania Avenue, and I have to 
convince the President and his whole administration to support this 
bill. Let me quote the Secretary of the Department of Homeland 
Security. They support this bill. The National Security Council 
tomorrow is going to come out in support of this bill. Why? Because 
most people recognize the fact that we need this, that this is the 
responsible thing to do. This is why Congress was created.
  If, in fact, there are those who object, don't participate. I say to 
those businesses around the country, I am not going to get into your 
decisionmaking, although I think it is flawed. You hold most of the 
personal data of any companies out there. Yet you don't want to see any 
coordinated effort to minimize data loss in the U.S. economy. I think 
that is extremely shortsighted. I think your customers would disagree 
with you, but the legislation was written in a way that allows you to 
opt out and to say: I don't want to play in this sandbox.
  I say to my colleagues and to the American people: Is that a reason 
for us not to allow the thousands of companies that want to do it, 
representing hundreds of thousands and millions of customers who want 
to protect their credit card number, their health records, all the 
personal data that is out there on them--if they want to see that 
protected, should they not have that done because some companies say 
they don't want to play? No. We make it voluntary, and we allow them to 
opt out. They can explain to their customers why. If I am with another 
tech company and they are participating in this, they must be more 
interested in protecting my data. I think it is a tough sell myself as 
a guy in business for 17 years.
  I know what is up here. Some are looking at this as a marketing tool. 
They are going to go out and say: We don't participate in transferring 
data to the Federal Government. Oh, really. Wait until the day you get 
penetrated. Wait until the day they download all of that personal 
information on all of your customers. You are going to be begging for a 
partnership with the Federal Government. Then we are going to extend it 
to you, whether you liked it or not, whether you voted for the bill or 
supported the bill or spoke in favor of the bill or ever participated 
in it. If we pass this bill, which I think we will, they will have an 
opportunity to partner with the Federal Government and to do it in an 
effective way. In the meantime, I think there will be just as many 
businesses using a marketing tool that says: We like the cyber 
information sharing bill, and if we ever need to use it, we are looking 
forward to partnering with the Department of Homeland Security, the 
FBI, and the National Security Agency because we want to minimize the 
exposure of the loss of data our customers could have.
  Mark my words. There is a real battle getting ready to brew here. 
Again, putting on my business hat, I like the idea of being able to go 
out and sell the fact that I am going to partner if something happens 
much better than selling

[[Page S7387]]

the pitch that I am going to do this alone. Think about it. A high 
school student last week hacked the personal email account of the 
Secretary of the Department of Homeland Security and the Director of 
the CIA. This is almost ``Star Trek.'' ``Beam me up, Scotty.''
  There are people who believe that this is just going to go away. It 
is not going away. Every day there is an attempt to try to penetrate a 
U.S. company, an agency of the Federal Government for one reason: to 
access personal data. The intent is there from individuals and from 
nation states. For companies that think this is going to go away or 
think they are smart enough that it is not going to happen to them, I 
have seen some of the best and they are one click away from somebody 
downloading and entering their system and that click may not be 
protected by technology. It may be the lack of ability of an employee 
to make the right decision on whether they open an email, and, boom, 
they have just exposed everybody in their system.
  So I will wrap up because I see my good friend and colleague Senator 
Wyden is here. We will have several days, based upon the process we 
have in front of us, to talk about the good, and some will talk about 
the bad, which I don't think exists, but let me assure my colleagues 
that the ugly part of this--the ugly part of this--is that cyber theft 
is real. It doesn't discriminate. It goes to where the richest pool of 
data is. In the case of the few companies that are not supportive of 
this bill, they are the richest depositories of personal data in the 
world. I hope they wake up and smell the roses.
  I yield the floor.
  The PRESIDING OFFICER (Mr. Scott). The Senator from Oregon.
  Mr. WYDEN. Mr. President, I would like to inform my colleague, the 
distinguished chairman of our Intelligence Committee, I am always 
thinking about the history of the committee. I believe Chairman Burr, 
the ranking minority member Senator Feinstein, and I have been on the 
Intelligence Committee almost as long as anybody in history.
  I always like to work with my colleague. This is an area where we 
have a difference of opinion. I am going to try to outline what that is 
and still try to describe how we might be able to work it out.
  Mr. BURR. May I thank my colleague?
  Mr. WYDEN. Of course.
  Mr. BURR. Mr. President, I thank my colleague. I think he 
diplomatically referred to me as old, but I know that wasn't the case. 
He is exactly right. We have served together for a long time. We agree 
on most issues. This is one that we disagree on, but we do it in a 
genuine and diplomatic way. Contrary to maybe the image that some 
portray to the American people, we fight during the day and we can have 
a drink or go to dinner at night, and we are just as likely to work on 
a piece of legislation together next week. So that is what this 
institution is and it is why it is so great.
  Mr. WYDEN. Well said. There is nothing better than having Carolina 
barbecue unless it is Oregon salmon. Yes, we old jocks, former football 
players and basketball players, we have tough debates and then we go 
out and enjoy a meal.
  Here is how I would like to start this afternoon. The distinguished 
chairman of the committee is absolutely correct in saying that cyber 
security is a very substantial problem. My constituents know a lot 
about that because one of our prominent employers, SolarWorld, a major 
manufacturer in renewable energy, was hacked by the Chinese simply 
because this employer was trying to protect its rights under trade law. 
In fact, our government indicted the People's Liberation Army for their 
hacking into this major Oregon employer. So no question that cyber 
security is a major problem.
  Second, there is no question in my mind that information sharing can 
be very valuable in a number of instances. If we know, for example, 
someone is associated with hackers, malware, this sort of thing, of 
course it is important to promote that kind of sharing. The difference 
of opinion is that I believe this bill is badly flawed because it 
doesn't pass the test of showing that when we share information, we 
have to have robust privacy standards or else millions of Americans are 
going to look up and they are going to say that is really not cyber 
security. They are going to say it is a surveillance bill. So that is 
what the difference of opinion is.

                    Amendment No. 2621, as Modified

  Let me turn to how I have been trying to improve the legislation. I 
am going to speak for a few minutes on my amendment No. 2621 to the 
bill that we have been discussing and that is now pending in the 
Senate. Obviously, anybody who has been watching the debate on this 
cyber security bill has seen what we would have to call a spirited 
exchange of views. Senators are debating the substance of the 
legislation and, as I just indicated to Chairman Burr and I have 
indicated to ranking minority member Senator Feinstein, there is 
agreement on a wide variety of points and issues.
  Both supporters and opponents of the bill agree that sharing 
information about cyber security threats, samples of malware, 
information about malicious hackers, and all of this makes sense and 
one ought to try to promote more of it. Both supporters and opponents 
now agree that giving corporations immunity from customer lawsuits 
isn't going to stop sophisticated attacks such as the OPM personnel 
records breach.
  I am very glad that there has been agreement on that point recently, 
because proponents of the bill sometimes said that their legislation 
would stop hacks such as the one that took place at OPM. When 
technologists reviewed it, that was clearly not the case, and the claim 
has been withdrawn that somehow this bill would prevent hacks like we 
saw at OPM.
  The differences of opinion between supporters and opponents of the 
bill--who do agree on a variety of these issues--surround the likely 
privacy impact of the bill. Supporters have essentially argued that the 
benefits of this bill, perhaps, are limited--particularly now that they 
have withdrawn the claim that this would help against an OPM attack--
but that every little bit helps. But there is no downside to them to 
just pass the bill. It makes sense. Pass the bill. There is no 
  Opponents of the bill, who grow in number virtually every day, have 
been arguing that the bill is likely to have a significant negative 
impact on the personal privacy of a large number of Americans and that 
this greatly outweighs the limited security benefits. If an information 
sharing bill doesn't include adequate privacy protections, I am telling 
you, colleagues, I think those proponents are going to have people wake 
up and say: I really don't see this as a cyber security bill, but it 
really looks to me like a surveillance bill by another name.
  (Mr. TOOMEY assumed the Chair.)
  Colleagues who are following this and looking at the bill may be 
trying to sort through this discussion between proponents and 
opponents. To help clarify the debate, I would like to get into the 
text of the bill for just a minute.
  If colleagues look at page 17 of the Burr-Feinstein substitute 
amendment, which is the latest version with respect to this bill, 
Senators are going to see a key section of the bill. This is the 
section that discusses the removal of personal information when data is 
shared with the government. The section says very clearly that in order 
to get immunity from a lawsuit a private company has to review the data 
they would provide and remove any information the company knows is 
personal information unrelated to a cyber security threat. This 
language, in my view, clearly creates an incentive for companies to 
dump large quantities of data over to the government with only a 
cursory review. As long as that company isn't certain that they are 
providing unrelated personal information, that company gets immunity 
from lawsuits. Some companies may choose to be more careful than that, 
but this legislation and the latest version--the Burr-Feinstein 
substitute amendment--would not require it. This bill says with respect 
to personal data: When in doubt, you can hand it over.
  My amendment No. 2621 is an alternative. It is very simple. It is 
less than a page long. It would amend this section that I have just 
described to say that when companies review the data they provide, they 
ought to ``remove, to the extent feasible, any personal information of 
or identifying a specific

[[Page S7388]]

individual that is not necessary to describe or identify a 
cybersecurity threat.'' The alternative that I am offering gives 
companies a real responsibility to filter out unrelated personal 
information before that company hands over large volumes of personal 
data about customers or people to the government.
  The sponsors of the bill have said that they believe that companies 
should only give the government information that is necessary for cyber 
security and should remove unrelated personal information. I agree with 
them, but for reasons that I have just described, I would say 
respectfully that the current version of this legislation does not 
accomplish that goal, and that is why I believe the amendment I have 
offered is so important.
  For an example of how this might work in practice, imagine that a 
health insurance company finds out that millions of its customers' 
records have been stolen. If that company has any evidence about who 
the hackers were or how they stole this information, of course it makes 
sense to share that information with the government. But that company 
shouldn't simply say here you go, and hand millions of its customers' 
medical records over for distribution to a broad array of government 
  The records of the victims of a hack should not be treated the same 
way that information about the hacker is treated. Companies should be 
required to make a reasonable effort to remove personal information 
that is not needed for cyber security before they hand information over 
to the government. That is what my amendment seeks to achieve. That is 
not what is in the substitute amendment.
  Furthermore, if colleagues hear the sponsors of the substitute saying 
this bill's privacy protections are strong and you have heard me making 
the case that they really don't have any meaningful teeth and they are 
too weak, don't just take my word for it. Listen to all of the leading 
technology companies that have come out against the current version of 
this legislation.
  These companies know about the importance of protecting both cyber 
security and individual privacy. The reason they know--and this is the 
case in Pennsylvania, Oregon, and everywhere else--is that these 
companies have to manage the challenge every single day. Companies in 
Pennsylvania and Oregon have to ensure they are protecting both cyber 
security and individual privacy. Those companies know that customer 
confidence is their lifeblood and that the only way to ensure customer 
confidence is to convince customers that if their product is going to 
be used, their information will be protected, both from malicious 
hackers and from unnecessary collections by their government.
  I would note that there is another reason why it is important to get 
the privacy protections I am offering in my amendment at this time. The 
companies that I just described are competing on a global playing 
field. These companies have to deal with the impression that U.S. laws 
do not adequately protect their customers' information. Right now these 
companies--companies that are located in Pennsylvania and Oregon--are 
dealing with the fallout of a decision by a European court to strike 
down the safe harbor data agreement between the United States and the 
European Union. The court's ruling was based on the argument that U.S. 
laws in their present form do not adequately protect customer data. 
Now, I strongly disagree with this ruling. At the same time, I would 
say to my colleagues and to the Presiding Officer--he and I have worked 
closely on international trade as members of the Finance Committee--and 
I would say to colleagues who are following this international trade 
question and the question of the European Union striking down the safe 
harbor for our privacy laws, in my view this bill is likely to make 
things even more difficult for American companies that are trying to 
get access to those customers in Europe.
  To give just a sampling of the leading companies that have come out 
against the CISA legislation, let me briefly call the roll. There is 
the Apple company. They have millions of customers. They know a great 
deal about what we have to do to deal with malicious hackers and to 
protect privacy. There is also Dropbox, Twitter, Salesforce, Yelp, 
Reddit, and the Wikimedia Foundation. I point to the strong statement 
by the Computer & Communications Industry Association. Their members 
include Google, Amazon, Facebook, Microsoft, Yahoo, Netflix, eBay, and 
PayPal. Those individual companies I have mentioned have millions of 
customers. The organization that speaks for them says: ``CISA's 
prescribed mechanism for sharing of Cyber threat information does not 
sufficiently protect users' privacy.''
  On top of this, there has been widespread opposition from a larger 
spectrum of privacy advocacy organizations. Here the groups range from 
the Open Technology Institute to the American Library Association.
  I was particularly struck by the American Library Association's 
comments in opposition to this bill. I think the leadership said--
paraphrasing--something to the effect of when the American Library 
Association opposes legislation that authors say will promote 
information sharing, they indicate there was a little something more to 
it than what the sponsors are claiming.
  Wrapping up, I want to make clear, as I said yesterday, that I 
appreciate that the bipartisan leadership of our committee has tried to 
respond to these concerns. They know that these large companies with 
expertise in collecting data and promoting cyber security have all come 
out against the bill. I heard talk about privacy protections. I don't 
know of a single organization that is looked to by either side of the 
aisle, Democrats and Republicans, for expertise and privacy that has 
come out in favor of the bill.
  So the sponsors of this legislation and the authors of the substitute 
amendment, which I have tried to describe at length here this 
afternoon, are correct in saying that they have made some changes, but 
those changes do not go to the core of the bill.
  For example, the amendment I have described would really, in my view, 
fix this bill by ensuring that there was a significant effort to filter 
out unrelated personal and private information that was sent to the 
government under the bill.
  So I hope Senators will listen to what groups and the companies that 
have expertise in this field have said. I hope Senators on both sides 
of the aisle will support the amendments I and others have offered. The 
Senate needs to do better than to produce a bill with minimal effects 
on the security of Americans and significant downside for their privacy 
and their liberty.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Rhode Island.

                    Amendment No. 2626, as Modified

  Mr. WHITEHOUSE. Mr. President, I would like to speak for 5 or 6 
minutes on the cyber bill.
  Unfortunately, I am here to express my distaste for the manner in 
which this bill has proceeded. I have an amendment that is not going to 
be voted on. Let me describe some of the characteristics of that 
  First of all, it is bipartisan. It is Senator Graham's and my 
  Second, it has had a hearing. We have had a hearing on it in the 
Judiciary Committee. Considerable work has gone into it.
  Third, it has the support of the Department of Justice. It repairs 
holes in our criminal law for protecting cyber security that we worked 
on very carefully with the Department of Justice and which we have had 
testimony in support of from our Department of Justice prosecutors.
  Last, it was in the queue. It was in the list of amendments that were 
agreed to when we agreed to go to the floor with this bill.
  So I don't know how I am going to vote on this bill now. But if you 
have a bipartisan amendment that has had a hearing, that was in the 
queue, and that has the support of the Department of Justice and you 
cannot even get a vote on it, then something has gone wrong in the 
  I remember Senator Sessions coming to the floor and wondering how it 
is that certain Senators appoint themselves masters of the universe and 
go off in a quiet room someplace and decide that certain amendments 
will and will not be heard. I am very sympathetic to Senator Sessions' 
concerns right now.

[[Page S7389]]

  Let me tell you what the substance of our amendment would do.
  First, there are people out there around the world in this cyber 
universe of fraud and crime who are trafficking in Americans' financial 
information for purposes of fraud and theft. If they don't travel to 
America or if they don't have a technical connection to America, we 
cannot go after them. There is an American victim, but we cannot go 
after them. That is a loophole that harms Americans that this bill 
would close.
  I cannot believe there is one Member of this institution who would 
oppose closing a loophole that allows foreign criminals access to 
Americans' financial information for fraudulent purposes but puts them 
beyond the reach of our criminal law. That is one part of what our bill 
  Second, it raises penalties for people who intrude on critical 
infrastructure. You can go all around this country, you can go to 
military installations that have way less security concerns than our 
critical infrastructure, like our electric grid, and you will see 
chain-link fences that say department of whatever, U.S. Government, 
stay out. You cannot go in there to picnic, you cannot go in there 
because you are curious, you cannot go in there for a hike, and the 
reason is because there is a national security component to what is 
going on in there.
  Well, there is a huge national security component to our critical 
infrastructure, like our electric grid. All this would do is raise the 
penalties. You could still go in, but if you get caught doing something 
illegal there, then it is a little different if you are attacking 
America's critical infrastructure than if you are just prowling around 
in some other portion of the Web that does not have that.
  Again, I think if that came to a vote, we would probably get 90 
percent of this body in favor. Who is in support of allowing people to 
mess around in our critical infrastructure?
  The third is botnet brokers. Botnets are out there all over the 
Internet. They are a plague on the Internet. There is no such thing as 
a good botnet. Everyone would be better off if they were removed. They 
are like weeds on the Internet. There are people who are brokers who 
allow access to botnets, and because our laws are so out of date, if 
you are just brokering access to a botnet for criminal purposes, there 
is no offense. Why would we not want to empower our Department of 
Justice to be able to go after people who are criminal brokers allowing 
access for criminals to botnets to use for criminal purposes against 
Americans? I don't understand that.
  Lastly, botnet takedowns. A botnet is a weed. We wait until somebody 
actually encounters that weed and is harmed by it before we allow our 
Department of Justice to act. We should be out there taking down 
botnets on a hygiene basis all the time. We are limited because of this 
artificiality. That is the fourth piece of the bill. It empowers botnet 
takedowns like the Bugat takedown we just did. We should be doing a lot 
more of that. Again, unless somebody here is in the botnet caucus and 
is in favor of more botnets out there, this is something which would 
probably pass unanimously. Yet I cannot get a vote.
  It is bipartisan, has had a hearing, is in the queue, is supported by 
the Department of Justice, and those are the four sub-elements of it. 
For some reason, the masters of the universe have gone off and had a 
meeting in which they decided this is not going to be in the queue. I 
object to that procedure.
  I am sorry we are at this stage at this point because I think that on 
the merits this would win. This is a bipartisan, good, Department of 
Justice-supported, law enforcement exercise to protect people against 
cyber criminals. I don't know what the sense is that there is some 
hidden pro-botnet, pro-foreign cyber criminal caucus here that won't 
let an amendment like mine get a vote.
  I will yield the floor. I see Senator Carper here, and he has done 
great work to try to be more productive than my amendment reflects. I 
hope we can sort this out to a point where an amendment like mine, 
which was in the queue in the original deal that got us to this bill, 
can now get back in some kind of a queue so that we can get this done.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Delaware.
  Mr. CARPER. I appreciate the yielding by Senator Whitehouse. Let me 
just say that if your provision, Senator Whitehouse, does not end up in 
this bill and we actually do pass it, I am sure we will conference with 
the House. There will be an opportunity to revisit this issue. So I 
hope you will stay in touch with those of us who might be fortunate 
enough to be a conferee.
  Mr. WHITEHOUSE. I appreciate that very much, more than the Senator 
can know.
  Mr. CARPER. Mr. President, I rise today in support of the cyber 
security information bill introduced by my colleagues, Senators Burr 
and Feinstein. I want to commend my colleagues and their staff for 
their leadership and for their tireless efforts on this extremely 
important piece of legislation.
  As ranking member and former chairman of the Homeland Security and 
Governmental Affairs Committee, I have been following cyber security 
and this information sharing proposal in particular literally for 
years. In fact, when Senator Feinstein first introduced an information 
sharing bill in 2012--that was like two or three Congress's ago--it was 
referred to Homeland Security and Governmental Affairs, on which I 
served. That bill was ultimately folded into a comprehensive cyber 
security bill that I had the honor of cosponsoring with Senators Joe 
Lieberman, Susan Collins, Jay Rockefeller, and Senator Feinstein. We 
were not able to pass that bill, but I think it has paved the way for 
other cyber legislation, including the bill that is before us today and 
a number of the amendments that are going to be offered to that bill in 
the managers' amendment, especially.
  Last Congress, I worked with our ranking member on homeland security, 
Dr. Tom Coburn, and our House counterparts to get not one, not two, not 
three, but four cyber security bills enacted into law, signed by the 
President. I believe these four bills laid a very strong foundation for 
some significant improvements on how the Department of Homeland 
Security carries out its cyber security mission and really for this 
bill before us too.
  What the legislation Dr. Coburn and I worked on during the last 
Congress did, in essence, was to better equip the Department of 
Homeland Security to operate at the center of the kind of robust 
information sharing program that the Burr-Feinstein bill would set up. 
How do they do that? One, make sure the Department of Homeland Security 
would have the ability to attract and retain top-flight talent, much 
like the National Security Agency already has.
  The legislation actually takes something called the cyber ops center, 
NCCIC, within the Department of Homeland Security and makes it real and 
functional and an entity that people would use and listen to.
  Finally, we took an old law called FISMA, the Federal Information 
Sharing Management Act--we took something that was just a paperwork 
operation, this FISMA legislation--like a once-in-a-year check to see 
how good a cyber security agency might be--and turned it into not a 
paperwork operation, not a once-every-365-days operation, but a 24/7 
surveillance operation on the lookout for intrusions within and across 
the Federal Government broadly.
  That legislation, affectionally known as FISMA, was also designed to 
make clear what the division of labor was between the Office of 
Management and Budget, OMB, and the Department of Homeland Security on 
protecting the dot.gov domain. We made it clear that the job of OMB is 
to, if you will, steer the ship. The job of the Department of Homeland 
Security is to row the ship, to row the boat. That is a good division 
of labor given that OMB only has six employees who work on this stuff 
and the Department of Homeland Security has hundreds. So I think we 
figured out the sharing of labor, the division of labor, and also made 
sure the Department of Homeland Security has the resources--the horses, 
the resources--and the technology they need.
  Sharing more cyber security threat information among and between the 
private sector and the Federal Government players who are on the 
frontline in cyber security is critical for national security. Over the 
last couple of

[[Page S7390]]

years, we have witnessed many troubling cyber attacks against our 
banks, but not just our banks, against retailers, health providers, 
government agencies, and God knows how many others.
  Some of those launching these attacks were just criminals. Some of 
them were just criminals. They want to steal information. They want to 
make money off of our personal information, off our intellectual 
property, like our intellectual seed corn, if you will, for companies 
large and small and for universities as well. Others just want to be 
disruptive or they want to make political points. Some actors, however, 
are capable or would like to develop the capability to use a cyber 
attack to harm people and cause physical damage.
  It is long past time for this body to take action to more effectively 
combat these threats we now face in cyber space. That is why earlier 
this year I introduced a similar information sharing bill. This bill 
largely mirrored the administration's original proposal.
  The administration asked me to introduce their information sharing 
bill. Before I did that, we actually had a hearing in the committee on 
homeland security. Part of the centerpiece of the hearing was the 
administration's proposal. We got some good ideas on how to make it 
better. We made it better and introduced that bill to use, if you will, 
as a point-counter point in a constructive, positive way with the 
legislation that worked its way through the Intelligence Committee. But 
we did not stop there. We took information from a lot of experts and 
  The measure we are discussing today shares the same goals as my 
original bill--largely the administration's original bill--to increase 
the sharing of cyber threat information between the Federal Government 
and the private sector and between different entities within the 
private sector. I am pleased that we are finally discussing these 
critical issues on the Senate floor.
  The substitute amendment we are debating today makes a number of 
improvements to the bill that was first made public after the 
Intelligence Committee reported it out. It also includes several 
changes that I, as well as several of my colleagues, have been calling 
for--including the chairman of our committee.
  I would like to thank Senators Burr and Feinstein. I thank their 
staff for working closely with our staff and others to produce what I 
believe is a significantly smarter and stronger bill. Is it perfect? 
No, not yet. But I can say there is always room for improvement. That 
is why we still have a debate on a number of amendments and those like 
the one mentioned by Senator Whitehouse that may be germane in a 
different kind of way in conference.
  While there may not be agreement on everything in this bill, I 
believe most of our colleagues would come to the conclusion that it 
really will help to improve our Nation's cyber security and, by 
extension, our national security and, by extension, our economic 
  First, the bill would ensure that the government--our government--is 
providing actionable intelligence to private sector entities that are 
seeking to better protect themselves in cyber space. Businesses around 
our country are hungry for information they can use to fend off attacks 
and better protect their systems and their customers. This bill would 
make the Federal Government a much stronger partner for them.
  Many companies that I have talked to of late also want to share more 
information with the Federal Government about what they are seeing 
online every day, but they are unsure of the rules of the road. In 
other words, companies want more predictability and they want more 
certainty when it comes to working with our government. This bill would 
give them that by clarifying that they won't be putting themselves in 
legal jeopardy if they choose to share cyber threat information with 
our Federal Government.
  If companies do want to avail themselves of the legal protections the 
bill offers, they would have to, with two narrow exceptions, use the 
information sharing portal at the Department of Homeland Security. This 
puts the Department of Homeland Security, a civilian entity, at the 
center of the information sharing process. I think this is smart and 
the right thing to do. In fact, many experts and companies that I have 
talked to across the country as recently as last week out in Silicone 
Valley and out on the west coast--they agree with what I have just 
  I know many Americans are uneasy with companies they do business with 
directly handing over data to an intelligence or law enforcement 
agency. The Department of Homeland Security will carry out its 
responsibilities under this bill through the cyber ops center I 
mentioned earlier called the National Cyber Security and Communications 
Integration Center--that is a mouthful. We affectionately call it N-
Kick. It is the cyber ops center. It includes folks from DHS and other 
Federal agencies. It includes a number of representatives of financial 
services, the utility industry, our retail industry, and so forth, all 
together under one roof, talking together and working together to help 
us support one another and make it strong and more secure.

  One of the bills I worked on with Dr. Coburn last Congress formally, 
as I said earlier, authorized this center. We are pleased to see that 
this bill would make the most out of the resources we have already 
invested in this cyber ops center, NCCIC.
  Earlier this month, Secretary Jeh Johnson of the Department of 
Homeland Security told our Homeland Security and Governmental Affairs 
Committee that beginning in November, the cyber ops center, NCCIC, will 
have the capability to automate the distribution and receipt of cyber 
threat indicators. I will say that again--to automate the distribution 
and the receipt of cyber threat indicators that they receive from 
others, including those in the private sector. In other words, the 
Department of Homeland Security will have the ability to share 
information with other agencies in real time--not next month, not next 
week, not tomorrow, not in an hour, but in real time, which is really 
what this little bill before us today requires.
  I know that the real-time sharing is incredibly important to the 
bill's sponsors, and it is important to me and probably to many of our 
colleagues and stakeholders. Equally important, however, is the ability 
of the Department of Homeland Security to apply what I call a privacy 
scrub to the information it receives from industry, the threat 
indicators that come from industry--see something, say something--stuff 
that they send to the Department of Homeland Security.
  In the bill that I authored with others in my committee, including 
our chairman, we allow the Department of Homeland Security to, if you 
will, receive information through its portal from various entities that 
witness threat indicators, to see it and to put it through the portal, 
to bring it through the portal to do a privacy scrub. That is one of 
the things the Department of Homeland Security has expertise in doing.
  I used an example at lunch earlier today. I talked about baseball. I 
know the Presiding Officer has some interest in baseball. There are 
teams called the Phillies in Philadelphia and the Pirates in 
Pittsburgh. I would just say to him, thinking about baseball for a 
minute, let's say you are in the playoffs. Let's say you have a team in 
the playoffs. You are in the ninth inning, and you need to get somebody 
out of the bullpen to close. You have a one-run lead. You look to the 
bullpen. He is now retired, but Mariano Rivera was the best closer in 
baseball history. You have Mariano Rivera in the bullpen to come in and 
close the game, and you have three other guys you just called up from 
the Minor League, so maybe from AAA.
  You say: Well, whom do I put in to close the game? Do I put in the 
best closer we have ever had in baseball history or do I bring in three 
rookies, three Minor League guys?
  Well, you bring in Mariano Rivera.
  When it comes to being able to do privacy scrubs, the Department of 
Homeland Security--that is what they do. That is what they do. Now they 
have the horses, the ability, and the technology to do it even better.
  I know some of my colleagues are concerned that a privacy scrub will 
slow down the information sharing process. I share those concerns, but 
I have been assured by the Department--the bright, smart people at the 
Department of Homeland Security--that less

[[Page S7391]]

than 1 percent of the information it receives would actually ever need 
to be reviewed by a human, by a person. The rest--roughly 95 percent to 
99 percent--would be shared with other agencies at machine speed. 
  I am very pleased that DHS has come to an agreement on this process 
with its agency partners. We will be up and running with a portal in 
the way I have described in the next couple weeks.
  One of the amendments I filed speaks to this privacy scrub process. 
It would make clear that the Department of Homeland Security could 
carry out an automated privacy scrub in real time and without delay. In 
fact, my amendment would add just one word to the bill so that DHS 
could continue to automatically remove irrelevant or erroneous data 
from cyber threat information.
  I am very pleased that Senators Burr and Feinstein have taken this 
amendment into consideration and have now modified their substitute 
amendment to make sure the Department of Homeland Security can do what 
it does best, and that is to apply a privacy scrub--pulling out 
personally identifiable information that actually shouldn't be passed 
on to other Federal agencies. The substitute amendment now calls on DHS 
to work with its agency partners to agree on a process to share 
information while protecting privacy. This is a process DHS is already 
  I thank Senators Burr and Feinstein, as well as our friends at the 
Department of Homeland Security and other agencies, for working so hard 
to find agreement on this language and for working with my staff and me 
on this important matter.
  Another amendment I put forward with our committee chairman, Senator 
Johnson, aims to improve what we call cyber hygiene across the Federal 
Government and to prevent attacks against Federal agencies. This 
language is based on a bill that Senator Johnson and I introduced and 
had reported out of our homeland security committee by a unanimous 
vote. The amendment does three main things.
  First, it would require all Federal agencies to implement specific 
best practices and state-of-the-art technologies to defend against 
cyber attacks. For example, we had experts testify about the importance 
of strong authentication and data encryption. This amendment would make 
sure that agencies are taking these commonsense steps to bolster their 
cyber security defenses.
  Second, the amendment would accelerate the deployment and adoption of 
the Department of Homeland Security's cyber intrusion and detection 
program, known as EINSTEIN, as in Albert Einstein, but you don't have 
the ``Albert'' in the name of this technology; it is called EINSTEIN.
  For my colleagues who may not be familiar with EINSTEIN, with respect 
to homeland security and cyber security, let me take a couple of 
minutes to describe its main features.
  We had EINSTEIN 1 present at the beginning, EINSTEIN 2 was follow-on 
technology, and then there is EINSTEIN 3. EINSTEIN basically analyzes 
Internet traffic entering and leaving Federal civilian agencies to 
identify cyber threats and to try to stop attacks.
  This system has been rolled out in phases over the last several 
years. EINSTEIN 1 is the first step. It sees and actually records 
Internet traffic, much like a guard at a checkpoint watches cars go by 
and maybe writes down and records the license plates. EINSTEIN 2 
detects anything out of the ordinary and sets off alarms if a piece of 
malware is trying to enter a Federal network. For example, a car comes 
through and it is not supposed to come through. That would set off an 
alarm and enable EINSTEIN 2 to actually detect a cyber intrusion. It 
doesn't do anything about blocking. It doesn't block the car, in this 
example. It doesn't block anything. EINSTEIN 3A, the latest version, 
uses unclassified and classified information to actually block the 
cyber attack.
  So initially EINSTEIN 1 records basically what is being detected, 
EINSTEIN 2 actually detects bad stuff coming through in terms of an 
intrusion, and EINSTEIN 3A blocks it. The problem is that less than 
half of our Federal civilian agencies actually have EINSTEIN 3A in 
place. They have the ability to record an intrusion, the ability to 
detect an intrusion, but not the ability to block an intrusion. They 
need the ability to block. What our legislation would do would be to 
make sure that agencies have EINSTEIN in place, including the ability 
to block intrusions, within 1 year.
  Finally, our amendment incorporates the language originally drafted 
by Senator Susan Collins, the former chair of the homeland security 
committee and a great colleague of ours for many years, Senator Mark 
Warner, Senator Kelly Ayotte, Senator Claire McCaskill, Senator Dan 
Coats, and Senator Barbara Mikulski. They are all cosponsors of the 
amendment Senator Collins offered. These provisions would strengthen 
the ability of the Department of Homeland Security to shore up cyber 
defenses at civilian agencies and to address cyber emergencies across 
the Federal Government.
  Again, I am incredibly grateful that Senator Feinstein and Senator 
Burr agreed to include our language in the substitute amendment 
language that worked its way through our committee. We had hearings and 
had the opportunity to mark up the legislation. It worked the way it is 
supposed to work. And I think that without exception it had bipartisan 
support coming through our committee. It is the perfect complement to 
the information sharing bill we are discussing this week. I think it 
makes a good bill that much better.
  I thank the Senators for working with me and Senator Johnson on it.
  Just one more thing before I close. I know the Presiding Officer 
thinks a lot about root causes, and rather than just address the 
symptoms of a problem, let's think about what is the root cause of the 
problem. The Senator who is waiting to follow me on the floor, the 
former Governor of Maine, thinks similarly. I do too. It is not enough 
to just address the symptoms of these problems. A part of what we need 
to be thinking about is, How do we get to the root cause?
  Until fairly recently, a lot of our financial services institutions 
in this country were under constant attack by somebody who was trying 
to overload their Web sites and essentially trying to shut them down. 
It is sort of like when we were first standing up the Affordable Care 
Act, they had so much traffic on their Web site that it would kind of 
break down.
  There are so many cyber threats from around the world. We think Iran 
is behind it. They are trying to do that, to bring down our financial 
services business--and sometimes with some success.
  About a year ago, when we got very serious about negotiating with the 
Iranians and our partners--the French, the Brits, the Germans, the 
Russians, and the Chinese--some kind of an agreement where the Iranians 
would give up any hope they had of having a nuclear weapon and the 
terms for our lifting our economic sanctions--when it became clear that 
those were serious negotiations, that something might actually happen 
from those negotiations, guess what happened to those attacks. We call 
them DDoS. What do you suppose happened? Well, guess what, they started 
letting up little by little until the time we actually voted here to 
let that agreement be enacted and hopefully be administered and 
implemented. That was a root cause being addressed.
  Another root cause we had over in China--for years the Chinese have 
sought to use cyber attacks to get into our most successful businesses, 
some of our research and development operations in those businesses, 
and work being done within Federal agencies on research and 
development--actually, the intellectual seed corn for creating jobs and 
opportunity in this country. The cyber attacks were--we believe it was 
China trying to steal information from our universities. They were 
doing a lot of research that could lead to economic activity and job 
creation. We didn't like it. We don't do that. We don't do that to 
them, and we don't want them to do that to us. We complained about it 
and complained about it and called out some of the folks whom we 
thought were behind this in China.
  President Xi visited us in this city about 3 week ago. He and our 
President had some tough, direct, and probably not entirely comfortable 
conversations. One of them dealt with this

[[Page S7392]]

issue, what we believe is the intrusion by Chinese actors in order to 
steal our intellectual seed corn, in order to maybe have a short step, 
a shortcut to economic development, economic activity. They would not 
have to spend the money, the time, and the energy to do all the 
research that would lead to this innovation and job-creation activity. 
The agreement that came out of that was the Chinese and our country 
have agreed that neither side will knowingly steal this kind of 
information from the other. ``Knowingly'' is a very broad term, and so 
we have to make sure that ``knowingly'' actually means something. 
Secretary Jeh Johnson, the head of the Homeland Security Department, 
and Attorney General Loretta Lynch have been assigned to build on this 
initial agreement and see what we can make of it.
  I will close with this. A lot of people in our country don't 
understand what all this cyber security stuff is--intrusion, EINSTEIN, 
and all the items we are talking about that are in the legislation 
which is before us this week. They do know this: It is not good when 
people can steal the kind of information that needs to be protected. 
Whether it is part of the government domain, military or intelligence 
secrets; whether it is economic secrets or developments that lead to 
economic gain; whether it is personally identifiable information that 
can be used for blackmail purposes or to monetize and to somehow make 
money off of that information, we know it is not good. There is no one 
silver bullet to actually stop this kind of activity, but there are a 
lot of silver BBs, and some of them are pretty big.
  The legislation that is before us today, bolstered by similar 
legislation that has come out of the Committee on Homeland Security and 
Governmental Affairs, is a pretty good-sized BB. They are not going to 
enable us to win this war by themselves, but they will enable us to 
make real progress. It will make us feel a good bit more secure than we 
have, knowing that this is an enemy across the globe and that a number 
of enemies wish us harm. They are not going to give up. There is a lot 
of money involved. They will be back at us, and we have to bring our 
``A'' game to work every day in the Department of Homeland Security and 
other Federal agencies working in tandem with the private sector.
  Hopefully, with this information, the folks in the private sector--if 
they want to get the liability protection and share information with 
the Federal Government, we want them to use the portal through the 
Department of Homeland Security. The Department of Homeland Security, 
to the extent that privacy scrub is needed--it does not happen often. 
It happens less than 1 percent of the time with the information that 
comes through the portal. The legislation before us, with the 
amendments that are offered, will enable us to have that kind of 
security about our private information and at the same time to do a 
very good job--a much better job--in protecting what is valuable to us.
  Mr. President, I think that is about it for me. I appreciate very 
much the opportunity to speak. I appreciate the patience of Senator 
King, and I will yield the floor to him.
  I will just say in closing--no, Senator Blunt, I will yield to you 
next. It is good to be with both of you. I look forward to working with 
you on these and, with respect to the Senator gentleman from Missouri, 
very closely on related matters.
  Thank you so very much.
  The PRESIDING OFFICER. The Senator from Missouri.
  Mr. BLUNT. Mr. President, I thank the Senator from Delaware. He and I 
have worked on legislation together to protect data security, to have 
one standard for notifying people whose information has been accessed 
by people who shouldn't have it, and we are going to continue to work 
on that and look for opportunities, whether it is this bill or some 
other bill, to add that important element to what we are doing here.
  I come to the floor today, as I am sure many others have, to express 
support for this bill--for the Cybersecurity Information Sharing Act--a 
bill that gives us tools we don't currently have, and to break down 
barriers that we do currently have. This is a bill that would allow 
individuals who see the information they are responsible for being 
attacked to call others in their same business and say: Here is what is 
happening to us right now. If you are not seeing it already, you should 
be looking for it. When they do that, it doesn't violate any 
competitive sharing of information. What it does is bring everybody 
into the loop of defense as quickly as possible and allow them to look 
for help from the government as well.
  So I express support for this bill. We know that day after day 
Americans who read, watch, or listen to the news learn of another cyber 
attack. Some involve attacks of government systems, while others 
involve the private sector.
  In 2012 and 2013, hacker groups linked to Iran targeted American bank 
Web sites and sustained an attack on those Web sites in a way that was 
designed to disrupt people trying to do business--trying to pay their 
own personal bills, trying to do things people should expect to be able 
to easily do.
  Early in 2014, we learned that cyber criminals had stolen 40 million 
credit card numbers from a major retailer and had probably compromised 
an additional 70 million accounts. We also have learned that a lot of 
times when we hear about these, they seem bad enough at first, but they 
seem a whole lot worse later when we find out what really happened, 
when we see how deep these criminals were able to go, how deep these 
terrorists were able to go, how deep these government-sponsored 
entities were able to go to get at information they shouldn't have.
  In September of that same year, September 2014, we learned another 
major retailer had suffered a data breach. In that case there were 56 
million credit card holders.
  In February of this year, we learned a health insurance provider's 
system had been hacked, and 80 million customers were affected. This 
was a data breach that particularly impacted my State--particularly 
impacted Missourians--and we saw a huge change in the IRS fraud that 
occurred this year because, we believe at least, because criminals 
suddenly had all this sensitive personally identifiable information 
they had stolen. Suddenly somebody besides you was filing your tax 
return. Only later did the people who really had the income tax return 
to file find out that somebody had filed it for them.
  In June of this year--maybe the most surprising to all of us who have 
heard over and over again that the private sector is struggling, we 
suddenly found out the U.S. Office of Personnel Management increased a 
previous estimate of how many people were affected by its own data 
breach. The files of Federal employees and people related to those 
files was revised upward to 21.5 million people. Then we found out that 
also included roughly 5.5 million sets of fingerprints.
  I am not exactly sure what you could do with somebody's fingerprints 
on the Internet today. I can only imagine what you might be able to 
figure out to do with those fingerprints. Remember, your fingerprints 
don't change, and probably the government entity responsible for that 
hacking that has those fingerprints is always going to have those 
fingerprints as they think of new and malicious ways to use them. So we 
are talking about well over 100 million Americans who already have 
their personal information in the hands of people it shouldn't be in.
  The challenge before us is as clear as it is urgent. Virtually every 
aspect of our society and our economy rely on information technology. 
It has enabled tremendous economic growth, it has enabled tremendous 
efficiencies in every sector, but it has put all kinds of information 
out there in ways that, looking back, we are going to wonder why we 
made that information so available in so many places and left so 
  Federal, State, and local governments rely on that information 
technology as well. As the technology advances, its widespread adoption 
has also opened us to new dangers. Modern cyber security threats are 
sophisticated, they are massive, and they are persistent. This doesn't 
just happen every day, it happens all the time every day.
  The culprits of these attacks and intrusions range in terms of their 
motives and their abilities. We just heard of a teenager who figured 
out how to

[[Page S7393]]

get into the personal account of the CIA director--at least that is the 
public media report--and the homeland security director. This is not a 
particularly sophisticated individual, but obviously a pretty capable 
person who gets to two individuals that one would think would be the 
most cautious.
  Some of these people are bent on sheer vandalism--just the thrill of 
cyber vandalism--while others are determined to steal intellectual 
properties from American companies. The motive there is clear. It is 
easier to steal intellectual property than it is to go through the hard 
work of creating it. Suddenly that information is out there, and the 
people who created it have been robbed.
  I hear this all the time when I visit companies in my State. We have 
seen cyber intrusions used for espionage. We have seen one major 
company attacked for no reason other than to embarrass the company 
because a foreign government didn't like something the company had 
done. It is quite a way to have a movie review, that we are just going 
to destroy as much of your technology as we can by a cyber invasion.
  A great many more of these people are motivated by greed--pilfering 
other people's identities, getting access to other people's account 
information, and selling that information on the black-market. This 
becomes a real opportunity for them. The more you remove it from the 
person who initially got it, the harder it is to find out who initially 
got it and what they did with it.
  Underneath all this is the implication of more serious attacks that 
can cause physical harm and can cause mass disruption of critical 
infrastructure of the country that is very dependent on cyber security. 
This really begs the question: What are we doing to protect our country 
and our citizens from these cyber adversaries? I have been in Senate 
for 5 years. I have had the great opportunity to represent the people 
of Missouri here for 5 years. And during every one of those 5 years, we 
have been talking about how important it is that we do something about 
cyber security. This is the only approach I have seen in those 5 years 
that has bipartisan support. It has a bicameral consensus. This is 
something that can happen.
  This is a problem that it is time to stop talking about. Do we want 
some other government to have everybody's fingerprints before we do 
something about it? This is the time to do something about it. As a 
member of the Senate Select Committee on Intelligence, I am certainly 
here to support the chairman of that committee and the vice chairman of 
that committee to finally pass this bill, a bill to enhance the public-
private partnerships that can provide the kind of cyber defense we 
  We need to do that and we need to encourage lots of sharing. We need 
to encourage sharing of attacks. We need to encourage early on, as I 
said, the ability to call somebody else in your same business and to 
contact them and say: This is happening right now. That is the best 
time to say it. The other option is to say: This happened to us late 
last night or happened yesterday, but this is happening to us. Is it 
happening to you?
  There is lots of misunderstanding about this concept. Without getting 
too technical, cyber threats are the malicious codes and algorithms 
used to infect computer systems and attack networks. They are 
techniques that use bits and bytes. They are the ones and zeros of the 
digital age that allow hackers to intrude upon private systems, steal 
information, perpetrate fraud, or disrupt activities over the Internet.
  In very dangerous circumstances, these techniques can be used to 
remotely control critical infrastructure management systems, such as 
supervisory control and data acquisition systems. I saw something on 
the news the other day where some hackers, for no intent other than 
maybe just to see if they could do it, had figured out how to take over 
one of the cars that was driving itself. Suddenly the car wasn't 
driving itself; the hacker was driving the car.
  When a particular company finds itself subjected to some novel new 
approach, the quicker they can share that, the better. When the 
government discovers a new method being used to infiltrate information 
technology systems abroad or here, they need to be able to share that 
with American companies quickly so they can protect themselves. There 
are things the private sector sees that the government does not, and 
there are things the government sees that the private sector does not. 
This legislation gives the obligation and opportunity to both of them 
to join together in this important fight. Modern communications 
networks move at an incredibly rapid pace. We need to be fighting back 
at that same kind of rapid pace.
  This bill establishes a strictly voluntary program. Unlike some of 
the other programs we have talked about to secure ourselves in a post-
9/11 world, this is a strictly voluntary program that leverages 
American ingenuity to unleash the arsenal of democracy against cyber 
  When it comes to the cyber threat, we have to act for a common 
purpose. Throughout this debate there has been a great deal of 
discussion about the need to protect liberty in the information age. I 
truly think liberty and security are not at odds with one another in 
this legislation. When it comes to this bill, it comes the closest to 
having the balance we all would like to see. It takes into 
consideration the importance of liberty, but it also takes into 
consideration what happens as we protect our security.
  I would close by saying of all the attacks we have had, and as bad as 
they have been, none of them have been the sort of catastrophic 
infrastructure attack that we may see that would impact the grid, that 
impacts our ability to communicate, impacts our ability to make the 
water system work, or impacts our ability to make the electrical system 
work. If that happens, the Congress will not only act, the Congress 
will overreact.
  This is the right time to have this debate. Let's put this 
legislation on the books right now. Let's give the people a law that 
makes sense at a time when we have the time to debate it, instead of 
waiting to see the direction we will turn to when we should have 
debated this and moved in this direction right now. I encourage my 
colleagues to vote for this bipartisan bill that I think will wind up 
on the President's desk and become law.
  Mr. President, I yield to my patient friend from Maine, who has been 
waiting. He and I serve on the Select Committee on Intelligence 
together, and I look forward to his comments.
  The PRESIDING OFFICER (Mr. Scott). The Senator from Maine.
  Mr. KING. Mr. President, the United States is under attack. We are 
under attack--not a week ago, a month ago, September 11 or yesterday, 
but right at this moment. We are under attack from state actors, from 
terrorist nonstate actors, and from garden-variety criminals. This 
cyber issue is one of the most serious that we face.
  When I first got here, I was appointed to the Armed Services and 
Intelligence Committees. On those two committees over the past 3 years, 
at least half of our hearings have touched upon this issue and the 
threat that it presents to this country. The leaders of our 
intelligence community and our military community, in open session and 
in closed session, have sounded the alarm over and over and over. The 
most dramatic--I don't remember what the hearing was--was when one of 
our witnesses said: ``The next Pearl Harbor will be cyber.''
  As the Senator from Missouri just pointed out, we are fortunate that 
we have had a number of warning shots but none have been devastating. 
But we have had warning shots--at Sony, at Target, at Anthem, at the 
Office of Personnel Management of the U.S. Government, and at the home 
email of the Director of the CIA. We have had large and small 
intrusions and cyber attacks that have been more than annoying, but, so 
far, they haven't been catastrophic. That is just a matter of time. 
That is why we have to move this bill.
  This bill isn't a comprehensive answer to this question, but it is at 
least a piece of it. It is a beginning. We are going to have to talk 
about other aspects of our cyber strategy, but at least we can pass 
this bill, which came out of the committee 14 to 1. It is bipartisan, 
and it has support in the House. Let's do something.
  I do not want to go home to Maine and try to explain to my 

[[Page S7394]]

when the natural gas system or the electric system is brought down, 
that we couldn't quite get around to it because of the difference of 
committee jurisdictions or because we had other priorities or because 
we were tied up on the budget. This is a priority. It is something we 
should be doing immediately, and I am delighted that we have moved to 
  Now, as I have sat in the Intelligence Committee every Tuesday and 
Thursday afternoon for the past 3 years, it occurred to me several 
months into those debates and the discussions of this and other issues 
that really we in the Intelligence Committee and also we in this body 
really are working with and weighing and balancing two constitutional 
  The first is the preamble of the Constitution. The most basic 
responsibility of any government, anywhere, anytime, is to provide for 
the common defense. That is why governments are formed, to provide the 
security, and also to insure domestic tranquility. Those two together 
are the basic functions of why we are here--to protect our people from 
harm. And that is clearly what this bill is talking about.
  But the other constitutional provision in the picture that we also 
have to weigh is the Fourth Amendment: ``The right of the people to be 
secure in their persons, houses, papers, and effects, against 
unreasonable searches and seizures, shall not be violated. . . . '' 
That is a fundamental premise of who we are as a people.
  These two provisions of the Constitution are intentioned--neither one 
dominates, neither one controls the other--and it is our job in this 
body to continuously weigh and calibrate these two provisions and their 
balance in light of threats and evolving technologies.
  When the Fourth Amendment was written, nobody had ever heard of 
telephones. They certainly had never heard of the Internet. They never 
thought about any of these things. But they said: The rights ``shall 
not be violated.'' It is interesting--``unreasonable searches and 
seizures.'' They didn't know the threats we would be facing when they 
said it was a fundamental premise of the U.S. Constitution that we 
should protect against both foreign and domestic enemies. That is what 
we have to do, and that is what this bill does.
  This bill is very carefully worked up, with a lot of discussion and 
negotiation, to be effective in protecting the public, while, at the 
same time, to be effective in protecting the public's privacy rights in 
respecting these two principles. We have had warning after warning 
after warning, and now it is time for us to act.
  The good news about the United States is that we are the most wired 
nation in the world. Technology has been a huge boon to our economy and 
to our people, and we are way ahead of a lot of the rest of the world 
in our interrelationship with technology and how we have used it to 
enhance our lives. That is the good news. The bad news is that we are 
the most wired country in the world, because that means we are the most 
vulnerable--asymmetric vulnerability. We are more vulnerable because we 
are more connected. That means we have to take great care in this 
country to be sure that we don't allow that vulnerability to result in 
a catastrophic loss for our people.
  Not only are we talking about national security issues, but we are 
talking about individual people's lives. If the electric grid went 
down, people's lives would and could be lost--in hospitals, at traffic 
intersections, across the country. If the natural gas system--the vast 
pipeline system that links our country in terms of energy--somehow went 
awry because of a cyber intrusion into the operating system, that would 
have devastating consequences for human lives and also, of course, for 
the economy of our country. Somebody could get into the routing system 
of a railroad, and a train carrying hazardous material would be caused 
to derail. These are the kinds of things that can happen and will 
likely happen unless we take steps to protect ourselves.
  Some of these attacks and intrusions are sponsored by nation-states. 
We know that. Some of them are sponsored by just garden-variety 
criminals who are trying to steal our money. Or some of them are large 
international criminal organizations that are trying to steal our 
commercial intelligence and how we build our products and how we 
compete. Some of them are terrorist organizations that see this as a 
cheap way to attack America. Why go to all the trouble to build a bomb 
and smuggle it into the country and all the risk that entails, when you 
can disrupt the country in just as great a way with a few strokes on a 
  It is economic security, national security, economics. It has been 
estimated worldwide that cyber crime costs our country $445 billion a 
year. That is to the global economy--a half trillion dollars a year. 
Some 200,000 jobs in the United States could be and are being affected, 
and 800 million personnel records were stolen, and 40 million were 
  The cost of cyber crime is estimated to be between 15 and 20 percent 
of the value created by the Internet. We always talk that we don't want 
any taxes on the Internet. This is a tax. This is a tax we are all 
paying. The users of the Internet are paying to ward off this epidemic 
of cyber crime.
  It is not only the government. Of course, it is companies, such as 
Sony, Target, Anthem, the industrial base, JP Morgan, Home Depot. The 
list goes on and on. Most importantly, it is not just the big guys. 
Sometimes we feel that OK, this is the large banks, the large insurance 
companies that have to worry about this. In the State of Maine, we have 
to worry about it.
  My staff and I in Maine have reached out to businesses large and 
small across the State. Every single one, with one exception, listed 
cyber intrusion as one of their greatest issues.
  The Maine Credit Union League, with $2.5 million a year, and local 
credit unions are having to deal with cyber intrusion.
  One of our Maine health care providers has experienced thousands of 
attempts to steal confidential data every year. Keeping the data safe 
is costing them more than $1 million. This is costing us real money.
  At one of our Maine financial institutions, 60 to 70 percent of the 
emails they get in the bank are phishing emails trying to compromise 
their secured data.
  One of our utilities spent over $1 million a year just on 
preventative costs to defend against cyber crime. This is in a State of 
1.3 million people. This is real. This is real in our State.
  I had a forum over the August break with businesses throughout 
Maine--mostly small businesses and homeland security. We had 100 
businesses come just to visit and sit for a day to talk about this 
issue. These were small businesses, and all of them were seeing these 
kinds of problems.
  One was a small business with 35 employees that did a deal overseas, 
and a cyber criminal in effect stole their payment. They sent a fake 
invoice to the customer overseas, the customer paid it, and the money 
went to the crook, not to my company in Maine. That is the kind of 
thing that is happening, and that is one of the reasons we have to take 
action today.
  No business is immune. No individual is immune. And, of course, this 
country is not immune.
  The price of inaction is just too high. This is something we must 
attend to. As I mentioned, this bill is not the whole answer, but it is 
a part of the answer.
  Some people say: Well, it is not broad enough. My answer is this: OK, 
I understand that, but let's do what we can do and then take it one 
step at a time.
  Some people say it compromises privacy. I don't believe that it does. 
Extraordinary measures were imported into this bill in order to protect 
the privacy of individuals. This is not about individual data. This is 
about a company voluntarily telling the government and perhaps some 
other companies: Here is what I am seeing as an attack. How can we 
collectively defend ourselves against it?
  That is what this bill is really all about. We have to take action, 
and now is the time.
  I thank the chair and the vice chair of the Intelligence Committee, 
the members of the Homeland Security and Governmental Affairs 
Committee, the members of the Judiciary Committee, and all of those who 
have contributed to the finalization of this important piece of 
  There is an attitude out there that we can't get anything done around

[[Page S7395]]

here. I think this gives us an opportunity to prove that idea wrong. We 
can get things done. We should get things done. This is a chance for us 
to protect our people, to provide for the common defense--which is our 
most solemn constitutional responsibility--in a way that also protects 
the interests of the Fourth Amendment and individual privacy rights.
  I hope we can move swiftly, complete the consideration of this bill 
this week, work out our differences with the House, and get this matter 
to the President. We have no place to hide if we don't get this done. 
This is what we are here for.
  Again, I thank my colleagues who worked so hard to bring us to this 
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Arizona.
  Mr. McCAIN. Mr. President, before the Senator leaves the floor, I 
wish to thank him on a well-planned, well-thought-out, and very 
convincing presentation, and an argument that, frankly, I can add very 
little to. So I will make my remarks very brief.
  I thank the Senator from Maine for highlighting the absolute 
importance of the passage of this legislation. And, I might add, he is 
one of the most serious and hard-working members of the Senate Armed 
Services Committee as well. I won't go any further.
  Mr. President, I rise in strong support of S. 754. I thank my 
colleagues, Chairman Burr and Vice Chairman Feinstein, for their 
ongoing leadership.
  In the short 2 months since this bill was last on the Senate floor, 
the need for action on information sharing has only increased. It is 
not for a lack of trying. We have continuously failed to make progress 
on this bill. As the Senator from Maine just made clear, that must 
change. Enacting legislation to confront the accumulating dangers of 
cyber threats must be among the highest national security priorities of 
the Congress.
  The need for congressional action, in my view, is also enhanced by 
the administration's inability to develop the policies and framework 
necessary to deter our adversaries in cyberspace.
  Earlier this week we learned just how ineffective the administration 
has been in addressing our cyber challenges. Within days of reaching an 
agreement to curb the stealing of information for economic gain, 
China--China--repeatedly, reportedly, continues its well-coordinated 
efforts to steal designs of our critical weapons systems and to wage 
economic espionage against U.S. companies. It is not a surprise, but it 
serves as yet another sad chapter in this administration's inability to 
address the cyber threats.
  I guess in the last couple of days it has been made known that some 
hacker hacked into the information of both the Director of the CIA and 
the chairman of the homeland security committee. That is interesting. 
As the President's failed China agreement clearly demonstrates, our 
response to cyber attacks has been tepid at best and nonexistent at 
worst. Unless and until the President uses the authority he has to 
defer, deter, defend, and respond to the growing number in severity of 
cyber threats, we will risk not just more of the same but embolden 
adversaries in terrorist organizations that will continuously pursue 
more severe and destructive attacks.
  Addressing our cyber vulnerabilities must be a national security 
priority. Just this week, Admiral Rogers, the head of Cyber Command, 
reiterated, ``It's only a matter of time before someone uses cyber as a 
tool to do damage to critical infrastructure.''
  My colleagues don't have to agree with the Senator from Maine or me 
or anybody else, but shouldn't we listen to Admiral Rogers, the head of 
Cyber Command, probably the most knowledgeable person or one of the 
most knowledgeable who said, ``It is only a matter of time before 
someone uses cyber as a tool to do damage to critical infrastructure.''
  According to the recently retired Chairman of the Joint Chiefs of 
Staff, General Martin Dempsey, our military enjoys ``a significant 
military advantage'' in every domain except for one--cyber space. As 
General Dempsey said, cyber ``is a level playing field. And that makes 
this chairman very uncomfortable.''
  I will tell you, it makes this chairman very uncomfortable as well.
  Efforts are under way to begin addressing some of our strategic 
shortfalls in cyber space, including the training of a 6,200-person 
cyber force. However, these efforts will be meaningless unless we make 
the tough policy decisions to establish meaningful cyber deterrence. 
The President must take steps now to demonstrate to our adversaries 
that the United States takes cyber attacks seriously and is prepared to 
  This legislation is one piece of that overall deterrence strategy, 
and it is long past time that Congress move forward on information 
sharing legislation. We have been debating similar cyber legislation 
since at least 2012. I am glad this body has come a long way since that 
time in recognizing that government mandates on the private sector, 
which operates the majority of our country's critical infrastructure, 
will do more harm than good in cyber space. The voluntary framework in 
this legislation properly defines the role of the private sector and 
the role of the government in sharing threat information, defending 
networks, and deterring cyber attacks.
  At the same time, it is unfortunate that it has taken over 3 years to 
advance this commonsense legislation. The threats we face in cyber 
space are real and imminent, as well as quickly evolving. All aspects 
of the Federal Government, including this body, must commit to more 
quickly identifying, enacting, and executing solutions to counter cyber 
threats. If we do not, we will lose in cyber space.
  As chairman of the Armed Services Committee, I consider cyber 
security one of the committee's top priorities. That is why the 
National Defense Authorization Act provides a number of critical 
authorities to ensure that the Department of Defense can develop the 
capabilities it needs to deter aggression, defend our national security 
interests, and when called upon, defeat our adversaries in cyber space. 
I find it unacceptable that the President has signaled his intent to 
veto this legislation that, among other key Department of Defense 
priorities, authorizes military cyber operations and dramatically 
reforms the broken acquisition system that has inhibited the 
development and delivery of key cyber capabilities.
  More specifically, the National Defense Authorization Act extends 
liability protections to Department of Defense contractors who report 
on cyber incidents or penetrations, and it authorizes the Secretary of 
Defense to develop, prepare, coordinate and, when authorized by the 
President, conduct a military cyber operation in response to malicious 
cyber activity carried out against the United States or a U.S. person 
by a foreign power. The NDAA authorizes $200 million for the Secretary 
of Defense to assess the cyber vulnerabilities of every major DOD 
weapons system. Finally, Congress required the President to submit an 
integrated policy to deter adversaries in cyber space in the fiscal 
year 2014 National Defense Authorization Act. I tell my colleagues that 
we are still waiting on that policy. This year's NDAA includes funding 
restrictions that will remain in place until it is delivered.
  As we dither, our Nation grows more vulnerable, our privacy and 
security are at greater risk, and our adversaries are further 
emboldened. The stakes are high, and it is essential that we pass the 
Cybersecurity Information Sharing Act without further delay.
  Let me also mention in closing that probably the most disturbing 
comment I have heard in a long time on this issue in this challenge is 
when Admiral Rogers said that our biggest challenge is we don't know 
what we don't know. We don't know what the penetrations have been, what 
the attacks have been, whether they have succeeded or not, where they 
are in this whole realm of cyber and information at all levels. When 
the person we placed in charge of cyber security says we don't know 
what we don't know, my friends, that is a very serious situation.
  I want to congratulate again both the managers of the bill in their 
coordination and their cooperation in this bipartisan effort.
  I yield the floor.
  Mr. KING. Will the Senator yield for a question?
  Mr. McCAIN. I will be pleased to yield.

[[Page S7396]]


  Mr. KING. I ask the Senator, would you agree that this bill 
represents an important part of our cyber defense but that in order to 
deter attacks in the long term, we must have a cyber policy that goes 
beyond simple defensive measures?
  Mr. McCAIN. I would certainly agree, I would say to my friend from 
Maine, because if the adversaries that want to commit cyber attacks 
against the United States of America and our allies believe that there 
is no price to pay for those attacks, then where is the demotivating 
factor in all of this which would, if they failed, then keep them from 
doing what they are doing? It seems to me that this is an act of war, 
and I don't use that term lightly but I am trying to use it carefully. 
If you damage intentionally another nation's military or its economy or 
its ability to function as a government--I would ask my friend from 
Maine--wouldn't that fit into at least a narrow interpretation of an 
act of war? If so, then should we only have defenses? Have we ever been 
in a conflict where we only have defenses and not the capability to go 
out and deter further aggression?
  Mr. KING. I would suggest to the Senator that if you are in a fight 
and all you can do is defend and never punch, you are going to 
eventually lose that fight. I think this is an important area. The 
theory of deterrence, as distasteful as it might have been, the 
mutually assured destruction during the nuclear era did in fact prevent 
the use of nuclear arms for some 70 years. I think we need to be 
thinking about a deterrence that goes beyond simply defensive measures. 
I commend the chairman for raising this issue and appreciate your 
thoughtful consideration.
  Mr. President, I yield the floor.
  Mr. LEAHY. Mr. President, it seems as though every week, the American 
people learn of yet another data breach in which Americans' sensitive, 
private information has been stolen by cyber criminals or foreign 
governments. This is a critical national security problem that deserves 
action by Congress. But our actions must be thoughtful and responsible, 
and we must recognize that strengthening our Nation's cyber security is 
a complex endeavor with no single solution.
  According to security researchers and technologists, the most 
effective action Congress can take to improve our cyber security is to 
require better and more comprehensive data security practices. That is 
why earlier this year, I introduced the Consumer Privacy Protection 
Act. That bill requires companies to utilize strong data security 
measures to protect our personal information and to help prevent 
breaches in the first place. Companies that benefit financially from 
gathering and analyzing our personal information should be obligated to 
take meaningful steps to keep it safe.
  But rather than taking a comprehensive approach that addresses the 
multiple facets of cyber security, the Republican majority appears to 
be focused entirely on passing the Senate Intelligence Committee's 
cyber security information sharing bill. While legislation to promote 
the sharing of cyber threat information could, if done right, be useful 
in improving our cyber security, it is a serious mistake to believe 
that information sharing alone is the solution. Information sharing 
alone would not, for example, have prevented the breach at the Office 
of Personnel Management, nor would it have prevented other major 
breaches, such as those at Target, Home Depot, Anthem, or Sony.
  Instead of ensuring that companies better safeguard Americans' data, 
this bill goes in the opposite direction, giving large corporations 
more liability protection and even more leeway on how to use and share 
our personal information with the government--without adequate privacy 
  Also troubling is the fact that the Republican majority has been 
intent on jamming this bill through the Senate without any regard for 
regular process or opportunity for meaningful public debate. Only last 
year, the Republican leader declared his commitment to ``a more robust 
committee process'' and plainly stated that ``bills should go through 
committee.'' But the bill was drafted behind closed doors by the Senate 
Intelligence Committee, and it has not been the subject of any open 
hearings or any meaningful public debate. The text of the bill was only 
made public after it was reported to the Senate floor, and no other 
committee of jurisdiction--including the Judiciary Committee--was 
allowed to consider and improve the bill.
  The Judiciary Committee was prevented from considering this bill even 
though it contains numerous provisions that affect matters squarely 
within our jurisdiction. First and foremost, the bill creates a 
framework of information sharing that could severely undermine 
Americans' privacy. The bill also overrides all existing law to provide 
broad liability protections for any company that shares information 
with the government. It also overrides important privacy laws such as 
the Electronic Communications Privacy Act, ECPA, and the Foreign 
Intelligence Surveillance Act, FISA, over which the Judiciary Committee 
has long exercised jurisdiction. CISA even amends the Freedom of 
Information Act, FOIA, and creates new exemptions from disclosure.
  This is just the latest attempt by the majority leader to bypass the 
Judiciary Committee and jam a bill through the Senate that contains 
provisions within the jurisdiction of the committee. The bill reported 
by the Senate Intelligence Committee includes a broad and unnecessary 
FOIA exemption. FOIA falls under the exclusive jurisdiction of the 
Senate Judiciary Committee and changes affecting this law should not be 
enacted without full and careful consideration by the Judiciary 
Committee. This important transparency law certainly should not be 
amended in closed session by the Senate Intelligence Committee.
  Shortly after the text of the bill was released, I shared with 
Chairman Grassley my concern that the Judiciary Committee should also 
consider this bill. He assured me that there would be a ``robust and 
open amendment process'' if this bill were considered on the Senate 
floor. But only a few weeks later, the Republican leadership--with 
Chairman Grassley's support--attempted to jam the Intelligence 
Committee's bill through the Senate as an amendment to the National 
Defense Authorization Act, NDAA, without any opportunity for meaningful 
debate. Republicans and Democrats joined together to reject the 
majority leader's effort to force the cyber security bill onto the 
NDAA. Despite this rebuke from both sides of the aisle, just a few 
weeks later, the majority leader again attempted to jam the bill 
through the Senate in the final days before August recess, without any 
serious opportunity to debate and offer amendments.
  The majority leader's actions have been part of a consistent 
disregard for regular order. He has talked about providing an 
opportunity for fair debate, but at the same time, he has used all 
procedural mechanisms to stifle process on this bill. Yesterday 
afternoon, the Senate moved to consideration of this bill--but then not 
even 2 hours later, the majority leader moved to end debate. That 
speaks volumes about whether the majority leader is really interested 
in a full and open debate, and it is not how the U.S. Senate should 
operate--particularly when it comes to a bill with such sweeping 
ramifications for Americans' privacy.
  Senator Feinstein, the ranking member of the Intelligence Committee, 
has consistently said that the Senate ``should have an opportunity to 
fully consider the bill and to receive the input of other committees 
with jurisdiction in this area.'' She has worked hard to improve the 
underlying bill with a managers' amendment that addresses a number of 
my concerns, particularly in regard to FOIA, limiting the sharing of 
information for cyber security purposes only, and ensuring that the 
bill would not allow the government to use information to investigate 
crimes completely unrelated to cyber security. I appreciate these 
improvements, and Senator Feinstein's efforts to include them in the 
bill. But again, this bill still has some serious problems and requires 
a full, public debate. The bill still includes, for example, a FOIA 
exemption that I believe is overly broad and unnecessary.
  In July, the Department of Homeland Security wrote a letter to 
Senator Franken stating that in their view the bill raises significant 
operational concerns and certain provisions threaten to severely 
undermine Americans' privacy. Last week, the Computer & Communications 
Industry Association--an

[[Page S7397]]

organization that includes Google, Facebook, and Yahoo!--voiced serious 
concerns that the bill fails to protect users' privacy and could 
``cause collateral harm'' to ``innocent third parties.'' And this week, 
major tech companies such as Apple, Dropbox, Twitter, and Yelp have 
vocally opposed the bill citing concerns for their users' privacy.
  The latest version of the bill contains a number of improvements that 
I and other Senators have been fighting for, and I am glad to see that 
we are making progress. But we still have work to do on this bill, and 
the Senate must have an open and honest debate about the Senate 
Intelligence Committee's bill and its implications for Americans' 
privacy. I agree that we must do more to protect our cyber security, 
but we must be responsible in our actions. Legislation of this 
importance should not be hastily pushed through the Senate, without a 
full and fair opportunity for Senators to consider the ramifications of 
this bill. Unfortunately, by moving so quickly to end debate, it 
appears that the majority leader is trying to do just that.
  Ms. MIKULSKI. Mr. President, I wish to support the Cybersecurity 
Information Sharing Act of 2015.
  Cyber security is the most pressing economic and national security 
threat facing our country today. As a member of the Senate Select 
Committee on Intelligence, I am keenly aware of the damage cyber 
attacks cause on our Nation. As vice chairwoman of the Senate 
Appropriations Committee, I believe we must have a clear and 
comprehensive approach to funding cyber security.
  In boardrooms and around kitchen tables, concern over cyber security 
is heightening. It is gaining new traction following the cyber attack 
on the Office of Personnel Management, which compromised the personal 
information of more than 22 million Federal employees, contractors, and 
their families.
  The American people expect serious action by Congress. This can and 
must be done, while respecting privacy and avoiding data misuse by the 
government or businesses. Congress must act with a sense of urgency to 
pass the Cybersecurity Information Sharing Act. If we wait for another 
major cyber attack, we risk overreacting, overregulating, overspending, 
and overlegislating. The time to act is now.
  Our Nation is under attack. Every day, cyber attacks are happening. 
Cyber terrorists are working to damage critical infrastructure by 
taking over the power grid or disrupting air traffic control. Cyber 
spies are moving at breakneck speeds to steal state secrets, 
intellectual property, and personal information. Cyber criminals are 
hacking our networks, stealing financial information, and disrupting 
business operations. These cyber attacks can disrupt critical 
infrastructure, wipe out a family's entire life savings, take down 
entire companies, and put human lives at risk. In the past year alone, 
we've seen cyber attacks against Sony, Home Depot, UPS, JP Morgan 
Chase, Experian, T-Mobile, Scottrade, and the list goes on. The 
economic losses of cyber crime are stunning. In 2014, the Center for 
Strategic and International Studies and McAfee estimated the annual 
cost from cyber crime to be over $400 billion.
  I have been working on cyber issues since I was elected to the 
Senate. Our cyber warriors at the National Security Agency are in 
Maryland, and I have been working with the NSA to ensure signals 
intelligence was a national security focus even before cyber was a 
method of warfare.
  In my role on the Intelligence Committee, I served on the Cyber 
Working Group, which developed findings to guide Congress on getting 
cyber governance right, protecting civil liberties, and improving the 
cyber workforce.
  As vice chairwoman of the Appropriations Committee and the Commerce, 
Justice, and Science Subcommittee, I put funds in the Federal checkbook 
for critical cyber security agencies. These include the Federal Bureau 
of Investigation, which investigates cyber crime; the National 
Institute of Standards and Technology, which works with the private 
sector to develop standards for cyber security technology; and the 
National Science Foundation, which researches ways to secure our 
Nation. As a member of the Appropriations Subcommittee on Defense, I 
fight for critical funding for the intelligence and cyber agencies, 
including the National Security Agency, Central Intelligence Agency, 
and Intelligence Advanced Research Projects Activity, who are coming up 
with the new ideas to create jobs and keep our country safe. These 
funds are critical to building the workforce and providing the 
technology and resources to make our cyber security smarter, safer, and 
more secure.
  This bill does three things from a national security perspective. 
First, it allows businesses and government to voluntarily share 
information about cyber threats. Second, it requires the Director of 
National Intelligence to share more cyber threat information with the 
private sector, both classified and unclassified. Third, it establishes 
a Department of Homeland Security ``portal'' for cyber info-sharing 
with the government to help dot-gov and dot-com in a constitutional 
manner. These three provisions are an innovation. Despite all the 
amazing talent companies have, many are being attacked and don't even 
realize it. This legislation allows unprecedented dot-com and dot-gov 
cooperation. There are also key provisions on privacy protections and 
liability protection for companies that monitor their own networks or 
share information.
  Why do we need a bill to make these vital partnerships happen? 
America is under attack every second of every day. The threat is here, 
and it is now. If we do not act or if we let the perfect be the enemy 
of the good, this country will be more vulnerable than ever before, and 
Congress will have done nothing.
  This bill is not perfect. The Department of Homeland Security's role 
has been criticized by many, including myself. I have been skeptical 
about their ability to perform some duties assigned in this bill. I am 
still skeptical, although less so than before. But this bill takes 
important steps to diversify government and private sector actors, so 
we are not just focusing on DHS, but also keeping civilian agencies in 
charge. We cannot have intelligence agencies leading this effort with 
the private sector. Some would like to see that go further, but that is 
what the amendment process is for.
  People in the civil liberties community worry that this bill could 
allow government intrusions into people's privacy. This was of 
tantamount concern for me. If we don't protect civil liberties, the 
added security is for naught because we lose what we value most: our 
freedom. The authors of this bill, especially Senator Feinstein, have 
made key improvements on issues of law enforcement powers and 
protecting core privacy concerns. While not everyone is entirely 
pleased, this bill has made important strides to balance information 
sharing and privacy.
  The business community is concerned because it fears strangulation 
and overregulation. They worry that they will open themselves up to 
lawsuits if they participate in the program with the government. I have 
heard from Maryland businesses and these are valid concerns. 
Importantly, this bill has made strides in accommodating business and 
builds a voluntary framework to allow businesses to choose that 
protection. Protection does not come without responsibility for 
participants, but this bill links the need for cyber security, 
appropriate liability protection, and the expertise of our business 
community in a way that answers a lot of companies' concerns. We cannot 
eliminate all government involvement in this issue because it simply 
won't work, and we will lose key government expertise in the Department 
of Defense, Federal Bureau of Investigation, and elsewhere. However, we 
can work to try to minimize it while maintaining the government's role 
in protecting national security.
  I am so proud that the Senate came together in a bipartisan way to 
draft and pass this legislation. The Senate must pass this legislation 
now. Working together, we can make our Nation safer and stronger and 
show the American people we can cooperate to get an important job done.

                           Amendment No. 2557

  Mr. President, today I wish to speak about my amendment to the cyber 
security bill. This amendment would provide an additional $37 million 
for the Office of Personnel Management, OPM,

[[Page S7398]]

to accelerate completion of its information technology, IT, 
modernization and thwart future cyber attacks.
  This additional funding would allow OPM to make needed upgrades to 
cyber security and network systems 1 year ahead of schedule. This means 
OPM will not have to wait another year to protect sensitive personnel 
data by implementing hardware and software upgrades recommended by 
security experts.
  The $37 million is designated as an emergency under the Budget 
Control Act of 2011.
  For over a year, the Office of Personnel Management's systems were 
compromised. This hack exposed the financial and personal information 
of 22 million Federal employees and their families, contractors, job 
candidates and retirees. This is unacceptable.
  OPM's retirement services and background investigation databases 
contain the most sensitive data OPM holds, including Social Security 
numbers, health information and fingerprints.
  I have heard from employees across the government. Data breaches 
undermine morale and complicate their ability to serve the American 
  OPM has moved to provide protections, but that is not enough. 
Securing these systems must be done now. We can't wait for the next 
budget cycle.
  I urge support for my amendment. This is a crisis, so we ought to 
treat it like one. Twenty-two million Americans who entrusted their 
data and fingerprints to the government deserve the highest standard of 
  There is a reason OPM was exploited. Federal cyber security has been 
weak. The Appropriations Committee has consistently given agencies the 
resources they asked for to protect their dot-gov systems. But under 
sequester-level budgeting it hasn't been enough. Constrained agencies 
don't ask for what is truly needed to do the cyber security job.
  Tight budgets mean immediate problems get requested and funded before 
other much needed IT protection and maintenance. We aren't even doing 
the simple things.
  After the OPM breach, the Office of Management and Budget, OMB, 
conducted a cyber sprint. OMB asked agencies to take four minimal 
steps: No. 1, deploy Department of Homeland Security malicious activity 
detectors; No. 2, patch critical vulnerabilities; No. 3, tighten 
privileged user policies; and No. 4, accelerate deployment of 
multifactor authentication.
  While there was improvement, only 14 of the 24 agencies met the 
fourth goal. Some of it is a lack of will, but some is a lack of 
  OPM knows it needs to harden its information technology.
  That is why I am offering this amendment, providing $37 million in 
emergency spending to harden OPM systems now--not a year from now. 
These funds meet the criteria for being designated as emergency 
spending as set out in the Budget Control Act of 2011. OPM's needs are 
urgent, temporary, and, regrettably, unforeseen.
  What does it mean to designate funds as emergency spending? It means 
no offsets, so we don't pay for this amendment by drawing from existing 
funding used to defend the Nation or help America's families.
  The need is urgent--our adversaries are still trying to attack us. 
The need is temporary--these are one-time costs to accelerate IT 
reform. And the need is unforeseen which is sadly the reason they were 
not requested in the President's fiscal year 2016 budget in February.
  Some say this funding is premature, and OPM is not ready to deploy it 
effectively. However, those reports were written before Beth Cobert 
became OPM Acting Director. She is turning OPM around, but she needs 
the resources to secure OPM's IT systems, and cyber security is a 
critical issue.
  Government can't be reckless with the sensitive data it has. We must 
do better with dot-gov and get our own house in order. We know what OPM 
needs to do--they have the will, they have a business plan, and now 
they need the wallet.
  Vote for my amendment No. 2557 to get OPM the resources it needs.
  The PRESIDING OFFICER. The Senator from Wisconsin.


                           Amendment No. 2582

  Mr. FLAKE. Mr. President, I rise to speak in support of the Flake 
amendment No. 2582 that is currently pending before the body. This 
amendment is very simple. It simply adds a 6-year sunset to the bill. 
This amendment also keeps in place the liability protections 
established by the Cyber Security and Information Sharing Act for 
information that is shared pursuant to the requirements of the bill. 
Furthermore, the amendment ensures that the requirements on how the 
information is shared under the act is to be handled remain in effect 
after the sunset date.
  That is all this amendment does. It simply sunsets the bill in 6 
years, and it does so in a reasonable and responsible way. I believe in 
the sunset provision. It is good for us to consider our past decisions 
6 years from now, to determine whether what we enacted is operating 
well, and to debate the overall success of the legislation that we 
passed 6 years prior. We ought to do that, frankly, on a lot of other 
legislation we pass.
  I do believe the bill we are currently considering, as it is written, 
strikes the right balance. It puts in place the proper privacy 
protections, and I plan to support the legislation. However, it is 
important to make sure that we are forced to go back and evaluate it in 
the years to come to make sure we actually got it right. Given the 
nature of the bill being debated before us, it is all the more 
important to do so in this instance.

  I would also note that this 6-year sunset is similar to sunset 
provisions that were included in both House-passed cyber security 
bills. So if it is in the House, we ought to have it in the Senate as 
  Both the Protecting Cyber Networks Act, which passed the House by a 

[[Page S7405]]

of 307 to 116, and the National Cybersecurity Protection Advancement 
Act, which passed the House by a vote of 355 to 63, include a 7-year 
  I ask my colleagues to support this amendment. I think it does 
strengthen the bill. It ensures that we evaluate, as we should, any 
legislation that we pass to ensure that it is having its intended 
  I yield back the remainder of my time.
  I suggest the absence of a quorum.
  The PRESIDING OFFICER (Mr. Lee). The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.
  The PRESIDING OFFICER. The Senator from Louisiana.
  Mr. VITTER. I ask unanimous consent that the order for the quorum 
call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.