[Congressional Record Volume 161, Number 155 (Thursday, October 22, 2015)] [Senate] [Pages S7430-S7439] CYBERSECURITY INFORMATION SHARING ACT OF 2015 The PRESIDING OFFICER. Under the previous order, the Senate will resume consideration of S. 754, which the clerk will report. The senior assistant legislative clerk read as follows: A bill (S. 754) to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Pending: Burr/Feinstein amendment No. 2716, in the nature of a substitute. Burr (for Cotton) modified amendment No. 2581 (to amendment No. 2716), to exempt from the capability and process within the Department of Homeland Security communication between a private entity and the Federal Bureau of Investigation or the United States Secret Service regarding cybersecurity threats. Feinstein (for Coons) modified amendment No. 2552 (to amendment No. 2716), to modify section 5 to require DHS to review all cyber threat indicators and countermeasures in order to remove certain personal information. Burr (for Flake/Franken) amendment No. 2582 (to amendment No. 2716), to terminate the provisions of the Act after six years. Feinstein (for Franken) further modified amendment No. 2612 (to amendment No. 2716), to improve the definitions of cybersecurity threat and cyber threat indicator. Burr (for Heller) modified amendment No. 2548 (to amendment No. 2716), to protect information that is reasonably believed to be personal information or information that identifies a specific person. Feinstein (for Leahy) modified amendment No. 2587 (to amendment No. 2716), to strike the FOIA exemption. Burr (for Paul) modified amendment No. 2564 (to amendment No. 2716), to prohibit liability immunity to applying to private entities that break user or privacy agreements with customers. Feinstein (for Mikulski/Cardin) amendment No. 2557 (to amendment No. 2716), to provide amounts necessary for accelerated cybersecurity in response to data breaches. Feinstein (for Whitehouse/Graham) modified amendment No. 2626 (to amendment No. 2716), to amend title 18, United States Code, to protect Americans from cybercrime. Feinstein (for Wyden) modified amendment No. 2621 (to amendment No. 2716), to improve the requirements relating to removal of personal information from cyber threat indicators before sharing. The PRESIDING OFFICER. Under the previous order, the time until 11 a.m. will be equally divided between the two leaders or their designees. The Senator from Nevada. Amendment No. 2548, as Modified Mr. HELLER. Mr. President, after my years of growing up in Nevada, I appreciate the values that make Nevadans distinct, fiercely independent, and very diverse--in fact, as diverse as the terrain is in Nevada. But what never ceases to amaze me about Nevadans is our passion for protecting America's privacy from the intrusion of the Federal Government. It is a value that is shared across the entire State and one that I have sworn to uphold. But many Americans have lost faith that their government will uphold their civil liberties. It is Congress's responsibility to ensure that every piece of legislation passed by this body protects the privacy and liberties of all Americans, and I will not accept attempts to diminish these nonnegotiable rights. That is why I am on the floor today to continue protecting Americans' and Nevadans' privacy by pushing for my amendment on the Cybersecurity Information Sharing Act. To begin with, I wish to commend my colleagues, both Chairman Burr and Ranking Member Feinstein, for recognizing the need to address the serious issue of cyber security. As ranking member of the commerce committee's consumer protection subcommittee in the last Congress, I delved into these issues and understand the impact of data breaches and cyber threats. It is an economic concern as well as a national security concern for our country. I share the desire to find a path forward on information sharing between the Federal Government and the private sector as another tool in the cyber security toolbox, but these efforts cannot come at the expense of personal privacy. The bill, including the substitute amendment that I see today, does not do enough to ensure that personal, identifiable information is stripped out before being shared, and that is why I have offered this simple fix. Let's strengthen the standard for stripping out this information. Right now, this legislation says that the Federal Government only has to strip out personal information if they know it is not directly related to cyber threat--that word being ``know.'' My amendment No. 2548, as modified, will ensure that when personal information is being stripped out, it is because the entity reasonably believes it is not related to cyber threat. That is the change--from knowing to reasonably believing. This distinction creates a wider protection for personal information by ensuring that these entities are making an effort to take out personal information that is not necessary. Frankly, I am proud of the support I have from Senators Leahy and Wyden, both great advocates in the Senate for privacy. However, I am disappointed that my amendment was not included in the substitute amendment that we see today. The supporters of this bill talk about how this legislation upholds privacy but couldn't accept a reasonable amendment that complements those privacy provisions. Our friends over in the House of Representatives already agree that the private sector should be held to this standard, which is why they included this language in the cyber security bill they passed. I guess the question is, If this is good enough for the private sector, shouldn't it be good enough for the government sector? Furthermore, DHS has publicly acknowledged the importance of removing personal, identifiable information because it will allow an information sharing regime to function more efficiently. What this has come down to is our Nation's commitment to balancing the needs for sharing cyber security information with the needs to protect Americans' personal information. Like many in the tech community have already stated, security should not come at the expense of privacy. In fact, that was said a couple hundred years ago by Benjamin Franklin. Security should not come at the expense of privacy. I believe my amendment No. 2548 to hold the Federal Government accountable strikes that balance, and I hope this simple fix can be incorporated into the legislation. I encourage my colleagues to support this commonsense effort to strengthen this bill and keep our commitment to upholding the rights of all U.S. citizens. I appreciate Senators Burr and Feinstein's willingness to work with me on this amendment and look forward to continuing this debate. I thank the Presiding Officer, and I yield the floor. The PRESIDING OFFICER. The Senator from North Carolina. [[Page S7431]] Mr. BURR. Mr. President, I thank my colleague from Nevada and say to him generally that we tried to put everything in the managers' amendment that we could, and the threshold was that we had to have total agreement. I know my colleague understands that it is difficult, but we have done everything we can to protect the rights of every individual Member to bring an amendment to the floor, to debate the amendment, and to have an up-or-down vote--even for the ones that were not germane. It is unfortunate that one amendment on both sides will be kicked out because they have to happen before the cloture vote, and that was not allowed to take place. Measure Placed on the Calendar--S. 2193 Mr. President, I understand that there is a bill at the desk that is due for its second reading. The PRESIDING OFFICER. The clerk will report the bill by title for the second time. The senior assistant legislative clerk read as follows: A bill (S. 2193) to amend the Immigration and Nationality Act to increase penalties for individuals who illegally reenter the United States after being removed and for other purposes. Mr. BURR. Mr. President, in order to place the bill on the calendar under the provisions of rule XIV, I object to further proceedings. The PRESIDING OFFICER. Objection is heard. The bill will be placed on the calendar. Mr. BURR. Mr. President, in just shy of 25 minutes, the Senate will have a procedural vote on the Cybersecurity Information Sharing Act of 2015. The committee worked diligently for most of this year in a bipartisan way to achieve a balance of great policy and reported that bill out on a 14-to-1 vote. I say to my colleagues: We have reached a very delicate balance. There have been bending and twisting and giving and taking, and we have done it not only within the Senate of the United States and within the committee, we have done it with stakeholders all around the country. I will remind my colleagues that this bill we are attempting to get through the Senate is a voluntary information sharing bill, and the mere fact that it is voluntary means we have to have in place certain incentives that provide a reason for companies to participate. I commend Chairman Johnson and Ranking Member Carper. Their committee and staff have worked with us side by side to try to incorporate their thoughts and the thoughts of all the agencies and also worked with stakeholders around the country. I am pleased to tell my colleagues today that we received this morning a notice from the U.S. Chamber of Commerce, and it says: ``The Chamber urges the United States Senate to pass CISA expeditiously. There is overwhelming support.'' When the vice chair and I ventured into this, we also made a commitment to lock arms because we thought we found the right balance. Although it may be enticing for Members to support amendments that might come up, there is a reason we didn't incorporate them in the managers' amendment. It may have been due to the differences the vice chair and I had or maybe it was because it would have killed the support we had with the stakeholders around the country. We will have one of those amendments today, and it is going to be inviting for people to do it, but let me say to my colleagues, if do you it, information sharing is over with, and the effort is dead. It has been tried for 3 years, yet we continue to see attacks happen, and massive amounts of personal data go out of the system to be used for criminal or espionage reasons. This is really our last chance. The vice chairman and I have reached what we think is the absolute balance that provides the buy-in of those who will be asked to voluntarily turn over this data and to help minimize the loss of data in our entire economy. I urge my colleagues to support the cloture motion that will happen at 11 a.m. We will have a short debate, and then we will take up an amendment, and the vice chair and I at that time will ask our colleagues not to support that amendment. Mr. President, I ask unanimous consent to waive the mandatory quorum calls with respect to the cloture motions on amendment No. 2716 and S. 754. The PRESIDING OFFICER. Is there objection? Without objection, it is so ordered. Mr. BURR. I yield the floor. The PRESIDING OFFICER. The Senator from California. Mrs. FEINSTEIN. Mr. President, I ask unanimous consent that the following Senators on the Democratic side be permitted to speak for 5 minutes each on our time: Feinstein 5 minutes, Wyden 5 minutes, and Carper 5 minutes. The PRESIDING OFFICER. Without objection, it is so ordered. Mrs. FEINSTEIN. Mr. President, after many years of effort, the Senate is about to take its first vote to move forward on important cyber security legislation. As I stated in my remarks yesterday, this substitute makes 20 changes to the underlying bill. It includes 14 amendments offered by other Senators to improve privacy protections and ensure better cyber security for emergency services, the health care industry, and the Federal Government. As the chairman just said, we have been listening and we have tried to incorporate a substantial number of amendments in the managers' package. This is a good bill. It is a first step. It is not going to prevent all cyber attacks or penetrations, but it will allow companies and the government to share information about the cyber threats they see and the defensive measures to implement in order to protect their networks. Right now--and this is important--the same cyber intrusions are used again and again to penetrate different targets. That shouldn't happen. If someone sees a particular virus or harmful signature, they should be able to tell others so they can protect themselves. That is what this bill does--it clears away the uncertainty and concern that keep companies from sharing this information. It says that two competitors in a market can share information on cyber threats with each other without facing antitrust lawsuits. It says that companies sharing cyber threat information with the government for cyber security purposes have liability protection. The bill is completely voluntary. I don't know how to say that over and over more times than I have. If you don't want to participate, don't. If a company wants to take the position that it can defend itself and doesn't want to participate in real-time sharing with the Department of Homeland Security, that is its right. I thank my colleagues who came to the floor in support of this bill and this managers' amendment yesterday: Senators McConnell, Reid, Grassley, Nelson, McCain, King, Thune, Flake, Senator Carper in particular, Senator Blunt, and others. They have all described the need for this bill, and I so appreciate their support. I urge my colleagues to support cloture on this substitute managers' package so that we can start moving on to other amendments that are pending. I also thank Senator Burr and his staff. Over the past couple of days, they have been going through comments, proposing technical changes, and perfecting changes to the substitute. It is my understanding that Chairman Burr will ask a unanimous consent agreement on that perfecting amendment shortly. I also thank Senator Collins for agreeing to changes in her provision, section 407, to start to address concerns that were raised by its inclusion. I also want to thank Senators Whitehouse, Leahy, and Wyden for reaching an agreement on text that Senator Whitehouse very much wanted to include, and I am pleased we were able to include it in this unanimous consent package. So I appreciate the support of my colleagues. I urge a strong ``yes'' vote on the cloture vote to allow us to proceed to this bill. The PRESIDING OFFICER. The Senator from Oregon. Mr. WYDEN. Mr. President, I rise to speak against cloture on the substitute. This substitute would not have stopped the Target hack, the Anthem hack, the Home Depot hack, or the OPM hack. When it comes to real privacy protection for millions of Americans with this substitute, there is simply no ``there'' there. We see that by looking at page 17 of the substitute. Companies have to remove only personal, unrelated information if they know that it is personal [[Page S7432]] and unrelated. How would they know under this amendment? Under this amendment, they are required to virtually do no looking. It is the most cursory review. That is why the Nation's leading technology companies have come out overwhelmingly against this legislation. They are not satisfied by this substitute. The sponsors of the bill have been pretty vociferous about attacking these companies for coming out against the legislation. These companies know a lot about the importance of protecting both cyber security and individual privacy. These tech companies that are being attacked now have to manage that challenge every single day. The challenge gets harder all the time with things such as the EU ruling that I opposed. These companies know that customer confidence is their lifeblood, and the only way to ensure customer confidence is to convince people that if they use their product, their information is going to be protected both from malicious hackers and from unnecessary collection by the government. The fact is, we have a serious problem with hacking and cyber security threats. The fact is, information sharing can be good, but a cyber security information sharing bill without real and robust privacy protections that this amendment lacks--I would submit millions of Americans are going to look at that, and they are going to say this isn't a cyber security bill, this is yet another surveillance bill. With this amendment, colleagues, the Senate is again missing another opportunity to do this right and promote both security and liberty. Just because a proposal has the words ``cyber security'' in its title doesn't make it good. But that is, of course, why the leading technology companies in this country--companies that make a living every single day by being sensitive to cyber threats and privacy--have come out overwhelmingly against this bill. I know my colleagues have tried to improve this issue, and I appreciate that. But the core privacy protections that America deserves in a bill like this are still lacking, and that is why I oppose cloture. The PRESIDING OFFICER. The Senator from Delaware. Mr. CARPER. Mr. President, I wish to respond very briefly to what our colleague from Oregon has said. Senator Feinstein shared with me a copy of the actual text of the managers' amendment. I would maybe make two points. One, if a private company elects to share information--they don't have to, but if they elect to share information, as Senator Feinstein has said, it is their call. But if they do, there is a requirement under the law that they scrub it. The reporting entity which is submitting the indicator--in this case to DHS, the Federal entity--has to scrub it. They have the responsibility, whoever is initiating this, to scrub and remove that personally identifiable information. If for some reason they don't, the way the legislation comes before us today, in order for a company that chooses to submit threat indicators to the Federal Government, in order to get help on the liability protection they are looking for, they have to submit it through the Department of Homeland Security, through the portal of the Department of Homeland Security, which is literally set up to do privacy scrubs. It is literally set up to do privacy scrubs, and then to share information it wants with other relevant Federal agencies. Very, very infrequently--very infrequently--will there be some reason to--the threat indicators coming through the portal at DHS, maybe less than 1 percent of the time, there might be a need to take a closer look at that information and make sure there is nothing that is personally identifiable or problematic. I think with the compromise that has been worked out, the issue that our colleague has raised has been addressed. Let me just go back in time. Why is this important? We know the situation is grim. When the Secretary of Defense has his emails hacked by an entity, and we know not who, when we have 22 million personal records and background checks hacked by maybe the Chinese or maybe somebody else, that is not good. When companies such as DuPont in my own State and universities all over the country are having their R&D information--their intellectual seed corn upon which our economy is going to grow--stolen, and presumably stolen for bad reasons, so that they can beat us to the bunch in terms of economic opportunity, that is not good. What are we going to do about it? It turns out we did quite a bit about it in the last Congress. Two Congresses ago, Senator Feinstein proposed comprehensive cyber security legislation, the whole kit and caboodle. We tried very hard, as she knows, for a year or two to get that enacted. We couldn't get it done. Finally, we gave up at the end of I think the 112th Congress. We gave it up, and we started again in 2013. Tom Coburn was the ranking member on Homeland Security. I was privileged to be chairman. He and I partnered with people on our committee and, frankly, with a lot of folks outside of the committee, to do three things: To strengthen the capability of the Department of Homeland Security to do its job, a much better job of protecting not just the Federal Government but the country as a whole against cyber attacks. We passed three pieces of legislation. They are helpful; they are not the whole package, but they are three very helpful bills to make DHS a better, more effective partner. This year, the Intel Committee, under the leadership of Senator Burr and Senator Feinstein, came forward with their proposal. The administration, the President, came forward with an information sharing proposal as well. We took it up in a hearing in the committee on homeland security, looking at the President's proposal, trying to figure out what we should retain and what we should change to make it better, and we did. We changed it and we made it better. I introduced it as a standalone bill. The Intel Committee reported out their legislation 14 to 1. We have been working with Senator Burr and Senator Feinstein and their staffs ever since to try to infuse the elements of the President's proposal, modified by us on homeland security, to make a more perfect--not a more perfect union, but a more perfect bill. Is it perfect? No. Is it better? Sure, it is better. I think it is going to enable us to do a much better job protecting that which needs to be protected. The last thing I will say is this: On this floor I have said more than a few times I love to ask people that have been married a long time, what is the secret to a long marriage? The best answer I have ever received is the two C's--communicate and compromise. I would add a third C, which is also important for a vibrant democracy. The third C is collaborate. This legislation is a great example of communicating, talking with own another, with stakeholders on Capitol Hill, off Capitol Hill, across the country and around the world, but at the end of the day to figure out how to compromise and to do so by collaborating. I think we have come up with a very good piece of legislation. At the end of the day, if an entity or business wants to share information--I hope they would, we need them to do that. If they want to share information with the Federal Government, the idea is to get liability protection and share it through the portal of the Department of Homeland Security; that information is scrubbed--cyber security scrubbed, piracy scrubbed. Share with other Federal agencies as appropriate after it has been dutifully scrubbed, and then we are in a better position to defend against those attacks in the future. I think when people send us to work on big problems--and this is a big problem for our country--they want us to work together. They want us to get stuff done. We have been talking about this for 3 or 4 years, and now we have an opportunity to get something done. Let's pass this and accept this managers' amendment, and then let's take up some other amendments, and pass this bill and send it to the House. When they have done their work, let's go to conference. Thank you very much. The PRESIDING OFFICER. The Senator from Wisconsin. Mr. JOHNSON. Mr. President, I rise to support the Cybersecurity Information Sharing Act, long overdue and vital legislation designed to reduce our Nation's vulnerability to cyber attacks. I want to commend the ranking member of my committee, Senator [[Page S7433]] Tom Carper, and Senator Burr and Senator Feinstein, for their collaborative effort. This is an example of when we actually seek to find the areas of agreement that unify us versus exploit our divisions, then we can actually accomplish some pretty good things. This bill is one of those examples. The cyber threat we face today is real and it is growing. Sophisticated nation-state adversaries such as China and North Korea are constantly probing American companies' and Federal agencies' computer networks to steal valuable and sensitive data. International criminal organizations are exploiting our networks to commit financial fraud and health fraud. Cyber crime is so pervasive that the former Director of the National Security Agency described it as the ``greatest transfer of wealth in human history.'' Cyber terrorists are trying to attack cyber-connected critical infrastructure, thereby threatening our very way of life. We have already experienced the impact of this threat. Within the last year and a half alone, more than 20 top American companies and Federal agencies have experienced major breaches. A breach of the Office of Personnel Management allowed a foreign adversary to steal 19.7 million Federal employees' background checks, over 5 million fingerprint files, and 4 million personnel records. A breach at IRS allowed cyber criminals abroad to access over 330,000 taxpayer financial records. A destructive cyber attack from North Korea on Sony Pictures resulted in the destruction of thousands of computers and theft of the company's most valuable intellectual property. Data breaches at both Anthem and JP Morgan resulted in the theft of 80 million health care subscribers' personal data and 83 million banking customers' personal information. Even the White House is not immune from attack. Six months ago, foreign adversaries breached White House networks, compromising the President's nonpublic schedule. Federal agencies are neglecting to protect Americans' data and Federal law is preventing companies from defending their networks. Congressional oversight, including hearings held by my committee, the Senate Committee on Homeland Security and Governmental Affairs, has shown agencies are not doing enough to protect their sensitive data. Our committee's oversight hearings of the IRS and OPM data breaches revealed that basic cyber security hygiene and best practices would have stopped attackers in their tracks had they been in place at these agencies. The Department of Homeland Security has not yet fully implemented the cyber security programs we need to protect Federal agencies' networks. Meanwhile, current law hinders private companies from sharing indicators that can be used to detect and stop attacks against their networks. To be effective, cyber threat indicators must be shared very quickly. The 2015 Verizon data breach investigation report revealed that 75 percent of attacks spread within 24 hours, and 40 percent spread within just 1 hour. Yet our current network of anti-trust and wiretap loss hampers companies from sharing that information quickly, creating a threat of lawsuit and prosecution for sharing that the information companies can use to identify and stop attacks. There is no easy solution, but there are things Congress can do to improve cyber security that might make cyber attacks more difficult. That is why I am proud to have worked with Senator Burr and Senator Feinstein to create the Cybersecurity Information Sharing Act, which takes a significant first step in addressing both of these issues. First, it enables information sharing to improve cyber security within private companies. Second, it improves cyber security at Federal agencies. I especially appreciate the collaboration of Senator Carper in working with me to help craft title II of the bill--the Federal Cybersecurity Enhancement Act--which was unanimously reported out of our committee. This bill will put Federal agencies on track to implement commonsense cyber security solutions already in use in many companies, thereby improving the security of Americans' data at the Federal agencies. The Federal Cybersecurity Enhancement Act will achieve four key goals. The PRESIDING OFFICER. The time of the Senator has expired. Mr. JOHNSON. I ask unanimous consent for 1 more minute. The PRESIDING OFFICER. Without objection, it is so ordered. Mr. JOHNSON. First, it will mandate deployment and implementation of a government-wide intrusion detection and prevention system for Federal networks. Second, it will require OMB to develop an intrusion assessment plan so government agencies can hunt down and eradicate attackers already in their networks. Third, it requires agencies to implement specific cyber security practices, such as multifactor authentication and encryption of sensitive data, which would have stopped previous attacks. Fourth, and finally, it will give the Secretary of Homeland Security and the Director of the Office of Management and Budget the authority they need to oversee cyber security across the Federal Government. In short, the Cybersecurity Information Sharing Act, with the inclusion of the Federal Cybersecurity Enhancement Act, will significantly improve our cyber security posture. This bill will not solve all of our cyber security woes, but it is an important step in the right direction, and I am glad to support it. Thank you, Mr. President, and I yield back. The PRESIDING OFFICER. The Senator from North Carolina. Mr. BURR. Mr. President, I ask unanimous consent for 2 additional minutes before we move to the cloture vote. The PRESIDING OFFICER. Is there objection? Without objection, it is so ordered. Mrs. FEINSTEIN. Mr. President, I believe I have a couple of minutes left after the chairman speaks that I would like to use. Mr. WYDEN. Mr. President, reserving the right to object. The PRESIDING OFFICER. The Senator from Oregon. Mr. WYDEN. Mr. President, reserving the right to object, I am happy to extend the debate for a couple of minutes for each side, but I think it does need, in the interest of fairness for the proponents and opponents, to have equal time for the purposes of wrapping up, if my colleagues want to go further. Mr. BURR. Mr. President, let me modify my request. I ask unanimous consent for 2 additional minutes on both sides. The PRESIDING OFFICER. Without objection, it is so ordered. Mrs. FEINSTEIN. Mr. President, just so the record is clear, I was told I did not utilize my entire 5 minutes, and I want to make a very brief closing statement on my 5 minutes. Mr. BURR. May I modify my request further? My unanimous consent would grant me 2 additional minutes and would grant the vice chair 2 minutes 45 seconds. Mr. WYDEN. Mr. President, I don't want to prolong this. Reserving the right to object--do I have any additional time? I wasn't sure I had used my full 5 minutes. The PRESIDING OFFICER. The Senator from Oregon has 45 seconds remaining in his time from before. Mr. BURR. Mr. President, I ask unanimous consent that each side be given 2 additional minutes. The PRESIDING OFFICER. Is there objection? Mr. McCAIN. I am about to object. Let's get going here. Mrs. FEINSTEIN. I withdraw my request for my 5 minutes, Mr. President. The PRESIDING OFFICER. Is there objection to the request of the Senator from North Carolina for 2 additional minutes for each side? Without objection, it is so ordered. Mr. BURR. Mr. President, I thank my colleagues for allowing me the time. Very quickly, it was said that this bill will not prevent and would not have prevented the attacks that took place at American companies. It is, in fact, right. The vice chair and I have never portrayed that this was a prevention bill. We said it is not a prevention bill. It is a bill designed to share information to minimize the loss of data. As it relates to personal data, my colleague from Oregon forgets that the managers' amendment strengthens by making sure on the government side that they only draw in the fields that [[Page S7434]] the entire government collaborative group agrees need to be used for forensic purposes over and above what Senator Carper pointed out are the responsibilities of the private sector companies. It was said that the vice chair and I have been critical of technology companies that oppose this bill. I don't think we have been critical. We have been confused--confused that the companies that hold the most personal data on the American people in the country want to deprive every other business in America from having the ability to share their information when they are hacked. So I am not critical. I am challenged to figure out why they would take that position, but I have come to the conclusion that there are some questions in life that have no answers, and I have now reached one of those. Given that we are at the end of this debate, let me once again thank Chairman Johnson and Ranking Member Carper for the unbelievable contribution that both of them individually made in their committee, and on behalf of the vice chair and myself, I would urge our colleagues to support cloture and allow this process to move forward so we could conference with the House. I yield the floor. The PRESIDING OFFICER. The Senator from California. Mrs. FEINSTEIN. Mr. President, thank you very much. I just want to urge people to vote yes on cloture. We have been at this for 6 years. This is the third bill. We have been bipartisan. The bill is considered. This is a complicated and difficult arena. The bill is all voluntary. The moaning and groaning of companies, I say, if you don't want to participate, don't participate, but I can give you hundreds and thousands of companies that are desperate to participate to be able to protect themselves without a lawsuit, and this enables that. It is a first-step bill. I particularly wish to thank the chair and ranking on the Homeland Security Committee. I very much appreciate this support and know that Senator Burr, I, and others will continue to work as we recognize this most serious threat on our economy and the privacy of individuals. To do nothing now is to admit that we cannot come up with a bill, and, in fact, we can. Please vote yes. The PRESIDING OFFICER (Mr. Flake). The Senator from Oregon. Mr. WYDEN. Mr. President, I hope colleagues will vote no. I have three quick points. No. 1, the chairman of the committee--and we work together often--acknowledged that this substitute would not have prevented these major hacks that we are all so concerned about. No. 2, once again we have heard an attack on the country's major technology companies. All of them, all of them, colleagues, are opposed to this legislation. We are talking about Apple and Dropbox and Twitter. The list goes on and on. Why? Because these companies have to be concerned about both cyber security and protecting their employees and their customers privacy. Unfortunately, this legislation does very little to protect cyber security, which has now been acknowledged by the lead sponsor of the legislation and has major problems with respect to protecting the liberty of the American people. I urge colleagues to vote no. Mr. CARPER. Mr. President, are we out of time on the Democrats' side? The PRESIDING OFFICER. Twenty seconds remain. Mr. CARPER. Colleagues, keep in mind, EINSTEIN 1 and EINSTEIN 2 are already effective to detect but not block these intrusions. EINSTEIN 3, authorized by our legislation, puts a new player on the field--a defensive player--to be able to block these intrusions. This is new and requires these agencies to implement that. For no other reason than that, it is a good reason to support this proposal. Thank you. The PRESIDING OFFICER. The Senator's time has expired. Cloture Motion The PRESIDING OFFICER. Pursuant to rule XXII, the Chair lays before the Senate the pending cloture motion, which the clerk will state. The legislative clerk read as follows: Cloture Motion We, the undersigned Senators, in accordance with the provisions of rule XXII of the Standing Rules of the Senate, do hereby move to bring to a close debate on amendment No. 2716 to S. 754, a bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Mitch McConnell, John Cornyn, Johnny Isakson, Richard Burr, John McCain, Shelley Moore Capito, Orrin G. Hatch, John Thune, Chuck Grassley, Pat Roberts, John Barrasso, Jeff Flake, Lamar Alexander, Bill Cassidy, Deb Fischer, Susan M. Collins, Patrick J. Toomey. The PRESIDING OFFICER. By unanimous consent, the mandatory quorum call has been waived. The question is, Is it the sense of the Senate that debate on amendment No. 2716, offered by the Senator from North Carolina, Mr. Burr, to S. 754, shall be brought to a close? The yeas and nays are mandatory under the rule. The clerk will call the roll. The legislative clerk called the roll. Mr. CORNYN. The following Senators are necessarily absent: the Senator from South Carolina (Mr. Graham), the Senator from Florida (Mr. Rubio), and the Senator from Louisiana (Mr. Vitter). The PRESIDING OFFICER. Are there any other Senators in the Chamber desiring to vote? The yeas and nays resulted--yeas 83, nays 14, as follows: [Rollcall Vote No. 281 Leg.] YEAS--83 Alexander Ayotte Barrasso Bennet Blumenthal Blunt Boozman Boxer Burr Cantwell Capito Cardin Carper Casey Cassidy Coats Cochran Collins Corker Cornyn Cotton Crapo Cruz Daines Donnelly Durbin Enzi Ernst Feinstein Fischer Flake Gardner Gillibrand Grassley Hatch Heinrich Heitkamp Heller Hirono Hoeven Inhofe Isakson Johnson Kaine King Kirk Klobuchar Lankford Lee Manchin McCain McCaskill McConnell Mikulski Moran Murkowski Murphy Murray Nelson Perdue Peters Portman Reed Reid Risch Roberts Rounds Sasse Schatz Schumer Scott Sessions Shaheen Shelby Stabenow Sullivan Tester Thune Tillis Toomey Warner Whitehouse Wicker NAYS--14 Baldwin Booker Brown Coons Franken Leahy Markey Menendez Merkley Paul Sanders Udall Warren Wyden NOT VOTING--3 Graham Rubio Vitter The PRESIDING OFFICER (Mr. Flake). On this vote, the yeas are 83, the nays are 14. Three-fifths of the Senators duly chosen and sworn having voted in the affirmative, the motion is agreed to. Amendment No. 2564, as Modified There will now be 10 minutes of debate equally divided prior to a vote in relation to amendment No. 2564, offered by the Senator from North Carolina, Mr. Burr, for Mr. Paul. The Senator from North Carolina. Mr. BURR. Mr. President, I wish to say to my colleagues that there is 10 minutes of debate in between these votes, so those Members who have conversations, I wish they would take them off the floor. If they are not going to have conversations, stay and listen to the debate. Mr. President, from the floor, I have said to my colleagues that the information sharing bill is a very delicately balanced piece of legislation. What we have attempted to do is to create a voluntary program that companies around this country can choose to participate in or not. Some have already expressed their opposition to it, and I would say that is very easy--pass the bill, and they just won't participate. There are going to be amendments, though, that change the balance. I don't want to get into the details of every amendment. Let me just say to my colleagues that if we change the balance we have reached not just on both sides of the aisle but with the comfort level of businesses across this country to where they believe they can no longer participate in it, then we won't have a successful information sharing bill. I think every Member of this body and every American knows that cyber attacks are not going to go away. They are going to continue, they are going [[Page S7435]] to become more numerous, and we are going to be on the floor debating something that is probably much more specific in the future. I wish we could prevent it, but right now our only tool is legislation that voluntarily asks companies to participate to minimize the loss of data. I encourage my colleagues, as the vice chair and I have--we are going to oppose all the amendments that come up. We have gone through all the amendments, and those which we could accept and which we felt embraced the balance we had achieved and could still hold together the support across the country--we incorporated those in the managers' amendment, and that managers' amendment will be voted on when we come back on Monday or Tuesday. With that, I yield the floor to my vice chair. The PRESIDING OFFICER. The Senator from California. Mrs. FEINSTEIN. Mr. President, I ask the Senate to vote no on this amendment, and I would like to explain why. This amendment would create an exemption to the bill's narrowly tailored liability protections for companies that take responsible actions to look for cyber threats and share information about them if a company ``breaks a user or privacy agreement with a customer, regardless of how trivial it may be.'' The underlying cyber bill has been carefully drafted to ensure that it is totally voluntary and that activities can only be conducted on a customer's behalf with express authorization. Let me read the language in the bill. The bill reads: Nothing in this title shall be construed-- (1) to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any entities, or between any entity and a Federal entity. There is tremendous objection to the Paul amendment that is coming in from the chamber of commerce, various companies, and the health industry. They understand what is in our bill. This amendment would actually fatally disturb what is in the bill, which is clear and concise. I urge a ``no'' vote. The PRESIDING OFFICER. The Senator from Kentucky. Mr. PAUL. Mr. President, this cyber security bill attempts to enhance security for transactions on the Internet but I think actually weakens privacy in the process. The bill would grant legal immunity to companies that, in sharing information, actually violate your privacy. Most companies have a privacy agreement. You see it when you get on the Internet. It is supposed to guarantee that your information, individual choices, and consumer choices on the Internet are not revealed to anyone. This bill says that if the company violates it in sharing your information, there will be legal immunity for that company. I think that weakens privacy. It makes the privacy agreement not really worth the paper it is written on. I think privacy is of great concern to Americans. The government doesn't have a very good record with privacy. In the news today, a teenager is now reading the email of the CIA Director. It doesn't sound as though the government is very good at protecting privacy. I am not really excited about letting them have more information. The government revealed 20 million individual records of their employees, private records of their employees. This is the same government that now says: Trust us, and let's give everybody involved immunity so the consumer has no recourse if their privacy is breached. This is the same government that allowed the ObamaCare Web site to be hacked and looked at. This is a government that doesn't have a lot of concern or ability to protect privacy. We are now asked to entrust this government with volumes and volumes of personal information sent across the vastness of the Internet. There is good reason that many of our largest technological companies oppose this legislation. My amendment will give companies and Internet users clarity on what information is shared with the government, and it will protect the privacy agreement. The PRESIDING OFFICER. The Senator from California. Mrs. FEINSTEIN. Mr. President, I would like to respond to that because we have been told that for the industries that support this bill, this amendment is a bill killer, and the opposition to it has come in far and wide. We have 52 industrial associations in business, finance, banking, petroleum, waterworks, railroads, public power, real estate, and retail--52 associations that are on your desk--supporting it. In particular, the health industry has weighed in against this amendment. We accomplished the purpose in our bill in a way that is acceptable. Please vote no. I yield the floor. The PRESIDING OFFICER. The Senator from Kentucky. Mr. PAUL. Mr. President, let us be clear that most of the high-tech companies that have anything to do with the Internet and anything to do with information sharing oppose this bill. The PRESIDING OFFICER. The Senator from North Carolina. Mr. BURR. Mr. President, I think everybody would like to vote, but I will say one last thing to my colleagues. Any company in America--any company in America--that chooses not to participate, doesn't have to. If for some reason they find there is something in this piece of legislation they are uncomfortable with or they are concerned about with regard to the transfer of any personal data, it is very simple: They do not have to participate. But to deny everybody who would like to participate is wrong. I would encourage my colleagues to defeat the amendment and support moving on. I yield the floor. The PRESIDING OFFICER. The question is on agreeing to amendment No. 2564, as modified. Mr. PAUL. I ask for the yeas and nays. The PRESIDING OFFICER. Is there a sufficient second? There appears to be a sufficient second. The clerk will call the roll. The bill clerk called the roll. Mr. CORNYN. The following Senators are necessarily absent: the Senator from South Carolina (Mr. Graham), the Senator from Florida (Mr. Rubio), and the Senator from Louisiana (Mr. Vitter). The PRESIDING OFFICER (Mrs. Fischer). Are there any other Senators in the Chamber desiring to vote? The result was announced--yeas 32, nays 65, as follows: [Rollcall Vote No. 282 Leg.] YEAS--32 Baldwin Barrasso Bennet Booker Boxer Brown Cantwell Cardin Coons Crapo Cruz Daines Durbin Enzi Franken Gillibrand Heinrich Heller Leahy Lee Markey Menendez Merkley Murkowski Murray Paul Sanders Schumer Sullivan Udall Warren Wyden NAYS--65 Alexander Ayotte Blumenthal Blunt Boozman Burr Capito Carper Casey Cassidy Coats Cochran Collins Corker Cornyn Cotton Donnelly Ernst Feinstein Fischer Flake Gardner Grassley Hatch Heitkamp Hirono Hoeven Inhofe Isakson Johnson Kaine King Kirk Klobuchar Lankford Manchin McCain McCaskill McConnell Mikulski Moran Murphy Nelson Perdue Peters Portman Reed Reid Risch Roberts Rounds Sasse Schatz Scott Sessions Shaheen Shelby Stabenow Tester Thune Tillis Toomey Warner Whitehouse Wicker NOT VOTING--3 Graham Rubio Vitter The amendment (No. 2564), as modified, was rejected. Ms. COLLINS. Madam President, I ask unanimous consent to speak as in morning business for not longer than 10 minutes. The PRESIDING OFFICER. Without objection, it is so ordered. (The remarks of Ms. Collins pertaining to the introduction of S. 2194 are printed in today's Record under ``Statements on Introduced Bills and Joint Resolutions.'') Ms. COLLINS. Madam President, I suggest the absence of a quorum. The PRESIDING OFFICER. The clerk will call the roll. The senior assistant legislative clerk proceeded to call the roll. [[Page S7436]] Mr. MERKLEY. Madam President, I ask unanimous consent that the order for the quorum call be rescinded. The PRESIDING OFFICER. Without objection, it is so ordered. [...] [Congressional Record Volume 161, Number 155 (Thursday, October 22, 2015)] [Senate] [Pages S7452-S7453] CYBERSECURITY INFORMATION SHARING ACT Mr. FRANKEN. Mr. President, I rise today to talk about the Intelligence Committee bill we are currently debating, the Cybersecurity Information Sharing Act of 2015, or CISA. This Chamber sees its fair share of disagreements, so it is worth noting when there is something we can all agree on, and I think we can all agree on the need for congressional action on cyber security. We face ever-increasing cyber attacks from sophisticated individuals, organized crime syndicates, and foreign regimes. These attacks pose a real threat to our economy and to our national security. It is clear that we must respond to these new threats because the cost of complacency is too high, but it is critical, in deciding how we protect our information networks, that we also continue to protect the fundamental privacy rights and civil liberties of Americans. In short, there is a pressing need for meaningful, effective cyber security legislation that balances privacy and security. Unfortunately, as it now stands, the Cybersecurity Information Sharing Act falls short. Since this legislation was first introduced, I and a number of my colleagues on both sides of the aisle have raised serious concerns about the problems the bill presents for Americans' privacy and for the effective operation of our Nation's cyber defense. My colleagues and I are not alone. Serious concerns have been raised by technologists and security experts, civil society organizations from across the political spectrum, and major tech companies, such as Apple, Dropbox, Twitter, Yelp, salesforce.com, and Mozilla. Neither the Business Software Alliance nor the Computer & Communications Industry Association supports CISA as written. In a letter I received from the Department of Homeland Security this summer, the agency--which has a leading role in cyber security for the Federal Government--expressed concern about specific aspects of CISA. DHS explained that under the bill's approach, ``the complexity--for both government and businesses--and inefficiency of any information sharing program will markedly increase.'' The letter explained that CISA would do away with important privacy protections and could make it harder, not easier, to develop ``a single, comprehensive picture of the range of cyber threats faced daily.'' Senator Burr and Senator Feinstein, the bill managers, have worked very hard over the last months to improve various aspects of the bill, and their substitute amendment offers a significantly improved version of CISA. I really appreciate their efforts, but it is clear to me and others that the improvements did not go far enough. Major concerns raised in the letter from DHS and voiced by security experts, privacy advocates, and tech companies still have not been resolved. Let me briefly describe three of them. First, the bill gives companies a free pass to engage in network monitoring and information sharing activities, as well as the operation of defensive measures, in response to anything they deem a ``cyber security threat,'' no matter how improbable it is that it constitutes a risk of any kind. The term ``cyber security threat'' is really the linchpin of this bill. Companies can monitor systems, share cyber threat indicators with one another or with the government, and deploy defensive measures to protect against any cyber security threats. So the definition of ``cyber security threat'' is pretty important, and the bill defines ``cyber security threat'' to include any action that ``may result in an unauthorized effort to adversely impact'' cyber security. Under this definition, companies can take action even if it is unreasonable to think that security might be compromised. This raises serious concerns about the scope of all of the authorities granted by the bill and the privacy implications of those authorities. Security experts and advocates have warned that in this context, establishing the broadest possible definition of ``cyber security threat'' actually threatens to undermine security by increasing the amount of unreliable information shared with the government. I have written an amendment, which is cosponsored by Senators Leahy, Wyden, and Durbin, which would set the bar a bit higher, requiring that a threat be at least ``reasonably likely'' to result in an effort to adversely impact security. This standard gives companies plenty of flexibility. They don't need to be certain that an incident or event is an attack before they share information, but they should have at least determined that it is a plausible threat. The definition of a cyber security threat isn't the only problematic provision of the bill. This brings me to the second concern that I would like to highlight. The bill provides a blanket authorization that allows companies to share information ``notwithstanding any other provision of law.'' As DHS explained this past summer, that statutory language ``sweeps away important privacy protections.'' Indeed, it means that CISA would override all existing privacy laws, from the Electronic Communications Privacy Act, ECPA, to HIPAA, a law that protects sensitive health information. Moreover, this blanket authorization applies to sharing done with any Federal agency. Companies are free to directly share with whomever they may choose, including law enforcement and military intelligence agencies. This means that, unbeknownst to their customers, companies may share information that contains customers' personal information with NSA, FBI, and others. From a security perspective, it also means we are setting up a diffuse system. I want to emphasize this. This is setting up a diffuse system that, as DHS's letter acknowledged, is likely to be complex and inefficient, where it is [[Page S7453]] actually harder for our cyber security experts to connect the dots and keep us safe. These are all reasons why privacy experts, independent security experts, and the Department of Homeland Security have all warned that CISA's blanket authorization is a problem. Earlier this year, the House avoided this problem when they passed the National Cybersecurity Protection Advancement Act by a vote of 355 to 63. That information sharing bill only authorizes sharing with the government through a single civilian hub at the Department of Homeland Security--a move toward efficient streamlining of information that is also good for privacy. But understand that this is the House of Representatives, 355 to 63, saying: Let's make this easier for the government to have all the information in one place. Finally, CISA fails to adequately assure the removal of irrelevant personal information. This, of course, is a major concern. The bill allows personal information to be shared even when there is a high likelihood that the information is not related to a cyber security threat. Combined with the bill's overly broad definition of ``cyber security threat,'' this basically ensures that private entities will share extraneous information from Americans' personal communications. If companies are going to receive the broad liability protection this bill provides, they should be expected to do better than this. Senator Wyden has offered an amendment, which I am proud to be the cosponsor of, which would require companies to be more diligent and to remove ``to the extent feasible'' any personal information that isn't necessary to identify a cyber security threat. The ``extent feasible'' is a crucial improvement, but it is hardly novel; in fact, it is basically the same standard that is in place today when information is shared between private companies and the Department of Homeland Security. There is no justification for lowering that standard in CISA, especially because the bill also provides companies with significant liability protection. Mr. President, the amendments I have talked about today, as well as a number of other pending amendments, would make CISA a better deal, one that is significantly more protective of Americans' privacy and more likely to advance cyber security. I want to encourage my colleagues to support these amendments. Without them, I fear that, however well intentioned, CISA would do a disservice to the American people. I suggest the absence of a quorum. The PRESIDING OFFICER. The clerk will call the roll. The senior assistant legislative clerk proceeded to call the roll. Mr. CARPER. Mr. President, I ask unanimous consent that the order for the quorum call be rescinded. The PRESIDING OFFICER. Without objection, it is so ordered. ____________________