[Congressional Record Volume 158, Number 23 (Monday, February 13, 2012)]
[Pages S568-S569]


      By Mrs. FEINSTEIN (for herself and Ms. Mikulski):
  S. 2102. A bill to provide the authority to monitor and defend 
against cyber threats, to improve the sharing of cybersecurity 
information, and for other purposes; to the Committee on Homeland 
Security and Governmental Affairs.
  Mrs. FEINSTEIN. Mr. President, I rise to introduce the Cybersecurity 
Information Sharing Act of 2012, which will improve the sharing of 
cyber threat and cybersecurity information in the private sector and 
with the federal government.
  We all know that the cyber threat is perhaps the number one threat to 
our Nation at this time. It is significant that just last month, at the 
Senate Intelligence Committee's hearing on 
Worldwide Threats, the U.S. Intelligence Community's official statement 
equated cyber threats to terrorism and proliferation as the highest 
priority threats to our security.
  An unclassified report by the Intelligence Community made public in 
November 2011 said cyber intrusions against U.S. companies cost untold 
billions of dollars annually and named China and Russia as aggressive 
and persistent cyber thieves.
  One of the main obstacles to better U.S. cybersecurity is that a 
combination of existing law, the threat of litigation, and standard 
business practices prevent or deter the private sector from sharing 
information about the cyber threats they face and the losses of 
information and money they suffer.
  We know there have been multi-million dollar cyber thefts from the 
Royal Bank of Scotland, Citibank, and other financial institutions. But 
companies like these are reticent about making public these cyber 
attacks because that could further damage their bottom line.
  Even cyber security companies like RSA and national security agencies 
like the Federal Bureau of Investigation fall victim to malicious cyber 
activity, but the lessons learned from those attacks are generally not 
shared with others that face the same threat.
  Finally, cyber criminals violate our privacy by hacking into the 
computers in our homes. They steal passwords for our bank accounts, 
access our private information, and turn our computers into launching 
points for further attacks.
  These cyber intrusions affect Americans in substantial and real ways, 
and the threat is only growing. After reviewing the intelligence for 
many years on the cyber threat, it is clear to me that foreign nations 
and non-state actors are already causing major damage to our economy. I 
am also convinced that these bad actors are capable of causing 
potentially catastrophic loss of life and economic damage by opening a 
dam, crashing our financial system, or bringing down the electric grid.
  For these reasons, I am very pleased that Majority Leader Reid is 
bringing comprehensive cybersecurity legislation to the Senate Floor 
after the President's Day Recess.
  For 2 years, Leader Reid has worked with the Chairmen and Ranking 
Members of all the committees of jurisdiction on cybersecurity to 
produce this legislation, and Senators Rockefeller, Collins, Lieberman 
and Snowe in particular are to be commended for their extensive efforts 
in this area.
  As the Chairman of the Intelligence Committee, I am particularly 
interested in legislation to address the need for better information 
  The intelligence committees in the Senate and House have been working 
to improve information sharing on counterterrorism since the terrorist 
attacks of September 11. The urgency in the cyber arena is just as 
important, but is, if anything, more difficult, as we must coordinate 
and protect the sharing of information that will go to a far greater 
number of entities, both public and private.
  Unfortunately, the private sector entities that operate the critical 
networks that control financial markets, power plants, dams, and 
communications are prevented in very real ways from sharing information 
to warn each other of cyber threats. Barriers to such sharing include 
perceived financial and reputational risks; legal barriers in 
electronic surveillance laws; liability concerns that arise from 
potential lawsuits; and lack of one Federal agency in charge of cyber 
information sharing.
  The bill I am introducing today will allow for more information 
sharing by providing clear authority to share cyber threat information 
and by reducing legal barriers to private entities' ability to work 
with each other and with the federal government to share cybersecurity 
information, in a manner that upholds privacy and civil liberties.
  Participation in information sharing in this bill would be voluntary 
for companies, but any company that does share threat information will 
be protected for doing so, and the information would be subject to 
strict privacy controls.
  I also want to be very clear that this bill does not give law 
enforcement or the Intelligence Community any new authorities for 
conducting surveillance.
  In an op-ed published in the Wall Street Journal on January 27, 2012, 
former Director of National Intelligence Mike McConnell, former 
Secretary of Homeland Security Michael Chertoff, and former Deputy 
Secretary of Defense Bill Lynn said that the Intelligence Community 
needs to make cyber threat information available to other parts of the 
government and to commercial entities to maximize our cyber defenses.
  The Cybersecurity Information Sharing Act of 2012 would do just that.
  Specifically, this legislation requires the Federal government to 
designate a single focal point for cybersecurity information sharing. 
The bill refers to this focal point as a "Cybersecurity Exchange" 
because with cybersecurity, it's not enough for entities to operate as 
"centers" or "task forces" that only receive information; they must 
also serve as a hub for appropriately distributing and exchanging cyber 
threat information. The bill also requires the government to reduce 
bureaucratic obstacles to sharing so that the government can be a more 
effective partner for the private sector.
  The bill establishes procedures for the government to share 
classified cybersecurity threat information with certified private 
sector entities. Generally, only government contractors can receive a 
security clearance, but other companies, such as Internet Service 
Providers, need to receive classified threat information in order to 
protect against attacks. This bill makes them eligible to receive 
security clearances for that purpose. Those companies would be under 
the same restrictions to protect classified information as the 
  The bill removes legal and policy barriers to information sharing by 
affirmatively authorizing private sector entities to monitor and defend 
their own networks and to share cyber information.
  By creating a robust privacy compliance regime to ensure that 
information in the Federal government's hands is protected. Just as the 
Foreign Intelligence Surveillance Act, the Privacy Act, and many other 
statutes place conditions on the government's ability to use 
information it receives, this bill would limit the government's ability 
to use private sector cyber information for approved cybersecurity 
purposes only.
  And also by providing appropriate liability protections for companies 
that share cyber information under the terms of the bill. A company 
that shares threat information with a cybersecurity exchange or with 
other private sector entities is protected under this bill from 
litigation for having done so. Many companies have told us that the 
threat of litigation deters them from sharing details about cyber 
attacks they have faced. In order to assist other companies and the 
government to protect against those attacks in the future, that 
information needs to be shared and acted upon.
  I look forward to the consideration of this bill and the rest of the 
cyber legislative package that will be taken up by the Senate soon.