[Congressional Record Volume 161, Number 92 (Wednesday, June 10, 2015)]
[Senate]
[Pages S3986-S4017]


        NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2016

[...]

                 Cybersecurity Information Sharing Act

  Mrs. FEINSTEIN. Mr. President, last week we learned of the latest in 
the string of massive breaches of private information from cyber 
penetrations, this time of government personnel records held by the 
Office of Personnel Management.
  In its annual worldwide threat assessment, the intelligence community 
this year ranked cyber intrusions and attacks as the No. 1 threat to 
our Nation's security. Cyber attacks and threats are also a major drag 
on our economy, with the theft of billions and billions of dollars of 
intellectual property and actual money from our Nation's businesses. 
Quite simply, cyber attacks are a major and growing threat to every 
aspect of our life.
  It is with that background that Senator Burr and I began working 
early this year on a new cyber security information-sharing bill. It is 
a first-step bill, in that for sharing company to company or sharing 
cyber threat information directly with the government, a company would 
receive liability protection and therefore feel free to have this kind 
of constructive interchange.
  The Senate Select Intelligence Committee produced the bill in the 
last Congress, but it didn't receive a vote. Chairman Burr and I have 
been determined not only to get a vote but to get a bill signed into 
law. It should be evident to everybody that the only way we will get 
this done is if it is bipartisan.
  With significant compromises on both sides, we put together the 
Cybersecurity Information Sharing Act, a bill approved in March by our 
Intelligence Committee by an overwhelming 14-to-1 vote. That bill has 
been ready for Senate consideration for nearly 3 months but has not yet 
been brought to the floor.
  Last week's attack underscores why such legislation is necessary.
  The Democratic leader told me many weeks ago that this issue is too 
important for political wrangling, that he would not seek to block or 
slow down consideration of the bill and would work to move the bill 
quickly. So the bill is ready for floor consideration.
  Now, a number of my colleagues would like to propose amendments--as 
is their right--and I expect I would support some of them and would 
oppose some of them. The Senate should have an opportunity to fully 
consider the bill and to receive the input of other committees with 
jurisdiction in this area. Unless we do this, we won't have a 
bipartisan vote, I believe, because, like it or not, no matter how 
simple--and I have been through two bills now--this was not an easy 
bill to draft because there are conflicts on both sides.
  Filing the cyber security bill as an amendment to the Defense 
authorization bill prompted a lot of legitimate and understandable 
concern from both sides of the aisle. People want debate on the 
legislation, and they want an opportunity to offer relevant amendments. 
To do this as an amendment--when Senator Burr discussed it with me, I 
indicated I did not want to go on and make that proposal--I think is a 
mistake.
  I very much hope that the majority leader will reconsider this path, 
and that once we have finished with the Defense authorization bill, the 
Senate can take up, consider, and hopefully approve the cyber security 
legislation. I think if we do it any other way, we are in for real 
trouble, and this is the product of experience. So I very much hope 
that there can be a change in procedure and that this bill--I know our 
leader will agree--could come up directly following the Defense 
authorization bill.
  I thank the Chair, and I yield the floor.

[...]

                           Amendment No. 1921

  Mr. McCAIN. Madam President, I want to say a few words about the Burr 
amendment, No. 1921, which has now been made pending. I am thankful for 
the leadership of Chairman Burr and Vice Chairman Feinstein.
  The language of this amendment, of which I am an original cosponsor, 
was overwhelmingly approved by a 14-to-1 vote in the Senate Select 
Committee on Intelligence in March.
  Implementing legislation to address a long list of cyber threats that 
have become all too common is among my highest priorities. Earlier this 
month, it was the Office of Personnel Management and the Army. A few 
weeks before that, it was the Pentagon network, the White House, and 
the State Department. Before that, it was Anthem and Sony. That is just 
to name a few.
  I am pleased we are able to consider this amendment on the National 
Defense Authorization Act. This voluntary information sharing is 
critical to addressing these threats and ensuring that mechanisms are 
in place to identify those responsible for costly and crippling cyber 
attacks and ultimately deterring future attacks.
  Our current defenses are inadequate, and our overall cyber strategy 
has failed to deter cyber adversaries from continued attacks of 
intellectual property theft and cyber espionage against the U.S. 
Government and American companies. This failure to develop a meaningful 
cyber deterrent strategy has increased the resolve of our adversaries 
and will continue to do so at a growing risk to our national security 
until we demonstrate that the consequences of exploiting the United 
States through cyber greatly outweigh any perceived benefit.
  This amendment is a crucial piece of that overall deterrent strategy, 
and it is long past time that Congress move forward on information-
sharing legislation. This legislation--again, 14 to 1 from the Select 
Committee on Intelligence--complements a number of critical cyber 
provisions which are already in the bill which will ensure that the 
Department of Defense has the capabilities it needs to deter 
aggression, defend our national security interests, and, when called 
upon, defeat our adversaries in cyber space.
  The bill authorizes the Secretary of Defense to develop, prepare, 
coordinate, and, when authorized by the President, conduct a military 
cyber operation in response to malicious cyber activity carried out 
against the United States or a U.S. person by a foreign power.
  The bill includes a provision requiring the Secretary of Defense to 
conduct biennial exercises on responding to cyber attacks against 
critical infrastructure. It limits $10 million in funds available to 
the Department of Defense to provide support services to the Executive 
Office of the President until the President submits the integrated 
policy to deter adversaries in cyber space, which was required by the 
National Defense Authorization Act for Fiscal Year 2014.
  It authorizes $200 million for a directed evaluation by the Secretary 
of Defense of the cyber vulnerabilities of every major DOD weapons 
system by not later than December 31, 2019.
  It requires an independent panel on DOD war games to assess the 
ability of the national mission forces of the U.S. Cyber Command to 
reliably prevent or block large-scale attacks on the United States by 
foreign powers with capabilities comparable to those expected of China, 
Iran, North Korea, and Russia in years 2020 and 2025.
  It establishes a $75 million cyber operations procurement fund for 
the commander of U.S. Cyber Command to exercise limited acquisition 
authorities.
  It directs the Secretary of Defense to designate Department of 
Defense entities to be responsible for the acquisition of critical 
cyber capabilities.
  The cyber security bill was passed through the Select Committee on 
Intelligence because that is clearly, in many respects, among the 
responsibilities of the Select Committee on Intelligence. But I think 
it is obvious to anyone that the Department of Defense is a major 
player. I just outlined a number of the provisions of the bill which 
are directly overseen and related to the Department of Defense.
  So my friends on the other side of the aisle seem to be all torqued-
up about the fact that this cyber bill should be divorced from the 
Department of Defense. I know that my colleagues on the other side of 
the aisle are very aware that just in the last few days, 4 million 
Americans--4 million Americans--had their privacy compromised by a 
cyber attack. The Chairman of the Joint Chiefs of Staff has stated that 
we are ahead in every aspect of a potential adversary except for one, 
and that is cyber. There are great threats that are now literally to 
America's supremacy in space and to many other aspects of technology 
that have been developed throughout the world and are now part of our 
daily lives.
  So I am not quite sure why my friends on the other side of the aisle 
should take such exception to legislation that addresses our national 
security and the threats to it, which literally every expert in America 
has agreed is a major threat to our ability to defend the Nation.
  So I think there are colleagues who are not on the Intelligence 
Committee and are not familiar with the provisions of this bill. It 
clearly is not only Department of Defense-related, but it is Department 
of Defense-centric, with funds available to DOD to provide services to 
the Executive Office of the President, $200 million, cyber 
vulnerabilities of major DOD weapons system, an independent panel on 
DOD war games, and on and on. It is Department of Defense-related, and 
it is the whole purpose of the Defense authorization bill, which is to 
defend the Nation. To leave cyber security out of that--yes, there are 
some provisions in the underlying bill, but this hones and refines the 
requirements that we are badly in need of and gives the President of 
the United States and Secretary of Defense tools to try to limit the 
damage that is occurring as we speak.
  I want to repeat--and to my colleague from Indiana who is a member of 
that committee, I would ask him--4 million Americans recently were 
compromised by cyber attack.
  Mr. COATS. In response to my friend from Arizona----
  Mr. McCAIN. Madam President, I ask unanimous consent to engage in a 
colloquy with the Senator from Indiana.
  The PRESIDING OFFICER. Is there objection?
  Without objection, it is so ordered.
  Mr. COATS. Madam President, this is a serious breach, and there is 
more to the story to be told. It shows the extreme position that we are 
in here as Americans, as there are those who want to take this country 
down, those who want to invade privacy of Americans and have the 
capabilities of breaching this. The legislation before us, and the 
reason why it is brought here now and, hopefully, will be attached to 
the Defense bill is that this needs to be done now and not later. How 
many breaches do we have to hear about--whether it is the private 
sector or whether it is the government sector--before this Congress and 
this Senate will stand up and say we have the capability of preventing 
some of these things from happening, but we need the legislative 
authority to do it. To delay and not even allow us to go forward with 
this puts more and more millions of Americans at risk, whether they 
work for the government or are in private industry.
  Mr. McCAIN. And isn't it true, I would ask my colleague from Indiana, 
that the Chairman of the Joint Chiefs of Staff recently stated that in 
the potential of our adversaries to threaten our security, we have a 
definite superiority in all areas except for one, which is in the issue 
of cyber security; is that correct?
  Mr. COATS. I think that is obvious, because, clearly, while we have 
the capability to address some of these issues, we are not allowed to 
use the capability. This legislation gives us the opportunity to have a 
cooperative effort. Some of those who resist the use of this because 
they think it is potentially a breach of privacy now understand that 
breaches are occurring from outside and into the United States, by 
those who are enemies of the state, those who are criminal groups, 
those who are terrorist groups. While we may have the capacity to deal 
with this, without this legislative authority we are not allowed to use 
it.
  So what an irony--what an irony that some are saying: We can't trust 
the government on this to help us. This is defense. This is like saying 
we can't trust the Department of Defense, we can't trust the Army or 
the Navy to protect us from attack because it is government-run. Now, 
they are saying there are some operations in government here that are 
part of our defenses that can't be used until we have authority. The 
irony is that people's privacies are being breached by all of these 
attempts, and we are denying the opportunity to put the tools in place 
to stop that from happening.
  Mr. McCAIN. Could I ask my colleague again: The 4 million people 
whose privacy was just breached--4 million Americans--what potential 
damage is that to those individual Americans?
  Mr. COATS. Well, we are just learning what damage this is and how it 
can be misused in any number of ways. Some of this information is 
classified. But I can say to my colleague from Arizona, the chairman of 
the Armed Services Committee, that this puts some of our people and 
some of our systems in great peril. It is something that needs to be 
addressed now and not pushed down the line.
  Mr. McCAIN. So it seems to me that to those 4 million Americans, we 
owe them and it is our responsibility--in fact, our urgent 
responsibility--to try to prevent that same kind of breach from being 
perpetrated on 4 million or 8 million or 10 million more Americans. If 
they are capable of doing it once to 4 million Americans, what is to 
keep them from doing the same thing to millions of Americans more, if 
we sit here idly by and do nothing on the grounds that the objection is 
that it is not part of the Department of Defense 
bill, which seems to me almost ludicrous?
  Mr. COATS. Well, since the Department of Defense is one of those 
agencies being attacked, I would certainly think this is the 
appropriate attachment to a bill for which, hopefully, we will be given 
the opportunity by our friends across the aisle. Hopefully, we will be 
able to pass it in the Senate, move it on to the House, and get it to 
the President so that these authorities can be in place.
  The Senator mentioned 4 million. A company whose headquarters is in 
the State of Indiana, Anthem insurance company, was breached--and this 
is public information--of 80 million people on their rolls. That is 
almost one-third of all Americans who have had their private 
information breached by a cyber attack--not to mention the threat that 
comes from cyber attack on our critical infrastructure.
  What if they take down the financial system of one of our major banks 
or several banks? What if they take down the financial transactions 
that they place on Wall Street every day? What if they shut down an 
electric power grid in the middle of February when the temperatures in 
the Northeast are in minus-Fahrenheit temperatures or when it is 110 
degrees in Phoenix and you lose your power and can't turn on air 
conditioning? People will die. People will be severely impacted by 
this. To not go forward and give authorization to use the tools to try 
to better protect American safety is not only unreasonable but is a 
very serious thing.
  Mr. McCAIN. I thank my colleague from Indiana for his outstanding 
work on a very difficult issue that poses a threat to every American 
and citizens throughout the world.
  I yield the floor.

[...]

                 Cybersecurity Information Sharing Act

  Mr. WYDEN. Mr. President, I wish to speak this afternoon about a 
controversial proposal, the Cybersecurity Information Sharing Act, 
otherwise known as CISA, which was filed yesterday as an amendment to 
the Defense authorization bill.
  I want to begin by saying to the Senate that I believe tacking this 
legislation onto the Defense bill would, in my view, be a significant 
mistake. I expect our colleagues are going to have a wide range of 
views about this legislation, and I hope the Senate can agree that 
bills as controversial as this one ought to be subject to public debate 
and an open-ended process, not stapled onto unrelated legislation with 
only a modest amount of discussion.
  This is particularly true given the issue of cyber security, which is 
going to have a significant impact on the security and the well-being 
of the American people and obviously the consumer rights and the 
privacy of law-abiding Americans. Because it is designed to increase 
government collection of information from private companies, I am of 
the view that for the Senate to have this expansion of collecting so 
much information about the people of the United States, for it to have 
real legitimacy in the eyes of the public, it is important to have open 
debate, with votes on amendments from Senators who have a wide variety 
of opinions on the issue of cyber security. Trying to rush this bill 
through the Senate, in my view, is not going to increase public 
confidence.
  So let me be clear about the process and talk a bit about the 
substance of the legislation as well. I believe tacking it onto the 
Defense bill is a flawed process. But I think there are also 
significant flaws with the substance of the legislation as well. Dozens 
of independent experts agree this legislation will have serious 
consequences and do little to make our Nation more secure at a time 
when cyber threats are very real. The issue of cyber threats requires 
more than a placebo, and this legislation is a band-aid on a gaping 
wound. I believe the Senate, having the time for adequate reflection 
and amendment, can do better.
  In beginning, I would like the Senate to know just how much 
controversy and concern this legislation has generated among those who 
are considered independent experts on cyber security. Shortly before 
the Intelligence Committee, which I have been honored to serve on for 
more than 14 years--shortly before the committee marked up this 
legislation, a coalition of nearly 50 organizations and security 
experts wrote to the members of the Intelligence Committee expressing 
serious concerns about the legislation.
  Mr. President, I ask unanimous consent that this letter be printed in 
the Record.

  There being no objection, the material was ordered to be printed in 
the Record, as follows:
     Re Cyber Threat Information Sharing Bills

                                                   April 16, 2015.
     Senator Dianne Feinstein,
     Hart Senate Office Building,
     Washington, DC.
     Congressman Adam Schiff,
     Rayburn House Office Building,
     Washington, DC.
     Congressman Michael McCaul,
     Cannon House Office Building,
     Washington, DC.
     Senator Richard Burr,
     Russell Senate Office Building,
     Washington, DC.
     Congressman Devin Nunes,
     Longworth House Office Building,
     Washington, DC.
       Dear Senator Burr, Senator Feinstein, and Representatives 
     Nunes, Schiff, and McCaul: We are writing you today as 
     technologists, academics, and computer and network security 
     professionals who research, report on, and defend against 
     Internet security threats. Among us are antivirus and threat 
     signature developers, security researchers and analysts, and 
     system administrators charged with securing networks. We have 
     devoted our careers to building security technologies, and to 
     protecting networks, computers, and critical infrastructure 
     against a wide variety of even highly sophisticated attacks.
       We do not need new legal authorities to share information 
     that helps us protect our systems from future attacks. When a 
     system is attacked, the compromise will leave a trail, and 
     investigators can collect these bread crumbs. Some of that 
     data empowers other system operators to check and see if 
     they, too, have been attacked, and also to guard against 
     being similarly attacked in the future. Generally speaking, 
     security practitioners can and do share this information with 
     each other and with the federal government while still 
     complying with our obligations under federal privacy law.
       Significantly, threat data that security professionals use 
     to protect networks from future attacks is a far more narrow 
     category of information than those included in the bills 
     being considered by Congress, and will only rarely contain 
     private information. In those rare cases, we generally scrub 
     the data without losing the effectiveness of the threat 
     signature.
       These are some common categories of data that we share to 
     figure out if systems have been compromised (indicators of 
     compromise, or IoCs) and to mitigate future threats:
       Malware file names, code, and hashes
       Objects (code) that communicate with malware
       Compile times: data about the conversion of source code to 
     binary code
       File size
       File path location: where on the computer system malware 
     files are stored
       Registry keys: configuration settings for low-level 
     operating system and applications
       Memory process or running service information
       Attached to this letter is an actual example of a threat 
     signature containing data that helps system administrators 
     secure their networks. You'll see that the information does 
     not contain users' private information.
       Waiving privacy rights will not make security sharing 
     better. The more narrowly security practitioners can define 
     these IoCs and the less personal information that is in them, 
     the better. Private information about individual users is 
     often a detriment in developing threat signatures because we 
     need to be able to identify an attack no matter where it 
     comes from and no matter who the target is. Any bill that 
     allows for and results in significant sharing of personal 
     information could decrease the signal-to-noise ratio and make 
     IoCs less actionable.
       Further, sharing users' private information creates new 
     security risks. Here are just three examples: First, any IoC 
     that contains personal information exacerbates the danger of 
     false-positives, that innocent behavior will erroneously be 
     classified as a threat. Second, distribution of private data 
     like passwords could expose our users to unauthorized access, 
     since, unfortunately, many people use the same password 
     across multiple sites. Third, private data contained in 
     personal emails or other messages can be abused by criminals 
     developing targeted phishing attacks in which they masquerade 
     as known and trusted correspondents.
       For these reasons, we do not support any of the three 
     information sharing bills currently under consideration--the 
     Cybersecurity Information Sharing Act (CISA), the Protecting 
     Cyber Networks Act (PCNA), or the National Cybersecurity 
     Protection Advancement Act of 2015. These bills permit 
     overbroad sharing far beyond the IoCs described above that 
     are necessary to respond to an attack, including all 
     ``harms'' of an attack. This excess sharing will not aid 
     cybersecurity, but would significantly harm privacy and could 
     actually undermine our ability to effectively respond to 
     threats.
       As a general rule, when we do need to share addressing 
     information, we are sharing the addresses of servers which 
     are used to host malware, or to which a compromised computer 
     will connect for the exfiltration of data. In these cases, 
     this addressing information helps potential victims block 
     malicious incoming connections. These addresses do not belong 
     to subscribers or customers of the victims of a security 
     breach or of our clients whose systems we are helping to 
     secure. Sharing this kind of addressing is a common current 
     practice. We do not see the need for new authorities to 
     enable this sharing.
       Before any information sharing bill moves further, it 
     should be improved to contain at least the following three 
     features:
       1. Narrowly define the categories of information to be 
     shared as only those needed for securing systems against 
     future attacks;
       2. Require firms to effectively scrub all personally 
     identifying information and other private data not necessary 
     to identify or respond to a threat; and
       3. Not allow the shared information to be used for anything 
     other than securing systems.
       We appreciate your interest in making our networks more 
     secure, but the legislation proposed does not materially 
     further that goal, and at the same time it puts our users' 
     privacy at risk. These bills weaken privacy law without 
     promoting security. We urge you to reject them.
           Sincerely,
       Ben Adida; Jacob Appelbaum, Security and privacy 
     researcher, The Tor Project; Sergey Bratus, Research 
     Associate Professor, Computer Science Department, Dartmouth 
     College; Eric Brunner-Williams, CTO, Wampumpeag; Dominique 
     Brezinski, Principal Security Engineer, Amazon.com; Jon 
     Callas; Katherine Carpenter, Independent Consultant; Antonios 
     A. Chariton, Security Researcher, Institute of Computer 
     Science, Foundation of Research and Technology--Hellas; 
     Stephen Checkoway, Assistant Research Professor, Johns 
     Hopkins University; Gordon Cook, Technologist, writer, editor 
     and publisher of ``COOK report on Internet Protocol'' since 
     1992; Shaun Cooley, Distinguished Engineer, Cisco; John 
     Covici, Systems Administrator, Covici Computer Systems; Tom 
     Cross, CTO, Drawbridge Networks; David L. Dill, Professor of 
     Computer Science, Stanford University; A. Riley Eller, Chief 
     Technology Officer, CoCo Communications Corp; Rik Farrow, 
     USENIX.
       Robert G. Ferrell, Special Agent (retired), U.S. Dept of 
     Defense; Kevin Finisterre, Owner, DigitalMunition; Bryan 
     Ford, Associate Professor of Computer Science, Yale 
     University; Dr. Richard Forno, Affiliate, Stanford Center for 
     Internet and Society; Paul Ferguson, Vice President, Threat 
     Intelligence; Jim Fruchterman, Benetech; Kevin Gennuso, 
     Information Security Professional; Dan Gillmor, Teacher and 
     technology writer; Sharon Goldberg, assistant professor, 
     Computer Science Department, Boston University; Joe Grand, 
     Principal Engineer, Grand Idea Studio, Inc.; Thaddeus T 
     Grugq, independent security researcher; J. Alex Halderman, 
     Morris Wellman Faculty Development Assistant Professor of 
     Computer Science and Engineering, University of Michigan, 
     Director, University of Michigan Center for Computer Security 
     and Society; Professor Carl Hewitt, Emeritus EECS MIT; Gary 
     Knott, PhD (Stanford CS, 1975), CEO, Civilized Software; Rich 
     Kulawiec, Senior Internet Security Architect, Fire on the 
     Mountain, LLC; Ryan Lackey, Product, CloudFlare, Inc.
       Ronald L. Larsen, Dean and Professor, School of Information 
     Sciences, University of Pittsburgh; Christopher Liljenstolpe, 
     Chief architect for AS3561 (at the time about 30% of the 
     Internet backbone by traffic) and AS1221 (Australia's main 
     Internet infrastructure); Ralph Logan, Partner, Logan Haile, 
     LP; Robert J. Lupo, Senior Security Engineer ``sales team'', 
     IBM inc.; Marc Maiffret, Former CTO BeyondTrust; Steve 
     Manzuik, Director of Security Research, Duo Security; Ryan 
     Maple, Information security professional; Brian Martin, 
     President Open Security Foundation (OSF); Morgan Marquis-
     Boire; Aaron Massey, Postdoctoral Fellow, School of 
     Interactive Computing, Georgia Institute of Technology; 
     Andrew McConachie, Network engineer with experience working 
     on Internet infrastructure; Daniel L. McDonald, RTI Advocate 
     and Security Point-of-Contact, illumos Project; Alexander 
     McMillen, Mission critical datacenter and cloud services 
     expert; Charlie Miller, Security Engineer at Twitter; HD 
     Moore, Chief Research Officer, Rapid7.
       Joseph ``Jay'' Moran, Vice President of Cimpress Technology 
     Operations; Peter G. Neumann, Senior Principal Scientist, SRI 
     International, Moderator of the ACM Risks Forum (risks.org); 
     Jesus Oquendo, Information Security Researcher, E-Fensive 
     Security Strategies; Ken Pfeil, CISO, Pioneer investments; 
     Benjamin C. Pierce, Professor of Computer and Information 
     Science, University of Pennsylvania; Ryan Rawdon, Network and 
     Security Engineer; Bruce Schneier, security researcher and 
     cryptographer, published seminal works on applied 
     cryptography; Sid Stamm, Ph.D., Principal Engineer, Security 
     and Privacy, Mozilla; Visiting Assistant Professor of 
     Computer Science, Rose-Hulman Institute of Technology; 
     Armando Stettner, Technology Consultant; Matt Suiche, Staff 
     Engineer, VMware.
       C. Thomas (Space Rogue), Security Strategist Tenable 
     Network Security; Arrigo Triulzi, independent security 
     consultant; Doug Turner, Sr. Director--Privacy, Security, 
     Networking, Mozilla Corporation; Daniel Paul Veditz, 
     Principal Security Engineer, Mozilla, Co-chair Web 
     Application Security Working Group, W3C; David Wagner, 
     Professor of Computer Science, University of California, 
     Berkeley; Dan S. Wallach, Professor, Department of Computer 
     Science and Rice Scholar, Baker Institute for Public Policy, 
     Rice University; Jonathan Weinberg, Professor of Law, Wayne 
     State University; Stephen Wilson, Managing Director and 
     Founder, Lockstep Technologies; Chris Wysopal, CTO and co-
     founder Veracode, Inc.; Stefano Zanero, Board of Governors 
     member, IEEE Computer Society.

  Mr. WYDEN. The signers of the letter expressed very serious concerns 
about the legislation and were particularly concerned it would 
``significantly undermine privacy and civil liberties.'' Unfortunately, 
as the signers of the legislation will report, these concerns were not 
adequately addressed in the committee markup.
  Shortly after the committee markup, a group of 65 technologists and 
cyber security professionals wrote to Chairman Burr and Vice Chairman 
Feinstein expressing their opposition to this legislation.
  Mr. President, I ask unanimous consent that this letter be printed in 
the Record as well.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:
                                                    March 2, 2015.
     Chairman Richard Burr,
     Senate Select Committee on Intelligence, U.S. Senate.
     Vice Chairman Dianne Feinstein,
     Senate Select Committee on Intelligence, U.S. Senate.
       Dear Chairman Burr, Vice Chairman Feinstein, and Members of 
     the Senate Select Committee on Intelligence: We the 
     undersigned civil society organizations, security experts, 
     and academics write to explain how the Cybersecurity 
     Information Sharing Act of 2015 (CISA), would significantly 
     undermine privacy and civil liberties. We now know that the 
     National Security Agency (NSA) has secretly collected the 
     personal information of millions of users, and the revelation 
     of these programs has created a strong need to rein in, 
     rather than expand, government surveillance. CISA disregards 
     the fact that information sharing can--and to be truly 
     effective, must--offer both security and robust privacy 
     protections. The legislation fails to achieve these critical 
     objectives by including:
       Automatic NSA access to personal information shared with a 
     governmental entity;
       Inadequate protections prior to sharing;
       Dangerous authorization for countermeasures; and
       Overbroad authorization for law enforcement use.
       For the following reasons, we urge rejection of CISA in its 
     current form:
       Automatic NSA Access to Personal Information and 
     Communications: Since the summer of 2013, NSA surveillance 
     activities, such as the telephony metadata bulk collection 
     program and the PRISM program, have raised nationwide alarm. 
     CISA ignores these objections, and requires real time 
     dissemination to military and intelligence agencies, 
     including the NSA. Congress should be working to limit the 
     NSA's overbroad authorities to conduct surveillance, rather 
     than passing a bill that would increase the NSA's access to 
     personal information and private communications.
       Automatic sharing with NSA risks not only privacy, but also 
     effectiveness. During a recent House Intelligence Committee 
     hearing, NSA Director Admiral Mike Rogers stated that sharing 
     threat indicators without filtering out personal data would 
     slow operations and negatively impact NSA's cyber defense 
     activities. Further, in the wake of revelations regarding the 
     PRISM program, major tech companies stated that they would 
     not voluntarily share users' information with the NSA. 
     Automated NSA access could thus disincentivize sharing, 
     undercutting the key goal of the legislation.
       Inadequate Protections Prior to Sharing: CISA does not 
     effectively require private entities to strip out information 
     that identifies a specific person prior to sharing cyber 
     threat indicators with the government, a fundamental and 
     important privacy protection. While the bill requires that 
     companies ``review'' cyber threat indicators for information 
     that identifies a specific person and sometimes remove it, 
     the bill contains no standard to ensure that this review 
     effort is--at a minimum--reasonable.
       Further, the bill requires companies to remove that 
     information only for individuals that it knows are ``not 
     directly related to a cybersecurity threat.'' This could 
     encourage companies to retain data by default, unnecessarily 
     exposing the information of innocent bystanders and victims 
     to the government, and making it available to law enforcement 
     for a myriad of investigative uses. Legislation should 
     instead require that prior to sharing, companies make at 
     least a reasonable effort to identify all personally 
     identifiable information and, unless it is necessary to 
     counter the cyber threat before sharing any indicators with 
     the government, remove it. The default should be to preserve 
     privacy, rather than to sacrifice it.
       Dangerous Authorization for Countermeasures: CISA 
     authorizes countermeasures ``notwithstanding any law,'' 
     including the federal Computer Fraud and Abuse Act. As 
     amended by CISA, federal law would permit companies to 
     retaliate against a perceived threat in a manner that may 
     cause significant harm, and undermine cybersecurity. CISA 
     provides that countermeasures must be ``operated on'' one's 
     own information systems, but may have off-network effects--
     including harmful effects to external systems--so long as the 
     countermeasures do not ``intentionally'' destroy other 
     entities' systems. Given the risks of misattribution and
     escalation posed by offensive cyber activities--as well as 
     the potential for misappropriation--this is highly 
     inadvisable. CISA permits companies to recklessly deploy 
     countermeasures that damage networks belonging to innocent 
     bystanders, such as a hospital or emergency responders that 
     attackers use as proxies to hide behind, so long as the 
     deploying company does not intend that the countermeasure 
     result in harm. CISA's authorization would not only 
     inadvisably wipe away the Computer Fraud and Abuse Act's 
     current prohibition against these activities, it would be 
     dangerous to internet security.
       Overbroad Law Enforcement Use: Law enforcement use of 
     information shared for cybersecurity purposes should be 
     limited to prosecuting specific cyber crimes identified in 
     the bill and preventing imminent loss of life or serious 
     bodily harm. CISA goes far beyond this, and permits law 
     enforcement to use information it receives for investigations 
     and prosecutions of a wide range of crimes involving any 
     level of physical force, including those that involve no 
     threat of death or significant bodily harm, as well as for 
     terrorism investigations, which have served as the basis for 
     overbroad collection programs, and any alleged violations of 
     various provisions of the Espionage Act. The lack of use 
     limitations creates yet another loophole for law enforcement 
     to conduct backdoor searches on Americans--including searches 
     of digital communications that would otherwise require law 
     enforcement to obtain a warrant based on probable cause. This 
     undermines Fourth Amendment protections and constitutional 
     principles.
       Cybersecurity legislation should be designed to increase 
     digital hygiene and identify and remediate advanced threats, 
     not create surveillance authorities that would compromise 
     essential privacy rights, and undermine security. 
     Accordingly, we urge that the Committee not approve this bill 
     without addressing these concerns.
       Thank you for your consideration,
       Civil Society Organizations--Access; American-Arab Anti-
     Discrimination Committee; American Library Association; 
     Advocacy for Principled Action in Government; American Civil 
     Liberties Union; Association of Research Libraries; Bill of 
     Rights Defense Committee; Brennan Center for Justice; Center 
     for Democracy & Technology; Center for National Security 
     Studies; Competitive Enterprise Institute; Constitutional 
     Alliance; The Constitution Project; Council on American 
     Islamic Relations; Cyber Policy Project; Defending Dissent 
     Foundation; Demand Progress; Electronic Frontier Foundation; 
     Free Press Action Fund; FreedomWorks; Liberty Coalition; 
     National Association of Criminal Defense Lawyers; New 
     America's Open Technology Institute; Project on Government 
     Oversight; R Street Institute; Sunlight Foundation.
       Security Experts and Academics--Ben Adida, Cryptographer; 
     Jacob Appelbaum, The Tor Project; Alvaro Bedoya, Center on 
     Privacy and Technology at Georgetown Law; Brian Behlendorf; 
     David J Farber, University of Pennsylvania; J. Alex 
     Halderman, University of Michigan; Joan Feigenbaum, Yale 
     University; Bryan Ford, Yale University; Matthew D. Green, 
     Johns Hopkins University; Daniel Kahn Gillmor, Technologist; 
     Susan Landau, Worcester Polytechnic Institute; Sascha 
     Meinrath, X-Lab; Peter G. Neumann, SRI International; Ronald 
     L. Rivest, Massachusetts Institute of Technology; Phillip 
     Rogaway, University of California, Davis; Bruce Schneier, 
     Cryptographer and Security Specialist; Christopher Soghoian, 
     Technologist; Gene Spafford, Purdue University; Micah Sherr, 
     Georgetown University; Adam Shostack; Dan S. Wallach, Rice 
     University; Nicholas Weaver, University of California at 
     Berkeley.

  Mr. WYDEN. This is a particularly important letter. We have some of 
the most distinguished independent experts from across the country--
whether Amazon or Sysco, Stanford University, Dartmouth, some of the 
leading experts in the private sector and academia--expressing real 
concerns about this legislation and its House companion.
  From their letter:

       We appreciate your interest in making our networks more 
     secure, but the legislation proposed does not materially 
     further that goal, and at the same time it puts our users' 
     privacy at risk. These bills weaken privacy law without 
     promoting security. We urge you to reject them.

  The reason I want our colleagues to be aware that these distinguished 
scientists in Silicon Valley, and literally every corner of the 
country, are so concerned is that the American people want both 
security and liberty--and they understand the two are not mutually 
exclusive. What this distinguished group of experts has just said is 
this ``weaken[s] privacy law without promoting security.'' I hope the 
Senate will review what these experts are saying.
  Along the same lines, I note that the Christian Science Monitor 
recently polled a group of more than 78 high-profile security and 
privacy experts from across government, think tanks, and the private 
sector. With these experts, they asked if legislation along the lines 
of this bill--this bill which has been attached to the Defense 
authorization. These experts were asked if this legislation would 
significantly reduce security breaches, and 87 percent said it would 
not. Many of them noted--a concern I have noted in opposing the 
legislation--that incentivizing private companies to share information 
about security threats is a very worthwhile proposition, a worthwhile 
thing to do. But they go on to say that bills like this are going to 
have limited value in that area and would have significant negative 
consequences.
  Now, many of my colleagues may have some disagreement with some of 
the dozens and dozens of independent experts I have just mentioned. 
Some of them may agree with the 13 percent of those experts who said 
this bill will do a lot to reduce security breaches. That is their 
right, and that is what a good Senate debate would be all about. But 
what the Senate should not do is pretend that this legislation is 
uncontroversial and try to rush it through without substantial 
revisions and the chance for Senators on both sides of the aisle to be 
heard.
  Now, I think we all understand why some in the Senate would feel we 
have to move immediately on this issue and in effect be tempted to rush 
to action here. We have all understood there have been a number of 
recent high-profile hacks that have drawn attention to the need to 
improve our Nation's cyber security--and I don't disagree with the 
importance of that at all.
  For example, a major company in Oregon was hacked by the Chinese 
simply because they were trying to enforce their rights under trade 
law.
  So this is not some abstract issue for the people I represent. We 
have seen it in my home State.
  So these high-profile hacks, like the one we saw here recently, are 
obviously drawing attention to the need to improve cyber security. The 
recent compromise of a very large amount of Office of Personnel 
Management data is obviously the latest of these, but it is certainly 
not going to be the last.
  Every single time I read about these kinds of hacks, what I do is--and 
I have a very talented staff from the Intelligence Committee and my own 
office to assist me--I try to reach out and talk to experts in the 
field about ways to improve cyber security. But that doesn't mean every 
single piece of legislation with the word ``cyber security'' in it is 
automatically a good idea that ought to be blessed without revision in 
the Senate.
  The fact is, this particular cyber security bill is largely focused 
on trying to make it more difficult for individuals to be able to take 
on corporations. I understand why the U.S. Chamber of Commerce likes it 
so much. They have always been concerned about the rights of the large 
corporations. Sometimes the inevitable is, well, we are concerned about 
the large corporations, let's make it harder for individuals to be able 
to get a fair shake in the marketplace. But in my judgment, the actual 
cyber security value of this bill would be very limited, and the 
consequences for those individuals who are trying to get a fair shake 
would be quite serious.
  I am going to turn in a moment to the substance of the CISA bill to 
explain why I consider it so problematic and why it needs a major 
revision. But first I am going to take just a few minutes to discuss 
proposals that I believe would actually make a difference in terms of 
improving American cyber security.
  First, the most effective way to improve cyber security is to ensure 
that network owners take responsibility for the security of their 
networks and effectively implement good security practices. This 
proposal was the centerpiece of a 2012 bill called the Lieberman-
Collins cyber security bill, and in my view that legislation was just a 
few changes away from being good cyber security law. Unfortunately, the 
notion of having the government create even voluntary standards for 
private companies was strongly opposed by the U.S. Chamber of Commerce 
and the Congress has not revisited it since.
  Beyond ensuring that network owners take responsibility and implement 
good security practices, it is also important to ensure that government 
agencies do not deliberately weaken security standards.
  I know the Presiding Officer in the Senate has a great interest, as I 
do, in
innovation and American competitiveness. It is pretty hard--when we say 
the words: The American Government is actually thinking, as the FBI 
Director has talked about, about requiring companies to build 
weaknesses into their products--it is pretty hard to get your arms 
around this theory, not the least of which is the reason that once the 
good guys have the keys, the bad guys will also have the keys, which 
will facilitate cyber hacking.
  I have been skeptical of these statements from senior FBI officials 
suggesting that U.S. hardware and software companies should be 
required, as I would characterize it, to weaken the security of their 
products because encryption and other advanced security measures are a 
key part, a key compound of actually improving cyber security.
  I was pleased to see that in the other body, just last week, a new 
amendment from Representatives Massie and Lofgren to prevent the 
government from deliberately weakening encryption standards was voted 
on, and I am very hopeful the Senate will eventually follow suit. In 
fact, I offered that concept in the Intelligence Committee, and 
regrettably it did not pass.
  With regard to government-held data, it is absolutely imperative that 
Federal agencies receive the funding and expertise they need to develop 
and implement strong network security programs and to ensure that they 
have the technical and administrative controls in place to combat a 
wide range of cyber security threats.
  I also believe our government needs to be in a stronger position to 
recruit and retain a capable Federal cyber security workforce by 
ensuring that cyber security professionals can find opportunities in 
government that are as rewarding as those in the private sector. In 
order to ensure that there are enough professionals to fill positions 
in both the private sector and the government, it is obvious that there 
is going to need to be an investment in the education of the next 
generation of cyber security leaders.
  As we talk about responsible approaches to deal with these cyber 
issues, I would like to note that I consider the Consumer Privacy 
Protection Act--a piece of legislation initiated by Senator Leahy--to 
be another step in the right direction. This legislation creates a 
comprehensive approach to data security by requiring companies to build 
a cyber security program that can defend against cyber attacks and 
prevent data breaches. It also protects a wide range of personal 
information, not just name or financial account information but also 
online user names and passwords, information about a person's 
geolocation, and access to private digital photographs and videos.
  Unlike CISA, this legislation would, in my view, provide real tools 
to address the kinds of recent cyber attacks we have seen in the news, 
such as the celebrity photo hack. Unlike CISA, it would also empower 
individuals by requiring companies to notify consumers if their 
information has been lost and would protect the rights offered under 
some State laws for consumers to sue in the event of a privacy 
incident. The Consumer Privacy Protection Act is the right kind of 
responsible, thoughtful approach to cyber security, which is 
legislation that will help us get an added measure of security and 
public protection, while at the same time protecting the individual 
liberties and the privacy of our people.
  Finally, in my judgment, our country needs to be willing to impose 
consequences on foreign entities that attempt to hack into American 
networks and steal large quantities of valuable data. These hacks are 
undermining our national security, our economic competitiveness, and 
the personal privacy of huge numbers of Americans. These consequences 
should draw on the full range of American power, depending on the 
nature of the hack and the entity responsible.
  It would be a failure of American imagination to say that the only 
way to respond to foreign hacking is to have our military and 
intelligence agencies ``hack back,'' as the concept has been known, at 
the parties responsible. We are the most powerful country in the world, 
and our government has a wide variety of tools at its disposal, 
including economic sanctions, law enforcement, and multilateral 
diplomacy. And building a multifaceted strategy to deter foreign 
hacking is going to require all of those kinds of tools I have 
mentioned by way of articulating responsible steps to deal with cyber 
security, steps that protect both our security and liberty. All of 
those tools are ones we will have to draw on.
  Having laid out ways that the Senate on a bipartisan basis can 
improve cyber security, I want to turn to the proposal in detail that 
is now in front of the Senate. As I have said, I believe it makes sense 
to encourage private companies to share information about cyber 
security threats. Cyber is a problem. Sharing information can be 
useful, but it is also vital that information sharing not be bereft of 
privacy protections for law-abiding Americans.
  Cyber security is a problem. Information sharing is a plus. But let's 
make no mistake about it--an information-sharing bill that lacks 
privacy protections really is not a cyber security bill; it is a 
surveillance bill. That is what has been one of my major concerns about 
this legislation, that the legislation in front of the Senate--we 
talked about the flaws in the process, but substantively, if you have 
an information-sharing bill that lacks adequate privacy protections, it 
is a surveillance bill by another name.
  When the Senate Intelligence Committee voted on the CISA bill, I 
opposed it. I opposed it because I believe its insufficient privacy 
protections will lead to large volumes of Americans' personal 
information, personal information from law-abiding Americans who have 
done nothing wrong--that they will be faced with the prospect that 
their information is shared with the government even when that 
information is not needed for cyber security. When I say ``personal 
information,'' I am talking about the contents of emails, financial 
information, and what amounts to any data at all that is stored 
electronically.
  Some of my colleagues have stressed that companies will have a choice 
about whether to participate in this information-sharing part of the 
legislation. That is true, but while corporations will have a choice 
about whether to participate, they will be able to do so without the 
knowledge or consent of their customers, and they will receive broad 
liability protections when they do so. The CISA bill as written trumps 
all Federal privacy laws.
  Furthermore, once this information is shared with the government, 
government agencies will be permitted to use it for a wide variety of 
purposes unrelated to cyber security. The bill creates what I consider 
to be a double standard--really a bizarre double standard in that 
private information that is shared about individuals can be used for a 
variety of non-cyber security purposes, including law enforcement 
action against these individuals, but information about the companies 
supplying that information generally may not be used to police those 
companies.
  I will tell you, I think that will be pretty hard to explain at a 
townhall meeting in virtually any corner of America because I believe 
it is wrong to say that the privacy rights of corporations matter more 
than the privacy rights of individual Americans.
  I expect that some colleagues will say that it is not their intent to 
authorize this excessively broad collection. The argument will be that 
this is legislation to encourage companies to share information about 
actual cyber security threats, such as lines of malicious code and 
signatures of hostile cyber actors. Again, I would say to colleagues 
that I am all for encouraging companies to share information about 
genuine security threats, but if you read the language that is now 
before the Senate in the cyber security bill, the language of that bill 
is much broader than just sharing information about genuine security 
threats.
  If Senators want to pass a bill that is focused on real cyber 
security threats and includes real protection for Americans' privacy, 
then the Senate should add language specifying that companies should 
only provide the government with individuals' personal information if 
it is necessary to describe a cyber security threat. That does not seem 
to me to be an unreasonable protection for the privacy of Americans, 
that the Senate would adopt language specifying that the companies 
provide the government with individuals' personal information if it is 
necessary to
describe a cyber threat. That is pretty obvious.
  We can explain that, I would say to the distinguished President of 
the Senate, at a townhall meeting, that if it is related to a cyber 
security threat, then the companies would provide individuals' personal 
information. But this would discourage companies from unnecessarily 
sharing large amounts of their customers' private information with the 
government.
  Unfortunately, the cyber security bill in front of the Senate now 
takes the opposite approach. It only requires companies to withhold 
information that is known at the time of sharing to be personal 
information unrelated to cyber security. This approach will clearly 
discourage companies from closely reviewing the information that they 
share and will lead to a much greater amount of Americans' personal 
information being transferred needlessly to government agencies.
  I hope that here in the Senate there will be an opportunity to 
carefully consider the potential consequences of this legislation 
before voting to rush it through by an expedited process.
  I have said here several times that cyber security is a real problem, 
and policymakers are going to have to deal with it. In fact, I will go 
so far as to say that the issue of cyber security is going to be an 
ongoing and enduring challenge of the digital age. It is my view that 
every Senator who serves in this body today can expect to deal with 
cyber security questions for the rest of their career in public 
service. Voting to rush a bill through, however, is not going to make 
these problems somehow go away, and it will have real consequences for 
our constituents for years to come, and in particular, it will not make 
us safer and will jeopardize the rights of individual Americans.
  Before I wrap up, I believe it is important and I have an obligation 
to draw my colleagues' attention to one final issue. As of this 
afternoon, there is a secret Justice Department legal opinion that is 
of clear relevance to this debate that continues to be withheld from 
the public. This opinion remains classified. The Senate rules prohibit 
me from describing it in detail. But I can say that it interprets 
common commercial service agreements and that in my judgment is 
inconsistent with the public's understanding of the law.
  So this gets back to a question I have talked about on the floor 
often, which is secret law, when the public reads one thing and there 
is a secret interpretation that goes in another direction and it 
contributes to the public's cynicism about Washington.
  As always, I certainly see it as my job to say that colleagues can 
decide whether to take my counsel, but I believe any Senator who votes 
for this legislation, without reading this secret Justice Department 
legal opinion I have referred to, is voting without a full 
understanding of the relevant legal landscape. If Senators do not 
understand how these common commercial service agreements have been 
interpreted by the executive branch, then it will be harder for the 
Senate to have a fully informed debate on the cyber security 
legislation, whether it is considered now or later.
  I would also like to note for the record that I have repeatedly asked 
the Justice Department to withdraw this opinion and to make it public 
so anyone who is party to one of these commercial service agreements 
can decide whether their agreement ought to be revised. The Justice 
Department has chosen not to take my advice on either of my 
suggestions.
  In public testimony before the Senate Intelligence Committee, the 
deputy head of the Justice Department's Office of Legal Counsel told me 
she personally would not rely on this opinion today, and I appreciate 
her view on that matter. Yet, until the opinion is withdrawn, I believe 
Senators should be concerned about other government officials choosing 
to rely on it at any time. In my judgment, that is a very clear 
instance of the government developing what is essentially secret law--
law that is at variance with what you read if you are in a coffee shop 
in Arkansas or Utah or anywhere else.
  The reality is, as I have said often on the floor, operations always 
have to be secret, as do the sources and methods. Chairman Hatch 
remembers this from his service on the Intelligence Committee. 
Operations always have to be secret, but the law ought to be public 
because that is how the American people have confidence in how we make 
decisions in our Republic.
  I will close by saying it is quite obvious at this point that I have 
significant reservations about the cyber security bill. I believe a 
number of Senators are going to share these concerns. I will let them 
speak for themselves, although I believe Senator Leahy's strong 
statement yesterday was certainly on point. Yet I will also say, even 
to my colleagues who are inclined to vote for this bill, that I hope 
all Senators will think about whether this is an appropriate process 
for this sort of legislation.
  I have already said I believe Senators are going to be dealing with 
cyber security questions for the rest of their time in public service, 
because in the digital age, I think we are going to see a constant 
evolution in this field with respect to these threats and both the 
technical and political concerns that are raised by them.
  Should the Senate be rushing a bill like this through by tacking it 
onto an unrelated defense measure? Is this the best way to show the 
American people, once again, that security and liberty are not mutually 
exclusive and that it is possible to do both?
  If Senators share the concerns I have raised, I hope they will oppose 
the cyber security amendment if it is brought up for a vote on the 
Defense bill. I hope Senators will support this issue, which has been 
brought to the floor under a different process--a process that involves 
regular order, so every Senator on both sides of the aisle will have an 
opportunity to make the revisions I believe it needs and to offer their 
own ideas.
  With that, I yield the floor.

[...]