[Congressional Record Volume 161, Number 153 (Tuesday, October 20, 2015)]
[Senate]
[Pages S7332-S7342]
CYBERSECURITY INFORMATION SHARING ACT of 2015
Mr. McCONNELL. Mr. President, under the order of August 5, 2015, I
ask that the Chair lay before the Senate S. 754.
The PRESIDING OFFICER. Under the previous order, the Senate will
proceed to the consideration of S. 754, which the clerk will report.
The senior assistant legislative clerk read as follows:
A bill (S. 754) to improve cybersecurity in the United
States through enhanced sharing of information about
cybersecurity threats, and for other purposes.
[[Page S7333]]
The PRESIDING OFFICER. The Senator from North Carolina.
Amendment No. 2716
(Purpose: In the nature of a substitute)
Mr. BURR. Mr. President, as under the previous order, I call up the
Burr-Feinstein amendment, which is at the desk, and I ask unanimous
consent that it be reported by number.
The PRESIDING OFFICER. Without objection, the clerk will report the
amendment by number.
The senior assistant legislative clerk read as follows:
The Senator from North Carolina [Mr. Burr] proposes an
amendment numbered 2716.
(The amendment is printed in today's Record under ``Text of
Amendments.'')
Mr. BURR. Mr. President, for the information of all Senators, this
substitute includes agreed-upon language on the following amendments:
Carper, No. 2615; Carper, No. 2627; Coats, No. 2604; Flake, No. 2580;
Gardner, No. 2631; Kirk, No. 2603; Tester, No. 2632; Wyden, No. 2622,
and, I might add, a handful of amendments that have been worked out in
addition to those which were part of that unanimous consent agreement
by both the vice chair and myself.
The vice chair and I have a number of amendments to be made pending
under the previous consent order, and I ask unanimous consent that they
be called up and reported by number.
The PRESIDING OFFICER. Without objection, it is so ordered.
Amendment No. 2581, as Modified, to Amendment No. 2716
Mr. BURR. Mr. President, I call up the Cotton amendment No. 2581, as
modified, to correct the instruction line.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from North Carolina [Mr. Burr], for Mr. Cotton,
proposes an amendment numbered 2581, as modified, to
amendment No. 2716.
The amendment is as follows:
(Purpose: To exempt from the capability and process within the
Department of Homeland Security communication between a private entity
and the Federal Bureau of Investigation or the United States Secret
Service regarding cybersecurity threats)
On page 31, strike line 13 and insert the following:
authority regarding a cybersecurity threat; and
(iii) communications between a private entity and the
Federal Bureau of Investigation or the United States Secret
Service regarding a cybersecurity threat;
The PRESIDING OFFICER. The Senator from North Carolina.
Mr. BURR. Mr. President, let me add at this time that the vice
chairman and I have worked aggressively, as have our staffs, to
incorporate the suggestions and the concerns Members and companies have
raised with us. If we believed they made the legislation stronger--
stronger from the standpoint of minimizing data loss and stronger from
the standpoint of the privacy concerns--let me assure my colleagues we
have accepted those and we have incorporated them in the managers'
amendment. If, in fact, we couldn't agree or felt that it in any way
was detrimental to the legislation, the vice chair and I have agreed to
oppose those amendments.
I think it is important that this bill represent exactly what we have
sold: an information sharing bill, a bill that is voluntary.
So I would suggest to those who hear this debate and say ``I don't
really understand all this cyber stuff. I hear about it and don't
really understand it,'' let me put it in these terms. What this
legislation does is it creates a community watch program, and like any
neighborhood watch program, the spirit of what we are trying to do is
to protect the neighborhood. It doesn't mean that every resident on
every street in that community in that neighborhood is going to be a
participant, but it means that neighborhood is committed to making sure
that if crimes are happening, they are out there to stop them, to
report them, and maybe through reporting them, the number of crimes
over time will continue to decrease.
Well, I would share with you that is what we are doing with the cyber
security bill. We are out now trying to set up the framework for a
community watch program, one that is voluntary, that doesn't require
every person to participate, but it says: For those of you who can
embrace this and can report the crimes, it is not only beneficial to
you, it is beneficial to everybody.
So I respect the fact there are a few companies out there saying:
This is no good; we shouldn't have this. Really? Do you want to deny
this to everybody? There are a heck of a lot of businesses that have
made the determination that this is beneficial to their business, that
it is beneficial to their sector.
This is beneficial to the overall U.S. economy. That is what the
Senate is here to do. We are not here to pick winners and losers; we
are here to create a framework everybody can operate in that advances
the United States in the right direction.
Shortly we will have an opportunity to make pending some additional
amendments, and I encourage all Members, if your amendment is pending,
to come down and debate it. If you have additional amendments, please
come down and offer them and debate them. With the cooperation of
Members, we can process these in a matter of days and we can then send
this out of the Senate and be at a point where we could conference with
the House.
With that, I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The senior assistant legislative clerk proceeded to call the roll.
Mrs. FEINSTEIN. Madam President, I ask unanimous consent that the
order for the quorum call be rescinded.
The PRESIDING OFFICER (Ms. Ayotte). Without objection, it is so
ordered.
Amendment No. 2552, as Modified, to Amendment No. 2716
Mrs. FEINSTEIN. Madam President, I call up the Coons amendment No.
2552, as modified.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from California [Mrs. Feinstein], for Mr.
Coons, proposes an amendment numbered 2552, as modified, to
amendment No. 2716.
The amendment, as modified, is as follows:
(Purpose: To modify section 5 to require DHS to review all cyber threat
indicators and countermeasures in order to remove certain personal
information)
Beginning on page 23, strike line 3 and all that follows
through page 33, line 10 and insert the following:
(3) Requirements concerning policies and procedures.--
Consistent with the guidelines required by subsection (b),
the policies and procedures developed and promulgated under
this subsection shall--
(A) ensure that cyber threat indicators shared with the
Federal Government by any entity pursuant to section 4 that
are received through the process described in subsection (c)
of this section and that satisfy the requirements of the
guidelines developed under subsection (b)--
(i) are shared in an automated manner with all of the
appropriate Federal entities;
(ii) are not subject to any unnecessary delay,
interference, or any other action that could impede receipt
by all of the appropriate Federal entities; and
(iii) may be provided to other Federal entities;
(B) ensure that cyber threat indicators shared with the
Federal Government by any entity pursuant to section 4 in a
manner other than the process described in subsection (c) of
this section--
(i) are shared as quickly as operationally practicable with
all of the appropriate Federal entities;
(ii) are not subject to any unnecessary delay,
interference, or any other action that could impede receipt
by all of the appropriate Federal entities; and
(iii) may be provided to other Federal entities;
(C) consistent with this Act, any other applicable
provisions of law, and the fair information practice
principles set forth in appendix A of the document entitled
``National Strategy for Trusted Identities in Cyberspace''
and published by the President in April 2011, govern the
retention, use, and dissemination by the Federal Government
of cyber threat indicators shared with the Federal Government
under this Act, including the extent, if any, to which such
cyber threat indicators may be used by the Federal
Government; and
(D) ensure there is--
(i) an audit capability; and
(ii) appropriate sanctions in place for officers,
employees, or agents of a Federal entity who knowingly and
willfully conduct activities under this Act in an
unauthorized manner.
(4) Guidelines for entities sharing cyber threat indicators
with federal government.--
[[Page S7334]]
(A) In general.--Not later than 60 days after the date of
the enactment of this Act, the Attorney General shall develop
and make publicly available guidance to assist entities and
promote sharing of cyber threat indicators with Federal
entities under this Act.
(B) Contents.--The guidelines developed and made publicly
available under subparagraph (A) shall include guidance on
the following:
(i) Identification of types of information that would
qualify as a cyber threat indicator under this Act that would
be unlikely to include personal information of or identifying
a specific person not necessary to describe or identify a
cyber security threat.
(ii) Identification of types of information protected under
otherwise applicable privacy laws that are unlikely to be
necessary to describe or identify a cybersecurity threat.
(iii) Such other matters as the Attorney General considers
appropriate for entities sharing cyber threat indicators with
Federal entities under this Act.
(b) Privacy and Civil Liberties.--
(1) Guidelines of attorney general.--Not later than 60 days
after the date of the enactment of this Act, the Attorney
General shall, in coordination with heads of the appropriate
Federal entities and in consultation with officers designated
under section 1062 of the National Security Intelligence
Reform Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to
Congress, and make available to the public interim guidelines
relating to privacy and civil liberties which shall govern
the receipt, retention, use, and dissemination of cyber
threat indicators by a Federal entity obtained in connection
with activities authorized in this Act.
(2) Final guidelines.--
(A) In general.--Not later than 180 days after the date of
the enactment of this Act, the Attorney General shall, in
coordination with heads of the appropriate Federal entities
and in consultation with officers designated under section
1062 of the National Security Intelligence Reform Act of 2004
(42 U.S.C. 2000ee-1) and such private entities with industry
expertise as the Attorney General considers relevant,
promulgate final guidelines relating to privacy and civil
liberties which shall govern the receipt, retention, use, and
dissemination of cyber threat indicators by a Federal entity
obtained in connection with activities authorized in this
Act.
(B) Periodic review.--The Attorney General shall, in
coordination with heads of the appropriate Federal entities
and in consultation with officers and private entities
described in subparagraph (A), periodically review the
guidelines promulgated under subparagraph (A).
(3) Content.--The guidelines required by paragraphs (1) and
(2) shall, consistent with the need to protect information
systems from cybersecurity threats and mitigate cybersecurity
threats--
(A) limit the impact on privacy and civil liberties of
activities by the Federal Government under this Act;
(B) limit the receipt, retention, use, and dissemination of
cyber threat indicators containing personal information of or
identifying specific persons, including by establishing--
(i) a process for the timely destruction of such
information that is known not to be directly related to uses
authorized under this Act; and
(ii) specific limitations on the length of any period in
which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat
indicators containing personal information of or identifying
specific persons from unauthorized access or acquisition,
including appropriate sanctions for activities by officers,
employees, or agents of the Federal Government in
contravention of such guidelines;
(D) include procedures for notifying entities and Federal
entities if information received pursuant to this section is
known or determined by a Federal entity receiving such
information not to constitute a cyber threat indicator;
(E) protect the confidentiality of cyber threat indicators
containing personal information of or identifying specific
persons to the greatest extent practicable and require
recipients to be informed that such indicators may only be
used for purposes authorized under this Act; and
(F) include steps that may be needed so that dissemination
of cyber threat indicators is consistent with the protection
of classified and other sensitive national security
information.
(c) Capability and Process Within the Department of
Homeland Security.--
(1) In general.--Not later than 90 days after the date of
the enactment of this Act, the Secretary of Homeland
Security, in coordination with the heads of the appropriate
Federal entities, shall develop and implement a capability
and process within the Department of Homeland Security that--
(A) shall accept from any entity in real time cyber threat
indicators and defensive measures, pursuant to this section;
(B) shall, upon submittal of the certification under
paragraph (2) that such capability and process fully and
effectively operates as described in such paragraph, be the
process by which the Federal Government receives cyber threat
indicators and defensive measures under this Act that are
shared by a private entity with the Federal Government
through electronic mail or media, an interactive form on an
Internet website, or a real time, automated process between
information systems except--
(i) communications between a Federal entity and a private
entity regarding a previously shared cyber threat indicator;
and
(ii) communications by a regulated entity with such
entity's Federal regulatory authority regarding a
cybersecurity threat;
(C) shall require the Department of Homeland Security to
review all cyber threat indicators and defensive measures
received and remove any personal information of or
identifying a specific person not necessary to identify or
describe the cybersecurity threat before sharing such
indicator or defensive measure with appropriate Federal
entities;
(D) ensures that all of the appropriate Federal entities
receive in an automated manner such cyber threat indicators
as quickly as operationally possible from the Department of
Homeland Security;
(E) is in compliance with the policies, procedures, and
guidelines required by this section; and
(F) does not limit or prohibit otherwise lawful disclosures
of communications, records, or other information, including--
(i) reporting of known or suspected criminal activity, by
an entity to any other entity or a Federal entity;
(ii) voluntary or legally compelled participation in a
Federal investigation; and
(iii) providing cyber threat indicators or defensive
measures as part of a statutory or authorized contractual
requirement.
(2) Certification.--Not later than 10 days prior to the
implementation of the capability and process required by
paragraph (1), the Secretary of Homeland Security shall, in
consultation with the heads of the appropriate Federal
entities, certify to Congress whether such capability and
process fully and effectively operates--
(A) as the process by which the Federal Government receives
from any entity a cyber threat indicator or defensive measure
under this Act; and
(B) in accordance with the policies, procedures, and
guidelines developed under this section.
(3) Public notice and access.--The Secretary of Homeland
Security shall ensure there is public notice of, and access
to, the capability and process developed and implemented
under paragraph (1) so that--
(A) any entity may share cyber threat indicators and
defensive measures through such process with the Federal
Government; and
(B) all of the appropriate Federal entities receive such
cyber threat indicators and defensive measures as quickly as
operationally practicable with receipt through the process
within the Department of Homeland Security.
The PRESIDING OFFICER. The Senator from North Carolina.
Amendment No. 2582 to Amendment No. 2716
Mr. BURR. Madam President, I call up the Flake amendment No. 2582.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from North Carolina [Mr. Burr], for Mr. Flake,
proposes an amendment numbered 2582 to amendment No. 2716.
The amendment is as follows:
(Purpose: To terminate the provisions of the Act after six years)
At the end, add the following:
SEC. 11. EFFECTIVE PERIOD.
(a) In General.--Except as provided in subsection (b), this
Act and the amendments made by this Act shall be in effect
during the 6-year period beginning on the date of the
enactment of this Act.
(b) Exception.--With respect to any action authorized by
this Act or information obtained pursuant to an action
authorized by this Act, which occurred before the date on
which the provisions referred to in subsection (a) cease to
have effect, the provisions of this Act shall continue in
effect.
The PRESIDING OFFICER. The Senator from California.
Amendment No. 2612, as Modified, to Amendment No. 2716
Mrs. FEINSTEIN. Madam President, I call up the Franken amendment No.
2612, as modified.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from California [Mrs. Feinstein], for Mr.
Franken, proposes an amendment numbered 2612, as modified, to
amendment No. 2716.
The amendment, as modified, is as follows:
(Purpose: To improve the definitions of cybersecurity threat and cyber
threat indicator)
Beginning on page 4, strike line 12 and all that follows
through page 5, line 21, and insert the following:
system that is reasonably likely to result in an unauthorized
effort to adversely impact the security, availability,
confidentiality, or integrity of an information system or
information that is stored on, processed by, or transiting an
information system.
(B) Exclusion.--The term ``cybersecurity threat'' does not
include any action that
[[Page S7335]]
solely involves a violation of a consumer term of service or
a consumer licensing agreement.
(6) Cyber threat indicator.--The term ``cyber threat
indicator'' means information that is necessary to describe
or identify--
(A) malicious reconnaissance, including anomalous patterns
of communications that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat or security vulnerability;
(B) a method of defeating a security control or
exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity
that appears to indicate the existence of a security
vulnerability;
(D) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
unwittingly enable the defeat of a security control or
exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the harm caused by an incident, including a description
of the information exfiltrated as a result of a particular
cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if
disclosure of such information is not otherwise prohibited by
law; or
The PRESIDING OFFICER. The Senator from North Carolina.
Amendment No. 2548, as Modified, to Amendment No. 2716
Mr. BURR. Madam President, I call up the Heller amendment No. 2548,
as modified, to correct the instruction line.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from North Carolina [Mr. Burr], for Mr. Heller,
proposes an amendment numbered 2548, as modified, to
amendment No. 2716.
The amendment, as modified, is as follows:
(Purpose: To protect information that is reasonably believed to be
personal information or information that identifies a specific person)
On page 12, line 19, strike ``knows'' and insert
``reasonably believes''.
The PRESIDING OFFICER. The Senator from California.
Amendment No. 2587, as Modified, to Amendment No. 2716
Mrs. FEINSTEIN. Madam President, I call up the Leahy amendment No.
2587, as modified.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from California [Mrs. Feinstein], for Mr.
Leahy, proposes an amendment numbered 2587, as modified, to
amendment No. 2716.
The amendment, as modified, is as follows:
(Purpose: To strike the FOIA exemption)
Beginning on page 35, strike line 1 and all that follows
through page 35, line 13.
The PRESIDING OFFICER. The Senator from North Carolina.
Amendment No. 2564, as Modified, to Amendment No. 2716
Mr. BURR. Madam President, I call up the Paul amendment No. 2564, as
modified, to correct the instruction line.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from North Carolina [Mr. Burr], for Mr. Paul,
proposes an amendment numbered 2564, as modified, to
amendment No. 2716.
The amendment, as modified, is as follows:
(Purpose: To prohibit liability immunity to applying to private
entities that break user or privacy agreements with customers)
On page 40, after line 24, insert the following:
(d) Exception.--This section shall not apply to any private
entity that, in the course of monitoring information under
section 4(a) or sharing information under section 4(c),
breaks a user agreement or privacy agreement with a customer
of the private entity.
The PRESIDING OFFICER. The Senator from California.
Amendment No. 2557 to Amendment No. 2716
Mrs. FEINSTEIN. Madam President, I call up the Mikulski amendment No.
2557.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from California [Mrs. Feinstein], for Ms.
Mikulski, proposes an amendment numbered 2557 to amendment
No. 2716.
The amendment is as follows:
(Purpose: To provide amounts necessary for accelerated cybersecurity in
response to data breaches)
At the appropriate place, insert the following:
SEC. ___. FUNDING.
(a) In General.--Effective on the date of enactment of this
Act, there is appropriated, out of any money in the Treasury
not otherwise appropriated, for the fiscal year ending
September 30, 2015, an additional amount for the
appropriations account appropriated under the heading
``salaries and expenses'' under the heading ``Office of
Personnel Management'', $37,000,000, to remain available
until September 30, 2017, for accelerated cybersecurity in
response to data breaches.
(b) Emergency Designation.--The amount appropriated under
subsection (a) is designated by the Congress as an emergency
requirement pursuant to section 251(b)(2)(A)(i) of the
Balanced Budget and Emergency Deficit Control Act of 1985,
and shall be available only if the President subsequently so
designates such amount and transmits such designation to the
Congress.
Amendment No. 2626 to Amendment No. 2716
Mrs. FEINSTEIN. Madam President, I call up the Whitehouse amendment
No. 2626.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from California [Mrs. Feinstein], for Mr.
Whitehouse, proposes an amendment numbered 2626 to amendment
No. 2716.
The amendment is as follows:
(Purpose: To amend title 18, United States Code, to protect Americans
from cybercrime)
At the end, add the following:
SEC. __. STOPPING THE SALE OF AMERICANS' FINANCIAL
INFORMATION.
Section 1029(h) of title 18, United States Code, is amended
by striking ``if--'' and all that follows through
``therefrom.'' and inserting ``if the offense involves an
access device issued, owned, managed, or controlled by a
financial institution, account issuer, credit card system
member, or other entity organized under the laws of the
United States, or any State, the District of Columbia, or
other Territory of the United States.''.
SEC. __. SHUTTING DOWN BOTNETS.
(a) Amendment.--Section 1345 of title 18, United States
Code, is amended--
(1) in the heading, by inserting ``and abuse'' after
``fraud'';
(2) in subsection (a)--
(A) in paragraph (1)--
(i) in subparagraph (B), by striking ``or'' at the end;
(ii) in subparagraph (C), by inserting ``or'' after the
semicolon; and
(iii) by inserting after subparagraph (C) the following:
``(D) violating or about to violate paragraph (1), (4),
(5), or (7) of section 1030(a) where such conduct would
affect 100 or more protected computers (as defined in section
1030) during any 1-year period, including by denying access
to or operation of the computers, installing malicious
software on the computers, or using the computers without
authorization;''; and
(B) in paragraph (2), by inserting ``, a violation
described in subsection (a)(1)(D),'' before ``or a Federal'';
and
(3) by adding at the end the following:
``(c) A restraining order, prohibition, or other action
described in subsection (b), if issued in circumstances
described in subsection (a)(1)(D), may, upon application of
the Attorney General--
``(1) specify that no cause of action shall lie in any
court against a person for complying with the restraining
order, prohibition, or other action; and
``(2) provide that the United States shall pay to such
person a fee for reimbursement for such costs as are
reasonably necessary and which have been directly incurred in
complying with the restraining order, prohibition, or other
action.''.
(b) Technical and Conforming Amendment.--The table of
section for chapter 63 is amended by striking the item
relating to section 1345 and inserting the following:
``1345. Injunctions against fraud and abuse.''.
SEC. __. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE
COMPUTER.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer, if such damage results in (or, in the case of an
attempted offense, would, if completed have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with such
computer.
``(b) Penalty.--Any person who violates subsection (a)
shall, in addition to the term of punishment provided for the
felony violation of section 1030, be fined under this title,
imprisoned for not more than 20 years, or both.
``(c) Consecutive Sentence.--Notwithstanding any other
provision of law--
[[Page S7336]]
``(1) a court shall not place any person convicted of a
violation of this section on probation;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any term of imprisonment imposed on the
person under any other provision of law, including any term
of imprisonment imposed for the felony violation of section
1030;
``(3) in determining any term of imprisonment to be imposed
for the felony violation of section 1030, a court shall not
in any way reduce the term to be imposed for such violation
to compensate for, or otherwise take into account, any
separate term of imprisonment imposed or to be imposed for a
violation of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, if such discretion shall be exercised in
accordance with any applicable guidelines and policy
statements issued by the United States Sentencing Commission
pursuant to section 994 of title 28.
``(d) Definitions.--In this section
``(1) the terms `computer' and `damage' have the meanings
given the terms in section 1030; and
``(2) the term `critical infrastructure' has the meaning
given the term in section 1016(e) of the USA PATRIOT Act (42
U.S.C. 5195c(e)).''.
(b) Table of Sections.--The table of sections for chapter
47 of title 18, United States Code, is amended by inserting
after the item relating to section 1030 the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. __. STOPPING TRAFFICKING IN BOTNETS.
(a) In General.--Section 1030 of title 18, United States
Code, is amended--
(1) in subsection (a), by striking paragraph (6) and
inserting the following:
``(6) knowing such conduct to be wrongful, intentionally
traffics in any password or similar information, or any other
means of access, further knowing or having reason to know
that a protected computer would be accessed or damaged
without authorization in a manner prohibited by this section
as the result of such trafficking;'';
(2) in subsection (c)--
(A) in paragraph (2), by striking ``, (a)(3), or (a)(6)''
each place it appears and inserting ``or (a)(3)''; and
(B) in paragraph (4)--
(i) in subparagraph (C)(i), by striking ``or an attempt to
commit an offense''; and
(ii) in subparagraph (D), by striking clause (ii) and
inserting the following:
``(ii) an offense, or an attempt to commit an offense,
under subsection (a)(6);''; and
(3) in subsection (g), in the first sentence, by inserting
``, except for a violation of subsection (a)(6),'' after ``of
this section''.
Amendment No. 2621, as Modified, to Amendment No. 2716
Mrs. FEINSTEIN. Madam President, I call up the Wyden amendment No.
2621, as modified.
The PRESIDING OFFICER. The clerk will report the amendment by number.
The bill clerk read as follows:
The Senator from California [Mrs. Feinstein], for Mr.
Wyden, proposes an amendment numbered 2621, as modified, to
amendment No. 2716.
The amendment, as modified, is as follows:
(Purpose: To improve the requirements relating to removal of personal
information from cyber threat indicators before sharing)
On page 17, strike lines 9 through 22 and insert the
following:
(A) review such cyber threat indicator and remove, to the
extent feasible, any personal information of or identifying a
specific individual that is not necessary to describe or
identity a cybersecurity threat; or
(B) implement and utilize a technical capability configured
to remove, to the extent feasible, any personal information
of or identifying a specific individual contained within such
indicator that is not necessary to describe or identify a
cybersecurity threat.
The PRESIDING OFFICER. The Senator from North Carolina.
Mr. BURR. Madam President, as the vice chair and I have said numerous
times this afternoon, nothing would make us happier than for Members to
come to the floor. We have amendments pending. We have a managers'
amendment. Everybody knows exactly what is in this bill. Let's start
the debate. Let's vote on amendments. Let's end this process in a
matter of days. We are prepared to vote on every amendment.
So at this time, I ask unanimous consent that on Thursday, October
22, at 11 a.m., the Senate vote on the pending amendments to the Burr-
Feinstein substitute to S. 754, with a 60-vote threshold for those
amendments that are not germane; and that following the disposition of
the amendments, the substitute, as amended, if amended, be agreed to,
the bill, as amended, be read a third time, and the Senate vote on
passage with a 60-vote threshold for passage.
The PRESIDING OFFICER. Is there objection?
Mr. WYDEN. Reserving the right to object.
The PRESIDING OFFICER. The Senator from Oregon.
Mr. WYDEN. Madam President, I certainly support most of the
amendments that were just described. However, I am especially troubled
about amendment No. 2626, which would significantly expand a badly
outdated Computer Fraud and Abuse Act. I have sought to modernize the
Computer Fraud and Abuse Act, and I believe that amendment No. 2626
would take that law--the Computer Fraud and Abuse Act--in the wrong
direction. I would object to any unanimous consent request that
includes that amendment. Therefore, I object to this request.
The PRESIDING OFFICER. Objection is heard.
The Senator from North Carolina.
Mr. BURR. Madam President, the Senate functions best when Members are
free to come to the floor and offer amendments, debate the amendments,
and have a vote on the amendments. I might even share Senator Wyden's
concerns about that particular piece of legislation. I am not sure. It
is a judiciary issue. The vice chair is on the Judiciary Committee. It
is an amendment that we were not able to pass in the managers'
amendment. But as the vice chair and I said at the beginning of this
process, we would like the Senate to function like it is designed,
where every Member feels invested, and if they have a great idea, come
down, introduce it as an amendment, debate it, and let your colleagues
vote up or down against it. If we can't move forward with a process
like that, then it is difficult to see how in a reasonable amount of
time we are going to complete this agenda.
So I would only urge my colleague from Oregon that there is nothing
to be scared about. This is a process we will go through, and a
nongermane amendment, which I think this would be listed as--I look for
my staff. It would be a nongermane amendment--requiring 60 votes, a
threshold that the Senate designed to pass practically anything.
So I urge him to reconsider at some point, and I will make a similar
unanimous consent request once he has had an opportunity to think about
it. But also, we will work to see if in fact that amendment might be
modified in a way that might make it a little more acceptable for the
debate and for colleagues to vote on it.
With that, I yield the floor.
The PRESIDING OFFICER. The Senator from Utah.
Mr. HATCH. Madam President, as the Senate turns its focus to
legislation related to the critical issue of our Nation's cyber
security and in the light of Chinese President Xi Jinping's state visit
last month, I would like to reflect on America's security in cyber
space.
As the global economy becomes increasingly dependent on the Internet,
the exponential increase in the number and scale of cyber attacks and
cyber thefts are straining our relationship with international trading
partners throughout the world. This is especially true for our
important trade relationship with China. This year alone, the United
States has experienced some of the largest cyber attacks in our
Nation's history--many of which are believed to have been perpetrated
by the Chinese. Just last February, hackers breached the customer
records of the health insurance company Anthem Blue Cross Blue Shield.
Many news sources reported that China was responsible for the attack.
This cyber attack resulted in the theft of approximately 80 million
customers' personally identifiable information, including Social
Security numbers and information that can be used for identity theft.
In the early summer, cyber criminals also hacked United Airlines,
compromising manifest data that detailed the movement of millions of
Americans. According to the news media, China was again believed to
have been responsible.
But the most devastating cyber attack this year was on the U.S.
Government's Office of Personnel Management. This past June, sources
report that the OPM data breach, considered the worst cyber intrusion
ever perpetrated against the U.S. Government,
[[Page S7337]]
affected about 21.5 million Federal employees and contractors. Hackers
successfully accessed sensitive personal information, including
security clearance files, Social Security numbers, and information
about employees' contacts and families. Again, China was the suspected
culprit.
Most troubling, the OPM breach included over 19.7 million background
investigation records for cleared U.S. Government employees. The
exposure of this highly sensitive information not only puts our
national security at risk but also raises concern that foreign
governments may be keeping detailed databases on Federal workers and
their associations.
I was pleased during the Chinese President's visit to Washington last
month that President Obama expressed his ``very serious concerns about
growing cyber threats'' and stated that the cyber theft of intellectual
property and commercial trade secrets ``has to stop.'' President Obama
and President Xi Jinping came to an agreement not to ``conduct or
knowingly support'' cyber theft of intellectual property or commercial
trade secrets.
Even so, Director of Intelligence James Clapper expressed doubts
about the agreement in a hearing before the Senate Armed Services
Committee last week. When Chairman McCain asked Mr. Clapper if he was
optimistic about the deal, he told members of the committee he was not.
I add my skepticism of this agreement to the growing chorus of
lawmakers, military leaders, and intelligence community personnel who
have voiced similar concerns.
As Admiral Rogers, head of the National Security Agency and U.S.
Cyber Command, has said, ``China is the biggest proponent of
cyberattacks being waged against the U.S.'' We must do more to defend
ourselves against this growing threat. Unfortunately, I have been
disappointed in this administration's inability to protect our Federal
computer systems from cyber intrusions and to hold criminals
accountable for their participation in cyber attacks committed against
the United States. Sadly, the cyber threats facing our Nation are not
limited to China. Investigators believe Russia, North Korea, Iran, and
several other nations have also launched cyber attacks against our
government, U.S. citizens, and of course companies. These attacks are
increasing both in severity and in number.
In April, Russian hackers accessed White House networks containing
sensitive information, including emails sent and received by the
President himself.
In May, hackers breached IRS servers to gain access to 330,000
American taxpayers' tax returns. That same month a fraudulent stock
trader manipulated U.S. markets, costing the stock exchange an
estimated $1 trillion in just 36 minutes. In July, it was reported that
a Russian spear phishing attack shut down the Joint Chiefs of Staff
email system for 11 days. Just 1 month ago, hackers stole the personal
data of 15 million T-Mobile customers by breaching Experian, the
company that processes credit checks for prospective customers. This
stolen data includes names, birth dates, addresses, Social Security
numbers, and credit card information.
These breaches have a serious and real cost for the victims.
According to the Federal Trade Commission, the average identity fraud
victim in 2012 incurred an average of $365 in losses. Incredibly, all
of these high-profile breaches have occurred this year, making 2015
perhaps the worst year ever in terms of attacks on our national cyber
security.
Prior to 2015, we also saw several high-profile breaches at large
American corporations, including Target, Home Depot, Sony, and others.
Our lack of effective cyber security policies and procedures threatens
the safety of our people, the strength of our national defense, and the
future of our economy. We must be more vigilant in reinforcing our
cyber infrastructure to better defend ourselves against these attacks.
In doing so, Congress must create a deterrent for those who seek to
commit cyber attacks against our Nation. Our adversaries must know they
will suffer dire consequences if they attack the United States. Finding
a solution to this critical problem must be an urgent priority for the
Senate.
I agree with Leader McConnell that we must move forward in the Senate
with legislation to improve our Nation's cyber security practices and
policies. I am supportive of the objectives outlined in Chairman Burr
and Vice Chairperson Feinstein's bipartisan Cybersecurity Information
Sharing Act, CISA.
I was pleased to see the Senate Select Committee on Intelligence pass
the Burr-Feinstein CISA bill out of the committee by an overwhelming
bipartisan vote of 14 to 1. This important legislation incentivizes and
authorizes private sector companies to voluntarily share cyber threat
information in real time that can be useful in detecting cyber attacks
and in preventing future cyber intrusions.
I also commend Chairman Burr and Vice Chairman Feinstein's efforts to
include provisions in CISA to protect personal privacy, including a
measure that prevents a user's personally identifiable information from
being shared with government agencies. Additionally, CISA sets limits
on information that can be collected or monitored by allowing
information to be used only for cyber security purposes.
As the American economy grows ever more dependent on the Internet, I
believe CISA represents an important first step in protecting our
Nation's critical infrastructure from the devastating impact of cyber
attacks. Congress must do more to adequately protect and secure
America's presence in cyber space.
In light of recent revelations highlighting our Federal Government's
inability to adequately protect and secure classified data and other
sensitive information, I joined Senator Carper, the ranking member of
the Homeland Security and Governmental Affairs Committee, in
introducing the Federal Computer Security Act.
The Hatch-Carper bill shines light on whether our Federal Government
is using the most up-to-date cyber security practices and software to
protect Federal computer systems and databases from both external cyber
attackers and insider threats. Specifically, this legislation requires
Federal agency inspectors general to report to Congress on the security
practices and software used to safeguard classified and personally
identifiable information on Federal computer systems themselves.
This bill also requires each Federal agency to submit a report to
each respective congressional committee with oversight jurisdiction
describing in detail to each committee which security access controls
the agency is implementing to protect unauthorized access to classified
and sensitive, personally identifiable information on government
computers.
Requiring an accounting of each Federal agency's security practices,
software, and technology is a logical first step in bolstering our
Nation's cyber infrastructure. These reports will guide Congress in
crafting legislation to prevent future large-scale data breaches and
ensure that unauthorized users are not able to access classified and
sensitive information.
Agencies should be employing multifactor authentication policies and
should be implementing software to detect and monitor cyber security
threats. They should also be using the most up-to-date technology and
security controls. The future of our Nation's cyber security starts
with our Federal Government practicing good cyber hygiene. In
strengthening our security infrastructure, the Federal Government
should be accountable to the American people, especially when cyber
attacks affect millions of taxpayers.
I have heard from many constituents who have expressed concerns about
the state of America's cyber security. I am honored to represent a
State that is an emerging center of technological advancement and
innovation, with the growing hub of computer companies expanding across
a metropolitan area known as Silicon Slopes. The people of Utah
recognize that our Nation's future depends on America's ability to
compete in the digital area. They understand we must create effective
cyber security policies so we can continue to lead the world in
innovation and technology advancement.
I am pleased to announce that an amended version of the Federal
Computer Security Act is included in Chairman Burr and Vice Chairman
[[Page S7338]]
Feinstein's managers' package. I wish to express my appreciation to
both the chairman and vice chairman for their willingness to work with
me in fine-tuning this legislation. I appreciate it. I wish to also
thank Chairman Ron Johnson and Ranking Member Tom Carper of the
Homeland Security and Governmental Affairs Committee for their efforts
in this endeavor as well.
In addition to broad bipartisan support in the Senate, the Federal
Computer Security Act enjoys support from key industry stakeholders.
Some of our Nation's largest computer security firms support the bill,
including Symantec, Adobe, and CA Technologies. Several industry groups
have also voiced their support, including the Business Software
Alliance and the IT Alliance for the Public Sector.
I commend Intelligence Committee Chairman Burr and Vice Chairman
Feinstein for their leadership in managing this critical cyber security
legislation. As Leader McConnell works to restore the Senate to its
proper function, I am grateful we have been able to consider this
legislation in an open and transparent fashion. By reinstating the open
amendment process, we have not only been able to vote on dozens of
amendments this year, we have been able to refine legislation through
robust consideration and debate. I think we voted on approximately 160-
plus amendments so far this year, and they are about evenly split
between Democrats and Republicans.
With the renewal of longstanding Senate practices, we are passing
meaningful laws that will better serve the needs of the American
people. May we build on the foundation of success as we work to improve
this critically important Cybersecurity Information Sharing Act.
I wish to again thank the distinguished leaders of this Intelligence
Committee. Having served 18 years on the Intelligence Committee, I
really appreciate the work that both of them have done, especially on
this bill, and I look forward to its passage.
With that, I yield the floor.
The PRESIDING OFFICER. The Senator from California.
Mrs. FEINSTEIN. Madam President, I thank the distinguished Senator
from Utah for his words. They are much appreciated, as is his
friendship as well. I think he knows that. I believe the chairman feels
certainly as strongly if not more strongly than I do.
I rose to be able to make a brief statement about the sanctuary bill
as in morning business, if that is possible.
The PRESIDING OFFICER. Without objection, it is so ordered.
Stop Sanctuary Policies and Protect Americans Bill
Mrs. FEINSTEIN. Madam President, I voted against Senator Vitter's
bill. I believe it goes much too far. My longer statement is in the
Record, but I want to respond to some of what I heard today. I do
believe we should ensure that there is a notification prior to release
of a dangerous individual with a criminal record, just as Senator
Schumer said on this floor. I do believe we could take a narrow action
to do just that. We could focus on dangerous individuals and not on all
undocumented immigrants who happen to be taken into State or local
custody. We could require notification without threatening vital law
enforcement and local government funding, as Senator Vitter's bill
does.
I had an amendment prepared for the Judiciary Committee's
consideration when the committee had scheduled the bill for markup over
a series of weeks, but the committee canceled its markup, so we were on
the floor today with a bill that has never been heard in full by the
Judiciary Committee.
Senator Vitter's bill includes a notification requirement and a
detention requirement. It is not limited to those who are dangerous or
have particular criminal records. It would cover a farmworker who was
detained for a broken taillight or a mother who was detained for
similar reasons, taking her away from her children. This is a standard
that could be abused in another administration, and it is potentially a
huge unfunded mandate to impose on States and localities.
The bill would also impose lengthy criminal sentences at the Federal
level for individuals coming across the border to see their families or
to perform work that is vital to the economy of California and the
Nation. For example, in California, virtually the majority, if not all,
of the farmworkers are undocumented. It happens to be a fact. It is why
the agriculture jobs bill was part of the immigration reform act which
was before this body and passed this body and went to the House and had
no action.
Although Members on the other side state that this bill has support
among law enforcement, I will note that the Major Cities Chiefs
Association, the Major County Sheriffs' Association, the Fraternal
Order of Police, the United States Conference of Mayors, and the
National League of Cities are opposed to this bill or have submitted
letters opposing threats to Federal law enforcement funding over this
issue.
So, bottom line, I do believe we should do something about the
circumstance that led to the tragic murder of Kate Steinle, which
occurred in my city and State, and the tragic murder of Marilyn Pharis,
which happened in the middle part of my State. I will support a
reasonable effort to do just that, but this is not a targeted effort.
It is too broad, and so I opposed it. My full statement is in the
Record, but because it was spoken about on the floor, I did want to add
these words.
I thank the Presiding Officer, and I yield the floor.
The PRESIDING OFFICER. The Senator from North Carolina.
Mr. BURR. Madam President, moving back to cyber security, we now have
S. 754 before the Senate, and we have a managers' package that is
pending. We have a number of amendments that have been accepted and
incorporated in the managers' package. We have several amendments that
we could not reach agreement on, but those Members have the opportunity
to come to the Senate floor. The amendments are already pending. They
can debate those amendments, and they can have a vote on their
amendment. For Members who might just now be engaging or who have had
an opportunity to further read the bill, there are still present
opportunities to offer perfecting amendments.
Let me suggest to my colleagues that when the vice chairman and I
started down this road, we knew we couldn't reach unanimous consent of
every company in the country and every Member of Congress. It was our
goal, and I think we are pretty close to it when we look at the
numbers. But there will be companies that object to this bill for some
reason that I might not recognize.
The vice chairman has said this and I have said it and I want to
reiterate it another time: This bill is voluntary. It does not require
any company in America to participate in this. It does not require any
entity to turn over information to the Federal Government for purposes
of the Federal Government partnering with that company to determine who
hacked their system, who penetrated, and who exfiltrated personal data.
If a company has made the determination that they don't want to support
this bill for whatever reason, I am resigned to the fact that that is a
debate between their customers and themselves. It is, in fact, their
customers that have to question the actions of the company.
I can confidently tell my colleagues that Senator Feinstein and I
have done everything to make sure there is wholesome participation by
companies on a voluntary basis. We see tremendous value in those parts
of our government that are experts at processing attacks like this to
be able to identify who did it and what tools were used but, more
importantly, what software defensive mechanism we can put on our
systems to limit any additional exfiltration of data and, more broadly,
to the rest of the business community say: Here is an attack that is in
progress. Here is the tool they are using. Here is how you defend your
data.
Now, we leave open, if we pass it, that there may be a company that
decides they don't support this legislation. They can still participate
in this program. Do we think if they get a call from the Department of
Homeland Security or from the National Security Agency saying ``Here is
an attack that is happening; here is the tool they are using,'' they
are going to look at their system and say ``Is it in our system?'' They
get the benefit of still participating and partnering with the Federal
Government, even though they didn't support the legislation.
[[Page S7339]]
I know over the next day or so the vice chairman and I will
concentrate on sharing with Members what is actually in the managers'
package. We don't leave it up to staff just to cover it.
Let me just briefly share 15 points that I would make about the
managers' package.
No. 1, it eliminates the government's uses for noncyber crimes; in
other words, a removal of the serious violent felonies.
No. 2, it limits the authorizations to share cyber threat information
for cyber security purposes, period.
No. 3, it eliminates new FOIA exemptions. In other words, everybody
is under the same FOIA regulations that existed prior to this
legislation being enacted.
No. 4, it ensures defensive measures are properly limited. We can't
get wild and put these things in places that government shouldn't be,
regardless of what the threat is.
No. 5, it includes the Secretary of Homeland Security as coauthor--
coauthor--of government-sharing guidelines. I think this is an
incredibly important part. The individual who is in charge of Homeland
Security, that Secretary, is actively involved in the guidelines that
are written.
No. 6, it clarifies exceptions to the DHS portal entry point for the
transfer of information.
No. 7, it adds a requirement that the procedures for government
sharing include procedures for notifying U.S. persons whose personal
information is known to have been shared in violation--in violation--of
this act. In other words, if a company mistakenly transmits
information, the government is required to notify that individual. But,
additionally, the government is statutorily required not to disseminate
that information to any other Federal agency once it comes in and is
identified.
No. 8, it clarifies the real-time automated process for sharing
through that DHS portal.
No. 9, it clarifies that private entities are not required to share
information with the Federal Government or another private entity.
No. 10, it adds a Federal cyber security enhancement title.
No. 11, it adds a study on mobile device security.
No. 12, it adds a requirement for the Secretary of State to produce
an international cyber space policy strategy.
No. 13, it adds a reporting provision concerning the apprehension and
prosecution of international cyber criminals.
No. 14, it improves the contents of the biannual report on CISA's
implementation. My colleagues might remember, as some have raised
issues on this, they have said: Why are there not more reports? There
are biannual reports on the implementation and how it is done.
No. 15, and last, is additional technical and conforming edits.
Now, we didn't get into detail. We will get into detail later, but I
say that because if that has in any way triggered with somebody who
felt they were opposed to the bill because of something they were told
was in it, maybe it was covered by one of those 15 things that I just
talked about. They are things that were brought to the attention of the
vice chairman and me, and we sat down and looked at it. If we didn't
feel as though it changed the intent of the bill--and we have always
erred on the side of protecting personal data, of not letting this
legislation extend outside of what it was intended to do. Where we have
drawn the line is when we believed that the effort was to thwart the
effectiveness of this legislation.
I will remind my colleagues one last time: This legislation does not
prevent cyber attacks. This legislation is designed to minimize the
loss of the personal data of the customers of the companies that are
penetrated by these cyber actors.
As we stand here today, we have had some rather significant breaches
within the United States. I remind my colleagues that just today it was
proposed that a high school student has hacked the unclassified
accounts, the personal email, of the Secretary of the Department of
Homeland Security and the Director of the CIA. Is there anybody who
really thinks that this is going to go away because we are having a
debate in the Senate and in the Congress of the United States, that the
people who commit these acts and go without any identification are
going to quit? No. It is going to become more rampant and more rampant
and more rampant. From the standpoint of 2 of 15 Members who are
designated by the U.S. Senate and its leadership to, on behalf of the
other 85, look at the most sensitive information that our country can
accumulate about threats, as many threads of threats as we look at
today on the security of the American people, I think I can speak for
the vice chairman: We are just as concerned about the economic security
of the United States based upon the threat that we are faced with from
cyber actors here at home and, more importantly, around the world.
I urge my colleagues, if you have something to contribute, come to
the floor and contribute it. If you have an amendment already pending,
come to the floor and debate it and vote on it. Give us the ability to
work through the great thoughts of all 100 Members, but recognize the
fact that those individuals whom you have entrusted to represent you
with the most sensitive information that exists in our country came to
a 14-to-1 vote when they passed this originally out of the Intelligence
Committee. That is because of how grave we see the threat and how real
the attackers are.
I thank the vice chairman. She has been absolutely wonderful to work
with through this process. We are going to have a long couple of days
if we process all of this, but I am willing to be here as long as it
takes so that we can move on to conference with the House.
I yield the floor.
The PRESIDING OFFICER. The Senator from California.
Mrs. FEINSTEIN. Madam President, I thank the chairman for those
words. I have one little duty left.
Amendment No. 2626
Madam President, I call for the regular order with respect to
Whitehouse amendment No. 2626.
The PRESIDING OFFICER. The amendment is now pending.
Amendment No. 2626, as Modified
Mrs. FEINSTEIN. I ask that the amendment be modified with the changes
that are at the desk.
The PRESIDING OFFICER. The amendment is so modified.
The amendment, as modified, is as follows:
At the end, add the following:
SEC. __. STOPPING THE SALE OF AMERICANS' FINANCIAL
INFORMATION.
Section 1029(h) of title 18, United States Code, is amended
by striking ``title if--'' and all that follows through
``therefrom.'' and inserting ``title if the offense involves
an access device issued, owned, managed, or controlled by a
financial institution, account issuer, credit card system
member, or other entity organized under the laws of the
United States, or any State, the District of Columbia, or
other Territory of the United States.''.
SEC. __. SHUTTING DOWN BOTNETS.
(a) Amendment.--Section 1345 of title 18, United States
Code, is amended--
(1) in the heading, by inserting ``and abuse'' after
``fraud'';
(2) in subsection (a)--
(A) in paragraph (1)--
(i) in subparagraph (B), by striking ``or'' at the end;
(ii) in subparagraph (C), by inserting ``or'' after the
semicolon; and
(iii) by inserting after subparagraph (C) the following:
``(D) violating or about to violate section 1030(a)(5)
where such conduct has caused or would cause damage (as
defined in section 1030) without authorization to 100 or more
protected computers (as defined in section 1030) during any
1-year period, including by--
``(i) impairing the availability or integrity of the
protected computers without authorization; or
``(ii) installing or maintaining control over malicious
software on the protected computers that, without
authorization, has caused or would cause damage to the
protected computers;''; and
(B) in paragraph (2), by inserting ``, a violation
described in subsection (a)(1)(D),'' before ``or a Federal'';
and
(3) by adding at the end the following:
``(c) A restraining order, prohibition, or other action
described in subsection (b), if issued in circumstances
described in subsection (a)(1)(D), may, upon application of
the Attorney General--
``(1) specify that no cause of action shall lie in any
court against a person for complying with the restraining
order, prohibition, or other action; and
``(2) provide that the United States shall pay to such
person a fee for reimbursement for such costs as are
reasonably necessary and which have been directly incurred in
[[Page S7340]]
complying with the restraining order, prohibition, or other
action.''.
(b) Technical and Conforming Amendment.--The table of
section for chapter 63 is amended by striking the item
relating to section 1345 and inserting the following:
``1345. Injunctions against fraud and abuse.''.
SEC. __. AGGRAVATED DAMAGE TO A CRITICAL INFRASTRUCTURE
COMPUTER.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer, if such damage results in (or, in the case of an
attempted offense, would, if completed have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with such
computer.
``(b) Penalty.--Any person who violates subsection (a)
shall, in addition to the term of punishment provided for the
felony violation of section 1030, be fined under this title,
imprisoned for not more than 20 years, or both.
``(c) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place any person convicted of a
violation of this section on probation;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any term of imprisonment imposed on the
person under any other provision of law, including any term
of imprisonment imposed for the felony violation of section
1030;
``(3) in determining any term of imprisonment to be imposed
for the felony violation of section 1030, a court shall not
in any way reduce the term to be imposed for such violation
to compensate for, or otherwise take into account, any
separate term of imprisonment imposed or to be imposed for a
violation of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, if such discretion shall be exercised in
accordance with any applicable guidelines and policy
statements issued by the United States Sentencing Commission
pursuant to section 994 of title 28.
``(d) Definitions.--In this section
``(1) the terms `computer' and `damage' have the meanings
given the terms in section 1030; and
``(2) the term `critical infrastructure' means systems and
assets, whether physical or virtual, so vital to the United
States that the incapacity or destruction of such systems and
assets would have catastrophic regional or national effects
on public health or safety, economic security, or national
security.''.
(b) Table of Sections.--The table of sections for chapter
47 of title 18, United States Code, is amended by inserting
after the item relating to section 1030 the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. __. STOPPING TRAFFICKING IN BOTNETS.
(a) In General.--Section 1030 of title 18, United States
Code, is amended--
(1) in subsection (a)--
(A) in paragraph (7), by adding ``or'' at the end; and
(B) by inserting after paragraph (7) the following:
``(8) intentionally traffics in the means of access to a
protected computer, if--
``(A) the trafficker knows or has reason to know the
protected computer has been damaged in a manner prohibited by
this section; and
``(B) the promise or agreement to pay for the means of
access is made by, or on behalf of, a person the trafficker
knows or has reason to know intends to use the means of
access to--
``(i) damage the protected computer in a manner prohibited
by this section; or
``(ii) violate section 1037 or 1343;'';
(2) in subsection (c)(3)--
(A) in subparagraph (A), by striking ``(a)(4) or (a)(7)''
and inserting ``(a)(4), (a)(7), or (a)(8)''; and
(B) in subparagraph (B), by striking ``(a)(4), or (a)(7)''
and inserting ``(a)(4), (a)(7), or (a)(8)'';
(3) in subsection (e)--
(A) in paragraph (11), by striking ``and'' at the end;
(B) in paragraph (12), by striking the period at the end
and inserting ``; and''; and
(C) by adding at the end the following:
``(13) the term `traffic', except as provided in subsection
(a)(6), means transfer, or otherwise dispose of, to another
as consideration for the receipt of, or as consideration for
a promise or agreement to pay, anything of pecuniary
value.''; and
(4) in subsection (g), in the first sentence, by inserting
``, except for a violation of subsection (a)(8),'' after ``of
this section''.
Mrs. FEINSTEIN. I thank the Chair and yield the floor.
Mr. BURR. I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The legislative clerk proceeded to call the roll.
Mr. PERDUE. Madam President, I ask unanimous consent that the order
for the quorum call be rescinded.
The PRESIDING OFFICER. Without objection, it is so ordered.
Sanctuary Cities Bill
Mr. PERDUE. Madam President, I rise to speak very briefly about the
Stop Sanctuary Cities Act, which I was proud to cosponsor in the
Senate. Simply put, this legislation protects American citizens from
criminal illegal immigrants. Today, at least 340 cities across our
country are choosing not to enforce our Nation's immigration laws.
These sanctuary cities have become a safe haven for criminals who are
not only in the United States illegally but also are committing
additional crimes and repeatedly reentering trying our country after
being deported. This summer we witnessed the tragic impact this
lawlessness has on American citizens when Kate Steinle was murdered in
San Francisco, a sanctuary city, by a felon living in our country
illegally and who was previously deported five separate times. Three
months prior to Kate's tragic death, the Department of Homeland
Security actually asked San Francisco to detain her murderer, but the
sanctuary city refused to cooperate and released the criminal back into
the community. Had they not done that, had they turned that person over
to Homeland Security as they were requested, Kate might still be with
us.
This is unconscionable. I do not think I can overstate the importance
of this Stop Sanctuary Cities Act to the American people and to the
people of my home State of Georgia. The fact is that Kate Steinle did
not have to die at the hands of a seven-time convicted felon and a
five-time deportee. Kate and many others would not have died if our
country had a functional immigration system and a government that
actually enforces our laws.
This is why it is absolutely crucial that we stop sanctuary cities
and address this illegal immigration crisis, which has also become a
national security crisis. This bill would have done just that, and yet
we were not able to even get it on the floor to have a debate. This is
what drives people in my home State absolutely apoplectic. We want to
get these bills to the floor, have an open debate, and let's let
Americans see how we all vote on critical issues like this.
It is a very sad day, indeed, when this body cannot come together to
stop rogue cities from breaking our Nation's laws, protecting the
livelihood of American citizens, and support our law enforcement
officials. I thank Senator Vitter and Chairman Grassley for working
closely with the victims' families and law enforcement to produce this
legislation. I hope we can continue to debate this and get this bill
back on the floor. I will keep fighting to stop this lawlessness and
protect all Americans.
I yield the floor.
I suggest the absence of a quorum.
The PRESIDING OFFICER (Mr. Gardner). The clerk will call the roll.
The legislative clerk proceeded to call the roll.
Mr. WHITEHOUSE. Mr. President, I ask unanimous consent that the order
for the quorum call be rescinded.
The PRESIDING OFFICER. Without objection, it is so ordered.
Mr. WHITEHOUSE. Mr. President, I ask unanimous consent to speak as in
morning business for up to 20 minutes.
The PRESIDING OFFICER. Without objection, it is so ordered.
[...]
Cloture Motion
Mr. McCONNELL. Mr. President, I send a cloture motion to the desk for
the Burr-Feinstein amendment No. 2716.
The PRESIDING OFFICER. The cloture motion having been presented under
rule XXII, the Chair directs the clerk to read the motion.
The bill clerk read as follows:
Cloture Motion
We, the undersigned Senators, in accordance with the
provisions of rule XXII of the Standing Rules of the Senate,
do hereby move to bring to a close debate on the amendment
No. 2716 to S. 754, a bill to improve cybersecurity in the
United States through enhanced sharing of information about
cybersecurity threats, and for other purposes.
Mitch McConnell, John Cornyn, Johnny Isakson, Richard
Burr, John McCain, Shelley Moore Capito, Orrin G.
Hatch, John Thune, Chuck Grassley, Pat Roberts, John
Barrasso, Jeff Flake, Lamar Alexander, Bill Cassidy,
Deb Fischer, Susan M. Collins, Patrick J. Toomey.
Cloture Motion
Mr. McCONNELL. Mr. President, I send a cloture motion to the desk for
the underlying bill, S. 754.
The PRESIDING OFFICER. The cloture motion having been presented under
rule XXII, the Chair directs the clerk to read the motion.
The bill clerk read as follows:
Cloture Motion
We, the undersigned Senators, in accordance with the
provisions of rule XXII of the Standing Rules of the Senate,
do hereby move to bring to a close debate on S. 754, an
original bill to improve cybersecurity in the United States
through enhanced sharing of information about cybersecurity
threats, and for other purposes.
Mitch McConnell, John Cornyn, Johnny Isakson, Richard
Burr, John McCain, Shelley Moore Capito, Orrin G.
Hatch, John Thune, Chuck Grassley, Pat Roberts, John
Barrasso, Jeff Flake, Lamar Alexander, Bill Cassidy,
Deb Fischer, Susan M. Collins, Patrick J. Toomey.
____________________
