[Congressional Record Volume 161, Number 154 (Wednesday, October 21, 2015)]
[Senate]
[Page S7368]



                 CYBERSECURITY INFORMATION SHARING BILL

  Mr. REID. Mr. President, today the Senate turns its attention to the 
cybersecurity bill. It is way overdue. The bill, which is OK, is better 
than nothing--let's put it that way.
  The ranking member of the Intelligence Committee, Senator Feinstein, 
and the chairman of that committee, Senator Burr, have worked hard on 
this legislation, which addresses a serious national security issue. In 
fact, it is so serious that we should have addressed this topic long 
ago. We tried to. As Senate Democrats, we tried so very hard. We had a 
comprehensive cybersecurity bill on the floor 3 years ago which was 
much deeper and better than this one--3 years ago--but our Republican 
colleagues blocked us from even debating the bill. We couldn't even 
debate the bill. Why? They, the Republicans, were told the chamber of 
commerce didn't like it. At about the same time, the chamber of 
commerce's whole operation was hacked by the Chinese. The people who 
worked down there expected things to come out in English, but they came 
out in Chinese. But they didn't like the bill anyway, so they told the 
Republicans to oppose it, and they marched over here and opposed it.
  Democrats, however, realize cybersecurity is a serious issue. We know 
how important cybersecurity is for the national security of our country 
and the financial security of our economy.
  Even though this bill is not our perfect bill, we are going to 
cooperate with our Republican colleagues. Several months ago we reached 
an agreement with Republicans to begin debating this legislation, and 
now we can process it in an efficient and bipartisan manner.
  Would the Chair announce the business of the day.

                          ____________________

[Congressional Record Volume 161, Number 154 (Wednesday, October 21, 2015)]
[Senate]
[Pages S7368-S7369]



                 CYBERSECURITY INFORMATION SHARING BILL

  Mr. McCONNELL. Mr. President, earlier this year, millions of people 
were affected when the Obama administration was hit by a devastating 
cyber attack. It is an attack that has been described as "one of the 
worst breaches in U.S. history," but it is hardly the last one we will 
face.
  The challenges posed by cyber attacks are real, and they are broad. 
They threaten governments, businesses, and individuals. Americans see 
these threats in the public sector. For instance, as reports have 
indicated, the sensitive personal information of millions who purchase 
insurance through ObamaCare is especially vulnerable. Americans see 
these threats in the private sector as well. For instance, despite the 
cyber deal recently agreed upon between China and the administration, 
press reports indicate that Chinese hacking attempts on American 
companies and businesses appear to be continuing unabated. Americans 
also know that a cyber attack is essentially a personal attack on their 
own privacy. It is violating to think of strangers digging through our 
medical records and emails. It is worrying to think of criminals 
accessing credit card numbers and Social Security information.
  That is why the Senate will again consider bipartisan legislation to 
help Americans' most private and personal information. It would do so 
by defeating cyber attacks through the sharing of information. It 
contains modern tools that cybersecurity experts tell us could help 
prevent future attacks against both public and private sectors. It 
contains important measures to protect individual privacy and civil 
liberties. It has been carefully scrutinized by Senators of both 
parties. In short, this legislation is strong, transparent, and 
bipartisan. Republicans and Democrats joined together to pass this 
legislation through committee, the administration supports it, and the 
House has already passed similar legislation. With a little 
cooperation, we can pass it here shortly as well.
  The chair of the Intelligence Committee, Senator Burr, is working to 
set votes on pending amendments and has accommodated other Senators in 
the form of a substitute amendment. I wish to thank him for his hard 
work on this legislation. I wish to also thank
the vice chair, Senator Feinstein, as well. Every Senator should want 
to protect Americans' most private and personal information, which 
means every Senator should want to see this bill pass. With a little 
cooperation, we will.

                          ____________________


[Congressional Record Volume 161, Number 154 (Wednesday, October 21, 2015)]
[Senate]
[Pages S7374-S7406]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




             CYBERSECURITY INFORMATION SHARING ACT OF 2015

  The PRESIDING OFFICER. Under the previous order, the Senate will 
resume consideration of S. 754, which the clerk will report.
  The legislative clerk read as follows:

       A bill (S. 754) to improve cybersecurity in the United 
     States through enhanced sharing of information about 
     cybersecurity threats, and for other purposes.

  Pending:

       Burr/Feinstein amendment No. 2716, in the nature of a 
     substitute.
       Burr (for Cotton) modified amendment No. 2581 (to amendment 
     No. 2716), to exempt from the capability and process within 
     the Department of Homeland Security communication between a 
     private entity and the Federal Bureau of Investigation or the 
     United States Secret Service regarding cybersecurity threats.
       Feinstein (for Coons) modified amendment No. 2552 (to 
     amendment No. 2716), to modify section 5 to require DHS to 
     review all cyber threat indicators and countermeasures in 
     order to remove certain personal information.
       Burr (for Flake/Franken) amendment No. 2582 (to amendment 
     No. 2716), to terminate the provisions of the Act after six 
     years.
       Feinstein (for Franken) modified amendment No. 2612 (to 
     amendment No. 2716), to improve the definitions of 
     cybersecurity threat and cyber threat indicator.
       Burr (for Heller) modified amendment No. 2548 (to amendment 
     No. 2716), to protect information that is reasonably believed 
     to be personal information or information that identifies a 
     specific person.
       Feinstein (for Leahy) modified amendment No. 2587 (to 
     amendment No. 2716), to strike the FOIA exemption.
       Burr (for Paul) modified amendment No. 2564 (to amendment 
     No. 2716), to prohibit liability immunity to applying to 
     private entities that break user or privacy agreements with 
     customers.
       Feinstein (for Mikulski/Cardin) amendment No. 2557 (to 
     amendment No. 2716), to provide amounts necessary for 
     accelerated cybersecurity in response to data breaches.
       Feinstein (for Whitehouse/Graham) modified amendment No. 
     2626 (to amendment No. 2716), to amend title 18, United 
     States Code, to protect Americans from cybercrime.
       Feinstein (for Wyden) modified amendment No. 2621 (to 
     amendment No. 2716), to improve the requirements relating to 
     removal of personal information from cyber threat indicators 
     before sharing.

[...]

  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Mr. NELSON. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.

[[Page S7376]]

  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. NELSON. Mr. President, I will vote for the cyber security bill. 
Obviously, this is a whole new era of attack on our country. On 
September 11, 2001, we certainly realized that the two big oceans on 
either side of our country that had protected us for centuries--the 
Atlantic and the Pacific--no longer provided that protection because we 
could see, in the case of 2001, an attack from within. Thus, that 
revised so much of our defense strategy.
  Now we see the other kind of attack from within that is stealthy, 
insidious, and it is constant because the cyber attacks are coming to 
the U.S. Government as well as the U.S. industry, the business 
community, and U.S. citizens. The threat of cyber attack is vast and it 
is varied, from cyber criminals who steal personal information such as 
credit card and Social Security numbers, to foreign governments or 
state-sponsored groups that steal sensitive national security 
information, that steal our intellectual property, and that put at risk 
our economy and critical infrastructure.
  I want to give one example of obtaining Social Security numbers 
through cyber attacks or through other means. What we found in Tampa, 
FL, is that street crime actually subsided because the criminals had 
figured that either by cyber attacks or by other means of getting 
Social Security numbers, they could file false income tax returns and 
request refunds. So with a laptop, they could do what they had done 
previously by breaking into and entering someone's home to steal money, 
and it was so much easier. And that is just one small example, but just 
the theft of security numbers, which they use on false income tax 
returns--we think that is an attack which is costing the U.S. 
Government, in income tax, at least $5 billion a year.
  We have heard all about these attacks. Some of us in the Senate have 
been affected by these attacks. How many times have we heard that 
hackers have stolen our names, our addresses, our credit card numbers? 
Look what the hackers did to 40 million Target customers and 56 million 
Home Depot customers. They accessed checking and savings account 
information of 76 million J.P. Morgan Bank customers. They stole the 
personal information of 80 million customers of the health insurance 
company Anthem. Those are a few examples. Target, Home Depot, J.P. 
Morgan, Anthem--that is just a handful of examples. Also, remember that 
North Korea hacked Sony. Iran hacked the Sands Casino. China hacked the 
U.S. Government Office of Personnel Management. They have your 
information and they have my information because our information is 
with the Office of Personnel Management.
  The attacks keep coming. We are hearing from homeland security, 
defense, intelligence, and private sector leaders that we have to take 
this threat seriously and do something about it.
  I must say that it was one of the most frustrating things for this 
Senator, as a former member of the Senate Intelligence Committee, when 
we were trying to pass this very same bill 3 and 4 years ago and the 
business community, as represented by the U.S. Chamber of Commerce, 
wanted nothing to do with it because they thought it was an invasion of 
their privacy. Times have changed, and the hacking continues.
  We see that finally we are able to get through and put together a 
bill on which I think we can get broad support from many different 
groups that are concerned about privacy and about sharing of 
information in the business community. This bill provides the means for 
the government and the private sector to share cyber threat information 
while taking care to protect the personal information and privacy of 
our people. We all face the same threat, and our adversaries use 
similar malware and techniques. Sharing information is critical to our 
overall cyber security.
  What this does is it directs the Director of National Intelligence, 
working with other agencies and building on the information sharing 
that is already taking place, to put cyber threat information in the 
hands of the private sector to help protect businesses and individuals. 
It authorizes private companies to monitor and defend their networks 
and share with each other and the government at all levels the cyber 
threats and attacks--all levels of government: State, local, tribal, 
and Federal. This is a point of contention because these activities are 
strictly voluntary. That is part of the problem we had 3 and 4 years 
ago in trying to enact this legislation. It is strictly voluntary, 
limited to cyber security purposes, and subject to reasonable 
restrictions and privacy protections.
  The bill also creates the legal certainty and incentives needed to 
promote further sharing of information.
  So what the legislation does is it sets up a hub or a portal inside 
the Department of Homeland Security where cyber threat information 
comes in, it is scrubbed of irrelevant personal information, and then 
it is shared inside and outside the government quickly and efficiently 
because, after all, if you have a cyber attack somewhere in America 
that suddenly has the opportunity to explode in its application, you 
have to have a central point at which you can coordinate that cyber 
attack. That is what this portal, this hub in the Department of 
Homeland Security is set up to do.
  This Senator feels that this bill balances the urgent need to address 
the threat of continued cyber attacks with privacy concerns. As the 
vice chair of the Intelligence Committee said yesterday, this bill is 
just the first step.
  I am delighted that Senator Feinstein just walked onto the floor of 
the Senate. I am quoting what the Senator said yesterday: We can and we 
ought to do more to improve our Nation's cyber security.
  I say through the Chair to the distinguished senior Senator from 
California that I have shared with the Senate my frustration over the 
last 4 years, as a former member of the Senate Intelligence Committee, 
that it was so hard to get people to come together. But now, finally, 
even though it is voluntary, we at least have a point at which, when a 
cyber attack comes somewhere in America, we can centralize that, it can 
be scrubbed of private information, and then it can be shared in our 
multiplicity of levels of government and the private sector to help 
defend against the cyber attacks.
  These cyber attacks are coming every day. They are relentless. If we 
don't watch out, what is going to happen has already happened to 
someone and it is going to be happening to innumerable American 
businesses. I strongly urge the Senate to pass this legislation.
  Since the senior Senator from California is on the floor, I wish to 
take this opportunity to thank her for her perspicacity, her patience, 
and her stick-to-itiveness. Finally, 4 years later, it is here, and we 
are going to pass it this week. I thank the Senator from California.
  Mr. President, I yield the floor.
  The PRESIDING OFFICER. The Senator from California.
  Mrs. FEINSTEIN. Mr. President, I would like to respond to what the 
distinguished Senator from Florida said.
  Senator, you know what a pleasure it was to have you on the 
intelligence committee. I think you understand the time that we have 
spent to get this bill done, which is now about 6 years, and to take 
this first step, not because it is a perfect step but because it is a 
first step that is voluntary, with new authorities that people and 
companies can use if they want to, and if they don't want to, they 
don't have to. If they want to, it can be effective in enabling 
companies to share cyber security information and therefore protect 
themselves. I know you understand this. I am so grateful for that 
understanding and for your help.
  Mr. NELSON. Mr. President, will the Senator yield for a question?
  Mrs. FEINSTEIN. I will.
  Mr. NELSON. Will the Senator share her thoughts with the Senate about 
how the Nation's national security defense depends on us being able--we 
have the guns, the tanks, the airplanes, the missiles, and all of that, 
but there is a new type of threat against the very security of this 
Nation, and this legislation is a first step.
  Mrs. FEINSTEIN. I can try to. I remember that in 2008 there were two 
significant cyber bank robberies: the Royal Bank of Scotland, I think 
for $8 million, and Citibank for $10 million. This was not public right 
away because nobody wanted it known. Then you see the more recent 
attacks of Aramco
being taken down, Sony, and it goes on and on. The information is not 
often shared publicly by companies who should be asking: This happened 
to our company; can you share anything that might help us handle this? 
That kind of thing doesn't happen because everybody is afraid of 
liability, and so it is very concerning.

  I remember when Joe Lieberman was chairman of the homeland security 
committee, which had a bill. As the Senator will remember, we had the 
information sharing part of that bill, and we sat down with the U.S. 
Chamber of Commerce, I believe on three occasions, to try to work out 
differences, and we couldn't. The U.S. Chamber of Commerce is massive 
and all over the United States. It includes small businesses, medium-
sized businesses, and some big businesses, and there was deep concern 
among its members. That took years to work out.
  Finally, the Senate may be ready to take a first step, and this first 
step is to permit the voluntary sharing of cyber information, which, if 
it is stripped of private data, will be protected with liability 
immunity and protected because it goes through a single DHS portal and 
doesn't go directly to the intelligence community, which was a big 
concern to the private community. All of this has been worked out in 
order to try to come up with a basis for taking this first step.
  I am sorry the Senator is no longer on our committee because my 
friend was really a great asset, and Florida is lucky to have my friend 
and colleague as their Senator.
  This is just the beginning. All of the iterations on this cyber 
legislation have been bipartisan, so that has to say something to 
people. We have learned as we have done the drafting on this, and we 
have very good staff who are technically proficient. So they know what 
can work and what can't work.
  I hope I have answered that question from the Senator from Florida. 
If I can, I will go on and make some remarks on the managers' 
amendment.
  Yesterday Senator Burr and I spoke on this floor to describe the 
Cybersecurity Information Sharing Act of 2015, which is now the pending 
business. Senator Burr filed a managers' package on behalf of both of 
us, and I will quickly run through that package.
  This amendment is the product of bipartisan negotiations over the 
past several weeks within the Intelligence Committee and with sponsors 
of other amendments to the bill. The managers' amendment makes several 
key changes to the bill to clarify authorization language, improve 
privacy protections, and make technical changes. It also--and I think 
this is of note--includes the text of 14 separate amendments. Those 
amendments were offered by our colleagues and I am pleased that we are 
able to add them to this legislation.
  In sum, this amendment has two main components. It makes important 
changes to the bill that we announced in August to address privacy 
concerns about the legislation. Second, it includes several amendments 
authored by our colleagues that had agreement on both sides of the 
aisle. I will run through these amendments that will be part of the 
managers' package, and I do so hopefully to reassure Members that these 
are positive amendments.
  First, it eliminates a provision on government use of cyber 
information on noncyber crime. The managers' amendment eliminates a 
provision in the committee-passed bill that would have allowed the 
government to use cyber information to investigate and prosecute 
"serious violent felonies." Eliminating this provision is a very 
significant privacy change. We made this change because it has been a 
top bipartisan concern and the provision had been used by privacy 
groups to claim that this is a surveillance bill. As the chairman made 
clear on the floor yesterday, it is not. One of the reasons it is not 
is because it prohibits the government from using information for 
crimes unrelated to cyber security.
  Let me be clear. The chairman said it, and I will say it today. This 
is not a surveillance bill. We have eliminated this provision and 
helped, I believe, to eliminate these concerns. So, please, let us not 
speak of this bill as something that it isn't.
  Second, it limits the authorization to share cyber threat information 
to cyber security purposes. The managers' amendment limits the 
authorization for sharing cyber threat information provided in the bill 
to sharing for cyber security purposes only. This is another 
significant privacy change, and it has been another top bipartisan and 
privacy group concern.
  Third, it eliminates a new FOIA exemption. The managers' amendment 
eliminated the creation of a new exemption in the Freedom of 
Information Act specific to cyber information that was in the 
committee-passed bill. Cyber threat indicators and defensive measures 
shared in accordance with the bill's procedures would still be eligible 
for existing FOIA exemptions, but it doesn't add new ones.
  Four, it ensures that defensive measures are properly limited. The 
bill allows a company to take measures to defend itself, as one might 
expect, and the managers' amendment clarifies that the authorization to 
employ defensive measures does not allow an entity to gain unauthorized 
access to a computer network.
  Five, it includes the Secretary of Homeland Security as coauthor of 
the government-sharing guidelines. The managers' amendment directs both 
the Attorney General and the Secretary of Homeland Security, rather 
than solely just the Attorney General, to develop policies and 
procedures to govern how the government quickly and appropriately 
shares information about cyber threats. That should be a no-brainer.
  Six, it clarifies exceptions to the Department of Homeland Security's 
so-called portal. The managers' amendment clarifies the types of cyber 
information sharing that are permitted to occur outside the DHS portal 
created by the bill. Specifically, the bill narrows communications 
outside of the Department of Homeland Security portal regarding 
previously shared cyber threat information.
  Seven, it requires procedures for notifying U.S. persons whose 
personal information has been shared by a Federal entity in violation 
of the bill. The managers' amendment adds a modified version of Wyden 
amendment No. 2622, which requires the government to write procedures 
for notifying U.S. persons whose personal information is known or 
determined to have been shared by the Federal Government in a manner 
inconsistent with this act.
  Eight, it clarifies the real-time automated process for sharing 
through the DHS portal. Here the managers' amendment adds a modified 
version of the Carper amendment No. 2615, which clarifies that there 
may be situations under which the automated real-time process of the 
DHS portal may result in very limited instances of delay, modification 
or other action due to the controls established for the process. The 
clarification requires that all appropriate Federal entities agree in 
advance to the filters, fields or other aspects of the automated 
sharing system before such delays, modifications or other actions are 
permitted.
  Senator Carper has played a very positive role on this issue. He is 
the ranking member on the homeland security committee. He sat down with 
both Senator Burr and me earlier this year. He has proposed some very 
good changes, and this is one of them, which is in the managers' 
package.
  Also, the clarification ensures that such agreed-upon delays will 
apply across the board uniformly to all appropriate Federal entities, 
including the Department of Homeland Security.
  This was an important change for both Senator Carper and Senator 
Coons and for the Department of Homeland Security. I am pleased we were 
able to reach agreement on it. Essentially, it will allow a fast real-
time filter--and I understand this can be done--that will do an 
additional scrub of information going through that portal before the 
cyber information goes to other departments to take out anything that 
might be related to personal information, such as a driver's license 
number, an account, a Social Security number or whatever it may be. DHS 
believes they can put together the technology to be able to do that 
scrub in as close to real time as possible.
  This should be very meaningful to the privacy community, and I really 
hope it is meaningful because I want to believe that their actions are 
not just to try to defeat this bill, but that their actions really are 
to make the bill better. If I am right, this is a very important 
addition.

[[Page S7378]]

  Again, I thank Senator Carper and Senator Coons, and I also thank the 
chairman for agreeing to put this in.
  Nine, it clarifies that private entities are not required to share 
information with the Federal Government or another private entity. This 
is clear now. This amendment adds the Flake amendment No. 2580, which 
reinforces this bill's core voluntary nature by clarifying that private 
entities are not required to share information with the Federal 
Government or another private entity.
  In other words, if you don't like the bill, you don't have to do it. 
So it is hard for me to understand why companies are saying they can't 
support the bill at this time. There is no reason not to support it 
because they don't have to do anything. There are companies by the 
hundreds, if not thousands, that want to participate in this, and this 
we know.
  Ten, it adds a Federal cyber security enhancement title. The 
managers' amendment adds a modified version of another Carper 
amendment, which is No. 2627, the Federal Cybersecurity Enhancement Act 
of 2015, as a new title II of the cyber bill. The amendment seeks to 
improve Federal network security and authorize and enhance an existing 
intrusion detection and prevention system for civilian Federal 
networks.
  Eleventh, we add a study on mobile device security. The managers' 
amendment adds a modified version of the Coats amendment No. 2604, 
which requires the Secretary of Homeland Security to carry out a study 
and report to Congress on the cyber security threats to mobile devices 
of the Federal Government.
  I wish to thank Senator Coats, who is a distinguished member of the 
Intelligence Committee and understands this bill well, for this 
amendment.
  Twelfth, it adds a requirement for the Secretary of State to produce 
an international cyber space policy strategy. The managers' amendment 
adds Gardner/Cardin amendment No. 2631, which requires the Secretary of 
State to produce a comprehensive strategy focused on United States 
international policy with regard to cyber space.
  It is about time we do something like this. I am personally grateful 
to both Senators Gardner and Cardin for this amendment.
  Thirteenth, the managers' amendment adds a reporting provision 
concerning the apprehension and prosecution of international cyber 
criminals. The managers' amendment adds a modified version of Kirk-
Gillibrand amendment No. 2603, which requires the Secretary of State to 
engage in consultations with the appropriate government officials of 
any country in which one or more cyber criminals are physically present 
and to submit an annual report to appropriate congressional committees 
on such cyber criminals.
  It is about time that we get to the point where we can begin to make 
public more about cyber attacks from abroad because it is venal, it is 
startling, it is continuing, and in its continuation, it is growing 
into a real monster. Let there be no doubt about that.
  Fourteenth, it improves the contents of the biennial report on 
implementation of the bill. The managers' amendment adds a modified 
version of the Tester amendment No. 2632, which requires detailed 
reporting on, No. 1, the number of cyber threat indicators received 
under the DHS portal process--good, let's know--and, No. 2, the number 
of times information shared under this bill is used to prosecute 
certain cyber criminals. If we can catch them, we should. We should 
know when prosecutions are made. Then, No. 3 is the number of notices 
that were issued, if any, for a failure to remove personal information 
in accordance with the requirements of this bill.
  Mr. President, I am spending a great deal of time on these details 
because there are rumors beginning to circulate that the bill does this 
or does that, which are not correct. This managers' package is a major 
effort to encapsulate what Members on both sides had concerns about. 
And I think the numbers of Republican and Democratic amendments that 
are incorporated are about equal.
  Fifteenth, this managers' amendment improves the periodic sharing of 
cyber security best practices with a focus on small businesses. The 
managers' amendment adds the Shaheen amendment No. 2597, which promotes 
the periodic sharing of cyber security best practices that are 
developed in order to assist small businesses as they improve their 
cyber security.
  I think this is an excellent amendment and Senator Shaheen should be 
commended.
  Sixteenth, the managers' amendment adds a Federal cyber security 
workforce assessment title. The managers' amendment adds Bennet-Portman 
amendment No. 2558, the Federal Cybersecurity Workforce Assessment Act, 
as a new title III to this bill. The title addresses the need to 
recruit a highly qualified cyber workforce across the Federal 
Government.
  There are just a few more, but, again, I do this to show--and the 
chairman is here--that we have listened to the concerns from our 
colleagues and we have tried to address them, so nobody should feel we 
are ramming through a bill and that we haven't considered the views 
from others. The managers' amendment is, in fact, a major change to the 
bill that reflects this collegial--sometimes a little more exercised, 
but collegial--discussion. Does the chairman agree?
  Mr. BURR. Mr. President, I appreciate the opportunity to say that I 
totally agree. The vice chairman and I have worked aggressively for the 
entirety of the year where we had differences, and we found ways to 
bridge those differences, where we heard from Members, where we heard 
from associations, where we heard from businesses. We worked with them 
to try to accommodate their wishes, as long as it stayed within the 
spirit of what we were trying to accomplish, which is information 
sharing in a voluntary capacity.
  The vice chair and I came to the floor yesterday and said if an 
amendment--if an initiative falls outside of that, then we will stand 
up and oppose it because we understand the role this legislation should 
play in the process.
  The vice chairman said this is the first step. I don't want to scare 
Members, but there are some other steps. We are not sure what they are 
today or we would be on the floor suggesting those, but if we can't 
take the first step, then it is hard to figure out what the next and 
the next and the next are. So I am committed to continuing to work with 
the vice chairman and, more importantly, with all Members to 
incorporate their great suggestions as long as we all stay headed in 
the same direction, and I know the vice chairman and I are doing that.
  Mrs. FEINSTEIN. Mr. President, I thank the chairman very much. If I 
may, through the Chair, I want the chairman to know how much I 
appreciate this tack he has taken to be flexible and willing throughout 
this process, which extends into this managers' package. So I believe--
I truly believe--what we have come up with in this managers' package 
and what Members have contributed to it makes it a better cyber bill. I 
know the chairman feels the same way. We can just march on shoulder to 
shoulder and hopefully get this done.
  I will finish up the few other items I have to discuss because I want 
people who have concerns to listen to what is being said because these 
changes have a major impact on the bill.
  Next, No. 17 establishes a process by which data on cyber security 
risks or incidents involving emergency response information systems can 
be reported. The managers' amendment adds Heitkamp amendment No. 2555, 
which requires the Secretary of Homeland Security to establish a 
process by which a statewide interoperability coordinator may report 
data on any cyber security risk or incident involving emergency 
response information systems or networks. This is a process for 
reporting, and certainly we need to know more.
  Next, No. 18 requires a report on the preparedness of the health care 
industry to respond to cyber security threats, and the Secretary of 
Health and Human Services to establish a health care industry cyber 
security task force. The managers' amendment adds Alexander-Murray 
amendment No. 2719. This is a reporting requirement to improve the 
cyber security posture of the health care industry.
  I don't think anyone wants to have their health care data hacked 
into. This is deeply personal material and it should be inviolate.

[[Page S7379]]

  The provision requires the Secretary of Health and Human Services to 
submit a report to Congress on the preparedness of the health care 
industry to respond to cyber security threats. If we really want to 
help protect health care information, we have to know what is going on, 
and that is what this amendment enables. It also requires the Secretary 
to establish a health care industry cyber security task force.
  Next is No. 19, which requires new reports by inspectors general. The 
managers' amendment adds a modified version of the Hatch amendment No. 
2712, which requires relevant agency inspectors general to file reports 
with appropriate committees on the logical access standards and 
controls within their agencies.
  Let's know what standards and what controls they have. I think it is 
a very prudent request of the Senator from Utah, and I am glad we were 
able to include it.
  Next is No. 20, which adds a requirement for the DHS Secretary to 
develop a strategy to protect critical infrastructure at the greatest 
risk of a cybersecurity attack. The managers' amendment adds the 
Collins amendment No. 2623, which requires DHS to identify critical 
infrastructure entities at the greatest risk of a catastrophic cyber 
security incident.
  This is where we have had a number of concerns recently. The 
chairman's staff and my staff are working on this. Remember, this is a 
voluntary bill, and we do not want any language that might be 
interpreted to imply that this is not a voluntary bill. I know Senator 
Collins has a lot of knowledge of this area, and I believe we are going 
to be able to work this out.
  This amendment does not convey any new authorities to the Secretary 
of Homeland Security to require that critical infrastructure owners and 
operators take action, nor does it mandate reporting to the Federal 
Government. Its intent, which I applaud, is for the government to have 
a better understanding of those critical infrastructure companies that, 
if hacked, could cause extremely significant damage to our Nation.
  In conclusion, I would like to thank my colleagues for their 
thoughtful and helpful amendments. I am pleased that we have such a 
fulsome managers' package. I believe this managers' package strengthens 
our bill. It adds important clarifications, including meaningful 
privacy protections, it does not do operational harm, and it further 
improves the strong bill that the Intelligence Committee passed by a 
strong vote of 14 to 1 earlier this year.
  I wanted to do this so that all Members know what is in the managers' 
package, and both the chairman and I believe that these additions are 
in the best interests of making a good bill even better.
  I thank the Presiding Officer, and I yield the floor.
  The PRESIDING OFFICER (Mr. Sasse). The Senator from Alaska.
  Mr. SULLIVAN. Mr. President, I wish to acknowledge the remarks of the 
distinguished Senator from California and the Senator from North 
Carolina, and I thank them for their important work on the cyber bill. 
I know we are going to be discussing a lot of that, and why it is 
important to our national security.

[...]

                    Amendment No. 2612, as Modified

  Mrs. FEINSTEIN. Mr. President, I call for the regular order with 
respect to the Franken amendment No. 2612.
  The PRESIDING OFFICER. The amendment is now pending.


                Amendment No. 2612, as Further Modified

  Mrs. FEINSTEIN. Mr. President, I ask that the amendment be further 
modified to correct the instruction line in the amendment.
  The PRESIDING OFFICER. The amendment is so further modified.
  The amendment, as further modified, is as follows:

       Beginning on page 4, strike line 9 and all that follows 
     through page 5, line 21, and insert the following:

     system that is reasonably likely to result in an unauthorized 
     effort to adversely impact the security, availability, 
     confidentiality, or integrity of an information system or 
     information that is stored on, processed by, or transiting an 
     information system.
       (B) Exclusion.--The term ``cybersecurity threat'' does not 
     include any action that solely involves a violation of a 
     consumer term of service or a consumer licensing agreement.
       (6) Cyber threat indicator.--The term ``cyber threat 
     indicator'' means information that is necessary to describe 
     or identify--
       (A) malicious reconnaissance, including anomalous patterns 
     of communications that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat or security vulnerability;
       (B) a method of defeating a security control or 
     exploitation of a security vulnerability;
       (C) a security vulnerability, including anomalous activity 
     that appears to indicate the existence of a security 
     vulnerability;
       (D) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     unwittingly enable the defeat of a security control or 
     exploitation of a security vulnerability;
       (E) malicious cyber command and control;
       (F) the harm caused by an incident, including a description 
     of the information exfiltrated as a result of a particular 
     cybersecurity threat;
       (G) any other attribute of a cybersecurity threat, if 
     disclosure of such information is not otherwise prohibited by 
     law; or

  Mrs. FEINSTEIN. Thank you.
  The PRESIDING OFFICER. The Senator from North Carolina.


                    Amendment No. 2581, as Modified

  Mr. BURR. Mr. President, I call for the regular order with respect to 
the Cotton amendment No. 2581.
  The PRESIDING OFFICER. The amendment is now pending.
  The Senator from Louisiana.

[...]

  Mr. GRASSLEY. Mr. President, I rise to express my strong support for 
the

[[Page S7384]]

bill before the Senate, S. 754, the Cybersecurity Information Sharing 
Act, and I want to thank the bill's managers for their leadership in 
drafting this bill and putting a lot of hard work into the bill.
  Cyber security challenges that threaten us are very real challenges. 
We receive almost daily reminders of the importance of effective cyber 
security to protect our private data and the safety and security of the 
entire Nation from cyber attacks. These attacks have compromised the 
personal information of so many Americans as well as sensitive national 
security information. That national security issue might even be the 
biggest of the ones we hope to deal with.
  The legislation before us will encourage the government and the 
private sector to work together to address these cyber security 
challenges. This bill helps create a strong legal framework for 
information sharing that will help us respond to these threats. The 
bill authorizes private companies to voluntarily share cyber threat 
information with each other and with the government. In turn, the bill 
permits the government to share this type of information with private 
entities.
  The bill reduces the uncertainty and, most importantly, the legal 
barriers that either limit or prohibit the sharing of cyber threat 
information today. At the same time, the bill includes very significant 
privacy protections to strike a balance between maintaining security 
and protecting our civil liberties. For example, it restricts the 
government from acquiring or using cyber threat information except for 
limited cyber security purposes.
  So, as I did at the beginning, I want to salute the leadership of the 
chair and vice chair of the Select Committee on Intelligence, Senator 
Burr and Senator Feinstein, for their efforts on this bill. I know from 
the last couple of Congresses that this type of legislation isn't easy 
to put together. In the 112th Congress, I cosponsored cyber security 
legislation along with several of my colleagues. This involved working 
across several committees of jurisdiction. Last Congress, as then-
ranking member of the Judiciary Committee, I continued to work with the 
Select Committee on Intelligence and others on an earlier version of 
this bill. Unfortunately, Democratic leadership never gave the Senate 
an opportunity to debate and to vote on that bill in the last Congress.
  Senators Burr and Feinstein were undaunted, however, and this 
Congress they diligently worked and continued to seek input from 
relevant committees of jurisdiction, including the Judiciary Committee 
that I chair. They incorporated the views of a broad range of Senators 
and worked to address the concerns of stakeholders outside of the 
Congress. This has produced their managers' amendment.
  This is a bill that enjoys broad bipartisan support. As with most 
pieces of legislation that come before the Senate, it is not a perfect 
piece of legislation from any individual Senator's point of view, but 
in finding common ground, it has turned out to be a good bill that 
addresses a very real problem.
  It is time for us to do our job and to vote. This is how the Senate 
is supposed to work. Now is the time for action because the question 
isn't whether there will be another cyber attack, the question is when 
that attack will happen.
  I yield the floor.
  I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Mr. BURR. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. BURR. Mr. President, I am here to briefly talk on S. 754, the 
cyber security bill. Yesterday Vice Chairman Dianne Feinstein and I 
came to the floor and encouraged our Members who had amendments or who 
had an interest in debating the bill to come to the floor. It was my 
hope that we could finish in a couple of days with the cooperation of 
Members. We have not gotten that level of cooperation. Therefore, this 
will take several more days to finish. But it doesn't lessen the 
importance for those Members who have amendments in the queue--meaning 
they are pending--to come to the floor and talk about their amendments 
if they would like to. At some point, we will culminate this process, 
and those amendments that have yet to be disposed of will have votes 
with a very limited amount of debate time included.
  It is my hope that we will have a wholesome debate and that people 
will have an opportunity to know what is in this bill if they don't 
today. But more importantly, through that debate we are able to share 
with the American people why a cyber security bill is so important and, 
more importantly, why we have done it in a way that we think it will be 
embraced and endorsed by not just corporate America but by individuals 
throughout the country.
  Let me announce today that this bill will be done either Monday 
evening or Tuesday morning based upon what the leadership on both sides 
can agree to as it relates to the debate. The Vice Chair and I also 
came to the floor and we made this statement: We have worked 
aggressively in a bipartisan way to incorporate in the managers' 
package, which is currently pending, 14 amendments, and 8 of those 
amendments were included in the unanimous consent agreement made 
earlier this year when we delayed consideration of the bill until the 
day when we moved forward. There were several amendments on which we 
weren't able to reach an agreement or that we believed changed the 
policy significantly enough that this was not just an information 
sharing bill that was voluntary for corporations throughout this 
country. In the absence of being able to keep this bill intact in a way 
that we thought we needed to, the Vice Chairman and I have agreed to 
lock arms and to be opposed to those additional amendments.
  Having said that, the debate to date has focused on the fact that 
there are technology companies across this country that are opposed to 
this bill. Yesterday the Vice Chairman and I repeatedly reminded our 
colleagues and the American people that this is a voluntary bill. There 
is nothing mandatory in it. The reality is that if you don't like what 
is in this, if for some reason you don't want to participate in what I 
would refer to as a community watch program--it is real simple; it is 
voluntary--do not participate. Choose not to inform the Federal 
Government when hackers have penetrated your system and stolen personal 
data out of it. Just choose not to tell us. But do not ruin it for 
everybody else. In a minute I am going to go through again why I think 
the cyber security bill should become law, why I think this is the 
first step of how we protect the personal data of the American people, 
and why hundreds, if not thousands, of businesses support this 
information sharing bill. But I can't stress that enough for those who 
oppose this. Most of them are, in fact, companies that hold the most 
private data in the world. Let me say that again. Those who are 
expressing opposition to this bill hold the largest banks of personal 
data in the world.
  The decision as to whether they are for the bill or against the bill 
is their decision. The decision whether they utilize this voluntary 
program to further protect the personal data that is in their system is 
between them and their customers. But I have to say that it defies 
reason as to why a company that holds that much personal data wouldn't 
at least like to have the option of being able to partner with the 
Federal Government in an effort to minimize data loss, whether it is at 
their company or whether it is in their industry sector or whether it 
is in the global economy as a whole.
  The last time I checked, the health of U.S. businesses was reliant on 
the health of the U.S. economy, and the health of the U.S. economy is 
affected by the health of the global economy. I know the Presiding 
Officer understands that because he was in business like I was for 17 
years.
  It really does concern me that one could be opposed to something that 
insulates the U.S. economy from having an adverse impact by the cyber 
security act and believes that they are OK even though it might tank 
the U.S. economy.
  At the end of the day, I want to try to put this in 101 terms, the 
simplest terms of what the information sharing bill does. I am going to 
break it into three baskets. It is about business to

[[Page S7385]]

business. This bill allows a company that has been hacked--where 
somebody has penetrated their computer system and has access to their 
data--to immediately pick up the phone and call their competitor and 
ask their competitor whether they have had a similar penetration of 
their system.

  It is only reasonable to expect that the first person you would go to 
is a company that has a business that looks exactly like yours. In that 
particular case, this legislation provides that company with protection 
under the anti-trust laws. Anti-trust forbids companies from 
collaborating together. What we say is that if it has to do with 
minimizing the loss of data, we want to allow the collaboration of 
competitors for the specific reason of discussing a cyber attack.
  The Senate recognizes I have designed something in this that doesn't 
require a corporate lawyer to sit in the room when the decision is 
made. I have no personal dislike for lawyers other than the fact that 
they slow things down. To minimize the loss of data means you have to 
have a process that goes in real time from the bottom of the chain all 
the way to the decisionmaking and the communication back down, not only 
to that business, but to the entire economy. Having a lawyer that has 
to think whether we can legally do this defeats the purpose of trying 
to minimize data loss. So we give them a blanket exemption under the 
anti-trust laws so they know up front that they can pick up the phone 
and call their competitor, and there is no Justice Department that will 
come down on them as long as they confine it to the discussion of cyber 
attack.
  At the same time we initiate what I call business to government, 
which means that when the IT department is talking to their competitor, 
the IT department can put out a notification through the Federal portal 
that they have been attacked, and that initiates the exchange of a 
limited amount of information that has been predetermined by everybody 
in the Federal Government who needs to do the forensics of who 
attacked, what tool they used, and what defensive mechanism could be 
put up in the way of software that would eliminate the breach.
  In the statute we have said, one, you can't transmit personal data 
unless it is absolutely crucial to understanding the forensics of the 
attack. We have also said in statutory language to the government 
agencies: If for some reason personal data makes it through your 
filters, you cannot transmit that personal data anywhere else within 
the Federal Government or to the public.
  We have gone to great lengths to make sure that personal data is not 
disclosed through the notification process of a hack. I understand that 
the personal data has already been accessed by the individual who 
committed the act, but we want to make sure that the government doesn't 
contribute to the distribution of that data.
  In order to create an incentive in a voluntary program for a business 
to initiate that notification to the Federal Government, we provide 
liability protection. Anytime a company allows personal data or data on 
their business to get out, there could potentially be a shareholder's 
suit. What we do is provide a blanket liability protection to make sure 
that a company can't be sued for the government notification of a 
security breach where data has been removed and it is in the best 
interest of the government to know it, to react to it, and for the 
general population of businesses in America to understand it.
  So we have business-to-business collaboration with your competitor, 
anti-trust protection, business-to-government liability protection, no 
personal data transmitted, and the last piece is government to 
business.
  It is hard for me to believe that the government didn't have the 
statutory authority to convey to businesses across America when a cyber 
attack is in progress. The Federal Government has to be asked to come 
in and typically will be asked by the company that has been attacked, 
but how about their competitors? How about the industry sector? How 
about the whole U.S. economy? There is no authority to do that. This 
bill creates the authority in the Federal Government to receive that 
information from a company that has been penetrated, to process it, to 
understand who did it, to understand the attack tool they used, to 
determine the defensive mechanism of software that it can be put on, 
and then to notify American businesses that there is an attack 
happening now, and here is the attack tool and software you can buy off 
the shelf and put on your computer system to protect you. That is it. 
That is the entire information sharing bill, and it is voluntary.
  I will touch on eight items very briefly. Why is there a need for 
cyber legislation? I don't want to state the obvious, but we have 
already seen that individuals and nation states penetrate the private 
sector and steal personal data, and the Federal Government can steal 
personal data. I thought it would hit home with my colleagues when the 
Office of Personnel Management was breached, and now we are up to 22 to 
24 million individuals who were compromised. More importantly, the 
personal data at OPM extended to every individual who had ever applied 
for a security clearance, who had ever been granted security clearance, 
and who had security clearances and are now retired, but for some 
reason that application remained in the database. That application, 
which consists of 18 pages, has the most personal information one can 
find. It lists your parents and their Social Security numbers, your 
brothers, your sisters, where you lived since you graduated from 
college. It even has a page that asks you to share the most obvious way 
that someone might blackmail you. It has probably some of the most 
damaging personal information that one can have breached.
  Cyber attacks have harmed multiple U.S. companies. If this weren't 
serious, would the President of China and the President of the United 
States, when they met several weeks ago, have come to an agreement 
about how they would intercede if one country or the other commits a 
cyber attack against each other? Probably not.
  Our bill is completely voluntary, and I think it is safe to say that 
those who want to share data can, in fact, share data on this.
  I mentioned the words ``real time.'' What we want to do is create a 
real-time system because we want a partnership. We want a partnership 
with other private companies and we want a partnership with the private 
and public sector, and you can't get a partnership by mandating it. All 
you can get is an adversarial relationship. We maintain that voluntary 
status in the hope that the sharing of that information is, in fact, 
real time. We can control--once you transmit to the Federal 
Government--how to define ``real time.'' I have no control over a 
private company's decision once they know they have been breached to 
the point that they actually make a notification to the Federal 
Government, but with the liability protection and anti-trust coverage, 
we are convinced that we are structured from the beginning to create an 
incentive for real time to take place.
  We protect personal privacy. Many have come to the floor and have 
suggested that this is a surveillance bill. Let me say to my colleagues 
and to the American people: There is no capability for this to become a 
surveillance bill. The managers' amendment took those items that people 
were concerned with and eliminated them. We can be accused of a lot of 
things, but to accuse this of being a surveillance bill is either a 
sign of ignorance or a sign that one is being disingenuous. It is not a 
surveillance bill. Be critical of what we are attempting to do, be 
critical of what we do, but don't use the latitude to suggest that this 
is something that it is not.
  We require private companies and the government to eliminate any 
irrelevant personal, identifiable information before sharing the cyber 
threat indicators or putting up defensive mechanisms.
  This bill does not allow the government to monitor private networks 
or computers. It does not let government shut down Web sites or require 
companies to turn over personal information.
  This bill does not permit the government to retain or use cyber 
threat information for anything other than cyber security purposes, 
identifying a cyber security threat, protecting individuals from death 
or serious bodily or economic harm, protecting minors, or investigating 
limited cyber crime offenses.
  This bill provides rigorous oversight and requires a periodic 
interagency inspector general's report to assess

[[Page S7386]]

whether the government has violated any of the requirements in this 
bill. The report also will assess any impact this bill may have on 
privacy and civil liberties. In the report, we require the IG to report 
to us whether anybody does anything outside what the statute allows 
them to do, but we also ask the IG to make a gut call on whether we 
have protected privacy and civil liberties.
  Finally, our managers' amendment has incorporated an additional 
provision to enhance privacy protections first. Our managers' amendment 
omitted the government's ability to use cyber information to 
investigate and prosecute serious and violent felonies. Let me raise my 
hand and say I am guilty. I felt very strongly that that should have 
been in the bill. If we find during an investigation that an individual 
has committed a felony that is not related to a cyber attack, I thought 
we should turn that information over to law enforcement but, no, we 
dropped it. I don't want there to be any question as to whether this is 
an effective cyber information sharing bill.
  Our managers' amendment limited cyber threat information sharing 
authorities to those items that are shared for cyber security purposes. 
Both of these changes ensure that nothing in our bill reaches beyond 
the focus of cyber security threats that are intended to prevent and 
deter an attack, and nothing in this bill creates any potential for 
surveillance authorities.
  Now, as I said, despite rumors to the contrary, this bill is 
voluntary. It is a voluntary threat indicator to share with authorities 
and does not provide in any way for the government to spy on or use 
library and book records, gun sales, tax records, educational records, 
or medical records. There is something in that for every member of 
every State.
  I can honestly look at my librarians and say we haven't breached the 
public libraries' protection of personal data. I will say librarians 
are not fans of this legislation. I don't think they have read the 
managers' amendment that spells out the concerns we heard and then 
said: This can't go there. I am not sure we can statutorily state it 
any clearer than what we have done.
  Given that cyber attackers have hacked into, stolen, and publicly 
disclosed so much private, personal information, it is astounding to me 
that privacy groups would oppose this bill. It has nothing to do with 
surveillance, and it seeks to protect private information from being 
stolen.
  There are no offensive measures. This bill ensures that the 
government cannot install, employ or otherwise use cyber security 
systems on private sector networks. In other words, no one can hack 
back into another computer, even if the purpose is to protect against 
or squash a cyber attack. It can't be done. It is illegal.
  The government cannot retain or use cyber threat information for 
anything other than cyber security purposes, including preventing, 
investigating, disrupting, and prosecuting limited cyber crimes, 
protecting minors, and protecting individuals from death or serious 
bodily harm, or economic harm.
  The government cannot use cyber threat information in regulatory 
proceedings. Let me state that again. The government cannot use cyber 
threat information in regulatory proceedings. If somebody believes this 
is not voluntary and that there is some attempt to try to get a 
mandatory hook in here where regulators can turn around and bypass the 
legislative responsibility of the Congress of the United States, let me 
just say, we are explicit. It cannot be done. But we are also explicit 
that the government cannot retain this information for anything other 
than the list of items I discussed. This provides focused liability 
protection to private companies that monitor their own systems and 
share cyber threat indicators and defensive mechanisms in accordance 
with the act, but the liability protection is not open-ended. This 
doesn't provide liability protection for a company that engages in 
gross negligence or willful misconduct. I am not a lawyer, but I have 
been told that ties it up pretty tightly; that it makes a very small, 
narrow lane that companies can achieve liability protection, and that 
lane means they are transferring that information to the Federal 
Government.
  Last, independent oversight. This bill provides rigorous oversight. 
It requires a periodic interagency inspector general's report to assess 
whether the government has violated any of the requirements of this 
act. The report also will assess any impact that this bill may have on 
privacy and civil liberties as well as an assessment of what the 
government has done to reduce any impact.
  This bill further requires an independent privacy and civil liberties 
oversight board to assess any impact this bill may have on privacy and 
civil liberties and is, in fact, reviewed internally by an inspector 
general. The inspector general checks to make sure they live by the 
letter of the law. The inspector general makes an assessment on the 
privacy and civil liberties, and we set up an independent board to look 
at whether, in fact, privacy and civil liberties have been protected.
  I say to my colleagues, if there is more that they need in here, tell 
us what it is. The amendment process is open.
  Here is where we are. Privacy folks don't want a bill, period. Some 
Members don't want a bill, period. I get it. I am willing to adapt to 
that. I only need 60 votes for this to pass, and then I have to 
conference it with the House that has two different versions. Then I 
have to go to the other end of Pennsylvania Avenue, and I have to 
convince the President and his whole administration to support this 
bill. Let me quote the Secretary of the Department of Homeland 
Security. They support this bill. The National Security Council 
tomorrow is going to come out in support of this bill. Why? Because 
most people recognize the fact that we need this, that this is the 
responsible thing to do. This is why Congress was created.
  If, in fact, there are those who object, don't participate. I say to 
those businesses around the country, I am not going to get into your 
decisionmaking, although I think it is flawed. You hold most of the 
personal data of any companies out there. Yet you don't want to see any 
coordinated effort to minimize data loss in the U.S. economy. I think 
that is extremely shortsighted. I think your customers would disagree 
with you, but the legislation was written in a way that allows you to 
opt out and to say: I don't want to play in this sandbox.
  I say to my colleagues and to the American people: Is that a reason 
for us not to allow the thousands of companies that want to do it, 
representing hundreds of thousands and millions of customers who want 
to protect their credit card number, their health records, all the 
personal data that is out there on them--if they want to see that 
protected, should they not have that done because some companies say 
they don't want to play? No. We make it voluntary, and we allow them to 
opt out. They can explain to their customers why. If I am with another 
tech company and they are participating in this, they must be more 
interested in protecting my data. I think it is a tough sell myself as 
a guy in business for 17 years.
  I know what is up here. Some are looking at this as a marketing tool. 
They are going to go out and say: We don't participate in transferring 
data to the Federal Government. Oh, really. Wait until the day you get 
penetrated. Wait until the day they download all of that personal 
information on all of your customers. You are going to be begging for a 
partnership with the Federal Government. Then we are going to extend it 
to you, whether you liked it or not, whether you voted for the bill or 
supported the bill or spoke in favor of the bill or ever participated 
in it. If we pass this bill, which I think we will, they will have an 
opportunity to partner with the Federal Government and to do it in an 
effective way. In the meantime, I think there will be just as many 
businesses using a marketing tool that says: We like the cyber 
information sharing bill, and if we ever need to use it, we are looking 
forward to partnering with the Department of Homeland Security, the 
FBI, and the National Security Agency because we want to minimize the 
exposure of the loss of data our customers could have.
  Mark my words. There is a real battle getting ready to brew here. 
Again, putting on my business hat, I like the idea of being able to go 
out and sell the fact that I am going to partner if something happens 
much better than selling

[[Page S7387]]

the pitch that I am going to do this alone. Think about it. A high 
school student last week hacked the personal email account of the 
Secretary of the Department of Homeland Security and the Director of 
the CIA. This is almost ``Star Trek.'' ``Beam me up, Scotty.''
  There are people who believe that this is just going to go away. It 
is not going away. Every day there is an attempt to try to penetrate a 
U.S. company, an agency of the Federal Government for one reason: to 
access personal data. The intent is there from individuals and from 
nation states. For companies that think this is going to go away or 
think they are smart enough that it is not going to happen to them, I 
have seen some of the best and they are one click away from somebody 
downloading and entering their system and that click may not be 
protected by technology. It may be the lack of ability of an employee 
to make the right decision on whether they open an email, and, boom, 
they have just exposed everybody in their system.
  So I will wrap up because I see my good friend and colleague Senator 
Wyden is here. We will have several days, based upon the process we 
have in front of us, to talk about the good, and some will talk about 
the bad, which I don't think exists, but let me assure my colleagues 
that the ugly part of this--the ugly part of this--is that cyber theft 
is real. It doesn't discriminate. It goes to where the richest pool of 
data is. In the case of the few companies that are not supportive of 
this bill, they are the richest depositories of personal data in the 
world. I hope they wake up and smell the roses.
  I yield the floor.
  The PRESIDING OFFICER (Mr. Scott). The Senator from Oregon.
  Mr. WYDEN. Mr. President, I would like to inform my colleague, the 
distinguished chairman of our Intelligence Committee, I am always 
thinking about the history of the committee. I believe Chairman Burr, 
the ranking minority member Senator Feinstein, and I have been on the 
Intelligence Committee almost as long as anybody in history.
  I always like to work with my colleague. This is an area where we 
have a difference of opinion. I am going to try to outline what that is 
and still try to describe how we might be able to work it out.
  Mr. BURR. May I thank my colleague?
  Mr. WYDEN. Of course.
  Mr. BURR. Mr. President, I thank my colleague. I think he 
diplomatically referred to me as old, but I know that wasn't the case. 
He is exactly right. We have served together for a long time. We agree 
on most issues. This is one that we disagree on, but we do it in a 
genuine and diplomatic way. Contrary to maybe the image that some 
portray to the American people, we fight during the day and we can have 
a drink or go to dinner at night, and we are just as likely to work on 
a piece of legislation together next week. So that is what this 
institution is and it is why it is so great.
  Mr. WYDEN. Well said. There is nothing better than having Carolina 
barbecue unless it is Oregon salmon. Yes, we old jocks, former football 
players and basketball players, we have tough debates and then we go 
out and enjoy a meal.
  Here is how I would like to start this afternoon. The distinguished 
chairman of the committee is absolutely correct in saying that cyber 
security is a very substantial problem. My constituents know a lot 
about that because one of our prominent employers, SolarWorld, a major 
manufacturer in renewable energy, was hacked by the Chinese simply 
because this employer was trying to protect its rights under trade law. 
In fact, our government indicted the People's Liberation Army for their 
hacking into this major Oregon employer. So no question that cyber 
security is a major problem.
  Second, there is no question in my mind that information sharing can 
be very valuable in a number of instances. If we know, for example, 
someone is associated with hackers, malware, this sort of thing, of 
course it is important to promote that kind of sharing. The difference 
of opinion is that I believe this bill is badly flawed because it 
doesn't pass the test of showing that when we share information, we 
have to have robust privacy standards or else millions of Americans are 
going to look up and they are going to say that is really not cyber 
security. They are going to say it is a surveillance bill. So that is 
what the difference of opinion is.


                    Amendment No. 2621, as Modified

  Let me turn to how I have been trying to improve the legislation. I 
am going to speak for a few minutes on my amendment No. 2621 to the 
bill that we have been discussing and that is now pending in the 
Senate. Obviously, anybody who has been watching the debate on this 
cyber security bill has seen what we would have to call a spirited 
exchange of views. Senators are debating the substance of the 
legislation and, as I just indicated to Chairman Burr and I have 
indicated to ranking minority member Senator Feinstein, there is 
agreement on a wide variety of points and issues.
  Both supporters and opponents of the bill agree that sharing 
information about cyber security threats, samples of malware, 
information about malicious hackers, and all of this makes sense and 
one ought to try to promote more of it. Both supporters and opponents 
now agree that giving corporations immunity from customer lawsuits 
isn't going to stop sophisticated attacks such as the OPM personnel 
records breach.
  I am very glad that there has been agreement on that point recently, 
because proponents of the bill sometimes said that their legislation 
would stop hacks such as the one that took place at OPM. When 
technologists reviewed it, that was clearly not the case, and the claim 
has been withdrawn that somehow this bill would prevent hacks like we 
saw at OPM.
  The differences of opinion between supporters and opponents of the 
bill--who do agree on a variety of these issues--surround the likely 
privacy impact of the bill. Supporters have essentially argued that the 
benefits of this bill, perhaps, are limited--particularly now that they 
have withdrawn the claim that this would help against an OPM attack--
but that every little bit helps. But there is no downside to them to 
just pass the bill. It makes sense. Pass the bill. There is no 
downside.
  Opponents of the bill, who grow in number virtually every day, have 
been arguing that the bill is likely to have a significant negative 
impact on the personal privacy of a large number of Americans and that 
this greatly outweighs the limited security benefits. If an information 
sharing bill doesn't include adequate privacy protections, I am telling 
you, colleagues, I think those proponents are going to have people wake 
up and say: I really don't see this as a cyber security bill, but it 
really looks to me like a surveillance bill by another name.
  (Mr. TOOMEY assumed the Chair.)
  Colleagues who are following this and looking at the bill may be 
trying to sort through this discussion between proponents and 
opponents. To help clarify the debate, I would like to get into the 
text of the bill for just a minute.
  If colleagues look at page 17 of the Burr-Feinstein substitute 
amendment, which is the latest version with respect to this bill, 
Senators are going to see a key section of the bill. This is the 
section that discusses the removal of personal information when data is 
shared with the government. The section says very clearly that in order 
to get immunity from a lawsuit a private company has to review the data 
they would provide and remove any information the company knows is 
personal information unrelated to a cyber security threat. This 
language, in my view, clearly creates an incentive for companies to 
dump large quantities of data over to the government with only a 
cursory review. As long as that company isn't certain that they are 
providing unrelated personal information, that company gets immunity 
from lawsuits. Some companies may choose to be more careful than that, 
but this legislation and the latest version--the Burr-Feinstein 
substitute amendment--would not require it. This bill says with respect 
to personal data: When in doubt, you can hand it over.
  My amendment No. 2621 is an alternative. It is very simple. It is 
less than a page long. It would amend this section that I have just 
described to say that when companies review the data they provide, they 
ought to ``remove, to the extent feasible, any personal information of 
or identifying a specific

[[Page S7388]]

individual that is not necessary to describe or identify a 
cybersecurity threat.'' The alternative that I am offering gives 
companies a real responsibility to filter out unrelated personal 
information before that company hands over large volumes of personal 
data about customers or people to the government.
  The sponsors of the bill have said that they believe that companies 
should only give the government information that is necessary for cyber 
security and should remove unrelated personal information. I agree with 
them, but for reasons that I have just described, I would say 
respectfully that the current version of this legislation does not 
accomplish that goal, and that is why I believe the amendment I have 
offered is so important.
  For an example of how this might work in practice, imagine that a 
health insurance company finds out that millions of its customers' 
records have been stolen. If that company has any evidence about who 
the hackers were or how they stole this information, of course it makes 
sense to share that information with the government. But that company 
shouldn't simply say here you go, and hand millions of its customers' 
medical records over for distribution to a broad array of government 
agencies.
  The records of the victims of a hack should not be treated the same 
way that information about the hacker is treated. Companies should be 
required to make a reasonable effort to remove personal information 
that is not needed for cyber security before they hand information over 
to the government. That is what my amendment seeks to achieve. That is 
not what is in the substitute amendment.
  Furthermore, if colleagues hear the sponsors of the substitute saying 
this bill's privacy protections are strong and you have heard me making 
the case that they really don't have any meaningful teeth and they are 
too weak, don't just take my word for it. Listen to all of the leading 
technology companies that have come out against the current version of 
this legislation.
  These companies know about the importance of protecting both cyber 
security and individual privacy. The reason they know--and this is the 
case in Pennsylvania, Oregon, and everywhere else--is that these 
companies have to manage the challenge every single day. Companies in 
Pennsylvania and Oregon have to ensure they are protecting both cyber 
security and individual privacy. Those companies know that customer 
confidence is their lifeblood and that the only way to ensure customer 
confidence is to convince customers that if their product is going to 
be used, their information will be protected, both from malicious 
hackers and from unnecessary collections by their government.
  I would note that there is another reason why it is important to get 
the privacy protections I am offering in my amendment at this time. The 
companies that I just described are competing on a global playing 
field. These companies have to deal with the impression that U.S. laws 
do not adequately protect their customers' information. Right now these 
companies--companies that are located in Pennsylvania and Oregon--are 
dealing with the fallout of a decision by a European court to strike 
down the safe harbor data agreement between the United States and the 
European Union. The court's ruling was based on the argument that U.S. 
laws in their present form do not adequately protect customer data. 
Now, I strongly disagree with this ruling. At the same time, I would 
say to my colleagues and to the Presiding Officer--he and I have worked 
closely on international trade as members of the Finance Committee--and 
I would say to colleagues who are following this international trade 
question and the question of the European Union striking down the safe 
harbor for our privacy laws, in my view this bill is likely to make 
things even more difficult for American companies that are trying to 
get access to those customers in Europe.
  To give just a sampling of the leading companies that have come out 
against the CISA legislation, let me briefly call the roll. There is 
the Apple company. They have millions of customers. They know a great 
deal about what we have to do to deal with malicious hackers and to 
protect privacy. There is also Dropbox, Twitter, Salesforce, Yelp, 
Reddit, and the Wikimedia Foundation. I point to the strong statement 
by the Computer & Communications Industry Association. Their members 
include Google, Amazon, Facebook, Microsoft, Yahoo, Netflix, eBay, and 
PayPal. Those individual companies I have mentioned have millions of 
customers. The organization that speaks for them says: ``CISA's 
prescribed mechanism for sharing of Cyber threat information does not 
sufficiently protect users' privacy.''
  On top of this, there has been widespread opposition from a larger 
spectrum of privacy advocacy organizations. Here the groups range from 
the Open Technology Institute to the American Library Association.
  I was particularly struck by the American Library Association's 
comments in opposition to this bill. I think the leadership said--
paraphrasing--something to the effect of when the American Library 
Association opposes legislation that authors say will promote 
information sharing, they indicate there was a little something more to 
it than what the sponsors are claiming.
  Wrapping up, I want to make clear, as I said yesterday, that I 
appreciate that the bipartisan leadership of our committee has tried to 
respond to these concerns. They know that these large companies with 
expertise in collecting data and promoting cyber security have all come 
out against the bill. I heard talk about privacy protections. I don't 
know of a single organization that is looked to by either side of the 
aisle, Democrats and Republicans, for expertise and privacy that has 
come out in favor of the bill.
  So the sponsors of this legislation and the authors of the substitute 
amendment, which I have tried to describe at length here this 
afternoon, are correct in saying that they have made some changes, but 
those changes do not go to the core of the bill.
  For example, the amendment I have described would really, in my view, 
fix this bill by ensuring that there was a significant effort to filter 
out unrelated personal and private information that was sent to the 
government under the bill.
  So I hope Senators will listen to what groups and the companies that 
have expertise in this field have said. I hope Senators on both sides 
of the aisle will support the amendments I and others have offered. The 
Senate needs to do better than to produce a bill with minimal effects 
on the security of Americans and significant downside for their privacy 
and their liberty.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Rhode Island.


                    Amendment No. 2626, as Modified

  Mr. WHITEHOUSE. Mr. President, I would like to speak for 5 or 6 
minutes on the cyber bill.
  Unfortunately, I am here to express my distaste for the manner in 
which this bill has proceeded. I have an amendment that is not going to 
be voted on. Let me describe some of the characteristics of that 
amendment.
  First of all, it is bipartisan. It is Senator Graham's and my 
amendment.
  Second, it has had a hearing. We have had a hearing on it in the 
Judiciary Committee. Considerable work has gone into it.
  Third, it has the support of the Department of Justice. It repairs 
holes in our criminal law for protecting cyber security that we worked 
on very carefully with the Department of Justice and which we have had 
testimony in support of from our Department of Justice prosecutors.
  Last, it was in the queue. It was in the list of amendments that were 
agreed to when we agreed to go to the floor with this bill.
  So I don't know how I am going to vote on this bill now. But if you 
have a bipartisan amendment that has had a hearing, that was in the 
queue, and that has the support of the Department of Justice and you 
cannot even get a vote on it, then something has gone wrong in the 
process.
  I remember Senator Sessions coming to the floor and wondering how it 
is that certain Senators appoint themselves masters of the universe and 
go off in a quiet room someplace and decide that certain amendments 
will and will not be heard. I am very sympathetic to Senator Sessions' 
concerns right now.

[[Page S7389]]

  Let me tell you what the substance of our amendment would do.
  First, there are people out there around the world in this cyber 
universe of fraud and crime who are trafficking in Americans' financial 
information for purposes of fraud and theft. If they don't travel to 
America or if they don't have a technical connection to America, we 
cannot go after them. There is an American victim, but we cannot go 
after them. That is a loophole that harms Americans that this bill 
would close.
  I cannot believe there is one Member of this institution who would 
oppose closing a loophole that allows foreign criminals access to 
Americans' financial information for fraudulent purposes but puts them 
beyond the reach of our criminal law. That is one part of what our bill 
does.
  Second, it raises penalties for people who intrude on critical 
infrastructure. You can go all around this country, you can go to 
military installations that have way less security concerns than our 
critical infrastructure, like our electric grid, and you will see 
chain-link fences that say department of whatever, U.S. Government, 
stay out. You cannot go in there to picnic, you cannot go in there 
because you are curious, you cannot go in there for a hike, and the 
reason is because there is a national security component to what is 
going on in there.
  Well, there is a huge national security component to our critical 
infrastructure, like our electric grid. All this would do is raise the 
penalties. You could still go in, but if you get caught doing something 
illegal there, then it is a little different if you are attacking 
America's critical infrastructure than if you are just prowling around 
in some other portion of the Web that does not have that.
  Again, I think if that came to a vote, we would probably get 90 
percent of this body in favor. Who is in support of allowing people to 
mess around in our critical infrastructure?
  The third is botnet brokers. Botnets are out there all over the 
Internet. They are a plague on the Internet. There is no such thing as 
a good botnet. Everyone would be better off if they were removed. They 
are like weeds on the Internet. There are people who are brokers who 
allow access to botnets, and because our laws are so out of date, if 
you are just brokering access to a botnet for criminal purposes, there 
is no offense. Why would we not want to empower our Department of 
Justice to be able to go after people who are criminal brokers allowing 
access for criminals to botnets to use for criminal purposes against 
Americans? I don't understand that.
  Lastly, botnet takedowns. A botnet is a weed. We wait until somebody 
actually encounters that weed and is harmed by it before we allow our 
Department of Justice to act. We should be out there taking down 
botnets on a hygiene basis all the time. We are limited because of this 
artificiality. That is the fourth piece of the bill. It empowers botnet 
takedowns like the Bugat takedown we just did. We should be doing a lot 
more of that. Again, unless somebody here is in the botnet caucus and 
is in favor of more botnets out there, this is something which would 
probably pass unanimously. Yet I cannot get a vote.
  It is bipartisan, has had a hearing, is in the queue, is supported by 
the Department of Justice, and those are the four sub-elements of it. 
For some reason, the masters of the universe have gone off and had a 
meeting in which they decided this is not going to be in the queue. I 
object to that procedure.
  I am sorry we are at this stage at this point because I think that on 
the merits this would win. This is a bipartisan, good, Department of 
Justice-supported, law enforcement exercise to protect people against 
cyber criminals. I don't know what the sense is that there is some 
hidden pro-botnet, pro-foreign cyber criminal caucus here that won't 
let an amendment like mine get a vote.
  I will yield the floor. I see Senator Carper here, and he has done 
great work to try to be more productive than my amendment reflects. I 
hope we can sort this out to a point where an amendment like mine, 
which was in the queue in the original deal that got us to this bill, 
can now get back in some kind of a queue so that we can get this done.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Delaware.
  Mr. CARPER. I appreciate the yielding by Senator Whitehouse. Let me 
just say that if your provision, Senator Whitehouse, does not end up in 
this bill and we actually do pass it, I am sure we will conference with 
the House. There will be an opportunity to revisit this issue. So I 
hope you will stay in touch with those of us who might be fortunate 
enough to be a conferee.
  Mr. WHITEHOUSE. I appreciate that very much, more than the Senator 
can know.
  Mr. CARPER. Mr. President, I rise today in support of the cyber 
security information bill introduced by my colleagues, Senators Burr 
and Feinstein. I want to commend my colleagues and their staff for 
their leadership and for their tireless efforts on this extremely 
important piece of legislation.
  As ranking member and former chairman of the Homeland Security and 
Governmental Affairs Committee, I have been following cyber security 
and this information sharing proposal in particular literally for 
years. In fact, when Senator Feinstein first introduced an information 
sharing bill in 2012--that was like two or three Congresses ago--it was 
referred to Homeland Security and Governmental Affairs, on which I 
served. That bill was ultimately folded into a comprehensive cyber 
security bill that I had the honor of cosponsoring with Senators Joe 
Lieberman, Susan Collins, Jay Rockefeller, and Senator Feinstein. We 
were not able to pass that bill, but I think it has paved the way for 
other cyber legislation, including the bill that is before us today and 
a number of the amendments that are going to be offered to that bill in 
the managers' amendment, especially.
  Last Congress, I worked with our ranking member on homeland security, 
Dr. Tom Coburn, and our House counterparts to get not one, not two, not 
three, but four cyber security bills enacted into law, signed by the 
President. I believe these four bills laid a very strong foundation for 
some significant improvements on how the Department of Homeland 
Security carries out its cyber security mission and really for this 
bill before us too.
  What the legislation Dr. Coburn and I worked on during the last 
Congress did, in essence, was to better equip the Department of 
Homeland Security to operate at the center of the kind of robust 
information sharing program that the Burr-Feinstein bill would set up. 
How do they do that? One, make sure the Department of Homeland Security 
would have the ability to attract and retain top-flight talent, much 
like the National Security Agency already has.
  The legislation actually takes something called the cyber ops center, 
NCCIC, within the Department of Homeland Security and makes it real and 
functional and an entity that people would use and listen to.
  Finally, we took an old law called FISMA, the Federal Information 
Sharing Management Act--we took something that was just a paperwork 
operation, this FISMA legislation--like a once-in-a-year check to see 
how good a cyber security agency might be--and turned it into not a 
paperwork operation, not a once-every-365-days operation, but a 24/7 
surveillance operation on the lookout for intrusions within and across 
the Federal Government broadly.
  That legislation, affectionately known as FISMA, was also designed to 
make clear what the division of labor was between the Office of 
Management and Budget, OMB, and the Department of Homeland Security on 
protecting the dot.gov domain. We made it clear that the job of OMB is 
to, if you will, steer the ship. The job of the Department of Homeland 
Security is to row the ship, to row the boat. That is a good division 
of labor given that OMB only has six employees who work on this stuff 
and the Department of Homeland Security has hundreds. So I think we 
figured out the sharing of labor, the division of labor, and also made 
sure the Department of Homeland Security has the resources--the horses, 
the resources--and the technology they need.
  Sharing more cyber security threat information among and between the 
private sector and the Federal Government players who are on the 
frontline in cyber security is critical for national security. Over the 
last couple of

[[Page S7390]]

years, we have witnessed many troubling cyber attacks against our 
banks, but not just our banks, against retailers, health providers, 
government agencies, and God knows how many others.
  Some of those launching these attacks were just criminals. Some of 
them were just criminals. They want to steal information. They want to 
make money off of our personal information, off our intellectual 
property, like our intellectual seed corn, if you will, for companies 
large and small and for universities as well. Others just want to be 
disruptive or they want to make political points. Some actors, however, 
are capable or would like to develop the capability to use a cyber 
attack to harm people and cause physical damage.
  It is long past time for this body to take action to more effectively 
combat these threats we now face in cyber space. That is why earlier 
this year I introduced a similar information sharing bill. This bill 
largely mirrored the administration's original proposal.
  The administration asked me to introduce their information sharing 
bill. Before I did that, we actually had a hearing in the committee on 
homeland security. Part of the centerpiece of the hearing was the 
administration's proposal. We got some good ideas on how to make it 
better. We made it better and introduced that bill to use, if you will, 
as a point-counterpoint in a constructive, positive way with the 
legislation that worked its way through the Intelligence Committee. But 
we did not stop there. We took information from a lot of experts and 
stakeholders.
  The measure we are discussing today shares the same goals as my 
original bill--largely the administration's original bill--to increase 
the sharing of cyber threat information between the Federal Government 
and the private sector and between different entities within the 
private sector. I am pleased that we are finally discussing these 
critical issues on the Senate floor.
  The substitute amendment we are debating today makes a number of 
improvements to the bill that was first made public after the 
Intelligence Committee reported it out. It also includes several 
changes that I, as well as several of my colleagues, have been calling 
for--including the chairman of our committee.
  I would like to thank Senators Burr and Feinstein. I thank their 
staff for working closely with our staff and others to produce what I 
believe is a significantly smarter and stronger bill. Is it perfect? 
No, not yet. But I can say there is always room for improvement. That 
is why we still have a debate on a number of amendments and those like 
the one mentioned by Senator Whitehouse that may be germane in a 
different kind of way in conference.
  While there may not be agreement on everything in this bill, I 
believe most of our colleagues would come to the conclusion that it 
really will help to improve our Nation's cyber security and, by 
extension, our national security and, by extension, our economic 
security.
  First, the bill would ensure that the government--our government--is 
providing actionable intelligence to private sector entities that are 
seeking to better protect themselves in cyber space. Businesses around 
our country are hungry for information they can use to fend off attacks 
and better protect their systems and their customers. This bill would 
make the Federal Government a much stronger partner for them.
  Many companies that I have talked to of late also want to share more 
information with the Federal Government about what they are seeing 
online every day, but they are unsure of the rules of the road. In 
other words, companies want more predictability and they want more 
certainty when it comes to working with our government. This bill would 
give them that by clarifying that they won't be putting themselves in 
legal jeopardy if they choose to share cyber threat information with 
our Federal Government.
  If companies do want to avail themselves of the legal protections the 
bill offers, they would have to, with two narrow exceptions, use the 
information sharing portal at the Department of Homeland Security. This 
puts the Department of Homeland Security, a civilian entity, at the 
center of the information sharing process. I think this is smart and 
the right thing to do. In fact, many experts and companies that I have 
talked to across the country as recently as last week out in Silicon 
Valley and out on the west coast--they agree with what I have just 
said.
  I know many Americans are uneasy with companies they do business with 
directly handing over data to an intelligence or law enforcement 
agency. The Department of Homeland Security will carry out its 
responsibilities under this bill through the cyber ops center I 
mentioned earlier called the National Cyber Security and Communications 
Integration Center--that is a mouthful. We affectionately call it N-
Kick. It is the cyber ops center. It includes folks from DHS and other 
Federal agencies. It includes a number of representatives of financial 
services, the utility industry, our retail industry, and so forth, all 
together under one roof, talking together and working together to help 
us support one another and make it strong and more secure.

  One of the bills I worked on with Dr. Coburn last Congress formally, 
as I said earlier, authorized this center. We are pleased to see that 
this bill would make the most out of the resources we have already 
invested in this cyber ops center, NCCIC.
  Earlier this month, Secretary Jeh Johnson of the Department of 
Homeland Security told our Homeland Security and Governmental Affairs 
Committee that beginning in November, the cyber ops center, NCCIC, will 
have the capability to automate the distribution and receipt of cyber 
threat indicators. I will say that again--to automate the distribution 
and the receipt of cyber threat indicators that they receive from 
others, including those in the private sector. In other words, the 
Department of Homeland Security will have the ability to share 
information with other agencies in real time--not next month, not next 
week, not tomorrow, not in an hour, but in real time, which is really 
what this little bill before us today requires.
  I know that the real-time sharing is incredibly important to the 
bill's sponsors, and it is important to me and probably to many of our 
colleagues and stakeholders. Equally important, however, is the ability 
of the Department of Homeland Security to apply what I call a privacy 
scrub to the information it receives from industry, the threat 
indicators that come from industry--see something, say something--stuff 
that they send to the Department of Homeland Security.
  In the bill that I authored with others in my committee, including 
our chairman, we allow the Department of Homeland Security to, if you 
will, receive information through its portal from various entities that 
witness threat indicators, to see it and to put it through the portal, 
to bring it through the portal to do a privacy scrub. That is one of 
the things the Department of Homeland Security has expertise in doing.
  I used an example at lunch earlier today. I talked about baseball. I 
know the Presiding Officer has some interest in baseball. There are 
teams called the Phillies in Philadelphia and the Pirates in 
Pittsburgh. I would just say to him, thinking about baseball for a 
minute, let's say you are in the playoffs. Let's say you have a team in 
the playoffs. You are in the ninth inning, and you need to get somebody 
out of the bullpen to close. You have a one-run lead. You look to the 
bullpen. He is now retired, but Mariano Rivera was the best closer in 
baseball history. You have Mariano Rivera in the bullpen to come in and 
close the game, and you have three other guys you just called up from 
the Minor League, so maybe from AAA.
  You say: Well, whom do I put in to close the game? Do I put in the 
best closer we have ever had in baseball history or do I bring in three 
rookies, three Minor League guys?
  Well, you bring in Mariano Rivera.
  When it comes to being able to do privacy scrubs, the Department of 
Homeland Security--that is what they do. That is what they do. Now they 
have the horses, the ability, and the technology to do it even better.
  I know some of my colleagues are concerned that a privacy scrub will 
slow down the information sharing process. I share those concerns, but 
I have been assured by the Department--the bright, smart people at the 
Department of Homeland Security--that less

[[Page S7391]]

than 1 percent of the information it receives would actually ever need 
to be reviewed by a human, by a person. The rest--roughly 95 percent to 
99 percent--would be shared with other agencies at machine speed. 
Bingo.
  I am very pleased that DHS has come to an agreement on this process 
with its agency partners. We will be up and running with a portal in 
the way I have described in the next couple weeks.
  One of the amendments I filed speaks to this privacy scrub process. 
It would make clear that the Department of Homeland Security could 
carry out an automated privacy scrub in real time and without delay. In 
fact, my amendment would add just one word to the bill so that DHS 
could continue to automatically remove irrelevant or erroneous data 
from cyber threat information.
  I am very pleased that Senators Burr and Feinstein have taken this 
amendment into consideration and have now modified their substitute 
amendment to make sure the Department of Homeland Security can do what 
it does best, and that is to apply a privacy scrub--pulling out 
personally identifiable information that actually shouldn't be passed 
on to other Federal agencies. The substitute amendment now calls on DHS 
to work with its agency partners to agree on a process to share 
information while protecting privacy. This is a process DHS is already 
undertaking.
  I thank Senators Burr and Feinstein, as well as our friends at the 
Department of Homeland Security and other agencies, for working so hard 
to find agreement on this language and for working with my staff and me 
on this important matter.
  Another amendment I put forward with our committee chairman, Senator 
Johnson, aims to improve what we call cyber hygiene across the Federal 
Government and to prevent attacks against Federal agencies. This 
language is based on a bill that Senator Johnson and I introduced and 
had reported out of our homeland security committee by a unanimous 
vote. The amendment does three main things.
  First, it would require all Federal agencies to implement specific 
best practices and state-of-the-art technologies to defend against 
cyber attacks. For example, we had experts testify about the importance 
of strong authentication and data encryption. This amendment would make 
sure that agencies are taking these commonsense steps to bolster their 
cyber security defenses.
  Second, the amendment would accelerate the deployment and adoption of 
the Department of Homeland Security's cyber intrusion and detection 
program, known as EINSTEIN, as in Albert Einstein, but you don't have 
the ``Albert'' in the name of this technology; it is called EINSTEIN.
  For my colleagues who may not be familiar with EINSTEIN, with respect 
to homeland security and cyber security, let me take a couple of 
minutes to describe its main features.
  We had EINSTEIN 1 present at the beginning, EINSTEIN 2 was follow-on 
technology, and then there is EINSTEIN 3. EINSTEIN basically analyzes 
Internet traffic entering and leaving Federal civilian agencies to 
identify cyber threats and to try to stop attacks.
  This system has been rolled out in phases over the last several 
years. EINSTEIN 1 is the first step. It sees and actually records 
Internet traffic, much like a guard at a checkpoint watches cars go by 
and maybe writes down and records the license plates. EINSTEIN 2 
detects anything out of the ordinary and sets off alarms if a piece of 
malware is trying to enter a Federal network. For example, a car comes 
through and it is not supposed to come through. That would set off an 
alarm and enable EINSTEIN 2 to actually detect a cyber intrusion. It 
doesn't do anything about blocking. It doesn't block the car, in this 
example. It doesn't block anything. EINSTEIN 3A, the latest version, 
uses unclassified and classified information to actually block the 
cyber attack.
  So initially EINSTEIN 1 records basically what is being detected, 
EINSTEIN 2 actually detects bad stuff coming through in terms of an 
intrusion, and EINSTEIN 3A blocks it. The problem is that less than 
half of our Federal civilian agencies actually have EINSTEIN 3A in 
place. They have the ability to record an intrusion, the ability to 
detect an intrusion, but not the ability to block an intrusion. They 
need the ability to block. What our legislation would do would be to 
make sure that agencies have EINSTEIN in place, including the ability 
to block intrusions, within 1 year.
  Finally, our amendment incorporates the language originally drafted 
by Senator Susan Collins, the former chair of the homeland security 
committee and a great colleague of ours for many years, Senator Mark 
Warner, Senator Kelly Ayotte, Senator Claire McCaskill, Senator Dan 
Coats, and Senator Barbara Mikulski. They are all cosponsors of the 
amendment Senator Collins offered. These provisions would strengthen 
the ability of the Department of Homeland Security to shore up cyber 
defenses at civilian agencies and to address cyber emergencies across 
the Federal Government.
  Again, I am incredibly grateful that Senator Feinstein and Senator 
Burr agreed to include our language in the substitute amendment 
language that worked its way through our committee. We had hearings and 
had the opportunity to mark up the legislation. It worked the way it is 
supposed to work. And I think that without exception it had bipartisan 
support coming through our committee. It is the perfect complement to 
the information sharing bill we are discussing this week. I think it 
makes a good bill that much better.
  I thank the Senators for working with me and Senator Johnson on it.
  Just one more thing before I close. I know the Presiding Officer 
thinks a lot about root causes, and rather than just address the 
symptoms of a problem, let's think about what is the root cause of the 
problem. The Senator who is waiting to follow me on the floor, the 
former Governor of Maine, thinks similarly. I do too. It is not enough 
to just address the symptoms of these problems. A part of what we need 
to be thinking about is, How do we get to the root cause?
  Until fairly recently, a lot of our financial services institutions 
in this country were under constant attack by somebody who was trying 
to overload their Web sites and essentially trying to shut them down. 
It is sort of like when we were first standing up the Affordable Care 
Act, they had so much traffic on their Web site that it would kind of 
break down.
  There are so many cyber threats from around the world. We think Iran 
is behind it. They are trying to do that, to bring down our financial 
services business--and sometimes with some success.
  About a year ago, when we got very serious about negotiating with the 
Iranians and our partners--the French, the Brits, the Germans, the 
Russians, and the Chinese--some kind of an agreement where the Iranians 
would give up any hope they had of having a nuclear weapon and the 
terms for our lifting our economic sanctions--when it became clear that 
those were serious negotiations, that something might actually happen 
from those negotiations, guess what happened to those attacks. We call 
them DDoS. What do you suppose happened? Well, guess what, they started 
letting up little by little until the time we actually voted here to 
let that agreement be enacted and hopefully be administered and 
implemented. That was a root cause being addressed.
  Another root cause we had over in China--for years the Chinese have 
sought to use cyber attacks to get into our most successful businesses, 
some of our research and development operations in those businesses, 
and work being done within Federal agencies on research and 
development--actually, the intellectual seed corn for creating jobs and 
opportunity in this country. The cyber attacks were--we believe it was 
China trying to steal information from our universities. They were 
doing a lot of research that could lead to economic activity and job 
creation. We didn't like it. We don't do that. We don't do that to 
them, and we don't want them to do that to us. We complained about it 
and complained about it and called out some of the folks whom we 
thought were behind this in China.
  President Xi visited us in this city about 3 weeks ago. He and our 
President had some tough, direct, and probably not entirely comfortable 
conversations. One of them dealt with this

[[Page S7392]]

issue, what we believe is the intrusion by Chinese actors in order to 
steal our intellectual seed corn, in order to maybe have a short step, 
a shortcut to economic development, economic activity. They would not 
have to spend the money, the time, and the energy to do all the 
research that would lead to this innovation and job-creation activity. 
The agreement that came out of that was the Chinese and our country 
have agreed that neither side will knowingly steal this kind of 
information from the other. ``Knowingly'' is a very broad term, and so 
we have to make sure that ``knowingly'' actually means something. 
Secretary Jeh Johnson, the head of the Homeland Security Department, 
and Attorney General Loretta Lynch have been assigned to build on this 
initial agreement and see what we can make of it.
  I will close with this. A lot of people in our country don't 
understand what all this cyber security stuff is--intrusion, EINSTEIN, 
and all the items we are talking about that are in the legislation 
which is before us this week. They do know this: It is not good when 
people can steal the kind of information that needs to be protected. 
Whether it is part of the government domain, military or intelligence 
secrets; whether it is economic secrets or developments that lead to 
economic gain; whether it is personally identifiable information that 
can be used for blackmail purposes or to monetize and to somehow make 
money off of that information, we know it is not good. There is no one 
silver bullet to actually stop this kind of activity, but there are a 
lot of silver BBs, and some of them are pretty big.
  The legislation that is before us today, bolstered by similar 
legislation that has come out of the Committee on Homeland Security and 
Governmental Affairs, is a pretty good-sized BB. They are not going to 
enable us to win this war by themselves, but they will enable us to 
make real progress. It will make us feel a good bit more secure than we 
have, knowing that this is an enemy across the globe and that a number 
of enemies wish us harm. They are not going to give up. There is a lot 
of money involved. They will be back at us, and we have to bring our 
``A'' game to work every day in the Department of Homeland Security and 
other Federal agencies working in tandem with the private sector.
  Hopefully, with this information, the folks in the private sector--if 
they want to get the liability protection and share information with 
the Federal Government, we want them to use the portal through the 
Department of Homeland Security. The Department of Homeland Security, 
to the extent that privacy scrub is needed--it does not happen often. 
It happens less than 1 percent of the time with the information that 
comes through the portal. The legislation before us, with the 
amendments that are offered, will enable us to have that kind of 
security about our private information and at the same time to do a 
very good job--a much better job--in protecting what is valuable to us.
  Mr. President, I think that is about it for me. I appreciate very 
much the opportunity to speak. I appreciate the patience of Senator 
King, and I will yield the floor to him.
  I will just say in closing--no, Senator Blunt, I will yield to you 
next. It is good to be with both of you. I look forward to working with 
you on these and, with respect to the Senator gentleman from Missouri, 
very closely on related matters.
  Thank you so very much.
  The PRESIDING OFFICER. The Senator from Missouri.
  Mr. BLUNT. Mr. President, I thank the Senator from Delaware. He and I 
have worked on legislation together to protect data security, to have 
one standard for notifying people whose information has been accessed 
by people who shouldn't have it, and we are going to continue to work 
on that and look for opportunities, whether it is this bill or some 
other bill, to add that important element to what we are doing here.
  I come to the floor today, as I am sure many others have, to express 
support for this bill--for the Cybersecurity Information Sharing Act--a 
bill that gives us tools we don't currently have, and to break down 
barriers that we do currently have. This is a bill that would allow 
individuals who see the information they are responsible for being 
attacked to call others in their same business and say: Here is what is 
happening to us right now. If you are not seeing it already, you should 
be looking for it. When they do that, it doesn't violate any 
competitive sharing of information. What it does is bring everybody 
into the loop of defense as quickly as possible and allow them to look 
for help from the government as well.
  So I express support for this bill. We know that day after day 
Americans who read, watch, or listen to the news learn of another cyber 
attack. Some involve attacks of government systems, while others 
involve the private sector.
  In 2012 and 2013, hacker groups linked to Iran targeted American bank 
Web sites and sustained an attack on those Web sites in a way that was 
designed to disrupt people trying to do business--trying to pay their 
own personal bills, trying to do things people should expect to be able 
to easily do.
  Early in 2014, we learned that cyber criminals had stolen 40 million 
credit card numbers from a major retailer and had probably compromised 
an additional 70 million accounts. We also have learned that a lot of 
times when we hear about these, they seem bad enough at first, but they 
seem a whole lot worse later when we find out what really happened, 
when we see how deep these criminals were able to go, how deep these 
terrorists were able to go, how deep these government-sponsored 
entities were able to go to get at information they shouldn't have.
  In September of that same year, September 2014, we learned another 
major retailer had suffered a data breach. In that case there were 56 
million credit card holders.
  In February of this year, we learned a health insurance provider's 
system had been hacked, and 80 million customers were affected. This 
was a data breach that particularly impacted my State--particularly 
impacted Missourians--and we saw a huge change in the IRS fraud that 
occurred this year because, we believe at least, because criminals 
suddenly had all this sensitive personally identifiable information 
they had stolen. Suddenly somebody besides you was filing your tax 
return. Only later did the people who really had the income tax return 
to file find out that somebody had filed it for them.
  In June of this year--maybe the most surprising to all of us who have 
heard over and over again that the private sector is struggling, we 
suddenly found out the U.S. Office of Personnel Management increased a 
previous estimate of how many people were affected by its own data 
breach. The files of Federal employees and people related to those 
files was revised upward to 21.5 million people. Then we found out that 
also included roughly 5.5 million sets of fingerprints.
  I am not exactly sure what you could do with somebody's fingerprints 
on the Internet today. I can only imagine what you might be able to 
figure out to do with those fingerprints. Remember, your fingerprints 
don't change, and probably the government entity responsible for that 
hacking that has those fingerprints is always going to have those 
fingerprints as they think of new and malicious ways to use them. So we 
are talking about well over 100 million Americans who already have 
their personal information in the hands of people it shouldn't be in.
  The challenge before us is as clear as it is urgent. Virtually every 
aspect of our society and our economy relies on information technology. 
It has enabled tremendous economic growth, it has enabled tremendous 
efficiencies in every sector, but it has put all kinds of information 
out there in ways that, looking back, we are going to wonder why we 
made that information so available in so many places and left so 
unprotected.
  Federal, State, and local governments rely on that information 
technology as well. As the technology advances, its widespread adoption 
has also opened us to new dangers. Modern cyber security threats are 
sophisticated, they are massive, and they are persistent. This doesn't 
just happen every day, it happens all the time every day.
  The culprits of these attacks and intrusions range in terms of their 
motives and their abilities. We just heard of a teenager who figured 
out how to

[[Page S7393]]

get into the personal account of the CIA director--at least that is the 
public media report--and the homeland security director. This is not a 
particularly sophisticated individual, but obviously a pretty capable 
person who gets to two individuals that one would think would be the 
most cautious.
  Some of these people are bent on sheer vandalism--just the thrill of 
cyber vandalism--while others are determined to steal intellectual 
properties from American companies. The motive there is clear. It is 
easier to steal intellectual property than it is to go through the hard 
work of creating it. Suddenly that information is out there, and the 
people who created it have been robbed.
  I hear this all the time when I visit companies in my State. We have 
seen cyber intrusions used for espionage. We have seen one major 
company attacked for no reason other than to embarrass the company 
because a foreign government didn't like something the company had 
done. It is quite a way to have a movie review, that we are just going 
to destroy as much of your technology as we can by a cyber invasion.
  A great many more of these people are motivated by greed--pilfering 
other people's identities, getting access to other people's account 
information, and selling that information on the black market. This 
becomes a real opportunity for them. The more you remove it from the 
person who initially got it, the harder it is to find out who initially 
got it and what they did with it.
  Underneath all this is the implication of more serious attacks that 
can cause physical harm and can cause mass disruption of critical 
infrastructure of the country that is very dependent on cyber security. 
This really begs the question: What are we doing to protect our country 
and our citizens from these cyber adversaries? I have been in the Senate 
for 5 years. I have had the great opportunity to represent the people 
of Missouri here for 5 years. And during every one of those 5 years, we 
have been talking about how important it is that we do something about 
cyber security. This is the only approach I have seen in those 5 years 
that has bipartisan support. It has a bicameral consensus. This is 
something that can happen.
  This is a problem that it is time to stop talking about. Do we want 
some other government to have everybody's fingerprints before we do 
something about it? This is the time to do something about it. As a 
member of the Senate Select Committee on Intelligence, I am certainly 
here to support the chairman of that committee and the vice chairman of 
that committee to finally pass this bill, a bill to enhance the public-
private partnerships that can provide the kind of cyber defense we 
need.
  We need to do that and we need to encourage lots of sharing. We need 
to encourage sharing of attacks. We need to encourage early on, as I 
said, the ability to call somebody else in your same business and to 
contact them and say: This is happening right now. That is the best 
time to say it. The other option is to say: This happened to us late 
last night or happened yesterday, but this is happening to us. Is it 
happening to you?
  There is lots of misunderstanding about this concept. Without getting 
too technical, cyber threats are the malicious codes and algorithms 
used to infect computer systems and attack networks. They are 
techniques that use bits and bytes. They are the ones and zeros of the 
digital age that allow hackers to intrude upon private systems, steal 
information, perpetrate fraud, or disrupt activities over the Internet.
  In very dangerous circumstances, these techniques can be used to 
remotely control critical infrastructure management systems, such as 
supervisory control and data acquisition systems. I saw something on 
the news the other day where some hackers, for no intent other than 
maybe just to see if they could do it, had figured out how to take over 
one of the cars that was driving itself. Suddenly the car wasn't 
driving itself; the hacker was driving the car.
  When a particular company finds itself subjected to some novel new 
approach, the quicker they can share that, the better. When the 
government discovers a new method being used to infiltrate information 
technology systems abroad or here, they need to be able to share that 
with American companies quickly so they can protect themselves. There 
are things the private sector sees that the government does not, and 
there are things the government sees that the private sector does not. 
This legislation gives the obligation and opportunity to both of them 
to join together in this important fight. Modern communications 
networks move at an incredibly rapid pace. We need to be fighting back 
at that same kind of rapid pace.
  This bill establishes a strictly voluntary program. Unlike some of 
the other programs we have talked about to secure ourselves in a post-
9/11 world, this is a strictly voluntary program that leverages 
American ingenuity to unleash the arsenal of democracy against cyber 
adversaries.
  When it comes to the cyber threat, we have to act for a common 
purpose. Throughout this debate there has been a great deal of 
discussion about the need to protect liberty in the information age. I 
truly think liberty and security are not at odds with one another in 
this legislation. When it comes to this bill, it comes the closest to 
having the balance we all would like to see. It takes into 
consideration the importance of liberty, but it also takes into 
consideration what happens as we protect our security.
  I would close by saying of all the attacks we have had, and as bad as 
they have been, none of them have been the sort of catastrophic 
infrastructure attack that we may see that would impact the grid, that 
impacts our ability to communicate, impacts our ability to make the 
water system work, or impacts our ability to make the electrical system 
work. If that happens, the Congress will not only act, the Congress 
will overreact.
  This is the right time to have this debate. Let's put this 
legislation on the books right now. Let's give the people a law that 
makes sense at a time when we have the time to debate it, instead of 
waiting to see the direction we will turn to when we should have 
debated this and moved in this direction right now. I encourage my 
colleagues to vote for this bipartisan bill that I think will wind up 
on the President's desk and become law.
  Mr. President, I yield to my patient friend from Maine, who has been 
waiting. He and I serve on the Select Committee on Intelligence 
together, and I look forward to his comments.
  The PRESIDING OFFICER (Mr. Scott). The Senator from Maine.
  Mr. KING. Mr. President, the United States is under attack. We are 
under attack--not a week ago, a month ago, September 11 or yesterday, 
but right at this moment. We are under attack from state actors, from 
terrorist nonstate actors, and from garden-variety criminals. This 
cyber issue is one of the most serious that we face.
  When I first got here, I was appointed to the Armed Services and 
Intelligence Committees. On those two committees over the past 3 years, 
at least half of our hearings have touched upon this issue and the 
threat that it presents to this country. The leaders of our 
intelligence community and our military community, in open session and 
in closed session, have sounded the alarm over and over and over. The 
most dramatic--I don't remember what the hearing was--was when one of 
our witnesses said: ``The next Pearl Harbor will be cyber.''
  As the Senator from Missouri just pointed out, we are fortunate that 
we have had a number of warning shots but none have been devastating. 
But we have had warning shots--at Sony, at Target, at Anthem, at the 
Office of Personnel Management of the U.S. Government, and at the home 
email of the Director of the CIA. We have had large and small 
intrusions and cyber attacks that have been more than annoying, but, so 
far, they haven't been catastrophic. That is just a matter of time. 
That is why we have to move this bill.
  This bill isn't a comprehensive answer to this question, but it is at 
least a piece of it. It is a beginning. We are going to have to talk 
about other aspects of our cyber strategy, but at least we can pass 
this bill, which came out of the committee 14 to 1. It is bipartisan, 
and it has support in the House. Let's do something.
  I do not want to go home to Maine and try to explain to my 
constituents,

[[Page S7394]]

when the natural gas system or the electric system is brought down, 
that we couldn't quite get around to it because of the difference of 
committee jurisdictions or because we had other priorities or because 
we were tied up on the budget. This is a priority. It is something we 
should be doing immediately, and I am delighted that we have moved to 
it.
  Now, as I have sat in the Intelligence Committee every Tuesday and 
Thursday afternoon for the past 3 years, it occurred to me several 
months into those debates and the discussions of this and other issues 
that really we in the Intelligence Committee and also we in this body 
really are working with and weighing and balancing two constitutional 
provisions.
  The first is the preamble of the Constitution. The most basic 
responsibility of any government, anywhere, anytime, is to provide for 
the common defense. That is why governments are formed, to provide the 
security, and also to insure domestic tranquility. Those two together 
are the basic functions of why we are here--to protect our people from 
harm. And that is clearly what this bill is talking about.
  But the other constitutional provision in the picture that we also 
have to weigh is the Fourth Amendment: ``The right of the people to be 
secure in their persons, houses, papers, and effects, against 
unreasonable searches and seizures, shall not be violated. . . . '' 
That is a fundamental premise of who we are as a people.
  These two provisions of the Constitution are in tension--neither one 
dominates, neither one controls the other--and it is our job in this 
body to continuously weigh and calibrate these two provisions and their 
balance in light of threats and evolving technologies.
  When the Fourth Amendment was written, nobody had ever heard of 
telephones. They certainly had never heard of the Internet. They never 
thought about any of these things. But they said: The rights ``shall 
not be violated.'' It is interesting--``unreasonable searches and 
seizures.'' They didn't know the threats we would be facing when they 
said it was a fundamental premise of the U.S. Constitution that we 
should protect against both foreign and domestic enemies. That is what 
we have to do, and that is what this bill does.
  This bill is very carefully worked up, with a lot of discussion and 
negotiation, to be effective in protecting the public, while, at the 
same time, to be effective in protecting the public's privacy rights in 
respecting these two principles. We have had warning after warning 
after warning, and now it is time for us to act.
  The good news about the United States is that we are the most wired 
nation in the world. Technology has been a huge boon to our economy and 
to our people, and we are way ahead of a lot of the rest of the world 
in our interrelationship with technology and how we have used it to 
enhance our lives. That is the good news. The bad news is that we are 
the most wired country in the world, because that means we are the most 
vulnerable--asymmetric vulnerability. We are more vulnerable because we 
are more connected. That means we have to take great care in this 
country to be sure that we don't allow that vulnerability to result in 
a catastrophic loss for our people.
  Not only are we talking about national security issues, but we are 
talking about individual people's lives. If the electric grid went 
down, people's lives would and could be lost--in hospitals, at traffic 
intersections, across the country. If the natural gas system--the vast 
pipeline system that links our country in terms of energy--somehow went 
awry because of a cyber intrusion into the operating system, that would 
have devastating consequences for human lives and also, of course, for 
the economy of our country. Somebody could get into the routing system 
of a railroad, and a train carrying hazardous material would be caused 
to derail. These are the kinds of things that can happen and will 
likely happen unless we take steps to protect ourselves.
  Some of these attacks and intrusions are sponsored by nation-states. 
We know that. Some of them are sponsored by just garden-variety 
criminals who are trying to steal our money. Or some of them are large 
international criminal organizations that are trying to steal our 
commercial intelligence and how we build our products and how we 
compete. Some of them are terrorist organizations that see this as a 
cheap way to attack America. Why go to all the trouble to build a bomb 
and smuggle it into the country and all the risk that entails, when you 
can disrupt the country in just as great a way with a few strokes on a 
laptop?
  It is economic security, national security, economics. It has been 
estimated worldwide that cyber crime costs our country $445 billion a 
year. That is to the global economy--a half trillion dollars a year. 
Some 200,000 jobs in the United States could be and are being affected, 
and 800 million personnel records were stolen, and 40 million were 
Americans.
  The cost of cyber crime is estimated to be between 15 and 20 percent 
of the value created by the Internet. We always talk that we don't want 
any taxes on the Internet. This is a tax. This is a tax we are all 
paying. The users of the Internet are paying to ward off this epidemic 
of cyber crime.
  It is not only the government. Of course, it is companies, such as 
Sony, Target, Anthem, the industrial base, JP Morgan, Home Depot. The 
list goes on and on. Most importantly, it is not just the big guys. 
Sometimes we feel that OK, this is the large banks, the large insurance 
companies that have to worry about this. In the State of Maine, we have 
to worry about it.
  My staff and I in Maine have reached out to businesses large and 
small across the State. Every single one, with one exception, listed 
cyber intrusion as one of their greatest issues.
  The Maine Credit Union League, with $2.5 million a year, and local 
credit unions are having to deal with cyber intrusion.
  One of our Maine health care providers has experienced thousands of 
attempts to steal confidential data every year. Keeping the data safe 
is costing them more than $1 million. This is costing us real money.
  At one of our Maine financial institutions, 60 to 70 percent of the 
emails they get in the bank are phishing emails trying to compromise 
their secured data.
  One of our utilities spent over $1 million a year just on 
preventative costs to defend against cyber crime. This is in a State of 
1.3 million people. This is real. This is real in our State.
  I had a forum over the August break with businesses throughout 
Maine--mostly small businesses and homeland security. We had 100 
businesses come just to visit and sit for a day to talk about this 
issue. These were small businesses, and all of them were seeing these 
kinds of problems.
  One was a small business with 35 employees that did a deal overseas, 
and a cyber criminal in effect stole their payment. They sent a fake 
invoice to the customer overseas, the customer paid it, and the money 
went to the crook, not to my company in Maine. That is the kind of 
thing that is happening, and that is one of the reasons we have to take 
action today.
  No business is immune. No individual is immune. And, of course, this 
country is not immune.
  The price of inaction is just too high. This is something we must 
attend to. As I mentioned, this bill is not the whole answer, but it is 
a part of the answer.
  Some people say: Well, it is not broad enough. My answer is this: OK, 
I understand that, but let's do what we can do and then take it one 
step at a time.
  Some people say it compromises privacy. I don't believe that it does. 
Extraordinary measures were imported into this bill in order to protect 
the privacy of individuals. This is not about individual data. This is 
about a company voluntarily telling the government and perhaps some 
other companies: Here is what I am seeing as an attack. How can we 
collectively defend ourselves against it?
  That is what this bill is really all about. We have to take action, 
and now is the time.
  I thank the chair and the vice chair of the Intelligence Committee, 
the members of the Homeland Security and Governmental Affairs 
Committee, the members of the Judiciary Committee, and all of those who 
have contributed to the finalization of this important piece of 
legislation.
  There is an attitude out there that we can't get anything done around

[[Page S7395]]

here. I think this gives us an opportunity to prove that idea wrong. We 
can get things done. We should get things done. This is a chance for us 
to protect our people, to provide for the common defense--which is our 
most solemn constitutional responsibility--in a way that also protects 
the interests of the Fourth Amendment and individual privacy rights.
  I hope we can move swiftly, complete the consideration of this bill 
this week, work out our differences with the House, and get this matter 
to the President. We have no place to hide if we don't get this done. 
This is what we are here for.
  Again, I thank my colleagues who worked so hard to bring us to this 
point.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Arizona.
  Mr. McCAIN. Mr. President, before the Senator leaves the floor, I 
wish to thank him on a well-planned, well-thought-out, and very 
convincing presentation, and an argument that, frankly, I can add very 
little to. So I will make my remarks very brief.
  I thank the Senator from Maine for highlighting the absolute 
importance of the passage of this legislation. And, I might add, he is 
one of the most serious and hard-working members of the Senate Armed 
Services Committee as well. I won't go any further.
  Mr. President, I rise in strong support of S. 754. I thank my 
colleagues, Chairman Burr and Vice Chairman Feinstein, for their 
ongoing leadership.
  In the short 2 months since this bill was last on the Senate floor, 
the need for action on information sharing has only increased. It is 
not for a lack of trying. We have continuously failed to make progress 
on this bill. As the Senator from Maine just made clear, that must 
change. Enacting legislation to confront the accumulating dangers of 
cyber threats must be among the highest national security priorities of 
the Congress.
  The need for congressional action, in my view, is also enhanced by 
the administration's inability to develop the policies and framework 
necessary to deter our adversaries in cyberspace.
  Earlier this week we learned just how ineffective the administration 
has been in addressing our cyber challenges. Within days of reaching an 
agreement to curb the stealing of information for economic gain, 
China--China--repeatedly, reportedly, continues its well-coordinated 
efforts to steal designs of our critical weapons systems and to wage 
economic espionage against U.S. companies. It is not a surprise, but it 
serves as yet another sad chapter in this administration's inability to 
address the cyber threats.
  I guess in the last couple of days it has been made known that some 
hacker hacked into the information of both the Director of the CIA and 
the chairman of the homeland security committee. That is interesting. 
As the President's failed China agreement clearly demonstrates, our 
response to cyber attacks has been tepid at best and nonexistent at 
worst. Unless and until the President uses the authority he has to 
defer, deter, defend, and respond to the growing number in severity of 
cyber threats, we will risk not just more of the same but embolden 
adversaries in terrorist organizations that will continuously pursue 
more severe and destructive attacks.
  Addressing our cyber vulnerabilities must be a national security 
priority. Just this week, Admiral Rogers, the head of Cyber Command, 
reiterated, ``It's only a matter of time before someone uses cyber as a 
tool to do damage to critical infrastructure.''
  My colleagues don't have to agree with the Senator from Maine or me 
or anybody else, but shouldn't we listen to Admiral Rogers, the head of 
Cyber Command, probably the most knowledgeable person or one of the 
most knowledgeable who said, ``It is only a matter of time before 
someone uses cyber as a tool to do damage to critical infrastructure.''
  According to the recently retired Chairman of the Joint Chiefs of 
Staff, General Martin Dempsey, our military enjoys ``a significant 
military advantage'' in every domain except for one--cyber space. As 
General Dempsey said, cyber ``is a level playing field. And that makes 
this chairman very uncomfortable.''
  I will tell you, it makes this chairman very uncomfortable as well.
  Efforts are under way to begin addressing some of our strategic 
shortfalls in cyber space, including the training of a 6,200-person 
cyber force. However, these efforts will be meaningless unless we make 
the tough policy decisions to establish meaningful cyber deterrence. 
The President must take steps now to demonstrate to our adversaries 
that the United States takes cyber attacks seriously and is prepared to 
respond.
  This legislation is one piece of that overall deterrence strategy, 
and it is long past time that Congress move forward on information 
sharing legislation. We have been debating similar cyber legislation 
since at least 2012. I am glad this body has come a long way since that 
time in recognizing that government mandates on the private sector, 
which operates the majority of our country's critical infrastructure, 
will do more harm than good in cyber space. The voluntary framework in 
this legislation properly defines the role of the private sector and 
the role of the government in sharing threat information, defending 
networks, and deterring cyber attacks.
  At the same time, it is unfortunate that it has taken over 3 years to 
advance this commonsense legislation. The threats we face in cyber 
space are real and imminent, as well as quickly evolving. All aspects 
of the Federal Government, including this body, must commit to more 
quickly identifying, enacting, and executing solutions to counter cyber 
threats. If we do not, we will lose in cyber space.
  As chairman of the Armed Services Committee, I consider cyber 
security one of the committee's top priorities. That is why the 
National Defense Authorization Act provides a number of critical 
authorities to ensure that the Department of Defense can develop the 
capabilities it needs to deter aggression, defend our national security 
interests, and when called upon, defeat our adversaries in cyber space. 
I find it unacceptable that the President has signaled his intent to 
veto this legislation that, among other key Department of Defense 
priorities, authorizes military cyber operations and dramatically 
reforms the broken acquisition system that has inhibited the 
development and delivery of key cyber capabilities.
  More specifically, the National Defense Authorization Act extends 
liability protections to Department of Defense contractors who report 
on cyber incidents or penetrations, and it authorizes the Secretary of 
Defense to develop, prepare, coordinate and, when authorized by the 
President, conduct a military cyber operation in response to malicious 
cyber activity carried out against the United States or a U.S. person 
by a foreign power. The NDAA authorizes $200 million for the Secretary 
of Defense to assess the cyber vulnerabilities of every major DOD 
weapons system. Finally, Congress required the President to submit an 
integrated policy to deter adversaries in cyber space in the fiscal 
year 2014 National Defense Authorization Act. I tell my colleagues that 
we are still waiting on that policy. This year's NDAA includes funding 
restrictions that will remain in place until it is delivered.
  As we dither, our Nation grows more vulnerable, our privacy and 
security are at greater risk, and our adversaries are further 
emboldened. The stakes are high, and it is essential that we pass the 
Cybersecurity Information Sharing Act without further delay.
  Let me also mention in closing that probably the most disturbing 
comment I have heard in a long time on this issue in this challenge is 
when Admiral Rogers said that our biggest challenge is we don't know 
what we don't know. We don't know what the penetrations have been, what 
the attacks have been, whether they have succeeded or not, where they 
are in this whole realm of cyber and information at all levels. When 
the person we placed in charge of cyber security says we don't know 
what we don't know, my friends, that is a very serious situation.
  I want to congratulate again both the managers of the bill in their 
coordination and their cooperation in this bipartisan effort.
  I yield the floor.
  Mr. KING. Will the Senator yield for a question?
  Mr. McCAIN. I will be pleased to yield.

[[Page S7396]]

  

  Mr. KING. I ask the Senator, would you agree that this bill 
represents an important part of our cyber defense but that in order to 
deter attacks in the long term, we must have a cyber policy that goes 
beyond simple defensive measures?
  Mr. McCAIN. I would certainly agree, I would say to my friend from 
Maine, because if the adversaries that want to commit cyber attacks 
against the United States of America and our allies believe that there 
is no price to pay for those attacks, then where is the demotivating 
factor in all of this which would, if they failed, then keep them from 
doing what they are doing? It seems to me that this is an act of war, 
and I don't use that term lightly but I am trying to use it carefully. 
If you damage intentionally another nation's military or its economy or 
its ability to function as a government--I would ask my friend from 
Maine--wouldn't that fit into at least a narrow interpretation of an 
act of war? If so, then should we only have defenses? Have we ever been 
in a conflict where we only have defenses and not the capability to go 
out and deter further aggression?
  Mr. KING. I would suggest to the Senator that if you are in a fight 
and all you can do is defend and never punch, you are going to 
eventually lose that fight. I think this is an important area. The 
theory of deterrence, as distasteful as it might have been, the 
mutually assured destruction during the nuclear era did in fact prevent 
the use of nuclear arms for some 70 years. I think we need to be 
thinking about a deterrence that goes beyond simply defensive measures. 
I commend the chairman for raising this issue and appreciate your 
thoughtful consideration.
  Mr. President, I yield the floor.
  Mr. LEAHY. Mr. President, it seems as though every week, the American 
people learn of yet another data breach in which Americans' sensitive, 
private information has been stolen by cyber criminals or foreign 
governments. This is a critical national security problem that deserves 
action by Congress. But our actions must be thoughtful and responsible, 
and we must recognize that strengthening our Nation's cyber security is 
a complex endeavor with no single solution.
  According to security researchers and technologists, the most 
effective action Congress can take to improve our cyber security is to 
require better and more comprehensive data security practices. That is 
why earlier this year, I introduced the Consumer Privacy Protection 
Act. That bill requires companies to utilize strong data security 
measures to protect our personal information and to help prevent 
breaches in the first place. Companies that benefit financially from 
gathering and analyzing our personal information should be obligated to 
take meaningful steps to keep it safe.
  But rather than taking a comprehensive approach that addresses the 
multiple facets of cyber security, the Republican majority appears to 
be focused entirely on passing the Senate Intelligence Committee's 
cyber security information sharing bill. While legislation to promote 
the sharing of cyber threat information could, if done right, be useful 
in improving our cyber security, it is a serious mistake to believe 
that information sharing alone is the solution. Information sharing 
alone would not, for example, have prevented the breach at the Office 
of Personnel Management, nor would it have prevented other major 
breaches, such as those at Target, Home Depot, Anthem, or Sony.
  Instead of ensuring that companies better safeguard Americans' data, 
this bill goes in the opposite direction, giving large corporations 
more liability protection and even more leeway on how to use and share 
our personal information with the government--without adequate privacy 
protections.
  Also troubling is the fact that the Republican majority has been 
intent on jamming this bill through the Senate without any regard for 
regular process or opportunity for meaningful public debate. Only last 
year, the Republican leader declared his commitment to ``a more robust 
committee process'' and plainly stated that ``bills should go through 
committee.'' But the bill was drafted behind closed doors by the Senate 
Intelligence Committee, and it has not been the subject of any open 
hearings or any meaningful public debate. The text of the bill was only 
made public after it was reported to the Senate floor, and no other 
committee of jurisdiction--including the Judiciary Committee--was 
allowed to consider and improve the bill.
  The Judiciary Committee was prevented from considering this bill even 
though it contains numerous provisions that affect matters squarely 
within our jurisdiction. First and foremost, the bill creates a 
framework of information sharing that could severely undermine 
Americans' privacy. The bill also overrides all existing law to provide 
broad liability protections for any company that shares information 
with the government. It also overrides important privacy laws such as 
the Electronic Communications Privacy Act, ECPA, and the Foreign 
Intelligence Surveillance Act, FISA, over which the Judiciary Committee 
has long exercised jurisdiction. CISA even amends the Freedom of 
Information Act, FOIA, and creates new exemptions from disclosure.
  This is just the latest attempt by the majority leader to bypass the 
Judiciary Committee and jam a bill through the Senate that contains 
provisions within the jurisdiction of the committee. The bill reported 
by the Senate Intelligence Committee includes a broad and unnecessary 
FOIA exemption. FOIA falls under the exclusive jurisdiction of the 
Senate Judiciary Committee and changes affecting this law should not be 
enacted without full and careful consideration by the Judiciary 
Committee. This important transparency law certainly should not be 
amended in closed session by the Senate Intelligence Committee.
  Shortly after the text of the bill was released, I shared with 
Chairman Grassley my concern that the Judiciary Committee should also 
consider this bill. He assured me that there would be a ``robust and 
open amendment process'' if this bill were considered on the Senate 
floor. But only a few weeks later, the Republican leadership--with 
Chairman Grassley's support--attempted to jam the Intelligence 
Committee's bill through the Senate as an amendment to the National 
Defense Authorization Act, NDAA, without any opportunity for meaningful 
debate. Republicans and Democrats joined together to reject the 
majority leader's effort to force the cyber security bill onto the 
NDAA. Despite this rebuke from both sides of the aisle, just a few 
weeks later, the majority leader again attempted to jam the bill 
through the Senate in the final days before August recess, without any 
serious opportunity to debate and offer amendments.
  The majority leader's actions have been part of a consistent 
disregard for regular order. He has talked about providing an 
opportunity for fair debate, but at the same time, he has used all 
procedural mechanisms to stifle process on this bill. Yesterday 
afternoon, the Senate moved to consideration of this bill--but then not 
even 2 hours later, the majority leader moved to end debate. That 
speaks volumes about whether the majority leader is really interested 
in a full and open debate, and it is not how the U.S. Senate should 
operate--particularly when it comes to a bill with such sweeping 
ramifications for Americans' privacy.
  Senator Feinstein, the ranking member of the Intelligence Committee, 
has consistently said that the Senate ``should have an opportunity to 
fully consider the bill and to receive the input of other committees 
with jurisdiction in this area.'' She has worked hard to improve the 
underlying bill with a managers' amendment that addresses a number of 
my concerns, particularly in regard to FOIA, limiting the sharing of 
information for cyber security purposes only, and ensuring that the 
bill would not allow the government to use information to investigate 
crimes completely unrelated to cyber security. I appreciate these 
improvements, and Senator Feinstein's efforts to include them in the 
bill. But again, this bill still has some serious problems and requires 
a full, public debate. The bill still includes, for example, a FOIA 
exemption that I believe is overly broad and unnecessary.
  In July, the Department of Homeland Security wrote a letter to 
Senator Franken stating that in their view the bill raises significant 
operational concerns and certain provisions threaten to severely 
undermine Americans' privacy. Last week, the Computer & Communications 
Industry Association--an

[[Page S7397]]

organization that includes Google, Facebook, and Yahoo!--voiced serious 
concerns that the bill fails to protect users' privacy and could 
``cause collateral harm'' to ``innocent third parties.'' And this week, 
major tech companies such as Apple, Dropbox, Twitter, and Yelp have 
vocally opposed the bill citing concerns for their users' privacy.
  The latest version of the bill contains a number of improvements that 
I and other Senators have been fighting for, and I am glad to see that 
we are making progress. But we still have work to do on this bill, and 
the Senate must have an open and honest debate about the Senate 
Intelligence Committee's bill and its implications for Americans' 
privacy. I agree that we must do more to protect our cyber security, 
but we must be responsible in our actions. Legislation of this 
importance should not be hastily pushed through the Senate, without a 
full and fair opportunity for Senators to consider the ramifications of 
this bill. Unfortunately, by moving so quickly to end debate, it 
appears that the majority leader is trying to do just that.
  Ms. MIKULSKI. Mr. President, I wish to support the Cybersecurity 
Information Sharing Act of 2015.
  Cyber security is the most pressing economic and national security 
threat facing our country today. As a member of the Senate Select 
Committee on Intelligence, I am keenly aware of the damage cyber 
attacks cause on our Nation. As vice chairwoman of the Senate 
Appropriations Committee, I believe we must have a clear and 
comprehensive approach to funding cyber security.
  In boardrooms and around kitchen tables, concern over cyber security 
is heightening. It is gaining new traction following the cyber attack 
on the Office of Personnel Management, which compromised the personal 
information of more than 22 million Federal employees, contractors, and 
their families.
  The American people expect serious action by Congress. This can and 
must be done, while respecting privacy and avoiding data misuse by the 
government or businesses. Congress must act with a sense of urgency to 
pass the Cybersecurity Information Sharing Act. If we wait for another 
major cyber attack, we risk overreacting, overregulating, overspending, 
and overlegislating. The time to act is now.
  Our Nation is under attack. Every day, cyber attacks are happening. 
Cyber terrorists are working to damage critical infrastructure by 
taking over the power grid or disrupting air traffic control. Cyber 
spies are moving at breakneck speeds to steal state secrets, 
intellectual property, and personal information. Cyber criminals are 
hacking our networks, stealing financial information, and disrupting 
business operations. These cyber attacks can disrupt critical 
infrastructure, wipe out a family's entire life savings, take down 
entire companies, and put human lives at risk. In the past year alone, 
we've seen cyber attacks against Sony, Home Depot, UPS, JP Morgan 
Chase, Experian, T-Mobile, Scottrade, and the list goes on. The 
economic losses of cyber crime are stunning. In 2014, the Center for 
Strategic and International Studies and McAfee estimated the annual 
cost from cyber crime to be over $400 billion.
  I have been working on cyber issues since I was elected to the 
Senate. Our cyber warriors at the National Security Agency are in 
Maryland, and I have been working with the NSA to ensure signals 
intelligence was a national security focus even before cyber was a 
method of warfare.
  In my role on the Intelligence Committee, I served on the Cyber 
Working Group, which developed findings to guide Congress on getting 
cyber governance right, protecting civil liberties, and improving the 
cyber workforce.
  As vice chairwoman of the Appropriations Committee and the Commerce, 
Justice, and Science Subcommittee, I put funds in the Federal checkbook 
for critical cyber security agencies. These include the Federal Bureau 
of Investigation, which investigates cyber crime; the National 
Institute of Standards and Technology, which works with the private 
sector to develop standards for cyber security technology; and the 
National Science Foundation, which researches ways to secure our 
Nation. As a member of the Appropriations Subcommittee on Defense, I 
fight for critical funding for the intelligence and cyber agencies, 
including the National Security Agency, Central Intelligence Agency, 
and Intelligence Advanced Research Projects Activity, who are coming up 
with the new ideas to create jobs and keep our country safe. These 
funds are critical to building the workforce and providing the 
technology and resources to make our cyber security smarter, safer, and 
more secure.
  This bill does three things from a national security perspective. 
First, it allows businesses and government to voluntarily share 
information about cyber threats. Second, it requires the Director of 
National Intelligence to share more cyber threat information with the 
private sector, both classified and unclassified. Third, it establishes 
a Department of Homeland Security ``portal'' for cyber info-sharing 
with the government to help dot-gov and dot-com in a constitutional 
manner. These three provisions are an innovation. Despite all the 
amazing talent companies have, many are being attacked and don't even 
realize it. This legislation allows unprecedented dot-com and dot-gov 
cooperation. There are also key provisions on privacy protections and 
liability protection for companies that monitor their own networks or 
share information.
  Why do we need a bill to make these vital partnerships happen? 
America is under attack every second of every day. The threat is here, 
and it is now. If we do not act or if we let the perfect be the enemy 
of the good, this country will be more vulnerable than ever before, and 
Congress will have done nothing.
  This bill is not perfect. The Department of Homeland Security's role 
has been criticized by many, including myself. I have been skeptical 
about their ability to perform some duties assigned in this bill. I am 
still skeptical, although less so than before. But this bill takes 
important steps to diversify government and private sector actors, so 
we are not just focusing on DHS, but also keeping civilian agencies in 
charge. We cannot have intelligence agencies leading this effort with 
the private sector. Some would like to see that go further, but that is 
what the amendment process is for.
  People in the civil liberties community worry that this bill could 
allow government intrusions into people's privacy. This was of 
tantamount concern for me. If we don't protect civil liberties, the 
added security is for naught because we lose what we value most: our 
freedom. The authors of this bill, especially Senator Feinstein, have 
made key improvements on issues of law enforcement powers and 
protecting core privacy concerns. While not everyone is entirely 
pleased, this bill has made important strides to balance information 
sharing and privacy.
  The business community is concerned because it fears strangulation 
and overregulation. They worry that they will open themselves up to 
lawsuits if they participate in the program with the government. I have 
heard from Maryland businesses and these are valid concerns. 
Importantly, this bill has made strides in accommodating business and 
builds a voluntary framework to allow businesses to choose that 
protection. Protection does not come without responsibility for 
participants, but this bill links the need for cyber security, 
appropriate liability protection, and the expertise of our business 
community in a way that answers a lot of companies' concerns. We cannot 
eliminate all government involvement in this issue because it simply 
won't work, and we will lose key government expertise in the Department 
of Defense, Federal Bureau of Investigation, and elsewhere. However, we 
can work to try to minimize it while maintaining the government's role 
in protecting national security.
  I am so proud that the Senate came together in a bipartisan way to 
draft and pass this legislation. The Senate must pass this legislation 
now. Working together, we can make our Nation safer and stronger and 
show the American people we can cooperate to get an important job done.


                           Amendment No. 2557

  Mr. President, today I wish to speak about my amendment to the cyber 
security bill. This amendment would provide an additional $37 million 
for the Office of Personnel Management, OPM,

[[Page S7398]]

to accelerate completion of its information technology, IT, 
modernization and thwart future cyber attacks.
  This additional funding would allow OPM to make needed upgrades to 
cyber security and network systems 1 year ahead of schedule. This means 
OPM will not have to wait another year to protect sensitive personnel 
data by implementing hardware and software upgrades recommended by 
security experts.
  The $37 million is designated as an emergency under the Budget 
Control Act of 2011.
  For over a year, the Office of Personnel Management's systems were 
compromised. This hack exposed the financial and personal information 
of 22 million Federal employees and their families, contractors, job 
candidates and retirees. This is unacceptable.
  OPM's retirement services and background investigation databases 
contain the most sensitive data OPM holds, including Social Security 
numbers, health information and fingerprints.
  I have heard from employees across the government. Data breaches 
undermine morale and complicate their ability to serve the American 
people.
  OPM has moved to provide protections, but that is not enough. 
Securing these systems must be done now. We can't wait for the next 
budget cycle.
  I urge support for my amendment. This is a crisis, so we ought to 
treat it like one. Twenty-two million Americans who entrusted their 
data and fingerprints to the government deserve the highest standard of 
protection.
  There is a reason OPM was exploited. Federal cyber security has been 
weak. The Appropriations Committee has consistently given agencies the 
resources they asked for to protect their dot-gov systems. But under 
sequester-level budgeting it hasn't been enough. Constrained agencies 
don't ask for what is truly needed to do the cyber security job.
  Tight budgets mean immediate problems get requested and funded before 
other much needed IT protection and maintenance. We aren't even doing 
the simple things.
  After the OPM breach, the Office of Management and Budget, OMB, 
conducted a cyber sprint. OMB asked agencies to take four minimal 
steps: No. 1, deploy Department of Homeland Security malicious activity 
detectors; No. 2, patch critical vulnerabilities; No. 3, tighten 
privileged user policies; and No. 4, accelerate deployment of 
multifactor authentication.
  While there was improvement, only 14 of the 24 agencies met the 
fourth goal. Some of it is a lack of will, but some is a lack of 
resources.
  OPM knows it needs to harden its information technology.
  That is why I am offering this amendment, providing $37 million in 
emergency spending to harden OPM systems now--not a year from now. 
These funds meet the criteria for being designated as emergency 
spending as set out in the Budget Control Act of 2011. OPM's needs are 
urgent, temporary, and, regrettably, unforeseen.
  What does it mean to designate funds as emergency spending? It means 
no offsets, so we don't pay for this amendment by drawing from existing 
funding used to defend the Nation or help America's families.
  The need is urgent--our adversaries are still trying to attack us. 
The need is temporary--these are one-time costs to accelerate IT 
reform. And the need is unforeseen, which is sadly the reason they were 
not requested in the President's fiscal year 2016 budget in February.
  Some say this funding is premature, and OPM is not ready to deploy it 
effectively. However, those reports were written before Beth Cobert 
became OPM Acting Director. She is turning OPM around, but she needs 
the resources to secure OPM's IT systems, and cyber security is a 
critical issue.
  Government can't be reckless with the sensitive data it has. We must 
do better with dot-gov and get our own house in order. We know what OPM 
needs to do--they have the will, they have a business plan, and now 
they need the wallet.
  Vote for my amendment No. 2557 to get OPM the resources it needs.
  The PRESIDING OFFICER. The Senator from Wisconsin.

[...]

                           Amendment No. 2582

  Mr. FLAKE. Mr. President, I rise to speak in support of the Flake 
amendment No. 2582 that is currently pending before the body. This 
amendment is very simple. It simply adds a 6-year sunset to the bill. 
This amendment also keeps in place the liability protections 
established by the Cyber Security and Information Sharing Act for 
information that is shared pursuant to the requirements of the bill. 
Furthermore, the amendment ensures that the requirements on how the 
information shared under the act is to be handled remain in effect 
after the sunset date.
  That is all this amendment does. It simply sunsets the bill in 6 
years, and it does so in a reasonable and responsible way. I believe in 
the sunset provision. It is good for us to consider our past decisions 
6 years from now, to determine whether what we enacted is operating 
well, and to debate the overall success of the legislation that we 
passed 6 years prior. We ought to do that, frankly, on a lot of other 
legislation we pass.
  I do believe the bill we are currently considering, as it is written, 
strikes the right balance. It puts in place the proper privacy 
protections, and I plan to support the legislation. However, it is 
important to make sure that we are forced to go back and evaluate it in 
the years to come to make sure we actually got it right. Given the 
nature of the bill being debated before us, it is all the more 
important to do so in this instance.

  I would also note that this 6-year sunset is similar to sunset 
provisions that were included in both House-passed cyber security 
bills. So if it is in the House, we ought to have it in the Senate as 
well.
  Both the Protecting Cyber Networks Act, which passed the House by a 
vote 
of 307 to 116, and the National Cybersecurity Protection Advancement 
Act, which passed the House by a vote of 355 to 63, include a 7-year 
sunset.
  I ask my colleagues to support this amendment. I think it does 
strengthen the bill. It ensures that we evaluate, as we should, any 
legislation that we pass to ensure that it is having its intended 
effect.
  I yield back the remainder of my time.
  I suggest the absence of a quorum.
  The PRESIDING OFFICER (Mr. Lee). The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.
  The PRESIDING OFFICER. The Senator from Louisiana.
  Mr. VITTER. I ask unanimous consent that the order for the quorum 
call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

[...]