[Congressional Record Volume 161, Number 155 (Thursday, October 22, 2015)]
[Senate]
[Pages S7430-S7439]
CYBERSECURITY INFORMATION SHARING ACT OF 2015
The PRESIDING OFFICER. Under the previous order, the Senate will
resume consideration of S. 754, which the clerk will report.
The senior assistant legislative clerk read as follows:
A bill (S. 754) to improve cybersecurity in the United
States through enhanced sharing of information about
cybersecurity threats, and for other purposes.
Pending:
Burr/Feinstein amendment No. 2716, in the nature of a
substitute.
Burr (for Cotton) modified amendment No. 2581 (to amendment
No. 2716), to exempt from the capability and process within
the Department of Homeland Security communication between a
private entity and the Federal Bureau of Investigation or the
United States Secret Service regarding cybersecurity threats.
Feinstein (for Coons) modified amendment No. 2552 (to
amendment No. 2716), to modify section 5 to require DHS to
review all cyber threat indicators and countermeasures in
order to remove certain personal information.
Burr (for Flake/Franken) amendment No. 2582 (to amendment
No. 2716), to terminate the provisions of the Act after six
years.
Feinstein (for Franken) further modified amendment No. 2612
(to amendment No. 2716), to improve the definitions of
cybersecurity threat and cyber threat indicator.
Burr (for Heller) modified amendment No. 2548 (to amendment
No. 2716), to protect information that is reasonably believed
to be personal information or information that identifies a
specific person.
Feinstein (for Leahy) modified amendment No. 2587 (to
amendment No. 2716), to strike the FOIA exemption.
Burr (for Paul) modified amendment No. 2564 (to amendment
No. 2716), to prohibit liability immunity to applying to
private entities that break user or privacy agreements with
customers.
Feinstein (for Mikulski/Cardin) amendment No. 2557 (to
amendment No. 2716), to provide amounts necessary for
accelerated cybersecurity in response to data breaches.
Feinstein (for Whitehouse/Graham) modified amendment No.
2626 (to amendment No. 2716), to amend title 18, United
States Code, to protect Americans from cybercrime.
Feinstein (for Wyden) modified amendment No. 2621 (to
amendment No. 2716), to improve the requirements relating to
removal of personal information from cyber threat indicators
before sharing.
The PRESIDING OFFICER. Under the previous order, the time until 11
a.m. will be equally divided between the two leaders or their
designees.
The Senator from Nevada.
Amendment No. 2548, as Modified
Mr. HELLER. Mr. President, after my years of growing up in Nevada, I
appreciate the values that make Nevadans distinct, fiercely
independent, and very diverse--in fact, as diverse as the terrain is in
Nevada. But what never ceases to amaze me about Nevadans is our passion
for protecting America's privacy from the intrusion of the Federal
Government. It is a value that is shared across the entire State and
one that I have sworn to uphold. But many Americans have lost faith
that their government will uphold their civil liberties.
It is Congress's responsibility to ensure that every piece of
legislation passed by this body protects the privacy and liberties of
all Americans, and I will not accept attempts to diminish these
nonnegotiable rights. That is why I am on the floor today to continue
protecting Americans' and Nevadans' privacy by pushing for my amendment
on the Cybersecurity Information Sharing Act.
To begin with, I wish to commend my colleagues, both Chairman Burr
and Ranking Member Feinstein, for recognizing the need to address the
serious issue of cyber security. As ranking member of the commerce
committee's consumer protection subcommittee in the last Congress, I
delved into these issues and understand the impact of data breaches and
cyber threats. It is an economic concern as well as a national security
concern for our country.
I share the desire to find a path forward on information sharing
between the Federal Government and the private sector as another tool
in the cyber security toolbox, but these efforts cannot come at the
expense of personal privacy. The bill, including the substitute
amendment that I see today, does not do enough to ensure that personal,
identifiable information is stripped out before being shared, and that
is why I have offered this simple fix.
Let's strengthen the standard for stripping out this information.
Right now, this legislation says that the Federal Government only has
to strip out personal information if they know it is not directly
related to cyber threat--that word being ``know.'' My amendment No.
2548, as modified, will ensure that when personal information is being
stripped out, it is because the entity reasonably believes it is not
related to cyber threat. That is the change--from knowing to reasonably
believing. This distinction creates a wider protection for personal
information by ensuring that these entities are making an effort to
take out personal information that is not necessary.
Frankly, I am proud of the support I have from Senators Leahy and
Wyden, both great advocates in the Senate for privacy. However, I am
disappointed that my amendment was not included in the substitute
amendment that we see today.
The supporters of this bill talk about how this legislation upholds
privacy but couldn't accept a reasonable amendment that complements
those privacy provisions.
Our friends over in the House of Representatives already agree that
the private sector should be held to this standard, which is why they
included this language in the cyber security bill they passed. I guess
the question is, If this is good enough for the private sector,
shouldn't it be good enough for the government sector?
Furthermore, DHS has publicly acknowledged the importance of removing
personal, identifiable information because it will allow an information
sharing regime to function more efficiently.
What this has come down to is our Nation's commitment to balancing
the needs for sharing cyber security information with the needs to
protect Americans' personal information. Like many in the tech
community have already stated, security should not come at the expense
of privacy. In fact, that was said a couple hundred years ago by
Benjamin Franklin. Security should not come at the expense of privacy.
I believe my amendment No. 2548 to hold the Federal Government
accountable strikes that balance, and I hope this simple fix can be
incorporated into the legislation.
I encourage my colleagues to support this commonsense effort to
strengthen this bill and keep our commitment to upholding the rights of
all U.S. citizens.
I appreciate Senators Burr and Feinstein's willingness to work with
me on this amendment and look forward to continuing this debate.
I thank the Presiding Officer, and I yield the floor.
The PRESIDING OFFICER. The Senator from North Carolina.
Mr. BURR. Mr. President, I thank my colleague from Nevada and say to
him generally that we tried to put everything in the managers'
amendment that we could, and the threshold was that we had to have
total agreement. I know my colleague understands that it is difficult,
but we have done everything we can to protect the rights of every
individual Member to bring an amendment to the floor, to debate the
amendment, and to have an up-or-down vote--even for the ones that were
not germane. It is unfortunate that one amendment on both sides will be
kicked out because they have to happen before the cloture vote, and
that was not allowed to take place.
Measure Placed on the Calendar--S. 2193
Mr. President, I understand that there is a bill at the desk that is
due for its second reading.
The PRESIDING OFFICER. The clerk will report the bill by title for
the second time.
The senior assistant legislative clerk read as follows:
A bill (S. 2193) to amend the Immigration and Nationality
Act to increase penalties for individuals who illegally
reenter the United States after being removed and for other
purposes.
Mr. BURR. Mr. President, in order to place the bill on the calendar
under the provisions of rule XIV, I object to further proceedings.
The PRESIDING OFFICER. Objection is heard.
The bill will be placed on the calendar.
Mr. BURR. Mr. President, in just shy of 25 minutes, the Senate will
have a procedural vote on the Cybersecurity Information Sharing Act of
2015. The committee worked diligently for most of this year in a
bipartisan way to achieve a balance of great policy and reported that
bill out on a 14-to-1 vote.
I say to my colleagues: We have reached a very delicate balance.
There have been bending and twisting and giving and taking, and we have
done it not only within the Senate of the United States and within the
committee, we have done it with stakeholders all around the country.
I will remind my colleagues that this bill we are attempting to get
through the Senate is a voluntary information sharing bill, and the
mere fact that it is voluntary means we have to have in place certain
incentives that provide a reason for companies to participate.
I commend Chairman Johnson and Ranking Member Carper. Their committee
and staff have worked with us side by side to try to incorporate their
thoughts and the thoughts of all the agencies and also worked with
stakeholders around the country.
I am pleased to tell my colleagues today that we received this
morning a notice from the U.S. Chamber of Commerce, and it says: ``The
Chamber urges the United States Senate to pass CISA expeditiously.
There is overwhelming support.''
When the vice chair and I ventured into this, we also made a
commitment to lock arms because we thought we found the right balance.
Although it may be enticing for Members to support amendments that
might come up, there is a reason we didn't incorporate them in the
managers' amendment. It may have been due to the differences the vice
chair and I had or maybe it was because it would have killed the
support we had with the stakeholders around the country. We will have
one of those amendments today, and it is going to be inviting for
people to do it, but let me say to my colleagues, if you do it,
information sharing is over with, and the effort is dead. It has been
tried for 3 years, yet we continue to see attacks happen, and massive
amounts of personal data go out of the system to be used for criminal
or espionage reasons.
This is really our last chance. The vice chairman and I have reached
what we think is the absolute balance that provides the buy-in of those
who will be asked to voluntarily turn over this data and to help
minimize the loss of data in our entire economy.
I urge my colleagues to support the cloture motion that will happen
at 11 a.m. We will have a short debate, and then we will take up an
amendment, and the vice chair and I at that time will ask our
colleagues not to support that amendment.
Mr. President, I ask unanimous consent to waive the mandatory quorum
calls with respect to the cloture motions on amendment No. 2716 and S.
754.
The PRESIDING OFFICER. Is there objection?
Without objection, it is so ordered.
Mr. BURR. I yield the floor.
The PRESIDING OFFICER. The Senator from California.
Mrs. FEINSTEIN. Mr. President, I ask unanimous consent that the
following Senators on the Democratic side be permitted to speak for 5
minutes each on our time: Feinstein 5 minutes, Wyden 5 minutes, and
Carper 5 minutes.
The PRESIDING OFFICER. Without objection, it is so ordered.
Mrs. FEINSTEIN. Mr. President, after many years of effort, the Senate
is about to take its first vote to move forward on important cyber
security legislation. As I stated in my remarks yesterday, this
substitute makes 20 changes to the underlying bill. It includes 14
amendments offered by other Senators to improve privacy protections and
ensure better cyber security for emergency services, the health care
industry, and the Federal Government. As the chairman just said, we
have been listening and we have tried to incorporate a substantial
number of amendments in the managers' package.
This is a good bill. It is a first step. It is not going to prevent
all cyber attacks or penetrations, but it will allow companies and the
government to share information about the cyber threats they see and
the defensive measures to implement in order to protect their networks.
Right now--and this is important--the same cyber intrusions are used
again and again to penetrate different targets. That shouldn't happen.
If someone sees a particular virus or harmful signature, they should be
able to tell others so they can protect themselves. That is what this
bill does--it clears away the uncertainty and concern that keep
companies from sharing this information. It says that two competitors
in a market can share information on cyber threats with each other
without facing antitrust lawsuits. It says that companies sharing cyber
threat information with the government for cyber security purposes have
liability protection.
The bill is completely voluntary. I don't know how to say that over
and over more times than I have. If you don't want to participate,
don't. If a company wants to take the position that it can defend
itself and doesn't want to participate in real-time sharing with the
Department of Homeland Security, that is its right.
I thank my colleagues who came to the floor in support of this bill
and this managers' amendment yesterday: Senators McConnell, Reid,
Grassley, Nelson, McCain, King, Thune, Flake, Senator Carper in
particular, Senator Blunt, and others. They have all described the need
for this bill, and I so appreciate their support.
I urge my colleagues to support cloture on this substitute managers'
package so that we can start moving on to other amendments that are
pending.
I also thank Senator Burr and his staff. Over the past couple of
days, they have been going through comments, proposing technical
changes, and perfecting changes to the substitute. It is my
understanding that Chairman Burr will ask a unanimous consent agreement
on that perfecting amendment shortly.
I also thank Senator Collins for agreeing to changes in her
provision, section 407, to start to address concerns that were raised
by its inclusion.
I also want to thank Senators Whitehouse, Leahy, and Wyden for
reaching an agreement on text that Senator Whitehouse very much wanted
to include, and I am pleased we were able to include it in this
unanimous consent package.
So I appreciate the support of my colleagues. I urge a strong ``yes''
vote on the cloture vote to allow us to proceed to this bill.
The PRESIDING OFFICER. The Senator from Oregon.
Mr. WYDEN. Mr. President, I rise to speak against cloture on the
substitute. This substitute would not have stopped the Target hack, the
Anthem hack, the Home Depot hack, or the OPM hack. When it comes to
real privacy protection for millions of Americans with this substitute,
there is simply no ``there'' there.
We see that by looking at page 17 of the substitute. Companies have
to remove only personal, unrelated information if they know that it is
personal
and unrelated. How would they know under this amendment? Under this
amendment, they are required to virtually do no looking. It is the most
cursory review. That is why the Nation's leading technology companies
have come out overwhelmingly against this legislation. They are not
satisfied by this substitute.
The sponsors of the bill have been pretty vociferous about attacking
these companies for coming out against the legislation. These companies
know a lot about the importance of protecting both cyber security and
individual privacy. These tech companies that are being attacked now
have to manage that challenge every single day. The challenge gets
harder all the time with things such as the EU ruling that I opposed.
These companies know that customer confidence is their lifeblood, and
the only way to ensure customer confidence is to convince people that
if they use their product, their information is going to be protected
both from malicious hackers and from unnecessary collection by the
government.
The fact is, we have a serious problem with hacking and cyber
security threats. The fact is, information sharing can be good, but a
cyber security information sharing bill without real and robust privacy
protections that this amendment lacks--I would submit millions of
Americans are going to look at that, and they are going to say this
isn't a cyber security bill, this is yet another surveillance bill.
With this amendment, colleagues, the Senate is again missing another
opportunity to do this right and promote both security and liberty.
Just because a proposal has the words ``cyber security'' in its title
doesn't make it good. But that is, of course, why the leading
technology companies in this country--companies that make a living
every single day by being sensitive to cyber threats and privacy--have
come out overwhelmingly against this bill.
I know my colleagues have tried to improve this issue, and I
appreciate that. But the core privacy protections that America deserves
in a bill like this are still lacking, and that is why I oppose
cloture.
The PRESIDING OFFICER. The Senator from Delaware.
Mr. CARPER. Mr. President, I wish to respond very briefly to what our
colleague from Oregon has said.
Senator Feinstein shared with me a copy of the actual text of the
managers' amendment. I would maybe make two points. One, if a private
company elects to share information--they don't have to, but if they
elect to share information, as Senator Feinstein has said, it is their
call. But if they do, there is a requirement under the law that they
scrub it. The reporting entity which is submitting the indicator--in
this case to DHS, the Federal entity--has to scrub it. They have the
responsibility, whoever is initiating this, to scrub and remove that
personally identifiable information. If for some reason they don't, the
way the legislation comes before us today, in order for a company that
chooses to submit threat indicators to the Federal Government, in order
to get help on the liability protection they are looking for, they have
to submit it through the Department of Homeland Security, through the
portal of the Department of Homeland Security, which is literally set
up to do privacy scrubs. It is literally set up to do privacy scrubs,
and then to share information it wants with other relevant Federal
agencies. Very, very infrequently--very infrequently--will there be
some reason to--the threat indicators coming through the portal at DHS,
maybe less than 1 percent of the time, there might be a need to take a
closer look at that information and make sure there is nothing that is
personally identifiable or problematic. I think with the compromise
that has been worked out, the issue that our colleague has raised has
been addressed.
Let me just go back in time. Why is this important? We know the
situation is grim. When the Secretary of Defense has his emails hacked
by an entity, and we know not who, when we have 22 million personal
records and background checks hacked by maybe the Chinese or maybe
somebody else, that is not good. When companies such as DuPont in my
own State and universities all over the country are having their R&D
information--their intellectual seed corn upon which our economy is
going to grow--stolen, and presumably stolen for bad reasons, so that
they can beat us to the bunch in terms of economic opportunity, that is
not good.
What are we going to do about it? It turns out we did quite a bit
about it in the last Congress. Two Congresses ago, Senator Feinstein
proposed comprehensive cyber security legislation, the whole kit and
caboodle. We tried very hard, as she knows, for a year or two to get
that enacted. We couldn't get it done. Finally, we gave up at the end
of I think the 112th Congress. We gave it up, and we started again in
2013.
Tom Coburn was the ranking member on Homeland Security. I was
privileged to be chairman. He and I partnered with people on our
committee and, frankly, with a lot of folks outside of the committee,
to do three things: To strengthen the capability of the Department of
Homeland Security to do its job, a much better job of protecting not
just the Federal Government but the country as a whole against cyber
attacks. We passed three pieces of legislation. They are helpful; they
are not the whole package, but they are three very helpful bills to
make DHS a better, more effective partner.
This year, the Intel Committee, under the leadership of Senator Burr
and Senator Feinstein, came forward with their proposal. The
administration, the President, came forward with an information sharing
proposal as well. We took it up in a hearing in the committee on
homeland security, looking at the President's proposal, trying to
figure out what we should retain and what we should change to make it
better, and we did. We changed it and we made it better. I introduced
it as a standalone bill. The Intel Committee reported out their
legislation 14 to 1.
We have been working with Senator Burr and Senator Feinstein and
their staffs ever since to try to infuse the elements of the
President's proposal, modified by us on homeland security, to make a
more perfect--not a more perfect union, but a more perfect bill. Is it
perfect? No. Is it better? Sure, it is better. I think it is going to
enable us to do a much better job protecting that which needs to be
protected.
The last thing I will say is this: On this floor I have said more
than a few times I love to ask people that have been married a long
time, what is the secret to a long marriage? The best answer I have
ever received is the two C's--communicate and compromise. I would add a
third C, which is also important for a vibrant democracy. The third C
is collaborate.
This legislation is a great example of communicating, talking with
one another, with stakeholders on Capitol Hill, off Capitol Hill,
across the country and around the world, but at the end of the day to
figure out how to compromise and to do so by collaborating.
I think we have come up with a very good piece of legislation. At the
end of the day, if an entity or business wants to share information--I
hope they would, we need them to do that. If they want to share
information with the Federal Government, the idea is to get liability
protection and share it through the portal of the Department of
Homeland Security; that information is scrubbed--cyber security
scrubbed, privacy scrubbed. Share with other Federal agencies as
appropriate after it has been dutifully scrubbed, and then we are in a
better position to defend against those attacks in the future.
I think when people send us to work on big problems--and this is a
big problem for our country--they want us to work together. They want
us to get stuff done. We have been talking about this for 3 or 4 years,
and now we have an opportunity to get something done. Let's pass this
and accept this managers' amendment, and then let's take up some other
amendments, and pass this bill and send it to the House. When they have
done their work, let's go to conference.
Thank you very much.
The PRESIDING OFFICER. The Senator from Wisconsin.
Mr. JOHNSON. Mr. President, I rise to support the Cybersecurity
Information Sharing Act, long overdue and vital legislation designed to
reduce our Nation's vulnerability to cyber attacks.
I want to commend the ranking member of my committee, Senator
Tom Carper, and Senator Burr and Senator Feinstein, for their
collaborative effort. This is an example of when we actually seek to
find the areas of agreement that unify us versus exploit our divisions,
then we can actually accomplish some pretty good things. This bill is
one of those examples.
The cyber threat we face today is real and it is growing.
Sophisticated nation-state adversaries such as China and North Korea
are constantly probing American companies' and Federal agencies'
computer networks to steal valuable and sensitive data. International
criminal organizations are exploiting our networks to commit financial
fraud and health fraud. Cyber crime is so pervasive that the former
Director of the National Security Agency described it as the ``greatest
transfer of wealth in human history.'' Cyber terrorists are trying to
attack cyber-connected critical infrastructure, thereby threatening our
very way of life.
We have already experienced the impact of this threat. Within the
last year and a half alone, more than 20 top American companies and
Federal agencies have experienced major breaches. A breach of the
Office of Personnel Management allowed a foreign adversary to steal
19.7 million Federal employees' background checks, over 5 million
fingerprint files, and 4 million personnel records. A breach at IRS
allowed cyber criminals abroad to access over 330,000 taxpayer
financial records. A destructive cyber attack from North Korea on Sony
Pictures resulted in the destruction of thousands of computers and
theft of the company's most valuable intellectual property. Data
breaches at both Anthem and JP Morgan resulted in the theft of 80
million health care subscribers' personal data and 83 million banking
customers' personal information. Even the White House is not immune
from attack. Six months ago, foreign adversaries breached White House
networks, compromising the President's nonpublic schedule.
Federal agencies are neglecting to protect Americans' data and
Federal law is preventing companies from defending their networks.
Congressional oversight, including hearings held by my committee, the
Senate Committee on Homeland Security and Governmental Affairs, has
shown agencies are not doing enough to protect their sensitive data.
Our committee's oversight hearings of the IRS and OPM data breaches
revealed that basic cyber security hygiene and best practices would
have stopped attackers in their tracks had they been in place at these
agencies. The Department of Homeland Security has not yet fully
implemented the cyber security programs we need to protect Federal
agencies' networks.
Meanwhile, current law hinders private companies from sharing
indicators that can be used to detect and stop attacks against their
networks. To be effective, cyber threat indicators must be shared very
quickly. The 2015 Verizon data breach investigation report revealed
that 75 percent of attacks spread within 24 hours, and 40 percent
spread within just 1 hour. Yet our current network of anti-trust and
wiretap laws hampers companies from sharing that information quickly,
creating a threat of lawsuit and prosecution for sharing the
information that companies can use to identify and stop attacks.
There is no easy solution, but there are things Congress can do to
improve cyber security that might make cyber attacks more difficult.
That is why I am proud to have worked with Senator Burr and Senator
Feinstein to create the Cybersecurity Information Sharing Act, which
takes a significant first step in addressing both of these issues.
First, it enables information sharing to improve cyber security
within private companies.
Second, it improves cyber security at Federal agencies.
I especially appreciate the collaboration of Senator Carper in
working with me to help craft title II of the bill--the Federal
Cybersecurity Enhancement Act--which was unanimously reported out of
our committee. This bill will put Federal agencies on track to
implement commonsense cyber security solutions already in use in many
companies, thereby improving the security of Americans' data at the
Federal agencies.
The Federal Cybersecurity Enhancement Act will achieve four key
goals.
The PRESIDING OFFICER. The time of the Senator has expired.
Mr. JOHNSON. I ask unanimous consent for 1 more minute.
The PRESIDING OFFICER. Without objection, it is so ordered.
Mr. JOHNSON. First, it will mandate deployment and implementation of
a government-wide intrusion detection and prevention system for Federal
networks.
Second, it will require OMB to develop an intrusion assessment plan
so government agencies can hunt down and eradicate attackers already in
their networks.
Third, it requires agencies to implement specific cyber security
practices, such as multifactor authentication and encryption of
sensitive data, which would have stopped previous attacks.
Fourth, and finally, it will give the Secretary of Homeland Security
and the Director of the Office of Management and Budget the authority
they need to oversee cyber security across the Federal Government.
In short, the Cybersecurity Information Sharing Act, with the
inclusion of the Federal Cybersecurity Enhancement Act, will
significantly improve our cyber security posture. This bill will not
solve all of our cyber security woes, but it is an important step in
the right direction, and I am glad to support it.
Thank you, Mr. President, and I yield back.
The PRESIDING OFFICER. The Senator from North Carolina.
Mr. BURR. Mr. President, I ask unanimous consent for 2 additional
minutes before we move to the cloture vote.
The PRESIDING OFFICER. Is there objection?
Without objection, it is so ordered.
Mrs. FEINSTEIN. Mr. President, I believe I have a couple of minutes
left after the chairman speaks that I would like to use.
Mr. WYDEN. Mr. President, reserving the right to object.
The PRESIDING OFFICER. The Senator from Oregon.
Mr. WYDEN. Mr. President, reserving the right to object, I am happy
to extend the debate for a couple of minutes for each side, but I think
it does need, in the interest of fairness for the proponents and
opponents, to have equal time for the purposes of wrapping up, if my
colleagues want to go further.
Mr. BURR. Mr. President, let me modify my request. I ask unanimous
consent for 2 additional minutes on both sides.
The PRESIDING OFFICER. Without objection, it is so ordered.
Mrs. FEINSTEIN. Mr. President, just so the record is clear, I was
told I did not utilize my entire 5 minutes, and I want to make a very
brief closing statement on my 5 minutes.
Mr. BURR. May I modify my request further? My unanimous consent would
grant me 2 additional minutes and would grant the vice chair 2 minutes
45 seconds.
Mr. WYDEN. Mr. President, I don't want to prolong this. Reserving the
right to object--do I have any additional time? I wasn't sure I had
used my full 5 minutes.
The PRESIDING OFFICER. The Senator from Oregon has 45 seconds
remaining in his time from before.
Mr. BURR. Mr. President, I ask unanimous consent that each side be
given 2 additional minutes.
The PRESIDING OFFICER. Is there objection?
Mr. McCAIN. I am about to object. Let's get going here.
Mrs. FEINSTEIN. I withdraw my request for my 5 minutes, Mr.
President.
The PRESIDING OFFICER. Is there objection to the request of the
Senator from North Carolina for 2 additional minutes for each side?
Without objection, it is so ordered.
Mr. BURR. Mr. President, I thank my colleagues for allowing me the
time.
Very quickly, it was said that this bill will not prevent and would
not have prevented the attacks that took place at American companies.
It is, in fact, right. The vice chair and I have never portrayed that
this was a prevention bill. We said it is not a prevention bill. It is
a bill designed to share information to minimize the loss of data.
As it relates to personal data, my colleague from Oregon forgets that
the managers' amendment strengthens by making sure on the government
side that they only draw in the fields that
the entire government collaborative group agrees need to be used for
forensic purposes over and above what Senator Carper pointed out are
the responsibilities of the private sector companies.
It was said that the vice chair and I have been critical of
technology companies that oppose this bill. I don't think we have been
critical. We have been confused--confused that the companies that hold
the most personal data on the American people in the country want to
deprive every other business in America from having the ability to
share their information when they are hacked. So I am not critical. I
am challenged to figure out why they would take that position, but I
have come to the conclusion that there are some questions in life that
have no answers, and I have now reached one of those.
Given that we are at the end of this debate, let me once again thank
Chairman Johnson and Ranking Member Carper for the unbelievable
contribution that both of them individually made in their committee,
and on behalf of the vice chair and myself, I would urge our colleagues
to support cloture and allow this process to move forward so we could
conference with the House.
I yield the floor.
The PRESIDING OFFICER. The Senator from California.
Mrs. FEINSTEIN. Mr. President, thank you very much.
I just want to urge people to vote yes on cloture. We have been at
this for 6 years. This is the third bill. We have been bipartisan. The
bill is considered. This is a complicated and difficult arena. The bill
is all voluntary. The moaning and groaning of companies, I say, if you
don't want to participate, don't participate, but I can give you
hundreds and thousands of companies that are desperate to participate
to be able to protect themselves without a lawsuit, and this enables
that. It is a first-step bill.
I particularly wish to thank the chair and ranking on the Homeland
Security Committee. I very much appreciate this support and know that
Senator Burr, I, and others will continue to work as we recognize this
most serious threat on our economy and the privacy of individuals. To
do nothing now is to admit that we cannot come up with a bill, and, in
fact, we can. Please vote yes.
The PRESIDING OFFICER (Mr. Flake). The Senator from Oregon.
Mr. WYDEN. Mr. President, I hope colleagues will vote no. I have
three quick points. No. 1, the chairman of the committee--and we work
together often--acknowledged that this substitute would not have
prevented these major hacks that we are all so concerned about. No. 2,
once again we have heard an attack on the country's major technology
companies. All of them, all of them, colleagues, are opposed to this
legislation. We are talking about Apple and Dropbox and Twitter. The
list goes on and on. Why? Because these companies have to be concerned
about both cyber security and protecting their employees and their
customers' privacy. Unfortunately, this legislation does very little to
protect cyber security, which has now been acknowledged by the lead
sponsor of the legislation and has major problems with respect to
protecting the liberty of the American people. I urge colleagues to
vote no.
Mr. CARPER. Mr. President, are we out of time on the Democrats' side?
The PRESIDING OFFICER. Twenty seconds remain.
Mr. CARPER. Colleagues, keep in mind, EINSTEIN 1 and EINSTEIN 2 are
already effective to detect but not block these intrusions. EINSTEIN 3,
authorized by our legislation, puts a new player on the field--a
defensive player--to be able to block these intrusions. This is new and
requires these agencies to implement that. For no other reason than
that, it is a good reason to support this proposal.
Thank you.
The PRESIDING OFFICER. The Senator's time has expired.
Cloture Motion
The PRESIDING OFFICER. Pursuant to rule XXII, the Chair lays before
the Senate the pending cloture motion, which the clerk will state.
The legislative clerk read as follows:
Cloture Motion
We, the undersigned Senators, in accordance with the
provisions of rule XXII of the Standing Rules of the Senate,
do hereby move to bring to a close debate on amendment No.
2716 to S. 754, a bill to improve cybersecurity in the United
States through enhanced sharing of information about
cybersecurity threats, and for other purposes.
Mitch McConnell, John Cornyn, Johnny Isakson, Richard
Burr, John McCain, Shelley Moore Capito, Orrin G.
Hatch, John Thune, Chuck Grassley, Pat Roberts, John
Barrasso, Jeff Flake, Lamar Alexander, Bill Cassidy,
Deb Fischer, Susan M. Collins, Patrick J. Toomey.
The PRESIDING OFFICER. By unanimous consent, the mandatory quorum
call has been waived.
The question is, Is it the sense of the Senate that debate on
amendment No. 2716, offered by the Senator from North Carolina, Mr.
Burr, to S. 754, shall be brought to a close?
The yeas and nays are mandatory under the rule.
The clerk will call the roll.
The legislative clerk called the roll.
Mr. CORNYN. The following Senators are necessarily absent: the
Senator from South Carolina (Mr. Graham), the Senator from Florida (Mr.
Rubio), and the Senator from Louisiana (Mr. Vitter).
The PRESIDING OFFICER. Are there any other Senators in the Chamber
desiring to vote?
The yeas and nays resulted--yeas 83, nays 14, as follows:
[Rollcall Vote No. 281 Leg.]
YEAS--83
Alexander
Ayotte
Barrasso
Bennet
Blumenthal
Blunt
Boozman
Boxer
Burr
Cantwell
Capito
Cardin
Carper
Casey
Cassidy
Coats
Cochran
Collins
Corker
Cornyn
Cotton
Crapo
Cruz
Daines
Donnelly
Durbin
Enzi
Ernst
Feinstein
Fischer
Flake
Gardner
Gillibrand
Grassley
Hatch
Heinrich
Heitkamp
Heller
Hirono
Hoeven
Inhofe
Isakson
Johnson
Kaine
King
Kirk
Klobuchar
Lankford
Lee
Manchin
McCain
McCaskill
McConnell
Mikulski
Moran
Murkowski
Murphy
Murray
Nelson
Perdue
Peters
Portman
Reed
Reid
Risch
Roberts
Rounds
Sasse
Schatz
Schumer
Scott
Sessions
Shaheen
Shelby
Stabenow
Sullivan
Tester
Thune
Tillis
Toomey
Warner
Whitehouse
Wicker
NAYS--14
Baldwin
Booker
Brown
Coons
Franken
Leahy
Markey
Menendez
Merkley
Paul
Sanders
Udall
Warren
Wyden
NOT VOTING--3
Graham
Rubio
Vitter
The PRESIDING OFFICER (Mr. Flake). On this vote, the yeas are 83, the
nays are 14.
Three-fifths of the Senators duly chosen and sworn having voted in
the affirmative, the motion is agreed to.
Amendment No. 2564, as Modified
There will now be 10 minutes of debate equally divided prior to a
vote in relation to amendment No. 2564, offered by the Senator from
North Carolina, Mr. Burr, for Mr. Paul.
The Senator from North Carolina.
Mr. BURR. Mr. President, I wish to say to my colleagues that there is
10 minutes of debate in between these votes, so those Members who have
conversations, I wish they would take them off the floor. If they are
not going to have conversations, stay and listen to the debate.
Mr. President, from the floor, I have said to my colleagues that the
information sharing bill is a very delicately balanced piece of
legislation.
What we have attempted to do is to create a voluntary program that
companies around this country can choose to participate in or not. Some
have already expressed their opposition to it, and I would say that is
very easy--pass the bill, and they just won't participate.
There are going to be amendments, though, that change the balance. I
don't want to get into the details of every amendment. Let me just say
to my colleagues that if we change the balance we have reached not just
on both sides of the aisle but with the comfort level of businesses
across this country to where they believe they can no longer
participate in it, then we won't have a successful information sharing
bill.
I think every Member of this body and every American knows that cyber
attacks are not going to go away. They are going to continue, they are
going
to become more numerous, and we are going to be on the floor debating
something that is probably much more specific in the future. I wish we
could prevent it, but right now our only tool is legislation that
voluntarily asks companies to participate to minimize the loss of data.
I encourage my colleagues, as the vice chair and I have--we are going
to oppose all the amendments that come up. We have gone through all the
amendments, and those which we could accept and which we felt embraced
the balance we had achieved and could still hold together the support
across the country--we incorporated those in the managers' amendment,
and that managers' amendment will be voted on when we come back on
Monday or Tuesday.
With that, I yield the floor to my vice chair.
The PRESIDING OFFICER. The Senator from California.
Mrs. FEINSTEIN. Mr. President, I ask the Senate to vote no on this
amendment, and I would like to explain why. This amendment would create
an exemption to the bill's narrowly tailored liability protections for
companies that take responsible actions to look for cyber threats and
share information about them if a company ``breaks a user or privacy
agreement with a customer, regardless of how trivial it may be.''
The underlying cyber bill has been carefully drafted to ensure that
it is totally voluntary and that activities can only be conducted on a
customer's behalf with express authorization.
Let me read the language in the bill. The bill reads:
Nothing in this title shall be construed--
(1) to amend, repeal, or supersede any current or future
contractual agreement, terms of service agreement, or other
contractual relationship between any entities, or between any
entity and a Federal entity.
There is tremendous objection to the Paul amendment that is coming in
from the chamber of commerce, various companies, and the health
industry. They understand what is in our bill. This amendment would
actually fatally disturb what is in the bill, which is clear and
concise.
I urge a ``no'' vote.
The PRESIDING OFFICER. The Senator from Kentucky.
Mr. PAUL. Mr. President, this cyber security bill attempts to enhance
security for transactions on the Internet but I think actually weakens
privacy in the process. The bill would grant legal immunity to
companies that, in sharing information, actually violate your privacy.
Most companies have a privacy agreement. You see it when you get on
the Internet. It is supposed to guarantee that your information,
individual choices, and consumer choices on the Internet are not
revealed to anyone. This bill says that if the company violates it in
sharing your information, there will be legal immunity for that
company. I think that weakens privacy. It makes the privacy agreement
not really worth the paper it is written on.
I think privacy is of great concern to Americans. The government
doesn't have a very good record with privacy. In the news today, a
teenager is now reading the email of the CIA Director. It doesn't sound
as though the government is very good at protecting privacy. I am not
really excited about letting them have more information.
The government revealed 20 million individual records of their
employees, private records of their employees. This is the same
government that now says: Trust us, and let's give everybody involved
immunity so the consumer has no recourse if their privacy is breached.
This is the same government that allowed the ObamaCare Web site to be
hacked and looked at. This is a government that doesn't have a lot of
concern or ability to protect privacy. We are now asked to entrust this
government with volumes and volumes of personal information sent across
the vastness of the Internet. There is good reason that many of our
largest technological companies oppose this legislation.
My amendment will give companies and Internet users clarity on what
information is shared with the government, and it will protect the
privacy agreement.
The PRESIDING OFFICER. The Senator from California.
Mrs. FEINSTEIN. Mr. President, I would like to respond to that
because we have been told that for the industries that support this
bill, this amendment is a bill killer, and the opposition to it has
come in far and wide. We have 52 industrial associations in business,
finance, banking, petroleum, waterworks, railroads, public power, real
estate, and retail--52 associations that are on your desk--supporting
it. In particular, the health industry has weighed in against this
amendment.
We accomplished the purpose in our bill in a way that is acceptable.
Please vote no.
I yield the floor.
The PRESIDING OFFICER. The Senator from Kentucky.
Mr. PAUL. Mr. President, let us be clear that most of the high-tech
companies that have anything to do with the Internet and anything to do
with information sharing oppose this bill.
The PRESIDING OFFICER. The Senator from North Carolina.
Mr. BURR. Mr. President, I think everybody would like to vote, but I
will say one last thing to my colleagues.
Any company in America--any company in America--that chooses not to
participate, doesn't have to. If for some reason they find there is
something in this piece of legislation they are uncomfortable with or
they are concerned about with regard to the transfer of any personal
data, it is very simple: They do not have to participate. But to deny
everybody who would like to participate is wrong.
I would encourage my colleagues to defeat the amendment and support
moving on.
I yield the floor.
The PRESIDING OFFICER. The question is on agreeing to amendment No.
2564, as modified.
Mr. PAUL. I ask for the yeas and nays.
The PRESIDING OFFICER. Is there a sufficient second?
There appears to be a sufficient second.
The clerk will call the roll.
The bill clerk called the roll.
Mr. CORNYN. The following Senators are necessarily absent: the
Senator from South Carolina (Mr. Graham), the Senator from Florida (Mr.
Rubio), and the Senator from Louisiana (Mr. Vitter).
The PRESIDING OFFICER (Mrs. Fischer). Are there any other Senators in
the Chamber desiring to vote?
The result was announced--yeas 32, nays 65, as follows:
[Rollcall Vote No. 282 Leg.]
YEAS--32
Baldwin
Barrasso
Bennet
Booker
Boxer
Brown
Cantwell
Cardin
Coons
Crapo
Cruz
Daines
Durbin
Enzi
Franken
Gillibrand
Heinrich
Heller
Leahy
Lee
Markey
Menendez
Merkley
Murkowski
Murray
Paul
Sanders
Schumer
Sullivan
Udall
Warren
Wyden
NAYS--65
Alexander
Ayotte
Blumenthal
Blunt
Boozman
Burr
Capito
Carper
Casey
Cassidy
Coats
Cochran
Collins
Corker
Cornyn
Cotton
Donnelly
Ernst
Feinstein
Fischer
Flake
Gardner
Grassley
Hatch
Heitkamp
Hirono
Hoeven
Inhofe
Isakson
Johnson
Kaine
King
Kirk
Klobuchar
Lankford
Manchin
McCain
McCaskill
McConnell
Mikulski
Moran
Murphy
Nelson
Perdue
Peters
Portman
Reed
Reid
Risch
Roberts
Rounds
Sasse
Schatz
Scott
Sessions
Shaheen
Shelby
Stabenow
Tester
Thune
Tillis
Toomey
Warner
Whitehouse
Wicker
NOT VOTING--3
Graham
Rubio
Vitter
The amendment (No. 2564), as modified, was rejected.
Ms. COLLINS. Madam President, I ask unanimous consent to speak as in
morning business for not longer than 10 minutes.
The PRESIDING OFFICER. Without objection, it is so ordered.
(The remarks of Ms. Collins pertaining to the introduction of S. 2194
are printed in today's Record under ``Statements on Introduced Bills
and Joint Resolutions.'')
Ms. COLLINS. Madam President, I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The senior assistant legislative clerk proceeded to call the roll.
Mr. MERKLEY. Madam President, I ask unanimous consent that the order
for the quorum call be rescinded.
The PRESIDING OFFICER. Without objection, it is so ordered.
[...]
[Congressional Record Volume 161, Number 155 (Thursday, October 22, 2015)]
[Senate]
[Pages S7452-S7453]
CYBERSECURITY INFORMATION SHARING ACT
Mr. FRANKEN. Mr. President, I rise today to talk about the
Intelligence Committee bill we are currently debating, the
Cybersecurity Information Sharing Act of 2015, or CISA.
This Chamber sees its fair share of disagreements, so it is worth
noting when there is something we can all agree on, and I think we can
all agree on the need for congressional action on cyber security. We
face ever-increasing cyber attacks from sophisticated individuals,
organized crime syndicates, and foreign regimes. These attacks pose a
real threat to our economy and to our national security. It is clear
that we must respond to these new threats because the cost of
complacency is too high, but it is critical, in deciding how we protect
our information networks, that we also continue to protect the
fundamental privacy rights and civil liberties of Americans. In short,
there is a pressing need for meaningful, effective cyber security
legislation that balances privacy and security. Unfortunately, as it
now stands, the Cybersecurity Information Sharing Act falls short.
Since this legislation was first introduced, I and a number of my
colleagues on both sides of the aisle have raised serious concerns
about the problems the bill presents for Americans' privacy and for the
effective operation of our Nation's cyber defense. My colleagues and I
are not alone. Serious concerns have been raised by technologists and
security experts, civil society organizations from across the political
spectrum, and major tech companies, such as Apple, Dropbox, Twitter,
Yelp, salesforce.com, and Mozilla. Neither the Business Software
Alliance nor the Computer & Communications Industry Association
supports CISA as written.
In a letter I received from the Department of Homeland Security this
summer, the agency--which has a leading role in cyber security for the
Federal Government--expressed concern about specific aspects of CISA.
DHS explained that under the bill's approach, ``the complexity--for
both government and businesses--and inefficiency of any information
sharing program will markedly increase.'' The letter explained that
CISA would do away with important privacy protections and could make it
harder, not easier, to develop ``a single, comprehensive picture of the
range of cyber threats faced daily.''
Senator Burr and Senator Feinstein, the bill managers, have worked
very hard over the last months to improve various aspects of the bill,
and their substitute amendment offers a significantly improved version
of CISA. I really appreciate their efforts, but it is clear to me and
others that the improvements did not go far enough. Major concerns
raised in the letter from DHS and voiced by security experts, privacy
advocates, and tech companies still have not been resolved. Let me
briefly describe three of them.
First, the bill gives companies a free pass to engage in network
monitoring and information sharing activities, as well as the operation
of defensive measures, in response to anything they deem a ``cyber
security threat,'' no matter how improbable it is that it constitutes a
risk of any kind.
The term ``cyber security threat'' is really the linchpin of this
bill. Companies can monitor systems, share cyber threat indicators with
one another or with the government, and deploy defensive measures to
protect against any cyber security threats. So the definition of
``cyber security threat'' is pretty important, and the bill defines
``cyber security threat'' to include any action that ``may result in an
unauthorized effort to adversely impact'' cyber security. Under this
definition, companies can take action even if it is unreasonable to
think that security might be compromised.
This raises serious concerns about the scope of all of the
authorities granted by the bill and the privacy implications of those
authorities. Security experts and advocates have warned that in this
context, establishing the broadest possible definition of ``cyber
security threat'' actually threatens to undermine security by
increasing the amount of unreliable information shared with the
government.
I have written an amendment, which is cosponsored by Senators Leahy,
Wyden, and Durbin, which would set the bar a bit higher, requiring that
a threat be at least ``reasonably likely'' to result in an effort to
adversely impact security. This standard gives companies plenty of
flexibility. They don't need to be certain that an incident or event is
an attack before they share information, but they should have at least
determined that it is a plausible threat.
The definition of a cyber security threat isn't the only problematic
provision of the bill. This brings me to the second concern that I
would like to highlight. The bill provides a blanket authorization that
allows companies to share information ``notwithstanding any other
provision of law.'' As DHS explained this past summer, that statutory
language ``sweeps away important privacy protections.'' Indeed, it
means that CISA would override all existing privacy laws, from the
Electronic Communications Privacy Act, ECPA, to HIPAA, a law that
protects sensitive health information.
Moreover, this blanket authorization applies to sharing done with any
Federal agency. Companies are free to directly share with whomever they
may choose, including law enforcement and military intelligence
agencies. This means that, unbeknownst to their customers, companies
may share information that contains customers' personal information
with NSA, FBI, and others. From a security perspective, it also means
we are setting up a diffuse system. I want to emphasize this. This is
setting up a diffuse system that, as DHS's letter acknowledged, is
likely to be complex and inefficient, where it is
actually harder for our cyber security experts to connect the dots and
keep us safe.
These are all reasons why privacy experts, independent security
experts, and the Department of Homeland Security have all warned that
CISA's blanket authorization is a problem.
Earlier this year, the House avoided this problem when they passed
the National Cybersecurity Protection Advancement Act by a vote of 355
to 63. That information sharing bill only authorizes sharing with the
government through a single civilian hub at the Department of Homeland
Security--a move toward efficient streamlining of information that is
also good for privacy. But understand that this is the House of
Representatives, 355 to 63, saying: Let's make this easier for the
government to have all the information in one place.
Finally, CISA fails to adequately assure the removal of irrelevant
personal information. This, of course, is a major concern. The bill
allows personal information to be shared even when there is a high
likelihood that the information is not related to a cyber security
threat. Combined with the bill's overly broad definition of ``cyber
security threat,'' this basically ensures that private entities will
share extraneous information from Americans' personal communications.
If companies are going to receive the broad liability protection this
bill provides, they should be expected to do better than this.
Senator Wyden has offered an amendment, which I am proud to be the
cosponsor of, which would require companies to be more diligent and to
remove ``to the extent feasible'' any personal information that isn't
necessary to identify a cyber security threat. The ``extent feasible''
is a crucial improvement, but it is hardly novel; in fact, it is
basically the same standard that is in place today when information is
shared between private companies and the Department of Homeland
Security. There is no justification for lowering that standard in CISA,
especially because the bill also provides companies with significant
liability protection.
Mr. President, the amendments I have talked about today, as well as a
number of other pending amendments, would make CISA a better deal, one
that is significantly more protective of Americans' privacy and more
likely to advance cyber security. I want to encourage my colleagues to
support these amendments. Without them, I fear that, however well
intentioned, CISA would do a disservice to the American people.
I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The senior assistant legislative clerk proceeded to call the roll.
Mr. CARPER. Mr. President, I ask unanimous consent that the order for
the quorum call be rescinded.
The PRESIDING OFFICER. Without objection, it is so ordered.