[Congressional Record Volume 161, Number 155 (Thursday, October 22, 2015)]
[Senate]
[Pages S7430-S7439]




             CYBERSECURITY INFORMATION SHARING ACT OF 2015

  The PRESIDING OFFICER. Under the previous order, the Senate will 
resume consideration of S. 754, which the clerk will report.
  The senior assistant legislative clerk read as follows:

       A bill (S. 754) to improve cybersecurity in the United 
     States through enhanced sharing of information about 
     cybersecurity threats, and for other purposes.

  Pending:

       Burr/Feinstein amendment No. 2716, in the nature of a 
     substitute.
       Burr (for Cotton) modified amendment No. 2581 (to amendment 
     No. 2716), to exempt from the capability and process within 
     the Department of Homeland Security communication between a 
     private entity and the Federal Bureau of Investigation or the 
     United States Secret Service regarding cybersecurity threats.
       Feinstein (for Coons) modified amendment No. 2552 (to 
     amendment No. 2716), to modify section 5 to require DHS to 
     review all cyber threat indicators and countermeasures in 
     order to remove certain personal information.
       Burr (for Flake/Franken) amendment No. 2582 (to amendment 
     No. 2716), to terminate the provisions of the Act after six 
     years.
       Feinstein (for Franken) further modified amendment No. 2612 
     (to amendment No. 2716), to improve the definitions of 
     cybersecurity threat and cyber threat indicator.
       Burr (for Heller) modified amendment No. 2548 (to amendment 
     No. 2716), to protect information that is reasonably believed 
     to be personal information or information that identifies a 
     specific person.
       Feinstein (for Leahy) modified amendment No. 2587 (to 
     amendment No. 2716), to strike the FOIA exemption.
       Burr (for Paul) modified amendment No. 2564 (to amendment 
     No. 2716), to prohibit liability immunity to applying to 
     private entities that break user or privacy agreements with 
     customers.
       Feinstein (for Mikulski/Cardin) amendment No. 2557 (to 
     amendment No. 2716), to provide amounts necessary for 
     accelerated cybersecurity in response to data breaches.
       Feinstein (for Whitehouse/Graham) modified amendment No. 
     2626 (to amendment No. 2716), to amend title 18, United 
     States Code, to protect Americans from cybercrime.
       Feinstein (for Wyden) modified amendment No. 2621 (to 
     amendment No. 2716), to improve the requirements relating to 
     removal of personal information from cyber threat indicators 
     before sharing.

  The PRESIDING OFFICER. Under the previous order, the time until 11 
a.m. will be equally divided between the two leaders or their 
designees.
  The Senator from Nevada.


                    Amendment No. 2548, as Modified

  Mr. HELLER. Mr. President, after my years of growing up in Nevada, I 
appreciate the values that make Nevadans distinct, fiercely 
independent, and very diverse--in fact, as diverse as the terrain is in 
Nevada. But what never ceases to amaze me about Nevadans is our passion 
for protecting America's privacy from the intrusion of the Federal 
Government. It is a value that is shared across the entire State and 
one that I have sworn to uphold. But many Americans have lost faith 
that their government will uphold their civil liberties.
  It is Congress's responsibility to ensure that every piece of 
legislation passed by this body protects the privacy and liberties of 
all Americans, and I will not accept attempts to diminish these 
nonnegotiable rights. That is why I am on the floor today to continue 
protecting Americans' and Nevadans' privacy by pushing for my amendment 
on the Cybersecurity Information Sharing Act.
  To begin with, I wish to commend my colleagues, both Chairman Burr 
and Ranking Member Feinstein, for recognizing the need to address the 
serious issue of cyber security. As ranking member of the commerce 
committee's consumer protection subcommittee in the last Congress, I 
delved into these issues and understand the impact of data breaches and 
cyber threats. It is an economic concern as well as a national security 
concern for our country.
  I share the desire to find a path forward on information sharing 
between the Federal Government and the private sector as another tool 
in the cyber security toolbox, but these efforts cannot come at the 
expense of personal privacy. The bill, including the substitute 
amendment that I see today, does not do enough to ensure that personal, 
identifiable information is stripped out before being shared, and that 
is why I have offered this simple fix.
  Let's strengthen the standard for stripping out this information. 
Right now, this legislation says that the Federal Government only has 
to strip out personal information if they know it is not directly 
related to cyber threat--that word being ``know.'' My amendment No. 
2548, as modified, will ensure that when personal information is being 
stripped out, it is because the entity reasonably believes it is not 
related to cyber threat. That is the change--from knowing to reasonably 
believing. This distinction creates a wider protection for personal 
information by ensuring that these entities are making an effort to 
take out personal information that is not necessary.
  Frankly, I am proud of the support I have from Senators Leahy and 
Wyden, both great advocates in the Senate for privacy. However, I am 
disappointed that my amendment was not included in the substitute 
amendment that we see today.
  The supporters of this bill talk about how this legislation upholds 
privacy but couldn't accept a reasonable amendment that complements 
those privacy provisions.
  Our friends over in the House of Representatives already agree that 
the private sector should be held to this standard, which is why they 
included this language in the cyber security bill they passed. I guess 
the question is, If this is good enough for the private sector, 
shouldn't it be good enough for the government sector?
  Furthermore, DHS has publicly acknowledged the importance of removing 
personal, identifiable information because it will allow an information 
sharing regime to function more efficiently.
  What this has come down to is our Nation's commitment to balancing 
the needs for sharing cyber security information with the needs to 
protect Americans' personal information. Like many in the tech 
community have already stated, security should not come at the expense 
of privacy. In fact, that was said a couple hundred years ago by 
Benjamin Franklin. Security should not come at the expense of privacy. 
I believe my amendment No. 2548 to hold the Federal Government 
accountable strikes that balance, and I hope this simple fix can be 
incorporated into the legislation.
  I encourage my colleagues to support this commonsense effort to 
strengthen this bill and keep our commitment to upholding the rights of 
all U.S. citizens.
  I appreciate Senators Burr and Feinstein's willingness to work with 
me on this amendment and look forward to continuing this debate.
  I thank the Presiding Officer, and I yield the floor.
  The PRESIDING OFFICER. The Senator from North Carolina.

[[Page S7431]]

  

  Mr. BURR. Mr. President, I thank my colleague from Nevada and say to 
him generally that we tried to put everything in the managers' 
amendment that we could, and the threshold was that we had to have 
total agreement. I know my colleague understands that it is difficult, 
but we have done everything we can to protect the rights of every 
individual Member to bring an amendment to the floor, to debate the 
amendment, and to have an up-or-down vote--even for the ones that were 
not germane. It is unfortunate that one amendment on both sides will be 
kicked out because they have to happen before the cloture vote, and 
that was not allowed to take place.


                Measure Placed on the Calendar--S. 2193

  Mr. President, I understand that there is a bill at the desk that is 
due for its second reading.
  The PRESIDING OFFICER. The clerk will report the bill by title for 
the second time.
  The senior assistant legislative clerk read as follows:

       A bill (S. 2193) to amend the Immigration and Nationality 
     Act to increase penalties for individuals who illegally 
     reenter the United States after being removed and for other 
     purposes.

  Mr. BURR. Mr. President, in order to place the bill on the calendar 
under the provisions of rule XIV, I object to further proceedings.
  The PRESIDING OFFICER. Objection is heard.
  The bill will be placed on the calendar.
  Mr. BURR. Mr. President, in just shy of 25 minutes, the Senate will 
have a procedural vote on the Cybersecurity Information Sharing Act of 
2015. The committee worked diligently for most of this year in a 
bipartisan way to achieve a balance of great policy and reported that 
bill out on a 14-to-1 vote.
  I say to my colleagues: We have reached a very delicate balance. 
There have been bending and twisting and giving and taking, and we have 
done it not only within the Senate of the United States and within the 
committee, we have done it with stakeholders all around the country.
  I will remind my colleagues that this bill we are attempting to get 
through the Senate is a voluntary information sharing bill, and the 
mere fact that it is voluntary means we have to have in place certain 
incentives that provide a reason for companies to participate.
  I commend Chairman Johnson and Ranking Member Carper. Their committee 
and staff have worked with us side by side to try to incorporate their 
thoughts and the thoughts of all the agencies and also worked with 
stakeholders around the country.
  I am pleased to tell my colleagues today that we received this 
morning a notice from the U.S. Chamber of Commerce, and it says: ``The 
Chamber urges the United States Senate to pass CISA expeditiously. 
There is overwhelming support.''
  When the vice chair and I ventured into this, we also made a 
commitment to lock arms because we thought we found the right balance. 
Although it may be enticing for Members to support amendments that 
might come up, there is a reason we didn't incorporate them in the 
managers' amendment. It may have been due to the differences the vice 
chair and I had or maybe it was because it would have killed the 
support we had with the stakeholders around the country. We will have 
one of those amendments today, and it is going to be inviting for 
people to do it, but let me say to my colleagues, if you do it, 
information sharing is over with, and the effort is dead. It has been 
tried for 3 years, yet we continue to see attacks happen, and massive 
amounts of personal data go out of the system to be used for criminal 
or espionage reasons.
  This is really our last chance. The vice chairman and I have reached 
what we think is the absolute balance that provides the buy-in of those 
who will be asked to voluntarily turn over this data and to help 
minimize the loss of data in our entire economy.
  I urge my colleagues to support the cloture motion that will happen 
at 11 a.m. We will have a short debate, and then we will take up an 
amendment, and the vice chair and I at that time will ask our 
colleagues not to support that amendment.
  Mr. President, I ask unanimous consent to waive the mandatory quorum 
calls with respect to the cloture motions on amendment No. 2716 and S. 
754.
  The PRESIDING OFFICER. Is there objection?
  Without objection, it is so ordered.
  Mr. BURR. I yield the floor.
  The PRESIDING OFFICER. The Senator from California.
  Mrs. FEINSTEIN. Mr. President, I ask unanimous consent that the 
following Senators on the Democratic side be permitted to speak for 5 
minutes each on our time: Feinstein 5 minutes, Wyden 5 minutes, and 
Carper 5 minutes.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mrs. FEINSTEIN. Mr. President, after many years of effort, the Senate 
is about to take its first vote to move forward on important cyber 
security legislation. As I stated in my remarks yesterday, this 
substitute makes 20 changes to the underlying bill. It includes 14 
amendments offered by other Senators to improve privacy protections and 
ensure better cyber security for emergency services, the health care 
industry, and the Federal Government. As the chairman just said, we 
have been listening and we have tried to incorporate a substantial 
number of amendments in the managers' package.
  This is a good bill. It is a first step. It is not going to prevent 
all cyber attacks or penetrations, but it will allow companies and the 
government to share information about the cyber threats they see and 
the defensive measures to implement in order to protect their networks.
  Right now--and this is important--the same cyber intrusions are used 
again and again to penetrate different targets. That shouldn't happen. 
If someone sees a particular virus or harmful signature, they should be 
able to tell others so they can protect themselves. That is what this 
bill does--it clears away the uncertainty and concern that keep 
companies from sharing this information. It says that two competitors 
in a market can share information on cyber threats with each other 
without facing antitrust lawsuits. It says that companies sharing cyber 
threat information with the government for cyber security purposes have 
liability protection.
  The bill is completely voluntary. I don't know how to say that over 
and over more times than I have. If you don't want to participate, 
don't. If a company wants to take the position that it can defend 
itself and doesn't want to participate in real-time sharing with the 
Department of Homeland Security, that is its right.
  I thank my colleagues who came to the floor in support of this bill 
and this managers' amendment yesterday: Senators McConnell, Reid, 
Grassley, Nelson, McCain, King, Thune, Flake, Senator Carper in 
particular, Senator Blunt, and others. They have all described the need 
for this bill, and I so appreciate their support.
  I urge my colleagues to support cloture on this substitute managers' 
package so that we can start moving on to other amendments that are 
pending.
  I also thank Senator Burr and his staff. Over the past couple of 
days, they have been going through comments, proposing technical 
changes, and perfecting changes to the substitute. It is my 
understanding that Chairman Burr will ask a unanimous consent agreement 
on that perfecting amendment shortly.
  I also thank Senator Collins for agreeing to changes in her 
provision, section 407, to start to address concerns that were raised 
by its inclusion.
  I also want to thank Senators Whitehouse, Leahy, and Wyden for 
reaching an agreement on text that Senator Whitehouse very much wanted 
to include, and I am pleased we were able to include it in this 
unanimous consent package.
  So I appreciate the support of my colleagues. I urge a strong ``yes'' 
vote on the cloture vote to allow us to proceed to this bill.
  The PRESIDING OFFICER. The Senator from Oregon.
  Mr. WYDEN. Mr. President, I rise to speak against cloture on the 
substitute. This substitute would not have stopped the Target hack, the 
Anthem hack, the Home Depot hack, or the OPM hack. When it comes to 
real privacy protection for millions of Americans with this substitute, 
there is simply no ``there'' there.
  We see that by looking at page 17 of the substitute. Companies have 
to remove only personal, unrelated information if they know that it is 
personal

[[Page S7432]]

and unrelated. How would they know under this amendment? Under this 
amendment, they are required to virtually do no looking. It is the most 
cursory review. That is why the Nation's leading technology companies 
have come out overwhelmingly against this legislation. They are not 
satisfied by this substitute.
  The sponsors of the bill have been pretty vociferous about attacking 
these companies for coming out against the legislation. These companies 
know a lot about the importance of protecting both cyber security and 
individual privacy. These tech companies that are being attacked now 
have to manage that challenge every single day. The challenge gets 
harder all the time with things such as the EU ruling that I opposed. 
These companies know that customer confidence is their lifeblood, and 
the only way to ensure customer confidence is to convince people that 
if they use their product, their information is going to be protected 
both from malicious hackers and from unnecessary collection by the 
government.
  The fact is, we have a serious problem with hacking and cyber 
security threats. The fact is, information sharing can be good, but a 
cyber security information sharing bill without real and robust privacy 
protections that this amendment lacks--I would submit millions of 
Americans are going to look at that, and they are going to say this 
isn't a cyber security bill, this is yet another surveillance bill.
  With this amendment, colleagues, the Senate is again missing another 
opportunity to do this right and promote both security and liberty. 
Just because a proposal has the words ``cyber security'' in its title 
doesn't make it good. But that is, of course, why the leading 
technology companies in this country--companies that make a living 
every single day by being sensitive to cyber threats and privacy--have 
come out overwhelmingly against this bill.
  I know my colleagues have tried to improve this issue, and I 
appreciate that. But the core privacy protections that America deserves 
in a bill like this are still lacking, and that is why I oppose 
cloture.
  The PRESIDING OFFICER. The Senator from Delaware.
  Mr. CARPER. Mr. President, I wish to respond very briefly to what our 
colleague from Oregon has said.
  Senator Feinstein shared with me a copy of the actual text of the 
managers' amendment. I would maybe make two points. One, if a private 
company elects to share information--they don't have to, but if they 
elect to share information, as Senator Feinstein has said, it is their 
call. But if they do, there is a requirement under the law that they 
scrub it. The reporting entity which is submitting the indicator--in 
this case to DHS, the Federal entity--has to scrub it. They have the 
responsibility, whoever is initiating this, to scrub and remove that 
personally identifiable information. If for some reason they don't, the 
way the legislation comes before us today, in order for a company that 
chooses to submit threat indicators to the Federal Government, in order 
to get help on the liability protection they are looking for, they have 
to submit it through the Department of Homeland Security, through the 
portal of the Department of Homeland Security, which is literally set 
up to do privacy scrubs. It is literally set up to do privacy scrubs, 
and then to share information it wants with other relevant Federal 
agencies. Very, very infrequently--very infrequently--will there be 
some reason to--the threat indicators coming through the portal at DHS, 
maybe less than 1 percent of the time, there might be a need to take a 
closer look at that information and make sure there is nothing that is 
personally identifiable or problematic. I think with the compromise 
that has been worked out, the issue that our colleague has raised has 
been addressed.
  Let me just go back in time. Why is this important? We know the 
situation is grim. When the Secretary of Defense has his emails hacked 
by an entity, and we know not who, when we have 22 million personal 
records and background checks hacked by maybe the Chinese or maybe 
somebody else, that is not good. When companies such as DuPont in my 
own State and universities all over the country are having their R&D 
information--their intellectual seed corn upon which our economy is 
going to grow--stolen, and presumably stolen for bad reasons, so that 
they can beat us to the punch in terms of economic opportunity, that is 
not good.
  What are we going to do about it? It turns out we did quite a bit 
about it in the last Congress. Two Congresses ago, Senator Feinstein 
proposed comprehensive cyber security legislation, the whole kit and 
caboodle. We tried very hard, as she knows, for a year or two to get 
that enacted. We couldn't get it done. Finally, we gave up at the end 
of I think the 112th Congress. We gave it up, and we started again in 
2013.
  Tom Coburn was the ranking member on Homeland Security. I was 
privileged to be chairman. He and I partnered with people on our 
committee and, frankly, with a lot of folks outside of the committee, 
to do three things: To strengthen the capability of the Department of 
Homeland Security to do its job, a much better job of protecting not 
just the Federal Government but the country as a whole against cyber 
attacks. We passed three pieces of legislation. They are helpful; they 
are not the whole package, but they are three very helpful bills to 
make DHS a better, more effective partner.
  This year, the Intel Committee, under the leadership of Senator Burr 
and Senator Feinstein, came forward with their proposal. The 
administration, the President, came forward with an information sharing 
proposal as well. We took it up in a hearing in the committee on 
homeland security, looking at the President's proposal, trying to 
figure out what we should retain and what we should change to make it 
better, and we did. We changed it and we made it better. I introduced 
it as a standalone bill. The Intel Committee reported out their 
legislation 14 to 1.
  We have been working with Senator Burr and Senator Feinstein and 
their staffs ever since to try to infuse the elements of the 
President's proposal, modified by us on homeland security, to make a 
more perfect--not a more perfect union, but a more perfect bill. Is it 
perfect? No. Is it better? Sure, it is better. I think it is going to 
enable us to do a much better job protecting that which needs to be 
protected.
  The last thing I will say is this: On this floor I have said more 
than a few times I love to ask people that have been married a long 
time, what is the secret to a long marriage? The best answer I have 
ever received is the two C's--communicate and compromise. I would add a 
third C, which is also important for a vibrant democracy. The third C 
is collaborate.
  This legislation is a great example of communicating, talking with 
one another, with stakeholders on Capitol Hill, off Capitol Hill, 
across the country and around the world, but at the end of the day to 
figure out how to compromise and to do so by collaborating.
  I think we have come up with a very good piece of legislation. At the 
end of the day, if an entity or business wants to share information--I 
hope they would, we need them to do that. If they want to share 
information with the Federal Government, the idea is to get liability 
protection and share it through the portal of the Department of 
Homeland Security; that information is scrubbed--cyber security 
scrubbed, privacy scrubbed. Share with other Federal agencies as 
appropriate after it has been dutifully scrubbed, and then we are in a 
better position to defend against those attacks in the future.

  I think when people send us to work on big problems--and this is a 
big problem for our country--they want us to work together. They want 
us to get stuff done. We have been talking about this for 3 or 4 years, 
and now we have an opportunity to get something done. Let's pass this 
and accept this managers' amendment, and then let's take up some other 
amendments, and pass this bill and send it to the House. When they have 
done their work, let's go to conference.
  Thank you very much.
  The PRESIDING OFFICER. The Senator from Wisconsin.
  Mr. JOHNSON. Mr. President, I rise to support the Cybersecurity 
Information Sharing Act, long overdue and vital legislation designed to 
reduce our Nation's vulnerability to cyber attacks.
  I want to commend the ranking member of my committee, Senator

[[Page S7433]]

Tom Carper, and Senator Burr and Senator Feinstein, for their 
collaborative effort. This is an example of when we actually seek to 
find the areas of agreement that unify us versus exploit our divisions, 
then we can actually accomplish some pretty good things. This bill is 
one of those examples.
  The cyber threat we face today is real and it is growing. 
Sophisticated nation-state adversaries such as China and North Korea 
are constantly probing American companies' and Federal agencies' 
computer networks to steal valuable and sensitive data. International 
criminal organizations are exploiting our networks to commit financial 
fraud and health fraud. Cyber crime is so pervasive that the former 
Director of the National Security Agency described it as the ``greatest 
transfer of wealth in human history.'' Cyber terrorists are trying to 
attack cyber-connected critical infrastructure, thereby threatening our 
very way of life.
  We have already experienced the impact of this threat. Within the 
last year and a half alone, more than 20 top American companies and 
Federal agencies have experienced major breaches. A breach of the 
Office of Personnel Management allowed a foreign adversary to steal 
19.7 million Federal employees' background checks, over 5 million 
fingerprint files, and 4 million personnel records. A breach at IRS 
allowed cyber criminals abroad to access over 330,000 taxpayer 
financial records. A destructive cyber attack from North Korea on Sony 
Pictures resulted in the destruction of thousands of computers and 
theft of the company's most valuable intellectual property. Data 
breaches at both Anthem and JP Morgan resulted in the theft of 80 
million health care subscribers' personal data and 83 million banking 
customers' personal information. Even the White House is not immune 
from attack. Six months ago, foreign adversaries breached White House 
networks, compromising the President's nonpublic schedule.
  Federal agencies are neglecting to protect Americans' data and 
Federal law is preventing companies from defending their networks. 
Congressional oversight, including hearings held by my committee, the 
Senate Committee on Homeland Security and Governmental Affairs, has 
shown agencies are not doing enough to protect their sensitive data. 
Our committee's oversight hearings of the IRS and OPM data breaches 
revealed that basic cyber security hygiene and best practices would 
have stopped attackers in their tracks had they been in place at these 
agencies. The Department of Homeland Security has not yet fully 
implemented the cyber security programs we need to protect Federal 
agencies' networks.
  Meanwhile, current law hinders private companies from sharing 
indicators that can be used to detect and stop attacks against their 
networks. To be effective, cyber threat indicators must be shared very 
quickly. The 2015 Verizon data breach investigation report revealed 
that 75 percent of attacks spread within 24 hours, and 40 percent 
spread within just 1 hour. Yet our current network of anti-trust and 
wiretap laws hampers companies from sharing that information quickly, 
creating a threat of lawsuit and prosecution for sharing the 
information companies can use to identify and stop attacks.
  There is no easy solution, but there are things Congress can do to 
improve cyber security that might make cyber attacks more difficult. 
That is why I am proud to have worked with Senator Burr and Senator 
Feinstein to create the Cybersecurity Information Sharing Act, which 
takes a significant first step in addressing both of these issues.
  First, it enables information sharing to improve cyber security 
within private companies.
  Second, it improves cyber security at Federal agencies.
  I especially appreciate the collaboration of Senator Carper in 
working with me to help craft title II of the bill--the Federal 
Cybersecurity Enhancement Act--which was unanimously reported out of 
our committee. This bill will put Federal agencies on track to 
implement commonsense cyber security solutions already in use in many 
companies, thereby improving the security of Americans' data at the 
Federal agencies.
  The Federal Cybersecurity Enhancement Act will achieve four key 
goals.
  The PRESIDING OFFICER. The time of the Senator has expired.
  Mr. JOHNSON. I ask unanimous consent for 1 more minute.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. JOHNSON. First, it will mandate deployment and implementation of 
a government-wide intrusion detection and prevention system for Federal 
networks.
  Second, it will require OMB to develop an intrusion assessment plan 
so government agencies can hunt down and eradicate attackers already in 
their networks.
  Third, it requires agencies to implement specific cyber security 
practices, such as multifactor authentication and encryption of 
sensitive data, which would have stopped previous attacks.
  Fourth, and finally, it will give the Secretary of Homeland Security 
and the Director of the Office of Management and Budget the authority 
they need to oversee cyber security across the Federal Government.
  In short, the Cybersecurity Information Sharing Act, with the 
inclusion of the Federal Cybersecurity Enhancement Act, will 
significantly improve our cyber security posture. This bill will not 
solve all of our cyber security woes, but it is an important step in 
the right direction, and I am glad to support it.
  Thank you, Mr. President, and I yield back.
  The PRESIDING OFFICER. The Senator from North Carolina.
  Mr. BURR. Mr. President, I ask unanimous consent for 2 additional 
minutes before we move to the cloture vote.
  The PRESIDING OFFICER. Is there objection?
  Without objection, it is so ordered.
  Mrs. FEINSTEIN. Mr. President, I believe I have a couple of minutes 
left after the chairman speaks that I would like to use.
  Mr. WYDEN. Mr. President, reserving the right to object.
  The PRESIDING OFFICER. The Senator from Oregon.
  Mr. WYDEN. Mr. President, reserving the right to object, I am happy 
to extend the debate for a couple of minutes for each side, but I think 
it does need, in the interest of fairness for the proponents and 
opponents, to have equal time for the purposes of wrapping up, if my 
colleagues want to go further.
  Mr. BURR. Mr. President, let me modify my request. I ask unanimous 
consent for 2 additional minutes on both sides.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mrs. FEINSTEIN. Mr. President, just so the record is clear, I was 
told I did not utilize my entire 5 minutes, and I want to make a very 
brief closing statement on my 5 minutes.
  Mr. BURR. May I modify my request further? My unanimous consent would 
grant me 2 additional minutes and would grant the vice chair 2 minutes 
45 seconds.
  Mr. WYDEN. Mr. President, I don't want to prolong this. Reserving the 
right to object--do I have any additional time? I wasn't sure I had 
used my full 5 minutes.
  The PRESIDING OFFICER. The Senator from Oregon has 45 seconds 
remaining in his time from before.
  Mr. BURR. Mr. President, I ask unanimous consent that each side be 
given 2 additional minutes.
  The PRESIDING OFFICER. Is there objection?
  Mr. McCAIN. I am about to object. Let's get going here.
  Mrs. FEINSTEIN. I withdraw my request for my 5 minutes, Mr. 
President.
  The PRESIDING OFFICER. Is there objection to the request of the 
Senator from North Carolina for 2 additional minutes for each side?
  Without objection, it is so ordered.
  Mr. BURR. Mr. President, I thank my colleagues for allowing me the 
time.
  Very quickly, it was said that this bill will not prevent and would 
not have prevented the attacks that took place at American companies. 
It is, in fact, right. The vice chair and I have never portrayed that 
this was a prevention bill. We said it is not a prevention bill. It is 
a bill designed to share information to minimize the loss of data.
  As it relates to personal data, my colleague from Oregon forgets that 
the managers' amendment strengthens by making sure on the government 
side that they only draw in the fields that
the entire government collaborative group agrees need to be used for 
forensic purposes over and above what Senator Carper pointed out are 
the responsibilities of the private sector companies.
  It was said that the vice chair and I have been critical of 
technology companies that oppose this bill. I don't think we have been 
critical. We have been confused--confused that the companies that hold 
the most personal data on the American people in the country want to 
deprive every other business in America from having the ability to 
share their information when they are hacked. So I am not critical. I 
am challenged to figure out why they would take that position, but I 
have come to the conclusion that there are some questions in life that 
have no answers, and I have now reached one of those.
  Given that we are at the end of this debate, let me once again thank 
Chairman Johnson and Ranking Member Carper for the unbelievable 
contribution that both of them individually made in their committee, 
and on behalf of the vice chair and myself, I would urge our colleagues 
to support cloture and allow this process to move forward so we could 
conference with the House.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from California.
  Mrs. FEINSTEIN. Mr. President, thank you very much.
  I just want to urge people to vote yes on cloture. We have been at 
this for 6 years. This is the third bill. We have been bipartisan. The 
bill is considered. This is a complicated and difficult arena. The bill 
is all voluntary. The moaning and groaning of companies, I say, if you 
don't want to participate, don't participate, but I can give you 
hundreds and thousands of companies that are desperate to participate 
to be able to protect themselves without a lawsuit, and this enables 
that. It is a first-step bill.
  I particularly wish to thank the chair and ranking on the Homeland 
Security Committee. I very much appreciate this support and know that 
Senator Burr, I, and others will continue to work as we recognize this 
most serious threat on our economy and the privacy of individuals. To 
do nothing now is to admit that we cannot come up with a bill, and, in 
fact, we can. Please vote yes.
  The PRESIDING OFFICER (Mr. Flake). The Senator from Oregon.
  Mr. WYDEN. Mr. President, I hope colleagues will vote no. I have 
three quick points. No. 1, the chairman of the committee--and we work 
together often--acknowledged that this substitute would not have 
prevented these major hacks that we are all so concerned about. No. 2, 
once again we have heard an attack on the country's major technology 
companies. All of them, all of them, colleagues, are opposed to this 
legislation. We are talking about Apple and Dropbox and Twitter. The 
list goes on and on. Why? Because these companies have to be concerned 
about both cyber security and protecting their employees' and their 
customers' privacy. Unfortunately, this legislation does very little to 
protect cyber security, which has now been acknowledged by the lead 
sponsor of the legislation and has major problems with respect to 
protecting the liberty of the American people. I urge colleagues to 
vote no.
  Mr. CARPER. Mr. President, are we out of time on the Democrats' side?
  The PRESIDING OFFICER. Twenty seconds remain.
  Mr. CARPER. Colleagues, keep in mind, EINSTEIN 1 and EINSTEIN 2 are 
already effective to detect but not block these intrusions. EINSTEIN 3, 
authorized by our legislation, puts a new player on the field--a 
defensive player--to be able to block these intrusions. This is new and 
requires these agencies to implement that. For no other reason than 
that, it is a good reason to support this proposal.
  Thank you.
  The PRESIDING OFFICER. The Senator's time has expired.


                             Cloture Motion

  The PRESIDING OFFICER. Pursuant to rule XXII, the Chair lays before 
the Senate the pending cloture motion, which the clerk will state.
  The legislative clerk read as follows:

                             Cloture Motion

       We, the undersigned Senators, in accordance with the 
     provisions of rule XXII of the Standing Rules of the Senate, 
     do hereby move to bring to a close debate on amendment No. 
     2716 to S. 754, a bill to improve cybersecurity in the United 
     States through enhanced sharing of information about 
     cybersecurity threats, and for other purposes.
         Mitch McConnell, John Cornyn, Johnny Isakson, Richard 
           Burr, John McCain, Shelley Moore Capito, Orrin G. 
           Hatch, John Thune, Chuck Grassley, Pat Roberts, John 
           Barrasso, Jeff Flake, Lamar Alexander, Bill Cassidy, 
           Deb Fischer, Susan M. Collins, Patrick J. Toomey.

  The PRESIDING OFFICER. By unanimous consent, the mandatory quorum 
call has been waived.
  The question is, Is it the sense of the Senate that debate on 
amendment No. 2716, offered by the Senator from North Carolina, Mr. 
Burr, to S. 754, shall be brought to a close?
  The yeas and nays are mandatory under the rule.
  The clerk will call the roll.
  The legislative clerk called the roll.
  Mr. CORNYN. The following Senators are necessarily absent: the 
Senator from South Carolina (Mr. Graham), the Senator from Florida (Mr. 
Rubio), and the Senator from Louisiana (Mr. Vitter).
  The PRESIDING OFFICER. Are there any other Senators in the Chamber 
desiring to vote?
  The yeas and nays resulted--yeas 83, nays 14, as follows:

                      [Rollcall Vote No. 281 Leg.]

                                YEAS--83

     Alexander
     Ayotte
     Barrasso
     Bennet
     Blumenthal
     Blunt
     Boozman
     Boxer
     Burr
     Cantwell
     Capito
     Cardin
     Carper
     Casey
     Cassidy
     Coats
     Cochran
     Collins
     Corker
     Cornyn
     Cotton
     Crapo
     Cruz
     Daines
     Donnelly
     Durbin
     Enzi
     Ernst
     Feinstein
     Fischer
     Flake
     Gardner
     Gillibrand
     Grassley
     Hatch
     Heinrich
     Heitkamp
     Heller
     Hirono
     Hoeven
     Inhofe
     Isakson
     Johnson
     Kaine
     King
     Kirk
     Klobuchar
     Lankford
     Lee
     Manchin
     McCain
     McCaskill
     McConnell
     Mikulski
     Moran
     Murkowski
     Murphy
     Murray
     Nelson
     Perdue
     Peters
     Portman
     Reed
     Reid
     Risch
     Roberts
     Rounds
     Sasse
     Schatz
     Schumer
     Scott
     Sessions
     Shaheen
     Shelby
     Stabenow
     Sullivan
     Tester
     Thune
     Tillis
     Toomey
     Warner
     Whitehouse
     Wicker

                                NAYS--14

     Baldwin
     Booker
     Brown
     Coons
     Franken
     Leahy
     Markey
     Menendez
     Merkley
     Paul
     Sanders
     Udall
     Warren
     Wyden

                             NOT VOTING--3

     Graham
     Rubio
     Vitter
  The PRESIDING OFFICER (Mr. Flake). On this vote, the yeas are 83, the 
nays are 14.
  Three-fifths of the Senators duly chosen and sworn having voted in 
the affirmative, the motion is agreed to.


                    Amendment No. 2564, as Modified

  There will now be 10 minutes of debate equally divided prior to a 
vote in relation to amendment No. 2564, offered by the Senator from 
North Carolina, Mr. Burr, for Mr. Paul.
  The Senator from North Carolina.
  Mr. BURR. Mr. President, I wish to say to my colleagues that there is 
10 minutes of debate in between these votes, so those Members who have 
conversations, I wish they would take them off the floor. If they are 
not going to have conversations, stay and listen to the debate.
  Mr. President, from the floor, I have said to my colleagues that the 
information sharing bill is a very delicately balanced piece of 
legislation.
  What we have attempted to do is to create a voluntary program that 
companies around this country can choose to participate in or not. Some 
have already expressed their opposition to it, and I would say that is 
very easy--pass the bill, and they just won't participate.
  There are going to be amendments, though, that change the balance. I 
don't want to get into the details of every amendment. Let me just say 
to my colleagues that if we change the balance we have reached not just 
on both sides of the aisle but with the comfort level of businesses 
across this country to where they believe they can no longer 
participate in it, then we won't have a successful information sharing 
bill.
  I think every Member of this body and every American knows that cyber 
attacks are not going to go away. They are going to continue, they are 
going
to become more numerous, and we are going to be on the floor debating 
something that is probably much more specific in the future. I wish we 
could prevent it, but right now our only tool is legislation that 
voluntarily asks companies to participate to minimize the loss of data.
  I encourage my colleagues, as the vice chair and I have--we are going 
to oppose all the amendments that come up. We have gone through all the 
amendments, and those which we could accept and which we felt embraced 
the balance we had achieved and could still hold together the support 
across the country--we incorporated those in the managers' amendment, 
and that managers' amendment will be voted on when we come back on 
Monday or Tuesday.
  With that, I yield the floor to my vice chair.
  The PRESIDING OFFICER. The Senator from California.
  Mrs. FEINSTEIN. Mr. President, I ask the Senate to vote no on this 
amendment, and I would like to explain why. This amendment would create 
an exemption to the bill's narrowly tailored liability protections for 
companies that take responsible actions to look for cyber threats and 
share information about them if a company ``breaks a user or privacy 
agreement with a customer, regardless of how trivial it may be.''
  The underlying cyber bill has been carefully drafted to ensure that 
it is totally voluntary and that activities can only be conducted on a 
customer's behalf with express authorization.
  Let me read the language in the bill. The bill reads:

       Nothing in this title shall be construed--
       (1) to amend, repeal, or supersede any current or future 
     contractual agreement, terms of service agreement, or other 
     contractual relationship between any entities, or between any 
     entity and a Federal entity.

  There is tremendous objection to the Paul amendment that is coming in 
from the chamber of commerce, various companies, and the health 
industry. They understand what is in our bill. This amendment would 
actually fatally disturb what is in the bill, which is clear and 
concise.
  I urge a ``no'' vote.
  The PRESIDING OFFICER. The Senator from Kentucky.
  Mr. PAUL. Mr. President, this cyber security bill attempts to enhance 
security for transactions on the Internet but I think actually weakens 
privacy in the process. The bill would grant legal immunity to 
companies that, in sharing information, actually violate your privacy.
  Most companies have a privacy agreement. You see it when you get on 
the Internet. It is supposed to guarantee that your information, 
individual choices, and consumer choices on the Internet are not 
revealed to anyone. This bill says that if the company violates it in 
sharing your information, there will be legal immunity for that 
company. I think that weakens privacy. It makes the privacy agreement 
not really worth the paper it is written on.
  I think privacy is of great concern to Americans. The government 
doesn't have a very good record with privacy. In the news today, a 
teenager is now reading the email of the CIA Director. It doesn't sound 
as though the government is very good at protecting privacy. I am not 
really excited about letting them have more information.
  The government revealed 20 million individual records of their 
employees, private records of their employees. This is the same 
government that now says: Trust us, and let's give everybody involved 
immunity so the consumer has no recourse if their privacy is breached. 
This is the same government that allowed the ObamaCare Web site to be 
hacked and looked at. This is a government that doesn't have a lot of 
concern or ability to protect privacy. We are now asked to entrust this 
government with volumes and volumes of personal information sent across 
the vastness of the Internet. There is good reason that many of our 
largest technological companies oppose this legislation.
  My amendment will give companies and Internet users clarity on what 
information is shared with the government, and it will protect the 
privacy agreement.
  The PRESIDING OFFICER. The Senator from California.
  Mrs. FEINSTEIN. Mr. President, I would like to respond to that 
because we have been told that for the industries that support this 
bill, this amendment is a bill killer, and the opposition to it has 
come in far and wide. We have 52 industrial associations in business, 
finance, banking, petroleum, waterworks, railroads, public power, real 
estate, and retail--52 associations that are on your desk--supporting 
it. In particular, the health industry has weighed in against this 
amendment.
  We accomplished the purpose in our bill in a way that is acceptable. 
Please vote no.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Kentucky.
  Mr. PAUL. Mr. President, let us be clear that most of the high-tech 
companies that have anything to do with the Internet and anything to do 
with information sharing oppose this bill.
  The PRESIDING OFFICER. The Senator from North Carolina.
  Mr. BURR. Mr. President, I think everybody would like to vote, but I 
will say one last thing to my colleagues.
  Any company in America--any company in America--that chooses not to 
participate, doesn't have to. If for some reason they find there is 
something in this piece of legislation they are uncomfortable with or 
they are concerned about with regard to the transfer of any personal 
data, it is very simple: They do not have to participate. But to deny 
everybody who would like to participate is wrong.
  I would encourage my colleagues to defeat the amendment and support 
moving on.
  I yield the floor.
  The PRESIDING OFFICER. The question is on agreeing to amendment No. 
2564, as modified.
  Mr. PAUL. I ask for the yeas and nays.
  The PRESIDING OFFICER. Is there a sufficient second?
  There appears to be a sufficient second.
  The clerk will call the roll.
  The bill clerk called the roll.
  Mr. CORNYN. The following Senators are necessarily absent: the 
Senator from South Carolina (Mr. Graham), the Senator from Florida (Mr. 
Rubio), and the Senator from Louisiana (Mr. Vitter).
  The PRESIDING OFFICER (Mrs. Fischer). Are there any other Senators in 
the Chamber desiring to vote?
  The result was announced--yeas 32, nays 65, as follows:

                      [Rollcall Vote No. 282 Leg.]

                                YEAS--32

     Baldwin
     Barrasso
     Bennet
     Booker
     Boxer
     Brown
     Cantwell
     Cardin
     Coons
     Crapo
     Cruz
     Daines
     Durbin
     Enzi
     Franken
     Gillibrand
     Heinrich
     Heller
     Leahy
     Lee
     Markey
     Menendez
     Merkley
     Murkowski
     Murray
     Paul
     Sanders
     Schumer
     Sullivan
     Udall
     Warren
     Wyden

                                NAYS--65

     Alexander
     Ayotte
     Blumenthal
     Blunt
     Boozman
     Burr
     Capito
     Carper
     Casey
     Cassidy
     Coats
     Cochran
     Collins
     Corker
     Cornyn
     Cotton
     Donnelly
     Ernst
     Feinstein
     Fischer
     Flake
     Gardner
     Grassley
     Hatch
     Heitkamp
     Hirono
     Hoeven
     Inhofe
     Isakson
     Johnson
     Kaine
     King
     Kirk
     Klobuchar
     Lankford
     Manchin
     McCain
     McCaskill
     McConnell
     Mikulski
     Moran
     Murphy
     Nelson
     Perdue
     Peters
     Portman
     Reed
     Reid
     Risch
     Roberts
     Rounds
     Sasse
     Schatz
     Scott
     Sessions
     Shaheen
     Shelby
     Stabenow
     Tester
     Thune
     Tillis
     Toomey
     Warner
     Whitehouse
     Wicker

                             NOT VOTING--3

     Graham
     Rubio
     Vitter
  The amendment (No. 2564), as modified, was rejected.
  Ms. COLLINS. Madam President, I ask unanimous consent to speak as in 
morning business for not longer than 10 minutes.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  (The remarks of Ms. Collins pertaining to the introduction of S. 2194 
are printed in today's Record under ``Statements on Introduced Bills 
and Joint Resolutions.'')
  Ms. COLLINS. Madam President, I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.

  Mr. MERKLEY. Madam President, I ask unanimous consent that the order 
for the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

[...]


[Congressional Record Volume 161, Number 155 (Thursday, October 22, 2015)]
[Senate]
[Pages S7452-S7453]


                 CYBERSECURITY INFORMATION SHARING ACT

  Mr. FRANKEN. Mr. President, I rise today to talk about the 
Intelligence Committee bill we are currently debating, the 
Cybersecurity Information Sharing Act of 2015, or CISA.
  This Chamber sees its fair share of disagreements, so it is worth 
noting when there is something we can all agree on, and I think we can 
all agree on the need for congressional action on cyber security. We 
face ever-increasing cyber attacks from sophisticated individuals, 
organized crime syndicates, and foreign regimes. These attacks pose a 
real threat to our economy and to our national security. It is clear 
that we must respond to these new threats because the cost of 
complacency is too high, but it is critical, in deciding how we protect 
our information networks, that we also continue to protect the 
fundamental privacy rights and civil liberties of Americans. In short, 
there is a pressing need for meaningful, effective cyber security 
legislation that balances privacy and security. Unfortunately, as it 
now stands, the Cybersecurity Information Sharing Act falls short.
  Since this legislation was first introduced, I and a number of my 
colleagues on both sides of the aisle have raised serious concerns 
about the problems the bill presents for Americans' privacy and for the 
effective operation of our Nation's cyber defense. My colleagues and I 
are not alone. Serious concerns have been raised by technologists and 
security experts, civil society organizations from across the political 
spectrum, and major tech companies, such as Apple, Dropbox, Twitter, 
Yelp, salesforce.com, and Mozilla. Neither the Business Software 
Alliance nor the Computer & Communications Industry Association 
supports CISA as written.
  In a letter I received from the Department of Homeland Security this 
summer, the agency--which has a leading role in cyber security for the 
Federal Government--expressed concern about specific aspects of CISA. 
DHS explained that under the bill's approach, ``the complexity--for 
both government and businesses--and inefficiency of any information 
sharing program will markedly increase.'' The letter explained that 
CISA would do away with important privacy protections and could make it 
harder, not easier, to develop ``a single, comprehensive picture of the 
range of cyber threats faced daily.''
  Senator Burr and Senator Feinstein, the bill managers, have worked 
very hard over the last months to improve various aspects of the bill, 
and their substitute amendment offers a significantly improved version 
of CISA. I really appreciate their efforts, but it is clear to me and 
others that the improvements did not go far enough. Major concerns 
raised in the letter from DHS and voiced by security experts, privacy 
advocates, and tech companies still have not been resolved. Let me 
briefly describe three of them.
  First, the bill gives companies a free pass to engage in network 
monitoring and information sharing activities, as well as the operation 
of defensive measures, in response to anything they deem a ``cyber 
security threat,'' no matter how improbable it is that it constitutes a 
risk of any kind.
  The term ``cyber security threat'' is really the linchpin of this 
bill. Companies can monitor systems, share cyber threat indicators with 
one another or with the government, and deploy defensive measures to 
protect against any cyber security threats. So the definition of 
``cyber security threat'' is pretty important, and the bill defines 
``cyber security threat'' to include any action that ``may result in an 
unauthorized effort to adversely impact'' cyber security. Under this 
definition, companies can take action even if it is unreasonable to 
think that security might be compromised.
  This raises serious concerns about the scope of all of the 
authorities granted by the bill and the privacy implications of those 
authorities. Security experts and advocates have warned that in this 
context, establishing the broadest possible definition of ``cyber 
security threat'' actually threatens to undermine security by 
increasing the amount of unreliable information shared with the 
government.

  I have written an amendment, which is cosponsored by Senators Leahy, 
Wyden, and Durbin, which would set the bar a bit higher, requiring that 
a threat be at least ``reasonably likely'' to result in an effort to 
adversely impact security. This standard gives companies plenty of 
flexibility. They don't need to be certain that an incident or event is 
an attack before they share information, but they should have at least 
determined that it is a plausible threat.
  The definition of a cyber security threat isn't the only problematic 
provision of the bill. This brings me to the second concern that I 
would like to highlight. The bill provides a blanket authorization that 
allows companies to share information ``notwithstanding any other 
provision of law.'' As DHS explained this past summer, that statutory 
language ``sweeps away important privacy protections.'' Indeed, it 
means that CISA would override all existing privacy laws, from the 
Electronic Communications Privacy Act, ECPA, to HIPAA, a law that 
protects sensitive health information.
  Moreover, this blanket authorization applies to sharing done with any 
Federal agency. Companies are free to directly share with whomever they 
may choose, including law enforcement and military intelligence 
agencies. This means that, unbeknownst to their customers, companies 
may share information that contains customers' personal information 
with NSA, FBI, and others. From a security perspective, it also means 
we are setting up a diffuse system. I want to emphasize this. This is 
setting up a diffuse system that, as DHS's letter acknowledged, is 
likely to be complex and inefficient, where it is
actually harder for our cyber security experts to connect the dots and 
keep us safe.
  These are all reasons why privacy experts, independent security 
experts, and the Department of Homeland Security have all warned that 
CISA's blanket authorization is a problem.
  Earlier this year, the House avoided this problem when they passed 
the National Cybersecurity Protection Advancement Act by a vote of 355 
to 63. That information sharing bill only authorizes sharing with the 
government through a single civilian hub at the Department of Homeland 
Security--a move toward efficient streamlining of information that is 
also good for privacy. But understand that this is the House of 
Representatives, 355 to 63, saying: Let's make this easier for the 
government to have all the information in one place.
  Finally, CISA fails to adequately assure the removal of irrelevant 
personal information. This, of course, is a major concern. The bill 
allows personal information to be shared even when there is a high 
likelihood that the information is not related to a cyber security 
threat. Combined with the bill's overly broad definition of ``cyber 
security threat,'' this basically ensures that private entities will 
share extraneous information from Americans' personal communications. 
If companies are going to receive the broad liability protection this 
bill provides, they should be expected to do better than this.
  Senator Wyden has offered an amendment, which I am proud to be the 
cosponsor of, which would require companies to be more diligent and to 
remove ``to the extent feasible'' any personal information that isn't 
necessary to identify a cyber security threat. The ``extent feasible'' 
is a crucial improvement, but it is hardly novel; in fact, it is 
basically the same standard that is in place today when information is 
shared between private companies and the Department of Homeland 
Security. There is no justification for lowering that standard in CISA, 
especially because the bill also provides companies with significant 
liability protection.
  Mr. President, the amendments I have talked about today, as well as a 
number of other pending amendments, would make CISA a better deal, one 
that is significantly more protective of Americans' privacy and more 
likely to advance cyber security. I want to encourage my colleagues to 
support these amendments. Without them, I fear that, however well 
intentioned, CISA would do a disservice to the American people.

  I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.
  Mr. CARPER. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

                          ____________________