[Congressional Record Volume 161, Number 155 (Thursday, October 22, 2015)]
[Senate]
[Pages S7452-S7453]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                 CYBERSECURITY INFORMATION SHARING ACT

  Mr. FRANKEN. Mr. President, I rise today to talk about the 
Intelligence Committee bill we are currently debating, the 
Cybersecurity Information Sharing Act of 2015, or CISA.
  This Chamber sees its fair share of disagreements, so it is worth 
noting when there is something we can all agree on, and I think we can 
all agree on the need for congressional action on cyber security. We 
face ever-increasing cyber attacks from sophisticated individuals, 
organized crime syndicates, and foreign regimes. These attacks pose a 
real threat to our economy and to our national security. It is clear 
that we must respond to these new threats because the cost of 
complacency is too high, but it is critical, in deciding how we protect 
our information networks, that we also continue to protect the 
fundamental privacy rights and civil liberties of Americans. In short, 
there is a pressing need for meaningful, effective cyber security 
legislation that balances privacy and security. Unfortunately, as it 
now stands, the Cybersecurity Information Sharing Act falls short.
  Since this legislation was first introduced, I and a number of my 
colleagues on both sides of the aisle have raised serious concerns 
about the problems the bill presents for Americans' privacy and for the 
effective operation of our Nation's cyber defense. My colleagues and I 
are not alone. Serious concerns have been raised by technologists and 
security experts, civil society organizations from across the political 
spectrum, and major tech companies, such as Apple, Dropbox, Twitter, 
Yelp, salesforce.com, and Mozilla. Neither the Business Software 
Alliance nor the Computer & Communications Industry Association 
supports CISA as written.
  In a letter I received from the Department of Homeland Security this 
summer, the agency--which has a leading role in cyber security for the 
Federal Government--expressed concern about specific aspects of CISA. 
DHS explained that under the bill's approach, ``the complexity--for 
both government and businesses--and inefficiency of any information 
sharing program will markedly increase.'' The letter explained that 
CISA would do away with important privacy protections and could make it 
harder, not easier, to develop ``a single, comprehensive picture of the 
range of cyber threats faced daily.''
  Senator Burr and Senator Feinstein, the bill managers, have worked 
very hard over the last months to improve various aspects of the bill, 
and their substitute amendment offers a significantly improved version 
of CISA. I really appreciate their efforts, but it is clear to me and 
others that the improvements did not go far enough. Major concerns 
raised in the letter from DHS and voiced by security experts, privacy 
advocates, and tech companies still have not been resolved. Let me 
briefly describe three of them.
  First, the bill gives companies a free pass to engage in network 
monitoring and information sharing activities, as well as the operation 
of defensive measures, in response to anything they deem a ``cyber 
security threat,'' no matter how improbable it is that it constitutes a 
risk of any kind.
  The term ``cyber security threat'' is really the linchpin of this 
bill. Companies can monitor systems, share cyber threat indicators with 
one another or with the government, and deploy defensive measures to 
protect against any cyber security threats. So the definition of 
``cyber security threat'' is pretty important, and the bill defines 
``cyber security threat'' to include any action that ``may result in an 
unauthorized effort to adversely impact'' cyber security. Under this 
definition, companies can take action even if it is unreasonable to 
think that security might be compromised.
  This raises serious concerns about the scope of all of the 
authorities granted by the bill and the privacy implications of those 
authorities. Security experts and advocates have warned that in this 
context, establishing the broadest possible definition of ``cyber 
security threat'' actually threatens to undermine security by 
increasing the amount of unreliable information shared with the 
government.

  I have written an amendment, which is cosponsored by Senators Leahy, 
Wyden, and Durbin, which would set the bar a bit higher, requiring that 
a threat be at least ``reasonably likely'' to result in an effort to 
adversely impact security. This standard gives companies plenty of 
flexibility. They don't need to be certain that an incident or event is 
an attack before they share information, but they should have at least 
determined that it is a plausible threat.
  The definition of a cyber security threat isn't the only problematic 
provision of the bill. This brings me to the second concern that I 
would like to highlight. The bill provides a blanket authorization that 
allows companies to share information ``notwithstanding any other 
provision of law.'' As DHS explained this past summer, that statutory 
language ``sweeps away important privacy protections.'' Indeed, it 
means that CISA would override all existing privacy laws, from the 
Electronic Communications Privacy Act, ECPA, to HIPAA, a law that 
protects sensitive health information.
  Moreover, this blanket authorization applies to sharing done with any 
Federal agency. Companies are free to directly share with whomever they 
may choose, including law enforcement and military intelligence 
agencies. This means that, unbeknownst to their customers, companies 
may share information that contains customers' personal information 
with NSA, FBI, and others. From a security perspective, it also means 
we are setting up a diffuse system. I want to emphasize this. This is 
setting up a diffuse system that, as DHS's letter acknowledged, is 
likely to be complex and inefficient, where it is
actually harder for our cyber security experts to connect the dots and 
keep us safe.
  These are all reasons why privacy experts, independent security 
experts, and the Department of Homeland Security have all warned that 
CISA's blanket authorization is a problem.
  Earlier this year, the House avoided this problem when they passed 
the National Cybersecurity Protection Advancement Act by a vote of 355 
to 63. That information sharing bill only authorizes sharing with the 
government through a single civilian hub at the Department of Homeland 
Security--a move toward efficient streamlining of information that is 
also good for privacy. But understand that this is the House of 
Representatives, 355 to 63, saying: Let's make this easier for the 
government to have all the information in one place.
  Finally, CISA fails to adequately assure the removal of irrelevant 
personal information. This, of course, is a major concern. The bill 
allows personal information to be shared even when there is a high 
likelihood that the information is not related to a cyber security 
threat. Combined with the bill's overly broad definition of ``cyber 
security threat,'' this basically ensures that private entities will 
share extraneous information from Americans' personal communications. 
If companies are going to receive the broad liability protection this 
bill provides, they should be expected to do better than this.
  Senator Wyden has offered an amendment, which I am proud to be the 
cosponsor of, which would require companies to be more diligent and to 
remove ``to the extent feasible'' any personal information that isn't 
necessary to identify a cyber security threat. The ``extent feasible'' 
is a crucial improvement, but it is hardly novel; in fact, it is 
basically the same standard that is in place today when information is 
shared between private companies and the Department of Homeland 
Security. There is no justification for lowering that standard in CISA, 
especially because the bill also provides companies with significant 
liability protection.
  Mr. President, the amendments I have talked about today, as well as a 
number of other pending amendments, would make CISA a better deal, one 
that is significantly more protective of Americans' privacy and more 
likely to advance cyber security. I want to encourage my colleagues to 
support these amendments. Without them, I fear that, however well 
intentioned, CISA would do a disservice to the American people.

  I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.
  Mr. CARPER. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

                          ____________________