[Congressional Record Volume 159, Number 52 (Wednesday, April 17, 2013)]
[House]
[Pages H2088-H2103]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                              {time}  1420
             CYBER INTELLIGENCE SHARING AND PROTECTION ACT


                             general leave

  Mr. ROGERS of Michigan. Mr. Speaker, I ask unanimous consent that all 
Members may have 5 legislative days to revise and extend their remarks 
and include extraneous material on the bill H.R. 624.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Michigan?
  There was no objection.
  The SPEAKER pro tempore. Pursuant to House Resolution 164 and rule 
XVIII, the Chair declares the House in the Committee of the Whole House 
on the state of the Union for the consideration of the bill, H.R. 624.
  The Chair appoints the gentlewoman from Florida (Ms. Ros-Lehtinen) to 
preside over the Committee of the Whole.

                              {time}  1422


                     In the Committee of the Whole

  Accordingly, the House resolved itself into the Committee of the 
Whole House on the state of the Union for the consideration of the bill 
(H.R. 624) to provide for the sharing of certain cyber threat 
intelligence and cyber threat information between the intelligence 
community and cybersecurity entities, and for other purposes, with Ms. 
Ros-Lehtinen in the chair.
  The Clerk read the title of the bill.
  The CHAIR. Pursuant to the rule, the bill is considered read the 
first time.
  The gentleman from Michigan (Mr. Rogers) and the gentleman from 
Maryland (Mr. Ruppersberger) each will control 30 minutes.
  The Chair recognizes the gentleman from Michigan.
  Mr. ROGERS of Michigan. I yield myself such time as I may consume.
  I want to thank my ranking member and both the Republican and 
Democratic staffs and the Republican and Democratic members of the 
Intelligence Committee for 2 years of long hours in negotiated efforts 
to reach the point that we are.
  I want to back up just a little bit and tell you how we got to where 
we are today. We sat down some 2 years ago when the ranking member and 
I assumed the leadership of the Intelligence Committee and we looked at 
the one threat that we knew existed but we were not prepared to handle 
as Americans, both the private sector and the government. And we knew 
that we had to do something about this new and growing and 
misunderstood cyber threat and what it was doing to our intellectual 
property across the country, what it was doing to the freedom and open 
Internet that we so enjoy and are increasingly dependent on and the 
commercial value of our growing economy. And it was at risk. The 
private sector was at risk because people were stealing their 
identities, their accounts, their intellectual property, and subsequent 
to that, their jobs, and people began to question the value of getting 
on the Internet and using it for commercial purposes. Their trust in 
the free and open Internet the way we've embraced it in the United 
States really was at risk.
  How do we solve that problem? We knew that nation states were 
investing millions and billions of dollars to generate cyber warriors 
to go in and crack your computer network. I don't care if you had 
intellectual property--those blueprints that made your business 
successful, or maybe it was your bank account, or your ability to have 
a transaction. If they could interrupt that, they could do great harm 
to our economy and to the United States.
  We saw nation-states like Russia and China and now Iran and North 
Korea and others developing military-style attacks to actually do harm 
to the U.S. economy, to hurt the very men and women who get up every 
day and play by the rules and think that the Internet would be a safe 
place for them to interact when it comes to commerce. We want that to 
continue.
  So we sat down and we talked to industry folks, people who are in the 
business, high-tech industry folks from Silicon Valley, financial 
services folks from New York City, manufacturers from across the 
Midwest, who were losing intellectual property due to theft from 
nation-states like China. We talked to privacy groups. We talked to the 
executive branch. And over the last 2 years, there were some 19 
adjustments to this bill on privacy.
  We believe this: this bill will not work if Americans don't have 
confidence that it will protect your privacy and civil liberties while 
allowing one very simple thing to happen: cyber threat material, that 
malware that goes on your computer and does bad things, allows somebody 
else to take over your computer to attack a bank, allows them to go on 
your computer and steal your personally identifiable information and 
use it in a crime, allows them to go into your network at work and 
steal your most valuable company secrets that keep you alive and build 
great products here in the United States--could we allow the government 
to share what they know with the private sector and allow the private 
sector to share when it comes to just that cyber threat, those zeros 
and ones in a pattern that equates to malicious code traveling at 
hundreds of millions of times a second the speed of light, can we share 
that in a way to stop them from getting in and stealing your private 
information?

  And the good news is the answer is, yes, we can do this. We can 
protect privacy and civil liberties, and we can allow this sharing 
arrangement, but not of your identity, not of your personally 
identifiable information. As a matter of fact, if that's what's 
happening, it won't work. But at the speed of light, from machine to 
machine, from your Internet service provider before it ever gets into 
your network they bounce out the nastiest stuff that's in there that's 
going to take over your computer, steal your money, steal your 
personally identifiable information, steal your company secrets. And 
they can identify that by a pattern and kick it out. They'll say, 
Something looks bad about that. Can the government take a look at that 
and say, you know what? This is a Chinese attack, it's an Iranian 
attack, it's a North Korean attack--let's defend our networks. It's 
really very simple.
  Today, what you see is a collaborative effort. This isn't a bill by 
Dutch Ruppersberger and Mike Rogers and this is the only way it has to 
be. We have taken suggestions from all the groups I just talked about, 
from privacy to the executive branch to industry to other trade 
associations. And this is the bill that mutually all of those people, 
representing tens of millions of employees around this country, said 
this is the way you do this and protect the free and open Internet and 
you protect civil liberties. And you finally raise that big red sign 
that tells people like China and Iran and Russia, stop. We're going to 
prevent you from stealing America's prosperity.
  I heard a lot of debate earlier on the rule. I've heard a lot of 
misinformation. There are people who don't like it for whatever reason, 
maybe it's conviction, maybe it's politics, maybe it's political 
theater. And I have a feeling there's a little bit of all of that when 
they talk about this bill.
  This bill does none of the things I've heard talked about in the 
rule--that

[[Page H2089]]

it's an exchange of information that they've never seen with the 
government. This is not a surveillance bill. It does not allow the 
national security agencies or the Department of Defense or any of our 
military organizations to monitor our domestic networks. It does not 
allow that to happen. We would not allow that to happen.

                              {time}  1430

  So some notion that that's happening is just wrong, and some of the 
folks who are pretending otherwise know it's wrong. This is important.
  You know, the Iranians, by public report, are laughing at our shores, 
looking for weaknesses in our financial institutions. They're not doing 
it for benevolence. They're doing it to try to create chaos in our 
markets here at home. This isn't 10 years or 20 years. This is today. 
It's happening today.
  The average credit card in your purse, Madam Chair, will be hit 
300,000 times today by bad actors trying to get in and steal your 
personal information--all those cardholders' information--and use it to 
commit a crime.
  Today, hundreds of millions of times across this great country 
companies will be besieged by DDoS attacks trying to overwhelm their 
systems and shut them down and not allow commerce to happen, by people 
who are trying to get into their networks and steal something valuable.
  This bill is that right balance between our privacy, civil liberties, 
and stopping bad guys in their tracks from ruining what is one-sixth of 
the U.S. economy. It's that important, and it's important that we get 
at it today.
  We must do more to improve our cybersecurity, and this bill is that 
vital first step toward that bill. Our intelligence agencies collect 
important information overseas about advanced foreign cyber threats 
that could dramatically assist the private sector. That information is 
the intelligence community's unique value-added when it comes to our 
cybersecurity.
  Unfortunately, we are not getting the full value of those 
intelligence insights. As I said, the intelligence community is not 
monitoring the Internet. They don't know what's happening on the 
domestic Internet. So when there is a nasty piece of source code or 
malicious source code attacking the private sector, the only way we're 
going to know that is if we--and these folks are victims of crime, by 
the way--if we allow them, in a classified environment, to share 
malicious source codes--zeros and ones in the right pattern--with the 
government and say, Hey, I am the victim of a crime. Here's what it 
looks like. Can you help? The government needs to be able to share this 
threat intelligence so that the private sector can protect its own 
networks.
  The government is going to reciprocate. Our intelligence services go 
overseas. They find out what the bad guys are doing. They come back and 
protect the government networks. The problem is, because of laws and 
policies and procedures, we can't share that with the private sector so 
they can protect their own networks. Wouldn't it be great if they know 
what's coming? If you know what you're looking for, you can stop it. 
That's really what we're talking about doing here, Madam Chair.
  We must also modernize the law to give the private sector clear 
authority to share cyber threat information within the private sector, 
as well as the government, on a voluntary, anonymous basis.
  Again, if you believe in the free and open Internet and you look at 
all the bills that have been introduced, there is a chomping at the bit 
in this town to go out and try to put their mitts on the Internet. They 
want to get in there and start regulating and standards and setting up 
procedures. They want to get in from business-to-business 
communication. They want the government to be at every corner of the 
Internet. I reject that wholly. It's the wrong approach. It will not 
work. It will bring the Internet to a halt. This is the only bill that 
doesn't have new mandates, new authorizations for any government 
involvement in the Internet.
  It does something very simple. I'm going to repeat it a lot today, 
Madam Chair. It allows the government to share zeros and ones in the 
right pattern with the private sector. And zeros and ones from the 
private sector, when they know it's malicious and attacking their 
networks, they share it with the government and say, This is a problem. 
Can you help me? That's what this bill does. And we've got a long list 
of privacy protections and restrictions to make sure that that's all 
that this bill does. The bill achieves all of these important goals 
that I just walked through, and it will empower the private sector, 
which already does significant work to protect computer networks, to do 
even more.
  The bill will allow the government to share cyber threat intelligence 
more widely with American companies in operationally usable form so 
they can help prevent state-sponsored cyber spies from stealing 
American trade secrets. It also provides clear, positive authority to 
allow companies to share cyber threat information with others in the 
private sector. It also provides authority to allow those companies to 
share threat information on a purely voluntary and anonymized basis 
with the government, meaning no personal identifying information.
  This bill will not require additional Federal spending. It will not 
require the creation of a vast new government bureaucracy. It will not 
impose any Federal regulations or unfunded mandates on the private 
sector. To the contrary, it will be a critical, bipartisan first step 
toward enabling America's private sector to better defend itself from 
the advanced state-sponsored cyber threats in which we live in today.
  I'm very proud of the open and transparent process that produced this 
bill. We've had a great conversation over the last 2 years with a broad 
range of private sector companies, trade groups, privacy and civil 
liberties advocates, and the executive branch. I appreciate all the 
constructive input we have received from the process. This bill has 
been revised every step of the way in this process, and all of that has 
been based on discussions with all the groups I just mentioned.
  I just want to cover some of the privacy protections we've added 
along the way.
  The bill prohibits the government from requiring private sector 
entities to provide information to the government. There is nothing in 
here that has any requirement that the private sector must share cyber 
threat information. If they don't think it's in their best interest to 
stop that cyber crime, they don't have to say a word. If they do, 
they're allowed to share just that cyber threat information with the 
right agencies in real time. Again, this is machine to machine so that 
they can deal with the international nature of that threat.
  It encourages the private sector to anonymize or minimize the 
information it voluntarily shares with others, including the 
government.
  In addition, the bill requires an annual independent inspector 
general audit and report to Congress of all voluntary information 
sharing with the government. That's another layer of oversight. We have 
built multiple layers of oversight into this bill so that we can gain 
the confidence of the public in its purpose, intent, and success.
  The bill significantly limits the Federal Government's use of 
information voluntarily provided by the private sector, including a 
restriction on the government's ability to search that data--very 
important.
  The bill also enforces the restrictions on the government by levying 
penalties against the government through Federal court lawsuits for any 
violations of those restrictions. Again, another layer of oversight.
  In the markup, we've made some progress, as well, between the ranking 
member and the members on the committee negotiating and working out 
what changes we can make to, again, improve the confidence that people 
have in this bill. We have improved this bill every step of the way for 
the last 2 years, and the markup was no different. At our markup, which 
voted the bill out of committee on a strong 18-2 vote, we adopted five 
important amendments to further strengthen the bill's protections and 
safeguards.
  We adopted an amendment by Mr. Langevin that made it clear that the 
bill contained no new authority to allow companies to hack back into 
networks in other companies. It certainly wasn't intended in the 
legislation. I thought it was a well-intended amendment. The last thing 
we want to do is

[[Page H2090]]

unleash digital vigilantism across the country and what that might do 
to our ability to continue to rely on the Internet as an engine of 
commerce.
  We've put in place the private sector use restriction that limits 
companies' use of information received to only cybersecurity purposes. 
Mr. Heck and Mr. Himes worked diligently on this amendment to improve 
the bill and make it very clear that this is just about cybersecurity 
and cybersecurity purposes.
  The bill previously gave the government authorization to create 
procedures to protect privacy and civil liberties and prevent the 
government's retention of personal information not necessary to 
understand a cyber threat. Last week's amendment makes those procedures 
mandatory. That was by Mr. Himes. We agreed that was the right place to 
put the burden to make sure there was no personal identifiable 
information that was not necessary to determine the nature of the 
attack.
  We also struck the bill's authorized government ``national security'' 
use of information received from the private sector. This would have 
provided the government flexibility in the future to address advanced 
cybersecurity threats. In conversations with government national 
security lawyers in recent months, they assured us that this 
flexibility wouldn't be required in the near future. In light of that, 
and given the widespread misunderstanding this language was generating, 
we thought it was prudent to take it out. Ms. Sewell from Alabama 
offered that amendment and worked with the committee to make sure it 
was adopted.
  We also added additional oversight in the already very strong 
oversight structure in the bill to monitor the government's receipt and 
use of cyber threat information voluntarily provided by the private 
sector. We added roles for the Privacy and Civil Liberties Board and 
the individual agency privacy officers to provide additional oversight 
of the government's use of information received from the private sector 
under this bill.
  I'm also very proud to cosponsor an amendment today with Mr. McCaul 
and Mr. Thompson of Mississippi, Mr. Ruppersberger and myself that 
would put a civilian face on the privacy sector cyber information 
sharing with this government. It was a concern by many. It was 
something we had long debates and conversations on, and I think we came 
to an agreement that will at least end that debate. It puts the 
appropriate civilian face so that, again, people can have confidence in 
the intention of this bill and what it will do to protect cybersecurity 
on networks or allow the private sector to protect their own networks 
and protect civil liberties of Americans.

                              {time}  1440

  Other elements of the government, such as the intelligence community, 
will still receive the information they need to play their important 
roles, but only after it has been minimized and screened by a civilian 
entity like the DHS or, in some rare cases, the FBI.
  This bill already contains several levels of strong protections to 
ensure that it improves cybersecurity without compromising our 
important civil liberties, but this bill will add a significant new 
privacy protection to that existing structure.
  Again, Madam Chair, you can see the level of effort that we are doing 
here to protect privacy and civil liberties and still have a workable 
bill that stops nation-states like China, Russia, Iran, and North Korea 
from getting into your networks and stealing your property.
  We have yet to find a single U.S. company that opposes this bill. In 
fact, we have the enthusiastic support of nearly every sector of the 
economy, because they are under assault from foreign cyber attacks and 
they need our help. They need it now. Companies and industry groups 
from across the country, including Intel, the chip maker, IBM, the 
Internet Security Alliance, the U.S. Chamber of Commerce, the Business 
Roundtable, TechAmerica, TechNet, companies of Silicon Valley, the 
Financial Services Roundtable, U.S. Telecom, the Nuclear Energy 
Institute, and the National Association of Manufacturers, just to name 
a few, have sent the committee letters of support. And that list is 
growing by the day of people who are encouraged by the very light touch 
of the government; no new programs, no new authorizations, it's not a 
surveillance bill. This is the only appropriate way to try to deal with 
this problem.
  By allowing the private sector to expand its own cyber defense 
efforts and to employ classified information to protect systems and 
networks, this bill will harness private-sector drive and innovation 
while also keeping the government out of the business of monitoring and 
guarding private-sector networks.
  This important legislation would enable cyber threat sharing and 
provide clear authority for the private sector to defend its own 
networks while providing strong protections for privacy and civil 
liberties.
  Madam Chair, with this great collaborative effort, with the effort 
facing this country, when you see this many Republicans and Democrats 
coming together, recognizing the threat and crafting a bill that meets 
that very important standard, this is the bill we should all stand up 
and enthusiastically support, and I reserve the balance of my time.
  Mr. RUPPERSBERGER. Madam Chair, I yield to the gentleman from 
Illinois (Mr. Gutierrez) for the purpose of making a unanimous consent 
request.
  (Mr. GUTIERREZ asked and was given permission to revise and extend 
his remarks.)
  Mr. GUTIERREZ. I thank the gentleman for yielding.
  Madam Chair, as a member of the House Permanent Select Committee on 
Intelligence, I am very familiar with the types of threats that this 
country faces every day and the serious ramifications of cyber 
vulnerabilities. This is an issue to which the committee has devoted a 
great deal of time and energy during the last year.
  In the cyber security realm these threats are growing in frequency 
and severity, so much so that the Director of National Intelligence, 
James Clapper, identified cyber security as a top threat facing this 
country earlier this year. Director Clapper stated in an open hearing 
just a month ago that the growing cyber capabilities of both state and 
non-state actors ``put all sectors of our county at risk, from 
government and private networks to critical infrastructures.'' We have 
seen more and more brazen attacks, from financial institutions and 
banks to news outlets, credit card companies, telecommunications 
providers and even government entities.
  I believe that we should make every effort to safeguard the privacy 
of Americans' personal information even as we take steps to prevent 
attacks to our electronic networks and attempts to steal trade secrets, 
facilitate critical information sharing, and protect our critical 
infrastructure.
  To that end, the committee made a number of improvements to the bill 
with bipartisan support during our markup last week. Most notably, we 
voted to remove the authority for private information to be used for 
broad non-cyber ``national security'' purposes. We also expanded 
oversight responsibilities for the Privacy and Civil Liberties 
Oversight Board and restricted usage of information received by private 
entities to cyber security information. The bill also requires the 
government to minimize any personal information that is unrelated to a 
cyber threat. The bill has improved since the last time it was 
considered by the House of Representatives in 2012.
  I understand that there remain areas of concern for some of my 
colleagues. I share your reservations and am disappointed that we were 
unable to adopt amendments to address some of the liability issues, 
require private sector entities to make ``reasonable efforts'' to 
remove irrelevant personally identifiable information, and establish 
the Department of Homeland Security as the primary receptor of cyber 
threat information. An amendment to place DHS as the primary agency was 
not made in order today and I hope that we can continue to work on an 
agreement to do that.
  I am sensitive to these privacy concerns and hope that we can 
continue to improve the Cyber Intelligence Sharing and Protection Act 
through amendments today and ongoing dialogue. However, my underlying 
concerns about the national security implications of ever-present and 
even escalating cyber attacks compels me to support the bill today.
  Mr. RUPPERSBERGER. Madam Chair, I yield myself such time as I may 
consume.
  Chairman Rogers and I are here today to discuss the Cyber 
Intelligence Sharing and Protection Act, known as CISPA. The bill 
simply allows the government to give cyber threat intelligence to the 
private sector to protect its networks from cyber attacks.
  I don't want to repeat a lot of what the chairman has said, but the 
first

[[Page H2091]]

thing I want to do is to acknowledge the leadership of the chairman. 
Three years ago, the chairman and I, when we took over the leadership 
of the House Select Intelligence Committee, realized how serious the 
threat of cyber attacks were to our country, to our businesses, to our 
health, safety, and welfare.
  We decided to pull together a group of representatives from different 
parts of this issue--we had the administration involved, we had the 
privacy groups involved, including the ACLU, we brought in the 
industry--because we knew that we had to put together a bill that would 
pass the House, the Senate and be signed by the President.
  So, what we attempted to do was get input, and then we put together a 
bill. And, by the way, the bill is only 27 pages--it's probably a 
record in this Congress--and we did read the bill.
  Now, what we attempted to do in this bill is to address a situation 
where now, the government cannot really communicate with the private 
sector to try to help protect our citizens, our businesses from cyber 
attacks. The reason for that is in 1947, there is a law that says that 
the intelligence community cannot communicate or pass information to 
another entity that does not have clearances. So, basically what our 
bill does is to allow the sharing of information, which we can't do 
now, to the private sector.
  Now, why is this important? This is something that is very important 
because most people don't understand this. In the United States of 
America we have 10 companies, called the providers, that control 80 
percent of our network--80 percent of our network. So in order for us 
to protect the United States of America from cyber attacks, we need to 
make sure that the government has a partnership with the private sector 
and that they can pass the threat information so that the government 
can help protect.
  As an example, if your house is being robbed, you call 911 and the 
police department comes. That's the same scenario that we're looking at 
here, only it's a lot more sophisticated. Again, as the chairman said, 
passing information, mostly zeroes and ones, to the government so that 
we can work together to protect our network.
  Now, why is this so important? And I think it's important that we get 
into some of the issues of threats. Just recently, we understand, and 
we know, that The Washington Post, The New York Times, The Wall Street 
Journal, were cyber-attacked. And basically, our understanding is that 
they did this, especially China, to intimidate the paper sources within 
China. We had our U.S. banks. It is very serious for U.S. banks to be 
attacked and hacked. Most of what our banks have are records and 
information. And to be able to shut down a bank or to be able to 
manipulate or get privacy information could be very destructive to our 
banks, and yet this is being done, and it's been done for a period of 
time.
  Media reports have said that Iran, a rogue country that we know 
exports terrorism--we know what Iran's beliefs are, and yet reports 
have said that Iran attacked Saudi Arabia's oil company, one of the 
largest in the world, Aramco, and wiped out 30,000 computers in a 
weekend. And let me say this: Iran is not a very sophisticated company 
as it comes to cyber, but they have the sophistication to be able to 
knock out 30,000 computers and really shut their businesses down for a 
period of time. This is what's happening in the United States.
  Cyber Command, whose job it is to protect our military networks, 
estimated that in the last couple of years that we have had, the United 
States of America has had $400 billion--not million, billion--worth of 
American trade secrets being stolen from U.S. companies every year, 
costing these companies market share and jobs. That's probably the 
biggest theft in the history of the world, and yet we still are not 
able to help government working with business.
  You have Secretary Napolitano, the Director of the FBI, you have the 
Director of the NSA, Alexander, and all three have said one of the 
biggest fears they have now are these attacks, and that unless we have 
a sharing opportunity between government and between business, they 
feel that they cannot protect our country from these cyber attacks the 
way that they should. It's so important that we need to act now on this 
bill.
  Now, we can pass bills in the House all day long, but if the Senate 
doesn't pass a bill and the President doesn't sign it, where are we? We 
were able to pass our bill last year in a bipartisan manner, and yet 
our bill went to the Senate and it stalled and the bill didn't go 
anywhere, so Chairman Rogers and I started again.
  But, what we said to each other and we discussed was that we need to 
address the issue of privacy. Even though we felt strongly that our 
bill does protect privacy, we knew there were groups out there, 
especially the privacy groups, that felt that there was not enough 
protection in our bill. So we rolled up our sleeves, we listened to the 
issues raised by the privacy groups, the administration had issues with 
respect to privacy, and we changed the bill.
  Now, I don't want to repeat what the chairman said, but basically we 
made some significant changes to our bill to deal with the issue of 
privacy. We provided that first, there's a privacy and civil liberties 
oversight board, and now that board must review our program. That's one 
area of oversight.
  In the intelligence community, we have privacy officers in each 
department, in each area. And these privacy people have to look at the 
threat information. They must also conduct a classified and 
unclassified review. That's the second oversight that was changed in 
the bill.

                              {time}  1450

  An annual report must be sent to Congress. We also have what we call 
the ``inspector general,'' whose job it is to oversee the different 
agencies they represent. Those are four areas of oversight just in the 
bill.
  Regarding the privacy agreements that we were concerned about, we 
only have five elements where this bill applies. That means if you're a 
tax cheat and we pick up some information, that can't be used against 
you. The privacy agreements were concerned about the issue of national 
security being one of those elements in this bill. They thought it was 
too broad. So Chairman Rogers and I got together, and we were able to 
get the votes from both sides of the aisle, and we were able to take a 
position that the national security issue is not in the bill anymore. 
We feel national security is being covered by one of the elements in 
the bill that says it deals with the issue of protecting people's lives 
or liberty. So we feel that we have covered national security.
  One of the most important issues was the issue of minimization. What 
is minimization? Most people don't know what it is. Basically, 
minimization is if private information is passed, there needs to be an 
entity out there that will take that private information out so that it 
is not used.
  We've now added to the bill that any of the zeroes and ones that are 
passed--and that's what's happening--if there was some reason why 
somebody's personal information is passed when those zeroes and ones 
are coming back and forth, now we have what we call 100 percent 
minimization, and the government will make sure that every single 
entity and all the information that is passed will be 100 percent 
minimized. If there is any personal information in there at all, it 
will be knocked out. That's very significant, and that gives a lot of 
coverage.
  This is also important: you don't have security if you don't have 
privacy. That was one of the themes Chairman Rogers and I used in the 
beginning: if you don't have security, you don't have privacy. Even 
though we thought our first bill had it, we felt there was a certain 
perception, we heard what was said and we made these changes.
  There is one other issue that is out there that's very important that 
I think is also extremely relevant. That's the issue of when the 
information is passed when we're attempting to protect our citizens and 
our businesses from these attacks and hopefully from a destructive 
attack like Iran did to Aramco in Saudi Arabia, there was a perception 
out there which, again, had to deal with perceptions. The perception 
was that if this information of zeroes and ones that are being passed 
back and forth, what is the point of entry. We did not want the 
perception to be that the military in any way would be in charge or 
would

[[Page H2092]]

be the entity that is overseeing this. We felt very strongly that it 
had to be civil.
  So Chairman Rogers and I, along with Chairman McCaul of the Homeland 
Security Committee and Ranking Member Thompson, have an amendment here 
today which is very significant. I'm sure it will be very well received 
by the privacy groups in the White House. What the bill will now say is 
that when information is passed, it will be the Department of Homeland 
Security. That is very significant, and we would hope that that would 
truly deal with the majority of these privacy issues.
  We know that we have to move and we have to move quickly. We're here 
today to debate this bill. And, again, Chairman Rogers--he's not 
listening, but I'll say it anyhow--has shown tremendous leadership. I 
say this and I say it sometimes in jest, that I was a former 
investigative prosecutor and he was a former FBI agent and all good FBI 
agents must listen to their prosecutors, even if we're in the minority. 
That was a joke. Not withstanding that, he has shown leadership. We 
threw partisanship out the window. We knew the stakes were high. We 
have been concerned that we have not been able to protect our country. 
I believe that Congress needs to act because we're standing in the way 
of protecting our country.
  This reminds me of a situation. We know how serious Hurricane Sandy 
was. It's similar to if you are a meteorologist and Sandy is coming up 
the east coast and you can't warn your constituents that Sandy is 
coming. That's why we need to pass this bill tomorrow, and we need to 
do it for the benefit of our country.
  And I do want to end with this: you do not have security if you don't 
have privacy. We feel that this bill, along with the amendments that 
will be introduced today, will effect that.
  With that, I reserve the balance of my time.
  Mr. ROGERS of Michigan. Madam Chair, I yield 3 minutes to a current 
military officer and great member of the Intelligence Committee, the 
gentleman from Nevada (Mr. Heck).
  Mr. HECK of Nevada. I want to begin by thanking both the chairman and 
the ranking member for their incredible leadership on this very 
difficult task. It was especially gratifying to work in such a 
bipartisan manner to come to the final product that we'll be voting on 
later tomorrow.
  Madam Chair, our Nation is under attack every day, every hour, every 
minute. Cyber attacks on our Nation's networks threaten our economic 
and national security. That is why I rise in support of H.R. 624, the 
Cyber Intelligence Sharing and Protection Act.
  Whether it is hacktivists attempting to disrupt services, criminals 
intent on stealing personal information, spies looking for intellectual 
property or trade secrets or nation-states searching for military and 
security vulnerabilities, our networks are at risk.
  Cyber looting puts U.S. businesses at a competitive disadvantage, 
threatening jobs and our private information. The same vulnerabilities 
used to steal intellectual and personality property are also exploited 
to target America's critical infrastructure, such as our electrical 
grids and our banking and financial institutions. These cyber 
weaknesses make the intelligence-sharing provisions within H.R. 624 
vitally important. However, as we seek to secure and defend the U.S. 
economy and our country's critical infrastructure, we must be mindful 
of our Nation's founding principles. We must ensure that we protect our 
citizens' privacy and civil liberties.
  The House Permanent Select Committee on Intelligence has sought the 
input of and worked closely with privacy and civil liberties groups to 
strengthen the bill and provide necessary individual protections. These 
discussions resulted in a number of amendments that were adopted on a 
broad bipartisan basis during the committee markup.
  My amendment, offered with my colleague from Connecticut (Mr. Himes), 
specifically limits the private sector's use of cyber threat 
intelligence only to a cybersecurity purpose. This provision addresses 
the concerns and misperceptions that private sector companies could 
have used this information for marketing and other commercial purposes.
  Another amendment requires the establishment of minimization 
procedures to limit the receipt, retention, and use of personally 
identifiable information, or PII. In the unlikely event that PII is 
inadvertently shared, this provision will prevent the government from 
receiving and/or maintaining that information while still ensuring 
rapid transmission of critical cyber threat intelligence necessary to 
protect our systems.
  Yet another amendment narrows the authorized use of shared cyber 
threat intelligence by striking the provision providing the government 
broad authority to use this information for national security purposes.
  All of these bipartisan amendments will provide the private sector 
the necessary tools to protect its own networks while at the same time 
providing critical protections for privacy and civil liberties.
  This legislation represents an important first step toward securing 
our Nation's intellectual property and critical infrastructure from 
cyber attack, and I urge my colleagues to support its passage.
  Again, I thank the chairman and the ranking member for their 
leadership.
  Mr. RUPPERSBERGER. Madam Chair, I now yield 2 minutes to a senior 
member of our committee who worked very hard on this bill, the 
gentleman from California (Mr. Thompson). He's been with us for the 
last 3 years attempting to pass a bill that will help our country and 
protect us.
  Mr. THOMPSON of California. Madam Chair, I thank the gentleman for 
yielding, and I thank both the ranking member and the chairman for 
their good work on this measure and for including all of us in trying 
to build a better product.
  Clearly, the threat of a devastating cyber attack is real and, as has 
been mentioned by a number of previous speakers, can't be understated. 
Advanced cyber attacks from China and other nation-state actors are 
stealing hundreds of billions of dollars' worth of cutting-edge 
research and development from our U.S. companies and even from our 
Federal Government. That's why it's essential that the business 
community and the Federal Government work together to share cyber 
threat information for the purpose of protecting the American people 
from the fallout of cyber attacks and cyber hackers.
  While it's important that we protect against the threat of 
cybersecurity, it's equally as important that we recognize the 
responsibility to protect the constitutional rights of law-abiding 
citizens. Though I support H.R. 624, both for the fact that it is 
important that we address these issues and because I believe it needs 
to be moved on and we can get it in conference committee with the 
Senate bill, I remain somewhat concerned that the bill as drafted could 
lead to the broad sharing of consumer information which in turn could 
be used in ways unrelated to combating cybersecurity threats.

                              {time}  1500

  I emphasize ``could be used.''
  Already the chair and the ranking member have accepted and we've 
incorporated a series of provisions in this bill that I authored that 
would minimize the sharing of some personally identifiable information, 
that would limit permissible uses of information which would be shared 
under this bill, and that would insist on a number of reporting 
requirements that will ensure Congress' ability to provide the 
necessary oversight of this program.
  The CHAIR. The time of the gentleman has expired.
  Mr. RUPPERSBERGER. I yield the gentleman an additional 30 seconds.
  Mr. THOMPSON of California. So, taken together, these provisions will 
improve the transparency and the accountability of this bill. However, 
notwithstanding these important changes, the bill is not perfect. Given 
the significance of this threat and the commitment of everyone to 
continue to work together, I strongly urge my colleagues to support 
this bill and to move it out of the House. Let's get the thing to 
conference. Let's get the best bill possible, get it signed into law, 
and work together to protect the American people.
  Mr. ROGERS of Michigan. Madam Chair, I am proud to yield 3 minutes to 
a leader on the Homeland Security

[[Page H2093]]

Committee and the chair of the House Admin Committee, the gentlelady 
from Michigan (Mrs. Miller).
  Mrs. MILLER of Michigan. I thank the gentleman for yielding me time.
  Madam Chair, let me just read for our colleagues the preamble of our 
Constitution:

       We the people of the United States, in order to form a more 
     perfect Union, establish justice, insure domestic 
     tranquility, provide for the common defence, promote the 
     general welfare, and secure the blessings of liberty to 
     ourselves and our posterity, do ordain and establish this 
     Constitution for the United States of America.

  Madam Chair, this great statement that is the foundation for our 
Federal Government provides us the direction that we need to our 
primary responsibilities. I would suggest that this legislation helps 
us fulfill every one of the responsibilities mandated on us by our 
Constitution. Now let's just take them one by one.
  ``Establish justice''--it is just to protect American companies from 
the theft of their intellectual property by attackers and by 
competitors.
  ``Insure domestic tranquility''--can you even imagine the threat to 
domestic tranquility if our power grid is successfully attacked by a 
foreign state like North Korea and this Nation is left in the dark?
  ``Provide for the common defence''--what is more common than our 
power grid, our financial system and our economy? Are we not required 
to defend all of that?
  ``Promote the general welfare''--again, if our power grid is taken 
down, it is impossible to promote the general welfare.
  ``Secure the blessings of liberty to ourselves and to our 
posterity''--our intellectual property, made with American ingenuity, 
our life savings in banks, under threat from foreign actors, our jobs, 
our economy. All of these blessings of liberty are currently at risk if 
we do nothing.
  I've heard some suggest, Madam Chair, that they have constitutional 
concerns about passing this bill. I would just suggest to them that I 
believe strongly that you should have constitutional concerns about not 
passing this bill. I do not believe that our Constitution gives foreign 
state actors like China or Russia or North Korea or Iran uncontested 
access to the critical systems of private American companies. To the 
contrary, I believe that our Constitution requires us, the Federal 
Government, to defend them.
  I certainly want to applaud the great work that has been done by the 
chairman of the House Intelligence Committee, Mr. Rogers of Michigan, 
and certainly applaud our ranking member, Mr. Ruppersberger.
  Gentlemen, you have worked so closely together on your committee and 
with other committees as well on this great piece of legislation.
  I would urge all of my colleagues, Madam Chair, to join me in 
fulfilling our oath and in voting ``yes.''
  Mr. RUPPERSBERGER. Madam Chairwoman, I yield 2 minutes to a great 
Member from the State of Illinois (Mr. Enyart).
  Mr. ENYART. Madam Chair, I rise today in support of this important 
legislation.
  The threat we face today from cyber attacks poses a clear and present 
danger that must be addressed. When I was sworn in to Congress to 
represent the people of southern Illinois, I took a vow to protect them 
from all enemies, both foreign and domestic. It was not the first time 
I had taken such an oath. By supporting CISPA, we move to fulfill our 
oath.
  I know there are good Americans who oppose this legislation because 
they believe the protections for civil liberties and privacy don't go 
far enough, but we must not let the perfect be the enemy of the good. 
This bill prohibits the government from forcing private sector entities 
to provide information to the government. It places restrictions on the 
use of any data voluntarily shared. The bill provides for strong 
congressional oversight. These are tremendous victories to protect our 
civil liberties.
  I support this bill because American jobs hang in the balance. Every 
day, our companies are subject to cyber attacks seeking to steal 
valuable trade secrets which deprive American citizens of high-paying 
high-tech jobs. Locally, my hometown grocery store in southern 
Illinois, Schnucks, was recently hacked, and customers' debit and 
credit card information was compromised, making many of my constituents 
vulnerable to theft.
  I cannot stand by and let an opportunity to prevent such actions pass 
me by, which is why I stand in support of this legislation. To protect 
the jobs of those who work to build planes at Boeing in Belleville or 
workers at Afton Chemical in Sauget, I must support this legislation. 
To ensure that those who make weapons to defend our country at General 
Dynamics in Marion, Illinois, don't lose their jobs because some 
Chinese hacker has stolen proprietary information, I must support this 
legislation.

  As the weapons of warfare change and adapt, we must make the 
necessary adjustments to protect our Nation while adhering to our 
founding principles. I urge my colleagues to join me in support of this 
act.
  The CHAIR. The gentleman from Maryland has 14\1/2\ minutes remaining, 
and the gentleman from Michigan has 5\1/2\ minutes remaining.
  Mr. ROGERS of Michigan. Madam Chair, I yield 2 minutes to a former 
military officer, the distinguished gentleman from Kansas (Mr. Pompeo).
  Mr. POMPEO. I want to thank Chairman Rogers and Ranking Member 
Ruppersberger for all of their hard work over many months, now years, 
in bringing this to where we are today, and I want to thank all of the 
committee staff who worked so hard to bring it to this point as well.
  I'd like to keep things pretty simple. If there were a sergeant from 
the Chinese People's Liberation Army inside one of our power plants or 
inside one of our banks and if they were trying to steal stuff and if 
they were looking around, trying to figure out how to get in and how to 
access our systems or to take property or to do damage to our power 
grid, the American people would demand that the government do whatever 
it could, and they would be thrilled to learn that that company was 
permitted and, indeed, protected if it decided to share with others 
that potential threat to its piece of the infrastructure. That's what 
we're doing today.
  The world has changed just a little bit. In just this last month, the 
last M-1 tank left Europe. It's the first time we haven't had a tank in 
Europe since D-day when the great Kansan invaded on the great quest to 
free us from Nazi totalitarian domination. There are no tanks. We fight 
in a different world today. We use the word ``cyber,'' and sometimes 
folks forget what we're really talking about. We're talking about 
nation-states trying to do terrible harm to American interests, to 
American property and, indeed, to American civil liberties.
  Now, in the last minute I have here, I want to talk about a couple of 
myths that have arisen about this piece of legislation. When I first 
learned about it, I, too, shared some of the concerns about what might 
be happening, about what might take place here. I offered an amendment 
last year, which is now incorporated into the bill, along with dozens 
of such amendments, to make sure belt-and-suspenders that we protected 
civil liberties.
  I've heard the myth propagated that this piece of legislation 
violates contract rights, that somehow through CISPA we're going to 
take away the ability of people to negotiate privately for contractual 
things that they want. I don't know how that could be. This bill is 
purely voluntary. It mandates that no one participate. It simply allows 
businesses to voluntarily participate and share information they have 
about attacks that have been foisted upon them.
  I've heard a second myth that this will authorize warrantless 
searches across the United States of America.
  The CHAIR. The time of the gentleman has expired.
  Mr. ROGERS of Michigan. I yield an additional 60 seconds to the 
gentleman.

                              {time}  1510

  Mr. POMPEO. There's talk about warrantless searches all across 
America. The legislation does no such thing. It's a short bill. It's 26 
pages. I would urge everyone to go read it for themselves.
  It fairly clearly limits what government may do, what information 
government may receive. It limits what private companies can share with 
government and amongst themselves. It

[[Page H2094]]

limits what government can do with that information once it is 
received. It has greatly capped what is going on here.
  Its design is simple: it is to make sure that all of the information 
about direct attacks on America are widely known, easily disseminated, 
and available for all to help in the protection of the American state. 
I urge my colleagues to support this legislation.
  Mr. RUPPERSBERGER. Madam Chair, I yield 2 minutes to my good friend, 
the gentleman from Rhode Island (Mr. Langevin); and I do want to say 
that we've been working together for years on this issue of 
cybersecurity, and I consider him to be one of the experts and one of 
my closest friends working on this issue.
  (Mr. LANGEVIN asked and was given permission to revise and extend his 
remarks.)
  Mr. LANGEVIN. Madam Chair, I thank the gentleman for yielding. I rise 
in strong support of H.R. 624, and I do thank Chairman Rogers and 
Ranking Member Ruppersberger for their commitment to a bipartisan and 
inclusive process on a very, very challenging issue.
  We know with certainty that cybersecurity threats that we face are 
real, and they are increasing both in number and sophistication every 
day. Congress may not have acted last year, but those who would use 
cyberspace for nefarious purposes certainly did, and they continue to 
steal intellectual property, identities, funds from bank accounts, and 
sensitive security information.
  I know full well that this is not a perfect bill, such is the nature 
of the legislative process. But we need the authority that CISPA 
provides to allow the voluntary sharing of cybersecurity threat 
information.
  Improvements, I should point out, have been made over last year's 
bill. Several amendments have already been adopted to alleviate many 
privacy concerns, and more may be adopted before we are done. I welcome 
such progress. This bill is an important step, but information-sharing 
is only one portion of the broader cybersecurity debate.
  I have long maintained that we must also work to ensure the creation 
of minimum standards for critical infrastructure; the education of a 
strong and vibrant future cybersecurity workforce; and effective 
Federal and military cyber structure, including a Senate-confirmed 
cybersecurity director with real authority, including comprehensive 
budgetary authority; and the coordination of research and development 
on cybersecurity across the Nation.
  Together with the President's recent executive order, I believe CISPA 
and the bills this House approved yesterday are a very promising 
beginning, but there is obviously much more to be done.
  Again, I want to thank Chairman Rogers and Ranking Member 
Ruppersberger for their efforts. I commend them on a collaborative 
approach to a very important issue, and I ask my colleagues to support 
this important measure.
  Mr. ROGERS of Michigan. I don't have any further speakers, and so I 
will continue to reserve the balance of my time to close.
  Mr. RUPPERSBERGER. I yield 2 minutes to the gentlewoman from Illinois 
(Ms. Schakowsky), who is a senior member of our committee and has 
worked very hard on this issue.
  Ms. SCHAKOWSKY. Madam Chair, I sincerely want to thank the chair and 
ranking member of the Intelligence Committee and express my 
appreciation for all of their efforts to work in a bipartisan manner 
and to address the concerns raised by me, by civil liberties groups, 
and by the White House.
  However, I rise today in opposition to the bill. While I strongly 
believe that we need to address the serious cybersecurity threat--there 
is no question about that--I think we can do it without compromising 
our civil liberties. Despite some positive changes, I feel this bill 
fails to adequately safeguard the privacy of Americans. Cybersecurity 
and privacy are not mutually exclusive, and this bill fails to achieve 
a balance between protecting our networks and safeguarding our 
liberties.
  Yesterday, I offered an amendment that would have made critical 
advances toward protecting privacy. My amendment would have required 
that companies report cyber threat information directly to civilian 
agencies, maintaining the longstanding tradition that the military 
doesn't operate on U.S. soil or collect information of American 
citizens.
  Another important amendment offered by Congressman Schiff would have 
required companies to make ``reasonable efforts'' to remove personal 
information before sharing cyber threat information. Unfortunately, 
those critical amendments were not made in order.
  Yesterday, the Obama administration expressed ongoing concerns about 
this legislation, issuing a veto threat. I share the President's 
concern--despite positive changes, this bill falls short in several key 
ways. As written right now, and hopefully there still may be some 
changes, CISPA allows the military to directly collect personal 
information on American citizens. It fails to safeguard privacy of 
Americans and grants sweeping immunity to companies for decisions made 
based on cyber information, prohibiting consumers from holding 
companies accountable for reckless actions and negligence.
  The CHAIR. The time of the gentlewoman has expired.
  Mr. RUPPERSBERGER. I yield 30 seconds to the gentlewoman.
  Ms. SCHAKOWSKY. I do urge my colleagues to oppose this bill. We can 
and should do better, and I'm hopeful that we still will do better.
  Mr. ROGERS of Michigan. Madam Chair, I yield myself 30 seconds.
  I just want to make very, very clear--and I thank the gentlelady for 
working with us, she is a great member of the committee--nowhere in 
this bill does it allow the military to collect information on private 
citizens in the United States. This is not a surveillance bill. It does 
not allow it to happen. That needs to be very, very clear in this 
debate. It does not allow the military to surveil private networks in 
the United States. Period. End of story. That's the biggest part of our 
privacy protections. Again, I want to thank the gentlelady for working 
with us, but that's just an inaccurate statement, and I want to make 
that clear for the Record.
  I reserve the balance of my time.
  Mr. RUPPERSBERGER. Madam Chair, how much time do I have remaining?
  The CHAIR. The gentleman from Maryland has 10 minutes remaining.
  Mr. RUPPERSBERGER. Madam Chair, I yield 2 minutes to the gentlewoman 
from Texas (Ms. Jackson Lee), a very active member of our caucus.
  Ms. JACKSON LEE. I thank the distinguished ranking member and the 
chairman, as well, for working to answer an enormous concern on the 
question of national and domestic security.
  Since Robert Tappan Morris in 1988 released one of the first commuter 
worms, we realized, as the computer and the Internet now have grown, 
the proliferation of computer malware, or computer programs designed 
specifically to damage computers or their networks or to co-opt systems 
or steal data, has attracted public and media attention and that we 
needed to do something. Now more than ever, cybersecurity impacts every 
aspect of our lives.
  As a member of the Homeland Security Committee, I can assure you that 
my concern about the electric grid utilities, the energy and financial 
industries, recognize that it is important to act, and to act with 
speed and understanding. Likewise, I am concerned about the rage in 
epidemic of hackers and the impact that it has on 85 to 87 percent of 
the infrastructure in this Nation.
  For that reason, however, I believe that along with this effort, we 
should have a lead civilian agency to collect the data. I'm looking 
forward to the manager's amendment, which I hope will clarify that 
Homeland Security will be that.
  In addition, I have offered an amendment. My amendment ensures that 
if a cloud service provider identifies or detects an attempt by someone 
to access, to gain unauthorized access to nongovernmental information 
stored on the system, it would not be required or permitted to report 
that attempt to the government and it cannot share that information 
with the government. I thank the Rules Committee for allowing that 
amendment to be in.
  I do, however, want to raise the question on privacy. I believe that 
we could

[[Page H2095]]

fix this legislation with a small addition dealing with the privacy 
question as we hopefully address the question dealing with the lead 
civilian agency. I thank the chairman and the ranking member, and I 
look forward to further discussion on this legislation.
  Mr. ROGERS of Michigan. I continue to reserve the balance of my time.
  Mr. RUPPERSBERGER. Madam Chair, I yield 2 minutes to the gentleman 
from Colorado (Mr. Polis), a member of the Rules Committee.
  Mr. POLIS. I thank the gentleman.
  This bill, unfortunately, hurts what it purports to help. It's 
detrimental to job growth, innovation, and privacy.

                              {time}  1520

  We talked a bit about the process whereby a number of amendments that 
would have improved it were not allowed to be discussed or voted on on 
the floor. And there are still enormous flaws with this bill which need 
to be addressed.
  Look, to the extent that companies believe that information-sharing 
is important, it should be done in a way that's consistent with 
sanctity of contract. If there's something that gets in the way of 
information-sharing, we need to identify it. That hasn't been 
identified.
  Clearly, the answer is not to say whatever a company agrees upon with 
a personal user, even if explicitly it says we're going to keep your 
information private, the minute after that's agreed to by a user, the 
company would be completely indemnified by turning all this 
information, personal information, credit card information, address, 
everything, over to the government.
  Now, why not remove anything?
  Why not just pass along the parts that are related to cybersecurity?
  There's no incentive to do so. Had there been a requirement that 
reasonable efforts were taken to delete personal data, that would have 
been a step in the right direction. But, again, it's an extra cost with 
no benefit for the company to delete personal data because they're 
completely indemnified with regard to this matter without the consent 
of the user himself.
  What happens to this information once it reaches the government?
  It can be shared with any government agency. It can be shared with 
the Bureau of Alcohol, Tobacco and Firearms, the National Security 
Agency, the Food and Drug Administration. Again, the limitations are so 
open-ended that anything that relates even to a minor scratch or a cut, 
issues completely unrelated to cybersecurity, things that could be 
related to dog bites, essentially any information.
  Part of the problem here, there are cyber attacks everywhere. I ran 
an e-commerce site. Tens of thousand every day. I mean, any e-commerce 
company experiences this every day, so it's a reality every day. 
Everything is a potential cybersecurity threat. There's people cracking 
passwords every day.
  So all information is affected by this, under this bill, in its 
present form, turned over to the government, shared with every agency 
relating to any bodily injury or harm, and we haven't been offered an 
opportunity to amend that.
  So I encourage my colleagues to vote ``no'' on this bill. We can and 
we must do better for our country.
  Mr. RUPPERSBERGER. I yield 2 minutes to the gentlewoman from Alabama 
(Ms. Sewell). Is it ``Roll Tide''? She is an outstanding new member of 
the Intelligence Committee. She's smart. She works hard. She's very 
dynamic, and she is our closer today.
  Ms. SEWELL of Alabama. Madam Chair, today I rise to support the bill.
  I can say, Madam Chair, that I actually voted against the bill last 
term. But today I am proud to say, because of the hard work of both the 
chairman and the ranking member and so many members of this committee, 
that today I stand before you in support of the bill.
  I am now a new member of the Intelligence Committee and, as I've told 
my staff, the more you know, the better you can vote. And today, I want 
to rise to explain why I am voting for this bill.
  I think that everybody agrees that there are cyber threats each and 
every day. And, in fact, Director Clapper, the Director of National 
Intelligence, he actually said his number one thing that keeps him up 
at night is cyber attacks.
  And what this bill will do is simply to share information. It is not 
about releasing personal identifiable information. That is strictly 
prohibited by this bill. So it is strictly prohibited by this bill.
  And this bill has been greatly enhanced by so many of my wonderful 
colleagues who have submitted amendments, many of which I am sure will 
pass tomorrow, as well as greatly enhanced by the amendments that were 
brought forth by committee members.
  I shared some serious concerns about some privacy protections when I 
came on the committee, and I have to tell you that the committee was 
gracious enough to listen to the amendments that I offered, as well as 
other amendments that were offered by my colleagues on this side of the 
aisle.
  I was surprised, given the partisan nature of politics here in this 
House, that the Intelligence Committee really tries, because of our 
national security, to work together. And in a true bipartisan manner, 
many of those privacy protections were unanimously agreed to by members 
of the committee.
  Once again, I urge my colleagues to vote for this bill, and I urge 
the President to sign this bill into law.
  Today, I rise in support of this bill. But Madam Chair, last year, I 
voted against the cybersecurity bill that was offered in this body. I 
am now and am honored to serve as a member of the Intelligence 
Committee and the more you know, the better you can vote. I want to 
commend the Chairman and the Ranking Member for their leadership to 
improve this legislation. I also want to thank all of my colleagues who 
offered amendments to strengthen this bill by providing more privacy 
protections for our citizens and improving inter-agency coordination. 
While this is not a perfect bill, this is a step in the right direction 
and I am hopeful that the Senate will take up this measure and make it 
even stronger. It is also my hope that the White House will continue to 
work with us in this body's effort to be proactive instead of reactive. 
Madam Speaker, we simply cannot afford to wait--The threats against our 
national and economic security are real. Attacks against our financial, 
energy and communication sectors are happening every day. We have 
received dire warnings from our defense and intelligence officials that 
widespread attacks are the number one threat to our national security 
above all else. The Director of National Intelligence, James Clapper, 
has elevated cyber threats to the top of the list of national-security 
concerns. The National Intelligence Estimate provided evidence of 
widespread infiltrations of U.S. computer networks. Evidence has also 
emerged of spying inside the computer networks of major U.S. media, 
including the Wall Street Journal and New York Times. Defense and 
intelligence officials have grown increasingly alarmed over a 
relentless cyber attack campaign against U.S. banks, critical 
infrastructure and a host of other private entities.
  We must continue to work together to find a balance between 
preserving privacy and protecting the security of this country from the 
danger of cyber attacks. Sharing cyber threat information, as provided 
for in this bill, is vital for combatting malicious hackers, criminals, 
and foreign agents. By removing the legal and regulatory barriers 
currently impeding the free flow of actionable information, the Cyber 
Intelligence Sharing and Protection Act (CISPA) will promote nimble, 
adaptive innovation--the best strategy for defending against a rapidly 
evolving threat landscape.
  This growing number and complexity of cyber attacks on private and 
government computers has provided an opportunity for us to join 
together and pass bipartisan legislation to address the problem. I am 
committed to finding a workable solution with the Senate and White 
House, and I believe this bill provides a solid framework on a critical 
issue for national and economic security. I look forward to considering 
any amendments my colleagues put forth today to help improve the 
legislation of this bill. And though I realize this is not a perfect 
bill, I think the time to act is now to protect our national security. 
I urge members to vote for this legislation.
  Mr. RUPPERSBERGER. Madam Chair, I yield myself as much time as I may 
consume.
  First thing, we've heard testimony today about how serious the cyber 
attacks are to our country. We know what has occurred already. We know 
that our banks have been attacked, our major banks. We know that our 
newspapers, New York Times, Washington Post, have been attacked.
  We know that news reports have said that Iran attacked Aramco, Saudi 
Arabia's largest oil company. They took out 30,000 computers, which 
means we are subjected to those attacks also.
  We also know that Cyber Command has said that we, in the United 
States,

[[Page H2096]]

have lost, from the attacks on our businesses, approximately $200 
billion. Just think what that equates to in jobs, stealing information 
about trade secrets, about competing globally with a country like China 
where they have all of our information, where they're able to shut down 
banks.
  This is a very serious issue, and we need to do a better job to 
educate the public on how serious it is. And we just hope that we can 
pass this bill today in the House, a bill in the Senate, and the 
President signs the bill, so that we can protect our citizens, we can 
protect our businesses from these attacks.
  If we knew that Iran was sending over an airplane with a bomb we 
would take it out. And yet we have to make sure that we deal with the 
issue in the United States of America to protect ourselves.
  Now, there was a major issue raised, and that issue was privacy. And 
believe me, I want to say this over and over again. You don't have 
security if you don't have privacy. And we feel very strongly that this 
bill provides privacy.
  But we also know, Chairman Rogers and I know, that if we pass a bill 
here, we need to pass a bill in the Senate, and we need the President 
to sign it. So we got together, and even though we passed our bill in a 
bipartisan effort last year and it stalled in the Senate, we now have 
made the bill what we feel is a lot stronger as it deals with the 
perception of privacy.
  And we've added oversight. We have four categories of oversight, 
privacy. We've made sure that minimization--taking out any privacy 
information that might pass--we made sure that that is 100 percent 
minimization so that no one's private information will pass.
  But the most important thing is that we have to make sure that we 
pass a bill because of the fact that 80 percent of our network is 
controlled by 10 companies in the United States of America. And all of 
our experts in this area have said that if government and business 
can't share information about these attacks, zeros and ones, if they 
can't share information, they cannot protect our country from these 
ongoing attacks that are occurring as we speak right now.
  So let's act. Let's not wait until we have another catastrophic 
attack like 9/11. Let's deal with this now. Let's pass the bill and 
make sure that we protect, again, our citizens. And I want to say it 
one more time. The issue that you can't have security if you don't have 
privacy.
  I do want to also say, I want to thank all those individuals in our 
government, in the private sector. The privacy groups have all come 
together. This has been a good debate. It's been a debate about issues 
that the public needed to know.
  And I also want to thank the chairman for his leadership, and the 
fact that he was willing, even though we had our bill passed a year 
ago, he was willing to deal with the issue of perception and to make 
sure we made privacy an element that we could deal with, and that we 
could change our bill to deal with certain perceptions. I feel that 
we've done that.
  I also want to thank Chairman McCaul from Homeland Security and 
Ranking Member Bennie Thompson from Homeland Security, who've worked 
with us to get an amendment that was very important, as you heard from 
Jan Schakowsky.
  That amendment basically says that the point of entry for any 
communication is on the civil side of our government, Homeland 
Security, and we hope to pass that amendment.
  And I feel very strongly that if we do that, we will have addressed 
the majority of the issues that are so important to this bill and to 
our security and to our privacy.
  I yield back the balance of my time.
  Mr. ROGERS of Michigan. Madam Chair, I yield myself the remaining 
time.
  I just want to quickly, Madam Chair, address some of the moving 
targets on the bill. When we move to change something in the bill, the 
19 privacy amendments, people who still decide they don't like it for, 
again, whatever reason, move their challenges of why they don't like 
it.
  The newest, I think, straw man is that this somehow would violate 
contract law. Nothing in this bill allows you to avoid contract law. 
Nothing.

                              {time}  1530

  It's a red herring. It is not accurate. Nothing in this bill would 
allow this to happen. The fact that someone who was in the technical 
business would say this hurts job growth, that's interesting. The sheer 
number of companies who support this, from the Business Roundtable to 
the Financial Services Business Group to TechNet, who has companies 
like Intel Corporation, Symantec, Juniper, Oracle, EMC, social media, 
all stand up and say this is the right approach. It will allow us to 
protect our consumers of our product from foreign governments stealing 
their private information.
  We need to understand what this bill is and what it is not. It is not 
a surveillance bill. Nothing in here authorizes surveillance. We're 
going to have an amendment to clarify that, to say it in the law so 
people can regain that confidence.
  We argue, Read the bill. It's 27 pages. It is very clear. It is 
predominantly protections of your civil liberties, and it also allows 
companies to voluntarily share malicious source code--and that's source 
code that's committing a crime against their consumers and their 
company--with the Federal Government so they can go back overseas and 
find the Chinese or the Iranians or the Russians or the North Koreans 
who are perpetrating that crime. This bill is nothing more. It does do 
that.
  Thanks to the ranking member and all who have gotten to this point. I 
look forward, Madam Chair, to the debate on the amendments, and I yield 
back the balance of my time.
  Mr. CONYERS. Madam Chair, this week, the House of Representatives is 
scheduled to take up the Cyber Intelligence Sharing and Protection Act 
(CISPA). Among other things, the legislation would authorize open-ended 
sharing of threat information between certain private companies and the 
federal government, and grant those companies unlimited legal immunity. 
I--along with more than 30 civil liberties and privacy groups ranging 
from the ACLU to the Competitive Enterprise Institute--believe the bill 
is badly flawed, and will harm the privacy and civil liberties of our 
citizens. While the Intelligence Committee amended CISPA last week, 
purporting to address privacy-related issues, the changes do not 
ameliorate the core concerns I have with the bill.
  CISPA would create a ``Wild West'' of information-sharing, where any 
``certified'' private-sector entity could share information with any 
federal government agency for various ill-defined purposes. By allowing 
for the direct sharing of information between the private sector and 
the National Security Agency, as well as other Defense Department 
agencies, the legislation hastily casts aside time-tested legal 
prohibitions against intelligence agencies and the military from 
operating on U.S. soil. The bill should be amended to prevent this 
direct sharing with non-civilian agencies.
  CISPA would also create duplicative information-sharing processes 
with no central oversight or accountability. Successive administrations 
have expended enormous resources building proper information-sharing 
programs at the Department of Homeland Security and the FBI; these 
efforts should be enhanced, not clouded by permitting the proliferation 
of redundant programs across the federal government.
  The legislation also removes current legal protections applicable to 
companies that facilitate and process our private communications and 
share them with the government and one another. Companies sharing 
information would be exempt from all privacy statutes and would be 
relieved of liability for recklessly sharing, or deciding not to share 
information. Without narrowly defining the information that may be 
shared, limiting to whom it may be shared and why, and preserving 
mechanisms to provide accountability for wrongdoing, the privacy of our 
citizens and confidence in the trustworthiness of our electronic 
communications networks would be weakened. For example, the bill would 
not prevent a company sharing cyber threat information from including 
data not necessary to understanding the threat, such as private emails 
between family members or personal information such as medical records, 
in a data dump to the government.
  The bill should narrowly define the categories of information that 
may be shared, such as malicious code or methods of defeating 
cybersecurity controls, and require that companies sharing the data 
take reasonable steps to remove information identifying individuals not 
involved in the threat. It is not enough to require government 
recipients of the data to remove the private information because it 
should never be sent to the government in the first place. The bill 
therefore should be amended to require that companies sharing cyber 
threat information make reasonable efforts to

[[Page H2097]]

remove such personally identifiable information from the data they 
share with other companies and the government.
  The bill's liability protection provisions are also unnecessarily 
broad and eliminate the ability of aggrieved citizens and companies to 
protect and secure their privacy, as well as their property and 
physical well-being. Regardless of whether a company acted recklessly 
or negligently, the bill would prevent civil or criminal actions for 
decisions made for cybersecurity purposes ``based on'' cyber threat 
information. In effect, the legislation removes critical incentives for 
industry to act reasonably concerning cyber threat information.
  Consider a situation in which a telecommunications company through 
its operations becomes aware of a cyber threat directed toward a 
utility but fails to notify the critical infrastructure company of the 
threat, denying the utility the opportunity to engage in defensive 
measures and resulting in a catastrophic event producing substantial 
property damage and loss of life. Under the legislation, the 
telecommunications company characterizing its decision not to notify as 
one made for a cybersecurity purpose would be able to avoid legal 
liability. The bill's exemption from liability should therefore be 
narrowed to exclude protection for such decisions.
  The cyber threats our nation faces are serious, and we need to take 
action. The president's recent executive order directing the enhanced 
sharing of cyber threat information by the government to industry is a 
significant step in the right direction. Legislation encouraging 
information-sharing by the private sector is also required, but it must 
be carefully crafted and limited to actual threats. The House version 
of CISPA is not the right solution to this real problem, and it must be 
fixed before it reaches the president's desk.
  The CHAIR. All time for general debate has expired.
  Pursuant to the rule, the bill shall be considered for amendment 
under the 5-minute rule.
  In lieu of the amendment in the nature of a substitute recommended by 
the Permanent Select Committee on Intelligence, printed in the bill, it 
shall be in order to consider as an original bill for the purpose of 
amendment under the 5-minute rule an amendment in the nature of a 
substitute consisting of the text of Rules Committee Print 113-7. That 
amendment in the nature of a substitute shall be considered as read.
  The text of the amendment in the nature of a substitute is as 
follows:

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

                                H.R. 624

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cyber Intelligence Sharing 
     and Protection Act''.

     SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.

       (a) In General.--Title XI of the National Security Act of 
     1947 (50 U.S.C. 442 et seq.) is amended by adding at the end 
     the following new section:


          ``cyber threat intelligence and information sharing

       ``Sec. 1104.  (a) Intelligence Community Sharing of Cyber 
     Threat Intelligence With Private Sector and Utilities.--
       ``(1) In general.--The Director of National Intelligence 
     shall establish procedures to allow elements of the 
     intelligence community to share cyber threat intelligence 
     with private-sector entities and utilities and to encourage 
     the sharing of such intelligence.
       ``(2) Sharing and use of classified intelligence.--The 
     procedures established under paragraph (1) shall provide that 
     classified cyber threat intelligence may only be--
       ``(A) shared by an element of the intelligence community 
     with--
       ``(i) a certified entity; or
       ``(ii) a person with an appropriate security clearance to 
     receive such cyber threat intelligence;
       ``(B) shared consistent with the need to protect the 
     national security of the United States; and
       ``(C) used by a certified entity in a manner which protects 
     such cyber threat intelligence from unauthorized disclosure.
       ``(3) Security clearance approvals.--The Director of 
     National Intelligence shall issue guidelines providing that 
     the head of an element of the intelligence community may, as 
     the head of such element considers necessary to carry out 
     this subsection--
       ``(A) grant a security clearance on a temporary or 
     permanent basis to an employee or officer of a certified 
     entity;
       ``(B) grant a security clearance on a temporary or 
     permanent basis to a certified entity and approval to use 
     appropriate facilities; and
       ``(C) expedite the security clearance process for a person 
     or entity as the head of such element considers necessary, 
     consistent with the need to protect the national security of 
     the United States.
       ``(4) No right or benefit.--The provision of information to 
     a private-sector entity or a utility under this subsection 
     shall not create a right or benefit to similar information by 
     such entity or such utility or any other private-sector 
     entity or utility.
       ``(5) Restriction on disclosure of cyber threat 
     intelligence.--Notwithstanding any other provision of law, a 
     certified entity receiving cyber threat intelligence pursuant 
     to this subsection shall not further disclose such cyber 
     threat intelligence to another entity, other than to a 
     certified entity or other appropriate agency or department of 
     the Federal Government authorized to receive such cyber 
     threat intelligence.
       ``(b) Use of Cybersecurity Systems and Sharing of Cyber 
     Threat Information.--
       ``(1) In general.--
       ``(A) Cybersecurity providers.--Notwithstanding any other 
     provision of law, a cybersecurity provider, with the express 
     consent of a protected entity for which such cybersecurity 
     provider is providing goods or services for cybersecurity 
     purposes, may, for cybersecurity purposes--
       ``(i) use cybersecurity systems to identify and obtain 
     cyber threat information to protect the rights and property 
     of such protected entity; and
       ``(ii) share such cyber threat information with any other 
     entity designated by such protected entity, including, if 
     specifically designated, the Federal Government.
       ``(B) Self-protected entities.--Notwithstanding any other 
     provision of law, a self-protected entity may, for 
     cybersecurity purposes--
       ``(i) use cybersecurity systems to identify and obtain 
     cyber threat information to protect the rights and property 
     of such self-protected entity; and
       ``(ii) share such cyber threat information with any other 
     entity, including the Federal Government.
       ``(2) Sharing with the federal government.--
       ``(A) Information shared with the national cybersecurity 
     and communications integration center of the department of 
     homeland security.--Subject to the use and protection of 
     information requirements under paragraph (3), the head of a 
     department or agency of the Federal Government receiving 
     cyber threat information in accordance with paragraph (1) 
     shall provide such cyber threat information in as close to 
     real time as possible to the National Cybersecurity and 
     Communications Integration Center of the Department of 
     Homeland Security.
       ``(B) Request to share with another department or agency of 
     the federal government.--An entity sharing cyber threat 
     information that is provided to the National Cybersecurity 
     and Communications Integration Center of the Department of 
     Homeland Security under subparagraph (A) or paragraph (1) may 
     request the head of such Center to, and the head of such 
     Center may, provide such information in as close to real time 
     as possible to another department or agency of the Federal 
     Government.
       ``(3) Use and protection of information.--Cyber threat 
     information shared in accordance with paragraph (1)--
       ``(A) shall only be shared in accordance with any 
     restrictions placed on the sharing of such information by the 
     protected entity or self-protected entity authorizing such 
     sharing, including appropriate anonymization or minimization 
     of such information and excluding limiting a department or 
     agency of the Federal Government from sharing such 
     information with another department or agency of the Federal 
     Government in accordance with this section;
       ``(B) may not be used by an entity to gain an unfair 
     competitive advantage to the detriment of the protected 
     entity or the self-protected entity authorizing the sharing 
     of information;
       ``(C) may only be used by a non-Federal recipient of such 
     information for a cybersecurity purpose;
       ``(D) if shared with the Federal Government--
       ``(i) shall be exempt from disclosure under section 552 of 
     title 5, United States Code (commonly known as the `Freedom 
     of Information Act');
       ``(ii) shall be considered proprietary information and 
     shall not be disclosed to an entity outside of the Federal 
     Government except as authorized by the entity sharing such 
     information;
       ``(iii) shall not be used by the Federal Government for 
     regulatory purposes;
       ``(iv) shall not be provided by the department or agency of 
     the Federal Government receiving such cyber threat 
     information to another department or agency of the Federal 
     Government under paragraph (2)(A) if--

       ``(I) the entity providing such information determines that 
     the provision of such information will undermine the purpose 
     for which such information is shared; or
       ``(II) unless otherwise directed by the President, the head 
     of the department or agency of the Federal Government 
     receiving such cyber threat information determines that the 
     provision of such information will undermine the purpose for 
     which such information is shared; and

       ``(v) shall be handled by the Federal Government consistent 
     with the need to protect sources and methods and the national 
     security of the United States; and
       ``(E) shall be exempt from disclosure under a State, local, 
     or tribal law or regulation that requires public disclosure 
     of information by a public or quasi-public entity.
       ``(4) Exemption from liability.--
       ``(A) Exemption.--No civil or criminal cause of action 
     shall lie or be maintained in Federal or State court against 
     a protected entity, self-protected entity, cybersecurity 
     provider, or an officer, employee, or agent of a protected 
     entity, self-protected entity, or cybersecurity provider, 
     acting in good faith--
       ``(i) for using cybersecurity systems to identify or obtain 
     cyber threat information or for sharing such information in 
     accordance with this section; or
       ``(ii) for decisions made for cybersecurity purposes and 
     based on cyber threat information

[[Page H2098]]

     identified, obtained, or shared under this section.
       ``(B) Lack of good faith.--For purposes of the exemption 
     from liability under subparagraph (A), a lack of good faith 
     includes any act or omission taken with intent to injure, 
     defraud, or otherwise endanger any individual, government 
     entity, private entity, or utility.
       ``(5) Relationship to other laws requiring the disclosure 
     of information.--The submission of information under this 
     subsection to the Federal Government shall not satisfy or 
     affect--
       ``(A) any requirement under any other provision of law for 
     a person or entity to provide information to the Federal 
     Government; or
       ``(B) the applicability of other provisions of law, 
     including section 552 of title 5, United States Code 
     (commonly known as the `Freedom of Information Act'), with 
     respect to information required to be provided to the Federal 
     Government under such other provision of law.
       ``(6) Rule of construction.--Nothing in this subsection 
     shall be construed to provide new authority to--
       ``(A) a cybersecurity provider to use a cybersecurity 
     system to identify or obtain cyber threat information from a 
     system or network other than a system or network owned or 
     operated by a protected entity for which such cybersecurity 
     provider is providing goods or services for cybersecurity 
     purposes; or
       ``(B) a self-protected entity to use a cybersecurity system 
     to identify or obtain cyber threat information from a system 
     or network other than a system or network owned or operated 
     by such self-protected entity.
       ``(c) Federal Government Use of Information.--
       ``(1) Limitation.--The Federal Government may use cyber 
     threat information shared with the Federal Government in 
     accordance with subsection (b)--
       ``(A) for cybersecurity purposes;
       ``(B) for the investigation and prosecution of 
     cybersecurity crimes;
       ``(C) for the protection of individuals from the danger of 
     death or serious bodily harm and the investigation and 
     prosecution of crimes involving such danger of death or 
     serious bodily harm; or
       ``(D) for the protection of minors from child pornography, 
     any risk of sexual exploitation, and serious threats to the 
     physical safety of minors, including kidnapping and 
     trafficking and the investigation and prosecution of crimes 
     involving child pornography, any risk of sexual exploitation, 
     and serious threats to the physical safety of minors, 
     including kidnapping and trafficking, and any crime referred 
     to in section 2258A(a)(2) of title 18, United States Code.
       ``(2) Affirmative search restriction.--The Federal 
     Government may not affirmatively search cyber threat 
     information shared with the Federal Government under 
     subsection (b) for a purpose other than a purpose referred to 
     in paragraph (1).
       ``(3) Anti-tasking restriction.--Nothing in this section 
     shall be construed to permit the Federal Government to--
       ``(A) require a private-sector entity or utility to share 
     information with the Federal Government; or
       ``(B) condition the sharing of cyber threat intelligence 
     with a private-sector entity or utility on the provision of 
     cyber threat information to the Federal Government.
       ``(4) Protection of sensitive personal documents.--The 
     Federal Government may not use the following information, 
     containing information that identifies a person, shared with 
     the Federal Government in accordance with subsection (b) 
     unless such information is used in accordance with the 
     policies and procedures established under paragraph (7):
       ``(A) Library circulation records.
       ``(B) Library patron lists.
       ``(C) Book sales records.
       ``(D) Book customer lists.
       ``(E) Firearms sales records.
       ``(F) Tax return records.
       ``(G) Educational records.
       ``(H) Medical records.
       ``(5) Notification of non-cyber threat information.--If a 
     department or agency of the Federal Government receiving 
     information pursuant to subsection (b)(1) determines that 
     such information is not cyber threat information, such 
     department or agency shall notify the entity or provider 
     sharing such information pursuant to subsection (b)(1).
       ``(6) Retention and use of cyber threat information.--No 
     department or agency of the Federal Government shall retain 
     or use information shared pursuant to subsection (b)(1) for 
     any use other than a use permitted under subsection (c)(1).
       ``(7) Privacy and civil liberties.--
       ``(A) Policies and procedures.--The Director of National 
     Intelligence, in consultation with the Secretary of Homeland 
     Security and the Attorney General, shall establish and 
     periodically review policies and procedures governing the 
     receipt, retention, use, and disclosure of non-publicly 
     available cyber threat information shared with the Federal 
     Government in accordance with subsection (b)(1). Such 
     policies and procedures shall, consistent with the need to 
     protect systems and networks from cyber threats and mitigate 
     cyber threats in a timely manner--
       ``(i) minimize the impact on privacy and civil liberties;
       ``(ii) reasonably limit the receipt, retention, use, and 
     disclosure of cyber threat information associated with 
     specific persons that is not necessary to protect systems or 
     networks from cyber threats or mitigate cyber threats in a 
     timely manner;
       ``(iii) include requirements to safeguard non-publicly 
     available cyber threat information that may be used to 
     identify specific persons from unauthorized access or 
     acquisition;
       ``(iv) protect the confidentiality of cyber threat 
     information associated with specific persons to the greatest 
     extent practicable; and
       ``(v) not delay or impede the flow of cyber threat 
     information necessary to defend against or mitigate a cyber 
     threat.
       ``(B) Submission to congress.--The Director of National 
     Intelligence shall, consistent with the need to protect 
     sources and methods, submit to Congress the policies and 
     procedures required under subparagraph (A) and any updates to 
     such policies and procedures.
       ``(C) Implementation.--The head of each department or 
     agency of the Federal Government receiving cyber threat 
     information shared with the Federal Government under 
     subsection (b)(1) shall--
       ``(i) implement the policies and procedures established 
     under subparagraph (A); and
       ``(ii) promptly notify the Director of National 
     Intelligence, the Attorney General, and the congressional 
     intelligence committees of any significant violations of such 
     policies and procedures.
       ``(D) Oversight.--The Director of National Intelligence, in 
     consultation with the Attorney General, the Secretary of 
     Homeland Security, and the Secretary of Defense, shall 
     establish a program to monitor and oversee compliance with 
     the policies and procedures established under subparagraph 
     (A).
       ``(d) Federal Government Liability for Violations of 
     Restrictions on the Disclosure, Use, and Protection of 
     Voluntarily Shared Information.--
       ``(1) In general.--If a department or agency of the Federal 
     Government intentionally or willfully violates subsection 
     (b)(3)(D) or subsection (c) with respect to the disclosure, 
     use, or protection of voluntarily shared cyber threat 
     information shared under this section, the United States 
     shall be liable to a person adversely affected by such 
     violation in an amount equal to the sum of--
       ``(A) the actual damages sustained by the person as a 
     result of the violation or $1,000, whichever is greater; and
       ``(B) the costs of the action together with reasonable 
     attorney fees as determined by the court.
       ``(2) Venue.--An action to enforce liability created under 
     this subsection may be brought in the district court of the 
     United States in--
       ``(A) the district in which the complainant resides;
       ``(B) the district in which the principal place of business 
     of the complainant is located;
       ``(C) the district in which the department or agency of the 
     Federal Government that disclosed the information is located; 
     or
       ``(D) the District of Columbia.
       ``(3) Statute of limitations.--No action shall lie under 
     this subsection unless such action is commenced not later 
     than two years after the date of the violation of subsection 
     (b)(3)(D) or subsection (c) that is the basis for the action.
       ``(4) Exclusive cause of action.--A cause of action under 
     this subsection shall be the exclusive means available to a 
     complainant seeking a remedy for a violation of subsection 
     (b)(3)(D) or subsection (c).
       ``(e) Reports on Information Sharing.--
       ``(1) Inspector general report.--The Inspector General of 
     the Intelligence Community, in consultation with the 
     Inspector General of the Department of Justice, the Inspector 
     General of the Department of Defense, and the Privacy and 
     Civil Liberties Oversight Board, shall annually submit to the 
     congressional intelligence committees a report containing a 
     review of the use of information shared with the Federal 
     Government under this section, including--
       ``(A) a review of the use by the Federal Government of such 
     information for a purpose other than a cybersecurity purpose;
       ``(B) a review of the type of information shared with the 
     Federal Government under this section;
       ``(C) a review of the actions taken by the Federal 
     Government based on such information;
       ``(D) appropriate metrics to determine the impact of the 
     sharing of such information with the Federal Government on 
     privacy and civil liberties, if any;
       ``(E) a list of the departments or agencies receiving such 
     information;
       ``(F) a review of the sharing of such information within 
     the Federal Government to identify inappropriate stovepiping 
     of shared information; and
       ``(G) any recommendations of the Inspector General for 
     improvements or modifications to the authorities under this 
     section.
       ``(2) Privacy and civil liberties officers report.--The 
     Civil Liberties Protection Officer of the Office of the 
     Director of National Intelligence and the Chief Privacy and 
     Civil Liberties Officer of the Department of Justice, in 
     consultation with the Privacy and Civil Liberties Oversight 
     Board, the Inspector General of the Intelligence Community, 
     and the senior privacy and civil liberties officer of each 
     department or agency of the Federal Government that receives 
     cyber threat information shared with the Federal Government 
     under this section, shall annually and jointly submit to 
     Congress a report assessing the privacy and civil liberties 
     impact of the activities conducted by the Federal Government 
     under this section. Such report shall include any 
     recommendations the Civil Liberties Protection Officer and 
     Chief Privacy and Civil Liberties Officer consider 
     appropriate to minimize or mitigate the privacy and civil 
     liberties impact of the sharing of cyber threat information 
     under this section.
       ``(3) Form.--Each report required under paragraph (1) or 
     (2) shall be submitted in unclassified form, but may include 
     a classified annex.
       ``(f) Federal Preemption.--This section supersedes any 
     statute of a State or political subdivision of a State that 
     restricts or otherwise expressly regulates an activity 
     authorized under subsection (b).
       ``(g) Savings Clauses.--

[[Page H2099]]

       ``(1) Existing authorities.--Nothing in this section shall 
     be construed to limit any other authority to use a 
     cybersecurity system or to identify, obtain, or share cyber 
     threat intelligence or cyber threat information.
       ``(2) Limitation on military and intelligence community 
     involvement in private and public sector cybersecurity 
     efforts.--Nothing in this section shall be construed to 
     provide additional authority to, or modify an existing 
     authority of, the Department of Defense or the National 
     Security Agency or any other element of the intelligence 
     community to control, modify, require, or otherwise direct 
     the cybersecurity efforts of a private-sector entity or a 
     component of the Federal Government or a State, local, or 
     tribal government.
       ``(3) Information sharing relationships.--Nothing in this 
     section shall be construed to--
       ``(A) limit or modify an existing information sharing 
     relationship;
       ``(B) prohibit a new information sharing relationship;
       ``(C) require a new information sharing relationship 
     between the Federal Government and a private-sector entity or 
     utility;
       ``(D) modify the authority of a department or agency of the 
     Federal Government to protect sources and methods and the 
     national security of the United States; or
       ``(E) preclude the Federal Government from requiring an 
     entity to report significant cyber incidents if authorized or 
     required to do so under another provision of law.
       ``(4) Limitation on federal government use of cybersecurity 
     systems.--Nothing in this section shall be construed to 
     provide additional authority to, or modify an existing 
     authority of, any entity to use a cybersecurity system owned 
     or controlled by the Federal Government on a private-sector 
     system or network to protect such private-sector system or 
     network.
       ``(5) No liability for non-participation.--Nothing in this 
     section shall be construed to subject a protected entity, 
     self-protected entity, cyber security provider, or an 
     officer, employee, or agent of a protected entity, self-
     protected entity, or cybersecurity provider, to liability for 
     choosing not to engage in the voluntary activities authorized 
     under this section.
       ``(6) Use and retention of information.--Nothing in this 
     section shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     Government to retain or use information shared pursuant to 
     subsection (b)(1) for any use other than a use permitted 
     under subsection (c)(1).
       ``(h) Definitions.--In this section:
       ``(1) Availability.--The term `availability' means ensuring 
     timely and reliable access to and use of information.
       ``(2) Certified entity.--The term `certified entity' means 
     a protected entity, self-protected entity, or cybersecurity 
     provider that--
       ``(A) possesses or is eligible to obtain a security 
     clearance, as determined by the Director of National 
     Intelligence; and
       ``(B) is able to demonstrate to the Director of National 
     Intelligence that such provider or such entity can 
     appropriately protect classified cyber threat intelligence.
       ``(3) Confidentiality.--The term `confidentiality' means 
     preserving authorized restrictions on access and disclosure, 
     including means for protecting personal privacy and 
     proprietary information.
       ``(4) Cyber threat information.--
       ``(A) In general.--The term `cyber threat information' 
     means information directly pertaining to--
       ``(i) a vulnerability of a system or network of a 
     government or private entity or utility;
       ``(ii) a threat to the integrity, confidentiality, or 
     availability of a system or network of a government or 
     private entity or utility or any information stored on, 
     processed on, or transiting such a system or network;
       ``(iii) efforts to deny access to or degrade, disrupt, or 
     destroy a system or network of a government or private entity 
     or utility; or
       ``(iv) efforts to gain unauthorized access to a system or 
     network of a government or private entity or utility, 
     including to gain such unauthorized access for the purpose of 
     exfiltrating information stored on, processed on, or 
     transiting a system or network of a government or private 
     entity or utility.
       ``(B) Exclusion.--Such term does not include information 
     pertaining to efforts to gain unauthorized access to a system 
     or network of a government or private entity or utility that 
     solely involve violations of consumer terms of service or 
     consumer licensing agreements and do not otherwise constitute 
     unauthorized access.
       ``(5) Cyber threat intelligence.--
       ``(A) In general.--The term `cyber threat intelligence' 
     means intelligence in the possession of an element of the 
     intelligence community directly pertaining to--
       ``(i) a vulnerability of a system or network of a 
     government or private entity or utility;
       ``(ii) a threat to the integrity, confidentiality, or 
     availability of a system or network of a government or 
     private entity or utility or any information stored on, 
     processed on, or transiting such a system or network;
       ``(iii) efforts to deny access to or degrade, disrupt, or 
     destroy a system or network of a government or private entity 
     or utility; or
       ``(iv) efforts to gain unauthorized access to a system or 
     network of a government or private entity or utility, 
     including to gain such unauthorized access for the purpose of 
     exfiltrating information stored on, processed on, or 
     transiting a system or network of a government or private 
     entity or utility.
       ``(B) Exclusion.--Such term does not include intelligence 
     pertaining to efforts to gain unauthorized access to a system 
     or network of a government or private entity or utility that 
     solely involve violations of consumer terms of service or 
     consumer licensing agreements and do not otherwise constitute 
     unauthorized access.
       ``(6) Cybersecurity crime.--The term `cybersecurity crime' 
     means--
       ``(A) a crime under a Federal or State law that involves--
       ``(i) efforts to deny access to or degrade, disrupt, or 
     destroy a system or network;
       ``(ii) efforts to gain unauthorized access to a system or 
     network; or
       ``(iii) efforts to exfiltrate information from a system or 
     network without authorization; or
       ``(B) the violation of a provision of Federal law relating 
     to computer crimes, including a violation of any provision of 
     title 18, United States Code, created or amended by the 
     Computer Fraud and Abuse Act of 1986 (Public Law 99-474).
       ``(7) Cybersecurity provider.--The term `cybersecurity 
     provider' means a non-Federal entity that provides goods or 
     services intended to be used for cybersecurity purposes.
       ``(8) Cybersecurity purpose.--
       ``(A) In general.--The term `cybersecurity purpose' means 
     the purpose of ensuring the integrity, confidentiality, or 
     availability of, or safeguarding, a system or network, 
     including protecting a system or network from--
       ``(i) a vulnerability of a system or network;
       ``(ii) a threat to the integrity, confidentiality, or 
     availability of a system or network or any information stored 
     on, processed on, or transiting such a system or network;
       ``(iii) efforts to deny access to or degrade, disrupt, or 
     destroy a system or network; or
       ``(iv) efforts to gain unauthorized access to a system or 
     network, including to gain such unauthorized access for the 
     purpose of exfiltrating information stored on, processed on, 
     or transiting a system or network.
       ``(B) Exclusion.--Such term does not include the purpose of 
     protecting a system or network from efforts to gain 
     unauthorized access to such system or network that solely 
     involve violations of consumer terms of service or consumer 
     licensing agreements and do not otherwise constitute 
     unauthorized access.
       ``(9) Cybersecurity system.--
       ``(A) In general.--The term `cybersecurity system' means a 
     system designed or employed to ensure the integrity, 
     confidentiality, or availability of, or safeguard, a system 
     or network, including protecting a system or network from--
       ``(i) a vulnerability of a system or network;
       ``(ii) a threat to the integrity, confidentiality, or 
     availability of a system or network or any information stored 
     on, processed on, or transiting such a system or network;
       ``(iii) efforts to deny access to or degrade, disrupt, or 
     destroy a system or network; or
       ``(iv) efforts to gain unauthorized access to a system or 
     network, including to gain such unauthorized access for the 
     purpose of exfiltrating information stored on, processed on, 
     or transiting a system or network.
       ``(B) Exclusion.--Such term does not include a system 
     designed or employed to protect a system or network from 
     efforts to gain unauthorized access to such system or network 
     that solely involve violations of consumer terms of service 
     or consumer licensing agreements and do not otherwise 
     constitute unauthorized access.
       ``(10) Integrity.--The term `integrity' means guarding 
     against improper information modification or destruction, 
     including ensuring information nonrepudiation and 
     authenticity.
       ``(11) Protected entity.--The term `protected entity' means 
     an entity, other than an individual, that contracts with a 
     cybersecurity provider for goods or services to be used for 
     cybersecurity purposes.
       ``(12) Self-protected entity.--The term `self-protected 
     entity' means an entity, other than an individual, that 
     provides goods or services for cybersecurity purposes to 
     itself.
       ``(13) Utility.--The term `utility' means an entity 
     providing essential services (other than law enforcement or 
     regulatory services), including electricity, natural gas, 
     propane, telecommunications, transportation, water, or 
     wastewater services.''.
       (b) Procedures and Guidelines.--The Director of National 
     Intelligence shall--
       (1) not later than 60 days after the date of the enactment 
     of this Act, establish procedures under paragraph (1) of 
     section 1104(a) of the National Security Act of 1947, as 
     added by subsection (a) of this section, and issue guidelines 
     under paragraph (3) of such section 1104(a);
       (2) in establishing such procedures and issuing such 
     guidelines, consult with the Secretary of Homeland Security 
     to ensure that such procedures and such guidelines permit the 
     owners and operators of critical infrastructure to receive 
     all appropriate cyber threat intelligence (as defined in 
     section 1104(h)(5) of such Act, as added by subsection (a)) 
     in the possession of the Federal Government; and
       (3) following the establishment of such procedures and the 
     issuance of such guidelines, expeditiously distribute such 
     procedures and such guidelines to appropriate departments and 
     agencies of the Federal Government, private-sector entities, 
     and utilities (as defined in section 1104(h)(13) of such Act, 
     as added by subsection (a)).
       (c) Privacy and Civil Liberties Policies and Procedures.--
     Not later than 60 days after the date of the enactment of 
     this Act, the Director of National Intelligence, in 
     consultation with the Secretary of Homeland Security and the 
     Attorney General, shall establish the policies and procedures 
     required under section 1104(c)(7)(A) of the National Security 
     Act of 1947, as added by subsection (a) of this section.
       (d) Initial Reports.--The first reports required to be 
     submitted under paragraphs (1) and (2) of subsection (e) of 
     section 1104 of the National Security Act of 1947, as added 
     by subsection (a) of this section, shall be submitted not 
     later than 1 year after the date of the enactment of this 
     Act.
       (e) Table of Contents Amendment.--The table of contents in 
     the first section of the National Security Act of 1947 is 
     amended by adding at the end the following new item:


[[Page H2100]]


       ``Sec. 1104. Cyber threat intelligence and information 
           sharing.''.

     SEC. 3. SUNSET.

       Effective on the date that is 5 years after the date of the 
     enactment of this Act--
       (1) section 1104 of the National Security Act of 1947, as 
     added by section 2(a) of this Act, is repealed; and
       (2) the table of contents in the first section of the 
     National Security Act of 1947, as amended by section 2(d) of 
     this Act, is amended by striking the item relating to section 
     1104, as added by such section 2(d).

  The CHAIR. No amendment to that amendment in the nature of a 
substitute shall be in order except those printed in House Report 113-
41. Each such amendment may be offered only in the order printed in the 
report, by a Member designated in the report, shall be considered as 
read, shall be debatable for the time specified in the report equally 
divided and controlled by the proponent and an opponent, shall not be 
subject to amendment, and shall not be subject to a demand for division 
of the question.


           Amendment No. 1 Offered by Mr. Rogers of Michigan

  The CHAIR. It is now in order to consider amendment No. 1 printed in 
House Report 113-41.
  Mr. ROGERS of Michigan. Madam Chair, I have an amendment at the desk.
  The CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Page 12, beginning line 15, strike ``unless such 
     information is used in accordance with the policies and 
     procedures established under paragraph (7)''.

  The CHAIR. Pursuant to House Resolution 164, the gentleman from 
Michigan (Mr. Rogers) and a Member opposed each will control 5 minutes.
  The Chair recognizes the gentleman from Michigan.
  Mr. ROGERS of Michigan. I offer this amendment to ensure that library 
records, firearm sales records, medical records, and tax returns are 
not included in any information voluntarily shared with the government 
under CISPA. Though the underlying bill would not permit this 
information unless it was cyber threat information, I will support this 
amendment, as it is a clarification amendment that settles some 
Members' concerns and reflects an amendment that was passed last year 
overwhelmingly.
  With that, Madam Chair, I urge this body's support of this 
clarification amendment, and I reserve the balance of my time.
  Mr. RUPPERSBERGER. Madam Chair, I rise to claim the time in 
opposition, even though I am not opposed.
  The CHAIR. Without objection, the gentleman from Maryland is 
recognized for 5 minutes.
  There was no objection.
  Mr. RUPPERSBERGER. I support Chairman Rogers' amendment to make a 
technical change to correct our personal records provision and retain 
the privacy protections that we had in our bill upon the introduction.
  I yield back the balance of my time.
  Mr. ROGERS of Michigan. I yield back the balance of my time.
  The CHAIR. The question is on the amendment offered by the gentleman 
from Michigan (Mr. Rogers).
  The question was taken; and the Chair announced that the ayes 
appeared to have it.
  Mr. ROGERS of Michigan. Madam Chair, I demand a recorded vote.
  The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on 
the amendment offered by the gentleman from Michigan will be postponed.


                Amendment No. 2 Offered by Mr. Connolly

  The CHAIR. It is now in order to consider amendment No. 2 printed in 
House Report 113-41.
  Mr. CONNOLLY. Madam Chairwoman, I have an amendment at the desk.
  The CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Page 2, line 15, strike ``and''.
       Page 2, line 18, strike the period and insert ``; and''.
       Page 2, after line 18, insert the following:
       ``(D) used, retained, or further disclosed by a certified 
     entity for cybersecurity purposes.''.

  The CHAIR. Pursuant to House Resolution 164, the gentleman from 
Virginia (Mr. Connolly) and a Member opposed each will control 5 
minutes.
  The Chair recognizes the gentleman from Virginia.
  Mr. CONNOLLY. Madam Chairwoman, this amendment represents a 
commonsense improvement to H.R. 624, which I support, that simply 
narrows the scope of the authorization for the intelligence community 
to share classified--I stress, classified--cyber threat intelligence 
with private sector entities and utilities.
  As my colleagues are aware, the administration and some leading 
voices from the civil liberties and privacy rights communities have 
raised serious concerns with CISPA as reported out of the Permanent 
Select Committee on Intelligence. These concerns revolve around the 
fact that many provisions of CISPA are perhaps perceived as overly 
vague, or outright silent, with respect to limiting the scope of 
information sharing and mitigating the risk of unintended consequences.
  For example, section 2 of CISPA, titled ``Cyber Threat Intelligence 
and Information Sharing,'' is silent on what specific purposes 
classified cyber threat intelligence may be used, retained, or further 
disclosed by a certified entity. As reported, section 2 only requires 
that the DNI's procedures governing the sharing of classified cyber 
threat intelligence between the intelligence community and private 
sector entities be ``consistent with the need to protect the national 
security of the United States'' and used by certified entities ``in a 
manner which protects cyber threat intelligence from unauthorized 
disclosure.''
  In this particular instance, I believe the concerns raised over the 
potential unintentional consequences from vagueness are real, valid, 
and ought to be addressed. I also believe it's a false choice that we 
must somehow choose between effective cybersecurity initiatives on the 
one hand and preserving the sacred civil liberties and privacy rights 
we hold so dear as a Nation on the other. In many cases, defining or 
limiting the scope of authority would go a long way toward addressing 
the privacy concerns that have been raised with respect to this 
legislation.
  To be clear, I want to recognize that the sponsors of CISPA have 
already engaged in good faith efforts to incorporate and address 
outstanding concerns with respect to the legislation that were held by 
the administration and other stakeholders, and I think that needs to be 
recognized.
  On that note, I am pleased that my amendment that was made in order 
represents a straightforward improvement, I hope, to CISPA that's 
consistent with the sponsor's stated commitment to enhancing 
cybersecurity, safeguarding privacy rights and civil liberties, and 
ensuring oversight of activity. The amendment simply establishes that, 
with respect to CISPA's requirements, the DNI establish procedures to 
govern the sharing of classified cyber threat intelligence--that this 
classified cyber threat intelligence may only be used, retained, or 
further disclosed by a certified entity for cybersecurity purposes.
  As noted by the ACLU in its statement of support for the amendment, 
it's consistent with similar restrictions limiting the scope of other 
information sharing activities addressed in other parts of the bill. 
The straightforward enhancement will be one of many needed improvements 
to the bill that will ensure it is a targeted, well-defined bill that 
directly--and only--strengthens our national cybersecurity.
  With that, I reserve the balance of my time.
  Mr. ROGERS of Michigan. Madam Chair, while I do not oppose the 
amendment, I ask unanimous consent to claim the time in opposition.
  The CHAIR. Without objection, the gentleman is recognized for 5 
minutes.
  Mr. ROGERS of Michigan. Madam Chair, I do not oppose this amendment, 
which clarifies that classified intelligence shared by the government 
with a certified cybersecurity entity may only be used, retained, or 
further disclosed for cybersecurity purposes. The amendment is 
consistent with language that is already in the bill requiring the DNI, 
the Director of National Intelligence, to ensure that such classified 
information is carefully protected.
  I appreciate the gentleman's working with us and the ACLU to find an 
amendment that we could all agree on. I do not oppose this further 
clarification and would urge support by this body of the amendment.
  I reserve the balance of my time.

[[Page H2101]]

  Mr. CONNOLLY. I would inquire of the Chair how much time is 
remaining.
  The CHAIR. The gentleman from Virginia has 2 minutes remaining.
  Mr. CONNOLLY. Madam Chairwoman, I yield 1 minute to the distinguished 
ranking member of the committee, the gentleman from Maryland (Mr. 
Ruppersberger).

                              {time}  1540

  Mr. RUPPERSBERGER. I thank the gentleman for yielding.
  This amendment increases the privacy and civil liberties protections 
in our bill; therefore, I urge a ``yes'' on Congressman Connolly's 
amendment.
  Mr. ROGERS of Michigan. I continue to reserve the balance of my time.
  Mr. CONNOLLY. Madam Chairwoman, I yield 1 minute to my distinguished 
colleague and our friend from Georgia (Mr. Johnson).
  Mr. JOHNSON of Georgia. Madam Chair, I rise in support of this 
amendment.
  I would also argue that, in addition to it being vague, it's also 
overbroad in that it includes investigations for child pornography and 
child abductions and computer crimes. This means that under CISPA, the 
NSA could share data with law enforcement to investigate computer 
crimes, which is so broad and includes even lying about your age on 
your Facebook page. Are these really cyber threats that this bill 
claims to fix? We must defend against cyber attacks while protecting 
the liberties and privacy of Americans.
  Mr. ROGERS of Michigan. Madam Chair, I yield myself such time as I 
may consume to clarify that this doesn't call for investigations of 
those crimes based on this material, but only protection of the 
individuals that may--and I want to stress ``may,'' because, again, the 
PII, the personal identifying information, is stripped clean. But in 
some rare, rare cases, you might find that you have located the child 
who has been subjugated to child pornography. In those cases, you don't 
want to throw that away. There are parents out there begging for us to 
find this child. It's very rare, it's exceptional, doesn't happen 
often, but in that very rare case--and, remember, there's no personally 
identifiable information. It would allow for the protection, not 
investigation.
  I reserve the balance of my time.
  Mr. CONNOLLY. Madam Chairwoman, I just want to thank the 
distinguished chairman and the distinguished ranking member of the 
committee for their leadership and for their cooperation, and I yield 
back the balance of my time.
  Mr. ROGERS of Michigan. Madam Chair, I yield back the balance of my 
time.
  The CHAIR. The question is on the amendment offered by the gentleman 
from Virginia (Mr. Connolly).
  The question was taken; and the Chair announced that the ayes 
appeared to have it.
  Mr. ROGERS of Michigan. Madam Chair, I demand a recorded vote.
  The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on 
the amendment offered by the gentleman from Virginia will be postponed.


                Amendment No. 3 Offered by Mr. Schneider

  The CHAIR. It is now in order to consider amendment No. 3 printed in 
House Report 113-41.
  Mr. SCHNEIDER. Madam Chairman, I have an amendment at the desk.
  The CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:

       Page 3, beginning on line 2, strike ``employee or officer'' 
     and insert ``employee, independent contractor, or officer''.

  The CHAIR. Pursuant to House Resolution 164, the gentleman from 
Illinois (Mr. Schneider) and a Member opposed each will control 5 
minutes.
  The Chair recognizes the gentleman from Illinois.
  Mr. SCHNEIDER. Every day, U.S. Web sites, databases, and operating 
networks are threatened by foreign governments, criminal organizations, 
and other groups trying to hack into our systems and wreak havoc.
  Daily we read about infiltrations of the networks of our banks, 
newspapers, and even Federal agencies putting sensitive information at 
risk. These cyber attacks are real, and they can have devastating 
consequences: billions of dollars a year in stolen intellectual 
property and the potential to shut down our power grids and financial 
systems. The Cyber Intelligence Sharing and Protection Act gives the 
private sector the necessary tools to protect itself and its customers 
against these cyber attacks.
  Currently, the intelligence community has the ability to detect cyber 
threats, but Federal law prohibits the sharing of this information with 
the very companies whose firewalls are under attack. By sharing this 
information, private companies can actually prevent these attacks.
  The amendment I'm offering makes a small, clarifying change to the 
underlying bill, simply allowing independent contractors to be eligible 
for security clearances to perform the critical work of handling cyber 
threat intelligence. This clarification will allow companies--in 
particular, small and medium-sized businesses without the resources to 
employ full-time experts--to hire the most capable individuals and 
organizations to analyze network information, coordinate with the 
Federal Government, and protect ordinary Americans.
  We cannot allow ourselves to be in a situation where the Federal 
Government has available the information to prevent or mitigate a cyber 
attack, but companies remain defenseless because there was no legal 
framework to share that critical information.
  The networks at risk power our homes, our small businesses, and are 
what allow our banking systems to function. They facilitate nearly 
every aspect of our daily lives. These networks must be protected as 
best and responsibly as possible.
  I urge my colleagues to support both my amendment and final passage 
of this critically important bill.
  I reserve the balance of my time.
  Mr. ROGERS of Michigan. Madam Chairman, while I do not oppose the 
amendment, I ask unanimous consent to control the time in opposition.
  The CHAIR. Without objection, the gentleman is recognized for 5 
minutes.
  There was no objection.
  Mr. ROGERS of Michigan. Madam Chairman, I will support the 
clarification in this amendment.
  The amendment clarifies that independent contractors are eligible to 
receive security clearances to handle cyber threat intelligence and 
cyber threat information shared under the bill, an important 
clarification amendment.
  I appreciate the gentleman's work and effort in offering this 
amendment; And because the bill was not intended to exclude independent 
contractors, I will support this important clarification and would 
reserve the balance of my time.
  Mr. SCHNEIDER. I yield such time as he may consume to the gentleman 
from California (Mr. Schiff).
  Mr. SCHIFF. I thank the gentleman for yielding, and I rise in 
opposition to the overall measure.
  There are three concerns that have been raised by the administration 
about this bill that I share.
  The first is that it does not include a provision requiring the 
private sector to make reasonable efforts to remove personal 
information before they share it with each other or before they share 
it with the government. This is a bedrock necessity for those who are 
concerned about the privacy of Americans who may be implicated in this 
cyber sharing.
  Second, it's very important that a civilian agency, like the 
Department of Homeland Security, be the main intake--really, the sole 
intake--for this domestic data.
  There was one form of amendment offered in Rules to try to address 
this problem yesterday, yet another form of that amendment that was 
ultimately adopted by Rules, and yet a third form of that amendment 
that was adopted here this morning. None of us know exactly what it 
does because it has been a moving object. But it is very unclear 
whether this amendment would make a civilian agency, such as DHS, the 
sole intake for this domestic data. It should not be a military agency. 
We shouldn't have the private sector interacting directly with a 
military agency when it comes to domestic data that may involve the 
privacy of the American people.
  Finally, the immunity provisions are very broad and need to be reined 
in so as to encourage the private sector to take reasonable steps to 
make sure it

[[Page H2102]]

does not compromise privacy interests when it is not necessary to do so 
to protect cybersecurity.
  Those three issues still must be addressed.
  I want to compliment the chairman and the ranking member for the work 
they have done. They have made a very good-faith effort to make 
progress on many of these issues and in fact have made progress, but 
the bill still falls short and I must urge a ``no'' vote.
  Mr. SCHNEIDER. Madam Chairman, may I inquire as to how much time I 
have remaining.
  The CHAIR. The gentleman from Illinois has 2 minutes remaining.
  Mr. SCHNEIDER. I yield such time as he may consume to the ranking 
member.
  Mr. RUPPERSBERGER. Madam Chair, our bill now enables companies and 
the government to have the option to hire independent contractors to 
handle cyber threat information. It helps bring talented people into 
our cybersecurity workforce; it provides jobs; it is good for our 
economy; and it is good for our national security. Therefore, I urge a 
``yes'' vote on this amendment.
  I also want to acknowledge Congressman Schneider for his involvement 
in this issue.
  Mr. SCHNEIDER. I reserve the balance of my time.
  Mr. ROGERS of Michigan. I yield myself such time as I may consume.
  I just want to address my friend from California, who is a thoughtful 
member of the intelligence community.
  This is a position that much has been debated about: Should the 
government regulate into the private sector their use of the Internet? 
I argue that is a dangerous place to go. They will have to promulgate 
rules; they will have to set what reasonable standards are; they will 
have to determine what the private sector does on the Internet. That's 
government in the Internet. One of the things that we decided to avoid 
in this bill was not to make that mandate, the burden to make sure that 
no PII, personal identifying information, is mandated in this bill; and 
it's stripped out at the place where the burden should be: on the 
government. To make sure it happens, we have four different layers of 
oversight built in just to make sure what we say that they're supposed 
to do according to the law, they follow the law--four levels of review.

                              {time}  1550

  We shouldn't put the burden on the victims. We don't do it if 
somebody sticks a gun in your face on the street or robs the bank or 
robs your home. What's the difference if they're robbing your Internet 
or stealing your blueprints that steals American jobs? The difference? 
There is none. Theft is theft.
  Let us not move to get the government into regulating. Aspects of the 
Internet between private to private has been the explosion of growth in 
one-sixth of our economy. Keep the government out of it.
  That's what we decided to do. We came to a very sensible place that 
protects that PII, that personal identifying information, and allows 
the government to stay out of regulating the Internet.
  I think that's the right prudent course. I think most Americans are 
with us. Certainly the broad specter of industries who have joined 
this, from the high-tech industry to the financial services to 
manufacturing, have said, This is the right way to go. You stay out of 
our business. We'll share with you when we're victims of a crime.
  With that, I reserve the balance of my time.
  Mr. SCHNEIDER. Madam Chairman, I just want to thank the ranking 
member and the chairman for the way you have approached this in a 
bipartisan effort, and I yield back the balance of my time.
  Mr. ROGERS of Michigan. I yield back the balance of my time.
  The CHAIR. The question is on the amendment offered by the gentleman 
from Illinois (Mr. Schneider).
  The amendment was agreed to.


                Amendment No. 4 Offered by Mr. Langevin

  The CHAIR. It is now in order to consider amendment No. 4 printed in 
House Report 113-41.
  Mr. LANGEVIN. Madam Chair, I rise to offer an amendment, No. 35, 
listed as No. 4 in the rule.
  The CHAIR. The Clerk will designate the amendment.
  The text of the amendment is as follows:
       Page 8, line 16, strike ``a State, local, or tribal law or 
     regulation'' and insert ``a law or regulation of a State, 
     political subdivision of a State, or a tribe''.

  The CHAIR. Pursuant to House Resolution 164, the gentleman from Rhode 
Island (Mr. Langevin) and a Member opposed each will control 5 minutes.
  The Chair recognizes the gentleman from Rhode Island.
  Mr. LANGEVIN. Madam Chair, I yield myself such time as I may consume.
  My amendment ensures that utility districts are not unnecessarily and 
unintentionally limited from protecting their own information and 
ultimately will lead to a broader and more effective information 
sharing structure, leading to better cybersecurity across all critical 
infrastructure. Specifically, the amendment replaces the word 
``local,'' which is typically interpreted to mean city, town, and 
county by the courts.
  Such a definition, I believe, could potentially leave out special 
districts that provide utility services, like the Salt River Project, 
the Central Arizona Project, the Metropolitan Water District of 
Southern California, and other smaller special districts.
  My amendment, Madam Chair, which is supported by the American Public 
Power Association, changes the bill to read, ``political subdivision,'' 
allowing more utilities to receive the protections built into our bill. 
In doing so, it also makes the language consistent with the preemption 
provision in the bill.
  If not amended, this legislation could subject utility districts to 
additional requirements if they share threat information, effectively 
creating a deterrent to participation--precisely what we want to avoid. 
We know that myriad threats are arrayed against the networks that run 
our critical infrastructure, and we must ensure that the utilities, 
which are the front lines in the cybersecurity fight, are properly 
protected.
  I have long advocated for minimum standards for utilities, but absent 
such standards, I believe that we have to make sure that as many 
utilities as possible have access to the best possible information to 
defend their networks and are able to share information about the 
attacks that they experience.
  This is an important bill overall. I really do want to applaud, 
again, Chairman Rogers and Ranking Member Ruppersberger for their 
outstanding work on the underlying bill.
  Obviously, the challenges of the threats that we face in cyberspace 
are growing exponentially every day. It seems like there's not a week 
that goes by that you don't hear of a new major attack on the critical 
infrastructure or, in particular, our banking system or major 
corporations with intellectual property theft, and obviously we have 
got to take action and do so now. Failure to do so would be a great 
abdication of our responsibility.
  I'm disappointed the bill didn't pass last year. I know how hard the 
chairman and ranking member worked on this legislation, but clearly our 
adversaries, or enemies, have not taken a hiatus. They are actively 
engaged in cyber attacks or threats of intellectual property or 
identity theft, and the list goes on and on.
  The underlying bill is a major step forward in protecting our cyber 
networks, allowing classified information to be shared with the private 
sector, allowing threat information to be shared back with the 
government to give broader situation awareness, as well as information 
sharing between both in the private sector among companies.
  So, again, the underlying bill is a major step forward. I believe 
this amendment that I'm offering makes the bill even better for making 
sure that broader utilities are included in allowing for information 
sharing.
  I urge my colleagues to support this commonsense amendment and the 
underlying legislation, and I reserve the balance of my time.
  Mr. ROGERS of Michigan. Madam Chair, while I do not oppose the 
amendment, I ask unanimous consent to control the time in opposition.
  The CHAIR. Without objection, the gentleman is recognized for 5 
minutes.
  Mr. ROGERS of Michigan. Madam Chair, I yield myself such time as I 
may consume.

[[Page H2103]]

  I want to thank the gentleman from Rhode Island (Mr. Langevin), who 
has been a tremendous leader on cybersecurity efforts on the 
Intelligence Committee. Much of our work there is classified and it 
goes unnoticed, and rightly so. I think it would be wrong for us not to 
commend in public your great leadership and efforts and work with us to 
try to make sure that this bill does what we say we want it to do. It 
has been a great privilege and pleasure to work with you throughout 
that process, and without that leadership, we wouldn't be standing on 
the floor today. I want to thank the gentleman for that.
  I will support the amendment, which clarifies that entities located 
across multiple localities are intended to be covered by provisions in 
the bill exempting information shared under the bill from certain 
disclosures otherwise required of public or quasi-public entities. The 
amendment replaces the term ``local'' with ``political subdivision.'' 
Because there is no intention to exclude such entities, this is 
intended as a clarification, an important clarification, and I will 
gladly support the amendment, and again thank the gentleman for his 
work on the totality of both national security issues and 
cybersecurity.
  I reserve the balance of my time.
  Mr. LANGEVIN. Madam Chair, I yield such time as he may consume to the 
ranking member of the Intelligence Committee, the gentleman from 
Maryland (Mr. Ruppersberger).
  Mr. RUPPERSBERGER. I thank the gentleman for yielding.
  Madam Chair, first, I want to agree with our chairman, and I said it 
before, that you have been one of the key players in developing 
legislation to protect our country. From the beginning, when those of 
us started working on this issue, probably 2006, you were there. You 
have a tremendous amount of expertise. You have been a great adviser to 
all of us, and also not only the Intelligence Committee, but the Armed 
Services Committee, and I appreciate all your work.
  I also support your amendment to include political subdivisions 
within the information, use, and protection requirements in our bill. 
Your amendment ensures that utility districts are not unnecessarily and 
unintentionally limited from protecting their own information.
  Therefore, I urge a ``yes'' vote on your amendment.
  Mr. LANGEVIN. Madam Chair, before I close, I just wanted to thank, 
again, the chairman and the ranking member for their comments, but, 
more importantly, their extraordinary collaborative work in trying to 
protect our Nation's cybersecurity. The work that they did in putting 
this legislation together, it is a real service to the country what you 
have done, and I am grateful to have played a part in it with you, and 
thank you for your friendship.
  With that, I urge my colleagues to support the amendment, and I yield 
back the balance of my time.
  Mr. ROGERS of Michigan. I yield back the balance of my time.
  The CHAIR. The question is on the amendment offered by the gentleman 
from Rhode Island (Mr. Langevin).
  The question was taken; and the Chair announced that the ayes 
appeared to have it.
  Mr. ROGERS of Michigan. Madam Chair, I demand a recorded vote.
  The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on 
the amendment offered by the gentleman from Rhode Island will be 
postponed.

                              {time}  1600

  Mr. ROGERS of Michigan. Madam Chair, I move that the Committee do now 
rise.
  The motion was agreed to.
  Accordingly, the Committee rose; and the Speaker pro tempore (Mr. 
Marchant) having assumed the chair, Ms. Ros-Lehtinen, Chair of the 
Committee of the Whole House on the state of the Union, reported that 
that Committee, having had under consideration the bill (H.R. 624) to 
provide for the sharing of certain cyber threat intelligence and cyber 
threat information between the intelligence community and cybersecurity 
entities, and for other purposes, had come to no resolution thereon.

                          ____________________