[Congressional Record Volume 161, Number 92 (Wednesday, June 10, 2015)] [Senate] [Pages S3986-S4017] NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2016 [...] Cybersecurity Information Sharing Act Mrs. FEINSTEIN. Mr. President, last week we learned of the latest in the string of massive breaches of private information from cyber penetrations, this time of government personnel records held by the Office of Personnel Management. In its annual worldwide threat assessment, the intelligence community this year ranked cyber intrusions and attacks as the No. 1 threat to our Nation's security. Cyber attacks and threats are also a major drag on our economy, with the theft of billions and billions of dollars of intellectual property and actual money from our Nation's businesses. Quite simply, cyber attacks are a major and growing threat to every aspect of our life. It is with that background that Senator Burr and I began working early this year on a new cyber security information-sharing bill. It is a first-step bill, in that for sharing company to company or sharing cyber threat information directly with the government, a company would receive liability protection and therefore feel free to have this kind of constructive interchange. The Senate Select Intelligence Committee produced the bill in the last Congress, but it didn't receive a vote. Chairman Burr and I have been determined not only to get a vote but to get a bill signed into law. It should be evident to everybody that the only way we will get this done is if it is bipartisan. With significant compromises on both sides, we put together the Cybersecurity Information Sharing Act, a bill approved in March by our Intelligence Committee by an overwhelming 14-to-1 vote. That bill has been ready for Senate consideration for nearly 3 months but has not yet been brought to the floor. Last week's attack underscores why such legislation is necessary. The Democratic leader told me many weeks ago that this issue is too important for political wrangling, that he would not seek to block or slow down consideration of the bill and would work to move the bill quickly. So the bill is ready for floor consideration. Now, a number of my colleagues would like to propose amendments--as is their right--and I expect I would support some of them and would oppose some of them. The Senate should have an opportunity to fully consider the bill and to receive the input of other committees with jurisdiction in this area. Unless we do this, we won't have a bipartisan vote, I believe, because, like it or not, no matter how simple--and I have been through two bills now--this was not an easy bill to draft because there are conflicts on both sides. Filing the cyber security bill as an amendment to the Defense authorization bill prompted a lot of legitimate and understandable concern from both sides of the aisle. People want debate on the legislation, and they want an opportunity to offer relevant amendments. To do this as an amendment--when Senator Burr discussed it with me, I indicated I did not want to go on and make that proposal--I think is a mistake. I very much hope that the majority leader will reconsider this path, and that once we have finished with the Defense authorization bill, the Senate can take up, consider, and hopefully approve the cyber security legislation. I think if we do it any other way, we are in for real trouble, and this is the product of experience. So I very much hope that there can be a change in procedure and that this bill--I know our leader will agree--could come up directly following the Defense authorization bill. I thank the Chair, and I yield the floor. [...] Amendment No. 1921 Mr. McCAIN. Madam President, I want to say a few words about the Burr amendment, No. 1921, which has now been made pending. I am thankful for the leadership of Chairman Burr and Vice Chairman Feinstein. The language of this amendment, of which I am an original cosponsor, was overwhelmingly approved by a 14-to-1 vote in the Senate Select Committee on Intelligence in March. Implementing legislation to address a long list of cyber threats that have become all too common is among my highest priorities. Earlier this month, it was the Office of Personnel Management and the Army. A few weeks before that, it was the Pentagon network, the White House, and the State Department. Before that, it was Anthem and Sony. That is just to name a few. I am pleased we are able to consider this amendment on the National Defense Authorization Act. This voluntary information sharing is critical to addressing these threats and ensuring that mechanisms are in place to identify those responsible for costly and crippling cyber attacks and ultimately deterring future attacks. Our current defenses are inadequate, and our overall cyber strategy has failed to deter cyber adversaries from continued attacks of intellectual property theft and cyber espionage against the U.S. Government and American companies. This failure to develop a meaningful cyber deterrent strategy has increased the resolve of our adversaries and will continue to do so at a growing risk to our national security [[Page S3997]] until we demonstrate that the consequences of exploiting the United States through cyber greatly outweigh any perceived benefit. This amendment is a crucial piece of that overall deterrent strategy, and it is long past time that Congress move forward on information- sharing legislation. This legislation--again, 14 to 1 from the Select Committee on Intelligence--complements a number of critical cyber provisions which are already in the bill which will ensure that the Department of Defense has the capabilities it needs to deter aggression, defend our national security interests, and, when called upon, defeat our adversaries in cyber space. The bill authorizes the Secretary of Defense to develop, prepare, coordinate, and, when authorized by the President, conduct a military cyber operation in response to malicious cyber activity carried out against the United States or a U.S. person by a foreign power. The bill includes a provision requiring the Secretary of Defense to conduct biennial exercises on responding to cyber attacks against critical infrastructure. It limits $10 million in funds available to the Department of Defense to provide support services to the Executive Office of the President until the President submits the integrated policy to deter adversaries in cyber space, which was required by the National Defense Authorization Act for Fiscal Year 2014. It authorizes $200 million for a directed evaluation by the Secretary of Defense of the cyber vulnerabilities of every major DOD weapons system by not later than December 31, 2019. It requires an independent panel on DOD war games to assess the ability of the national mission forces of the U.S. Cyber Command to reliably prevent or block large-scale attacks on the United States by foreign powers with capabilities comparable to those expected of China, Iran, North Korea, and Russia in years 2020 and 2025. It establishes a $75 million cyber operations procurement fund for the commander of U.S. Cyber Command to exercise limited acquisition authorities. It directs the Secretary of Defense to designate Department of Defense entities to be responsible for the acquisition of critical cyber capabilities. The cyber security bill was passed through the Select Committee on Intelligence because that is clearly, in many respects, among the responsibilities of the Select Committee on Intelligence. But I think it is obvious to anyone that the Department of Defense is a major player. I just outlined a number of the provisions of the bill which are directly overseen and related to the Department of Defense. So my friends on the other side of the aisle seem to be all torqued- up about the fact that this cyber bill should be divorced from the Department of Defense. I know that my colleagues on the other side of the aisle are very aware that just in the last few days, 4 million Americans--4 million Americans--had their privacy compromised by a cyber attack. The Chairman of the Joint Chiefs of Staff has stated that we are ahead in every aspect of a potential adversary except for one, and that is cyber. There are great threats that are now literally to America's supremacy in space and to many other aspects of technology that have been developed throughout the world and are now part of our daily lives. So I am not quite sure why my friends on the other side of the aisle should take such exception to legislation that addresses our national security and the threats to it, which literally every expert in America has agreed is a major threat to our ability to defend the Nation. So I think there are colleagues who are not on the Intelligence Committee and are not familiar with the provisions of this bill. It clearly is not only Department of Defense-related, but it is Department of Defense-centric, with funds available to DOD to provide services to the Executive Office of the President, $200 million, cyber vulnerabilities of major DOD weapons system, an independent panel on DOD war games, and on and on. It is Department of Defense-related, and it is the whole purpose of the Defense authorization bill, which is to defend the Nation. To leave cyber security out of that--yes, there are some provisions in the underlying bill, but this hones and refines the requirements that we are badly in need of and gives the President of the United States and Secretary of Defense tools to try to limit the damage that is occurring as we speak. I want to repeat--and to my colleague from Indiana who is a member of that committee, I would ask him--4 million Americans recently were compromised by cyber attack. Mr. COATS. In response to my friend from Arizona---- Mr. McCAIN. Madam President, I ask unanimous consent to engage in a colloquy with the Senator from Indiana. The PRESIDING OFFICER. Is there objection? Without objection, it is so ordered. Mr. COATS. Madam President, this is a serious breach, and there is more to the story to be told. It shows the extreme position that we are in here as Americans, as there are those who want to take this country down, those who want to invade privacy of Americans and have the capabilities of breaching this. The legislation before us, and the reason why it is brought here now and, hopefully, will be attached to the Defense bill is that this needs to be done now and not later. How many breaches do we have to hear about--whether it is the private sector or whether it is the government sector--before this Congress and this Senate will stand up and say we have the capability of preventing some of these things from happening, but we need the legislative authority to do it. To delay and not even allow us to go forward with this puts more and more millions of Americans at risk, whether they work for the government or are in private industry. Mr. McCAIN. And isn't it true, I would ask my colleague from Indiana, that the Chairman of the Joint Chiefs of Staff recently stated that in the potential of our adversaries to threaten our security, we have a definite superiority in all areas except for one, which is in the issue of cyber security; is that correct? Mr. COATS. I think that is obvious, because, clearly, while we have the capability to address some of these issues, we are not allowed to use the capability. This legislation gives us the opportunity to have a cooperative effort. Some of those who resist the use of this because they think it is potentially a breach of privacy now understand that breaches are occurring from outside and into the United States, by those who are enemies of the state, those who are criminal groups, those who are terrorist groups. While we may have the capacity to deal with this, without this legislative authority we are not allowed to use it. So what an irony--what an irony that some are saying: We can't trust the government on this to help us. This is defense. This is like saying we can't trust the Department of Defense, we can't trust the Army or the Navy to protect us from attack because it is government-run. Now, they are saying there are some operations in government here that are part of our defenses that can't be used until we have authority. The irony is that people's privacies are being breached by all of these attempts, and we are denying the opportunity to put the tools in place to stop that from happening. Mr. McCAIN. Could I ask my colleague again: The 4 million people whose privacy was just breached--4 million Americans--what potential damage is that to those individual Americans? Mr. COATS. Well, we are just learning what damage this is and how it can be misused in any number of ways. Some of this information is classified. But I can say to my colleague from Arizona, the chairman of the Armed Services Committee, that this puts some of our people and some of our systems in great peril. It is something that needs to be addressed now and not pushed down the line. Mr. McCAIN. So it seems to me that to those 4 million Americans, we owe them and it is our responsibility--in fact, our urgent responsibility--to try to prevent that same kind of breach from being perpetrated on 4 million or 8 million or 10 million more Americans. If they are capable of doing it once to 4 million Americans, what is to keep them from doing the same thing to millions of Americans more, if we sit here idly by and do nothing on the grounds that the objection is that it is not part of the Department of Defense [[Page S3998]] bill, which seems to me almost ludicrous? Mr. COATS. Well, since the Department of Defense is one of those agencies being attacked, I would certainly think this is the appropriate attachment to a bill for which, hopefully, we will be given the opportunity by our friends across the aisle. Hopefully, we will be able to pass it in the Senate, move it on to the House, and get it to the President so that these authorities can be in place. The Senator mentioned 4 million. A company whose headquarters is in the State of Indiana, Anthem insurance company, was breached--and this is public information--of 80 million people on their roles. That is almost one-third of all Americans who have had their private information breached by a cyber attack--not to mention the threat that comes from cyber attack on our critical infrastructure. What if they take down the financial system of one of our major banks or several banks? What if they take down the financial transactions that they place on Wall Street every day? What if they shut down an electric power grid in the middle of February when the temperatures in the Northeast are in minus-Fahrenheit temperatures or when it is 110 degrees in Phoenix and you lose your power and can't turn on air conditioning? People will die. People will be severely impacted by this. To not go forward and give authorization to use the tools to try to better protect American safety is not only unreasonable but is a very serious thing. Mr. McCAIN. I thank my colleague from Indiana for his outstanding work on a very difficult issue that poses a threat to every American and citizens throughout the world. I yield the floor. [...] Cybersecurity Information Sharing Act Mr. WYDEN. Mr. President, I wish to speak this afternoon about a controversial proposal, the Cybersecurity Information Sharing Act, otherwise known as CISA, which was filed yesterday as an amendment to the Defense authorization bill. I want to begin by saying to the Senate that I believe tacking this legislation onto the Defense bill would, in my view, be a significant mistake. I expect our colleagues are going to have a wide range of views about this legislation, and I hope the Senate can agree that bills as controversial as this one ought to be subject to public debate and an open-ended process, not stapled onto unrelated legislation with only a modest amount of discussion. This is particularly true given the issue of cyber security, which is going to have a significant impact on the security and the well-being of the American people and obviously the consumer rights and the privacy of law-abiding Americans. Because it is designed to increase government collection of information from private companies, I am of the view that for the Senate to have this expansion of collecting so much information about the people of the United States, for it to have real legitimacy in the eyes of the public, it is important to have open debate, with votes on amendments from Senators who have a wide variety of opinions on the issue of cyber security. Trying to rush this bill through the Senate, in my view, is not going to increase public confidence. So let me be clear about the process and talk a bit about the substance of the legislation as well. I believe tacking it onto the Defense bill is a flawed process. But I think there are also significant flaws with the substance of the legislation as well. Dozens of independent experts agree this legislation will have serious consequences and do little to make our Nation more secure at a time when cyber threats are very real. The issue of cyber threats requires more than a placebo, and this legislation is a bandaid on a gaping wound. I believe the Senate, having the time for adequate reflection and amendment, can do better. In beginning, I would like the Senate to know just how much controversy and concern this legislation has generated among those who are considered independent experts on cyber security. Shortly before the Intelligence Committee, which I have been honored to serve on for more than 14 years--shortly before the committee marked up this legislation, a coalition of nearly 50 organizations and security experts wrote to the members of the Intelligence Committee expressing serious concerns about the legislation. Mr. President, I ask unanimous consent that this letter be printed in the Record. There being no objection, the material was ordered to be printed in the Record, as follows: Re Cyber Threat Information Sharing Bills April 16, 2015. Senator Dianne Feinstein, Hart Senate Office Building, Washington, DC. Congressman Adam Schiff, Rayburn House Office Building, Washington, DC. Congressman Michael McCaul, Cannon House Office Building, Washington, DC. Senator Richard Burr, Russell Senate Office Building, Washington, DC. Congressman Devin Nunes, Longworth House Office Building, Washington, DC. Dear Senator Burr, Senator Feinstein, and Representatives Nunes, Schiff, and McCaul: We are writing you today as technologists, academics, and computer and network security professionals who research, report on, and defend against Internet security threats. Among us are antivirus and threat signature developers, security researchers and analysts, and system administrators charged with securing networks. We have devoted our careers to building security technologies, and to protecting networks, computers, and critical infrastructure against a wide variety of even highly sophisticated attacks. We do not need new legal authorities to share information that helps us protect our systems from future attacks. When a system is attacked, the compromise will leave a trail, and investigators can collect these bread crumbs. Some of that data empowers other system operators to check and see if they, too, have been attacked, and also to guard against being similarly attacked in the future. Generally speaking, security practitioners can and do share this information with each other and with the federal government while still complying with our obligations under federal privacy law. Significantly, threat data that security professionals use to protect networks from future attacks is a far more narrow category of information than those included in the bills being considered by Congress, and will only rarely contain private information. In those rare cases, we generally scrub the data without losing the effectiveness of the threat signature. These are some common categories of data that we share to figure out if systems have been compromised (indicators of compromise, or IoCs) and to mitigate future threats: Malware file names, code, and hashes Objects (code) that communicate with malware Compile times: data about the conversion of source code to binary code File size File path location: where on the computer system malware files are stored Registry keys: configuration settings for low-level operating system and applications Memory process or running service information Attached to this letter is an actual example of a threat signature containing data that helps system administrators secure their networks. You'll see that the information does not contain users' private information. Waiving privacy rights will not make security sharing better. The more narrowly security practitioners can define these IoCs and the less personal information that is in them, the better. Private information about individual users is often a detriment in developing threat signatures because we need to be able to identify an attack no matter where it comes from and no matter who the target is. Any bill that allows for and results in significant sharing of personal information could decrease the signal-to-noise ratio and make IoCs less actionable. Further, sharing users' private information creates new security risks. Here are just three examples: First, any IoC that contains personal information exacerbates the danger of false-positives, that innocent behavior will erroneously be classified as a threat. Second, distribution of private data like passwords could expose our users to unauthorized access, since, unfortunately, many people use the same password across multiple sites. Third, private data contained in personal emails or other messages can be abused by criminals developing targeted phishing attacks in which they masquerade as known and trusted correspondents. For these reasons, we do not support any of the three information sharing bills currently under consideration--the Cybersecurity Information Sharing Act (CISA), the Protecting Cyber Networks Act (PCNA), or the National Cybersecurity Protection Advancement Act of 2015. These bills permit overbroad sharing far beyond the IoCs described above that are necessary to respond to an attack, including all ``harms'' of an attack. This excess sharing will not aid cybersecurity, but would significantly harm privacy and could actually undermine our ability to effectively respond to threats. As a general rule, when we do need to share addressing information, we are sharing the addresses of servers which are used to host malware, or to which a compromised computer will connect for the exfiltration of data. In these cases, this addressing information helps potential victims block malicious incoming connections. These addresses do not belong to subscribers or customers of the victims of a security breach or of our clients whose systems we are helping to secure. Sharing this kind of addressing is a common current practice. We do not see the need for new authorities to enable this sharing. [[Page S4007]] Before any information sharing bill moves further, it should be improved to contain at least the following three features: 1. Narrowly define the categories of information to be shared as only those needed for securing systems against future attacks; 2. Require firms to effectively scrub all personally identifying information and other private data not necessary to identify or respond to a threat; and 3. Not allow the shared information to be used for anything other than securing systems. We appreciate your interest in making our networks more secure, but the legislation proposed does not materially further that goal, and at the same time it puts our users' privacy at risk. These bills weaken privacy law without promoting security. We urge you to reject them. Sincerely, Ben Adida; Jacob Appelbaum, Security and privacy researcher, The Tor Project; Sergey Bratus, Research Associate Professor, Computer Science Department, Dartmouth College; Eric Brunner-Williams, CTO, Wampumpeag; Dominique Brezinski, Principal Security Engineer, Amazon.com; Jon Callas; Katherine Carpenter, Independent Consultant; Antonios A. Chariton, Security Researcher, Institute of Computer Science, Foundation of Research and Technology--Hellas; Stephen Checkoway, Assistant Research Professor, Johns Hopkins University; Gordon Cook, Technologist, writer, editor and publisher of ``COOK report on Internet Protocol'' since 1992; Shaun Cooley, Distinguished Engineer, Cisco; John Covici, Systems Administrator, Covici Computer Systems; Tom Cross, CTO, Drawbridge Networks; David L. Dill, Professor of Computer Science, Stanford University; A. Riley Eller, Chief Technology Officer, CoCo Communications Corp; Rik Farrow, USENIX. Robert G. Ferrell, Special Agent (retired), U.S. Dept of Defense; Kevin Finisterre, Owner, DigitalMunition; Bryan Ford, Associate Professor of Computer Science, Yale University; Dr. Richard Forno, Affiliate, Stanford Center for Internet and Society; Paul Ferguson, Vice President, Threat Intelligence; Jim Fruchterman, Benetech; Kevin Gennuso, Information Security Professional; Dan Gillmor. Teacher and technology writer; Sharon Goldberg, assistant professor, Computer Science Department, Boston University; Joe Grand, Principal Engineer, Grand Idea Studio, Inc.; Thaddeus T Grugq, independent security researcher; J. Alex Halderman, Morris Wellman Faculty Development Assistant Professor of Computer Science and Engineering, University of Michigan, Director, University of Michigan Center for Computer Security and Society; Professor Carl Hewitt, Emeritus EECS MIT; Gary Knott, PhD (Stanford CS, 1975), CEO, Civilized Software; Rich Kulawiec, Senior Internet Security Architect, Fire on the Mountain, LLC; Ryan Lackey; Product, CloudFlare, Inc. Ronald L. Larsen, Dean and Professor, School of Information Sciences, University of Pittsburgh; Christopher Liljenstolpe, Chief architect for AS3561 (at the time about 30% of the Internet backbone by traffic) and AS1221 (Australia's main Internet infrastructure); Ralph Logan, Partner, Logan Haile, LP; Robert J. Lupo, Senior Security Engineer ``sales team'', IBM inc.; Marc Maiffret, Former CTO BeyondTrust; Steve Manzuik, Director of Security Research, Duo Security; Ryan Maple. Information security professional; Brian Martin, President Open Security Foundation (OSF); Morgan Marquis- Boire; Aaron Massey, Postdoctoral Fellow, School of Interactive Computing, Georgia Institute of Technology; Andrew McConachie. Network engineer with experience working on Internet infrastructure; Daniel L. McDonald, RTI Advocate and Security Point-of-Contact, illumos Project; Alexander McMillen, Mission critical datacenter and cloud services expert; Charlie Miller, Security Engineer at Twitter; HD Moore, Chief Research Officer, Rapid7. Joseph ``Jay'' Moran, Vice President of Cimpress Technology Operations; Peter G. Neumann, Senior Principal Scientist, SRI International Moderator of the ACM Risks Forum (risks.org); Jesus Oquendo, Information Security Researcher, E-Fensive Security Strategies; Ken Pfeil, CISO, Pioneer investments; Benjamin C. Pierce, Professor of Computer and Information Science, University of Pennsylvania; Ryan Rawdon, Network and Security Engineer; Bruce Schneier, security researcher and cryptographer, published seminal works on applied cryptography; Sid Stamm, Ph.D., Principal Engineer, Security and Privacy, Mozilla; Visiting Assistant Professor of Computer Science, Rose-Hulman Institute of Technology; Armando Stettner, Technology Consultant; Matt Suiche, Staff Engineer, VMware. C. Thomas (Space Rogue), Security Strategist Tenable Network Security; Arrigo Triulzi, independent security consultant; Doug Turner, Sr. Director--Privacy, Security, Networking, Mozilla Corporation; Daniel Paul Veditz, Principal Security Engineer, Mozilla, Co-chair Web Application Security Working Group, W3C; David Wagner, Professor of Computer Science, University of California, Berkeley; Dan S. Wallach, Professor, Department of Computer Science and Rice Scholar, Baker Institute for Public Policy, Rice University; Jonathan Weinberg, Professor of Law, Wayne State University; Stephen Wilson, Managing Director and Founder, Lockstep Technologies; Chris Wysopal, CTO and co- founder Veracode, Inc.; Stefano Zanero, Board of Governors member, IEEE Computer Society. Mr. WYDEN. The signers of the letter expressed very serious concerns about the legislation and were particularly concerned it would ``significantly undermine privacy and civil liberties.'' Unfortunately, as the signers of the legislation will report, these concerns were not adequately addressed in the committee markup. Shortly after the committee markup, a group of 65 technologists and cyber security professionals wrote to Chairman Burr and Vice Chairman Feinstein expressing their opposition to this legislation. Mr. President, I ask unanimous consent that this letter be printed in the Record as well. There being no objection, the material was ordered to be printed in the Record, as follows: March 2, 2015. Chairman Richard Burr, Senate Select Committee on Intelligence, U.S. Senate. Vice Chairman, Dianne Feinstein, Senate Select Committee on Intelligence, U.S. Senate. Dear Chairman Burr, Vice Chairman Feinstein, and Members of the Senate Select Committee on Intelligence: We the undersigned civil society organizations, security experts, and academics write to explain how the Cybersecurity Information Sharing Act of 2015 (CISA), would significantly undermine privacy and civil liberties. We now know that the National Security Agency (NSA) has secretly collected the personal information of millions of users, and the revelation of these programs has created a strong need to rein in, rather than expand, government surveillance. CISA disregards the fact that information sharing can--and to be truly effective, must--offer both security and robust privacy protections. The legislation fails to achieve these critical objectives by including: Automatic NSA access to personal information shared with a governmental entity; Inadequate protections prior to sharing; Dangerous authorization for countermeasures; and Overbroad authorization for law enforcement use. For the following reasons, we urge rejection of CISA in its current form: Automatic NSA Access to Personal Information and Communications: Since the summer of 2013, NSA surveillance activities, such as the telephony metadata bulk collection program and the PRISM program, have raised nationwide alarm. CISA ignores these objections, and requires real time dissemination to military and intelligence agencies, including the NSA. Congress should be working to limit the NSA's overbroad authorities to conduct surveillance, rather than passing a bill that would increase the NSA's access to personal information and private communications. Automatic sharing with NSA risks not only privacy, but also effectiveness. During a recent House Intelligence Committee hearing, NSA Director Admiral Mike Rogers stated that sharing threat indicators without filtering out personal data would slow operations and negatively impact NSA's cyber defense activities. Further, in the wake of revelations regarding the PRISM program, major tech companies stated that they would not voluntarily share users' information with the NSA. Automated NSA access could thus disincentivize sharing, undercutting the key goal of the legislation. Inadequate Protections Prior to Sharing: CISA does not effectively require private entities to strip out information that identifies a specific person prior to sharing cyber threat indicators with the government, a fundamental and important privacy protection. While the bill requires that companies ``review'' cyber threat indicators for information that identifies a specific person and sometimes remove it, the bill contains no standard to ensure that this review effort is--at a minimum--reasonable. Further, the bill requires companies to remove that information only for individuals that it knows are ``not directly related to a cybersecurity threat.'' This could encourage companies to retain data by default, unnecessarily exposing the information of innocent bystanders and victims to the government, and making it available to law enforcement for a myriad of investigative uses. Legislation should instead require that prior to sharing, companies make at least a reasonable effort to identify all personally identifiable information and, unless it is necessary to counter the cyber threat before sharing any indicators with the government, remove it. The default should be to preserve privacy, rather than to sacrifice it. Dangerous Authorization for Countermeasures: CISA authorizes countermeasures ``notwithstanding any law,'' including the federal Computer Fraud and Abuse Act. As amended by CISA, federal law would permit companies to retaliate against a perceived threat in a manner that may cause significant harm, and undermine cybersecurity. CISA provides that countermeasures must be ``operated on'' one's own information systems, but may have off-networks effects-- including harmful effects to external systems--so long as the countermeasures do not ``intentionally'' destroy other entities' systems. Given the risks of misattribution and [[Page S4008]] escalation posed by offensive cyber activities--as well as the potential for misappropriation--this is highly inadvisable. CISA permits companies to recklessly deploy countermeasures that damage networks belonging to innocent bystanders, such as a hospital or emergency responders that attackers use as proxies to hide behind, so long as the deploying company does not intend that the countermeasure result in harm. CISA's authorization would not only inadvisably wipe away the Computer Fraud and Abuse Act's current prohibition against these activities, it would be dangerous to internet security. Overbroad Law Enforcement Use: Law enforcement use of information shared for cybersecurity purposes should be limited to prosecuting specific cyber crimes identified in the bill and preventing imminent loss of life or serious bodily harm. CISA goes far beyond this, and permits law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force, including those that involve no threat of death or significant bodily harm, as well as for terrorism investigations, which have served as the basis for overbroad collection programs, and any alleged violations of various provisions of the Espionage Act. The lack of use limitations creates yet another loophole for law enforcement to conduct backdoor searches on Americans--including searches of digital communications that would otherwise require law enforcement to obtain a warrant based on probable cause. This undermines Fourth Amendment protections and constitutional principles. Cybersecurity legislation should be designed to increase digital hygiene and identify and remediate advanced threats, not create surveillance authorities that would compromise essential privacy rights, and undermine security. Accordingly, we urge that the Committee not approve this bill without addressing these concerns. Thank you for your consideration, Civil Society Organizations--Access; American-Arab Anti- Discrimination Committee; American Library Association; Advocacy for Principled Action in Government; American Civil Liberties Union; Association of Research Libraries; Bill of Rights Defense Committee; Brennan Center for Justice; Center for Democracy & Technology; Center for National Security Studies; Competitive Enterprise Institute; Constitutional Alliance; The Constitution Project; Council on American Islamic Relations; Cyber Policy Project; Defending Dissent Foundation; Demand Progress; Electronic Frontier Foundation Free Press Action Fund FreedomWorks; Liberty Coalition; National Association of Criminal Defense; Lawyers; New America's Open Technology Institute; Project on Government Oversight; R Street Institute; Sunlight Foundation. Security Experts and Academics--Ben Adida, Cryptographer; Jacob Appelbaum, The Tor Project; Alvaro Bedoya, Center on Privacy and Technology at Georgetown Law; Brian Behlendorf; David J Farber, University of Pennsylvania; J. Alex Halderman, University of Michigan; Joan Feigenbaum, Yale University; Bryan Ford, Yale University; Matthew D. Green, Johns Hopkins University; Daniel Kahn Gillmor, Technologist; Susan Landau, Worcester Polytechnic Institute; Sascha Meinrath, X-Lab; Peter G, Neumann, SRI International; Ronald L. Rivest, Massachusetts Institute of Technology; Phillip Rogaway, University of California, Davis; Bruce Schneier, Cryptographer and Security Specialist; Christopher Soghoian, Technologist; Gene Spafford, Purdue University; Micah Sherr, Georgetown University; Adam Shostack; Dan S. Wallach, Rice University; Nicholas Weaver, University of California at Berkeley. Mr. WYDEN. This is a particularly important letter. We have some of the most distinguished independent experts from across the country-- whether Amazon or Sysco, Stanford University, Dartmouth, some of the leading experts in the private sector and academia--expressing real concerns about this legislation and its House companion. From their letter: We appreciate your interest in making our networks more secure, but the legislation proposed does not materially further that goal, and at the same time it puts our users' privacy at risk. These bills weaken privacy law without promoting security. We urge you to reject them. The reason I want our colleagues to be aware that these distinguished scientists in Silicon Valley, and literally every corner of the country, are so concerned is that the American people want both security and liberty--and they understand the two are not mutually exclusive. What this distinguished group of experts has just said is this ``weaken[s] privacy law without promoting security.'' I hope the Senate will review what these experts are saying. Along the same lines, I note that the Christian Science Monitor recently polled a group of more than 78 high-profile security and privacy experts from across government, think tanks, and the private sector. With these experts, they asked if legislation along the lines of this bill--this bill which has been attached to the Defense authorization. These experts were asked if this legislation would significantly reduce security breaches, and 87 percent said it would not. Many of them noted--a concern I have noted in opposing the legislation--that incentivizing private companies to share information about security threats is a very worthwhile proposition, a worthwhile thing to do. But they go on to say that bills like this are going to have limited value in that area and would have significant negative consequences. Now, many of my colleagues may have some disagreement with some of the dozens and dozens of independent experts I have just mentioned. Some of them may agree with the 13 percent of those experts who said this bill will do a lot to reduce security breaches. That is their right, and that is what a good Senate debate would be all about. But what the Senate should not do is pretend that this legislation is uncontroversial and try to rush it through without substantial revisions and the chance for Senators on both sides of the aisle to be heard. Now, I think we all understand why some in the Senate would feel we have to move immediately on this issue and in effect be tempted to rush to action here. We have all understood there have been a number of recent high-profile hacks that have drawn attention to the need to improve our Nation's cyber security--and I don't disagree with the importance of that at all. For example, a major company in Oregon was hacked by the Chinese simply because they were trying to enforce their rights under trade law. So this is not some abstract issue for the people I represent. We have seen it in my home State. So these high-profile hacks, like the one we saw here recently, is obviously drawing attention to the need to improve cyber security. The recent compromise of a very large amount of Office of Personnel Management data is obviously the latest of these, but it is certainly not going to be the last. Every single time I read about these kind of hacks, what I do is--and I have a very talented staff from the Intelligence Committee and my own office to assist me--I try to reach out and talk to experts in the field about ways to improve cyber security. But that doesn't mean every single piece of legislation with the word ``cyber security'' in it is automatically a good idea that ought to be blessed without revision in the Senate. The fact is, this particular cyber security bill is largely focused on trying to make it more difficult for individuals to be able to take on corporations. I understand why the U.S. Chamber of Commerce likes it so much. They have always been concerned about the rights of the large corporations. Sometimes the inevitable is, well, we are concerned about the large corporations, let's make it harder for individuals to be able to get a fair shake in the marketplace. But in my judgment, the actual cyber security value of this bill would be very limited, and the consequences for those individuals who are trying to get a fair shake would be quite serious. I am going to turn in a moment to the substance of the CISA bill to explain why I consider it so problematic and why it needs a major revision. But first I am going to take just a few minutes to discuss proposals that I believe would actually make a difference in terms of improving American cyber security. First, the most effective way to improve cyber security is to ensure that network owners take responsibility for the security of their networks and effectively implement good security practices. This proposal was the centerpiece of a 2012 bill called the Lieberman- Collins cyber security bill, and in my view that legislation was just a few changes away from being good cyber security law. Unfortunately, the notion of having the government create even voluntary standards for private companies was strongly opposed by the U.S. Chamber of Commerce and the Congress has not revisited it since. Beyond ensuring that network owners take responsibility and implement good security practices, it is also important to ensure that government agencies do not deliberately weaken security standards. I know the Presiding Officer in the Senate has a great interest, as I do, in [[Page S4009]] innovation and American competitiveness. It is pretty hard--when we say the words: The American Government is actually thinking, as the FBI Director has talked about, about requiring companies to build weaknesses into their products--it is pretty hard to get your arms around this theory, not the least of which is the reason that once the good guys have the keys, the bad guys will also have the keys, which will facilitate cyber hacking. I have been skeptical of these statements from senior FBI officials suggesting that U.S. hardware and software companies should be required, as I would characterize it, to weaken the security of their products because encryption and other advanced security measures are a key part, a key compound of actually improving cyber security. I was pleased to see that in the other body, just last week, a new amendment from Representatives Massie and Lofgren to prevent the government from deliberately weakening encryption standards was voted on, and I am very hopeful the Senate will eventually follow suit. In fact, I offered that concept in the Intelligence Committee, and regrettably it did not pass. With regard to government-held data, it is absolutely imperative that Federal agencies receive the funding and expertise they need to develop and implement strong network security programs and to ensure that they have the technical and administrative controls in place to combat a wide range of cyber security threats. I also believe our government needs to be in a stronger position to recruit and retain a capable Federal cyber security workforce by ensuring that cyber security professionals can find opportunities in government that are as rewarding as those in the private sector. In order to ensure that there are enough professionals to fill positions in both the private sector and the government, it is obvious that there is going to need to be an investment in the education of the next generation of cyber security leaders. As we talk about responsible approaches to deal with these cyber issues, I would like to note that I consider the Consumer Privacy Protection Act--a piece of legislation initiated by Senator Leahy--to be another step in the right direction. This legislation creates a comprehensive approach to data security by requiring companies to build a cyber security program that can defend against cyber attacks and prevent data breaches. It also protects a wide range of personal information, not just name or financial account information but also online user names and passwords, information about a person's geolocation, and access to private digital photographs and videos. Unlike CISA, this legislation would, in my view, provide real tools to address the kinds of recent cyber attacks we have seen in the news, such as the celebrity photo hack. Unlike CISA, it would also empower individuals by requiring companies to notify consumers if their information has been lost and would protect the rights offered under some State laws for consumers to sue in the event of a privacy incident. The Consumer Privacy Protection Act is the right kind of responsible, thoughtful approach to cyber security, which is legislation that will help us get an added measure of security and public protection, while at the same time protecting the individual liberties and the privacy of our people. Finally, in my judgment, our country needs to be willing to impose consequences on foreign entities that attempt to hack into American networks and steal large quantities of valuable data. These hacks are undermining our national security, our economic competitiveness, and the personal privacy of huge numbers of Americans. These consequences should draw on the full range of American power, depending on the nature of the hack and the entity responsible. It would be a failure of American imagination to say that the only way to respond to foreign hacking is to have our military and intelligence agencies ``hack back,'' as the concept has been known, at the parties responsible. We are the most powerful country in the world, and our government has a wide variety of tools at its disposal, including economic sanctions, law enforcement, and multilateral diplomacy. And building a multifaceted strategy to deter foreign hacking is going to require all of those kinds of tools I have mentioned by way of articulating responsible steps to deal with cyber security, steps that protect both our security and liberty. All of those tools are ones we will have to draw on. Having laid out ways that the Senate on a bipartisan basis can improve cyber security, I want to turn to the proposal in detail that is now in front of the Senate. As I have said, I believe it makes sense to encourage private companies to share information about cyber security threats. Cyber is a problem. Sharing information can be useful, but it is also vital that information sharing not be bereft of privacy protections for law-abiding Americans. Cyber security is a problem. Information sharing is a plus. But let's make no mistake about it--an information-sharing bill that lacks privacy protections really is not a cyber security bill; it is a surveillance bill. That is what has been one of my major concerns about this legislation, that the legislation in front of the Senate--we talked about the flaws in the process, but substantively, if you have an information-sharing bill that lacks adequate privacy protections, it is a surveillance bill by another name. When the Senate Intelligence Committee voted on the CISA bill, I opposed it. I opposed it because I believe its insufficient privacy protections will lead to large volumes of Americans' personal information, personal information from law-abiding Americans who have done nothing wrong--that they will be faced with the prospect that their information is shared with the government even when that information is not needed for cyber security. When I say ``personal information,'' I am talking about the contents of emails, financial information, and what amounts to any data at all that is stored electronically. Some of my colleagues have stressed that companies will have a choice about whether to participate in this information-sharing part of the legislation. That is true, but while corporations will have a choice about whether to participate, they will be able to do so without the knowledge or consent of their customers, and they will receive broad liability protections when they do so. The CISA bill as written trumps all Federal privacy laws. Furthermore, once this information is shared with the government, government agencies will be permitted to use it for a wide variety of purposes unrelated to cyber security. The bill creates what I consider to be a double standard--really a bizarre double standard in that private information that is shared about individuals can be used for a variety of non-cyber security purposes, including law enforcement action against these individuals, but information about the companies supplying that information generally may not be used to police those companies. I will tell you, I think that will be pretty hard to explain at a townhall meeting in virtually any corner of America because I believe it is wrong to say that the privacy rights of corporations matter more than the privacy rights of individual Americans. I expect that some colleagues will say that it is not their intent to authorize this excessively broad collection. The argument will be that this is legislation to encourage companies to share information about actual cyber security threats, such as lines of malicious code and signatures of hostile cyber actors. Again, I would say to colleagues that I am all for encouraging companies to share information about genuine security threats, but if you read the language that is now before the Senate in the cyber security bill, the language of that bill is much broader than just sharing information about genuine security threats. If Senators want to pass a bill that is focused on real cyber security threats and includes real protection for Americans' privacy, then the Senate should add language specifying that companies should only provide the government with individuals' personal information if it is necessary to describe a cyber security threat. That does not seem to me to be an unreasonable protection for the privacy of Americans, that the Senate would adopt language specifying that the companies provide the government with individuals' personal information if it is necessary to [[Page S4010]] describe a cyber threat. That is pretty obvious. We can explain that, I would say to the distinguished President of the Senate, at a townhall meeting, that if it is related to a cyber security threat, then the companies would provide individuals' personal information. But this would discourage companies from unnecessarily sharing large amounts of their customers' private information with the government. Unfortunately, the cyber security bill in front of the Senate now takes the opposite approach. It only requires companies to withhold information that is known at the time of sharing to be personal information unrelated to cyber security. This approach will clearly discourage companies from closely reviewing the information that they share and will lead to a much greater amount of Americans' personal information being transferred needlessly to government agencies. I hope that here in the Senate there will be an opportunity to carefully consider the potential consequences of this legislation before voting to rush it through by an expedited process. I have said here several times that cyber security is a real problem, and policymakers are going to have to deal with it. In fact, I will go so far as to say that the issue of cyber security is going to be an ongoing and enduring challenge of the digital age. It is my view that every Senator who serves in this body today can expect to deal with cyber security questions for the rest of their career in public service. Voting to rush a bill through, however, is not going to make these problems somehow go away, and it will have real consequences for our constituents for years to come, and in particular, it will not make us safer and will jeopardize the rights of individual Americans. Before I wrap up, I believe it is important and I have an obligation to draw my colleagues' attention to one final issue. As of this afternoon, there is a secret Justice Department legal opinion that is of clear relevance to this debate that continues to be withheld from the public. This opinion remains classified. The Senate rules prohibit me from describing it in detail. But I can say that it interprets common commercial service agreements and that in my judgment is inconsistent with the public's understanding of the law. So this gets back to a question I have talked about on the floor often, which is secret law, when the public reads one thing and there is a secret interpretation that goes in another direction and it contributes to the public's cynicism about Washington. As always, I certainly see it as my job to say that colleagues can decide whether to take my counsel, but I believe any Senator who votes for this legislation, without reading this secret Justice Department legal opinion I have referred to, is voting without a full understanding of the relevant legal landscape. If Senators do not understand how these common commercial service agreements have been interpreted by the executive branch, then it will be harder for the Senate to have a fully informed debate on the cyber security legislation, whether it is considered now or later. I would also like to note for the record that I have repeatedly asked the Justice Department to withdraw this opinion and to make it public so anyone who is party to one of these commercial service agreements can decide whether their agreement ought to be revised. The Justice Department has chosen not to take my advice on either of my suggestions. In public testimony before the Senate Intelligence Committee, the deputy head of the Justice Department's Office of Legal Counsel told me she personally would not rely on this opinion today, and I appreciate her view on that matter. Yet, until the opinion is withdrawn, I believe Senators should be concerned about other government officials choosing to rely on it at any time. In my judgment, that is a very clear instance of the government developing what is essentially secret law-- law that is at variance with what you read if you are in a coffee shop in Arkansas or Utah or anywhere else. The reality is, as I have said often on the floor, operations always have to be secret, as do the sources and methods. Chairman Hatch remembers this from his service on the Intelligence Committee. Operations always have to be secret, but the law ought to be public because that is how the American people have confidence in how we make decisions in our Republic. I will close by saying it is quite obvious at this point that I have significant reservations about the cyber security bill. I believe a number of Senators are going to share these concerns. I will let them speak for themselves, although I believe Senator Leahy's strong statement yesterday was certainly on point. Yet I will also say, even to my colleagues who are inclined to vote for this bill, that I hope all Senators will think about whether this is an appropriate process for this sort of legislation. I have already said I believe Senators are going to be dealing with cyber security questions for the rest of their time in public service, because in the digital age, I think we are going to see a constant evolution in this field with respect to these threats and both the technical and political concerns that are raised by them. Should the Senate be rushing a bill like this through by tacking it onto an unrelated defense measure? Is this the best way to show the American people, once again, that security and liberty are not mutually exclusive and that it is possible to do both? If Senators share the concerns I have raised, I hope they will oppose the cyber security amendment if it is brought up for a vote on the Defense bill. I hope Senators will support this issue, which has been brought to the floor under a different process--a process that involves regular order, so every Senator on both sides of the aisle will have an opportunity to make the revisions I believe it needs and to offer their own ideas. With that, I yield the floor. [...]