[Congressional Record Volume 161, Number 59 (Wednesday, April 22, 2015)]
[House]
[Pages H2368-H2378]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




  PROVIDING FOR CONSIDERATION OF H.R. 1560, PROTECTING CYBER NETWORKS 
      ACT, AND PROVIDING FOR CONSIDERATION OF H.R. 1731, NATIONAL 
            CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015

  Mr. COLLINS of Georgia. Mr. Speaker, by direction of the Committee on 
Rules, I call up House Resolution 212 and ask for its immediate 
consideration.
  The Clerk read the resolution, as follows:

                              H. Res. 212

       Resolved, That at any time after adoption of this 
     resolution the Speaker may, pursuant to clause 2(b) of rule 
     XVIII, declare the House resolved into the Committee of the 
     Whole House on the state of the Union for consideration of 
     the bill (H.R. 1560) to improve cybersecurity in the United 
     States through enhanced sharing of information about 
     cybersecurity threats, and for other purposes. The first 
     reading of the bill shall be dispensed with. All points of 
     order against consideration of the bill are waived. General 
     debate shall be confined to the bill and shall not exceed one 
     hour equally divided and controlled by the chair and ranking 
     minority member of the Permanent Select Committee on 
     Intelligence. After general debate the bill shall be 
     considered for amendment under the five-minute rule. It shall 
     be in order to consider as an original bill for the purpose 
     of amendment under the five-minute rule the amendment in the 
     nature of a substitute recommended by the Permanent Select 
     Committee on Intelligence now printed in the bill. The 
     committee amendment in the nature of a substitute shall be 
     considered as read. All points of order against the committee 
     amendment in the nature of a substitute are waived. No 
     amendment to the committee amendment in the nature of a 
     substitute shall be in order except those printed in part A 
     of the report of the Committee on Rules accompanying this 
     resolution. Each such amendment may be offered only in the 
     order printed in the report, may be offered only by a Member 
     designated in the report, shall be considered as read, shall 
     be debatable for the time specified in the report equally 
     divided and controlled by the proponent and an opponent, 
     shall not be subject to amendment, and shall not be subject 
     to a demand for division of the question in the House or in 
     the Committee of the Whole. All points of order against such 
     amendments are waived. At the conclusion of consideration of 
     the bill for amendment the Committee shall rise and report 
     the bill to the House with such amendments as may have been 
     adopted. Any Member may demand a separate vote in the House 
     on any amendment adopted in the Committee of the Whole to the 
     bill or to the committee amendment in the nature of a 
     substitute. The previous question shall be considered as 
     ordered on the bill and amendments thereto to final passage 
     without intervening motion except one motion to recommit with 
     or without instructions.
       Sec. 2.  At any time after adoption of this resolution the 
     Speaker may, pursuant to clause 2(b) of rule XVIII, declare 
     the House resolved into the Committee of the Whole House on 
     the state of the Union for consideration of the bill (H.R. 
     1731) to amend the Homeland Security Act of 2002 to enhance 
     multi-directional sharing of information related to 
     cybersecurity risks and strengthen privacy and civil 
     liberties protections, and for other purposes. The first 
     reading of the bill shall be dispensed with. All points of 
     order against consideration of the bill are waived. General 
     debate shall be confined to the bill and amendments specified 
     in this section and shall not exceed one hour equally divided 
     and controlled by the chair and ranking minority member of 
     the Committee on Homeland Security. After general debate the 
     bill shall be considered for amendment under the five-minute 
     rule. In lieu of the amendment in the nature of a substitute 
     recommended by the Committee on Homeland Security now printed 
     in the bill, it shall be in order to consider as an original 
     bill for the purpose of amendment under the five-minute rule 
     an amendment in the nature of a substitute consisting of the 
     text of Rules Committee Print 114-12. That amendment in the 
     nature of a substitute shall be considered as read. All 
     points of order against that amendment in the nature of a 
     substitute are waived. No amendment to that amendment in the 
     nature of a substitute shall be in order except those printed 
     in part B of the report of the Committee on Rules 
     accompanying this resolution. Each such amendment may be 
     offered only in the order printed in the report, may be 
     offered only by a Member designated in the report, shall be 
     considered as read, shall be debatable for the time specified 
     in the report equally divided and controlled by the proponent 
     and an opponent,

[[Page H2369]]

     shall not be subject to amendment, and shall not be subject 
     to a demand for division of the question in the House or in 
     the Committee of the Whole. All points of order against such 
     amendments are waived. At the conclusion of consideration of 
     the bill for amendment the Committee shall rise and report 
     the bill to the House with such amendments as may have been 
     adopted. Any Member may demand a separate vote in the House 
     on any amendment adopted in the Committee of the Whole to the 
     bill or to the amendment in the nature of a substitute made 
     in order as original text. The previous question shall be 
     considered as ordered on the bill and amendments thereto to 
     final passage without intervening motion except one motion to 
     recommit with or without instructions.
       Sec. 3. (a) In the engrossment of H.R. 1560 the Clerk 
     shall--
       (1) add the text of H.R. 1731, as passed by the House, as 
     new matter at the end of H.R. 1560;
       (2) conform the title of H.R. 1560 to reflect the addition 
     of H.R. 1731, as passed by the House, to the engrossment;
       (3) assign appropriate designations to provisions within 
     the engrossment; and
       (4) conform cross-references and provisions for short 
     titles within the engrossment.
       (b) Upon the addition of the text of H.R. 1731, as passed 
     by the House, to the engrossment of H.R. 1560, H.R. 1731 
     shall be laid on the table.

                              {time}  1230

  The SPEAKER pro tempore. The gentleman from Georgia (Mr. Collins) is 
recognized for 1 hour.
  Mr. COLLINS of Georgia. Mr. Speaker, for the purpose of debate only, 
I yield the customary 30 minutes to the gentleman from Colorado (Mr. 
Polis), pending which I yield myself such time as I may consume. During 
consideration of this resolution, all time yielded is for the purpose 
of debate only.


                             General Leave

  Mr. COLLINS of Georgia. Mr. Speaker, I ask unanimous consent that all 
Members have 5 legislative days to revise and extend their remarks and 
to include extraneous materials on H. Res. 212, currently under 
consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Georgia?
  There was no objection.
  Mr. COLLINS of Georgia. Mr. Speaker, I am pleased to bring this rule 
forward on behalf of the Rules Committee. It is a rule that respects 
the legislative process and reflects the responsibility of Congress to 
address a critical deficit in the infrastructure of our Nation.
  This rule provides for consideration of both cybersecurity measures 
under a structured amendment process. As a result of a thorough and 
deliberative committee hearing yesterday evening, there are five 
amendments to H.R. 1560 and 11 amendments to H.R. 1731 that this body 
will have the opportunity to debate and ultimately vote for or against.
  The bipartisan nature of these bills speaks to the critical need for 
this legislation. Both bills passed their respective committees with 
bipartisan support, and I am hopeful this rule will enjoy similar 
overwhelming support.
  For each bill, amendments offered by Democrats exceeded those offered 
by Republicans. I would like to thank Chairman Nunes and also Chairman 
McCaul for their work, both within our conference and across the aisle, 
to ultimately bring forward two bills that reflect compromise, 
consistency, and a deep understanding of the dangers that cyber attacks 
pose every day.
  If both bills are adopted, this rule combines the bills and sends 
them to the Senate as a package in an effort to work with the other 
Chamber, go to conference, and to produce a product that will be signed 
into law. This is a fair rule that respects this body, the importance 
of this issue, and the legislative process as a whole.
  The world has changed greatly since this body last discussed 
cybersecurity. The ``Internet of Things'' has created unforeseen risks 
and exposed vulnerabilities and defects in the ability of companies to 
even simply talk to each other without fear of frivolous litigation.
  Our enemy is adapting, growing bolder and more sophisticated. North 
Korea, Iran, Russia, and China seek to exploit and devastate our 
economic security as a nation and our data security as individuals 
through cyber attacks that we cannot adequately anticipate, respond, or 
even communicate about.
  Foreign governments aren't the only ones who wish to do Americans 
harm. Terrorists and criminal enterprises have also recognized that 
American companies are crippled by the ambiguity in our law as it 
relates to sharing cyber threat information.
  The cyber attack surface has expanded. Wearables, connected vehicles, 
and embedded devices have made it possible for cyber attacks to 
literally be driven into the parking lot or walked through doors.
  The traditional ways of responding to cyber threats and recovering 
from them are not sufficient to safeguard the data privacy of Americans 
and the economic security of our Nation. The scope of these attacks and 
devastating damages are increasing as rapidly as the attackers are 
themselves.
  These bills are not a magic pill. They will not render inoperable the 
scores of foreign countries and enterprises that want to see American 
exceptionalism brought to its knees; but they do give clear, positive 
legal authority to American companies to allow them to protect their 
own and to appropriately share cyber threats with other countries and, 
in certain cases, Federal agencies.
  Let me be clear. These are not surveillance bills. These are not data 
collection bills. This is not the PATRIOT Act or FISA. This body will 
debate intelligence gathering, collecting, sharing, and using at some 
point in the future, but today is not that day.
  I know those rightly concerned with government surveillance, like 
myself, would like to use this rule for that purpose and the underlying 
measures as a platform to debate that, but I urge them to refrain. We 
will have that debate.
  Today's focus is on the perpetrating of the thousands of cyber 
threats American businesses face every single day. Let the attention be 
on North Korea. Let it be on Iran. Let it be on the countless enemies 
of the United States who want to destroy this Nation. For today, we 
speak with a united voice that they will fail.
  We declare with one voice that American companies have the right to 
protect their own, to protect and defend their own networks, to share 
technical information with the appropriate agencies on a voluntary 
basis if they so choose.
  I thank the Intelligence and Homeland Security Committees and their 
staff for their tireless work they have done to ensure that we can 
protect our economy, our infrastructure, and our private information.
  I know detractors of the legislation may attempt to paint this rule 
and underlying measures in a different light, so let's allow the facts 
to speak for themselves.
  These bills have three key components. First, they provide for 
completely voluntary participation by private companies in a program 
with positive legal authority. This program allows three kinds of 
sharing--private company to private company, government to private 
company, and private company to government--but this sharing of 
information is limited only to cyber threat indicators.
  Second, they require the removal of all unrelated personal 
information. It is the technical cyber threat information that is being 
shared, zeros and ones. In fact, there is a requirement that both the 
government and the private entity remove personally identifiable 
information when the information is shared and also when it is 
received.
  Third, the legislation expressly prohibits the cyber threat 
indicators from being used for surveillance.
  These bills will benefit all Americans by helping businesses better 
protect sensitive information. Attacks against our network often seek 
to steal Americans' personal information. This can include credit and 
debit card information, medical records, or even Social Security 
numbers.
  Many of the recent attacks that we have all read about in the news 
were specifically aimed at stealing the personal information of 
Americans. Cyber attackers are also increasingly targeting small 
businesses. In fact, in 2014, 60 percent of all targeted attacks struck 
at small- and medium-sized businesses.
  The underlying legislation will also help protect American jobs by 
protecting the intellectual property of American businesses. It is 
estimated that cyber attacks cost Americans roughly 500,000 jobs a 
year. Foreign companies often use cyber attacks to target the trade 
secrets of U.S. companies and then use the information to produce their 
own competing product.

[[Page H2370]]

  The threat is real, both to our economic security as a nation and our 
personal information as individuals. If we fail to act and pass this 
rule and the underlying bills, our Nation and our personal privacy is 
more at risk than ever before.
  Mr. Speaker, I reserve the balance of my time.
  Mr. POLIS. Mr. Speaker, I thank the gentleman from Georgia for 
yielding me the customary 30 minutes, and I yield myself such time as I 
may consume.
  Mr. Speaker, I rise in opposition to the rule and the underlying 
legislation.
  Today, the House is convening to debate a matter that we all agree is 
critical for our national security, our economic competitiveness, our 
prosperity, and the success of our private sector.
  The recent cyber attacks on Sony and Anthem are but two prominent 
examples of cases in which American businesses or government entities 
have come under attack by hackers, among many other instances that 
haven't even been reported.
  I want to recognize the work that the House Intelligence and Homeland 
Security Committees did on these pieces of legislation and their 
attempts to address these issues. Unfortunately, in spite of their hard 
work and the work of those that went into crafting these two bills, I 
regret that they fall short of their goals and would likely do more 
harm than good.
  Not only do both bills, particularly the Protecting Cyber Networks 
Act, raise enormous concerns about inappropriate sharing of personal 
information and surveillance on Americans' private lives, but they are 
built on the premise that many security experts have warned is 
fundamentally flawed, that sharing information with the Federal 
Government should be the central focus of our efforts to protect 
American cyber networks, rather than simply one aspect to a 
multipronged strategy to defeat hackers, foreign and domestic.
  Now, before I address the substance of these two bills, I want to 
discuss this unusual rule before us and how it treats two bills which 
contradict each other in significant ways.
  Ordinarily, when two committees share jurisdiction over a matter--in 
this case, the Homeland Security Committee and the Intelligence 
Committee--they collaborate. One committee handles one portion of the 
bill, reports it out; the other committee handles the other portion, 
reports it out, and they work together to bring a single piece of 
legislation to the floor for Members to debate, amend, and vote for or 
against.
  This is what happened, for example, with the recent SGR repeal 
legislation, which had components under the jurisdiction of no less 
than six different committees in this body, but was presented before us 
as a single bill.
  In this case, however, because there seems to be some kind of turf 
war between the Intelligence Committee and the Homeland Security 
Committee, we are actually voting on two overlapping bills that, in 
several respects, contradict one another.
  For instance, the bills have drastically different determinations of 
what kind of information may be shared, what purposes the government 
may use the information for, and what hacking countermeasures companies 
are allowed to take to protect their networks.
  Instead of having a meaningful debate on the merits of each bill's 
approach, this body, if this rule passes, would forego that, and we 
would simply debate and vote on each bill separately, and if they both 
pass, the rule directs the Clerk to mesh them together through 
something called conforming amendments.
  Not only would this leave businesses to wade their way through two 
separate, contradictory regulatory schemes, but it leaves it unclear 
which bill's provisions would actually prevail in practice and under 
which circumstances. It actually would create more uncertainty in the 
marketplace, rather than less.
  I don't think anybody could reasonably call this an open process. We 
shouldn't be depriving our constituents of an open debate on important 
issues. The major amendments of this bill that would have restored 
privacy, many of which I was a cosponsor, are not even allowed to be 
debated on the floor of the House, not for 10 minutes, not for 5 
minutes, not even for 1 minute.
  My colleagues and I on both sides of the aisle are being denied a 
vote on the very amendments that we feel could address the concerns we 
have with the cybersecurity legislation and make sure that we keep 
American networks safe.
  Mr. Speaker, in the 2 years since the NSA's shockingly broad data 
collection program PRISM came to light, we have heard from many of our 
constituents. The American people want an end to unwarranted 
surveillance. They want Congress to restore desperately needed 
accountability and transparency to our Nation's often out-of-control 
intelligence-gathering apparatus.
  It is bewildering to many people that, at the very time the American 
people have spoken out that we want more safeguards, instead, we are 
bringing forward two bills whose central objective is to facilitate the 
flow of more personal information to the Federal Government, when we 
continue to put off the question of surveillance reform and bringing an 
end to the NSA's bulk data collection without warrants.
  It is especially disappointing in light of the fact that several 
PATRIOT Act provisions will sunset at the end of next month, giving 
Congress a crucial opportunity to reexamine and rein in Federal 
surveillance programs.
  By putting off that issue and bringing mass information sharing to 
the floor, Congress is asking the American people for a blank check. 
Congress is saying: Trust the President. No President would allow this 
information sharing to infringe on your civil liberties, even though we 
have utterly failed to pass a single piece of legislation to end the 
privacy abuses that we know have occurred under this administration and 
the prior administration.
  The problem with these bills is that they go far beyond, and they 
open up additional loopholes and potential abuses with regard to 
privacy abuses, particularly H.R. 1560, the so-called Protecting Cyber 
Networks Act. Both bills open up Americans' private information to 
inappropriate scrutiny by the Federal Government.
  Now, I expect we will hear proponents of both bills argue at length 
that the protections against sharing personal information are 
sufficiently robust.
  For instance, under both bills, they will cite that cyber threat data 
is scrubbed twice for personal information, once by private entities 
before they transmit it to the government and once by government 
entities before they store the information or share it with anybody 
else.
  Now, that sounds good, but, unfortunately, the devil is in the 
details, and a close reading of the bill shows that there is an 
enormous loophole in the information-scrubbing component and that it 
fails to offer Americans safeguards for the personal information.

                              {time}  1245

  Under both bills, any Federal entity in receipt of cyber data threat 
information may store and share personal information it receives--
unscrubbed information--if they believe that it is related to a 
cybersecurity threat.
  Now, this standard isn't too vague, considering that information 
``related'' to a cybersecurity threat could be interpreted to mean just 
about anything, but it is also incredibly broad. It includes an 
implicit assumption that Americans' personal information should be 
shared, unless Federal officials have information that it is not 
related to a cybersecurity threat. In many cases, the burden is to show 
that the personal information is not related to a cybersecurity threat 
for it to be scrubbed, rather than the other way around.
  So, yes, companies and Federal entities are required to scrub the 
data for information that can be used to identify a specific person. 
But the loophole then calls on them not to remove any personally 
identifiable information unless they can show that it is not related to 
cybersecurity. Even if there is an off chance that something at some 
point might be pertinent to some kind of investigation, it puts 
Americans' personal information--without warrants, without due process, 
including information about patterns of Internet use, location, content 
of online communications--at great risk.
  We have seen before that the Federal Government has a poor track 
record of

[[Page H2371]]

safeguarding our personal information when they are entrusted with it. 
The last thing we should be doing is empowering Federal agencies even 
more with a broad discretion to look at personal information unless 
there is clear evidence that doing so would combat a cybersecurity 
threat.
  I introduced, along with my colleagues on both sides of the aisle, a 
number of amendments to both bills--one with the gentlewoman from 
California, Representative Zoe Lofgren, and one with Representative Zoe 
Lofgren and the gentleman from Michigan, Representative Justin Amash--
to impose a higher standard on Federal entities who are entrusted with 
this personal information. Our proposal would simply require the 
Federal Government to remove personally identifiable information unless 
it is directly necessary to identify or mitigate a cybersecurity 
threat--the purported purpose of this bill.
  These amendments would have imposed no additional burdens on private 
companies, but they would have given our Nation's technology companies 
and the customers who keep them globally competitive more confidence 
that private information shared under these bills would not be 
subjected to inappropriate mass scrutiny by the government.
  Sadly, our amendments met the same fate as nearly two dozen others 
put forth to add in important privacy safeguards.
  The potential for abuse of private information under H.R. 1560 is 
even more far-reaching. The Homeland Security bill at least makes clear 
that the information companies transmit to DHS should be shared 
specifically with other agencies that need it to protect critical 
infrastructure. But the circumstances under which information can be 
shared under the Intelligence bill--and who it can be shared with--are 
fuzzier and broader.
  Under the approach taken by H.R. 1560, every cyber threat indicator 
shared with a civilian agency of the Federal Government is immediately 
shared with a host of other government agencies, including the NSA. 
This increases the threat to cybersecurity by having repositories of 
information replicated across numerous government agencies, creating 
additional avenues for attack by malicious hackers. That means that 
private sector companies will not be able to participate in the program 
and promise their users they will not share information with NSA or 
other government agencies unless required by law.
  Furthermore, it is true that the Homeland Security bill includes some 
troubling provisions that allow the government to use cybersecurity 
threat information for criminal investigations unrelated to 
cybersecurity. Fortunately, the Rules Committee made in order an 
amendment by Representatives John Katko, Zoe Lofgren, and Anna Eshoo 
that would address this problem in the Homeland Security bill. I hope 
that my colleagues adopt this amendment.
  Unfortunately, no such amendment is being considered to address this 
issue within the Intelligence bill, H.R. 1560, where the problem 
actually runs much deeper. H.R. 1560 permits cyber threat data, 
including Americans' private information, that is shared with the 
Federal Government to be stored and used for a raft of unrelated 
purposes, unconstrained by congressional directive, including 
investigations and potential prosecution of crimes completely unrelated 
to cybersecurity.
  Obviously, all of us want law enforcement agencies to be equipped to 
prevent and prosecute violent crime, but the inclusion of these matters 
completely unrelated to cybersecurity broadens the scope of the measure 
far beyond what it is purported to be: a cybersecurity bill. In fact, 
it reduces the focus of our efforts on combating cybersecurity when you 
open it up to everything under the sun.
  By including a vast array of other reasons the government can invoke 
to store and share personal information, the authors of the bill 
essentially transformed the information-sharing initiative into a broad 
new surveillance program.
  Yes. Rather than a cybersecurity measure, effectively, these bills 
are a stalking horse for broad new surveillance authority by multiple 
agencies of the Federal Government without warrants, without oversight.
  H.R. 1560 empowers Federal entities to hold onto any information 
about an individual that may be ``related to'' any of the many law 
enforcement purposes lumped into the bill. That gives the Federal 
Government enormous incentive to retain and scrutinize personal 
information, even if it is unrelated to a cybersecurity threat.
  The scope of the use authorizations also undermines due process 
protections that exist to protect Americans against unwarranted search 
and seizure. Private information about a person that was transmitted 
warrantlessly to the NSA under a program that was purportedly designed 
to combat hackers should not be admissible or used in court against 
them on an unrelated offense--not related to cybersecurity, not related 
to hacking. It would render all of our due process protections invalid 
simply because of the medium of the information that is used with 
regard to these matters in this case: Internet and cyber-related 
mediums and communications through them.
  I joined Representatives Zoe Lofgren, Darrell Issa, and Blake 
Farenthold on an amendment to make clear that information sharing may 
only be used for the purpose of mitigating cybersecurity threats, 
again, the purported purpose of this bill. If the proponents of this 
bill are serious about combating cybersecurity, why did the Rules 
Committee deny Members the opportunity to limit the provisions of this 
bill to cybersecurity rather than a whole host of unrelated offenses?
  I also joined the gentleman from Kansas, Representative Kevin Yoder, 
to sponsor an amendment to address a longstanding due process issue 
that has plagued our Nation's legal system and our privacy rights.
  While the government is required to get a warrant if it wants to 
search through a person's physical mail, it is not required to get a 
warrant to search through somebody's old emails, provided the emails 
are older than 6 months. That contradiction and loophole was based on a 
1986 law that was written before most people knew what email was.

  Representative Yoder and I sponsor a bipartisan bill that has 261 
cosponsors, and yet when we offered a provision on this bill, we were 
not given a chance to vote on it and pass it in spite of the grave due 
process implications that the underlying legislation has.
  In addition to these privacy and due process concerns, I am alarmed 
by the prospect that H.R. 1560 will actually invite attempts by both 
private and public entities to deliberately weaken the integrity of 
software systems in the name of cybersecurity.
  H.R. 1560, for instance, authorizes companies to deploy 
countermeasures that are called defensive measures in the form of hack 
backs that would otherwise be illegal. A countermeasure operated on one 
network should never cause harm to another that is prohibited by the 
Federal antihacking statute, the Computer Fraud and Abuse Act. But that 
is precisely what can happen when a company places malware on its own 
network, because if that data gets stolen along with other valuable 
data, it can harm or lead to unauthorized or backdoor access of other 
proprietary networks or information.
  The gentleman from Virginia, Representative Gerry Connolly, put 
forward two amendments to address this issue in a very thoughtful 
manner. Regrettably, neither one will be allowed to be debated or 
receive a vote on the floor of the House unless we can defeat this 
rule.
  Furthermore, both bills present the risk that Federal entities will 
use the threat information they receive from private companies to 
circumvent the security protections safeguarding those same private 
companies' information systems, effectively creating their own back 
doors which could later be exploited by malicious hackers.
  As a matter of routine, our intelligence apparatus already demands 
that private companies include defects in their encryption system for 
the purported purpose of conducting backdoor surveillance. Today's 
legislation only makes it easier for the NSA to find and exploit more 
of these back doors and, therefore, easier--not harder--for hackers to 
find and exploit these very same security weaknesses.

[[Page H2372]]

  Once again, Representative Lofgren put forward an amendment that 
would actually improve cybersecurity by making it clear that Federal 
entities could not use data obtained through information sharing to 
demand that private entities create new encryption weaknesses to enable 
backdoor hacking. Sadly, once again, her amendment will not be heard on 
the floor of the House, and this bill will encourage and allow 
additional venues for the illicit hacking it purports to combat.
  Mr. Speaker, I don't doubt the intentions and the goals of my 
colleagues on the Intelligence and Homeland Security Committees, but 
these bills simply represent a step backwards rather than a step 
forward, present risks on too many fronts, from privacy, to due 
process, to the threats that they add to the integrity of the very 
networks that these bills are designed to safeguard.
  In addition, the bills' focus on information sharing negates an 
important conversation about more important mechanisms Congress should 
be looking at to protect cyber systems, mechanisms that are not as 
fraught with risks to our civil liberties and are more effective at 
protecting our networks. We should be doing more, for instance, to 
educate businesses and governments about basic network security.
  Even here in Congress, we have seen evidence of how woefully lacking 
even elementary knowledge about cyber threats is. Helping businesses 
prevent cyber attacks doesn't have to mean that the government vacuums 
up endless amounts of personal data about how individual Americans are 
using the Internet and their personal communications.
  In fact, if we stop allowing the NSA to demand that U.S. businesses 
deliberately weaken their own networks for the purpose of government 
surveillance, that, in itself, would be a big step forward to 
strengthening our national cybersecurity.
  Sadly, today's rule doesn't even allow for a debate or for a vote on 
the most significant concerns surrounding this legislation and denies 
Members the opportunity to consider changes that would address the 
issues that we have raised and improve cybersecurity under this bill. 
For these reasons, I hope my colleagues join me in opposing the rule 
and the underlying legislation.
  I reserve the balance of my time.
  Mr. COLLINS of Georgia. Mr. Speaker, again, I want to focus this 
debate. There are many things my friend from Colorado brought up that 
will be debated, that are coming up, I think, as early, frankly, as 
tomorrow in some committees and will be debated on this floor. This is 
about sharing. This is about information protection.
  And with that, I am pleased to yield 3 minutes to the distinguished 
gentleman from New York (Mr. King), who is a member of both the 
Homeland Security and the Intelligence Committees. He is the chairman 
of the Homeland Subcommittee on Counterterrorism, and he is also the 
former chairman of the full committee.
  Mr. KING of New York. I thank the gentleman for yielding.
  Mr. Speaker, I rise in strong support of the rule and also of the 
underlying bills, H.R. 1731 and H.R. 1560.
  As was pointed out, I am the only Member of Congress who is on the 
Homeland Security Committee and the Intelligence Committee; and I was 
able to both take part and also to observe closely the extent to which 
the gentleman from Texas, Chairman McCaul, and the gentleman from 
California, Chairman Nunes, worked with Members on both sides of the 
aisle, worked with privacy groups, worked with Federal officials, 
government officials, and administration officials to try to make this 
as bipartisan a bill as possible, to ensure that privacy would be 
protected, but also to ensure that everything possible can be done to 
protect our Nation against cyber intrusions.
  Now, every day there are attacks upon our infrastructure. The 
critical infrastructure--mostly in private hands--is being targeted; 
and Federal networks, databases that are vital to our national 
security, are under assault every second of every day.
  Cyberterrorism, whether it is carried out by a nation-state, such as 
Iran or Russia or China, or carried out by terrorist organizations, 
such as ISIS or al Qaeda, is extremely damaging and threatening to our 
national security; and it is essential that we, especially since so 
much of our critical infrastructure is in the hands of the private 
sector, allow for sharing, that we allow companies to share information 
with the government, that there is mutual sharing with the government, 
with the private sector, so that these companies can do it without fear 
of being sued, without fear of liability--they act in good faith; they 
do what has to be done.
  Every measure that was put in there--I know the gentleman from 
Colorado disagrees, but every measure is in there to ensure that 
individual rights will not be violated, that privacy will not be 
violated. And again, we have to look at, for instance, if the gentleman 
from Colorado is wrong, what this could mean to our country, how this 
could devastate--devastate--our infrastructure, devastate our national 
security, devastate our financial system.
  So again, this was not something that was rushed into. And when you 
have both bills passing out of committee with, as far as I recall, not 
one dissenting vote--not that everyone was in full agreement with the 
bills. But the fact is this is probably as close to a consensus as you 
can come in the Halls of Congress on such a critical and, in some ways, 
such a controversial issue, to find that type of unanimity on the two 
committees that deal with this most significantly.

                              {time}  1300

  H.R. 1731 is the Homeland Security Committee bill that allows this 
information to be shared. The port will be the Department of Homeland 
Security, and that was done, again, working with privacy groups and 
working with those who are concerned with civil liberties, at the same 
time working with those who realize how absolutely essential to our 
security passage of this legislation is and how we have to have this 
type of cooperation, this type of sharing, this information sharing, 
and being done with the government and with the private sector working 
together to combat these enemies which can come at us from all 
directions. Again, every second of every day these attacks are being 
attempted and carried out.
  That is the crisis that faces us as a nation. It is not as obvious as 
a bomb going off in Times Square, and it is not as obvious as a bomb 
going off at the Boston Marathon, but it is just as critical.
  The SPEAKER pro tempore. The time of the gentleman has expired.
  Mr. COLLINS of Georgia. Mr. Speaker, I yield the gentleman an 
additional 1 minute.
  Mr. KING of New York. It is just as critical and just as vital, in 
some ways more so, in that the ultimate result could be so devastating 
to our Nation.
  So, Mr. Speaker, I would ask, again, passage of the rule, which I 
believe is obviously essential, but also passage of the underlying 
bills because, again, our Congress has been criticized, with some 
validity, for not being able to work together and for not being able to 
get things done. But to have such a vital, controversial issue as this, 
to have both committees who deal with it most closely, to have them 
come together, all the effort and work that went into it, to have them 
come together to come up with this package of legislation, this shows 
Congress works. It shows we take this issue seriously, and it means we 
are going to go forward in all we can to combat terrorism in all its 
forms. Right now, probably the most lethal are the cybersecurity 
attacks being made on us.
  Mr. Speaker, I urge strong support of the rule and the underlying 
bill.
  Mr. POLIS. Mr. Speaker, I would just add that demanding that private 
companies deliberately include defects in their own encryption systems 
for the purpose of allowing the NSA to conduct backdoor surveillance 
only increases the risk of our cybersecurity networks rather than 
decreases it, which is exactly what the bill does.
  Mr. Speaker, I yield 2 minutes to the distinguished gentleman from 
Mississippi (Mr. Thompson), the ranking member of the Committee on 
Homeland Security.
  Mr. THOMPSON of Mississippi. Mr. Speaker, I thank the gentleman from 
Colorado for yielding the time.
  Mr. Speaker, though I support H.R. 1731, the National Cybersecurity 
Protection Advancement Act, as approved by voice vote in my committee, 
I rise to express my disappointment with the rule.

[[Page H2373]]

  Yesterday the White House announced support for House passage of H.R. 
1731 but said that ``improvements to the bill are needed to ensure that 
its liability protections are appropriately targeted to encourage 
responsible cybersecurity practices.'' The White House was referring to 
the language that was inserted at the direction of the Judiciary 
majority.
  Instead of providing a targeted safe harbor for companies to share 
timely cyber threat information, it establishes an unduly complicated 
legal framework that runs the risk of providing liability relief to 
companies that act negligently. Moreover, it explicitly immunizes 
companies from not acting on timely cyber information. This language 
runs counter to the fundamental goal of the legislation: to get 
companies timely, actionable information to use to protect their 
networks.
  Yet when H.R. 1731 is considered tomorrow, Members will not be 
allowed to vote on a single amendment to fix the liability provision 
that the White House has called ``sweeping'' and said may weaken 
cybersecurity overall. Remarkably, none of the seven amendments that 
were filed to fix it are being allowed.
  I would also like to register my disappointment that the rule calls 
for H.R. 1731, upon passage, to be attached to the Intelligence 
Committee bill. From my conversation with Members, I know that there is 
a great deal of support for authorizing cyber information sharing with 
the Federal civilian lead, the Department of Homeland Security. As 
such, I would argue that the rule should have called for H.R. 1560 to 
be folded into our bill.
  Mr. COLLINS of Georgia. At this point, Mr. Speaker, I am pleased to 
yield 1 minute to the distinguished gentleman from California (Mr. 
Issa), the chairman of the Judiciary Committee's Subcommittee on 
Courts, Intellectual Property, and the Internet.
  Mr. ISSA. Mr. Speaker, I thank the gentleman.
  Mr. Speaker, I will be supporting the rule, but not without 
trepidation. I will be opposing the underlying bill, but not without 
regret. The underlying bill could have done what we wanted it to do. It 
could have allowed for the exchange of information while protecting 
individuals' privacy. It could have limited that information to 
preventing a cyberterrorist attack. But, in fact, amendments that were 
offered on a bipartisan basis, a number of them, that could have 
limited this would have, in fact, allowed us to have the confidence 
that this information would be used only for what it was intended.
  Mr. Speaker, since 9/11, the government has begun to know more and 
more about what we are doing, who we are, where we live, where we 
sleep, whom we love, whom we do business with, and where we travel. And 
we have known less and less. Just a few days ago, the Ninth Circuit in 
northern California had to rule that the government had to turn over 
information in a usable format. It took a Federal court order to do so.
  The SPEAKER pro tempore. The time of the gentleman has expired.
  Mr. COLLINS of Georgia. Mr. Speaker, I yield the gentleman an 
additional 1 minute.
  Mr. ISSA. I thank the gentleman.
  Mr. Speaker, this bill should mandate our knowing more and the 
government not knowing. It should have ensured that the government only 
had what it needed. It should have protected private companies who 
wanted to exchange appropriate information between each other. It 
should not have created a vast treasure trove here in Washington or 
somewhere in the hinterland where the government now and in the future 
can dig in for any purpose--criminal background investigations or 
perhaps simply checking to see if you paid your taxes. The fact is, 
this is a data vault that is not narrowly construed, and, therefore, 
sadly, without the amendments that were not allowed, I am not in a 
position to vote for this bill. I thank the chairman, and I thank Mr. 
Polis for his kind remarks also.
  Mr. POLIS. Mr. Speaker, if we defeat the previous question, we will 
offer an amendment to the rule that will allow the House to consider 
the Department of Veterans Affairs Cybersecurity Protection Act.
  Mr. Speaker, I yield 2 minutes to the gentlewoman from Arizona (Mrs. 
Kirkpatrick) to discuss our proposal.
  Mrs. KIRKPATRICK. Mr. Speaker, I thank my colleague for giving me a 
couple of minutes to talk about the importance of protecting our 
veterans from cyber attack.
  Mr. Speaker, I rise in support of H.R. 1128, the Department of 
Veterans Affairs Cyber Security Protection Act. My bill will protect 
veterans' personal and sensitive information from cyber attacks without 
compromising the VA's ability to provide the health care, benefits, and 
services our veterans have earned.

  This legislation will do primarily three things. First, it will 
require the VA to develop an information security strategic plan that 
protects current veterans' information and anticipates future 
cybersecurity threats. Second, it mandates a report on VA actions to 
hold employees accountable for data breaches. Third, it requires the VA 
to propose a reorganization of the VA's information-security 
infrastructure to protect veterans and provide greater levels of 
accountability and responsibility in the VA.
  My bill will also require the VA to report employee violations of its 
policy and report any incidents involving the compromise of veterans' 
personal information by the VA or from outside cyber attacks.
  Mr. Speaker, this bill is one commonsense way that we can hold the VA 
accountable and protect veterans' private and personal information from 
cyber threats, and I urge all of my colleagues to support H.R. 1128.
  Mr. COLLINS of Georgia. Mr. Speaker, at this time I am pleased to 
yield 5 minutes to the gentleman from Georgia (Mr. Carter), a member of 
the Homeland Security Committee and a colleague of mine from Georgia.
  Mr. CARTER of Georgia. I thank the gentleman.
  Mr. Speaker, national cybersecurity will be an issue this House will 
have to constantly address for the foreseeable future. To achieve a 
system that will protect our Nation's citizens and its infrastructure, 
we must create a public-private partnership between Federal agencies 
and American businesses. This partnership will allow Federal agencies 
and American businesses to share cyber threat information, 
vulnerabilities within our cyber network, and the creation of new 
systems to protect consumer information. However, private businesses 
need to be provided protections and incentives to ensure they are 
protected from government abuse and private legal proceedings meant to 
gain access to private security information.
  Mr. Speaker, one of our top priorities with these two bills should be 
to clearly acknowledge protections given to companies that engage in 
penetration testing and clearly state that company proprietary 
information is protected from nefarious legal proceedings and exempted 
from Freedom of Information Act requests. It is reasonable to think 
that individuals would actively pursue this sort of proprietary 
information for the sole purpose of accessing the vulnerabilities of 
private cyber networks if we do not clearly state that this information 
is protected and exempt from those actions.
  I believe we should consider these possibilities and ensure that 
protections are provided so our country and its citizens can fully 
benefit from these laws.
  Mr. COLLINS of Georgia. Will the gentleman yield?
  Mr. CARTER of Georgia. I yield to the gentleman.
  Mr. COLLINS of Georgia. I want to thank my colleague from Georgia who 
sits on the Homeland Security Committee for his passion and his 
commitment to addressing these critical defects in the laws governing 
this voluntary sharing of cyber threat information. The legislation 
before us today is good policy reflective of the hard work of the 
committees on which you sit, Homeland Security and the Intelligence 
Committee, as well as input from a vast array of stakeholders. It is 
important to know that the legislation is supported by every sector of 
the economy.
  As my friend so eloquently noted, the legislative process will 
rightly continue after these bills are considered by the full House 
this week and for years to come as we revisit and reassess the needs of 
Americans' privacy and also the laws governing cybersecurity.

[[Page H2374]]

  Mr. Speaker, I agree with my friend that if there is a conference 
committee on this bill, we should encourage them to seek additional 
clarification language as needed to ensure that companies are 
appropriately incentivized to share cyber threat information.
  I just want to say personally that I appreciate all the hard work 
that you have done on this issue bringing this forward and continuing 
to work for not only the companies in Georgia but across this Nation 
who depend on a safe and secure cyber network.
  Mr. POLIS. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, it is ironic that on this very day, leaders on the 
Judiciary Committee will introduce legislation designed to reform and 
rein in the Federal Government's surveillance programs. I haven't had 
the opportunity to review those bills yet, so I can't speak to their 
merits. But I hope that if it is a strong bill, it will make its way 
through both Chambers and become law.
  But, today, this body is considering a rule that would take us in the 
wrong direction. Recent history has shown that this body shares the 
American people's concerns that we don't take the threat of unwarranted 
surveillance seriously enough and that Congress needs to pass 
meaningful reforms that balance our liberties, our freedoms, and our 
privacy with the need to keep America safe.
  Senate Majority Leader Mitch McConnell introduced legislation 
yesterday that would extend the NSA's surveillance program without any 
of the reforms that many of us on both sides of the aisle have 
advocated to rein them in. This is despite the national outcry and, 
indeed, international embarrassment that has been counterproductive to 
the very American security goals that these provisions are designed to 
advance.
  This makes me fear that Congress is not learning from the mistakes of 
the past, mistakes of overly broad surveillance authorities, but 
instead is about to repeat them. So before we approve faster, broader, 
and easier sharing of vast amounts of personal information from 
innocent Americans with the Federal Government, Congress should be 
taking up legislation to prove that we have the ability to curb abuse 
and the Federal Government's penchant for abusing its access to this 
kind of data.
  So far Congress has not shown its aptitude for preventing this kind 
of abuse. Yet today we ask the American people to trust us, to trust 
the President, yet again, by opening up even more information to the 
NSA and other surveillance agencies.
  Our experience with the NSA has shown us that to protect American 
civil liberties from an overzealous surveillance apparatus, the 
authorities to review and share Americans' personal information need to 
be construed as narrowly, as unambiguously, and as specifically as 
possible by the United States Congress. We need to limit very 
specifically to a specific set of circumstances under which sharing 
data and information is necessary for mitigating a security threat.
  We offered to do that through bipartisan amendments, working with 
Representative Lofgren, Representative Issa, and others, but none of 
those amendments are allowed to be discussed or debated under this 
rule.
  Both the Protecting Cyber Networks Act and the National Cybersecurity 
Protection Advancement Act fall well short of the standard--and in the 
case of the Protecting Cyber Networks Act can even be counterproductive 
and falls woefully short.

                              {time}  1315

  These pieces of legislation would enable Federal agencies to store 
and share Americans' private information, such as Internet usage 
patterns, even the content of online communications, based on a vague 
or broad standard that doing so is not unrelated to a cybersecurity 
threat.
  Again, not affirmatively, they don't have to prove that it is related 
to a cybersecurity threat; the burden of proof is to show that it is 
not unrelated to a cybersecurity threat. How can you demonstrably show 
that about anything?
  It would make it easier for government agencies to deliberately 
weaken software systems for the purpose of creating new surveillance 
back doors that foreign nation-states and hackers can presumably also 
exploit.
  It would leave the door wide open to more NSA surveillance by 
allowing the sharing of personal information for a raft of purposes 
unrelated to cybersecurity. We can do better.
  By rejecting this rule, Members of Congress will show that, yes, we 
take cybersecurity seriously, so seriously that we want to take the 
time to get it right. Whether that takes another week or 2 weeks or 3 
weeks, getting it right means allowing Members of this body input into 
the formulation of the final bill meaningfully through the kinds of 
amendments that have been rejected outright under this rule without 
discussion, without debate, without a vote.
  Unfortunately, the rule before us today denies us the ability to 
consider amendments that would have addressed many of the concerns with 
the bill.
  Mr. Speaker, I ask unanimous consent to insert the text of the 
amendment in the Record, along with extraneous material, immediately 
prior to the vote on the previous question.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Colorado?
  There was no objection.
  Mr. POLIS. Mr. Speaker, I urge my colleagues on both sides of the 
aisle to vote ``no'' and defeat the previous question.
  I urge a ``no'' vote on this bizarre rule that combines two, at 
times, contradictory bills and rejects bipartisan amendments that would 
have addressed the concerns that many of us have with the underlying 
legislation.
  I urge a ``no'' vote on the previous question and the rule.
  Mr. Speaker, I yield back the balance of my time.
  Mr. COLLINS of Georgia. Mr. Speaker, I yield myself such time as I 
may consume.
  As we move forward, I think one of the things--and there are many 
things that are going to be discussed, and I encourage all Members to 
vote for this rule. As we move into general debate, there will be a lot 
of discussion that talks about what we are moving forward; but, also, I 
want to bring forward that we are--as is seemingly not discussed 
bringing forth, there are amendments being brought forth on both of 
these bills.
  There also were 20-something amendments in Homeland Security; there 
was also an amendment in Intelligence. These are vetted bills. This is 
a proper role with what we are doing in Congress in bringing these to 
the floor.
  Are there times that someone may want others? Yes; but, at this 
point, we are going to have that debate here on the floor. That is why 
voting for this rule and moving this forward is the proper thing to do.
  Before we also move back from this, I want to talk about this need 
and why we are here even to start with. Most Americans recognize and 
understand that the growing attacks against our cyber networks and 
critical infrastructure and our laws fail to provide proper legal 
authority for information regarding cyber threats to be shared.
  In fact, when I am back home in the Ninth District of Georgia 
discussing this, most people don't realize there is this barrier, and 
especially everything that is going on, they don't understand why some 
of these impediments were put into place that keeps companies from 
protecting their own, but also protecting their own personal 
information.
  One of the things that is missing in this debate is the discussion of 
what has actually happened and the personal information that is shared 
by these hackers who are getting into our system.
  Some of the latest attacks perpetrated by North Korea and other 
criminal enterprises on Sony Pictures and health insurance providers 
Anthem and Blue Cross Blue Shield speak to the type of attacks that 
occur on a daily basis that target the backbone of American business 
and the privacy of America's most sensitive data.
  As we look to constrain this, as we look to put in proper safeguards, 
we have to realize that doing nothing exposes more and more of our 
American citizens to personal information being shared. If we don't 
believe it, just read the headlines from Sony, Anthem, and these others 
that have come out recently.
  According to the Department of Homeland Security, in 2014 alone, they

[[Page H2375]]

received almost 100,000 cyber incident reports and detected 64,000 
cyber vulnerabilities, and these numbers are just based on information 
given to DHS and does not reflect the full scope of the attacks on our 
Nation.
  When we look at this and we talk about the personal information, the 
FBI Director James Comey said:

       There are two kinds of big companies in the United States. 
     There are those who have been hacked . . . and those who 
     don't know they have been hacked.

  A recent survey by the Ponemon Institute showed an average cost of a 
cyber crime for U.S. retail stores more than doubled from 2013 to an 
annual average of 8.6 million per company in 2014.
  The annual average cost for a company of a successful cyber attack in 
2014 increased to 20.8 million in financial services, 14.5 million in 
the technology sector, and 12.7 million in the communications industry.
  The scope of many attacks are not fully known. For example, in July 
of 2014, the U.S. Computer Emergency Readiness Team issued an advisory 
that more than 1,000 U.S. businesses have been affected by the Backoff 
malware, which targets point-of-sale systems used by most retail 
industries. These attacks targeted administrative and customer data 
and, in many cases, financial data. Most companies encounter multiple 
cyber attacks every day, many unknown to the public and many unknown to 
the companies themselves even.
  Again, as we look back over the attacks of just the past year, Target 
announced an additional 70 million individual contact information was 
taken during the December 2013 breach in which 40 million customers' 
credit and debit information was stolen.
  Between May 2013 and January 2014, the payment cards of 2.6 million 
Michaels customers were affected. Attackers targeted the Michaels POS 
system to gain access to their systems.
  The email service Yahoo! Mail was reportedly hacked in for 273 
million users, although the specific number of accounts affected was 
not released.
  For 2 weeks, AT&T was hacked from the inside by personnel who 
accessed user information, including Social Security information.
  Foreign nationals from China have been indicted for computer hacking 
and economic espionage. We have seen these attacks all over the board.

  Looking at this, the real issue that comes to mind is if we sit back 
and are not productive and not proactive as the Intelligence Committee 
and the Homeland Security Committee have been here, we are putting in 
danger more personal information being exposed in ways that no American 
needs to have their personal information exposed and are being targeted 
in the process.
  This is good legislation that needs to stay on the floor, and that is 
why we are here today to support this rule and to look forward to that 
debate that has already happened and will continue to happen.
  I appreciate the discussion we have had over the past hour. Although 
we may have some differences, our unity should be clear against the 
cyber attacks and our resolve to prevent them and show their success is 
strong.
  This rule provides for ample debate on the floor, the opportunity to 
debate and to vote on 16 amendments, and a smooth and deliberative 
process for sending one bill to the Senate. These bills will help 
protect American consumers, jobs, and small businesses.
  Allowing companies, again, to voluntarily share cyber threat 
indicators with other companies and government agencies will help bring 
awareness to new threats and vulnerabilities.
  If businesses can learn about a new threat from another business or 
from the government before they are targeted themselves, they can 
better act to protect their customers' personal information from a 
similar attack.
  I would like to thank Intel, Homeland Security, Judiciary, and Rules 
Committee members and staff for the thoughtful and involved processes 
that have brought us to this point.
  I urge my colleagues to support the rule and these two cybersecurity 
bills.
  Ms. JACKSON LEE. Mr. Speaker, I rise to speak on the Rule governing 
debate on H.R. 1731 and H.R. 1560.
  I support the Rule for H.R. 1731 and H.R. 1569 because it: 1. 
provides for consideration of important improvements to both bills; 2. 
makes clear the role of the Department of Homeland Security in securing 
civil government networks; and 3. the responsibilities of DHS in assist 
private sector entities in improving overall cybersecurity for 
themselves and their customers.
  The bipartisan process that the Homeland Security Committee followed 
through the leadership of Chairman McCaul and Ranking Member Thompson 
is an example of what can be accomplished when partisanship is removed 
from the policymaking equation.
  I would also like to thank Chairman Sessions and Ranking Member 
Slaughter as well as members of the Rules Committee for making 4 of my 
amendments in order.
  I join my colleagues in the work to secure our nation's 
cybersecurity, while preserving the privacy and civil liberties of our 
citizens.
  The road to today began in 2011, when President Obama took several 
steps to move the issue of cybersecurity to the forefront by: 1. 
releasing a cybersecurity legislative proposal; 2. calling on Congress 
to take urgent action to give the private sector and government the 
tools needed to combat cyber threats at home and abroad; and 3. issuing 
the International Strategy for Cyberspace to make clear to nations 
abroad that the United States was firmly committed to improving 
cybersecurity and combating cyber terrorism.
  I will be offering several amendments as the two bills are 
considered.
  The Jackson Lee amendments are simple and will improve the privacy 
protections already in the bills and allow the Department of Homeland 
Security to become a better partner with the private sector in its work 
to improve domestic cybersecurity.
  One of the Jackson Lee amendments that will be offered to the both 
bills will improve privacy and civil liberties by providing the public 
with a report from the Government Accountability Office that their 
privacy and civil liberties are not being compromised by the programs 
established by this bill.
  Other Jackson Lee Amendments to H.R. 1731 will include an assurance 
that DHS's remains current on innovations: 1. on data security that can 
improve privacy and civil liberties protections; 2. in industrial 
control systems to keep pace with industry adoption of new 
technologies; and industry best practices; and 3. that can aid DHS in 
aligning federally funded cybersecurity research and development with 
private sector efforts to protect privacy and civil liberties.
  These amendments will make sure that technology and equipment 
purchased with taxpayer dollars provided to ensure cybersecurity will 
remain current and focused on real-world applications that reflect 
constitutional values and how businesses and industry function.
  An important building block for improving the Nation's cybersecurity 
is ensuring that private entities can collaborate to share timely cyber 
threat information with each other and the Federal Government.
  The Administration is expressing concerns with H.R. 1560's broad 
liability protections offered to companies that sharing information 
with federal government programs established under this bill.
  Appropriate liability protections should be established that 
incentivize good cybersecurity practices and would not grant immunity 
to a private company for failing to act on information it receives 
about the security of its networks.
  The important component of cybersecurity is that computer network 
owners and managers will act to improve cyber defense of their systems 
when provided with information that vulnerabilities in their computer 
networks exist.
  Legislation should not provide incentives for companies not to act 
when presented with evidence of network cyber security vulnerabilities.
  Electronic data breaches involving Sony, Target, Home Depot, Neiman 
Marcus, JPMorgan Chase, and Athem are only a few of the cyber incidents 
that have plagued private sector networks.
  These data breaches also are a reminder that the Internet is not yet 
what it must become to continue to meet the remote communication needs 
of a global marketplace.
  As with other threats this nation has faced in the past and overcome 
we must create the resources and the institutional responses to protect 
our nation while preserving our liberties and freedoms.
  We cannot accomplish the task of better cybersecurity without the 
cooperation and full support of citizens; the private sector; local 
state and federal government; computing research community; and 
academia.
  This level of cooperation requires the trust and confidence of the 
American people that the actions taken by government to combat cyber 
threats will not threaten our way of life nor our hard fought 
Constitutional rights.
  H.R. 1731 makes clear that the Department of Homeland Security will 
be the federal government agency responsible for securing civilian 
government networks and supporting voluntary efforts by private sector 
companies and institutions to improve coordination and response to 
cyber security threats.

[[Page H2376]]

  The issues regarding liability protection related to cybersecurity 
must be addressed in order for H.R. 1560 and H.R. 1731 to have any 
chance of succeeding.
  It is my understanding that Chairman McCaul and Ranking Member 
Thompson have reached agreement on language that addresses concerns 
that have been raised regarding liability.
  There are talented and resourceful people outside and inside of 
government who can inform Congress on approaches to information sharing 
that will yield the desired results without compromising privacy or 
civil liberties.
  Mr. RICHMOND. Mr. Speaker, I rise in opposition to the Rule for H.R. 
1560 and H.R. 1731. Members from both parties have a shared goal of 
bolstering cybersecurity and improving the quality of information that 
the private sector receives about timely cyber threats so that they can 
protect their systems. I am greatly disappointed that the Rules 
Committee failed to make in order any of the several amendments 
submitted by both Democrats and Republicans to refine what the White 
House has called ``sweeping'' liability protections, as they appear in 
both cyber information sharing bills to be considered this week.
  Extending liability protection to a company that ``fails to act'' on 
timely threat information could encourage companies to simply do 
nothing despite receiving information critical to the security of its 
systems. Appropriate liability protection does not grant immunity to 
companies for failing to act on such cybersecurity threat information, 
but rather incentivizes sound cybersecurity practices. The provision 
also effectively preempts state laws--including those in California, 
Massachusetts, and Maryland--that hold businesses liable for failing to 
maintain reasonable security of their systems, thereby undermining 
important protections for consumers and their sensitive data.
  Instead, my Democratic colleagues on the Homeland Security Committee 
and I support President Obama's straightforward, tailored approach to 
addressing what some in industry have identified as a major barrier to 
the sharing of cyber threat information--the risk that sharing such 
information would expose companies to legal liability. Unfortunately, 
the liability protection provision included in the bill puts in place 
an unduly complicated structure that runs the risk of providing 
liability relief to companies that fail to act on timely cyber 
information. I submitted two amendments to address the liability 
protection problems that exist in both information sharing bills to be 
considered this week. The first would have struck the provision 
immunizing companies that fail to act on timely threat information and 
clarified that the Act has no impact on a duty to act on shared 
cybersecurity threat information. The second would have removed all 
potential liability exemptions for willful misconduct by government 
actors.
  These provisions would have improved both bills greatly, and at a 
minimum they deserved to be debated on the House floor today. The 
effectiveness of information sharing legislation and efforts to improve 
the security of companies' systems depends on getting liability 
protection right. I look forward to continuing the discussion on 
liability protection with Members from both sides of the aisle as the 
bill moves forward.
  Mr. COLLINS of Georgia. Mr. Speaker, House Report 114-88, the report 
to accompany H. Res. 212, the special rule governing consideration of 
H.R. 1731, does not reflect a request by Mr. Mulvaney of South Carolina 
to add Mr. Thompson of Mississippi as a cosponsor of his amendment, 
number 8 printed in part B of the report.
  The material previously referred to by Mr. Polis is as follows:

      An Amendment to H. Res. 212 Offered by Mr. Polis of Colorado

       At the end of the resolution, add the following new 
     sections:
       Sec. 4. Immediately upon adoption of this resolution the 
     Speaker shall, pursuant to clause 2(b) of rule XVIII, declare 
     the House resolved into the Committee of the Whole House on 
     the state of the Union for consideration of the bill (H.R. 
     1128) to amend title 38, United States Code, to make certain 
     improvements in the information security of the Department of 
     Veterans Affairs, and for other purposes. General debate 
     shall be confined to the bill and shall not exceed one hour 
     equally divided and controlled by the chair and ranking 
     minority member of the Committee on Veterans' Affairs. After 
     general debate the bill shall be considered for amendment 
     under the five-minute rule. All points of order against 
     provisions in the bill are waived. At the conclusion of 
     consideration of the bill for amendment the Committee shall 
     rise and report the bill to the House with such amendments as 
     may have been adopted. The previous question shall be 
     considered as ordered on the bill and amendments thereto to 
     final passage without intervening motion except one motion to 
     recommit with or without instructions. If the Committee of 
     the Whole rises and reports that it has come to no resolution 
     on the bill, then on the next legislative day the House 
     shall, immediately after the third daily order of business 
     under clause 1 of rule XIV, resolve into the Committee of the 
     Whole for further consideration of the bill.
       Sec. 5. Clause 1(c) of rule XIX shall not apply to the 
     consideration of H.R. 1128.
                                  ____


        The Vote on the Previous Question: What It Really Means

       This vote, the vote on whether to order the previous 
     question on a special rule, is not merely a procedural vote. 
     A vote against ordering the previous question is a vote 
     against the Republican majority agenda and a vote to allow 
     the Democratic minority to offer an alternative plan. It is a 
     vote about what the House should be debating.
       Mr. Clarence Cannon's Precedents of the House of 
     Representatives (VI, 308-311), describes the vote on the 
     previous question on the rule as ``a motion to direct or 
     control the consideration of the subject before the House 
     being made by the Member in charge.'' To defeat the previous 
     question is to give the opposition a chance to decide the 
     subject before the House. Cannon cites the Speaker's ruling 
     of January 13, 1920, to the effect that ``the refusal of the 
     House to sustain the demand for the previous question passes 
     the control of the resolution to the opposition'' in order to 
     offer an amendment. On March 15, 1909, a member of the 
     majority party offered a rule resolution. The House defeated 
     the previous question and a member of the opposition rose to 
     a parliamentary inquiry, asking who was entitled to 
     recognition. Speaker Joseph G. Cannon (R-Illinois) said: 
     ``The previous question having been refused, the gentleman 
     from New York, Mr. Fitzgerald, who had asked the gentleman to 
     yield to him for an amendment, is entitled to the first 
     recognition.''
       The Republican majority may say ``the vote on the previous 
     question is simply a vote on whether to proceed to an 
     immediate vote on adopting the resolution . . . [and] has no 
     substantive legislative or policy implications whatsoever.'' 
     But that is not what they have always said. Listen to the 
     Republican Leadership Manual on the Legislative Process in 
     the United States House of Representatives, (6th edition, 
     page 135). Here's how the Republicans describe the previous 
     question vote in their own manual: ``Although it is generally 
     not possible to amend the rule because the majority Member 
     controlling the time will not yield for the purpose of 
     offering an amendment, the same result may be achieved by 
     voting down the previous question on the rule. . . . When the 
     motion for the previous question is defeated, control of the 
     time passes to the Member who led the opposition to ordering 
     the previous question. That Member, because he then controls 
     the time, may offer an amendment to the rule, or yield for 
     the purpose of amendment.''
       In Deschler's Procedure in the U.S. House of 
     Representatives, the subchapter titled ``Amending Special 
     Rules'' states: ``a refusal to order the previous question on 
     such a rule [a special rule reported from the Committee on 
     Rules] opens the resolution to amendment and further 
     debate.'' (Chapter 21, section 21.2) Section 21.3 continues: 
     ``Upon rejection of the motion for the previous question on a 
     resolution reported from the Committee on Rules, control 
     shifts to the Member leading the opposition to the previous 
     question, who may offer a proper amendment or motion and who 
     controls the time for debate thereon.''
       Clearly, the vote on the previous question on a rule does 
     have substantive policy implications. It is one of the only 
     available tools for those who oppose the Republican 
     majority's agenda and allows those with alternative views the 
     opportunity to offer an alternative plan.

  Mr. COLLINS of Georgia. Mr. Speaker, I yield back the balance of my 
time, and I move the previous question on the resolution.
  The SPEAKER pro tempore (Mr. Marchant). The question is on ordering 
the previous question.
  The question was taken; and the Speaker pro tempore announced that 
the ayes appeared to have it.
  Mr. POLIS. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 9 of rule XX, the Chair 
will reduce to 5 minutes the minimum time for any electronic vote on 
the question of adoption of the resolution.
  The vote was taken by electronic device, and there were--yeas 237, 
nays 179, not voting 15, as follows:

                             [Roll No. 163]

                               YEAS--237

     Abraham
     Aderholt
     Allen
     Amash
     Amodei
     Babin
     Barletta
     Barr
     Barton
     Benishek
     Bilirakis
     Bishop (MI)
     Bishop (UT)
     Black
     Blackburn
     Blum
     Bost
     Boustany
     Brat
     Bridenstine
     Brooks (AL)
     Brooks (IN)
     Buchanan
     Buck
     Bucshon
     Burgess
     Byrne
     Calvert
     Carter (GA)
     Carter (TX)
     Chabot
     Chaffetz
     Clawson (FL)
     Coffman
     Cole
     Collins (GA)
     Collins (NY)
     Comstock
     Conaway
     Cook
     Costello (PA)
     Cramer
     Crawford
     Crenshaw
     Culberson
     Davis, Rodney
     Denham
     Dent
     DeSantis
     Diaz-Balart
     Dold
     Duffy
     Duncan (SC)
     Duncan (TN)

[[Page H2377]]


     Ellmers (NC)
     Emmer (MN)
     Farenthold
     Fincher
     Fitzpatrick
     Fleischmann
     Fleming
     Flores
     Forbes
     Fortenberry
     Foxx
     Franks (AZ)
     Frelinghuysen
     Garrett
     Gibbs
     Gibson
     Gohmert
     Goodlatte
     Gosar
     Gowdy
     Granger
     Graves (GA)
     Graves (LA)
     Griffith
     Grothman
     Guinta
     Guthrie
     Hanna
     Hardy
     Harper
     Harris
     Hartzler
     Heck (NV)
     Hensarling
     Herrera Beutler
     Hice, Jody B.
     Hill
     Holding
     Hudson
     Huelskamp
     Huizenga (MI)
     Hultgren
     Hunter
     Hurd (TX)
     Hurt (VA)
     Issa
     Jenkins (KS)
     Jenkins (WV)
     Johnson (OH)
     Johnson, Sam
     Jolly
     Jones
     Jordan
     Joyce
     Katko
     Kelly (PA)
     King (IA)
     King (NY)
     Kinzinger (IL)
     Kline
     Knight
     Labrador
     LaMalfa
     Lamborn
     Lance
     Latta
     LoBiondo
     Long
     Loudermilk
     Love
     Lucas
     Luetkemeyer
     Lummis
     MacArthur
     Marchant
     Marino
     Massie
     McCarthy
     McCaul
     McClintock
     McHenry
     McKinley
     McMorris Rodgers
     McSally
     Meadows
     Meehan
     Messer
     Mica
     Miller (FL)
     Miller (MI)
     Moolenaar
     Mooney (WV)
     Mullin
     Mulvaney
     Murphy (PA)
     Neugebauer
     Newhouse
     Noem
     Nugent
     Nunes
     Palazzo
     Palmer
     Paulsen
     Pearce
     Perry
     Pittenger
     Pitts
     Poliquin
     Pompeo
     Posey
     Price, Tom
     Ratcliffe
     Reed
     Reichert
     Renacci
     Ribble
     Rice (SC)
     Rigell
     Roby
     Roe (TN)
     Rogers (AL)
     Rogers (KY)
     Rohrabacher
     Rokita
     Rooney (FL)
     Ros-Lehtinen
     Roskam
     Ross
     Rothfus
     Rouzer
     Royce
     Russell
     Ryan (WI)
     Salmon
     Sanford
     Scalise
     Schweikert
     Scott, Austin
     Sensenbrenner
     Sessions
     Shimkus
     Shuster
     Simpson
     Smith (MO)
     Smith (NE)
     Smith (NJ)
     Smith (TX)
     Stefanik
     Stewart
     Stivers
     Stutzman
     Thompson (PA)
     Thornberry
     Tiberi
     Tipton
     Trott
     Turner
     Upton
     Valadao
     Wagner
     Walberg
     Walden
     Walker
     Walorski
     Walters, Mimi
     Weber (TX)
     Webster (FL)
     Wenstrup
     Westerman
     Westmoreland
     Whitfield
     Williams
     Wilson (SC)
     Wittman
     Womack
     Woodall
     Yoder
     Yoho
     Young (AK)
     Young (IA)
     Young (IN)
     Zeldin
     Zinke

                               NAYS--179

     Adams
     Aguilar
     Ashford
     Bass
     Beatty
     Becerra
     Bera
     Beyer
     Bishop (GA)
     Blumenauer
     Bonamici
     Boyle, Brendan F.
     Brady (PA)
     Brown (FL)
     Brownley (CA)
     Bustos
     Butterfield
     Capps
     Capuano
     Caardenas
     Carney
     Carson (IN)
     Cartwright
     Castor (FL)
     Castro (TX)
     Chu, Judy
     Cicilline
     Clark (MA)
     Clarke (NY)
     Clay
     Cleaver
     Clyburn
     Cohen
     Connolly
     Conyers
     Cooper
     Courtney
     Crowley
     Cuellar
     Cummings
     Davis (CA)
     Davis, Danny
     DeFazio
     DeGette
     Delaney
     DeLauro
     DelBene
     DeSaulnier
     Dingell
     Doggett
     Doyle, Michael F.
     Duckworth
     Edwards
     Ellison
     Engel
     Eshoo
     Esty
     Farr
     Fattah
     Foster
     Frankel (FL)
     Fudge
     Gabbard
     Gallego
     Garamendi
     Graham
     Grayson
     Green, Al
     Green, Gene
     Grijalva
     Gutieerrez
     Hahn
     Heck (WA)
     Higgins
     Himes
     Hinojosa
     Honda
     Hoyer
     Huffman
     Israel
     Jackson Lee
     Jeffries
     Johnson (GA)
     Johnson, E. B.
     Kaptur
     Keating
     Kelly (IL)
     Kennedy
     Kildee
     Kilmer
     Kind
     Kirkpatrick
     Kuster
     Langevin
     Larsen (WA)
     Larson (CT)
     Lawrence
     Lee
     Levin
     Lewis
     Lieu, Ted
     Lipinski
     Loebsack
     Lofgren
     Lowenthal
     Lowey
     Lujan Grisham (NM)
     Lujaan, Ben Ray (NM)
     Lynch
     Maloney, Carolyn
     Maloney, Sean
     Matsui
     McCollum
     McDermott
     McGovern
     McNerney
     Meeks
     Meng
     Moore
     Moulton
     Nadler
     Napolitano
     Nolan
     Norcross
     O'Rourke
     Pallone
     Pascrell
     Pelosi
     Perlmutter
     Peters
     Peterson
     Pingree
     Pocan
     Polis
     Price (NC)
     Quigley
     Rangel
     Rice (NY)
     Richmond
     Roybal-Allard
     Ruiz
     Ruppersberger
     Rush
     Ryan (OH)
     Saanchez, Linda T.
     Sanchez, Loretta
     Sarbanes
     Schakowsky
     Schiff
     Scott (VA)
     Scott, David
     Serrano
     Sewell (AL)
     Sherman
     Sinema
     Sires
     Slaughter
     Speier
     Swalwell (CA)
     Takai
     Takano
     Thompson (CA)
     Thompson (MS)
     Titus
     Tonko
     Torres
     Tsongas
     Van Hollen
     Vargas
     Veasey
     Vela
     Velaazquez
     Visclosky
     Walz
     Waters, Maxine
     Watson Coleman
     Welch
     Wilson (FL)
     Yarmuth

                             NOT VOTING--15

     Brady (TX)
     Costa
     Curbelo (FL)
     DesJarlais
     Deutch
     Graves (MO)
     Hastings
     Murphy (FL)
     Neal
     Olson
     Payne
     Poe (TX)
     Schrader
     Smith (WA)
     Wasserman Schultz

                              {time}  1349

  Messrs. CLEAVER and GENE GREEN of Texas changed their vote from 
``yea'' to ``nay.''
  Messrs. NEUGEBAUER, HUDSON, and STIVERS changed their vote from 
``nay'' to ``yea.''
  So the previous question was ordered.
  The result of the vote was announced as above recorded.
  Stated against:
  Mr. DEUTCH. Mr. Speaker, on rollcall No. 163, had I been present, I 
would have voted ``no.''
  The SPEAKER pro tempore. The question is on the resolution.
  The question was taken; and the Speaker pro tempore announced that 
the ayes appeared to have it.


                             Recorded Vote

  Mr. POLIS. Mr. Speaker, I demand a recorded vote.
  A recorded vote was ordered.
  The vote was taken by electronic device, and there were--ayes 238, 
noes 182, not voting 11, as follows:

                             [Roll No. 164]

                               AYES--238

     Abraham
     Aderholt
     Allen
     Amodei
     Ashford
     Babin
     Barletta
     Barr
     Barton
     Benishek
     Bilirakis
     Bishop (MI)
     Bishop (UT)
     Black
     Blackburn
     Blum
     Bost
     Boustany
     Brat
     Bridenstine
     Brooks (AL)
     Brooks (IN)
     Buchanan
     Buck
     Bucshon
     Burgess
     Byrne
     Calvert
     Carter (GA)
     Carter (TX)
     Chabot
     Chaffetz
     Clawson (FL)
     Coffman
     Cole
     Collins (GA)
     Collins (NY)
     Comstock
     Conaway
     Cook
     Costa
     Costello (PA)
     Cramer
     Crawford
     Crenshaw
     Culberson
     Davis, Rodney
     Denham
     Dent
     DeSantis
     Diaz-Balart
     Dold
     Duckworth
     Duffy
     Duncan (SC)
     Duncan (TN)
     Ellmers (NC)
     Emmer (MN)
     Farenthold
     Fincher
     Fitzpatrick
     Fleischmann
     Fleming
     Flores
     Forbes
     Fortenberry
     Foxx
     Franks (AZ)
     Frelinghuysen
     Garrett
     Gibbs
     Gibson
     Gohmert
     Goodlatte
     Gosar
     Gowdy
     Granger
     Graves (GA)
     Graves (LA)
     Griffith
     Grothman
     Guinta
     Guthrie
     Hanna
     Hardy
     Harper
     Harris
     Hartzler
     Heck (NV)
     Hensarling
     Herrera Beutler
     Hice, Jody B.
     Hill
     Holding
     Hudson
     Huizenga (MI)
     Hultgren
     Hunter
     Hurd (TX)
     Hurt (VA)
     Issa
     Jenkins (KS)
     Jenkins (WV)
     Johnson (OH)
     Johnson, Sam
     Jolly
     Jordan
     Joyce
     Katko
     Kelly (PA)
     King (IA)
     King (NY)
     Kinzinger (IL)
     Kline
     Knight
     Labrador
     LaMalfa
     Lamborn
     Lance
     Latta
     LoBiondo
     Long
     Loudermilk
     Love
     Lucas
     Luetkemeyer
     Lummis
     MacArthur
     Marchant
     Marino
     McCarthy
     McCaul
     McClintock
     McHenry
     McKinley
     McMorris Rodgers
     McSally
     Meadows
     Meehan
     Messer
     Mica
     Miller (FL)
     Miller (MI)
     Moolenaar
     Mooney (WV)
     Mullin
     Mulvaney
     Murphy (PA)
     Neugebauer
     Newhouse
     Noem
     Nugent
     Nunes
     Palazzo
     Palmer
     Paulsen
     Pearce
     Perry
     Pittenger
     Pitts
     Poe (TX)
     Poliquin
     Pompeo
     Posey
     Price, Tom
     Ratcliffe
     Reed
     Reichert
     Renacci
     Ribble
     Rice (SC)
     Rigell
     Roby
     Roe (TN)
     Rogers (AL)
     Rogers (KY)
     Rohrabacher
     Rokita
     Rooney (FL)
     Ros-Lehtinen
     Roskam
     Ross
     Rothfus
     Rouzer
     Royce
     Russell
     Ryan (WI)
     Salmon
     Sanford
     Scalise
     Schweikert
     Scott, Austin
     Sensenbrenner
     Sessions
     Shimkus
     Shuster
     Simpson
     Sinema
     Smith (MO)
     Smith (NE)
     Smith (NJ)
     Smith (TX)
     Stefanik
     Stewart
     Stivers
     Stutzman
     Thompson (PA)
     Thornberry
     Tiberi
     Tipton
     Trott
     Turner
     Upton
     Valadao
     Wagner
     Walberg
     Walden
     Walker
     Walorski
     Walters, Mimi
     Weber (TX)
     Webster (FL)
     Wenstrup
     Westerman
     Westmoreland
     Whitfield
     Williams
     Wilson (SC)
     Wittman
     Womack
     Woodall
     Yoder
     Yoho
     Young (AK)
     Young (IA)
     Young (IN)
     Zeldin
     Zinke

                               NOES--182

     Adams
     Aguilar
     Amash
     Bass
     Beatty
     Becerra
     Bera
     Beyer
     Bishop (GA)
     Blumenauer
     Bonamici
     Boyle, Brendan F.
     Brady (PA)
     Brown (FL)
     Brownley (CA)
     Bustos
     Butterfield
     Capps
     Capuano
     Caardenas
     Carney
     Carson (IN)
     Cartwright
     Castor (FL)
     Castro (TX)
     Chu, Judy
     Cicilline
     Clark (MA)
     Clarke (NY)
     Clay
     Cleaver
     Clyburn
     Cohen
     Connolly
     Conyers
     Cooper
     Courtney
     Crowley
     Cuellar
     Cummings
     Davis (CA)
     Davis, Danny
     DeFazio
     DeGette
     Delaney
     DeLauro
     DelBene
     DeSaulnier
     Deutch
     Dingell
     Doggett
     Doyle, Michael F.
     Edwards
     Ellison
     Engel
     Eshoo
     Esty
     Farr
     Fattah
     Foster
     Frankel (FL)
     Fudge
     Gabbard
     Gallego
     Garamendi
     Graham
     Grayson
     Green, Al
     Green, Gene
     Grijalva
     Gutieerrez
     Hahn
     Heck (WA)
     Higgins
     Himes
     Hinojosa
     Honda
     Hoyer
     Huelskamp
     Huffman
     Israel
     Jackson Lee
     Jeffries
     Johnson (GA)
     Johnson, E. B.
     Jones
     Kaptur
     Keating
     Kelly (IL)
     Kennedy
     Kildee
     Kilmer
     Kind
     Kirkpatrick
     Kuster
     Langevin
     Larsen (WA)
     Larson (CT)
     Lawrence
     Lee
     Levin
     Lewis
     Lieu, Ted
     Lipinski
     Loebsack
     Lofgren
     Lowenthal
     Lowey
     Lujan Grisham (NM)
     Lujaan, Ben Ray (NM)
     Lynch
     Maloney, Carolyn
     Maloney, Sean
     Massie
     Matsui
     McCollum
     McDermott
     McGovern
     McNerney
     Meeks
     Meng
     Moore
     Moulton
     Nadler

[[Page H2378]]


     Napolitano
     Nolan
     Norcross
     O'Rourke
     Pallone
     Pascrell
     Pelosi
     Perlmutter
     Peters
     Peterson
     Pingree
     Pocan
     Polis
     Price (NC)
     Quigley
     Rangel
     Rice (NY)
     Richmond
     Roybal-Allard
     Ruiz
     Ruppersberger
     Rush
     Ryan (OH)
     Saanchez, Linda T.
     Sanchez, Loretta
     Sarbanes
     Schakowsky
     Schiff
     Schrader
     Scott (VA)
     Scott, David
     Serrano
     Sewell (AL)
     Sherman
     Sires
     Slaughter
     Speier
     Swalwell (CA)
     Takai
     Takano
     Thompson (CA)
     Thompson (MS)
     Titus
     Tonko
     Torres
     Tsongas
     Van Hollen
     Vargas
     Veasey
     Vela
     Velaazquez
     Visclosky
     Walz
     Waters, Maxine
     Watson Coleman
     Welch
     Wilson (FL)
     Yarmuth

                             NOT VOTING--11

     Brady (TX)
     Curbelo (FL)
     DesJarlais
     Graves (MO)
     Hastings
     Murphy (FL)
     Neal
     Olson
     Payne
     Smith (WA)
     Wasserman Schultz

                              {time}  1356

  So the resolution was agreed to.
  The result of the vote was announced as above recorded.
  A motion to reconsider was laid on the table.

                          ____________________


[Congressional Record Volume 161, Number 59 (Wednesday, April 22, 2015)]
[House]
[Pages H2381-H2398]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                     PROTECTING CYBER NETWORKS ACT


                             General Leave

  Mr. NUNES. Mr. Speaker, I ask unanimous consent that all Members may 
have 5 legislative days in which to revise and extend their remarks and 
insert extraneous material on H.R. 1560, the Protecting Cyber Networks 
Act.
  The SPEAKER pro tempore (Mr. Rodney Davis of Illinois). Is there 
objection to the request of the gentleman from California?
  There was no objection.
  The SPEAKER pro tempore. Pursuant to House Resolution 212 and rule 
XVIII, the Chair declares the House in the Committee of the Whole House 
on the state of the Union for the consideration of the bill, H.R. 1560.
  The Chair appoints the gentleman from Texas (Mr. Marchant) to preside 
over the Committee of the Whole.

                              {time}  1436


                     In the Committee of the Whole

  Accordingly, the House resolved itself into the Committee of the 
Whole House on the state of the Union for the consideration of the bill 
(H.R. 1560) to improve cybersecurity in the United States through 
enhanced sharing of information about cybersecurity threats, and for 
other purposes, with Mr. Marchant in the chair.
  The Clerk read the title of the bill.
  The CHAIR. Pursuant to the rule, the bill is considered read the 
first time.
  The gentleman from California (Mr. Nunes) and the gentleman from 
California (Mr. Schiff) each will control 30 minutes.
  The Chair recognizes the gentleman from California (Mr. Nunes).
  Mr. NUNES. Mr. Chair, I yield myself such time as I may consume.
  Over the last several years, cyber attacks have become a pressing 
concern for the United States. Anthem, Home Depot, Sony, Target, 
JPMorgan Chase, and other companies have been subject to major attacks, 
resulting in the compromise of personal information of employees and 
customers alike.
  Cyber thieves, whether hostile foreign agents or money-seeking 
criminals, have stolen credit card numbers, accessed medical records, 
leaked proprietary information, and published confidential emails 
affecting tens of millions of Americans. This situation cannot 
continue.
  The House has passed cybersecurity information-sharing legislation 
with strong majorities in the past two Congresses. The gentleman from 
California, Ranking Member Schiff, and I have continued this bipartisan 
tradition, working closely together to draft a bill that will increase 
the security of our networks while protecting users' privacy.
  I see the gentleman from Maryland (Mr. Ruppersberger) is here. He 
sponsored this legislation last time, along with the gentleman from 
Michigan, Chairman Rogers, who is now retired, but I do want to give 
them a special thanks and gratitude.
  I hope that we can get this bill across the floor this year.
  We have also worked closely with leadership--the gentleman from 
Texas, Chairman McCaul; the gentleman from Virginia, Chairman 
Goodlatte--and the Senate Intelligence Committee to ensure that our 
bills complement each other.
  The Protecting Cyber Networks Act addresses a core problem in our 
digital security infrastructure. Because of legal ambiguities, many 
companies are afraid to share information about cyber threats with each 
other or with the government. If a company sees some threat or attack, 
this bill will allow the company to quickly report information about 
the problem without fearing a lawsuit so that other companies can take 
measures to protect themselves.
  The bill encourages three kinds of sharing: private-to-private, 
government-to-private, and private-to-government. In that third 
scenario, the bill allows companies to share cyber threat information 
with a variety of government agencies. If banks are comfortable sharing 
with the Treasury Department, they can share with Treasury. If 
utilities prefer sharing with the Department of Energy, they can share 
with Energy. If companies want to share with the Department of Homeland 
Security, the Justice Department, or the Commerce Department, they can 
share with them.
  The only sharing that this bill does not encourage is direct sharing 
to the Department of Defense or the National Security Agency. Companies 
can still share with DOD and NSA, but they will not receive any new 
liability protections.

[[Page H2382]]

  This bill does not provide the government with any new surveillance 
authorities. To the contrary, it includes robust privacy protections. 
It only authorizes the sharing of cyber threat indicators and defensive 
measures: technical information like malware signatures and malicious 
code.
  Before companies share with the Federal Government, they must remove 
all personal information. If companies don't follow those requirements, 
there is no liability protection. Furthermore, a government agency that 
receives the information must scrub it a second time. This will ensure 
all personal information has been removed. Only then can the 
information be forwarded to other Federal agencies.
  Finally, the bill provides for strong public and congressional 
oversight by requiring a detailed biennial inspectors general report 
relating to the government's receipt, use, and dissemination of cyber 
threat indicators. The Privacy and Civil Liberties Oversight Board must 
also submit a biennial report on the privacy and civil liberties impact 
of the bill.
  The increasing pace and scope of cyber attacks cannot be ignored. 
This bill will strengthen our digital defenses so that American 
consumers and businesses will not be put at the mercy of cyber 
criminals. I look forward to passing this legislation.
  I reserve the balance of my time.
  Mr. SCHIFF. Mr. Chairman, I yield myself such time as I may consume.
  I rise in support of H.R. 1560, the Protecting Cyber Networks Act. At 
some point, we need to stop just hearing about cyber attacks that steal 
our most valuable trade secrets and our most private information and 
actually do something to stop it. At some point, we need to stop 
talking about the next Sony, the next Anthem, the next Target, the next 
JPMorgan Chase, and the next State Department hack and actually pass a 
bill that will help ensure that there will be no next cyber attack.

  A few weeks back, the House Intelligence Committee held an open 
hearing on the cyber threat to America's private sector. We heard from 
our witnesses that their businesses are cyber attacked billions of 
times a day--not thousands, not millions, but billions.
  The threat to our economy, our jobs, and our privacy from not acting 
is massive, and it is certain. We see it happening all around us. So we 
must act now. That is why I am proud to support this bill.
  The Protecting Cyber Networks Act provides for voluntary information 
sharing of cyber threats between and among the private and public 
sectors. It does what no executive order can do: it incentivizes cyber 
threat information sharing by providing limited liability protection. 
Now companies can pool their resources and say to one another: I found 
this malicious code or this virus in my system; you need to protect 
yourself against it as well. And now the government can better warn 
companies of an impending cyber attack, just as it can for an 
approaching hurricane or an impending flu outbreak.
  But let me be very clear about this: to get the liability protection, 
a company that chooses to participate must remove any unrelated private 
information prior to sharing. This is something privacy advocates and I 
called for when previous information-sharing bills came before the 
House.
  Unlike prior bills, this measure requires the private sector to strip 
out private information. In fact, the bill has two, not one, privacy 
scrubs. The first happens when a company shares with another company or 
the Federal Government, and the second happens when the Federal 
Government shares the information further. This bill even holds the 
government directly liable if it doesn't do what it is required to do.
  Second, to get the liability protection, a private company wishing to 
share with the Federal Government must go through a civilian portal. To 
be clear: a company can't go directly to the DOD or NSA and get the 
bill's liability protection.
  The lack of a civilian portal in previous bills was another key 
privacy group criticism, and this bill has resolved that issue, too. In 
fact, of the five main criticisms of prior cyber bills, this bill has 
resolved each of them. It has private sector privacy stripping of 
information. It has a civilian portal. It also has narrow restrictions 
on what the government can use that shared cyber threat information 
for. Gone is a national security use provision. Gone is a vague 
terrorism use provision. And what is left is only the most narrow of 
uses: to prevent cyber attacks, to prevent the loss of life, to prevent 
serious harm to a child, and to prevent other serious felonies.

                              {time}  1445

  Gone, too, is any question of whether offensive countermeasures or 
hack back is authorized. This bill makes clear that you cannot take 
anything but defensive actions to protect your networks and data.
  And, lest anyone be confused, Mr. Chairman, this bill makes clear in 
black-and-white legislative text that nothing in the bill authorizes 
government surveillance in this act--nothing.
  What this bill does is authorize voluntary, private sector sharing of 
cyber threat information, and it allows the government to be able to 
quickly share threat information with the private sector, just as we 
need a CDC to put out timely warnings and advice on how to counteract 
this year's flu strain or how to prevent a local disease from becoming 
an epidemic. In addition, the bill requires strong privacy and civil 
liberties guidelines and intense reporting requirements.
  The bill before us today strikes the right balance between securing 
our networks and protecting our privacy, and addresses the privacy 
concerns that I, among others, raised last session. However, there are 
still some improvements that are yet to be made as the bill moves 
forward. In particular, we need to further clarify that our liability 
protection only extends to those who act, or fail to act, reasonably.
  Before closing, I want to thank Chairman Nunes for his leadership and 
for working so hard on this bill. It has been a great pleasure to work 
with you, Mr. Chairman. I am grateful for all of the hours, energy, and 
talent that you and your staff have put in to making this bill 
successful. I want to thank all the members of HPSCI as well as the 
Judiciary Committee and the Homeland Security Committee for working 
together on this. We had many differences in opinion, and we still have 
some, but we kept our eyes firmly on what is best for the American 
people as a whole. With that, we found ways to come together and 
produce a stronger bill.
  Mr. Chairman, I hope we can continue to work together as well with 
the Senate and with the White House and all the stakeholders to produce 
an even stronger bill for the President to sign into law.
  I also want to acknowledge the leadership of our predecessors, Dutch 
Ruppersberger and former HPSCI Chairman Mike Rogers. We have come this 
far in part because of the good work they did in the last couple of 
sessions. I also want to thank all those who came in to speak with us 
and provide their input in making this a better bill.
  Every day we delay more privacy is stolen, more jobs are lost, and 
more economic harm is done. Let's stop sitting by and watching all of 
this happen. Let's do something. Let's do what this administration has 
urged us to do and pass this bill. Let's do it now. I reserve the 
balance of my time.
  Mr. NUNES. Madam Chair, at this time I would like to yield 3 minutes 
to the gentleman from Georgia (Mr. Westmoreland), who also is the 
chairman of the Subcommittee on NSA and Cybersecurity for the House 
Intelligence Committee.
  Mr. WESTMORELAND. Thank you, Chairman Nunes.
  Madam Chairman, today I rise in support of H.R. 1560, the Protecting 
Cyber Networks Act. The bill encourages and protects information 
sharing on cyber threats between private companies and the government 
and private companies. The bill safeguards personally identifiable 
information from being exchanged during the process by requiring 
private companies and the government to both make sure that no private 
information is exchanged.
  My home State of Georgia is home to many companies that deal with and 
secure sensitive data on a daily basis, and they are constantly looking 
for better ways to protect their networks.
  After recent cyber attacks against American businesses, I have spoken 
to industry leaders from Georgia and

[[Page H2383]]

across the Nation about how we can make information sharing between the 
industries and the government stronger to better protect our Nation.
  Cyberterrorism is the new battlefield, and adapting to this warfare 
is crucial to eliminating these threats. By allowing American 
businesses to alert other companies and the government of specific 
threats, and only the threats, the Protecting Cyber Networks Act can 
help shut down the cybercriminals from stealing sensitive information 
or causing devastating damage to our networks.
  The Protecting Cyber Networks Act is a bipartisan step forward in 
protecting businesses and citizens from being the next victim of a 
cyber attack. This bill helps devastating cyber attacks from going 
unnoticed or only being shared months after the attack.
  Madam Chairman, I would like to thank Chairman Nunes; Ranking Member 
Schiff; the ranking member on the subcommittee, Mr. Himes; and Mr. 
Ruppersberger for all the work that he has put into this, as well as 
former Chairman Rogers. I ask for a ``yea'' vote on this.
  Mr. SCHIFF. Madam Chair, it is a pleasure to yield 2 minutes to the 
gentleman from Maryland (Mr. Ruppersberger), the former ranking member 
of the Intelligence Committee.
  Mr. RUPPERSBERGER. Madam Chairman, I rise in support of the 
bipartisan Protecting Cyber Networks Act and want to thank the members 
of the House Intelligence Committee for continuing to prioritize our 
Nation's security over partisan rhetoric. I do want to say this: I want 
to thank Chairman Nunes and also Ranking Member Schiff for 
acknowledging Chairman Rogers and me, but I want to remind you that it 
was a team approach, and you two were very active in helping to bring 
this bill here today as we did before. So thank you for your 
leadership. It is well worth it, and it is refreshing to see this 
bipartisanship.
  Mr. NUNES. Will the gentleman yield?
  Mr. RUPPERSBERGER. I yield to the gentleman from California.
  Mr. NUNES. I thank the gentleman for yielding. I thanked you in my 
opening statement, Mr. Ruppersberger, but without your leadership and 
former Chairman Rogers' leadership on this bill, we would not be here 
today. I am encouraged not only by your past support, but then your 
taking the time to come down here to speak on this bill I think says a 
lot about you and your commitment to our national security and the 
security of our cyber networks. So thank you.
  Mr. RUPPERSBERGER. Thank you, again, and thank you for your 
leadership. Now, this legislation is very similar to the bill that 
Chairman Rogers and I introduced to promote information sharing between 
the private and public sectors, which is the single most important 
thing we can do to combat increasingly aggressive cyber attacks.
  Experts believe these attacks are costing American corporations 
billions of dollars each year. Target, Home Depot, and CareFirst are 
only the beginning. With Sony, we saw the first destructive attack in 
our country. It is only a matter of time before our critical 
infrastructure is targeted. What would happen if someone were to take 
out our electrical grid or 911 call centers or air traffic control? It 
goes on and on.
  Voluntary information sharing among companies helps our companies 
defend themselves. Voluntary, two-way information sharing with the 
Federal Government helps improve our ability to protect America against 
foreign cyber threats by getting out more and better information 
faster.

  There are some concerns I have, as anyone has in any bill, between 
the bill and the bill Chairman Rogers and I introduced which passed the 
House.
  The Acting CHAIR (Ms. Foxx). The time of the gentleman has expired.
  Mr. SCHIFF. I yield the gentleman an additional 30 seconds.
  Mr. RUPPERSBERGER. However, I feel it is important to reach consensus 
and move this issue forward now. Our country continues to be cyber 
attacked. We are under attack as I speak. To do nothing is not an 
option.
  I want to thank again the leadership of Chairman Nunes and Ranking 
Member Schiff for their leadership and for the entire committee coming 
together for this bill, and I ask my colleagues to support it.
  Mr. NUNES. Madam Chair, at this time I yield 5 minutes to the 
gentleman from Texas (Mr. McCaul), the chairman of the Homeland 
Security Committee, who, without his strong leadership and support, we 
wouldn't be at this juncture today getting a bill passed today and 
tomorrow that will hopefully become law.
  Mr. McCAUL. Madam Chair, I rise today in strong support of H.R. 1560, 
the Protecting Cyber Networks Act. I would like to first thank Chairman 
Nunes for his great leadership and collaboration with my committee and 
Judiciary on this bill, and also the ranking member, Adam Schiff, a 
good friend as well, for his great work in the direction that this bill 
has gone. I think it has gone in the right direction. Also I know 
former Ranking Member Dutch Ruppersberger was here. I want to thank him 
for his leadership over the many years on this important issue of 
cybersecurity.
  Madam Chair, this legislation comes at a critical time of rising 
cyber threats and attacks on our digital networks. Cyber breaches and 
attacks are affecting Americans' privacy, security, and prosperity. 
Individuals are having their most private information compromised. 
Businesses are seeing their intellectual property stolen and their 
networks damaged.
  The Federal Government's sensitive information is being targeted. The 
country's critical infrastructure is being probed by foreign enemies.
  Detecting and defending against these digital assaults requires 
timely and robust information sharing between the public and private 
sectors. This exchange of data is crucial to connecting the dots, 
identifying cyber attacks, and shutting them down.
  The Protecting Cyber Networks Act will enable private companies to 
share cyber threat information on a voluntary basis with the Federal 
Government. This bill provides essential liability protection for 
sharing cyber threat indicators through trusted civilian agency 
portals.
  Again, Madam Chair, I commend Chairman Nunes for his important work 
on this bill and thank him for his great partnership in working 
together to have these two complementary bills, as tomorrow I will 
bring to the floor a pro-security, pro-privacy bill, the National 
Cybersecurity Protection Advancement Act of 2015, which further 
reinforces the role of the Department of Homeland Security's National 
Cybersecurity and Communications Integration Center as the hub for 
cyber threat information sharing.
  Chairman Nunes and I have worked in lockstep to remove obstacles 
preventing greater cyber threat information sharing across the private 
and public sectors. I commend the staff on both sides of the aisle, who 
have operated in tandem as we crafted these cybersecurity bills. I 
would also like to acknowledge Chairman Goodlatte for devising the 
House's standard liability exemption language for this week's 
cybersecurity bill.
  These bills represent a unified front in the House for strengthening 
cybersecurity while ensuring Americans' privacy, and I urge my 
colleagues to support this measure.
  Mr. SCHIFF. Madam Chair, it gives me great pleasure to yield 3 
minutes to Mr. Himes, one of our subcommittee ranking members on the 
Intelligence Committee and the Representative from Connecticut.
  Mr. HIMES. Madam Chairwoman, I would like to thank my friend from 
California for yielding time and start by saying that I am thrilled to 
be standing here to urge support for the Protecting Cyber Networks Act. 
I would like to thank and congratulate Chairman Nunes, Ranking Member 
Schiff, and the chairman of the subcommittee on which I serve as 
ranking member, Mr. Westmoreland, for coming together at a time when 
this Congress is accused, often rightly so, of being dysfunctional to 
take a very substantial step to secure the networks on which so much of 
our lives today depend.
  As ranking member of the Cybersecurity Subcommittee, my daily travels 
every single day expose me to people who say the single most important 
thing we as a Congress can do today to advance the security of our 
networks, to protect Americans, their financial records, their health 
records and, of course, even more ominously, to protect them against 
potential attack

[[Page H2384]]

against our utilities and any sort of thing that our antagonists around 
the world would seek to do to us, the single most important thing we 
can do is to do what we are doing today, which is to set up a rubric 
whereby the very good people within the private sector who focus on 
this day in and day out can communicate threats to each other and 
communicate with the experts within the United States Government to 
work as a team to counter very, very serious threats. This rubric has 
been set up with ample attention and good attention to the very 
legitimate privacy claims and the liberties that we all take so 
seriously.
  The stakes are high. We saw what happened at Sony. We saw what 
happened at Anthem. We know all the attacks that have been leveled 
internationally that destroyed computers. This is the reality that we 
live with, and this is a very big step, an information-sharing protocol 
that will counter those who wish us ill.
  I would note that the privacy protections in this bill are 
considerably better, as the chairman and ranking member have pointed 
out, than those that were in the bill of the last Congress. The 
objections of those who are focused on privacy have been dealt with 
point by point. And while I won't say that the bill is perfect, this 
bill does what it needs to do to protect the privacy of the American 
people by obligating everyone to work hard to scrub personally 
identifiable information from any code, any information that is 
exchanged.
  I have learned in my 6 years here that we don't produce perfection, 
and it is my hope that as this bill proceeds through the legislative 
path that we will work even harder to make sure we are very clear about 
definitions and, in fact, are protecting the privacy rights of 
Americans as best as we can. But in the meantime we have taken a very 
big step forward in a bipartisan fashion in a way that will make 
America, its people, and its networks more secure. For that, I am 
grateful to the leadership and urge support of the Protecting Cyber 
Networks Act.
  Mr. NUNES. Madam Chair, I continue to reserve the balance of my time.
  Mr. SCHIFF. Madam Chairman, I yield 3 minutes to the gentleman from 
California (Mr. Swalwell), another of our ranking members on the 
Intelligence Committee and a colleague from California.

                              {time}  1500

  Mr. SWALWELL of California. Madam Chair, I want to thank our ranking 
member and also the chair for bringing forward this bipartisan and 
necessary legislation.
  As we speak right now, Americans are under attack, and these attacks 
are not coming in the form of anything that we have been used to 
before. People are not kicking down front doors of homes and 
businesses; instead, they are attacking us through our networks. Our 
bank accounts, our health care records, our social media accounts, our 
cell phones, all are being hacked every day.
  CNN reported that, in 2014, half of the Nation's adults were hacked. 
The examples are voluminous: 70 million Target customers were hacked; 
56 million Home Depot customers were hacked; 4.6 million Snapchat users 
were hacked. This is Snapchat, which is supposed to be an impenetrable 
account that allows data to come in and disappear. They were hacked. 
Hackings are happening every day. Our privacy is under attack.
  The problem, today, there is virtually zero relationship between 
private industry and government--private industry, which has about 85 
percent of the networks, and government, which has about 15 percent of 
the networks but has vast resources that can help protect individuals 
against attacks.
  Our government has a duty, a responsibility, to protect the American 
people, and that is what this bill seeks to do. It does it in a number 
of ways.
  First and foremost, this is a voluntary program that is being 
created. No business is required to turn over their breach or hack 
information to the government; instead, there is a format, a procedure, 
that is now in place that will incentivize them to work with the 
government to identify in a way that strips out, through a number of 
protections, personal identifying information.
  The first way that it is stripped out is, when the business that has 
been hacked reports to a civilian agency, they must scrub the personal 
identifying information; but that is not the only way that that 
information is scrubbed.
  Once the government agency receives this personal identifying 
information, again, before it can be used or forwarded anywhere else in 
the government, it, again, must be scrubbed--two protections against 
personal identifying information being used.
  Now, should any personal identifying information be passed along to 
the government, this bill provides a right of action, civil recourse 
for any individual who is wronged to sue the government. There is also 
an oversight committee, a biannual inspector general report that must 
be presented to Congress that would report on any privacy violations 
that occur.
  Madam Chair, the American people, day after day, are either learning 
that they have been hacked or someone they know has been hacked. This 
will continue to have a devastating effect on our economy and, as my 
colleague from Connecticut alluded to, perhaps our public utilities if 
we do not act.
  I urge support of this for my colleagues, and I thank the chairman 
and the ranking member for the hard work they have done.
  Mr. NUNES. Madam Chair, I continue to reserve the balance of my time.
  Mr. SCHIFF. Madam Chair, I yield 3 minutes to the gentlewoman from 
Alabama (Ms. Sewell), another one of the ranking members on the 
Intelligence Committee and a great Member.
  Ms. SEWELL of Alabama. Madam Chair, I would like to thank Ranking 
Member Adam Schiff, as well as our chair, Chairman Nunes, for your 
leadership on this matter.
  Today, I rise in support of H.R. 1560, the Protecting Cyber Networks 
Act, a bill that I am proud to be an original cosponsor, a bill that 
was unanimously voted out of our committee, the Intel Committee.
  Again, I want to commend both the chairman and the ranking member for 
their leadership. It is an honor to serve on that committee where we 
really try, on a daily basis, to be bipartisan in our efforts to 
protect the homeland and to secure our national security.
  This critical bill is bipartisan legislation, which encourages the 
private sector to share cyber threat information, which will ultimately 
help prevent future attacks. It seems like we are always hearing about 
another company being hit with cyber attacks.
  These attacks cost our economy billions of dollars each year, and it 
threatens our national security and jeopardizes every American's 
sensitive, personal, and financial information.
  This bill takes a very important step towards addressing this 
emerging national security threat without compromising the privacy of 
American citizens.
  Fostering an environment where companies can voluntarily share 
information with each other helps American businesses defend themselves 
against harmful cyber attacks and helps them protect consumer 
information and privacy.
  Additionally, two-way information sharing with the Federal Government 
helps improve the Federal Government's ability to protect all Americans 
against foreign cyber threats by disseminating vital information in a 
more timely and efficient manner.
  I know some continue to criticize this cyber bill and all cyber bills 
as violating privacy, but I must assure you, Madam Chair, that this 
bill is a vast improvement over the CISPA bill that was entered and 
passed this House last term.
  This bill includes many more privacy protections that weren't in the 
original bill, the most important of which is the requirement for two 
scrubs of private information, one by the private sector before sharing 
that information and one by the government before sharing it further.
  There is also now a civilian portal--no direct sharing with NSA--a 
very narrow set of government use provisions, and a clear and 
legislative prohibition against such surveillance. Let me repeat: no 
provision of this bill provides any surveillance authorities.
  I am encouraged by the strong showing of bipartisanship as we work 
together to address the emerging threats

[[Page H2385]]

to our national security. I urge my colleagues to join those of us who 
are members of the Intel Committee, as well as this administration has 
said that it also encourages a vote in support of this bill.
  I urge my colleagues to support the efforts and vote ``yes'' on H.R. 
1560.
  Mr. NUNES. Madam Chair, at this time, I yield 2 minutes to the 
gentleman from Michigan (Mr. Trott).
  Mr. TROTT. Madam Chair, I want to thank the gentleman from California 
for allowing me to speak in support of this bill.
  Today, I rise concerned about the need for stronger cybersecurity 
efforts in our country. We live in a world where personal data flows 
through the Internet with great speed and data about people is gathered 
in an instant. The use of social media has opened up our lives to 
anyone with a computing device, and this is the same world where 
hackers steal millions of personal records from people in our 
districts.
  I would venture to guess that most Members of Congress have been 
affected by hackers. Internet criminals pose dire threats to our 
governments on the local, State, and Federal level. The Federal 
Government has extensive resources to put up a fight, but our local 
governments and municipalities do not.

  In response, five southeast Michigan counties--Livingston, Monroe, 
Oakland, Washtenaw, and Wayne--and the State of Michigan came together 
to build the Cyber Security Assessment for Everyone. CySAFE, as it is 
known, provides a strong point for governments to begin assessing their 
cybersecurity needs and taking steps to respond to attacks. The 
assessment is a simple Excel download located at www.g2gmarket.com.
  Madam Chair, I commend these local Michigan governments for 
committing the resources to develop such a tool. I encourage all of my 
colleagues to promote the use of CySAFE and to work together to find 
the right solutions to fight cyber crime, starting with passing H.R. 
1560.
  Mr. SCHIFF. Madam Chair, I am pleased to yield 2 minutes to the 
gentleman from Rhode Island (Mr. Langevin), who is a former member of 
the Intelligence Committee and one of the Congress' leading experts on 
cyber matters.
  Mr. LANGEVIN. Madam Chair, I thank the gentleman for yielding.
  Madam Chair, this has been a long time in coming. When I served on 
the Intelligence Committee the past two Congresses, I worked very 
closely with Chairman Rogers and Ranking Member Ruppersberger on CISPA, 
and their legacy is very evident in this fine bill.
  I would, however, like to commend Chairman Nunes and Ranking Member 
Schiff for rising to the challenge as the new leaders of the House 
Permanent Select Committee on Intelligence and producing an even better 
product, particularly with regard to privacy protections.
  PCNA, as it is known, also provides statutory authorization for the 
CTIIC, an important new center the President has created to provide 
comprehensive assessments of cyber threats.
  This bill before us certainly isn't perfect. The liability 
protections, while generally narrow, could still be construed to 
project a company's failure to act on threat indicators. It is 
important that my friends in this Chamber understand that information 
sharing is not a silver bullet.
  There will still be important work to be done to improve our Nation's 
cyber defenses, but I can say, with great confidence, passing an 
information-sharing bill will get us significantly closer to being much 
more secure in cyberspace than where we are right now, particularly 
when it comes to protecting critical infrastructure.
  However, after studying this issue for the better part of a decade, I 
can firmly say that this bill marks a meaningful step forward.
  Let me, again, congratulate the chairman and the ranking member for 
continuing with this bipartisan spirit that has long animated the 
Intelligence Committee's cybersecurity work.
  I urge my colleagues to support the bill.
  Mr. NUNES. Madam Chair, I reserve the balance of my time.
  Mr. SCHIFF. Madam Chair, I yield myself such time as I may consume.
  Every moment we wait equals another Social Security number stolen, 
another checking account hacked, another invaluable trade secret 
pilfered, and another job lost. This is certain. We see it every day.
  Many of us and our constituents, both individuals and businesses, 
have been the victim of a cyber crime. Whether it is identity theft, 
the hacking of our email or Facebook accounts, or the loss of our 
privacy, when our health insurance company is breached, we have our 
privacy invaded.
  All of us are certainly paying higher fees to compensate for the 
billions of dollars our businesses lose to cyber hacking and to the 
costs of preventing future cyber attacks. The problem is only getting 
worse. As our cars, our phones, our home security systems, our Internet 
banking, our electronic health records, our web-based baby monitors all 
get smarter, they also get more vulnerable.
  This isn't speculation. This is happening today. It is happening 
right now. On the time that we have been on the floor discussing this 
cyber bill, billions of additional hacking attempts have been made.
  Here, we have the opportunity to help stop this scourge of cyber 
hacking. We need to encourage cyber threat information sharing by 
passing the Protecting Cyber Networks Act today and then not resting 
until it improves on its way to the President's desk for signature.
  I urge my colleagues to vote for this important measure. It is a bill 
that will help protect America's most valuable and private information, 
while itself protecting privacy and civil liberties to a degree far in 
advance of where prior legislation has gone. I and my colleagues have 
made sure of that, and we will continue to do so as the bill advances.
  Madam Chair, I yield back the balance of my time.
  Mr. NUNES. Madam Chair, I yield myself such time as I may consume.
  I will close by just taking a few moments to thank my ranking member 
and colleague from California (Mr. Schiff) for his fine work on this 
product.
  I also would be remiss not to thank, on both sides of the aisle, the 
staff that have worked hours and hours and hours to make the 
legislation from last Congress even better and then, as Mr. McCaul 
said, to work with the Judiciary Committee and the Homeland Security 
Committee so that we have a product that I think is much better than 
the product that we have had in the past.
  We have been in consultations with the United States Senate. They 
have passed their bill out of committee. We look forward to, hopefully, 
their passing a bill off the Senate floor so that we can get to a 
conference.
  Madam Chair, I yield back the balance of my time.
  Mr. VAN HOLLEN. Madam Chair, I rise today to oppose to H.R. 1560, the 
Protecting Cyber Network Act (PCNA). While I commend Chairman Nunes and 
Ranking Member Schiff for crafting a bill that improves upon the 
cybersecurity legislation this body has previously voted on, I cannot 
support it in its current form.
  Despite addressing many of the reservations I had when we voted on 
the Cyber Intelligence Sharing and Protection Act (CISPA) last 
Congress, I have concerns about the ambiguous liability provisions in 
this legislation. While companies should have some legal protection, 
this bill gives liability protections to companies so long as they 
share or receive information ``in accordance with the Act.'' It would 
grant immunity to companies for simply putting forth a ``good faith'' 
effort when reporting security threats and sharing consumer data with 
the government and other companies. For example, companies would 
receive liability protection even if they fail to act on threat 
information in a timely manner. The unintended effect of these murky 
liability provisions is that companies would not have the same 
incentive to report security threats and protect their consumers' 
privacy. I was disappointed that Republicans did not allow a vote on 
two amendments offered by Rep. Richmond than would have addressed these 
overbroad liability provisions.
  Our country faces cyber-network attacks each day which threaten our 
national security and our economy. I strongly believe that we must take 
steps to protect against these cyber threats while not sacrificing our 
privacy and civil liberties. Should this bill pass the House,

[[Page H2386]]

I hope that many of the loopholes can be resolved with the Senate, but 
as it stands today I cannot support it.
  The Acting CHAIR. All time for general debate has expired.
  Pursuant to the rule, the bill shall be considered for amendment 
under the 5-minute rule.
  It shall be in order to consider as an original bill for the purpose 
of amendment under the 5-minute rule an amendment in the nature of a 
substitute recommended by the Permanent Select Committee on 
Intelligence printed in the bill. The committee amendment in the nature 
of a substitute shall be considered as read.
  The text of the committee amendment in the nature of a substitute is 
as follows:

                               H.R. 1560

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Protecting 
     Cyber Networks Act''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Sharing of cyber threat indicators and defensive measures by 
              the Federal Government with non-Federal entities.
Sec. 3. Authorizations for preventing, detecting, analyzing, and 
              mitigating cybersecurity threats.
Sec. 4. Sharing of cyber threat indicators and defensive measures with 
              appropriate Federal entities other than the Department of 
              Defense or the National Security Agency.
Sec. 5. Federal Government liability for violations of privacy or civil 
              liberties.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Report on cybersecurity threats.
Sec. 9. Construction and preemption.
Sec. 10. Conforming amendments.
Sec. 11. Definitions.

     SEC. 2. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE 
                   MEASURES BY THE FEDERAL GOVERNMENT WITH NON-
                   FEDERAL ENTITIES.

       (a) In General.--Title I of the National Security Act of 
     1947 (50 U.S.C. 3021 et seq.) is amended by inserting after 
     section 110 (50 U.S.C. 3045) the following new section:

     ``SEC. 111. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE 
                   MEASURES BY THE FEDERAL GOVERNMENT WITH NON-
                   FEDERAL ENTITIES.

       ``(a) Sharing by the Federal Government.--
       ``(1) In general.--Consistent with the protection of 
     classified information, intelligence sources and methods, and 
     privacy and civil liberties, the Director of National 
     Intelligence, in consultation with the heads of the other 
     appropriate Federal entities, shall develop and promulgate 
     procedures to facilitate and promote--
       ``(A) the timely sharing of classified cyber threat 
     indicators in the possession of the Federal Government with 
     representatives of relevant non-Federal entities with 
     appropriate security clearances;
       ``(B) the timely sharing with relevant non-Federal entities 
     of cyber threat indicators in the possession of the Federal 
     Government that may be declassified and shared at an 
     unclassified level; and
       ``(C) the sharing with non-Federal entities, if 
     appropriate, of information in the possession of the Federal 
     Government about imminent or ongoing cybersecurity threats to 
     such entities to prevent or mitigate adverse impacts from 
     such cybersecurity threats.
       ``(2) Development of procedures.--The procedures developed 
     and promulgated under paragraph (1) shall--
       ``(A) ensure the Federal Government has and maintains the 
     capability to share cyber threat indicators in real time 
     consistent with the protection of classified information;
       ``(B) incorporate, to the greatest extent practicable, 
     existing processes and existing roles and responsibilities of 
     Federal and non-Federal entities for information sharing by 
     the Federal Government, including sector-specific information 
     sharing and analysis centers;
       ``(C) include procedures for notifying non-Federal entities 
     that have received a cyber threat indicator from a Federal 
     entity in accordance with this Act that is known or 
     determined to be in error or in contravention of the 
     requirements of this section, the Protecting Cyber Networks 
     Act, or the amendments made by such Act or another provision 
     of Federal law or policy of such error or contravention;
       ``(D) include requirements for Federal entities receiving a 
     cyber threat indicator or defensive measure to implement 
     appropriate security controls to protect against unauthorized 
     access to, or acquisition of, such cyber threat indicator or 
     defensive measure;
       ``(E) include procedures that require Federal entities, 
     prior to the sharing of a cyber threat indicator, to--
       ``(i) review such cyber threat indicator to assess whether 
     such cyber threat indicator, in contravention of the 
     requirement under section 3(d)(2) of the Protecting Cyber 
     Networks Act, contains any information that such Federal 
     entity knows at the time of sharing to be personal 
     information of or information identifying a specific person 
     not directly related to a cybersecurity threat and remove 
     such information; or
       ``(ii) implement a technical capability configured to 
     remove or exclude any personal information of or information 
     identifying a specific person not directly related to a 
     cybersecurity threat; and
       ``(F) include procedures to promote the efficient granting 
     of security clearances to appropriate representatives of non-
     Federal entities.
       ``(b) Definitions.--In this section, the terms `appropriate 
     Federal entities', `cyber threat indicator', `defensive 
     measure', `Federal entity', and `non-Federal entity' have the 
     meaning given such terms in section 11 of the Protecting 
     Cyber Networks Act.''.
       (b) Submittal to Congress.--Not later than 90 days after 
     the date of the enactment of this Act, the Director of 
     National Intelligence, in consultation with the heads of the 
     other appropriate Federal entities, shall submit to Congress 
     the procedures required by section 111(a) of the National 
     Security Act of 1947, as inserted by subsection (a) of this 
     section.
       (c) Table of Contents Amendment.--The table of contents in 
     the first section of the National Security Act of 1947 is 
     amended by inserting after the item relating to section 110 
     the following new item:

``Sec. 111. Sharing of cyber threat indicators and defensive measures 
              by the Federal Government with non-Federal entities.''.

     SEC. 3. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, 
                   AND MITIGATING CYBERSECURITY THREATS.

       (a) Authorization for Private-sector Defensive 
     Monitoring.--
       (1) In general.--Notwithstanding any other provision of 
     law, a private entity may, for a cybersecurity purpose, 
     monitor--
       (A) an information system of such private entity;
       (B) an information system of a non-Federal entity or a 
     Federal entity, upon the written authorization of such non-
     Federal entity or such Federal entity; and
       (C) information that is stored on, processed by, or 
     transiting an information system monitored by the private 
     entity under this paragraph.
       (2) Construction.--Nothing in this subsection shall be 
     construed to--
       (A) authorize the monitoring of an information system, or 
     the use of any information obtained through such monitoring, 
     other than as provided in this Act;
       (B) authorize the Federal Government to conduct 
     surveillance of any person; or
       (C) limit otherwise lawful activity.
       (b) Authorization for Operation of Defensive Measures.--
       (1) In general.--Except as provided in paragraph (2) and 
     notwithstanding any other provision of law, a private entity 
     may, for a cybersecurity purpose, operate a defensive measure 
     that is operated on and is limited to--
       (A) an information system of such private entity to protect 
     the rights or property of the private entity; and
       (B) an information system of a non-Federal entity or a 
     Federal entity upon written authorization of such non-Federal 
     entity or such Federal entity for operation of such defensive 
     measure to protect the rights or property of such private 
     entity, such non-Federal entity, or such Federal entity.
       (2) Limitation.--The authority provided in paragraph (1) 
     does not include the intentional or reckless operation of any 
     defensive measure that destroys, renders unusable or 
     inaccessible (in whole or in part), substantially harms, or 
     initiates a new action, process, or procedure on an 
     information system or information stored on, processed by, or 
     transiting such information system not owned by--
       (A) the private entity operating such defensive measure; or
       (B) a non-Federal entity or a Federal entity that has 
     provided written authorization to that private entity for 
     operation of such defensive measure on the information system 
     or information of the entity in accordance with this 
     subsection.
       (3) Construction.--Nothing in this subsection shall be 
     construed--
       (A) to authorize the use of a defensive measure other than 
     as provided in this subsection; or
       (B) to limit otherwise lawful activity.
       (c) Authorization for Sharing or Receiving Cyber Threat 
     Indicators or Defensive Measures.--
       (1) In general.--Except as provided in paragraph (2) and 
     notwithstanding any other provision of law, a non-Federal 
     entity may, for a cybersecurity purpose and consistent with 
     the requirement under subsection (d)(2) to remove personal 
     information of or information identifying a specific person 
     not directly related to a cybersecurity threat and the 
     protection of classified information--
       (A) share a lawfully obtained cyber threat indicator or 
     defensive measure with any other non-Federal entity or an 
     appropriate Federal entity (other than the Department of 
     Defense or any component of the Department, including the 
     National Security Agency); and
       (B) receive a cyber threat indicator or defensive measure 
     from any other non-Federal entity or an appropriate Federal 
     entity.
       (2) Lawful restriction.--A non-Federal entity receiving a 
     cyber threat indicator or defensive measure from another non-
     Federal entity or a Federal entity shall comply with 
     otherwise lawful restrictions placed on the sharing or use of 
     such cyber threat indicator or defensive measure by the 
     sharing non-Federal entity or Federal entity.
       (3) Construction.--Nothing in this subsection shall be 
     construed to--
       (A) authorize the sharing or receiving of a cyber threat 
     indicator or defensive measure other than as provided in this 
     subsection;
       (B) authorize the sharing or receiving of classified 
     information by or with any person not authorized to access 
     such classified information;

[[Page H2387]]

       (C) prohibit any Federal entity from engaging in formal or 
     informal technical discussion regarding cyber threat 
     indicators or defensive measures with a non-Federal entity or 
     from providing technical assistance to address 
     vulnerabilities or mitigate threats at the request of such an 
     entity;
       (D) limit otherwise lawful activity;
       (E) prohibit a non-Federal entity, if authorized by 
     applicable law or regulation other than this Act, from 
     sharing a cyber threat indicator or defensive measure with 
     the Department of Defense or any component of the Department, 
     including the National Security Agency; or
       (F) authorize the Federal Government to conduct 
     surveillance of any person.
       (d) Protection and Use of Information.--
       (1) Security of information.--A non-Federal entity 
     monitoring an information system, operating a defensive 
     measure, or providing or receiving a cyber threat indicator 
     or defensive measure under this section shall implement an 
     appropriate security control to protect against unauthorized 
     access to, or acquisition of, such cyber threat indicator or 
     defensive measure.
       (2) Removal of certain personal information.--A non-Federal 
     entity sharing a cyber threat indicator pursuant to this Act 
     shall, prior to such sharing, take reasonable efforts to--
       (A) review such cyber threat indicator to assess whether 
     such cyber threat indicator contains any information that the 
     non-Federal entity reasonably believes at the time of sharing 
     to be personal information of or information identifying a 
     specific person not directly related to a cybersecurity 
     threat and remove such information; or
       (B) implement a technical capability configured to remove 
     any information contained within such indicator that the non-
     Federal entity reasonably believes at the time of sharing to 
     be personal information of or information identifying a 
     specific person not directly related to a cybersecurity 
     threat.
       (3) Use of cyber threat indicators and defensive measures 
     by non-federal entities.--A non-Federal entity may, for a 
     cybersecurity purpose--
       (A) use a cyber threat indicator or defensive measure 
     shared or received under this section to monitor or operate a 
     defensive measure on--
       (i) an information system of such non-Federal entity; or
       (ii) an information system of another non-Federal entity or 
     a Federal entity upon the written authorization of that other 
     non-Federal entity or that Federal entity; and
       (B) otherwise use, retain, and further share such cyber 
     threat indicator or defensive measure subject to--
       (i) an otherwise lawful restriction placed by the sharing 
     non-Federal entity or Federal entity on such cyber threat 
     indicator or defensive measure; or
       (ii) an otherwise applicable provision of law.
       (4) Use of cyber threat indicators by state, tribal, or 
     local government.--
       (A) Law enforcement use.--A State, tribal, or local 
     government may use a cyber threat indicator shared with such 
     State, tribal, or local government for the purposes described 
     in clauses (i), (ii), and (iii) of section 4(d)(5)(A).
       (B) Exemption from disclosure.--A cyber threat indicator 
     shared with a State, tribal, or local government under this 
     section shall be--
       (i) deemed voluntarily shared information; and
       (ii) exempt from disclosure under any State, tribal, or 
     local law requiring disclosure of information or records, 
     except as otherwise required by applicable State, tribal, or 
     local law requiring disclosure in any criminal prosecution.
       (e) No Right or Benefit.--The sharing of a cyber threat 
     indicator with a non-Federal entity under this Act shall not 
     create a right or benefit to similar information by such non-
     Federal entity or any other non-Federal entity.

     SEC. 4. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE 
                   MEASURES WITH APPROPRIATE FEDERAL ENTITIES 
                   OTHER THAN THE DEPARTMENT OF DEFENSE OR THE 
                   NATIONAL SECURITY AGENCY.

       (a) Requirement for Policies and Procedures.--
       (1) In general.--Section 111 of the National Security Act 
     of 1947, as inserted by section 2 of this Act, is amended--
       (A) by redesignating subsection (b) as subsection (c); and
       (B) by inserting after subsection (a) the following new 
     subsection:
       ``(b) Policies and Procedures for Sharing With the 
     Appropriate Federal Entities Other Than the Department of 
     Defense or the National Security Agency.--
       ``(1) Establishment.--The President shall develop and 
     submit to Congress policies and procedures relating to the 
     receipt of cyber threat indicators and defensive measures by 
     the Federal Government.
       ``(2) Requirements concerning policies and procedures.--The 
     policies and procedures required under paragraph (1) shall--
       ``(A) be developed in accordance with the privacy and civil 
     liberties guidelines required under section 4(b) of the 
     Protecting Cyber Networks Act;
       ``(B) ensure that--
       ``(i) a cyber threat indicator shared by a non-Federal 
     entity with an appropriate Federal entity (other than the 
     Department of Defense or any component of the Department, 
     including the National Security Agency) pursuant to section 3 
     of such Act is shared in real-time with all of the 
     appropriate Federal entities (including all relevant 
     components thereof);
       ``(ii) the sharing of such cyber threat indicator with 
     appropriate Federal entities is not subject to any delay, 
     modification, or any other action without good cause that 
     could impede receipt by all of the appropriate Federal 
     entities; and
       ``(iii) such cyber threat indicator is provided to each 
     other Federal entity to which such cyber threat indicator is 
     relevant; and
       ``(C) ensure there--
       ``(i) is an audit capability; and
       ``(ii) are appropriate sanctions in place for officers, 
     employees, or agents of a Federal entity who knowingly and 
     willfully use a cyber threat indicator or defense measure 
     shared with the Federal Government by a non-Federal entity 
     under the Protecting Cyber Networks Act other than in 
     accordance with this section and such Act.''.
       (2) Submission.--The President shall submit to Congress--
       (A) not later than 90 days after the date of the enactment 
     of this Act, interim policies and procedures required under 
     section 111(b)(1) of the National Security Act of 1947, as 
     inserted by paragraph (1) of this section; and
       (B) not later than 180 days after such date, final policies 
     and procedures required under such section 111(b)(1).
       (b) Privacy and Civil Liberties.--
       (1) Guidelines of attorney general.--The Attorney General, 
     in consultation with the heads of the other appropriate 
     Federal agencies and with officers designated under section 
     1062 of the Intelligence Reform and Terrorism Prevention Act 
     of 2004 (42 U.S.C. 2000ee-1), shall develop and periodically 
     review guidelines relating to privacy and civil liberties 
     that govern the receipt, retention, use, and dissemination of 
     cyber threat indicators by a Federal entity obtained in 
     accordance with this Act and the amendments made by this Act.
       (2) Content.--The guidelines developed and reviewed under 
     paragraph (1) shall, consistent with the need to protect 
     information systems from cybersecurity threats and mitigate 
     cybersecurity threats--
       (A) limit the impact on privacy and civil liberties of 
     activities by the Federal Government under this Act, 
     including guidelines to ensure that personal information of 
     or information identifying specific persons is properly 
     removed from information received, retained, used, or 
     disseminated by a Federal entity in accordance with this Act 
     or the amendments made by this Act;
       (B) limit the receipt, retention, use, and dissemination of 
     cyber threat indicators containing personal information of or 
     information identifying specific persons, including by 
     establishing--
       (i) a process for the prompt destruction of such 
     information that is known not to be directly related to a use 
     for a cybersecurity purpose;
       (ii) specific limitations on the length of any period in 
     which a cyber threat indicator may be retained; and
       (iii) a process to inform recipients that such indicators 
     may only be used for a cybersecurity purpose;
       (C) include requirements to safeguard cyber threat 
     indicators containing personal information of or identifying 
     specific persons from unauthorized access or acquisition, 
     including appropriate sanctions for activities by officers, 
     employees, or agents of the Federal Government in 
     contravention of such guidelines;
       (D) include procedures for notifying non-Federal entities 
     and Federal entities if information received pursuant to this 
     section is known or determined by a Federal entity receiving 
     such information not to constitute a cyber threat indicator;
       (E) be consistent with any other applicable provisions of 
     law and the fair information practice principles set forth in 
     appendix A of the document entitled ``National Strategy for 
     Trusted Identities in Cyberspace'' and published by the 
     President in April, 2011; and
       (F) include steps that may be needed so that dissemination 
     of cyber threat indicators is consistent with the protection 
     of classified information and other sensitive national 
     security information.
       (3) Submission.--The Attorney General shall submit to 
     Congress--
       (A) not later than 90 days after the date of the enactment 
     of this Act, interim guidelines required under paragraph (1); 
     and
       (B) not later than 180 days after such date, final 
     guidelines required under such paragraph.
       (c) National Cyber Threat Intelligence Integration 
     Center.--
       (1) Establishment.--Title I of the National Security Act of 
     1947 (50 U.S.C. 3021 et seq.), as amended by section 2 of 
     this Act, is further amended--
       (A) by redesignating section 119B as section 119C; and
       (B) by inserting after section 119A the following new 
     section:

     ``SEC. 119B. CYBER THREAT INTELLIGENCE INTEGRATION CENTER.

       ``(a) Establishment.--There is within the Office of the 
     Director of National Intelligence a Cyber Threat Intelligence 
     Integration Center.
       ``(b) Director.--There is a Director of the Cyber Threat 
     Intelligence Integration Center, who shall be the head of the 
     Cyber Threat Intelligence Integration Center, and who shall 
     be appointed by the Director of National Intelligence.
       ``(c) Primary Missions.--The Cyber Threat Intelligence 
     Integration Center shall--
       ``(1) serve as the primary organization within the Federal 
     Government for analyzing and integrating all intelligence 
     possessed or acquired by the United States pertaining to 
     cyber threats;
       ``(2) ensure that appropriate departments and agencies have 
     full access to and receive all-source intelligence support 
     needed to execute the cyber threat intelligence activities of 
     such agencies and to perform independent, alternative 
     analyses;
       ``(3) disseminate cyber threat analysis to the President, 
     the appropriate departments and agencies of the Federal 
     Government, and the appropriate committees of Congress;

[[Page H2388]]

       ``(4) coordinate cyber threat intelligence activities of 
     the departments and agencies of the Federal Government; and
       ``(5) conduct strategic cyber threat intelligence planning 
     for the Federal Government.
       ``(d) Limitations.--The Cyber Threat Intelligence 
     Integration Center shall--
       ``(1) have not more than 50 permanent positions;
       ``(2) in carrying out the primary missions of the Center 
     described in subsection (c), may not augment staffing through 
     detailees, assignees, or core contractor personnel or enter 
     into any personal services contracts to exceed the limitation 
     under paragraph (1); and
       ``(3) be located in a building owned or operated by an 
     element of the intelligence community as of the date of the 
     enactment of this section.''.
       (2) Table of contents amendments.--The table of contents in 
     the first section of the National Security Act of 1947, as 
     amended by section 2 of this Act, is further amended by 
     striking the item relating to section 119B and inserting the 
     following new items:

``Sec. 119B. Cyber Threat Intelligence Integration Center.
``Sec. 119C. National intelligence centers.''.
       (d) Information Shared With or Provided to the Federal 
     Government.--
       (1) No waiver of privilege or protection.--The provision of 
     a cyber threat indicator or defensive measure to the Federal 
     Government under this Act shall not constitute a waiver of 
     any applicable privilege or protection provided by law, 
     including trade secret protection.
       (2) Proprietary information.--Consistent with section 
     3(c)(2), a cyber threat indicator or defensive measure 
     provided by a non-Federal entity to the Federal Government 
     under this Act shall be considered the commercial, financial, 
     and proprietary information of the non-Federal entity that is 
     the originator of such cyber threat indicator or defensive 
     measure when so designated by such non-Federal entity or a 
     non-Federal entity acting in accordance with the written 
     authorization of the non-Federal entity that is the 
     originator of such cyber threat indicator or defensive 
     measure.
       (3) Exemption from disclosure.--A cyber threat indicator or 
     defensive measure provided to the Federal Government under 
     this Act shall be--
       (A) deemed voluntarily shared information and exempt from 
     disclosure under section 552 of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records; and
       (B) withheld, without discretion, from the public under 
     section 552(b)(3)(B) of title 5, United States Code, and any 
     State, tribal, or local provision of law requiring disclosure 
     of information or records, except as otherwise required by 
     applicable Federal, State, tribal, or local law requiring 
     disclosure in any criminal prosecution.
       (4) Ex parte communications.--The provision of a cyber 
     threat indicator or defensive measure to the Federal 
     Government under this Act shall not be subject to a rule of 
     any Federal department or agency or any judicial doctrine 
     regarding ex parte communications with a decision-making 
     official.
       (5) Disclosure, retention, and use.--
       (A) Authorized activities.--A cyber threat indicator or 
     defensive measure provided to the Federal Government under 
     this Act may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable provisions of Federal 
     law, any department, agency, component, officer, employee, or 
     agent of the Federal Government solely for--
       (i) a cybersecurity purpose;
       (ii) the purpose of responding to, prosecuting, or 
     otherwise preventing or mitigating a threat of death or 
     serious bodily harm or an offense arising out of such a 
     threat;
       (iii) the purpose of responding to, or otherwise preventing 
     or mitigating, a serious threat to a minor, including sexual 
     exploitation and threats to physical safety; or
       (iv) the purpose of preventing, investigating, disrupting, 
     or prosecuting any of the offenses listed in sections 1028, 
     1029, 1030, and 3559(c)(2)(F) and chapters 37 and 90 of title 
     18, United States Code.
       (B) Prohibited activities.--A cyber threat indicator or 
     defensive measure provided to the Federal Government under 
     this Act shall not be disclosed to, retained by, or used by 
     any Federal department or agency for any use not permitted 
     under subparagraph (A).
       (C) Privacy and civil liberties.--A cyber threat indicator 
     or defensive measure provided to the Federal Government under 
     this Act shall be retained, used, and disseminated by the 
     Federal Government in accordance with--
       (i) the policies and procedures relating to the receipt of 
     cyber threat indicators and defensive measures by the Federal 
     Government required by subsection (b) of section 111 of the 
     National Security Act of 1947, as added by subsection (a) of 
     this section; and
       (ii) the privacy and civil liberties guidelines required by 
     subsection (b).

     SEC. 5. FEDERAL GOVERNMENT LIABILITY FOR VIOLATIONS OF 
                   PRIVACY OR CIVIL LIBERTIES.

       (a) In General.--If a department or agency of the Federal 
     Government intentionally or willfully violates the privacy 
     and civil liberties guidelines issued by the Attorney General 
     under section 4(b), the United States shall be liable to a 
     person injured by such violation in an amount equal to the 
     sum of--
       (1) the actual damages sustained by the person as a result 
     of the violation or $1,000, whichever is greater; and
       (2) reasonable attorney fees as determined by the court and 
     other litigation costs reasonably incurred in any case under 
     this subsection in which the complainant has substantially 
     prevailed.
       (b) Venue.--An action to enforce liability created under 
     this section may be brought in the district court of the 
     United States in--
       (1) the district in which the complainant resides;
       (2) the district in which the principal place of business 
     of the complainant is located;
       (3) the district in which the department or agency of the 
     Federal Government that violated such privacy and civil 
     liberties guidelines is located; or
       (4) the District of Columbia.
       (c) Statute of Limitations.--No action shall lie under this 
     subsection unless such action is commenced not later than two 
     years after the date of the violation of the privacy and 
     civil liberties guidelines issued by the Attorney General 
     under section 4(b) that is the basis for the action.
       (d) Exclusive Cause of Action.--A cause of action under 
     this subsection shall be the exclusive means available to a 
     complainant seeking a remedy for a violation by a department 
     or agency of the Federal Government under this Act.

     SEC. 6. PROTECTION FROM LIABILITY.

       (a) Monitoring of Information Systems.--No cause of action 
     shall lie or be maintained in any court against any private 
     entity, and such action shall be promptly dismissed, for the 
     monitoring of an information system and information under 
     section 3(a) that is conducted in good faith in accordance 
     with this Act and the amendments made by this Act.
       (b) Sharing or Receipt of Cyber Threat Indicators.--No 
     cause of action shall lie or be maintained in any court 
     against any non-Federal entity, and such action shall be 
     promptly dismissed, for the sharing or receipt of a cyber 
     threat indicator or defensive measure under section 3(c), or 
     a good faith failure to act based on such sharing or receipt, 
     if such sharing or receipt is conducted in good faith in 
     accordance with this Act and the amendments made by this Act.
       (c) Willful Misconduct.--
       (1) Rule of construction.--Nothing in this section shall be 
     construed--
       (A) to require dismissal of a cause of action against a 
     non-Federal entity (including a private entity) that has 
     engaged in willful misconduct in the course of conducting 
     activities authorized by this Act or the amendments made by 
     this Act; or
       (B) to undermine or limit the availability of otherwise 
     applicable common law or statutory defenses.
       (2) Proof of willful misconduct.--In any action claiming 
     that subsection (a) or (b) does not apply due to willful 
     misconduct described in paragraph (1), the plaintiff shall 
     have the burden of proving by clear and convincing evidence 
     the willful misconduct by each non-Federal entity subject to 
     such claim and that such willful misconduct proximately 
     caused injury to the plaintiff.
       (3) Willful misconduct defined.--In this subsection, the 
     term ``willful misconduct'' means an act or omission that is 
     taken--
       (A) intentionally to achieve a wrongful purpose;
       (B) knowingly without legal or factual justification; and
       (C) in disregard of a known or obvious risk that is so 
     great as to make it highly probable that the harm will 
     outweigh the benefit.

     SEC. 7. OVERSIGHT OF GOVERNMENT ACTIVITIES.

       (a) Biennial Report on Implementation.--
       (1) In general.--Section 111 of the National Security Act 
     of 1947, as added by section 2(a) and amended by section 4(a) 
     of this Act, is further amended--
       (A) by redesignating subsection (c) (as redesignated by 
     such section 4(a)) as subsection (d); and
       (B) by inserting after subsection (b) (as inserted by such 
     section 4(a)) the following new subsection:
       ``(c) Biennial Report on Implementation.--
       ``(1) In general.--Not less frequently than once every two 
     years, the Director of National Intelligence, in consultation 
     with the heads of the other appropriate Federal entities, 
     shall submit to Congress a report concerning the 
     implementation of this section and the Protecting Cyber 
     Networks Act.
       ``(2) Contents.--Each report submitted under paragraph (1) 
     shall include the following:
       ``(A) An assessment of the sufficiency of the policies, 
     procedures, and guidelines required by this section and 
     section 4 of the Protecting Cyber Networks Act in ensuring 
     that cyber threat indicators are shared effectively and 
     responsibly within the Federal Government.
       ``(B) An assessment of whether the procedures developed 
     under section 3 of such Act comply with the goals described 
     in subparagraphs (A), (B), and (C) of subsection (a)(1).
       ``(C) An assessment of whether cyber threat indicators have 
     been properly classified and an accounting of the number of 
     security clearances authorized by the Federal Government for 
     the purposes of this section and such Act.
       ``(D) A review of the type of cyber threat indicators 
     shared with the Federal Government under this section and 
     such Act, including the following:
       ``(i) The degree to which such information may impact the 
     privacy and civil liberties of specific persons.
       ``(ii) A quantitative and qualitative assessment of the 
     impact of the sharing of such cyber threat indicators with 
     the Federal Government on privacy and civil liberties of 
     specific persons.
       ``(iii) The adequacy of any steps taken by the Federal 
     Government to reduce such impact.
       ``(E) A review of actions taken by the Federal Government 
     based on cyber threat indicators shared with the Federal 
     Government under this

[[Page H2389]]

     section or such Act, including the appropriateness of any 
     subsequent use or dissemination of such cyber threat 
     indicators by a Federal entity under this section or section 
     4 of such Act.
       ``(F) A description of any significant violations of the 
     requirements of this section or such Act by the Federal 
     Government--
       ``(i) an assessment of all reports of officers, employees, 
     and agents of the Federal Government misusing information 
     provided to the Federal Government under the Protecting Cyber 
     Networks Act or this section, without regard to whether the 
     misuse was knowing or wilful; and
       ``(ii) an assessment of all disciplinary actions taken 
     against such officers, employees, and agents.
       ``(G) A summary of the number and type of non-Federal 
     entities that received classified cyber threat indicators 
     from the Federal Government under this section or such Act 
     and an evaluation of the risks and benefits of sharing such 
     cyber threat indicators.
       ``(H) An assessment of any personal information of or 
     information identifying a specific person not directly 
     related to a cybersecurity threat that--
       ``(i) was shared by a non-Federal entity with the Federal 
     Government under this Act in contravention of section 
     3(d)(2); or
       ``(ii) was shared within the Federal Government under this 
     Act in contravention of the guidelines required by section 
     4(b).
       ``(3) Recommendations.--Each report submitted under 
     paragraph (1) may include such recommendations as the heads 
     of the appropriate Federal entities may have for improvements 
     or modifications to the authorities and processes under this 
     section or such Act.
       ``(4) Form of report.--Each report required by paragraph 
     (1) shall be submitted in unclassified form, but may include 
     a classified annex.
       ``(5) Public availability of reports.--The Director of 
     National Intelligence shall make publicly available the 
     unclassified portion of each report required by paragraph 
     (1).''.
       (2) Initial report.--The first report required under 
     subsection (c) of section 111 of the National Security Act of 
     1947, as inserted by paragraph (1) of this subsection, shall 
     be submitted not later than one year after the date of the 
     enactment of this Act.
       (b) Reports on Privacy and Civil Liberties.--
       (1) Biennial report from privacy and civil liberties 
     oversight board.--
       (A) In general.--Section 1061(e) of the Intelligence Reform 
     and Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee(e)) is 
     amended by adding at the end the following new paragraph:
       ``(3) Biennial report on certain cyber activities.--
       ``(A) Report required.--The Privacy and Civil Liberties 
     Oversight Board shall biennially submit to Congress and the 
     President a report containing--
       ``(i) an assessment of the privacy and civil liberties 
     impact of the activities carried out under the Protecting 
     Cyber Networks Act and the amendments made by such Act; and
       ``(ii) an assessment of the sufficiency of the policies, 
     procedures, and guidelines established pursuant to section 4 
     of the Protecting Cyber Networks Act and the amendments made 
     by such section 4 in addressing privacy and civil liberties 
     concerns.
       ``(B) Recommendations.--Each report submitted under this 
     paragraph may include such recommendations as the Privacy and 
     Civil Liberties Oversight Board may have for improvements or 
     modifications to the authorities under the Protecting Cyber 
     Networks Act or the amendments made by such Act.
       ``(C) Form.--Each report required under this paragraph 
     shall be submitted in unclassified form, but may include a 
     classified annex.
       ``(D) Public availability of reports.--The Privacy and 
     Civil Liberties Oversight Board shall make publicly available 
     the unclassified portion of each report required by 
     subparagraph (A).''.
       (B) Initial report.--The first report required under 
     paragraph (3) of section 1061(e) of the Intelligence Reform 
     and Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee(e)), 
     as added by subparagraph (A) of this paragraph, shall be 
     submitted not later than 2 years after the date of the 
     enactment of this Act.
       (2) Biennial report of inspectors general.--
       (A) In general.--Not later than 2 years after the date of 
     the enactment of this Act and not less frequently than once 
     every 2 years thereafter, the Inspector General of the 
     Department of Homeland Security, the Inspector General of the 
     Intelligence Community, the Inspector General of the 
     Department of Justice, and the Inspector General of the 
     Department of Defense, in consultation with the Council of 
     Inspectors General on Financial Oversight, shall jointly 
     submit to Congress a report on the receipt, use, and 
     dissemination of cyber threat indicators and defensive 
     measures that have been shared with Federal entities under 
     this Act and the amendments made by this Act.
       (B) Contents.--Each report submitted under subparagraph (A) 
     shall include the following:
       (i) A review of the types of cyber threat indicators shared 
     with Federal entities.
       (ii) A review of the actions taken by Federal entities as a 
     result of the receipt of such cyber threat indicators.
       (iii) A list of Federal entities receiving such cyber 
     threat indicators.
       (iv) A review of the sharing of such cyber threat 
     indicators among Federal entities to identify inappropriate 
     barriers to sharing information.
       (C) Recommendations.--Each report submitted under this 
     paragraph may include such recommendations as the Inspectors 
     General referred to in subparagraph (A) may have for 
     improvements or modifications to the authorities under this 
     Act or the amendments made by this Act.
       (D) Form.--Each report required under this paragraph shall 
     be submitted in unclassified form, but may include a 
     classified annex.
       (E) Public availability of reports.--The Inspector General 
     of the Department of Homeland Security, the Inspector General 
     of the Intelligence Community, the Inspector General of the 
     Department of Justice, and the Inspector General of the 
     Department of Defense shall make publicly available the 
     unclassified portion of each report required under 
     subparagraph (A).

     SEC. 8. REPORT ON CYBERSECURITY THREATS.

       (a) Report Required.--Not later than 180 days after the 
     date of the enactment of this Act, the Director of National 
     Intelligence, in consultation with the heads of other 
     appropriate elements of the intelligence community, shall 
     submit to the Select Committee on Intelligence of the Senate 
     and the Permanent Select Committee on Intelligence of the 
     House of Representatives a report on cybersecurity threats, 
     including cyber attacks, theft, and data breaches.
       (b) Contents.--The report required by subsection (a) shall 
     include the following:
       (1) An assessment of--
       (A) the current intelligence sharing and cooperation 
     relationships of the United States with other countries 
     regarding cybersecurity threats (including cyber attacks, 
     theft, and data breaches) directed against the United States 
     that threaten the United States national security interests, 
     economy, and intellectual property; and
       (B) the relative utility of such relationships, which 
     elements of the intelligence community participate in such 
     relationships, and whether and how such relationships could 
     be improved.
       (2) A list and an assessment of the countries and non-state 
     actors that are the primary threats of carrying out a 
     cybersecurity threat (including a cyber attack, theft, or 
     data breach) against the United States and that threaten the 
     United States national security, economy, and intellectual 
     property.
       (3) A description of the extent to which the capabilities 
     of the United States Government to respond to or prevent 
     cybersecurity threats (including cyber attacks, theft, or 
     data breaches) directed against the United States private 
     sector are degraded by a delay in the prompt notification by 
     private entities of such threats or cyber attacks, theft, and 
     breaches.
       (4) An assessment of additional technologies or 
     capabilities that would enhance the ability of the United 
     States to prevent and to respond to cybersecurity threats 
     (including cyber attacks, theft, and data breaches).
       (5) An assessment of any technologies or practices utilized 
     by the private sector that could be rapidly fielded to assist 
     the intelligence community in preventing and responding to 
     cybersecurity threats.
       (c) Form of Report.--The report required by subsection (a) 
     shall be submitted in unclassified form, but may include a 
     classified annex.
       (d) Public Availability of Report.--The Director of 
     National Intelligence shall make publicly available the 
     unclassified portion of the report required by subsection 
     (a).
       (e) Intelligence Community Defined.--In this section, the 
     term ``intelligence community'' has the meaning given that 
     term in section 3 of the National Security Act of 1947 (50 
     U.S.C. 3003).

     SEC. 9. CONSTRUCTION AND PREEMPTION.

       (a) Prohibition of Surveillance.--Nothing in this Act or 
     the amendments made by this Act shall be construed to 
     authorize the Department of Defense or the National Security 
     Agency or any other element of the intelligence community to 
     target a person for surveillance.
       (b) Otherwise Lawful Disclosures.--Nothing in this Act or 
     the amendments made by this Act shall be construed to limit 
     or prohibit--
       (1) otherwise lawful disclosures of communications, 
     records, or other information, including reporting of known 
     or suspected criminal activity, by a non-Federal entity to 
     any other non-Federal entity or the Federal Government; or
       (2) any otherwise lawful use of such disclosures by any 
     entity of the Federal government, without regard to whether 
     such otherwise lawful disclosures duplicate or replicate 
     disclosures made under this Act.
       (c) Whistle Blower Protections.--Nothing in this Act or the 
     amendments made by this Act shall be construed to prohibit or 
     limit the disclosure of information protected under section 
     2302(b)(8) of title 5, United States Code (governing 
     disclosures of illegality, waste, fraud, abuse, or public 
     health or safety threats), section 7211 of title 5, United 
     States Code (governing disclosures to Congress), section 1034 
     of title 10, United States Code (governing disclosure to 
     Congress by members of the military), or any similar 
     provision of Federal or State law..
       (d) Protection of Sources and Methods.--Nothing in this Act 
     or the amendments made by this Act shall be construed--
       (1) as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal Government, or 
     any department or agency thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, or use of classified information;
       (2) to affect the conduct of authorized law enforcement or 
     intelligence activities; or
       (3) to modify the authority of the President or a 
     department or agency of the Federal Government to protect and 
     control the dissemination of classified information, 
     intelligence sources and methods, and the national security 
     of the United States.
       (e) Relationship to Other Laws.--Nothing in this Act or the 
     amendments made by this Act shall be construed to affect any 
     requirement under any other provision of law for a non-
     Federal entity to provide information to the Federal 
     Government.

[[Page H2390]]

       (f) Information Sharing Relationships.--Nothing in this Act 
     or the amendments made by this Act shall be construed--
       (1) to limit or modify an existing information-sharing 
     relationship;
       (2) to prohibit a new information-sharing relationship; or
       (3) to require a new information-sharing relationship 
     between any non-Federal entity and the Federal Government.
       (g) Preservation of Contractual Obligations and Rights.--
     Nothing in this Act or the amendments made by this Act shall 
     be construed--
       (1) to amend, repeal, or supersede any current or future 
     contractual agreement, terms of service agreement, or other 
     contractual relationship between any non-Federal entities, or 
     between any non-Federal entity and a Federal entity; or
       (2) to abrogate trade secret or intellectual property 
     rights of any non-Federal entity or Federal entity.
       (h) Anti-tasking Restriction.--Nothing in this Act or the 
     amendments made by this Act shall be construed to permit the 
     Federal Government--
       (1) to require a non-Federal entity to provide information 
     to the Federal Government;
       (2) to condition the sharing of a cyber threat indicator 
     with a non-Federal entity on such non-Federal entity's 
     provision of a cyber threat indicator to the Federal 
     Government; or
       (3) to condition the award of any Federal grant, contract, 
     or purchase on the provision of a cyber threat indicator to a 
     Federal entity.
       (i) No Liability for Non-participation.--Nothing in this 
     Act or the amendments made by this Act shall be construed to 
     subject any non-Federal entity to liability for choosing not 
     to engage in a voluntary activiy authorized in this Act and 
     the amendments made by this Act.
       (j) Use and Retention of Information.--Nothing in this Act 
     or the amendments made by this Act shall be construed to 
     authorize, or to modify any existing authority of, a 
     department or agency of the Federal Government to retain or 
     use any information shared under this Act or the amendments 
     made by this Act for any use other than permitted in this Act 
     or the amendments made by this Act.
       (k) Federal Preemption.--
       (1) In general.--This Act and the amendments made by this 
     Act supersede any statute or other provision of law of a 
     State or political subdivision of a State that restricts or 
     otherwise expressly regulates an activity authorized under 
     this Act or the amendments made by this Act.
       (2) State law enforcement.--Nothing in this Act or the 
     amendments made by this Act shall be construed to supersede 
     any statute or other provision of law of a State or political 
     subdivision of a State concerning the use of authorized law 
     enforcement practices and procedures.
       (l) Regulatory Authority.--Nothing in this Act or the 
     amendments made by this Act shall be construed--
       (1) to authorize the promulgation of any regulations not 
     specifically authorized by this Act or the amendments made by 
     this Act;
       (2) to establish any regulatory authority not specifically 
     established under this Act or the amendments made by this 
     Act; or
       (3) to authorize regulatory actions that would duplicate or 
     conflict with regulatory requirements, mandatory standards, 
     or related processes under another provision of Federal law.

     SEC. 10. CONFORMING AMENDMENTS.

       Section 552(b) of title 5, United States Code, is amended--
       (1) in paragraph (8), by striking ``or'' at the end;
       (2) in paragraph (9), by striking ``wells.'' and inserting 
     ``wells; or''; and
       (3) by inserting after paragraph (9) the following:
       ``(10) information shared with or provided to the Federal 
     Government pursuant to the Protecting Cyber Networks Act or 
     the amendments made by such Act.''.

     SEC. 11. DEFINITIONS.

       In this Act:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Appropriate federal entities.--The term ``appropriate 
     Federal entities'' means the following:
       (A) The Department of Commerce.
       (B) The Department of Defense.
       (C) The Department of Energy.
       (D) The Department of Homeland Security.
       (E) The Department of Justice.
       (F) The Department of the Treasury.
       (G) The Office of the Director of National Intelligence.
       (3) Cybersecurity purpose.--The term ``cybersecurity 
     purpose'' means the purpose of protecting (including through 
     the use of a defensive measure) an information system or 
     information that is stored on, processed by, or transiting an 
     information system from a cybersecurity threat or security 
     vulnerability or identifying the source of a cybersecurity 
     threat.
       (4) Cybersecurity threat.--
       (A) In general.--Except as provided in subparagraph (B), 
     the term ``cybersecurity threat'' means an action, not 
     protected by the first amendment to the Constitution of the 
     United States, on or through an information system that may 
     result in an unauthorized effort to adversely impact the 
     security, confidentiality, integrity, or availability of an 
     information system or information that is stored on, 
     processed by, or transiting an information system.
       (B) Exclusion.--The term ``cybersecurity threat'' does not 
     include any action that solely involves a violation of a 
     consumer term of service or a consumer licensing agreement.
       (5) Cyber threat indicator.--The term ``cyber threat 
     indicator'' means information or a physical object that is 
     necessary to describe or identify--
       (A) malicious reconnaissance, including anomalous patterns 
     of communications that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat or security vulnerability;
       (B) a method of defeating a security control or 
     exploitation of a security vulnerability;
       (C) a security vulnerability, including anomalous activity 
     that appears to indicate the existence of a security 
     vulnerability;
       (D) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     unwittingly enable the defeat of a security control or 
     exploitation of a security vulnerability;
       (E) malicious cyber command and control;
       (F) the actual or potential harm caused by an incident, 
     including a description of the information exfiltrated as a 
     result of a particular cybersecurity threat; or
       (G) any other attribute of a cybersecurity threat, if 
     disclosure of such attribute is not otherwise prohibited by 
     law.
       (6) Defensive measure.--The term ``defensive measure'' 
     means an action, device, procedure, technique, or other 
     measure executed on an information system or information that 
     is stored on, processed by, or transiting an information 
     system that prevents or mitigates a known or suspected 
     cybersecurity threat or security vulnerability.
       (7) Federal entity.--The term ``Federal entity'' means a 
     department or agency of the United States or any component of 
     such department or agency.
       (8) Information system.--The term ``information system''--
       (A) has the meaning given the term in section 3502 of title 
     44, United States Code; and
       (B) includes industrial control systems, such as 
     supervisory control and data acquisition systems, distributed 
     control systems, and programmable logic controllers.
       (9) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other political subdivision of a State.
       (10) Malicious cyber command and control.--The term 
     ``malicious cyber command and control'' means a method for 
     unauthorized remote identification of, access to, or use of, 
     an information system or information that is stored on, 
     processed by, or transiting an information system.
       (11) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning security vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (12) Monitor.--The term ``monitor'' means to acquire, 
     identify, scan, or otherwise possess information that is 
     stored on, processed by, or transiting an information system.
       (13) Non-federal entity.--
       (A) In general.--Except as otherwise provided in this 
     paragraph, the term ``non-Federal entity'' means any private 
     entity, non-Federal government department or agency, or 
     State, tribal, or local government (including a political 
     subdivision, department, officer, employee, or agent 
     thereof).
       (B) Inclusions.--The term ``non-Federal entity'' includes a 
     government department or agency (including an officer, 
     employee, or agent thereof) of the District of Columbia, the 
     Commonwealth of Puerto Rico, the Virgin Islands, Guam, 
     American Samoa, the Northern Mariana Islands, and any other 
     territory or possession of the United States.
       (C) Exclusion.--The term ``non-Federal entity'' does not 
     include a foreign power or known agent of a foreign power, as 
     both terms are defined in section 101 of the Foreign 
     Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
       (14) Private entity.--
       (A) In general.--Except as otherwise provided in this 
     paragraph, the term ``private entity'' means any person or 
     private group, organization, proprietorship, partnership, 
     trust, cooperative, corporation, or other commercial or 
     nonprofit entity, including an officer, employee, or agent 
     thereof.
       (B) Inclusion.--The term ``private entity'' includes a 
     component of a State, tribal, or local government performing 
     electric utility services.
       (C) Exclusion.--The term ``private entity'' does not 
     include a foreign power as defined in section 101 of the 
     Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 
     1801).
       (15) Real time; real-time.--The terms ``real time'' and 
     ``real-time'' mean a process by which an automated, machine-
     to-machine system processes cyber threat indicators such that 
     the time in which the occurrence of an event and the 
     reporting or recording of it are as simultaneous as 
     technologically and operationally practicable.
       (16) Security control.--The term ``security control'' means 
     the management, operational, and technical controls used to 
     protect against an unauthorized effort to adversely impact 
     the security, confidentiality, integrity, and availability of 
     an information system or its information.
       (17) Security vulnerability.--The term ``security 
     vulnerability'' means any attribute of hardware, software, 
     process, or procedure that could enable or facilitate the 
     defeat of a security control.
       (18) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

  The Acting CHAIR. No amendment to the committee amendment in the 
nature of a substitute shall be in order except those printed in part A 
of House

[[Page H2391]]

Report 114-88. Each such amendment may be offered only in the order 
printed in the report, by a Member designated in the report, shall be 
considered read, shall be debatable for the time specified in the 
report, equally divided and controlled by the proponent and an 
opponent, shall not be subject to amendment, and shall not be subject 
to a demand for division of the question.

                              {time}  1515


                  Amendment No. 1 Offered by Mr. Nunes

  The Acting CHAIR. It is now in order to consider amendment No. 1 
printed in part A of House Report 114-88.
  Mr. NUNES. Madam Chair, I have an amendment at the desk.
  The Acting CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Page 5, beginning line 16, strike ``in accordance with'' 
     and insert ``under''.
       Page 9, line 2, strike ``and is limited to''.
       Page 9, beginning line 14, strike ``the intentional or 
     reckless operation of any'' and insert ``a''.
       Page 9, beginning line 17, strike ``substantially harms, or 
     initiates a new action, process, or procedure on'' and insert 
     ``, or substantially harms''.
       Page 12, beginning line 2, strike ``a non-Federal entity, 
     if authorized by applicable law or regulation other than this 
     Act, from sharing'' and insert ``otherwise lawful sharing by 
     a non-Federal entity of''.
       Page 14, line 18, insert ``or defensive measure'' before 
     ``shared''.
       Page 23, line 19, strike ``section 3(c)(2)'' and insert 
     ``this Act''.
       Page 24, line 15, strike ``section 552(b)(3)(B)'' and 
     insert ``section 552(b)(3)''.
       Page 25, line 13, insert ``investigating,'' after ``to,''.
       Page 25, line 18, insert ``investigating, prosecuting,'' 
     after ``to,''.
       Page 27, line 23, strike ``subsection'' and insert 
     ``section''.
       Page 27, beginning line 24, strike ``of the violation'' and 
     all that follows through the period on page 28, line 2, and 
     insert the following: ``on which the cause of action 
     arises.''.
       Page 28, line 4, strike ``subsection'' and insert 
     ``section''.
       Page 28, line 14, strike ``in good faith''.
       Page 28, beginning line 22, strike ``in good faith''.
       Page 33, line 16, insert ``of such Act'' before the 
     semicolon.
       Page 33, line 19, insert ``of such Act'' before the period.
       Page 38, line 20, strike ``threats,'' and insert the 
     following: ``threats to the national security and economy of 
     the United States,''.
       Page 44, line 2, strike ``activiy'' and insert 
     ``activity''.
       Page 44, after line 23, insert the following:
       (3) State regulation of utilities.--Except as provided by 
     section 3(d)(4)(B), nothing in this Act or the amendments 
     made by this Act shall be construed to supersede any statute, 
     regulation, or other provision of law of a State or political 
     subdivision of a State relating to the regulation of a 
     private entity performing utility services, except to the 
     extent such statute, regulation, or other provision of law 
     restricts activity authorized under this Act or the 
     amendments made by this Act.
       Strike section 10.
       Page 51, line 13, strike ``electric''.

  The Acting CHAIR. Pursuant to House Resolution 212, the gentleman 
from California (Mr. Nunes) and a Member opposed each will control 5 
minutes.
  The Chair recognizes the gentleman from California.
  Mr. NUNES. Madam Chair, I offer this amendment to make certain 
technical changes to the bill. These changes will align several 
sections of the bill, including the authorization for the use of 
defensive measures and the liability protections, with the Committee on 
Homeland Security's bill, H.R. 1731.
  The amendment also removes a direct amendment to the Freedom of 
Information Act because the bill already contains a strong exemption of 
cyber threat information and defensive measures from disclosure. The 
change does not have a substantive effect on the exemption of cyber 
threat information from disclosure laws.
  The changes also reflect feedback we have received from our minority, 
from the executive branch, from outside groups, and from other 
committees of Congress. We want to make sure that the bill establishes 
a workable system for companies and the government to share cyber 
threat information and defensive measures.
  I urge Members to support this technical and clarifying amendment, 
and I reserve the balance of my time.
  Mr. SCHIFF. Madam Chair, I claim the time in opposition, although I 
am not opposed to the gentleman's amendment.
  The Acting CHAIR. Without objection, the gentleman from California is 
recognized for 5 minutes.
  There was no objection.
  Mr. SCHIFF. Madam Chair, the manager's amendment makes mostly 
technical edits to the bill which advanced out of the Intelligence 
Committee unanimously. These strong edits came from our close and 
continuing consultations with outside groups and with the White House.
  There is still work that remains to be done. In particular, we are 
going to work, as the bill moves forward, on the liability section. In 
order to benefit from the liability protection under the current 
language, it is necessary for companies to strictly comply with the 
act, which means sharing information only for a cybersecurity purpose 
and taking reasonable efforts to remove private information before 
sharing it.
  I would support making further changes to the bill to make this 
requirement even more clear. In particular, I think it would be 
advantageous to strike what is, in my view, an unnecessary section on 
the rule of construction pertaining to willful misconduct.
  Striking the rule of construction will help further clarify the 
intent of the bill, which is that liability protection is only 
available if a company or other non-Federal entity shares cyber threat 
information, for a cybersecurity purpose, and only after it takes 
reasonable steps to remove private information not directly related to 
the cybersecurity threat.
  That is the intention of the bill, and I think striking that section 
will make it more clear. If a company acts unreasonably--let alone 
recklessly or willfully--in following these requirements, it does not 
get liability protection, nor should it.
  That is the right result, and we have to be careful not to create any 
confusion about there being any immunity for people or for companies 
acting willfully, recklessly, or even unreasonably in disregarding 
private information or the requirement that it be extricated.
  The manager's amendment makes positive technical changes. There are 
further changes that I would like to see as the bill moves forward. 
Confusion in any section of the bill, particularly as it pertains to 
liability, means litigation, and litigation means costs, so I think 
there is further work for us to do to make it even more clear.
  In sum, I support the technical and substantive changes made in the 
manager's amendment, and I urge my colleagues to do the same. I join 
the chairman in urging support for the manager's amendment.
  I yield back the balance of my time.
  Mr. NUNES. Madam Chair, as I have no other speakers, I urge my 
colleagues to support this amendment.
  I yield back the balance of my time.
  The Acting CHAIR. The question is on the amendment offered by the 
gentleman from California (Mr. Nunes).
  The amendment was agreed to.


                Amendment No. 2 Offered by Mr. Caardenas

  The Acting CHAIR. It is now in order to consider amendment No. 2 
printed in part A of House Report 114-88.
  Mr. CAARDENAS. Madam Chair, I am here to present my amendment.
  The Acting CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Page 15, after line 7, insert the following:
       (f) Small Business Participation.--
       (1) Assistance.--The Administrator of the Small Business 
     Administration shall provide assistance to small businesses 
     and small financial institutions to monitor information and 
     information systems, operate defensive measures, and share 
     and receive cyber threat indicators and defensive measures 
     under this section
       (2) Report.--Not later than one year after the date of the 
     enactment of this Act, the Administrator of the Small 
     Business Administration shall submit to the President a 
     report on the degree to which small businesses and small 
     financial institutions are able to engage in cyber threat 
     information sharing under this section. Such report shall 
     include the recommendations of the Administrator for 
     improving the ability of such businesses and institutions to 
     engage in cyber threat information sharing and to use shared 
     information to defend their networks.
       (3) Outreach.--The Federal Government shall conduct 
     outreach to small businesses and small financial institutions 
     to encourage such businesses and institutions to exercise 
     their authority under this section.

  The Acting CHAIR. Pursuant to House Resolution 212, the gentleman

[[Page H2392]]

from California (Mr. Caardenas) and a Member opposed each will control 
5 minutes.
  The Chair recognizes the gentleman from California.
  Mr. CAARDENAS. Madam Chair, I rise today to speak in support of my 
amendment to H.R. 1560.
  I applaud the managers of this legislation for all of their hard 
work. I understand the difficult balance that must be struck in this 
important debate, and I thank the committee for the opportunity to have 
my amendment considered today.
  Madam Chair, this amendment will protect national security by 
starting from the ground up in protecting our smallest of businesses.
  Cyber attacks are a real threat to our economy and national security. 
Hackers will look for the most vulnerable in the supply chain to 
exploit their security. This is why we must make sure any legislation 
related to cybersecurity places small businesses at the forefront of 
our security planning.
  By doing this, we will be protecting customers and businesses up and 
down the supply chain, which will defend our economy, as a whole, from 
being attacked.
  The amendment will ensure that the SBA will assist small businesses 
and small financial institutions in participating in the programs under 
this bill, and it will make sure the Federal Government performs 
outreach to small businesses and to small financial institutions.
  This is a commonsense provision that addresses the issues that are 
critical to ensuring the security of our cyberspace and of our economic 
well-being now and into the future.
  Small businesses are increasingly becoming the target of cyber 
criminals as larger companies increase their protections, so we need to 
arm them with the information and technical assistance they need to 
create effective plans to thwart these attacks and intrusions.
  On a personal note, I once owned a small business myself. I left my 
bigger, corporate job to start a small business in my local community 
and employ people I grew up with. Washington is a faraway place for 
many small businesses in our country. The laws here can seem 
disconnected. The issues can be brushed off as someone else's problem.
  That is why it is essential that, today and moving forward on all of 
these cybersecurity debates, that we make sure we have programs in 
place to work with and to educate our small businesses and that we 
understand that, every time one of these small businesses is 
successfully attacked and breached, it is a possibility that it could 
go under, losing those local jobs. I think this is a commonsense 
amendment.
  I reserve the balance of my time.
  Mr. NUNES. Madam Chair, I claim the time in opposition, although I am 
not opposed to the amendment.
  The Acting CHAIR. Without objection, the gentleman from California is 
recognized for 5 minutes.
  There was no objection.
  Mr. NUNES. Madam Chair, I want to thank the gentleman from California 
for bringing forward this thoughtful amendment. He worked closely with 
the committee to ensure that the language did not disrupt the intent of 
the bill. I am prepared to accept the amendment.
  I yield back the balance of my time.
  Mr. CAARDENAS. Madam Chair, I yield the balance of my time to the 
gentleman from California (Mr. Schiff).
  Mr. SCHIFF. I thank the gentleman, my colleague, for yielding.
  Madam Chair, for a large business, a cyber attack can be costly and 
damaging. For a small business, a cyber attack can be fatal, wiping out 
a family's dream or a lifetime of work in a few clicks of a mouse.
  Small businesses and small financial institutions also don't have the 
large legal shops that are sometimes necessary to keep up with the 
latest changes or regulations coming from Washington.
  That is why I am so pleased that my California colleague offered this 
important amendment. While I don't expect that any sharing mechanism 
will ultimately be costly to maintain or to access, there will be some 
costs, especially in the early stages of implementation, and there will 
be some new procedures to navigate.
  This amendment will help put the reach and authority of the Small 
Business Administration in the service of cybersecurity by having the 
agency assist in the rollout of cyber threat information sharing.
  It is an important addition to the bill. I thank the gentleman for 
raising the issue, and I urge my colleagues to support it.
  Mr. CAARDENAS. I yield back the balance of my time.
  The Acting CHAIR. The question is on the amendment offered by the 
gentleman from California (Mr. Caardenas).
  The amendment was agreed to.


            Amendment No. 3 Offered by Mr. Carson of Indiana

  The Acting CHAIR. It is now in order to consider amendment No. 3 
printed in part A of House Report 114-88.
  Mr. CARSON of Indiana. Madam Chair, I have an amendment at the desk.
  The Acting CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Page 37, after line 16, insert the following new clause:
       (v) A review of the current procedures pertaining to the 
     sharing of information, removal procedures for personal 
     information or information identifying a specific person, and 
     any incidents pertaining to the improper treatment of such 
     information.

  The Acting CHAIR. Pursuant to House Resolution 212, the gentleman 
from Indiana (Mr. Carson) and a Member opposed each will control 5 
minutes.
  The Chair recognizes the gentleman from Indiana.
  Mr. CARSON of Indiana. Madam Chair, I proudly supported this bill 
when we marked it in the Intelligence Committee. I am only bringing up 
this amendment today to address a basic transparency concern raised by 
my constituents after the markup, that the cybersecurity threat posed 
to our government, to our businesses, and to our personal information 
is massive and is growing every day.
  This bill provides important tools to ensure that the lessons learned 
from a breach of one company can help strengthen the security of 
others. As a result, your Social Security and credit card numbers will 
be better protected.
  Madam Chair, as someone who opposed CISPA last year, I feel like this 
iteration is a major first step forward in privacy protection and 
transparency. I am particularly happy with the robust protections of 
personally identifiable information.
  Unlike past iterations, this bill mandates that cyber threat 
information is scanned and that personal information is removed not 
once, but twice, before it can be transmitted to other Federal 
agencies.
  I am pleased, Madam Chair, that companies will share their cyber 
threat information with a civilian agency and not directly with the 
intelligence community. I am also happy that additional limitations are 
placed on the ways that cyber threat information can be utilized.
  For all of the benefits of this bill, the American people still--
rightfully so--expect oversight that is consistent and comprehensive. 
That is what this amendment is all about. It strengthens the oversight 
of the inspector general's monitoring of this kind of information 
sharing.
  Now, with this amendment, the inspector general will oversee and 
report on the process for information-sharing procedures, for removing 
personal information, and any incidence in which this information was 
treated improperly.
  It will ensure Congress and the public that sharing is happening 
properly and that the public is being protected. I hope that my good 
Republican colleagues will support this amendment.
  I reserve the balance of my time.
  Mr. NUNES. Madam Chair, I claim the time in opposition, although I am 
not opposed to the amendment.
  The Acting CHAIR. Without objection, the gentleman from California is 
recognized for 5 minutes.
  There was no objection.
  Mr. NUNES. Madam Chair, I want to thank the gentleman. He is a member 
of the Intelligence Committee and has played a very productive and 
constructive role. As he said, his constituents have brought these 
concerns to him. He worked with the ranking member and

[[Page H2393]]

me, and we are prepared to accept the amendment.
  I yield back the balance of my time.

                              {time}  1530

  Mr. CARSON of Indiana. Madam Chair, I yield 2 minutes to the 
gentleman from California (Mr. Schiff), my good friend.
  Mr. SCHIFF. I thank the gentleman for yielding.
  Madam Chair, this is Mr. Carson's first year on the committee, and I 
appreciate his dedicated service and the interest he has taken in 
oversight of the intelligence community. He brings a background in law 
enforcement, which is a very welcome addition to our committee, and 
joins other colleagues with a very similar background.
  He has worked closely with us to make privacy improvements throughout 
the process. I support his efforts here again to make a good bill even 
better. Mr. Carson's amendment would include a requirement to make sure 
the critical dual privacy scrub is working the way it should. This is 
very important. It is at the core of our bill and at the core of our 
efforts to protect privacy. So we must monitor how these requirements 
are working and support transparent reporting to make sure that they 
are working as intended.
  I support the amendment and urge my colleagues to do the same.
  Mr. CARSON of Indiana. I thank Chairman Nunes and Ranking Member 
Schiff once again for their support in helping to keep our communities 
safer, but I still want to thank my Republican colleagues for 
supporting this amendment, and I thank them for their friendship. As a 
new member of the committee, Madam Chair, I have greatly appreciated 
the guidance--bipartisan guidance, if you will.
  Every Member of this House, Madam Chair, has heard from constituents 
who are concerned about government surveillance and overreach. After 
everything we have heard about bulk collection over the last few years, 
the American people are right to be concerned about new authorities to 
collect data.
  As the text plainly and repeatedly states, this is not a surveillance 
bill. We have protections in place to ensure that the intelligence 
community cannot collect and utilize your personal data. This amendment 
simply ensures that Congress and the public get to see this sharing 
process and see how it works if these protections happen to fail. I 
urge support for this amendment and the underlying bill.
  I yield back the balance of my time, Madam Chair.
  The Acting CHAIR. The question is on the amendment offered by the 
gentleman from Indiana (Mr. Carson).
  The amendment was agreed to.


                Amendment No. 4 Offered by Mr. Mulvaney

  The Acting CHAIR. It is now in order to consider amendment No. 4 
printed in part A of House Report 114-88.
  Mr. MULVANEY. I have an amendment at the desk.
  The Acting CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Add at the end the following new section:

     SEC. 12. SUNSET.

       This Act and the amendments made by this Act shall 
     terminate on the date that is seven years after the date of 
     the enactment of this Act.

  The Acting CHAIR. Pursuant to House Resolution 212, the gentleman 
from South Carolina (Mr. Mulvaney) and a Member opposed each will 
control 5 minutes.
  The Chair recognizes the gentleman from South Carolina.
  Mr. MULVANEY. Madam Chair, I thank the chairman of the committee for 
the opportunity to present the amendment here today.
  Very briefly, I will talk about the genesis of this amendment, which 
is very simple, by the way. It adds a 7-year sunset to all the 
provisions of the bill.
  Madam Chair, in going through the review of this bill, it occurred to 
me that this was a really close call. There were folks whom I respect 
with a great deal of credibility who reached out to me and said: Look, 
here are the difficulties with this bill and why we should defeat this 
bill. At the same time, there are a lot of folks for whom I have a 
great deal of respect and have a great deal of credibility in the 
industry who also reached out to me and said: Look, this is a very 
serious problem. Here are the good things in the bill, and here is why 
you should support it.
  It is probably not unusual that we have that circumstance before us 
where it is a close call. We are balancing two very critical things: 
security--specifically, cybersecurity--on one hand, and privacy, 
liberty interests, on the other. It is a balancing act that we are 
called on to do many, many times here in Washington, D.C.
  As I was going through the bill, taking input from both sides of the 
argument, it occurred to me: All right, what if we have got it wrong? 
What if we have the balancing act wrong? Sure, we can go back in and 
fix it at some point in the future, some indeterminate time in the 
future; but face it, this is a busy place, with a lot of bills 
demanding attention on any given day in Congress.
  Wouldn't it be nice to have something hardwired into the bill that 
would force Congress at some point in the future to come back and say: 
Okay. A couple years back, here is what we did on cybersecurity. Is it 
working? Did we get it right? Is the balance between security and 
privacy one that is serving both of those very important interests 
correctly?
  We sat down to talk amongst some of my colleagues about the amount of 
time that was necessary. Madam Chair, 7 years is a long time to have a 
sunset provision in a bill. It came to my attention, though, given the 
complexities, the complexities of the systems necessary to be put in 
place in order to implement the programs in the bill, that 7 years was 
the appropriate level of time.
  I am glad that we have sunset provisions in other pieces of 
legislation. I doubt very seriously we would be having serious 
discussions right now about things as important as the PATRIOT Act if a 
sunset provision was not hardwired into the bill. Maybe we should 
consider adding these to every single piece of legislation for just the 
same reason: to force us from time to time to see if what we thought we 
were doing several years ago was really as good an idea as we thought 
it was several years ago. So that was the intention.
  That is the genesis of this amendment--again, very simple, a 7-year 
sunset provision. I hope my colleagues will see fit to support it.
  I reserve the balance of my time.
  Mr. NUNES. Madam Chair, I rise in opposition to this amendment, 
although I appreciate my colleague's concern.
  The Acting CHAIR. The gentleman from California is recognized for 5 
minutes.
  Mr. NUNES. Madam Chair, my friend from South Carolina, I think, is 
very thoughtful in his approach in wanting sunset provisions in many 
laws that pass this body, and I think that is correct on major pieces 
of legislation, especially involving government bureaucracies, the 
creation of government bureaucracies, and the implementation of 
regulation.
  I would just make a few important points that I think this bill is 
very different because this is a voluntary bill. It is also legislation 
that, because of the liability protections that are in this bill, if 
you have a sunset clause in it--and part of the reason why the other 
amendments that were made out of order and this one was made in order, 
because it was the longest time, with the 7 years, as the gentleman 
said--it is tough for a company to design, build, get in the process of 
preparing how they are going to share this information company to 
company, and I am afraid that even though this is 7 years, will 
companies make the investment terms of being willing to actually share? 
Then, if this expires, what happens with the trial lawyers that would 
then come after the fact when the Congress doesn't act with information 
that is sitting out there that no longer has the protections?
  This is actually why, back when the last version of this legislation 
was up last Congress, we made several changes since then, and we have 
many more supporters since that time because of the changes we have 
made to make sure that we have scrubbed private data, to make sure this 
doesn't go to any government agency, to make sure that it is voluntary, 
all of the steps that we have taken. But because of the trial lawyer 
component and the liability being left open, this is why groups

[[Page H2394]]

like Heritage, in the last Congress, opposed an amendment just like 
this.
  We would like to work with the gentleman and his colleagues on this, 
but I would ask if he would be willing to maybe work with us in a 
potential conference or possibly down the road, if it might be 
appropriate. I hate to oppose this amendment because he is my good 
friend, but I want to try to see if he might be willing to withdraw and 
work with us when we get to a conference on a reasonable solution to 
this.
  I reserve the balance of my time.
  Mr. MULVANEY. I will respond in a couple of different ways.
  Under ordinary circumstances, Madam Chair, I might consider 
withdrawing the amendment, but I think we are here today under a 
somewhat extraordinary rule. I do appreciate the chairman's genuineness 
in his request because we have worked very closely together on other 
matters in the past. I look forward to working with him on other 
matters in the future. I consider him to be a good friend and 
colleague. But because of the nature of the joint rule, if this bill 
passes and the bill that is being offered by the Homeland Security 
Committee tomorrow passes as well, my understanding is those two bills 
will then be merged. I have a similar amendment, Madam Chair, tomorrow 
to Mr. McCaul's bill, so I am not really sure if even withdrawing at 
this point would accomplish the necessary end that you seek. I will 
politely decline your request, and respectfully so.
  I will point out, my good friend does mention an interesting part of 
my history here in Washington, D.C. When I offered a similar amendment 
to, I believe, the PATRIOT Act a couple years back, The Heritage 
Foundation did oppose it. It always makes me smile, Madam Chair, when I 
remember going through that conversation with my friends over at The 
Heritage Foundation, and I had to send them a copy of Ed Feulner's own 
book. Ed, of course, is one of the founding members of The Heritage 
Foundation, and the last chapter is an exhortation to please include a 
sunset provision in every single piece of Federal legislation. Again, 
that just sort of makes me smile.

  With all due respect due to the chairman, both as the chair of the 
committee and a Member of this body and a friend of mine, I will 
politely decline his request.
  I yield back the balance of my time.
  Mr. NUNES. I now yield 1 minute to the gentleman from Texas (Mr. 
Farenthold).
  Mr. FARENTHOLD. I appreciate the chairman yielding time to me, even 
though I am in support of this amendment.
  Madam Chair, we need this legislation because our companies, our 
industries, our government, and even our individual citizens are under 
attack by foreign cyber hackers, under attack from criminals. We need 
the cooperation between the government and the private sector, but 
unfortunately we have seen that well-meaning folks in the government 
sometimes get a little overzealous in their data collection we don't 
always see.
  For instance, section 215 of the PATRIOT Act, we saw in the Snowden 
revelations that every bit of metadata on phones was being collected. 
We didn't know that when we passed the PATRIOT Act. Now we have an 
opportunity to put a backstop in place where we can take a look a few 
years down the road and make sure this isn't being misinterpreted, not 
in line with congressional intent, and not in line with the 
Constitution. This backstop, this sunset, is a critical piece of the 
bill. The bill is not perfect, but this makes it a whole lot better and 
gives us a second bite at the apple should things be going wrong.
  I appreciate your yielding.
  Mr. NUNES. Madam Chair, I am prepared to close.
  I would just say that I hate to have to oppose this amendment because 
I think my colleagues are offering it in good faith, with good 
intentions. However, it is a voluntary program. As I said, 
cybersecurity is going to continue to be an ever-increasing problem and 
challenge, and the last thing we want to do is put a backstop in to 
where companies or private citizens are afraid to share the information 
with each other because they are afraid of being sued by some trial 
lawyer down the road.
  Like I said, I hate to oppose the amendment, but I will have to 
oppose the amendment and urge my colleagues to vote ``no.''
  I yield back the balance of my time.
  The Acting CHAIR. The question is on the amendment offered by the 
gentleman from South Carolina (Mr. Mulvaney).
  The question was taken; and the Acting Chair announced that the noes 
appeared to have it.
  Mr. MULVANEY. Madam Chair, I demand a recorded vote.
  The Acting CHAIR. Pursuant to clause 6 of rule XVIII, further 
proceedings on the amendment offered by the gentleman from South 
Carolina will be postponed.


               Amendment No. 5 Offered by Ms. Jackson Lee

  The Acting CHAIR. It is now in order to consider amendment No. 5 
printed in part A of House Report 114-88.
  Ms. JACKSON LEE. Madam Chair, I have an amendment at the desk.
  The Acting CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Add at the end the following:

     SEC. 12. COMPTROLLER GENERAL REPORT ON REMOVAL OF PERSONAL 
                   IDENTIFYING INFORMATION.

       (a) Report.--Not later than three years after the date of 
     the enactment of this Act, the Comptroller General of the 
     United States shall submit to Congress a report on the 
     actions taken by the Federal Government to remove personal 
     information from cyber threat indicators pursuant to section 
     4(b).
       (b) Form.--The report under subsection (a) shall be 
     submitted in unclassified form, but may include a classified 
     annex.

  The Acting CHAIR. Pursuant to House Resolution 212, the gentlewoman 
from Texas (Ms. Jackson Lee) and a Member opposed each will control 5 
minutes.
  The Chair recognizes the gentlewoman from Texas.

                              {time}  1545

  Ms. JACKSON LEE. Madam Chair, I thank the manager and the chairman 
and ranking member of the House Intelligence Committee for their 
service and leadership.
  I offer this amendment that I believe will answer a question that has 
been raised by many Members but really has bipartisan support.
  This amendment is offered as a Jackson Lee-Polis amendment, and the 
specifics of it say:
  ``Not later than three years after the date of the enactment of this 
Act, the Comptroller General of the United States shall submit to 
Congress a report on the actions taken by the Federal Government to 
remove personal information from cyber threat indicators pursuant to 
section 4(b).''
  Again, this relates to the concern that many of us will hear over and 
over again from our constituents.
  In the world of hacking and mistakes and misdirection and unfairness 
and terrorism, it is important to secure this Nation and to be able to 
have the right information.
  As I serve as a member of the Homeland Security Committee, I believe 
we have to have information to thwart terrorist acts and protect the 
homeland.
  But there is a public benefit to my amendment. This amendment will 
provide the public assurance from a reliable and trustworthy source 
that their privacy and civil liberties are not being compromised.
  We are a State and a Nation born out of the existence of the Bill of 
Rights. Along with the Constitution, it has framed a democracy, but it 
has also framed the preciousness of individual rights and privacy. I 
offer this amendment, again, to emphasize the importance of privacy 
that is so very important.
  The Jackson Lee-Polis amendment provides, again, for a Government 
Accountability Act report to Congress on the actions taken by the 
Federal Government to remove personal information from data shared 
through the programs established by this statute.
  The intent of the report, as indicated, is to provide Congress with 
information regarding the effectiveness of protecting the privacy of 
Americans.
  Again, this amendment would result in the sole external report on the 
privacy and civil liberties impact of the programs created under this 
bill.
  Privacy is of great concern to the American people. I know that 
because, as we were doing the Patriot Act in the

[[Page H2395]]

shadow of the heinous acts of 9/11, I will tell you that large voices 
were raised, particularly out of the Judiciary Committee and in working 
with the Intelligence Committee, about the issues of privacy. Americans 
understand that.
  Privacy is of great concern to the American public. Privacy involves 
the handling and protection of personal information. And as well, when 
personal information is improperly accessed, used, or abused, it can 
cause financial and personal harm to those whose data is involved.
  Madam Chair, may I ask how much time is remaining?
  The Acting CHAIR. The gentlewoman from Texas has 2 minutes remaining.
  Ms. JACKSON LEE. Madam Chair, I ask my colleagues to support the 
Jackson Lee amendment.
  I yield 2 minutes to the gentleman from California (Mr. Schiff), the 
distinguished ranking member.
  Mr. SCHIFF. Madam Chair, I thank the gentlewoman from Texas and the 
gentleman from Colorado for their amendment, and I am happy to support 
it.
  We create a lot of law in this body, and it is absolutely necessary 
that we establish reporting mechanisms that allow us to measure the 
effectiveness of the work that we do here. This is an amendment that 
will do just that.
  By requiring regular reports on the operation of the sharing 
mechanism that we are creating today, we can determine whether it is 
working as intended or whether it needs to be tweaked or changed to be 
more effective. We must always ensure that the government is fulfilling 
its obligation under this bill to remove personal information.
  Again, I want to thank Sheila Jackson Lee, as well as the gentleman 
from Colorado, for their efforts. I support the amendment.
  Ms. JACKSON LEE. Madam Chair, how much time is remaining?
  The Acting CHAIR. The gentlewoman from Texas has 45 seconds 
remaining.
  Ms. JACKSON LEE. Thank you, Madam Chair.
  Let me quickly say that a report on consumer views on the privacy 
issue published by the Pew Center found that a majority of adults 
surveyed felt that their privacy is being challenged along such core 
dimensions as the security of their personal information and their 
ability to retain confidentiality.
  It is for this reason that I believe the Jackson Lee amendment, in 
conjunction with the underlying legislation, H.R. 1560, will be an 
added asset to ensure that the personal data, privacy, and civil 
liberties of Americans are protected.
  Madam Chair, I offer my thanks to Chairman Nunes, and Ranking Member 
Schiff for their leadership and work on H.R. 1560.
  The bipartisan work done by the House Select Committee on 
Intelligence resulted in H.R. 1560 being brought before the House for 
consideration.
  I offer acknowledgement to Congressman Polis in joining me in 
sponsoring this amendment.
  The Jackson Lee-Polis Amendment to H.R. 1560 is simple and would 
improve the bill.
  Jackson Lee Amendment designated #5 on the list of amendments 
approved for H.R. 1560:
  The Jackson Lee-Polis Amendment provides for a Government 
Accountability Office (GAO) report to Congress on the actions taken by 
the Federal Government to remove personal information from data shared 
through the programs established by this statute.
  The intent of the report is to provide Congress with information 
regarding the effectiveness of protecting the privacy of Americans.
  This amendment would result in the sole external report on the 
privacy and civil liberties impact of the programs created under this 
bill.
  Privacy is of great concern to the American public.
  Privacy involves the handling and protection of personal information 
that individuals provide in the course of everyday commercial 
transactions.
  When personal information is improperly accessed, used, or abused it 
can cause financial and personal harm to the people whose data is 
involved.
  A report on consumer views on their privacy published by the Pew 
Center found that a majority of adults surveyed felt that their privacy 
is being challenged along such core dimensions as the security of their 
personal information and their ability to retain confidentiality.
  For this reason, the Jackson Lee amendment providing an independent 
report to the public on how their privacy and civil liberties are 
treated under the implementation of this bill is important.
  I ask that my colleagues on both sides of the aisle support this 
amendment.
  I ask that the amendment be supported, and I yield back the balance 
of my time.
  The Acting CHAIR. The question is on the amendment offered by the 
gentlewoman from Texas (Ms. Jackson Lee).
  The amendment was agreed to.


                Amendment No. 4 Offered by Mr. Mulvaney

  The Acting CHAIR. Pursuant to clause 6 of rule XVIII, the unfinished 
business is the demand for a recorded vote on the amendment offered by 
the gentleman from South Carolina (Mr. Mulvaney) on which further 
proceedings were postponed and on which the noes prevailed by voice 
vote.
  The Clerk will redesignate the amendment.
  The Clerk redesignated the amendment.


                             Recorded Vote

  The Acting CHAIR. A recorded vote has been demanded.
  A recorded vote was ordered.
  The vote was taken by electronic device, and there were--ayes 313, 
noes 110, not voting 8, as follows:

                             [Roll No. 168]

                               AYES--313

     Adams
     Aguilar
     Allen
     Amash
     Ashford
     Babin
     Barton
     Bass
     Beatty
     Becerra
     Bera
     Beyer
     Bilirakis
     Bishop (GA)
     Bishop (UT)
     Black
     Blum
     Blumenauer
     Bonamici
     Bost
     Boyle, Brendan F.
     Brady (PA)
     Brat
     Bridenstine
     Brooks (AL)
     Brown (FL)
     Brownley (CA)
     Buchanan
     Buck
     Burgess
     Bustos
     Butterfield
     Byrne
     Capps
     Capuano
     Caardenas
     Carney
     Carson (IN)
     Carter (GA)
     Cartwright
     Castor (FL)
     Castro (TX)
     Chabot
     Chaffetz
     Chu, Judy
     Cicilline
     Clark (MA)
     Clarke (NY)
     Clawson (FL)
     Clay
     Cleaver
     Clyburn
     Cohen
     Cole
     Collins (GA)
     Connolly
     Conyers
     Cooper
     Costa
     Courtney
     Cramer
     Crowley
     Cummings
     Davis (CA)
     DeFazio
     DeGette
     Delaney
     DeLauro
     DelBene
     Denham
     DeSantis
     DeSaulnier
     DesJarlais
     Deutch
     Dingell
     Doggett
     Doyle, Michael F.
     Duckworth
     Duffy
     Duncan (SC)
     Duncan (TN)
     Edwards
     Ellison
     Ellmers (NC)
     Emmer (MN)
     Engel
     Eshoo
     Esty
     Farenthold
     Farr
     Fattah
     Fitzpatrick
     Fleischmann
     Fleming
     Flores
     Forbes
     Fortenberry
     Foster
     Foxx
     Frankel (FL)
     Franks (AZ)
     Fudge
     Gabbard
     Gallego
     Garamendi
     Garrett
     Gibbs
     Gibson
     Gohmert
     Goodlatte
     Gosar
     Gowdy
     Graham
     Granger
     Graves (GA)
     Graves (LA)
     Grayson
     Green, Al
     Green, Gene
     Griffith
     Grijalva
     Grothman
     Guinta
     Gutieerrez
     Hahn
     Hanna
     Harris
     Heck (WA)
     Hensarling
     Herrera Beutler
     Hice, Jody B.
     Higgins
     Himes
     Hinojosa
     Honda
     Hoyer
     Huelskamp
     Huffman
     Huizenga (MI)
     Hultgren
     Hunter
     Hurt (VA)
     Issa
     Jackson Lee
     Jeffries
     Johnson (GA)
     Johnson (OH)
     Johnson, E. B.
     Jolly
     Jones
     Jordan
     Joyce
     Kaptur
     Keating
     Kelly (IL)
     Kennedy
     Kildee
     Kilmer
     Kind
     King (IA)
     Kline
     Kuster
     Labrador
     LaMalfa
     Lamborn
     Langevin
     Larsen (WA)
     Larson (CT)
     Latta
     Lawrence
     Lee
     Levin
     Lewis
     Lieu, Ted
     Lipinski
     Loebsack
     Lofgren
     Loudermilk
     Love
     Lowenthal
     Lowey
     Lucas
     Luetkemeyer
     Lujan Grisham (NM)
     Lujaan, Ben Ray (NM)
     Lummis
     Lynch
     Maloney, Sean
     Marchant
     Massie
     Matsui
     McClintock
     McCollum
     McDermott
     McGovern
     McMorris Rodgers
     McNerney
     Meadows
     Meeks
     Meng
     Miller (FL)
     Mooney (WV)
     Moore
     Moulton
     Mullin
     Mulvaney
     Nadler
     Napolitano
     Neal
     Neugebauer
     Noem
     Nolan
     Norcross
     Nugent
     O'Rourke
     Palazzo
     Pallone
     Palmer
     Pascrell
     Paulsen
     Payne
     Pearce
     Pelosi
     Perlmutter
     Perry
     Peters
     Peterson
     Pingree
     Pitts
     Pocan
     Poe (TX)
     Polis
     Posey
     Price (NC)
     Price, Tom
     Quigley
     Rangel
     Ribble
     Rice (NY)
     Rice (SC)
     Richmond
     Rigell
     Roe (TN)
     Rohrabacher
     Rokita
     Ross
     Rothfus
     Rouzer
     Roybal-Allard
     Ruiz
     Rush
     Russell
     Salmon
     Saanchez, Linda T.
     Sanchez, Loretta
     Sanford
     Sarbanes
     Scalise
     Schakowsky
     Schiff
     Schrader
     Schweikert
     Scott (VA)
     Scott, Austin
     Scott, David
     Serrano
     Sessions
     Sewell (AL)
     Sherman
     Sires
     Slaughter
     Smith (MO)
     Smith (NE)
     Smith (NJ)
     Smith (TX)
     Speier
     Stefanik
     Stutzman
     Swalwell (CA)
     Takai
     Takano
     Thompson (CA)
     Thompson (MS)
     Thompson (PA)
     Tipton
     Titus
     Tonko
     Torres
     Tsongas
     Van Hollen
     Vargas
     Veasey
     Vela
     Velaazquez
     Visclosky
     Walker
     Walorski
     Walz
     Waters, Maxine
     Watson Coleman
     Weber (TX)
     Webster (FL)
     Welch

[[Page H2396]]


     Westerman
     Williams
     Wilson (FL)
     Wilson (SC)
     Wittman
     Yarmuth
     Yoder
     Yoho
     Zeldin
     Zinke

                               NOES--110

     Abraham
     Aderholt
     Amodei
     Barletta
     Barr
     Benishek
     Bishop (MI)
     Blackburn
     Boustany
     Brooks (IN)
     Bucshon
     Calvert
     Carter (TX)
     Coffman
     Collins (NY)
     Comstock
     Conaway
     Cook
     Costello (PA)
     Crawford
     Crenshaw
     Cuellar
     Culberson
     Davis, Danny
     Davis, Rodney
     Dent
     Diaz-Balart
     Dold
     Fincher
     Frelinghuysen
     Guthrie
     Hardy
     Harper
     Hartzler
     Heck (NV)
     Hill
     Holding
     Hudson
     Hurd (TX)
     Israel
     Jenkins (KS)
     Jenkins (WV)
     Johnson, Sam
     Katko
     Kelly (PA)
     King (NY)
     Kinzinger (IL)
     Kirkpatrick
     Knight
     Lance
     LoBiondo
     Long
     MacArthur
     Maloney, Carolyn
     Marino
     McCarthy
     McCaul
     McHenry
     McKinley
     McSally
     Meehan
     Messer
     Mica
     Miller (MI)
     Moolenaar
     Murphy (PA)
     Newhouse
     Nunes
     Pittenger
     Poliquin
     Pompeo
     Ratcliffe
     Reed
     Reichert
     Renacci
     Roby
     Rogers (AL)
     Rogers (KY)
     Rooney (FL)
     Ros-Lehtinen
     Roskam
     Royce
     Ruppersberger
     Ryan (OH)
     Ryan (WI)
     Sensenbrenner
     Shimkus
     Shuster
     Simpson
     Sinema
     Stewart
     Stivers
     Thornberry
     Tiberi
     Trott
     Turner
     Upton
     Valadao
     Wagner
     Walberg
     Walden
     Walters, Mimi
     Wenstrup
     Westmoreland
     Whitfield
     Womack
     Woodall
     Young (AK)
     Young (IA)
     Young (IN)

                             NOT VOTING--8

     Brady (TX)
     Curbelo (FL)
     Graves (MO)
     Hastings
     Murphy (FL)
     Olson
     Smith (WA)
     Wasserman Schultz

                              {time}  1620

  Messrs. ISRAEL, FINCHER, CALVERT, RYAN of Wisconsin, TURNER, SAM 
JOHNSON of Texas, Mrs. CAROLYN B. MALONEY of New York, Messrs. ABRAHAM, 
and RUPPERSBERGER changed their vote from ``aye'' to ``no.''
  Ms. ADAMS, Mr. MILLER of Florida, Ms. PELOSI, Mses. EDWARDS, LORETTA 
SANCHEZ of California, Messrs. ROHRABACHER, CARNEY, ZELDIN, ROSS, 
RICHMOND, Mses. MATSUI, STEFANIK, Messrs. SIRES, CROWLEY, Mses. 
SCHAKOWSKY, DeGETTE, TITUS, Messrs. JOYCE, SEAN PATRICK MALONEY of New 
York, VEASEY, Mses. BROWNLEY of California, LEE, and Mr. PETERSON 
changed their vote from ``no'' to ``aye.''
  So the amendment was agreed to.
  The result of the vote was announced as above recorded.
  The Acting CHAIR (Mr. Thompson of Pennsylvania). The question is on 
the committee amendment in the nature of a substitute, as amended.
  The amendment was agreed to.
  The Acting CHAIR. Under the rule, the Committee rises.
  Accordingly, the Committee rose; and the Speaker pro tempore (Mr. 
Hultgren) having assumed the chair, Mr. Thompson of Pennsylvania, 
Acting Chair of the Committee of the Whole House on the state of the 
Union, reported that that Committee, having had under consideration the 
bill (H.R. 1560) to improve cybersecurity in the United States through 
enhanced sharing of information about cybersecurity threats, and for 
other purposes, and, pursuant to House Resolution 212, he reported the 
bill back to the House with an amendment adopted in the Committee of 
the Whole.
  The SPEAKER pro tempore. Under the rule, the previous question is 
ordered.
  Is a separate vote demanded on any amendment to the amendment 
reported from the Committee of the Whole?
  If not, the question is on the committee amendment in the nature of a 
substitute, as amended.
  The amendment was agreed to.
  The SPEAKER pro tempore. The question is on the engrossment and third 
reading of the bill.
  The bill was ordered to be engrossed and read a third time, and was 
read the third time.


                           Motion to Recommit

  Miss RICE of New York. Mr. Speaker, I have a motion to recommit at 
the desk.
  The SPEAKER pro tempore. Is the gentlewoman opposed to the bill?
  Miss RICE of New York. I am opposed to it in its current form.
  The SPEAKER pro tempore. The Clerk will report the motion to 
recommit.
  The Clerk read as follows:

       Miss Rice of New York moves to recommit the bill H.R. 1560 
     to the Select Committee on Intelligence (Permanent Select) 
     with instructions to report the same back to the House 
     forthwith, with the following amendment:
       Page 22, line 14, strike ``and''.
       Page 22, line 16, strike the period and insert a semicolon.
       Page 22, after line 16, insert the following:
       ``(6) to prevent a terrorist attack against the United 
     States, ensure that the appropriate departments and agencies 
     of the Federal Government prioritize the sharing of cyber 
     threat indicators regarding known terrorist organizations 
     (including the Islamic State, al Qaeda, al Qaeda in the 
     Arabian Peninsula, and Boko Haram) with respect to--
       ``(A) cyberattacks;
       ``(B) the recruitment of homegrown terrorists by such 
     terrorist organizations; and
       ``(C) travel by persons to and from foreign countries in 
     which such terrorist organizations are based or provide 
     training (including Syria, Iraq, Yemen, Afghanistan, and 
     Nigeria); and
       ``(7) to prevent the intelligence and military capability 
     of the United States from being improperly transferred to any 
     foreign country, terrorist organization, or state sponsor of 
     terrorism, ensure that the appropriate departments and 
     agencies of the Federal Government prioritize the sharing of 
     cyber threat indicators regarding attempts to steal the 
     military technology of the United States by state-sponsored 
     computer hackers from the People's Republic of China and 
     other foreign countries.''.

  Mr. NUNES (during the reading). Mr. Speaker, I ask unanimous consent 
to dispense with the reading.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from California?
  There was no objection.
  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman is 
recognized for 5 minutes in support of her motion.
  Miss RICE of New York. Mr. Speaker, this is the final amendment to 
the bill, which will not kill the bill or send it back to committee. If 
adopted, the bill will immediately proceed to final passage, as 
amended.
  Mr. Speaker, the most important job we have is to protect the 
American homeland and the American people. The threats against our 
country are ceaseless and constantly evolving, and we too must evolve 
and adapt in our efforts to maintain the domestic security that the 
American people have entrusted us to uphold.
  Passing H.R. 1560 will be a significant step forward in that effort. 
Our Nation's cyber infrastructure is under attack every single day from 
hackers, from foreign nations, and from terrorists. I believe H.R. 1560 
will strengthen our government's ability to coordinate with companies 
in the private sector, share intelligence, and respond to these 
threats, but I also believe the legislation should be stronger.
  We know that foreign nations and terrorist organizations are actively 
seeking to steal American military intelligence and technology, and we 
know that terrorists are using the Internet to spread their poisonous 
ideology, recruit American citizens to join their ranks, and encourage 
attacks here in America. Just this week, six Minnesota men were 
arrested after trying to travel to Syria to join the Islamic State. 
Last week, authorities arrested an Ohio man who actually trained with a 
terrorist group in Syria and returned to the U.S., intent on carrying 
out an attack on our soil. Earlier this month, two women in my home 
State of New York were arrested for planning to detonate a bomb in New 
York City.
  Mr. Speaker, this amendment will help prevent a domestic terror 
attack by allowing Federal agencies to coordinate and prioritize the 
sharing of cyber threat intelligence regarding known terrorist 
organizations like the Islamic State, Boko Haram, al Shabaab, and al 
Qaeda and its affiliates, groups that use the Internet and social media 
as a weapon in their efforts to attack the United States and the 
American people. Likewise, this amendment will direct Federal agencies 
to prioritize the sharing of intelligence regarding attempts by 
terrorists and foreign nations to steal American military technology.
  This amendment will help protect our Nation and the people we serve. 
I have no doubt that that is the highest priority for my colleagues on 
both sides of the aisle, so we must also make it a priority to 
neutralize these threats and do all that we can to thwart the violent 
ambitions of those who want to do us harm.
  Again, Mr. Speaker, I believe H.R. 1560 is important legislation that 
deserves bipartisan support, but I believe this amendment deserves the 
same. It

[[Page H2397]]

will make the legislation stronger, make the American people safer, and 
I urge my colleagues on both sides of the aisle to give it their full 
support.
  Mr. Speaker, I yield back the balance of my time.
  Mr. NUNES. Mr. Speaker, I rise in opposition to the motion to 
recommit.
  The SPEAKER pro tempore. The gentleman from California is recognized 
for 5 minutes.
  Mr. NUNES. Mr. Speaker, this motion to recommit is nothing more than 
a poison pill designed to destroy the years of work that have gone into 
crafting this legislation.
  The bill already does exactly what the motion to recommit purposes. 
It helps the American people defend themselves against hackers from 
countries like China, Russia, Iran, North Korea, and other terrorist 
groups.
  While we stand here and continue to debate this problem, our country 
is under attack from hackers who steal our intellectual property, 
pilfer our personal information, and target our national security 
interests.
  I urge my colleagues to vote ``no'' on the motion to recommit and 
``yes'' on final passage.
  I yield back the balance of my time.
  The SPEAKER pro tempore. Without objection, the previous question is 
ordered on the motion to recommit.
  There was no objection.
  The SPEAKER pro tempore. The question is on the motion to recommit.
  The question was taken; and the Speaker pro tempore announced that 
the noes appeared to have it.


                             Recorded Vote

  Miss RICE of New York. Mr. Speaker, I demand a recorded vote.
  A recorded vote was ordered.
  The SPEAKER pro tempore. Pursuant to clause 9 of rule XX, this 5-
minute vote on the motion to recommit will be followed by a 5-minute 
vote on the passage of the bill, if ordered.
  The vote was taken by electronic device, and there were--ayes 183, 
noes 239, not voting 9, as follows:

                             [Roll No. 169]

                               AYES--183

     Adams
     Aguilar
     Ashford
     Bass
     Beatty
     Becerra
     Bera
     Beyer
     Bishop (GA)
     Blumenauer
     Bonamici
     Boyle, Brendan F.
     Brady (PA)
     Brown (FL)
     Brownley (CA)
     Bustos
     Butterfield
     Capps
     Capuano
     Caardenas
     Carney
     Carson (IN)
     Cartwright
     Castor (FL)
     Castro (TX)
     Chu, Judy
     Cicilline
     Clark (MA)
     Clarke (NY)
     Clay
     Cleaver
     Clyburn
     Cohen
     Connolly
     Conyers
     Cooper
     Costa
     Courtney
     Crowley
     Cuellar
     Cummings
     Davis (CA)
     Davis, Danny
     DeFazio
     DeGette
     Delaney
     DeLauro
     DelBene
     DeSaulnier
     Deutch
     Dingell
     Doggett
     Doyle, Michael F.
     Duckworth
     Edwards
     Ellison
     Engel
     Eshoo
     Esty
     Farr
     Fattah
     Foster
     Frankel (FL)
     Fudge
     Gabbard
     Gallego
     Garamendi
     Graham
     Grayson
     Green, Al
     Green, Gene
     Grijalva
     Gutieerrez
     Hahn
     Heck (WA)
     Higgins
     Himes
     Hinojosa
     Honda
     Hoyer
     Huffman
     Israel
     Jackson Lee
     Jeffries
     Johnson (GA)
     Johnson, E. B.
     Kaptur
     Keating
     Kelly (IL)
     Kennedy
     Kildee
     Kilmer
     Kind
     Kirkpatrick
     Kuster
     Langevin
     Larsen (WA)
     Larson (CT)
     Lawrence
     Lee
     Levin
     Lewis
     Lieu, Ted
     Lipinski
     Loebsack
     Lofgren
     Lowenthal
     Lowey
     Lujan Grisham (NM)
     Lujaan, Ben Ray (NM)
     Lynch
     Maloney, Carolyn
     Maloney, Sean
     Matsui
     McCollum
     McDermott
     McGovern
     McNerney
     Meeks
     Meng
     Moore
     Moulton
     Nadler
     Napolitano
     Neal
     Nolan
     Norcross
     O'Rourke
     Pallone
     Pascrell
     Payne
     Pelosi
     Perlmutter
     Peters
     Pingree
     Pocan
     Polis
     Price (NC)
     Quigley
     Rangel
     Rice (NY)
     Richmond
     Roybal-Allard
     Ruiz
     Ruppersberger
     Rush
     Ryan (OH)
     Saanchez, Linda T.
     Sanchez, Loretta
     Sarbanes
     Schakowsky
     Schiff
     Schrader
     Scott (VA)
     Scott, David
     Serrano
     Sewell (AL)
     Sherman
     Sinema
     Sires
     Slaughter
     Speier
     Swalwell (CA)
     Takai
     Takano
     Thompson (CA)
     Thompson (MS)
     Titus
     Tonko
     Torres
     Tsongas
     Van Hollen
     Vargas
     Veasey
     Vela
     Velaazquez
     Visclosky
     Walz
     Waters, Maxine
     Watson Coleman
     Welch
     Wilson (FL)
     Yarmuth

                               NOES--239

     Abraham
     Aderholt
     Allen
     Amash
     Amodei
     Babin
     Barletta
     Barr
     Barton
     Benishek
     Bilirakis
     Bishop (MI)
     Bishop (UT)
     Black
     Blackburn
     Blum
     Bost
     Boustany
     Brat
     Bridenstine
     Brooks (AL)
     Brooks (IN)
     Buchanan
     Buck
     Bucshon
     Burgess
     Byrne
     Calvert
     Carter (GA)
     Carter (TX)
     Chabot
     Chaffetz
     Clawson (FL)
     Coffman
     Cole
     Collins (GA)
     Collins (NY)
     Comstock
     Conaway
     Cook
     Costello (PA)
     Cramer
     Crawford
     Crenshaw
     Culberson
     Davis, Rodney
     Denham
     Dent
     DeSantis
     DesJarlais
     Diaz-Balart
     Dold
     Duffy
     Duncan (SC)
     Duncan (TN)
     Ellmers (NC)
     Emmer (MN)
     Farenthold
     Fincher
     Fitzpatrick
     Fleischmann
     Fleming
     Flores
     Forbes
     Fortenberry
     Foxx
     Franks (AZ)
     Frelinghuysen
     Garrett
     Gibbs
     Gibson
     Gohmert
     Goodlatte
     Gosar
     Gowdy
     Granger
     Graves (GA)
     Graves (LA)
     Griffith
     Grothman
     Guinta
     Guthrie
     Hanna
     Hardy
     Harper
     Harris
     Hartzler
     Heck (NV)
     Hensarling
     Herrera Beutler
     Hice, Jody B.
     Hill
     Holding
     Hudson
     Huelskamp
     Huizenga (MI)
     Hultgren
     Hunter
     Hurd (TX)
     Hurt (VA)
     Issa
     Jenkins (KS)
     Jenkins (WV)
     Johnson (OH)
     Johnson, Sam
     Jolly
     Jones
     Jordan
     Joyce
     Katko
     Kelly (PA)
     King (IA)
     King (NY)
     Kinzinger (IL)
     Kline
     Knight
     Labrador
     Lamborn
     Lance
     Latta
     LoBiondo
     Long
     Loudermilk
     Love
     Lucas
     Luetkemeyer
     Lummis
     MacArthur
     Marchant
     Marino
     Massie
     McCarthy
     McCaul
     McClintock
     McHenry
     McKinley
     McMorris Rodgers
     McSally
     Meadows
     Meehan
     Messer
     Mica
     Miller (FL)
     Miller (MI)
     Moolenaar
     Mooney (WV)
     Mullin
     Mulvaney
     Murphy (PA)
     Neugebauer
     Newhouse
     Noem
     Nugent
     Nunes
     Palazzo
     Palmer
     Paulsen
     Pearce
     Perry
     Peterson
     Pittenger
     Pitts
     Poe (TX)
     Poliquin
     Pompeo
     Posey
     Price, Tom
     Ratcliffe
     Reed
     Reichert
     Renacci
     Ribble
     Rice (SC)
     Rigell
     Roby
     Roe (TN)
     Rogers (AL)
     Rogers (KY)
     Rohrabacher
     Rokita
     Rooney (FL)
     Ros-Lehtinen
     Roskam
     Ross
     Rothfus
     Rouzer
     Royce
     Russell
     Ryan (WI)
     Salmon
     Sanford
     Scalise
     Schweikert
     Scott, Austin
     Sensenbrenner
     Sessions
     Shimkus
     Shuster
     Simpson
     Smith (MO)
     Smith (NE)
     Smith (NJ)
     Smith (TX)
     Stefanik
     Stewart
     Stivers
     Stutzman
     Thompson (PA)
     Thornberry
     Tiberi
     Tipton
     Trott
     Turner
     Upton
     Valadao
     Wagner
     Walberg
     Walden
     Walker
     Walorski
     Walters, Mimi
     Weber (TX)
     Webster (FL)
     Wenstrup
     Westerman
     Westmoreland
     Whitfield
     Williams
     Wilson (SC)
     Wittman
     Womack
     Woodall
     Yoder
     Yoho
     Young (AK)
     Young (IA)
     Young (IN)
     Zeldin
     Zinke

                             NOT VOTING--9

     Brady (TX)
     Curbelo (FL)
     Graves (MO)
     Hastings
     LaMalfa
     Murphy (FL)
     Olson
     Smith (WA)
     Wasserman Schultz

                              {time}  1635

  So the motion to recommit was rejected.
  The result of the vote was announced as above recorded.
  The SPEAKER pro tempore. The question is on the passage of the bill.
  The question was taken; and the Speaker pro tempore announced that 
the ayes appeared to have it.


                             Recorded Vote

  Mr. SCHIFF. Mr. Speaker, I demand a recorded vote.
  A recorded vote was ordered.
  The SPEAKER pro tempore. This is a 5-minute vote.
  The vote was taken by electronic device, and there were--ayes 307, 
noes 116, not voting 8, as follows:

                             [Roll No. 170]

                               AYES--307

     Abraham
     Adams
     Aderholt
     Aguilar
     Allen
     Amodei
     Ashford
     Babin
     Barletta
     Barr
     Beatty
     Benishek
     Bera
     Beyer
     Bilirakis
     Bishop (GA)
     Bishop (MI)
     Bishop (UT)
     Black
     Blackburn
     Blum
     Bost
     Boustany
     Boyle, Brendan F.
     Brooks (AL)
     Brooks (IN)
     Brown (FL)
     Brownley (CA)
     Buck
     Bucshon
     Burgess
     Bustos
     Butterfield
     Byrne
     Calvert
     Caardenas
     Carney
     Carson (IN)
     Carter (GA)
     Carter (TX)
     Castor (FL)
     Castro (TX)
     Chabot
     Chaffetz
     Clarke (NY)
     Clay
     Cleaver
     Clyburn
     Coffman
     Cole
     Collins (GA)
     Collins (NY)
     Comstock
     Conaway
     Connolly
     Cook
     Cooper
     Costa
     Costello (PA)
     Cramer
     Crawford
     Crenshaw
     Crowley
     Cuellar
     Culberson
     Davis (CA)
     Davis, Rodney
     Delaney
     Denham
     Dent
     DeSantis
     DeSaulnier
     Diaz-Balart
     Dingell
     Dold
     Duckworth
     Duffy
     Duncan (TN)
     Ellmers (NC)
     Emmer (MN)
     Engel
     Farenthold
     Farr
     Fincher
     Fitzpatrick
     Fleischmann
     Flores
     Forbes
     Fortenberry
     Foster
     Foxx
     Frankel (FL)
     Franks (AZ)
     Frelinghuysen
     Fudge
     Gallego
     Garamendi
     Gibbs
     Goodlatte
     Gowdy
     Graham
     Granger
     Graves (GA)
     Green, Gene
     Guthrie
     Gutieerrez
     Hanna
     Hardy
     Harper
     Hartzler
     Heck (NV)
     Heck (WA)
     Hensarling
     Herrera Beutler
     Higgins
     Hill
     Himes
     Hinojosa
     Holding
     Hoyer
     Hudson
     Huizenga (MI)
     Hultgren
     Hunter
     Hurd (TX)
     Hurt (VA)
     Israel
     Jackson Lee
     Jeffries
     Jenkins (KS)
     Jenkins (WV)
     Johnson (OH)
     Johnson, Sam
     Jolly
     Joyce
     Kaptur
     Katko

[[Page H2398]]


     Keating
     Kelly (IL)
     Kelly (PA)
     Kennedy
     Kilmer
     Kind
     King (IA)
     King (NY)
     Kinzinger (IL)
     Kirkpatrick
     Kline
     Knight
     Kuster
     LaMalfa
     Lamborn
     Lance
     Langevin
     Larsen (WA)
     Latta
     Lawrence
     Levin
     Lipinski
     LoBiondo
     Loebsack
     Long
     Love
     Lowey
     Lucas
     Luetkemeyer
     Lujan Grisham (NM)
     Lujaan, Ben Ray (NM)
     MacArthur
     Maloney, Carolyn
     Maloney, Sean
     Marchant
     Marino
     McCarthy
     McCaul
     McHenry
     McKinley
     McMorris Rodgers
     McNerney
     McSally
     Meadows
     Meehan
     Meeks
     Meng
     Messer
     Mica
     Miller (FL)
     Miller (MI)
     Moolenaar
     Moore
     Moulton
     Mullin
     Mulvaney
     Murphy (PA)
     Neal
     Neugebauer
     Newhouse
     Noem
     Norcross
     Nugent
     Nunes
     Palazzo
     Palmer
     Pascrell
     Paulsen
     Payne
     Pearce
     Pelosi
     Perlmutter
     Peters
     Peterson
     Pittenger
     Pitts
     Poliquin
     Pompeo
     Price (NC)
     Price, Tom
     Quigley
     Ratcliffe
     Reed
     Reichert
     Renacci
     Rice (NY)
     Rice (SC)
     Richmond
     Rigell
     Roby
     Roe (TN)
     Rogers (AL)
     Rogers (KY)
     Rohrabacher
     Rokita
     Rooney (FL)
     Ros-Lehtinen
     Roskam
     Ross
     Rothfus
     Rouzer
     Royce
     Ruiz
     Ruppersberger
     Russell
     Ryan (WI)
     Sanchez, Loretta
     Scalise
     Schiff
     Schrader
     Scott, Austin
     Scott, David
     Sensenbrenner
     Sessions
     Sewell (AL)
     Shimkus
     Shuster
     Simpson
     Sinema
     Sires
     Smith (MO)
     Smith (NE)
     Smith (NJ)
     Smith (TX)
     Speier
     Stefanik
     Stewart
     Stivers
     Swalwell (CA)
     Takai
     Thompson (CA)
     Thompson (MS)
     Thompson (PA)
     Thornberry
     Tiberi
     Tipton
     Titus
     Torres
     Trott
     Turner
     Upton
     Valadao
     Vargas
     Veasey
     Visclosky
     Wagner
     Walberg
     Walden
     Walker
     Walorski
     Walters, Mimi
     Weber (TX)
     Webster (FL)
     Wenstrup
     Westerman
     Westmoreland
     Whitfield
     Williams
     Wilson (FL)
     Wilson (SC)
     Wittman
     Womack
     Woodall
     Yoder
     Yoho
     Young (AK)
     Young (IA)
     Young (IN)
     Zeldin
     Zinke

                               NOES--116

     Amash
     Barton
     Bass
     Becerra
     Blumenauer
     Bonamici
     Brady (PA)
     Brat
     Bridenstine
     Buchanan
     Capps
     Capuano
     Cartwright
     Chu, Judy
     Cicilline
     Clark (MA)
     Clawson (FL)
     Cohen
     Conyers
     Courtney
     Cummings
     Davis, Danny
     DeFazio
     DeGette
     DeLauro
     DelBene
     DesJarlais
     Deutch
     Doggett
     Doyle, Michael F.
     Duncan (SC)
     Edwards
     Ellison
     Eshoo
     Esty
     Fattah
     Fleming
     Gabbard
     Garrett
     Gibson
     Gohmert
     Gosar
     Graves (LA)
     Grayson
     Green, Al
     Griffith
     Grijalva
     Grothman
     Guinta
     Hahn
     Harris
     Hice, Jody B.
     Honda
     Huelskamp
     Huffman
     Issa
     Johnson (GA)
     Johnson, E. B.
     Jones
     Jordan
     Kildee
     Labrador
     Larson (CT)
     Lee
     Lewis
     Lieu, Ted
     Lofgren
     Loudermilk
     Lowenthal
     Lummis
     Lynch
     Massie
     Matsui
     McClintock
     McCollum
     McDermott
     McGovern
     Mooney (WV)
     Nadler
     Napolitano
     Nolan
     O'Rourke
     Pallone
     Perry
     Pingree
     Pocan
     Poe (TX)
     Polis
     Posey
     Rangel
     Ribble
     Roybal-Allard
     Rush
     Ryan (OH)
     Salmon
     Saanchez, Linda T.
     Sanford
     Sarbanes
     Schakowsky
     Schweikert
     Scott (VA)
     Serrano
     Sherman
     Slaughter
     Stutzman
     Takano
     Tonko
     Tsongas
     Van Hollen
     Vela
     Velaazquez
     Walz
     Waters, Maxine
     Watson Coleman
     Welch
     Yarmuth

                             NOT VOTING--8

     Brady (TX)
     Curbelo (FL)
     Graves (MO)
     Hastings
     Murphy (FL)
     Olson
     Smith (WA)
     Wasserman Schultz

                              {time}  1642

  So the bill was passed.
  The result of the vote was announced as above recorded.
  A motion to reconsider was laid on the table.

                          ____________________