[Congressional Record Volume 161, Number 92 (Wednesday, June 10, 2015)]
[Senate]
[Pages S3986-S4017]
NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2016
[...]
Cybersecurity Information Sharing Act
Mrs. FEINSTEIN. Mr. President, last week we learned of the latest in
the string of massive breaches of private information from cyber
penetrations, this time of government personnel records held by the
Office of Personnel Management.
In its annual worldwide threat assessment, the intelligence community
this year ranked cyber intrusions and attacks as the No. 1 threat to
our Nation's security. Cyber attacks and threats are also a major drag
on our economy, with the theft of billions and billions of dollars of
intellectual property and actual money from our Nation's businesses.
Quite simply, cyber attacks are a major and growing threat to every
aspect of our life.
It is with that background that Senator Burr and I began working
early this year on a new cyber security information-sharing bill. It is
a first-step bill, in that for sharing company to company or sharing
cyber threat information directly with the government, a company would
receive liability protection and therefore feel free to have this kind
of constructive interchange.
The Senate Select Intelligence Committee produced the bill in the
last Congress, but it didn't receive a vote. Chairman Burr and I have
been determined not only to get a vote but to get a bill signed into
law. It should be evident to everybody that the only way we will get
this done is if it is bipartisan.
With significant compromises on both sides, we put together the
Cybersecurity Information Sharing Act, a bill approved in March by our
Intelligence Committee by an overwhelming 14-to-1 vote. That bill has
been ready for Senate consideration for nearly 3 months but has not yet
been brought to the floor.
Last week's attack underscores why such legislation is necessary.
The Democratic leader told me many weeks ago that this issue is too
important for political wrangling, that he would not seek to block or
slow down consideration of the bill and would work to move the bill
quickly. So the bill is ready for floor consideration.
Now, a number of my colleagues would like to propose amendments--as
is their right--and I expect I would support some of them and would
oppose some of them. The Senate should have an opportunity to fully
consider the bill and to receive the input of other committees with
jurisdiction in this area. Unless we do this, we won't have a
bipartisan vote, I believe, because, like it or not, no matter how
simple--and I have been through two bills now--this was not an easy
bill to draft because there are conflicts on both sides.
Filing the cyber security bill as an amendment to the Defense
authorization bill prompted a lot of legitimate and understandable
concern from both sides of the aisle. People want debate on the
legislation, and they want an opportunity to offer relevant amendments.
To do this as an amendment--when Senator Burr discussed it with me, I
indicated I did not want to go on and make that proposal--I think is a
mistake.
I very much hope that the majority leader will reconsider this path,
and that once we have finished with the Defense authorization bill, the
Senate can take up, consider, and hopefully approve the cyber security
legislation. I think if we do it any other way, we are in for real
trouble, and this is the product of experience. So I very much hope
that there can be a change in procedure and that this bill--I know our
leader will agree--could come up directly following the Defense
authorization bill.
I thank the Chair, and I yield the floor.
[...]
Amendment No. 1921
Mr. McCAIN. Madam President, I want to say a few words about the Burr
amendment, No. 1921, which has now been made pending. I am thankful for
the leadership of Chairman Burr and Vice Chairman Feinstein.
The language of this amendment, of which I am an original cosponsor,
was overwhelmingly approved by a 14-to-1 vote in the Senate Select
Committee on Intelligence in March.
Implementing legislation to address a long list of cyber threats that
have become all too common is among my highest priorities. Earlier this
month, it was the Office of Personnel Management and the Army. A few
weeks before that, it was the Pentagon network, the White House, and
the State Department. Before that, it was Anthem and Sony. That is just
to name a few.
I am pleased we are able to consider this amendment on the National
Defense Authorization Act. This voluntary information sharing is
critical to addressing these threats and ensuring that mechanisms are
in place to identify those responsible for costly and crippling cyber
attacks and ultimately deterring future attacks.
Our current defenses are inadequate, and our overall cyber strategy
has failed to deter cyber adversaries from continued attacks of
intellectual property theft and cyber espionage against the U.S.
Government and American companies. This failure to develop a meaningful
cyber deterrent strategy has increased the resolve of our adversaries
and will continue to do so at a growing risk to our national security
until we demonstrate that the consequences of exploiting the United
States through cyber greatly outweigh any perceived benefit.
This amendment is a crucial piece of that overall deterrent strategy,
and it is long past time that Congress move forward on information-
sharing legislation. This legislation--again, 14 to 1 from the Select
Committee on Intelligence--complements a number of critical cyber
provisions which are already in the bill which will ensure that the
Department of Defense has the capabilities it needs to deter
aggression, defend our national security interests, and, when called
upon, defeat our adversaries in cyber space.
The bill authorizes the Secretary of Defense to develop, prepare,
coordinate, and, when authorized by the President, conduct a military
cyber operation in response to malicious cyber activity carried out
against the United States or a U.S. person by a foreign power.
The bill includes a provision requiring the Secretary of Defense to
conduct biennial exercises on responding to cyber attacks against
critical infrastructure. It limits $10 million in funds available to
the Department of Defense to provide support services to the Executive
Office of the President until the President submits the integrated
policy to deter adversaries in cyber space, which was required by the
National Defense Authorization Act for Fiscal Year 2014.
It authorizes $200 million for a directed evaluation by the Secretary
of Defense of the cyber vulnerabilities of every major DOD weapons
system by not later than December 31, 2019.
It requires an independent panel on DOD war games to assess the
ability of the national mission forces of the U.S. Cyber Command to
reliably prevent or block large-scale attacks on the United States by
foreign powers with capabilities comparable to those expected of China,
Iran, North Korea, and Russia in years 2020 and 2025.
It establishes a $75 million cyber operations procurement fund for
the commander of U.S. Cyber Command to exercise limited acquisition
authorities.
It directs the Secretary of Defense to designate Department of
Defense entities to be responsible for the acquisition of critical
cyber capabilities.
The cyber security bill was passed through the Select Committee on
Intelligence because that is clearly, in many respects, among the
responsibilities of the Select Committee on Intelligence. But I think
it is obvious to anyone that the Department of Defense is a major
player. I just outlined a number of the provisions of the bill which
are directly overseen and related to the Department of Defense.
So my friends on the other side of the aisle seem to be all torqued-
up about the fact that this cyber bill should be divorced from the
Department of Defense. I know that my colleagues on the other side of
the aisle are very aware that just in the last few days, 4 million
Americans--4 million Americans--had their privacy compromised by a
cyber attack. The Chairman of the Joint Chiefs of Staff has stated that
we are ahead in every aspect of a potential adversary except for one,
and that is cyber. There are great threats that are now literally to
America's supremacy in space and to many other aspects of technology
that have been developed throughout the world and are now part of our
daily lives.
So I am not quite sure why my friends on the other side of the aisle
should take such exception to legislation that addresses our national
security and the threats to it, which literally every expert in America
has agreed is a major threat to our ability to defend the Nation.
So I think there are colleagues who are not on the Intelligence
Committee and are not familiar with the provisions of this bill. It
clearly is not only Department of Defense-related, but it is Department
of Defense-centric, with funds available to DOD to provide services to
the Executive Office of the President, $200 million, cyber
vulnerabilities of major DOD weapons system, an independent panel on
DOD war games, and on and on. It is Department of Defense-related, and
it is the whole purpose of the Defense authorization bill, which is to
defend the Nation. To leave cyber security out of that--yes, there are
some provisions in the underlying bill, but this hones and refines the
requirements that we are badly in need of and gives the President of
the United States and Secretary of Defense tools to try to limit the
damage that is occurring as we speak.
I want to repeat--and to my colleague from Indiana who is a member of
that committee, I would ask him--4 million Americans recently were
compromised by cyber attack.
Mr. COATS. In response to my friend from Arizona----
Mr. McCAIN. Madam President, I ask unanimous consent to engage in a
colloquy with the Senator from Indiana.
The PRESIDING OFFICER. Is there objection?
Without objection, it is so ordered.
Mr. COATS. Madam President, this is a serious breach, and there is
more to the story to be told. It shows the extreme position that we are
in here as Americans, as there are those who want to take this country
down, those who want to invade privacy of Americans and have the
capabilities of breaching this. The legislation before us, and the
reason why it is brought here now and, hopefully, will be attached to
the Defense bill is that this needs to be done now and not later. How
many breaches do we have to hear about--whether it is the private
sector or whether it is the government sector--before this Congress and
this Senate will stand up and say we have the capability of preventing
some of these things from happening, but we need the legislative
authority to do it. To delay and not even allow us to go forward with
this puts more and more millions of Americans at risk, whether they
work for the government or are in private industry.
Mr. McCAIN. And isn't it true, I would ask my colleague from Indiana,
that the Chairman of the Joint Chiefs of Staff recently stated that in
the potential of our adversaries to threaten our security, we have a
definite superiority in all areas except for one, which is in the issue
of cyber security; is that correct?
Mr. COATS. I think that is obvious, because, clearly, while we have
the capability to address some of these issues, we are not allowed to
use the capability. This legislation gives us the opportunity to have a
cooperative effort. Some of those who resist the use of this because
they think it is potentially a breach of privacy now understand that
breaches are occurring from outside and into the United States, by
those who are enemies of the state, those who are criminal groups,
those who are terrorist groups. While we may have the capacity to deal
with this, without this legislative authority we are not allowed to use
it.
So what an irony--what an irony that some are saying: We can't trust
the government on this to help us. This is defense. This is like saying
we can't trust the Department of Defense, we can't trust the Army or
the Navy to protect us from attack because it is government-run. Now,
they are saying there are some operations in government here that are
part of our defenses that can't be used until we have authority. The
irony is that people's privacies are being breached by all of these
attempts, and we are denying the opportunity to put the tools in place
to stop that from happening.
Mr. McCAIN. Could I ask my colleague again: The 4 million people
whose privacy was just breached--4 million Americans--what potential
damage is that to those individual Americans?
Mr. COATS. Well, we are just learning what damage this is and how it
can be misused in any number of ways. Some of this information is
classified. But I can say to my colleague from Arizona, the chairman of
the Armed Services Committee, that this puts some of our people and
some of our systems in great peril. It is something that needs to be
addressed now and not pushed down the line.
Mr. McCAIN. So it seems to me that to those 4 million Americans, we
owe them and it is our responsibility--in fact, our urgent
responsibility--to try to prevent that same kind of breach from being
perpetrated on 4 million or 8 million or 10 million more Americans. If
they are capable of doing it once to 4 million Americans, what is to
keep them from doing the same thing to millions of Americans more, if
we sit here idly by and do nothing on the grounds that the objection is
that it is not part of the Department of Defense
bill, which seems to me almost ludicrous?
Mr. COATS. Well, since the Department of Defense is one of those
agencies being attacked, I would certainly think this is the
appropriate attachment to a bill for which, hopefully, we will be given
the opportunity by our friends across the aisle. Hopefully, we will be
able to pass it in the Senate, move it on to the House, and get it to
the President so that these authorities can be in place.
The Senator mentioned 4 million. A company whose headquarters is in
the State of Indiana, Anthem insurance company, was breached--and this
is public information--of 80 million people on their rolls. That is
almost one-third of all Americans who have had their private
information breached by a cyber attack--not to mention the threat that
comes from cyber attack on our critical infrastructure.
What if they take down the financial system of one of our major banks
or several banks? What if they take down the financial transactions
that they place on Wall Street every day? What if they shut down an
electric power grid in the middle of February when the temperatures in
the Northeast are in minus-Fahrenheit temperatures or when it is 110
degrees in Phoenix and you lose your power and can't turn on air
conditioning? People will die. People will be severely impacted by
this. To not go forward and give authorization to use the tools to try
to better protect American safety is not only unreasonable but is a
very serious thing.
Mr. McCAIN. I thank my colleague from Indiana for his outstanding
work on a very difficult issue that poses a threat to every American
and citizens throughout the world.
I yield the floor.
[...]
Cybersecurity Information Sharing Act
Mr. WYDEN. Mr. President, I wish to speak this afternoon about a
controversial proposal, the Cybersecurity Information Sharing Act,
otherwise known as CISA, which was filed yesterday as an amendment to
the Defense authorization bill.
I want to begin by saying to the Senate that I believe tacking this
legislation onto the Defense bill would, in my view, be a significant
mistake. I expect our colleagues are going to have a wide range of
views about this legislation, and I hope the Senate can agree that
bills as controversial as this one ought to be subject to public debate
and an open-ended process, not stapled onto unrelated legislation with
only a modest amount of discussion.
This is particularly true given the issue of cyber security, which is
going to have a significant impact on the security and the well-being
of the American people and obviously the consumer rights and the
privacy of law-abiding Americans. Because it is designed to increase
government collection of information from private companies, I am of
the view that for the Senate to have this expansion of collecting so
much information about the people of the United States, for it to have
real legitimacy in the eyes of the public, it is important to have open
debate, with votes on amendments from Senators who have a wide variety
of opinions on the issue of cyber security. Trying to rush this bill
through the Senate, in my view, is not going to increase public
confidence.
So let me be clear about the process and talk a bit about the
substance of the legislation as well. I believe tacking it onto the
Defense bill is a flawed process. But I think there are also
significant flaws with the substance of the legislation as well. Dozens
of independent experts agree this legislation will have serious
consequences and do little to make our Nation more secure at a time
when cyber threats are very real. The issue of cyber threats requires
more than a placebo, and this legislation is a bandaid on a gaping
wound. I believe the Senate, having the time for adequate reflection
and amendment, can do better.
In beginning, I would like the Senate to know just how much
controversy and concern this legislation has generated among those who
are considered independent experts on cyber security. Shortly before
the Intelligence Committee, which I have been honored to serve on for
more than 14 years--shortly before the committee marked up this
legislation, a coalition of nearly 50 organizations and security
experts wrote to the members of the Intelligence Committee expressing
serious concerns about the legislation.
Mr. President, I ask unanimous consent that this letter be printed in
the Record.
There being no objection, the material was ordered to be printed in
the Record, as follows:
Re Cyber Threat Information Sharing Bills
April 16, 2015.
Senator Dianne Feinstein,
Hart Senate Office Building,
Washington, DC.
Congressman Adam Schiff,
Rayburn House Office Building,
Washington, DC.
Congressman Michael McCaul,
Cannon House Office Building,
Washington, DC.
Senator Richard Burr,
Russell Senate Office Building,
Washington, DC.
Congressman Devin Nunes,
Longworth House Office Building,
Washington, DC.
Dear Senator Burr, Senator Feinstein, and Representatives
Nunes, Schiff, and McCaul: We are writing you today as
technologists, academics, and computer and network security
professionals who research, report on, and defend against
Internet security threats. Among us are antivirus and threat
signature developers, security researchers and analysts, and
system administrators charged with securing networks. We have
devoted our careers to building security technologies, and to
protecting networks, computers, and critical infrastructure
against a wide variety of even highly sophisticated attacks.
We do not need new legal authorities to share information
that helps us protect our systems from future attacks. When a
system is attacked, the compromise will leave a trail, and
investigators can collect these bread crumbs. Some of that
data empowers other system operators to check and see if
they, too, have been attacked, and also to guard against
being similarly attacked in the future. Generally speaking,
security practitioners can and do share this information with
each other and with the federal government while still
complying with our obligations under federal privacy law.
Significantly, threat data that security professionals use
to protect networks from future attacks is a far more narrow
category of information than those included in the bills
being considered by Congress, and will only rarely contain
private information. In those rare cases, we generally scrub
the data without losing the effectiveness of the threat
signature.
These are some common categories of data that we share to
figure out if systems have been compromised (indicators of
compromise, or IoCs) and to mitigate future threats:
Malware file names, code, and hashes
Objects (code) that communicate with malware
Compile times: data about the conversion of source code to
binary code
File size
File path location: where on the computer system malware
files are stored
Registry keys: configuration settings for low-level
operating system and applications
Memory process or running service information
Attached to this letter is an actual example of a threat
signature containing data that helps system administrators
secure their networks. You'll see that the information does
not contain users' private information.
Waiving privacy rights will not make security sharing
better. The more narrowly security practitioners can define
these IoCs and the less personal information that is in them,
the better. Private information about individual users is
often a detriment in developing threat signatures because we
need to be able to identify an attack no matter where it
comes from and no matter who the target is. Any bill that
allows for and results in significant sharing of personal
information could decrease the signal-to-noise ratio and make
IoCs less actionable.
Further, sharing users' private information creates new
security risks. Here are just three examples: First, any IoC
that contains personal information exacerbates the danger of
false-positives, that innocent behavior will erroneously be
classified as a threat. Second, distribution of private data
like passwords could expose our users to unauthorized access,
since, unfortunately, many people use the same password
across multiple sites. Third, private data contained in
personal emails or other messages can be abused by criminals
developing targeted phishing attacks in which they masquerade
as known and trusted correspondents.
For these reasons, we do not support any of the three
information sharing bills currently under consideration--the
Cybersecurity Information Sharing Act (CISA), the Protecting
Cyber Networks Act (PCNA), or the National Cybersecurity
Protection Advancement Act of 2015. These bills permit
overbroad sharing far beyond the IoCs described above that
are necessary to respond to an attack, including all
``harms'' of an attack. This excess sharing will not aid
cybersecurity, but would significantly harm privacy and could
actually undermine our ability to effectively respond to
threats.
As a general rule, when we do need to share addressing
information, we are sharing the addresses of servers which
are used to host malware, or to which a compromised computer
will connect for the exfiltration of data. In these cases,
this addressing information helps potential victims block
malicious incoming connections. These addresses do not belong
to subscribers or customers of the victims of a security
breach or of our clients whose systems we are helping to
secure. Sharing this kind of addressing is a common current
practice. We do not see the need for new authorities to
enable this sharing.
Before any information sharing bill moves further, it
should be improved to contain at least the following three
features:
1. Narrowly define the categories of information to be
shared as only those needed for securing systems against
future attacks;
2. Require firms to effectively scrub all personally
identifying information and other private data not necessary
to identify or respond to a threat; and
3. Not allow the shared information to be used for anything
other than securing systems.
We appreciate your interest in making our networks more
secure, but the legislation proposed does not materially
further that goal, and at the same time it puts our users'
privacy at risk. These bills weaken privacy law without
promoting security. We urge you to reject them.
Sincerely,
Ben Adida; Jacob Appelbaum, Security and privacy
researcher, The Tor Project; Sergey Bratus, Research
Associate Professor, Computer Science Department, Dartmouth
College; Eric Brunner-Williams, CTO, Wampumpeag; Dominique
Brezinski, Principal Security Engineer, Amazon.com; Jon
Callas; Katherine Carpenter, Independent Consultant; Antonios
A. Chariton, Security Researcher, Institute of Computer
Science, Foundation of Research and Technology--Hellas;
Stephen Checkoway, Assistant Research Professor, Johns
Hopkins University; Gordon Cook, Technologist, writer, editor
and publisher of ``COOK report on Internet Protocol'' since
1992; Shaun Cooley, Distinguished Engineer, Cisco; John
Covici, Systems Administrator, Covici Computer Systems; Tom
Cross, CTO, Drawbridge Networks; David L. Dill, Professor of
Computer Science, Stanford University; A. Riley Eller, Chief
Technology Officer, CoCo Communications Corp; Rik Farrow,
USENIX.
Robert G. Ferrell, Special Agent (retired), U.S. Dept of
Defense; Kevin Finisterre, Owner, DigitalMunition; Bryan
Ford, Associate Professor of Computer Science, Yale
University; Dr. Richard Forno, Affiliate, Stanford Center for
Internet and Society; Paul Ferguson, Vice President, Threat
Intelligence; Jim Fruchterman, Benetech; Kevin Gennuso,
Information Security Professional; Dan Gillmor, Teacher and
technology writer; Sharon Goldberg, assistant professor,
Computer Science Department, Boston University; Joe Grand,
Principal Engineer, Grand Idea Studio, Inc.; Thaddeus T
Grugq, independent security researcher; J. Alex Halderman,
Morris Wellman Faculty Development Assistant Professor of
Computer Science and Engineering, University of Michigan,
Director, University of Michigan Center for Computer Security
and Society; Professor Carl Hewitt, Emeritus EECS MIT; Gary
Knott, PhD (Stanford CS, 1975), CEO, Civilized Software; Rich
Kulawiec, Senior Internet Security Architect, Fire on the
Mountain, LLC; Ryan Lackey, Product, CloudFlare, Inc.
Ronald L. Larsen, Dean and Professor, School of Information
Sciences, University of Pittsburgh; Christopher Liljenstolpe,
Chief architect for AS3561 (at the time about 30% of the
Internet backbone by traffic) and AS1221 (Australia's main
Internet infrastructure); Ralph Logan, Partner, Logan Haile,
LP; Robert J. Lupo, Senior Security Engineer ``sales team'',
IBM inc.; Marc Maiffret, Former CTO BeyondTrust; Steve
Manzuik, Director of Security Research, Duo Security; Ryan
Maple, Information security professional; Brian Martin,
President Open Security Foundation (OSF); Morgan Marquis-
Boire; Aaron Massey, Postdoctoral Fellow, School of
Interactive Computing, Georgia Institute of Technology;
Andrew McConachie, Network engineer with experience working
on Internet infrastructure; Daniel L. McDonald, RTI Advocate
and Security Point-of-Contact, illumos Project; Alexander
McMillen, Mission critical datacenter and cloud services
expert; Charlie Miller, Security Engineer at Twitter; HD
Moore, Chief Research Officer, Rapid7.
Joseph ``Jay'' Moran, Vice President of Cimpress Technology
Operations; Peter G. Neumann, Senior Principal Scientist, SRI
International Moderator of the ACM Risks Forum (risks.org);
Jesus Oquendo, Information Security Researcher, E-Fensive
Security Strategies; Ken Pfeil, CISO, Pioneer investments;
Benjamin C. Pierce, Professor of Computer and Information
Science, University of Pennsylvania; Ryan Rawdon, Network and
Security Engineer; Bruce Schneier, security researcher and
cryptographer, published seminal works on applied
cryptography; Sid Stamm, Ph.D., Principal Engineer, Security
and Privacy, Mozilla; Visiting Assistant Professor of
Computer Science, Rose-Hulman Institute of Technology;
Armando Stettner, Technology Consultant; Matt Suiche, Staff
Engineer, VMware.
C. Thomas (Space Rogue), Security Strategist Tenable
Network Security; Arrigo Triulzi, independent security
consultant; Doug Turner, Sr. Director--Privacy, Security,
Networking, Mozilla Corporation; Daniel Paul Veditz,
Principal Security Engineer, Mozilla, Co-chair Web
Application Security Working Group, W3C; David Wagner,
Professor of Computer Science, University of California,
Berkeley; Dan S. Wallach, Professor, Department of Computer
Science and Rice Scholar, Baker Institute for Public Policy,
Rice University; Jonathan Weinberg, Professor of Law, Wayne
State University; Stephen Wilson, Managing Director and
Founder, Lockstep Technologies; Chris Wysopal, CTO and co-
founder Veracode, Inc.; Stefano Zanero, Board of Governors
member, IEEE Computer Society.
Mr. WYDEN. The signers of the letter expressed very serious concerns
about the legislation and were particularly concerned it would
``significantly undermine privacy and civil liberties.'' Unfortunately,
as the signers of the legislation will report, these concerns were not
adequately addressed in the committee markup.
Shortly after the committee markup, a group of 65 technologists and
cyber security professionals wrote to Chairman Burr and Vice Chairman
Feinstein expressing their opposition to this legislation.
Mr. President, I ask unanimous consent that this letter be printed in
the Record as well.
There being no objection, the material was ordered to be printed in
the Record, as follows:
March 2, 2015.
Chairman Richard Burr,
Senate Select Committee on Intelligence, U.S. Senate.
Vice Chairman Dianne Feinstein,
Senate Select Committee on Intelligence, U.S. Senate.
Dear Chairman Burr, Vice Chairman Feinstein, and Members of
the Senate Select Committee on Intelligence: We the
undersigned civil society organizations, security experts,
and academics write to explain how the Cybersecurity
Information Sharing Act of 2015 (CISA), would significantly
undermine privacy and civil liberties. We now know that the
National Security Agency (NSA) has secretly collected the
personal information of millions of users, and the revelation
of these programs has created a strong need to rein in,
rather than expand, government surveillance. CISA disregards
the fact that information sharing can--and to be truly
effective, must--offer both security and robust privacy
protections. The legislation fails to achieve these critical
objectives by including:
Automatic NSA access to personal information shared with a
governmental entity;
Inadequate protections prior to sharing;
Dangerous authorization for countermeasures; and
Overbroad authorization for law enforcement use.
For the following reasons, we urge rejection of CISA in its
current form:
Automatic NSA Access to Personal Information and
Communications: Since the summer of 2013, NSA surveillance
activities, such as the telephony metadata bulk collection
program and the PRISM program, have raised nationwide alarm.
CISA ignores these objections, and requires real time
dissemination to military and intelligence agencies,
including the NSA. Congress should be working to limit the
NSA's overbroad authorities to conduct surveillance, rather
than passing a bill that would increase the NSA's access to
personal information and private communications.
Automatic sharing with NSA risks not only privacy, but also
effectiveness. During a recent House Intelligence Committee
hearing, NSA Director Admiral Mike Rogers stated that sharing
threat indicators without filtering out personal data would
slow operations and negatively impact NSA's cyber defense
activities. Further, in the wake of revelations regarding the
PRISM program, major tech companies stated that they would
not voluntarily share users' information with the NSA.
Automated NSA access could thus disincentivize sharing,
undercutting the key goal of the legislation.
Inadequate Protections Prior to Sharing: CISA does not
effectively require private entities to strip out information
that identifies a specific person prior to sharing cyber
threat indicators with the government, a fundamental and
important privacy protection. While the bill requires that
companies ``review'' cyber threat indicators for information
that identifies a specific person and sometimes remove it,
the bill contains no standard to ensure that this review
effort is--at a minimum--reasonable.
Further, the bill requires companies to remove that
information only for individuals that it knows are ``not
directly related to a cybersecurity threat.'' This could
encourage companies to retain data by default, unnecessarily
exposing the information of innocent bystanders and victims
to the government, and making it available to law enforcement
for a myriad of investigative uses. Legislation should
instead require that prior to sharing, companies make at
least a reasonable effort to identify all personally
identifiable information and, unless it is necessary to
counter the cyber threat before sharing any indicators with
the government, remove it. The default should be to preserve
privacy, rather than to sacrifice it.
Dangerous Authorization for Countermeasures: CISA
authorizes countermeasures ``notwithstanding any law,''
including the federal Computer Fraud and Abuse Act. As
amended by CISA, federal law would permit companies to
retaliate against a perceived threat in a manner that may
cause significant harm, and undermine cybersecurity. CISA
provides that countermeasures must be ``operated on'' one's
own information systems, but may have off-networks effects--
including harmful effects to external systems--so long as the
countermeasures do not ``intentionally'' destroy other
entities' systems. Given the risks of misattribution and
[[Page S4008]]
escalation posed by offensive cyber activities--as well as
the potential for misappropriation--this is highly
inadvisable. CISA permits companies to recklessly deploy
countermeasures that damage networks belonging to innocent
bystanders, such as a hospital or emergency responders that
attackers use as proxies to hide behind, so long as the
deploying company does not intend that the countermeasure
result in harm. CISA's authorization would not only
inadvisably wipe away the Computer Fraud and Abuse Act's
current prohibition against these activities, it would be
dangerous to internet security.
Overbroad Law Enforcement Use: Law enforcement use of
information shared for cybersecurity purposes should be
limited to prosecuting specific cyber crimes identified in
the bill and preventing imminent loss of life or serious
bodily harm. CISA goes far beyond this, and permits law
enforcement to use information it receives for investigations
and prosecutions of a wide range of crimes involving any
level of physical force, including those that involve no
threat of death or significant bodily harm, as well as for
terrorism investigations, which have served as the basis for
overbroad collection programs, and any alleged violations of
various provisions of the Espionage Act. The lack of use
limitations creates yet another loophole for law enforcement
to conduct backdoor searches on Americans--including searches
of digital communications that would otherwise require law
enforcement to obtain a warrant based on probable cause. This
undermines Fourth Amendment protections and constitutional
principles.
Cybersecurity legislation should be designed to increase
digital hygiene and identify and remediate advanced threats,
not create surveillance authorities that would compromise
essential privacy rights, and undermine security.
Accordingly, we urge that the Committee not approve this bill
without addressing these concerns.
Thank you for your consideration,
Civil Society Organizations--Access; American-Arab Anti-
Discrimination Committee; American Library Association;
Advocacy for Principled Action in Government; American Civil
Liberties Union; Association of Research Libraries; Bill of
Rights Defense Committee; Brennan Center for Justice; Center
for Democracy & Technology; Center for National Security
Studies; Competitive Enterprise Institute; Constitutional
Alliance; The Constitution Project; Council on American
Islamic Relations; Cyber Policy Project; Defending Dissent
Foundation; Demand Progress; Electronic Frontier Foundation;
Free Press Action Fund; FreedomWorks; Liberty Coalition;
National Association of Criminal Defense Lawyers; New
America's Open Technology Institute; Project on Government
Oversight; R Street Institute; Sunlight Foundation.
Security Experts and Academics--Ben Adida, Cryptographer;
Jacob Appelbaum, The Tor Project; Alvaro Bedoya, Center on
Privacy and Technology at Georgetown Law; Brian Behlendorf;
David J Farber, University of Pennsylvania; J. Alex
Halderman, University of Michigan; Joan Feigenbaum, Yale
University; Bryan Ford, Yale University; Matthew D. Green,
Johns Hopkins University; Daniel Kahn Gillmor, Technologist;
Susan Landau, Worcester Polytechnic Institute; Sascha
Meinrath, X-Lab; Peter G. Neumann, SRI International; Ronald
L. Rivest, Massachusetts Institute of Technology; Phillip
Rogaway, University of California, Davis; Bruce Schneier,
Cryptographer and Security Specialist; Christopher Soghoian,
Technologist; Gene Spafford, Purdue University; Micah Sherr,
Georgetown University; Adam Shostack; Dan S. Wallach, Rice
University; Nicholas Weaver, University of California at
Berkeley.
Mr. WYDEN. This is a particularly important letter. We have some of
the most distinguished independent experts from across the country--
whether Amazon or Sysco, Stanford University, Dartmouth, some of the
leading experts in the private sector and academia--expressing real
concerns about this legislation and its House companion.
From their letter:
We appreciate your interest in making our networks more
secure, but the legislation proposed does not materially
further that goal, and at the same time it puts our users'
privacy at risk. These bills weaken privacy law without
promoting security. We urge you to reject them.
The reason I want our colleagues to be aware that these distinguished
scientists in Silicon Valley, and literally every corner of the
country, are so concerned is that the American people want both
security and liberty--and they understand the two are not mutually
exclusive. What this distinguished group of experts has just said is
this ``weaken[s] privacy law without promoting security.'' I hope the
Senate will review what these experts are saying.
Along the same lines, I note that the Christian Science Monitor
recently polled a group of more than 78 high-profile security and
privacy experts from across government, think tanks, and the private
sector. With these experts, they asked if legislation along the lines
of this bill--this bill which has been attached to the Defense
authorization. These experts were asked if this legislation would
significantly reduce security breaches, and 87 percent said it would
not. Many of them noted--a concern I have noted in opposing the
legislation--that incentivizing private companies to share information
about security threats is a very worthwhile proposition, a worthwhile
thing to do. But they go on to say that bills like this are going to
have limited value in that area and would have significant negative
consequences.
Now, many of my colleagues may have some disagreement with some of
the dozens and dozens of independent experts I have just mentioned.
Some of them may agree with the 13 percent of those experts who said
this bill will do a lot to reduce security breaches. That is their
right, and that is what a good Senate debate would be all about. But
what the Senate should not do is pretend that this legislation is
uncontroversial and try to rush it through without substantial
revisions and the chance for Senators on both sides of the aisle to be
heard.
Now, I think we all understand why some in the Senate would feel we
have to move immediately on this issue and in effect be tempted to rush
to action here. We have all understood there have been a number of
recent high-profile hacks that have drawn attention to the need to
improve our Nation's cyber security--and I don't disagree with the
importance of that at all.
For example, a major company in Oregon was hacked by the Chinese
simply because they were trying to enforce their rights under trade
law.
So this is not some abstract issue for the people I represent. We
have seen it in my home State.
So these high-profile hacks, like the one we saw here recently, are
obviously drawing attention to the need to improve cyber security. The
recent compromise of a very large amount of Office of Personnel
Management data is obviously the latest of these, but it is certainly
not going to be the last.
Every single time I read about these kinds of hacks, what I do is--and
I have a very talented staff from the Intelligence Committee and my own
office to assist me--I try to reach out and talk to experts in the
field about ways to improve cyber security. But that doesn't mean every
single piece of legislation with the word ``cyber security'' in it is
automatically a good idea that ought to be blessed without revision in
the Senate.
The fact is, this particular cyber security bill is largely focused
on trying to make it more difficult for individuals to be able to take
on corporations. I understand why the U.S. Chamber of Commerce likes it
so much. They have always been concerned about the rights of the large
corporations. Sometimes the inevitable is, well, we are concerned about
the large corporations, let's make it harder for individuals to be able
to get a fair shake in the marketplace. But in my judgment, the actual
cyber security value of this bill would be very limited, and the
consequences for those individuals who are trying to get a fair shake
would be quite serious.
I am going to turn in a moment to the substance of the CISA bill to
explain why I consider it so problematic and why it needs a major
revision. But first I am going to take just a few minutes to discuss
proposals that I believe would actually make a difference in terms of
improving American cyber security.
First, the most effective way to improve cyber security is to ensure
that network owners take responsibility for the security of their
networks and effectively implement good security practices. This
proposal was the centerpiece of a 2012 bill called the Lieberman-
Collins cyber security bill, and in my view that legislation was just a
few changes away from being good cyber security law. Unfortunately, the
notion of having the government create even voluntary standards for
private companies was strongly opposed by the U.S. Chamber of Commerce
and the Congress has not revisited it since.
Beyond ensuring that network owners take responsibility and implement
good security practices, it is also important to ensure that government
agencies do not deliberately weaken security standards.
I know the Presiding Officer in the Senate has a great interest, as I
do, in
[[Page S4009]]
innovation and American competitiveness. It is pretty hard--when we say
the words: The American Government is actually thinking, as the FBI
Director has talked about, about requiring companies to build
weaknesses into their products--it is pretty hard to get your arms
around this theory, not the least of which is the reason that once the
good guys have the keys, the bad guys will also have the keys, which
will facilitate cyber hacking.
I have been skeptical of these statements from senior FBI officials
suggesting that U.S. hardware and software companies should be
required, as I would characterize it, to weaken the security of their
products because encryption and other advanced security measures are a
key part, a key compound of actually improving cyber security.
I was pleased to see that in the other body, just last week, a new
amendment from Representatives Massie and Lofgren to prevent the
government from deliberately weakening encryption standards was voted
on, and I am very hopeful the Senate will eventually follow suit. In
fact, I offered that concept in the Intelligence Committee, and
regrettably it did not pass.
With regard to government-held data, it is absolutely imperative that
Federal agencies receive the funding and expertise they need to develop
and implement strong network security programs and to ensure that they
have the technical and administrative controls in place to combat a
wide range of cyber security threats.
I also believe our government needs to be in a stronger position to
recruit and retain a capable Federal cyber security workforce by
ensuring that cyber security professionals can find opportunities in
government that are as rewarding as those in the private sector. In
order to ensure that there are enough professionals to fill positions
in both the private sector and the government, it is obvious that there
is going to need to be an investment in the education of the next
generation of cyber security leaders.
As we talk about responsible approaches to deal with these cyber
issues, I would like to note that I consider the Consumer Privacy
Protection Act--a piece of legislation initiated by Senator Leahy--to
be another step in the right direction. This legislation creates a
comprehensive approach to data security by requiring companies to build
a cyber security program that can defend against cyber attacks and
prevent data breaches. It also protects a wide range of personal
information, not just name or financial account information but also
online user names and passwords, information about a person's
geolocation, and access to private digital photographs and videos.
Unlike CISA, this legislation would, in my view, provide real tools
to address the kinds of recent cyber attacks we have seen in the news,
such as the celebrity photo hack. Unlike CISA, it would also empower
individuals by requiring companies to notify consumers if their
information has been lost and would protect the rights offered under
some State laws for consumers to sue in the event of a privacy
incident. The Consumer Privacy Protection Act is the right kind of
responsible, thoughtful approach to cyber security, which is
legislation that will help us get an added measure of security and
public protection, while at the same time protecting the individual
liberties and the privacy of our people.
Finally, in my judgment, our country needs to be willing to impose
consequences on foreign entities that attempt to hack into American
networks and steal large quantities of valuable data. These hacks are
undermining our national security, our economic competitiveness, and
the personal privacy of huge numbers of Americans. These consequences
should draw on the full range of American power, depending on the
nature of the hack and the entity responsible.
It would be a failure of American imagination to say that the only
way to respond to foreign hacking is to have our military and
intelligence agencies ``hack back,'' as the concept has been known, at
the parties responsible. We are the most powerful country in the world,
and our government has a wide variety of tools at its disposal,
including economic sanctions, law enforcement, and multilateral
diplomacy. And building a multifaceted strategy to deter foreign
hacking is going to require all of those kinds of tools I have
mentioned by way of articulating responsible steps to deal with cyber
security, steps that protect both our security and liberty. All of
those tools are ones we will have to draw on.
Having laid out ways that the Senate on a bipartisan basis can
improve cyber security, I want to turn to the proposal in detail that
is now in front of the Senate. As I have said, I believe it makes sense
to encourage private companies to share information about cyber
security threats. Cyber is a problem. Sharing information can be
useful, but it is also vital that information sharing not be bereft of
privacy protections for law-abiding Americans.
Cyber security is a problem. Information sharing is a plus. But let's
make no mistake about it--an information-sharing bill that lacks
privacy protections really is not a cyber security bill; it is a
surveillance bill. That is what has been one of my major concerns about
this legislation, that the legislation in front of the Senate--we
talked about the flaws in the process, but substantively, if you have
an information-sharing bill that lacks adequate privacy protections, it
is a surveillance bill by another name.
When the Senate Intelligence Committee voted on the CISA bill, I
opposed it. I opposed it because I believe its insufficient privacy
protections will lead to large volumes of Americans' personal
information, personal information from law-abiding Americans who have
done nothing wrong--that they will be faced with the prospect that
their information is shared with the government even when that
information is not needed for cyber security. When I say ``personal
information,'' I am talking about the contents of emails, financial
information, and what amounts to any data at all that is stored
electronically.
Some of my colleagues have stressed that companies will have a choice
about whether to participate in this information-sharing part of the
legislation. That is true, but while corporations will have a choice
about whether to participate, they will be able to do so without the
knowledge or consent of their customers, and they will receive broad
liability protections when they do so. The CISA bill as written trumps
all Federal privacy laws.
Furthermore, once this information is shared with the government,
government agencies will be permitted to use it for a wide variety of
purposes unrelated to cyber security. The bill creates what I consider
to be a double standard--really a bizarre double standard in that
private information that is shared about individuals can be used for a
variety of non-cyber security purposes, including law enforcement
action against these individuals, but information about the companies
supplying that information generally may not be used to police those
companies.
I will tell you, I think that will be pretty hard to explain at a
townhall meeting in virtually any corner of America because I believe
it is wrong to say that the privacy rights of corporations matter more
than the privacy rights of individual Americans.
I expect that some colleagues will say that it is not their intent to
authorize this excessively broad collection. The argument will be that
this is legislation to encourage companies to share information about
actual cyber security threats, such as lines of malicious code and
signatures of hostile cyber actors. Again, I would say to colleagues
that I am all for encouraging companies to share information about
genuine security threats, but if you read the language that is now
before the Senate in the cyber security bill, the language of that bill
is much broader than just sharing information about genuine security
threats.
If Senators want to pass a bill that is focused on real cyber
security threats and includes real protection for Americans' privacy,
then the Senate should add language specifying that companies should
only provide the government with individuals' personal information if
it is necessary to describe a cyber security threat. That does not seem
to me to be an unreasonable protection for the privacy of Americans,
that the Senate would adopt language specifying that the companies
provide the government with individuals' personal information if it is
necessary to
[[Page S4010]]
describe a cyber threat. That is pretty obvious.
We can explain that, I would say to the distinguished President of
the Senate, at a townhall meeting, that if it is related to a cyber
security threat, then the companies would provide individuals' personal
information. But this would discourage companies from unnecessarily
sharing large amounts of their customers' private information with the
government.
Unfortunately, the cyber security bill in front of the Senate now
takes the opposite approach. It only requires companies to withhold
information that is known at the time of sharing to be personal
information unrelated to cyber security. This approach will clearly
discourage companies from closely reviewing the information that they
share and will lead to a much greater amount of Americans' personal
information being transferred needlessly to government agencies.
I hope that here in the Senate there will be an opportunity to
carefully consider the potential consequences of this legislation
before voting to rush it through by an expedited process.
I have said here several times that cyber security is a real problem,
and policymakers are going to have to deal with it. In fact, I will go
so far as to say that the issue of cyber security is going to be an
ongoing and enduring challenge of the digital age. It is my view that
every Senator who serves in this body today can expect to deal with
cyber security questions for the rest of their career in public
service. Voting to rush a bill through, however, is not going to make
these problems somehow go away, and it will have real consequences for
our constituents for years to come, and in particular, it will not make
us safer and will jeopardize the rights of individual Americans.
Before I wrap up, I believe it is important and I have an obligation
to draw my colleagues' attention to one final issue. As of this
afternoon, there is a secret Justice Department legal opinion that is
of clear relevance to this debate that continues to be withheld from
the public. This opinion remains classified. The Senate rules prohibit
me from describing it in detail. But I can say that it interprets
common commercial service agreements and that in my judgment is
inconsistent with the public's understanding of the law.
So this gets back to a question I have talked about on the floor
often, which is secret law, when the public reads one thing and there
is a secret interpretation that goes in another direction and it
contributes to the public's cynicism about Washington.
As always, I certainly see it as my job to say that colleagues can
decide whether to take my counsel, but I believe any Senator who votes
for this legislation, without reading this secret Justice Department
legal opinion I have referred to, is voting without a full
understanding of the relevant legal landscape. If Senators do not
understand how these common commercial service agreements have been
interpreted by the executive branch, then it will be harder for the
Senate to have a fully informed debate on the cyber security
legislation, whether it is considered now or later.
I would also like to note for the record that I have repeatedly asked
the Justice Department to withdraw this opinion and to make it public
so anyone who is party to one of these commercial service agreements
can decide whether their agreement ought to be revised. The Justice
Department has chosen not to take my advice on either of my
suggestions.
In public testimony before the Senate Intelligence Committee, the
deputy head of the Justice Department's Office of Legal Counsel told me
she personally would not rely on this opinion today, and I appreciate
her view on that matter. Yet, until the opinion is withdrawn, I believe
Senators should be concerned about other government officials choosing
to rely on it at any time. In my judgment, that is a very clear
instance of the government developing what is essentially secret law--
law that is at variance with what you read if you are in a coffee shop
in Arkansas or Utah or anywhere else.
The reality is, as I have said often on the floor, operations always
have to be secret, as do the sources and methods. Chairman Hatch
remembers this from his service on the Intelligence Committee.
Operations always have to be secret, but the law ought to be public
because that is how the American people have confidence in how we make
decisions in our Republic.
I will close by saying it is quite obvious at this point that I have
significant reservations about the cyber security bill. I believe a
number of Senators are going to share these concerns. I will let them
speak for themselves, although I believe Senator Leahy's strong
statement yesterday was certainly on point. Yet I will also say, even
to my colleagues who are inclined to vote for this bill, that I hope
all Senators will think about whether this is an appropriate process
for this sort of legislation.
I have already said I believe Senators are going to be dealing with
cyber security questions for the rest of their time in public service,
because in the digital age, I think we are going to see a constant
evolution in this field with respect to these threats and both the
technical and political concerns that are raised by them.
Should the Senate be rushing a bill like this through by tacking it
onto an unrelated defense measure? Is this the best way to show the
American people, once again, that security and liberty are not mutually
exclusive and that it is possible to do both?
If Senators share the concerns I have raised, I hope they will oppose
the cyber security amendment if it is brought up for a vote on the
Defense bill. I hope Senators will support this issue, which has been
brought to the floor under a different process--a process that involves
regular order, so every Senator on both sides of the aisle will have an
opportunity to make the revisions I believe it needs and to offer their
own ideas.
With that, I yield the floor.
[...]