[Congressional Record Volume 161, Number 158 (Tuesday, October 27, 2015)]
[Senate]
[Pages S7498-S7510]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




             CYBERSECURITY INFORMATION SHARING ACT OF 2015

  The PRESIDING OFFICER. Under the previous order, the Senate will 
resume consideration of S. 754, which the clerk will report.
  The senior assistant legislative clerk read as follows:

       A bill (S. 754) to improve cybersecurity in the United 
     States through enhanced sharing of information about 
     cybersecurity threats, and for other purposes.

  Pending:

       Burr/Feinstein amendment No. 2716, in the nature of a 
     substitute.
       Burr (for Cotton) modified amendment No. 2581 (to amendment 
     No. 2716), to exempt from the capability and process within 
     the Department of Homeland Security communication between a 
     private entity and the Federal Bureau of Investigation or the 
     United States Secret Service regarding cybersecurity threats.
       Feinstein (for Coons) modified amendment No. 2552 (to 
     amendment No. 2716), to modify section 5 to require DHS to 
     review all cyber threat indicators and countermeasures in 
     order to remove certain personal information.
       Burr (for Flake/Franken) amendment No. 2582 (to amendment 
     No. 2716), to terminate the provisions of the Act after ten 
     years.
       Feinstein (for Franken) further modified amendment No. 2612 
     (to amendment No. 2716), to improve the definitions of 
     cybersecurity threat and cyber threat indicator.
       Burr (for Heller) modified amendment No. 2548 (to amendment 
     No. 2716), to protect information that is reasonably believed 
     to be personal information or information that identifies a 
     specific person.
       Feinstein (for Leahy) modified amendment No. 2587 (to 
     amendment No. 2716), to strike the FOIA exemption.
       Feinstein (for Mikulski/Cardin) amendment No. 2557 (to 
     amendment No. 2716), to provide amounts necessary for 
     accelerated cybersecurity in response to data breaches.
       Feinstein (for Whitehouse/Graham) modified amendment No. 
     2626 (to amendment No. 2716), to amend title 18, United 
     States Code, to protect Americans from cybercrime.
       Feinstein (for Wyden) modified amendment No. 2621 (to 
     amendment No. 2716), to improve the requirements relating to 
     removal of personal information from cyber threat indicators 
     before sharing.

  The PRESIDING OFFICER. Under the previous order, the time until 11 
a.m. will be equally divided between the two leaders or their 
designees.
  The assistant Democratic leader.
  Mr. DURBIN. Mr. President, the debate which we will engage in today 
on the floor of the Senate is really one that parallels the historic 
debates that have occurred in the course of our Nation's history. When 
a great democracy sets out to defend its citizens and to engage in 
security, it really is with a challenge: Can we keep our Nation safe 
and still protect our rights and liberties? That question has been 
raised, and that challenge has been raised time and again.
  It was President Abraham Lincoln during the Civil War who suspended 
the right of habeas corpus. It was challenged by some as an 
overextension by the executive branch, but President Lincoln thought it 
was necessary to resolve the Civil War in favor of the Union. In World 
War I, the passage of the Alien and Sedition Acts raised questions 
about the loyalty of Americans who question many of the great issues 
that were being raised during that war. We certainly all remember what 
happened during World War II when, even under President Franklin 
Roosevelt, thousands of Japanese Americans were interned because of our 
concerns about safety and security in the United States. It continued 
in the Cold War with the McCarthy hearings and accusations that certain 
members of the State Department and other officials were, in fact, 
Communist sympathizers. That history goes on and on.

  So whenever we engage in a question of the security and safety for 
our Nation, we are always going to be faced

[[Page S7499]]

with that challenge. Are we going too far? Are we giving too much 
authority to the government? Are we sacrificing our individual rights 
and liberty and privacy far more than we should to keep this Nation 
safe? That, in fact, is the debate we have today on the most 
sophisticated new form of warfare--cyber war.
  Cyber security is an enormous concern not just for private companies 
but for every American. Data breaches happen almost every day. We read 
not that long ago that 21 million current and former Federal employees 
had their records breached and stolen from the Office of Personnel 
Management. Just this month more than 700,000 T-Mobile users in my home 
State may have had their information compromised by hackers. It seems 
there isn't a month that goes by where we don't hear of another 
security breach. That is why we need to take steps to improve data 
security and share cyber threat information.
  Chairman Burr and Ranking Member Feinstein worked long and hard to 
put together a bill to encourage private and governmental entities to 
share potential threat information. This bill has evolved over 5 years. 
No one has worked harder during that period of time than my colleague, 
Senator Feinstein of California. Senator Burr is now joining her in 
this effort.
  Many are skeptical about the bill before us. Some have raised those 
concerns on the floor. But we look at the major companies that are 
opposing this bill as currently written--Apple, IBM, Microsoft, Google, 
Facebook, and Amazon--just a few of the major companies that have said 
they can't support the bill that is on the floor today. They note that 
the bill does not require companies or the Federal Government to 
protect private information, including personal emails, email 
addresses, and more. In fact, this bill preempts all laws that would 
prevent a company or agency from sharing personal information.
  I am encouraged that the managers of this bill have moved in the 
direction of addressing this concern. They have limited the 
authorization to share cyber threat information to ``cyber security 
purposes''--a valuable step toward making sure the bill is not used as 
surveillance. They have included a provision requiring government 
procedures to notify Americans if their information is shared 
mistakenly by the government. They have clarified that the 
authorization to employ defensive measures--or defensive ``hacking''--
does not allow an entity to gain unauthorized access to another's 
computer network.
  There will be some amendments before us today that I will support 
which I think strengthen the privacy protections that should be 
included in this bill.
  I am a cosponsor of the Franken amendment to improve the definitions 
of ``cyber security threat'' and other cyber threat indicators. 
Narrowing this definition from information that ``may'' be a threat to 
information that is ``reasonably likely'' to pose a threat would reduce 
the amount of potentially personal information shared under the bill.
  I also urge my colleagues to support the Wyden amendment to 
strengthen the requirement that private companies remove sensitive 
personal information before sharing cyber threat indicators. Again, 
this amendment would limit the amount of potentially personal 
information shared under the bill.
  I support the Coons amendment to give the Department of Homeland 
Security time to remove or scrub personal information from the 
information it shares with other Federal agencies. There is simply no 
need for personal information unrelated to a threat to be shared with 
law enforcement agencies such as the Department of Justice and NSA.
  These amendments would strengthen privacy protections in the bill 
much more than the original managers' package. I look forward to 
working with Senators Burr and Feinstein and others to ensure that the 
final bill addresses our cyber security concerns while still protecting 
privacy--something I know we all want to do.
  Mr. President, I yield the floor.
  Mrs. FEINSTEIN. Mr. President, I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.
  Mrs. FEINSTEIN. Mr. President, I ask unanimous consent that the order 
for the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mrs. FEINSTEIN. Mr. President, I ask unanimous consent that the time 
be charged equally on both sides.
  The PRESIDING OFFICER. Is there objection?
  Without objection, it is so ordered.
  Mrs. FEINSTEIN. I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.
  Mr. BURR. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. BURR. Mr. President, shortly we will once again begin the process 
on the cyber security bill. We will start votes hopefully right at 11 
o'clock. We will try to work through five amendments this morning and 
return this afternoon with a short period of debate, and once again, at 
4 o'clock, we will take up five additional votes--or possibly four--and 
be at the point where we could conclude this legislation.
  Let me say to my colleagues that the Senate has tried for several 
years now to bring cyber security legislation to the Senate floor and 
find the will to pass it. With the work of the vice chairman, I think 
we have been able to succeed in that. We enjoyed a 14-to-1 vote out of 
the committee, showing tremendous bipartisan support. Thousands of 
businesses and almost 100 organizations around the country are 
supportive of the bill. But, more importantly, in the last several days 
the bill has gained the support of the Wall Street Journal and the 
Washington Post--not necessarily publications that chime in on the need 
for certain pieces of legislation from the Senate floor, but in this 
particular case, two publications understand the importance of cyber 
security legislation getting signed into law.
  This is the first step, and conferencing with the House will come 
shortly after. I am proud to say that we already have legislation the 
White House says they support. So I think we are in the final stretches 
of actually getting legislation into law that would voluntarily allow 
companies to partner with the Federal Government when their systems 
have been breached, when personal data is at risk.
  I still say today to those folks both in this institution and outside 
of this institution who are concerned with privacy that I think the 
vice chairman and I have bent over backward to accommodate concerns. 
Some concerns still exist. We don't believe they are necessarily 
accurate and that only by utilizing this system will, in fact, we 
understand whether we have been deficient anywhere.
  There are also several companies that are not supportive of this 
bill, as is their right. I will say this: From the beginning, we 
committed to make this bill voluntary, meaning that any company in 
America, if its systems are breached, could choose voluntarily to 
create the partnership with the Federal Government. Nobody is mandated 
to do it. So I speak specifically to those companies right now: You 
might not like the legislation, but for goodness' sakes, do not deprive 
every other business in America from having the opportunity to have 
this partnership. Do not deprive the other companies in this country 
from trying to minimize the amount of personal data that is lost 
because there has been a cyber attack. Do not try to stop this 
legislation and put us in a situation where we ignore the fact that 
cyber attacks are going to happen with greater frequency from more 
individuals and that the sooner we learn how to defend our systems, the 
better off personal data will be in the United States of America.
  This is a huge deal. The vice chairman and I from day one have said 
to our Members that we will entertain any good ideas that we think 
strengthen the bill. On both sides of the aisle, we have said to 
Members that if this breaks the agreement that we have for the support 
we need, because they don't believe the policy is right, then

[[Page S7500]]

we will lock arms and we will vote against amendments.
  We have about eight amendments today. On a majority of those, we will 
do that. I am proud to tell my colleagues that during the overnight and 
this morning--we will announce today that we have taken care of the 
Flake amendment with a modification. We are changing the sunset on the 
legislation to 10 years, and we will accept the Flake amendment on a 
voice vote later this morning. We continue even over these last hours 
to try to modify legislation that can be agreed to on both sides of the 
aisle but, more importantly, without changing the delicate balance we 
have tried to legislate into this legislation.
  I am sure Members will come down over the next 35 minutes, but at 
this time I will yield the floor so the vice chairman can seek time.
  The PRESIDING OFFICER. The Senator from California.
  Mrs. FEINSTEIN. Thank you, Mr. President.
  I wish to begin by thanking the chairman for his work on the bill.
  For me, this has been a 6-year effort. It hasn't been easy. It hasn't 
been easy because we have tried to strike a balance and make the bill 
understandable so that there would be a cooperative effort to share 
between companies and the government.
  Last Thursday the Senate showed its support for moving forward with 
two strong votes. We had a vote of 83 to 14 to invoke cloture on the 
substitute amendment, showing that there is, in fact, deep bipartisan 
support for moving significant legislation to the President's desk.
  To that end, I ask unanimous consent that editorials from the two 
major U.S. newspapers be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

               [From the Washington Post, Oct. 22, 2015]

      The Senate Should Take a Crucial First Step on Cybersecurity

                          (By Editorial Board)

       After years of failure to find a consensus on 
     cybersecurity, the Senate is expected to vote early next week 
     on a bill that would enable the government and the private 
     sector to share information about malicious threats and 
     respond to them more quickly. The legislation is not going to 
     completely end the tidal wave of cyberattacks against the 
     government and corporations, but passing it is better than 
     doing nothing--and that is where Congress has left the matter 
     in recent years.
       The legislation, approved by the Senate Select Committee on 
     Intelligence on a bipartisan 14-to-1 vote in March, is 
     intended to iron out legal and procedural hurdles to sharing 
     information on cyberthreats between companies and the 
     government. Private-sector networks have been extremely 
     vulnerable, while the government possesses sophisticated 
     tools that might be valuable in defending those networks. If 
     threats are shared in real time, they could be blunted. The 
     legislation is not a magic wand. Hackers innovate destructive 
     and intrusive attacks even faster than they can be detected. 
     The information sharing would be voluntary. But the bill is 
     at least a first step for Congress after several years of 
     inconclusive debate over how to respond to attacks that have 
     infiltrated networks ranging from those of Home Depot to the 
     Joint Chiefs of Staff.
       The biggest complaint about the bill is from privacy 
     advocates, including Sen. Ron Wyden (D-Ore.), who cast the 
     sole dissenting vote on the intelligence committee. His 
     concerns have been amplified recently by several tech giants. 
     Apple told The Post this week that it opposes the legislation 
     because of privacy concerns. In a statement, the company 
     said, ``The trust of our customers means everything to us and 
     we don't believe security should come at the expense of their 
     privacy.'' Some other large technology firms are also 
     opposing the bill through a trade association. Separately, 
     alarmist claims have been made by privacy advocates who 
     describe it as a ``surveillance'' bill.
       The notion that there is a binary choice between privacy 
     and security is false. We need both privacy protection and 
     cybersecurity, and the Senate legislation is one step toward 
     breaking the logjam on security. Sponsors have added privacy 
     protections that would scrub out personal information before 
     it is shared. They have made the legislation voluntary, so if 
     companies are really concerned, they can stay away. Abroad 
     coalition of business groups, including the U.S. Chamber of 
     Commerce, has backed the legislation, saying that cybertheft 
     and disruption are ``advancing in scope and complexity.''
       The status quo is intolerable: Adversaries of the United 
     States are invading computer networks and hauling away 
     sensitive information and intellectual property by the 
     gigabyte. A much stronger response is called for in all 
     directions, both to defend U.S. networks and to punish those, 
     such as China, doing the stealing and spying. This 
     legislation is a needed defensive step from a Congress that 
     has so far not acted on a vital national concern.
                                  ____


             [From the Wall Street Journal, Oct. 26, 2015]

                     A Cyber Defense Bill, at Last


         Data sharing can improve security and consumer privacy

       By now everyone knows the threat from cyber attacks on 
     American individuals and business, and Congress finally seems 
     poised to do something about it. As early as Tuesday the 
     Senate may vote on a bill that would let businesses and the 
     government cooperate to shore up U.S. cyber defenses.
       This should have been done long ago, but Democrats blocked 
     a bipartisan bill while they controlled the Senate and 
     President Obama insisted on imposing costly new cyber-
     security mandates on business. The GOP Senate takeover in 
     2014 has broken the logjam, helped by high-profile attacks 
     against the likes of Sony, Home Depot, Ashley Madison and the 
     federal Office of Personnel Management.
       Special thanks to WikiLeaks, the anti-American operation 
     that last week announced that its latest public offering 
     would be information hacked from the private email account of 
     CIA chief John Brennan. We assume Mr. Brennan's government 
     email is better protected, but then this is the same 
     government that let Hillary Clinton send top-secret 
     communications on her private email server.
       Democrats have decided it's now bad politics to keep 
     resisting a compromise, and last week the Cybersecurity 
     Information Sharing Act co-sponsored by North Carolina 
     Republican Richard Burr and California Democrat Dianne 
     Feinstein passed the filibuster hurdle. A similar bill passed 
     the House in April 307-106.
       The idea behind the legislation is simple: Let private 
     businesses share information with each other, and with the 
     government, to better fight an escalating and constantly 
     evolving cyber threat. This shared data might be the 
     footprint of hackers that the government has seen but private 
     companies haven't. Or it might include more advanced 
     technology that private companies have developed as a 
     defense.
       Since hackers can strike fast, real-time cooperation is 
     essential. A crucial provision would shield companies from 
     private lawsuits and antitrust laws if they seek help or 
     cooperate with one another. Democrats had long resisted this 
     legal safe harbor at the behest of plaintiffs lawyers who 
     view corporate victims of cyber attack as another source of 
     plunder.
       The plaintiffs bar aside, the bill's main opponents now are 
     big tech companies that are still traumatized by the fallout 
     from the Edward Snowden data theft. Apple, Dropbox and 
     Twitter, among others, say the bill doesn't do enough to 
     protect individual privacy and might even allow government 
     snooping.
       Everyone knows government makes mistakes, but the far 
     larger threat to privacy is from criminal or foreign-
     government hackers who aren't burdened by U.S. due-process 
     protections. Cooperation is voluntary, and the bill includes 
     penalties if government misuses the information. Before 
     either side can share data, personal information that might 
     jeopardize customer privacy must be scrubbed.
       The tech giants are the outliers in this debate, while 
     nearly all of the rest of American business supports the 
     bill. The White House has said Mr. Obama will sign the 
     legislation, which would make it a rare example of bipartisan 
     cooperation. The security-privacy debate is often portrayed 
     as a zero-sum trade-off, but this bill looks like a win for 
     both: Helping companies better protect their data from cyber 
     thieves will enhance American privacy.

  Mrs. FEINSTEIN. The first is from the Washington Post dated October 
22, entitled ``The Senate should take a crucial first step on 
cybersecurity.'' The second is in today's Wall Street Journal, and it 
is entitled ``A Cyber Defense Bill, At Last: Data sharing can improve 
security and consumer privacy.''
  I also note the endorsement from Secretary Jeh Johnson on October 22.
  I have been privileged to work with our chairman. We have really 
tried to produce a balanced bill. We have tried to make it 
understandable to private industry so that companies understand it and 
are willing to cooperate. This bill will allow companies and the 
government to voluntarily share information about cyber threats and the 
defensive measures they might be able to implement to protect their 
networks.
  Right now, the same cyber intrusions are used again and again to 
penetrate different targets. That shouldn't happen. If someone sees a 
particular virus or harmful cyber signature, they should tell others so 
they can protect themselves.
  That is what this bill does. It clears away the uncertainty and the 
concerns that keep companies from sharing this information. It provides 
that two competitors in a market can share information on cyber threats 
with each other without facing anti-trust suits. It provides that 
companies sharing

[[Page S7501]]

cyber threat information with the government for cyber security 
purposes will have liability protection.
  As I have said many times, the bill is completely voluntary. If a 
company doesn't want to share information, it does not have to.
  Today, we will vote on up to seven amendments. As late as this 
morning, Senator Burr and I have been working to see if we can reach 
agreement to accept or voice vote some of them, and I hope these 
discussions will be successful. However, I remain in agreement with 
Chairman Burr that we will oppose any amendments that undo the careful 
compromises we have made on this bill. Over the past 10 months, we have 
tried to thread a needle in fact to draft a bill that as I said gives 
the private sector the insurances it needs to share more information 
while including privacy protections to make sure Americans' information 
is not compromised.

  I see on the floor the ranking member of the Homeland Security and 
Governmental Affairs Committee, the distinguished Senator from 
Delaware, and I thank Senator Carper for all he has done to help us and 
also to make what I consider a major amendment on this bill, which as 
you know has been accepted.
  Several of today's amendments would undo this balance. Senators 
Wyden, Heller, and Franken have amendments that would lead to less 
information sharing. Each of them would replace clear requirements that 
are now in the bill on what a company or a government must do prior to 
sharing information with a new subjective standard that would insert 
the concern of legal liability.
  I would offer to work with these Senators and others as the bill 
moves forward and hopefully goes into conference to see if there is a 
way to achieve their goals without interfering with the bill's goal of 
increasing information sharing.
  Senator Leahy's amendment would similarly decrease the amount of 
sharing by opening up the chances of public disclosure through the 
Freedom of Information Act of cyber threats shared under this bill. 
While the bill seeks to share information about the nature of cyber 
threats and suggestions on how to defend networks, this information 
should not be made widely available to hackers and cyber criminals who 
could use it for their own purposes.
  Senator Burr and I worked closely with Senators Leahy and Cornyn in 
putting together the managers' package to remove a FOIA exemption that 
they viewed as unnecessary and harmful. I am pleased we were able to 
reach that agreement. However, the FOIA exemption that remains in the 
bill is needed to encourage companies to share this information, and I 
would oppose this amendment.
  The President has an amendment on the other side of the spectrum 
which I will also strongly oppose. This amendment would basically undo 
one of the core concepts of this bill. Instead of requiring cyber 
information to go through a single portal at the Department of Homeland 
Security, it would allow companies to share cyber information directly 
with the FBI or the Secret Service and still provide full liability 
protection.
  This change runs afoul of one of the most important privacy 
protections in the bill, which was to limit direct sharing of this 
cyber information with the intelligence community or with law 
enforcement. In other words, everything will go through the portal 
first, where it will receive an additional scrub to remove any residual 
personal information and then go to the respective departments. In this 
way the privacy is kept by not being able to misuse the authority to 
provide unrelated information directly to departments.
  If there is a crime, companies should be able to share information 
with law enforcement--I agree with that--but that is not what this bill 
is about. This bill is about sharing cyber information on threats so 
there can be greater awareness and better defenses.
  When there is a cyber crime and law enforcement is called in, we are 
talking about very different information. When the FBI investigates, it 
takes entire databases and servers. It looks at everything--far beyond 
the cyber information that could be lawfully shared in this act. So 
sharing with the FBI outside of the DHS portal may be appropriate in 
certain cases but not as a parallel option for cyber threat 
information.
  In fact, our bill already makes clear in section 105(c)(E) that it 
``does not limit or prohibit otherwise lawful disclosures of 
communications, records, or other information, including reporting of 
known or suspected criminal activity.'' I would just refer to this 
chart which quotes section 105(c). It says exactly that.
  This amendment would undo the key structure of this bill--the central 
portal for sharing information located at the Department of Homeland 
Security--and decrease the ability of the government to effectively 
manage all the cyber information it receives. So I will oppose this 
amendment and urge my colleagues to do the same.
  I very much appreciate that the Senate will complete its 
consideration of this bill today. We still have a long way to go. We 
have to conference the House bill with our bill. I want to make this 
offer, and I know I think I speak for the chairman as well, that we are 
happy to work with any Member as we go into conference, but I hope we 
can complete these last few votes without upsetting the careful 
negotiations and compromise we have been able to reach.
  Again, I thank the Chair.
  I yield back the remainder of my time, and I yield the floor.
  The PRESIDING OFFICER. The Senator from Delaware.
  Mr. CARPER. Let me start off by saying to Senator Feinstein, 6 years 
ago, you, along with Senators Susan Collins, Joe Lieberman, Jay 
Rockefeller, and others started leading the effort to put in place 
comprehensive cyber security legislation and offered the first 
comprehensive bill dealing with information sharing. We had a vote in 
late 2012. It came up short, and we started all over again in the last 
Congress. You have shown great leadership right from the start. I thank 
you and I thank Senator Burr, the chair of the committee. I thank you 
for cooperating with us and with others to make sure that we have not 
just a good bill but a very good bill that addresses effectively the 
greatest challenges we face in our country.
  I have heard Senator Feinstein say this time and again, and I will 
say it again today: If companies don't want to share information with 
the Federal Government, they don't have to. It is elective. In some 
cases they can form their own groups called ISOCs that will share 
information with one another. They don't have to share information on 
attacks with the Federal Government. They can share it with other peers 
if they wish to, but if they do share it with the Federal Government, 
with a couple of narrow exceptions, we ask that it be shared with the 
Department of Homeland Security because the Department of Homeland 
Security is set up in large part to provide a privacy scrub.
  Next month the DHS will have the ability, when these threat 
indicators come through that are reported by other businesses across 
the country, in real time to be able to scrub that information through 
the portal and remove from it personally identifiable information that 
should not be shared with other Federal agencies, and just like that, 
bingo, we are off to the races. It is a smart compromise that I am 
pleased and grateful to have worked out with Senators Burr and 
Feinstein and their staff. I thank both their staff and ours as well.
  The other piece is the legislation we literally took out of the 
Committee on Homeland Security and Governmental Affairs that has been 
pending. I think the entire title 2 of the managers' amendment is the 
legislation that Senator Johnson and I have worked on. We are grateful 
for that.
  One piece of it is something called EINSTEIN 1, 2, and 3--not to be 
confused with the renowned scientist, Albert Einstein. But we have 
something called EINSTEIN 1, EINSTEIN 2, and EINSTEIN 3. What do they 
mean? What this legislation does is it means we are going to use these 
tools--we are going to continue to update and modernize these tools--
to, No. 1, record intrusions; No. 2, to be able to detect the bad stuff 
coming through into the Federal Government; and No. 3, block it.
  We are going to make sure it is not just something that is positive 
work on a piece of paper but that 100 percent of

[[Page S7502]]

the Federal agencies are able to use these new tools. Senator Johnson 
and I worked on legislation included in this package that uses 
encryption tools and doubles the number of processes we have available 
to better protect our information.
  Finally, I would mention that Senator Collins, the former chair of 
the Homeland Security Committee--she and a number of our colleagues, 
including Senator Mikulski, Senator McCaskill, and others, have worked 
on legislation that we added to and all of that was reported out of the 
committee. All of this together is a very robust defender of our dot-
gov domain and could be used to help those outside the Federal 
Government as well.
  Going back to the last Congress, Tom Coburn and I worked together to 
do three things to strengthen the Department of Homeland Security to 
let it do its job. Growing up, I remember seeing cartoon ads in a 
magazine about some guy at the beach kicking sand on a smaller guy. The 
smaller guy in this case would have been the Department of Homeland 
Security, with respect to their ability to provide robust defense 
against cyber attacks. If I can use that cartoon as an analogy, in the 
past, the Department of Homeland Security was the 98-pound weakling, 
and it is no weakling anymore. Legislation that Dr. Coburn and I 
offered, passed in the Congress, to, No. 1, say the cyber ops center in 
the Department of Homeland Security is real. We are standing it up. We 
are making it real and robust.
  The Federal Information Security Management Act for years was a 
paperwork exercise and was a once-a-year check to make sure our cyber 
defenses were secure. We are transforming that into a 24/7, robust, 
around-the-clock operation by modifying legislation and improving 
legislation called FISMA. We also in that legislation make clear what 
OMB's job is and we make clear what the job of the Department of 
Homeland Security is.
  Finally, for years the Department of Homeland Security hired and 
trained cyber warriors, and just as they were getting really good, they 
were hired away because we couldn't retain them. We couldn't pay them 
or provide retention bonuses or hiring bonuses. We need to make sure we 
have some of the best cyber warriors in the world working at the 
Department of Homeland Security. Now DHS has that authority, and we 
will be able to hire these people.
  Putting all this together, folks, what we have done is move the 
needle. With passage of this legislation we will move the needle and we 
need to do that.
  There will be discussion later on of amendments. There are a couple 
of them that for this Senator are especially troubling. Senator 
Feinstein has mentioned a couple of them, and I suspect Senator Burr 
has mentioned them as well. We will look at them as we go through, but 
a couple of them set this legislation back and I will very strongly 
oppose them.
  Having said that, regarding the old saying--I am tired of hearing it 
and I am tired of saying it, but ``don't let the perfect be the enemy 
of the good.'' This isn't just good legislation, this is very good 
legislation, and it has gotten better every step of the way because of 
the willingness of the ranking member and the chairman of the Intel 
Committee to collaborate. The three C's at work are communicating, 
compromising, and collaborating. We should work out these amendments 
today and pass this bill.
  I thank the Chair.
  The PRESIDING OFFICER. The Senator from Nevada.


                    Amendment No. 2548, as Modified

  Mr. HELLER. Mr. President, this Senator, like everyone else in this 
Chamber, realizes the need to address the threat of cyber attacks. The 
impact of these attacks is a matter of individual financial security as 
well as America's national security, and I contend that these efforts 
must not interfere with Americans' privacy. In doing so, the cure, 
which is this piece of legislation, is worse than the problem.
  I have said it before and I will continue saying it, privacy for 
Nevadans is nonnegotiable. Nevadans elected me in part to uphold their 
civil rights and their liberties, and that is what I am on the floor 
doing today. That is why I fought for passage of the USA FREEDOM Act. 
That is why I offered my amendment being considered on this floor this 
given day. Hundreds of Nevadans have reached out to my office 
expressing concerns about the Cybersecurity Information Sharing Act, 
saying it did not do enough to safeguard their personal information.

  Also tech companies, including Google, Apple, Microsoft, Oracle, and 
BSA Software Alliance, all expressed the same concerns about privacy 
under this piece of legislation. It is our responsibility in Congress 
to listen to these concerns and address them before allowing this piece 
of legislation to become law. I recognize the chairman of the 
intelligence committee does not support my amendment and has been 
encouraging our colleagues to oppose it.
  With respect, however, I believe my amendment is a commonsense, 
middle-ground amendment. It ensures that we strike an appropriate 
balance that guarantees privacy, but also allows for real-time sharing 
of cyber threat indicators. My amendment would simply require the 
Federal Government, before sharing any cyber threat indicators, to 
strip out any personally identifiable information that they reasonably 
believe is not directly related to a cyber security threat.
  This standard creates a wide protection for American's personal 
information. Furthermore, it also improves the operational capabilities 
of this cyber sharing program. DHS has stated that removing more 
personally identifiable information before sharing will help the 
private sector meaningfully digest that information as they work to 
combat cyber threats.
  Again, I respect what Chairman Burr and Ranking Member Feinstein are 
trying to do here, which is why I have carefully crafted this amendment 
to meet the needs of both sides--those fighting for privacy and those 
fighting for our national security. I would like to take a moment to 
address the concerns expressed by the chairman, who has argued that 
this amendment is a poison pill for this piece of legislation. I want 
to be clear: This amendment is not creating legal uncertainty that 
would delay the sharing of cyber threat indicators. In fact, the term 
``reasonably believes'' is used as the standard for the private sector 
in the House-passed cyber bill. Let me repeat that. This phrase, 
``reasonably believes,'' is the standard applied to the private sector 
in the House-passed bill. Our counterparts on the House Intelligence 
Committee felt that this standard was high enough to protect privacy 
while also meeting the goal of the bill which is real-time sharing.
  If this standard is good enough for the private sector, it should be 
good enough for the Federal Government. Just 6 months ago, the chamber 
of commerce released a strong statement of support and praise for the 
House-passed cyber legislation. Not once did they release statements of 
concern over using the term ``reasonably believes'' as it applies to 
the private sector, the industry which they represent. I ask again: If 
it is good enough for the private sector, should it not be good enough 
for the Federal Government?
  Finally, I am proud to have the support of two of the Senate's 
leading privacy advocates, Senators Leahy and Wyden, who have been 
fighting with me to make key changes to this bill to maintain 
Americans' rights. I strongly urge my colleagues today to vote in 
support of my simple fix. Let's keep our oath to the American people 
and make this bill stronger for privacy rights and civil liberties.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Oregon.
  Mr. WYDEN. Mr. President, I ask unanimous consent that after Chairman 
Burr has spoken, I be recognized for 2 minutes.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The PRESIDING OFFICER. The Senator from North Carolina.
  Mr. BURR. Mr. President, I want to say to my colleague Senator 
Heller, I wish we could accommodate all of the amendments. The fact is 
that even a word here and there changes the balance of what Senator 
Feinstein and I have tried to put together. Although on the surface it 
may not look like a big deal--I understand we have two competing bills 
that were passed in the House, and one has the language. The fact is, 
our language for the entirety of the bill does not match the House 
bill.
  When you change something, we have to look at the cause and effect of 
it.

[[Page S7503]]

Here are the realities. This is a voluntary bill. I will start backward 
with some of the things Senator Heller said. Technology companies are 
opposed to it. They are. I cannot do anything about that, but I can 
plead with them: Why would you deprive thousands of businesses that 
want to have a partnership with the Federal Government from having it 
because you have determined for your business, even though you are a 
large holder of personal data, that you don't want a partnership with 
the Federal Government.
  I would suggest that the first day they get penetrated, they may find 
that partnership is worthy. I cannot change where they are on the 
legislation. The reality is that for a voluntary bill, it means there 
has to be a reason for people to want to participate. Uncertainty is 
the No. 1 thing that drives that away. We believe the change the 
Senator proposes provides that degree of uncertainty, and therefore we 
would not have information shared either at all or in a timely fashion. 
If it is not shared in a timely fashion, then we won't reach the real-
time transfer of data which gives us the basis of minimizing data loss 
in this bill.
  I think it is easy to look at certain pieces of the bill and say: 
Well, this does not change it that much. But it changes it in a way 
that would cause either companies to choose not to participate, or it 
may change it in a way that delays the notification to the Federal 
Government. Therefore, we are not able to accomplish what we set out to 
do in the mission of this bill, which is to minimize the amount of data 
that is lost not just at that company but across the U.S. economy.
  Again, I urge our colleagues--we will move to amendments shortly. We 
will have an opportunity to debate for 1 minute on each side on those 
amendments. I would urge my colleagues to keep this bill intact. If we 
change the balance of what we have been able to do, then it changes the 
effects of how this will be implemented, and, in fact, we may or may 
not at the end of the day----
  Mr. HELLER. Will the chairman yield time so I can respond to his 
comment?
  Mr. BURR. I will be happy to yield.
  Mr. HELLER. I appreciate everything the Senator is doing. I 
understand the importance of fighting against cyber attacks. I want to 
make two points--clarify two points that I think are very important. 
The language in this bill is the same standard the private sector is 
held to in the House-passed bill. The chamber had no problem 6 months 
ago when that bill was passed out of the House of Representatives.
  So I continue to ask the question: If it is good enough--if this 
language is good enough for the private sector, why is it not good 
enough for the public sector, for the Federal Government? The second 
thing is that I believe my amendment does strike a balance, increasing 
privacy but still providing that real-time information sharing. I just 
wanted to make those two points.
  Mr. BURR. Mr. President, I appreciate the Senator's input. I can only 
say to my colleagues that it is the recommendation of the vice chair 
and myself that this not be supported. It does change the balance, it 
puts uncertainty in the level of participation, and any delay from real 
time would, in fact, mean that we would not have lived up to the 
mission of this bill, which is to minimize data loss.
  I think, though, that there are similarities between the House and 
Senate bills. Ours is significantly different, and therefore it has a 
different implication when you change certain words.
  With that, I yield the floor.
  The PRESIDING OFFICER. The Senator from Oregon.
  Mr. WYDEN. Before he leaves the floor, I want to commend my colleague 
from Nevada. I strongly support his amendment.


                    Amendment No. 2621, as Modified

  Colleagues, the first vote we will have at 11 o'clock is on my 
amendment No. 2621. This amendment is supported by a wide variety of 
leaders across the political spectrum, progressive voices that have 
focused on cyber security and privacy as well as conservative 
organizations. FreedomWorks, for example, an important conservative 
organization, announced last night that they will consider the privacy 
amendment that I will be offering. It will be the first vote, a key 
vote on their congressional scorecard.
  It was the view of FreedomWorks that this amendment, the first vote, 
would add crucial privacy protections to this legislation. The point of 
the first amendment we will vote on is to strengthen privacy 
protections by requiring that companies make reasonable efforts to 
remove unrelated personal information about their customers before 
providing data to the government. It says that companies should take 
these efforts to the extent feasible. Let me say that this truly offers 
a great deal of flexibility and discretion to companies. It certainly 
does not demand perfection, but it does say to these companies that 
they should actually have to take some real responsibility, some 
affirmative step.
  We will have a chance, I guess for a minute or so, when we get to the 
amendments, but for purposes of colleagues reflecting before we start 
voting, the first amendment I will be offering is backed by important 
progressive organizations, such as the Center for Democracy and 
Technology, and conservative groups, such as FreedomWorks, which last 
night said this is a particularly important vote with respect to 
liberty and privacy. It says that with respect to the standard for 
American companies, you just cannot hand it over, you have to take some 
affirmative steps--reasonable, affirmative steps--before you share 
personal information.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from North Carolina.
  Mr. BURR. Mr. President, we are going to go to these amendments, and 
we will have five amendments this morning and possibly up to five this 
afternoon starting at 4 o'clock.


               Amendment Nos. 2626, as Modified, and 2557

  I want to take this opportunity--there are two pending amendments 
that are not germane. I ask unanimous consent that it be in order to 
raise those points of order en bloc at this time.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. BURR. I make a point of order that the Whitehouse amendment No. 
2626 and the Mikulski amendment No. 2557 are not germane to amendment 
No. 2716.
  The PRESIDING OFFICER. The points of order are well taken and the 
amendments fall.
  Mr. BURR. Mr. President, I want to take this opportunity before we 
start the final process to thank the vice chairman. She has been 
incredibly willing to participate, even when we started in a different 
place than where we ended. She brought to the table a tremendous amount 
of experience on this issue because of the number of years she had 
worked on it. She was very accommodating on areas that I felt were 
important for us to either incorporate or at least debate.
  What I really want to share with my colleagues is that we had a 
wholesome debate in the committee. The debate the vice chair and I and 
our staffs had was wholesome before it even came to the Presiding 
Officer or to Senator Wyden. That is good. It is why some of the 
Members might have said in committee: Gee, this looks like a good 
amendment. Yet it did not fit within the framework of what the vice 
chair and I sat down and agreed to.
  So this has been a process over a lot of months of building support, 
not just within this institution but across the country. It is not a 
process where I expected to get to the end and for there to be nothing 
but endorsements of the legislation. I have never seen a piece of 
legislation achieve that coming out of the Senate. But I think the vice 
chair and I believed when we actually put legislation together that we 
were on the same page. The fact is, it is important that today we are 
again still on the same page, that we have stuck there. I thank the 
vice chairman.

  I also thank Senator Johnson and Senator Carper, the chairman and the 
ranking member of the homeland security committee. They have been 
incredibly helpful and incredibly accommodating. We have tried to 
incorporate everything we thought contributed positively to this 
legislation, and they were huge contributors.
  Lastly, let me say to all of my colleagues that it is tough to be put 
in a situation--the vice chair and myself--where we have Members on 
both sides

[[Page S7504]]

who are going to offer amendments--I understand that to them those 
amendments are very reasonable, and I would only ask my colleagues to 
understand the situation the vice chair and I are in. We have 
negotiated a very delicately written piece of legislation, and any 
change in that that is substantive we feel might, in fact, change the 
outcome of what this bill accomplishes.
  We will have votes on amendments this morning. One of those 
amendments, Senator Flake's amendment--overnight we were able to 
negotiate a change in the sunset provision to 10 years. We will modify 
that on the floor and accept it by voice vote. The others will be 
recorded votes.
  With that, I yield the floor.


                    Amendment No. 2621, as Modified

  The PRESIDING OFFICER (Mrs. Fischer). Under the previous order, the 
question occurs on amendment No. 2621, as modified, offered by the 
Senator from Oregon, Mr. Wyden.
  There is 2 minutes of debate equally divided.
  The Senator from Oregon.
  Mr. WYDEN. Madam President, virtually all agree that cyber security 
is a serious problem. Virtually all agree that it is useful to share 
information, but sharing information without robust privacy standards 
creates as many problems as it may solve.
  The first amendment I am offering is supported by a wide variety of 
organizations across the political spectrum because they want what this 
amendment would do; that is, reasonable efforts have to be made to 
strike unrelated personal information before it is handed over to the 
government. Without that, you have a flimsy standard that says: When in 
doubt, hand it over.
  I urge colleagues to support this amendment. It is backed by 
progressive groups and conservative groups.
  Madam President, I ask unanimous consent to add Senator Warren as a 
cosponsor to my amendment.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. WYDEN. Madam President, I ask unanimous consent to have printed 
in the Record a letter of support from FreedomWorks, a leading 
conservative voice on these issues.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:


                                                 FreedomWorks,

                                 Washington, DC, October 26, 2015.

           Key Vote YES on the Wyden Amendment #2621 to CISA

       As one of our over 6.9 million FreedomWorks activists 
     nationwide, I urge you to contact your senators and ask them 
     to vote YES on the Wyden amendment to add crucial privacy 
     protections to the Cyber Information Sharing Act (CISA), S. 
     754.
       CISA purports to facilitate stronger network security 
     across the nation by facilitating the interchange of 
     information on cyber threats between private companies and 
     government agencies. But one of CISA's several gaping flaws 
     is the incentive it creates for some companies to share this 
     data recklessly.
       The personally identifiable information (PII) of a 
     company's users can be attached to cyber threat indicators 
     after a hack--potentially sensitive information that is 
     generally unnecessary to diagnose the threat. But since 
     companies which share cyber threat data are completely immune 
     to consequence if that shared data should be misused, their 
     incentive is to share the data as quickly as possible--even 
     if that means some would be sharing PII.
       And if that personal data is irresponsibly shared with the 
     government, it gets spread far and wide between government 
     agencies (including the NSA) in real time, thanks to CISA's 
     mandatory interagency sharing provision.
       The Wyden amendment goes a long way toward addressing the 
     potential misuse of this personal information by requiring 
     companies which share cyber threat data to review said data 
     to ensure that all PII that is not directly necessary to 
     counter the cyber threat is deleted before it is shared.
       Passing the Wyden amendment wouldn't fully fix the problems 
     with CISA, but it is an important protection against 
     potential distribution and misuse of innocent consumers' 
     private information.
       Please contact your senators and ask that they vote YES on 
     the Wyden amendment to CISA. FreedomWorks will count the vote 
     on this amendment as a Key Vote when calculating our 
     Congressional Scorecard for 2015. The scorecard is used to 
     determine eligibility for the FreedomFighter Award, which 
     recognizes Members of Congress who consistently vote to 
     support economic freedom and individual liberty.
           Sincerely,
                                                     Adam Brandon,
                                                CEO, FreedomWorks.

  The PRESIDING OFFICER. The time of the Senator has expired.
  The Senator from California.
  Mrs. FEINSTEIN. Madam President, I rise to oppose the amendment. This 
amendment would replace a key feature of the underlying bill. Right 
now, under section 104(d) of the managers' amendment, a company is 
required to conduct a review of any information before it is shared and 
remove any personal information that is not ``directly related to a 
cybersecurity threat.''
  Senator Wyden's amendment, while well-intentioned, would replace that 
review with a requirement that a company must remove personal 
information ``to the extent feasible''--and there is the rub. This is a 
very unclear requirement. In this bill, we are trying to provide 
clarity on what a company has to do so that it is understandable. 
Companies understand what it means to conduct a review to see whether 
there is personal information and then strip it out. They don't know 
what may or may not be feasible, and they worry that this lack of 
clarity could create the risk of a lawsuit where the current language 
does not.
  The PRESIDING OFFICER. The time of the Senator has expired.
  Mrs. FEINSTEIN. Therefore, I ask my colleagues to join with me in 
voting no on the Wyden amendment.
  The PRESIDING OFFICER. The question is on agreeing to the Wyden 
amendment, as modified.
  Mr. BURR. Madam President, I ask for the yeas and nays.
  The PRESIDING OFFICER. Is there a sufficient second?
  There appears to be a sufficient second.
  The clerk will call the roll.
  The legislative clerk called the roll.
  Mr. CORNYN. The following Senators are necessarily absent: the 
Senator from Texas (Mr. Cruz), the Senator from Kentucky (Mr. Paul), 
the Senator from Florida (Mr. Rubio), and the Senator from Louisiana 
(Mr. Vitter).
  The PRESIDING OFFICER. Are there any other Senators in the Chamber 
desiring to vote?
  The result was announced--yeas 41, nays 55, as follows:

                      [Rollcall Vote No. 285 Leg.]

                                YEAS--41

     Baldwin
     Bennet
     Blumenthal
     Booker
     Boxer
     Brown
     Cantwell
     Cardin
     Casey
     Coons
     Crapo
     Daines
     Durbin
     Franken
     Gardner
     Gillibrand
     Heinrich
     Heller
     Hirono
     Klobuchar
     Leahy
     Lee
     Markey
     Menendez
     Merkley
     Murkowski
     Murphy
     Murray
     Peters
     Reed
     Reid
     Sanders
     Schatz
     Schumer
     Shaheen
     Stabenow
     Sullivan
     Tester
     Udall
     Warren
     Wyden

                                NAYS--55

     Alexander
     Ayotte
     Barrasso
     Blunt
     Boozman
     Burr
     Capito
     Carper
     Cassidy
     Coats
     Cochran
     Collins
     Corker
     Cornyn
     Cotton
     Donnelly
     Enzi
     Ernst
     Feinstein
     Fischer
     Flake
     Graham
     Grassley
     Hatch
     Heitkamp
     Hoeven
     Inhofe
     Isakson
     Johnson
     Kaine
     King
     Kirk
     Lankford
     Manchin
     McCain
     McCaskill
     McConnell
     Mikulski
     Moran
     Nelson
     Perdue
     Portman
     Risch
     Roberts
     Rounds
     Sasse
     Scott
     Sessions
     Shelby
     Thune
     Tillis
     Toomey
     Warner
     Whitehouse
     Wicker

                             NOT VOTING--4

     Cruz
     Paul
     Rubio
     Vitter
  The amendment (No. 2621), as modified, was rejected.


                    Amendment No. 2548, as Modified

  The PRESIDING OFFICER. Under the previous order, the question occurs 
on amendment No. 2548, as modified, offered by the Senator from Nevada, 
Mr. Heller.
  There is 2 minutes of debate equally divided.
  The Senator from Nevada.
  Mr. HELLER. Madam President, the chairman has stated that this piece 
of legislation has privacy protections. But I don't believe it goes far 
enough or we wouldn't be in this Chamber, vote after vote after vote, 
trying to move this so there is some personal privacy and so there are 
some liberties that are protected.
  This amendment in front of us right now is a commonsense, middle-
ground approach that strengthens the standards for the Federal 
Government removing personal information prior to sharing it with the 
private sector.
  I want to leave my colleagues with two points. This is the same 
standard

[[Page S7505]]

that the private sector is held to in the House-passed bill, supported 
by the Chamber. If this amendment is good enough for the private 
sector, the question is, Why isn't it good enough for the Federal 
sector or the government? No. 2, my amendment strikes a balance between 
increasing privacy but still providing for real-time information 
sharing.
  I urge my colleagues to support this amendment.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from North Carolina.
  Mr. BURR. Madam President, Senator Feinstein and I have tried to 
reach a very delicate balance. We think we have done that. Senator 
Heller raised one specific issue. He said the chamber is supportive of 
the language. Let me just read: The chamber opposes Senator Heller's 
amendment for much of the same reason that we oppose comparable 
amendments being offered. It says: The difficulty with seemingly simple 
tweaks and wording is that interpreting the language, such as `` 
reasonably believes'' and ``reasonable efforts'' in legislation, is far 
from simple. It would create legal uncertainty and is contrary to the 
goal of real-time information sharing. The chamber will press to 
maintain NOS as the standard.
  Hopefully, this shares some texture with my colleagues about how 
difficult this has been. As I said earlier, I would love to accept all 
of the amendments. But when it changes the balance of what we have been 
able to put--when we take a voluntary bill and provide uncertainty, we 
have now given a reason for either companies not to participate or for 
the government to delay the transmission to the appropriate agencies.
  The PRESIDING OFFICER. The Senator's time has expired.
  Mr. BURR. We believe we have the right protections in place. I urge 
my colleagues to defeat the Heller amendment.
  The PRESIDING OFFICER. The question is on agreeing to the amendment, 
as modified.
  Mr. THUNE. I ask for the yeas and nays.
  The PRESIDING OFFICER. Is there a sufficient second?
  There appears to be a sufficient second.
  The clerk will call the roll.
  The bill clerk called the roll.
  Mr. CORNYN. The following Senators are necessarily absent: the 
Senator from Texas (Mr. Cruz), the Senator from Kentucky (Mr. Paul), 
the Senator from Florida (Mr. Rubio), and the Senator from Louisiana 
(Mr. Vitter).
  The PRESIDING OFFICER. Are there any other Senators in the Chamber 
desiring to vote?
  The result was announced--yeas 47, nays 49, as follows:

                      [Rollcall Vote No. 286 Leg.]

                                YEAS--47

     Baldwin
     Barrasso
     Bennet
     Blumenthal
     Booker
     Boxer
     Cantwell
     Cardin
     Casey
     Cassidy
     Coons
     Crapo
     Daines
     Donnelly
     Durbin
     Enzi
     Ernst
     Flake
     Franken
     Gardner
     Gillibrand
     Heinrich
     Heitkamp
     Heller
     Hirono
     Hoeven
     Kaine
     Lankford
     Leahy
     Lee
     Markey
     McCaskill
     Menendez
     Merkley
     Moran
     Murkowski
     Murray
     Peters
     Portman
     Reed
     Sanders
     Sullivan
     Tester
     Toomey
     Udall
     Warren
     Wyden

                                NAYS--49

     Alexander
     Ayotte
     Blunt
     Boozman
     Brown
     Burr
     Capito
     Carper
     Coats
     Cochran
     Collins
     Corker
     Cornyn
     Cotton
     Feinstein
     Fischer
     Graham
     Grassley
     Hatch
     Inhofe
     Isakson
     Johnson
     King
     Kirk
     Klobuchar
     Manchin
     McCain
     McConnell
     Mikulski
     Murphy
     Nelson
     Perdue
     Reid
     Risch
     Roberts
     Rounds
     Sasse
     Schatz
     Schumer
     Scott
     Sessions
     Shaheen
     Shelby
     Stabenow
     Thune
     Tillis
     Warner
     Whitehouse
     Wicker

                             NOT VOTING--4

     Cruz
     Paul
     Rubio
     Vitter
  The amendment (No. 2548), as modified, was rejected.


                    Amendment No. 2587, as Modified

  The PRESIDING OFFICER. Under the previous order, the question occurs 
on amendment No. 2587, as modified, offered by the Senator from 
Vermont, Mr. Leahy.
  The Democratic leader.
  Mr. REID. Madam President, I would ask that my remarks be under 
leader time.
  The PRESIDING OFFICER. Without objection, it is so ordered.


       Congratulating Senator Leahy on Casting His 15,000th Vote

  Mr. REID. Mr. President, today my friend and colleague Pat Leahy has 
reached another milestone in an extraordinary career. He just cast his 
15,000th vote. That is remarkable. He is only the sixth Senator in the 
history of this great body to have done that. In 226 years, he is one 
of 6.
  Today's momentous occasion should come as no surprise because his 
entire career in public service has been history in the making. He 
graduated from St. Michael's College, which is a Vermont institution. 
He graduated from Georgetown University Law Center.
  He was first appointed as the State's attorney when he was 26 years 
old. He was then reelected on two separate occasions. During that time, 
Pat Leahy was a nationally renowned prosecutor. In 1974--his last as a 
State's attorney--he was selected as one of the three most outstanding 
prosecutors in America.
  At age 34, Pat became the first Democrat in U.S. history to be 
elected to the Senate from Vermont. After he was elected, the 
Republican Senator he was to succeed, George Aiken, was asked by some 
to resign his seat a day early--which you could do in those days--to 
give Senator Leahy a head start in seniority among his fellow freshmen. 
Here is what Senator Aiken said: ``If Vermont is foolish enough to 
elect a Democrat, let him be number 100.''
  Senator Leahy's career has proven that the people of Vermont were 
wise in selecting him. From No. 100, Senator Leahy over time ascended 
to the rank of President pro tempore of the Senate. Senator Leahy has 
spent four decades in the Senate fighting for justice and equality. As 
the chairman of the Judiciary Committee, he became a national leader 
for an independent judiciary, the promotion of equal rights, and the 
protection of our Constitution.
  His main focus, though, has always been Vermont. He carries with him 
a picture of what he calls his farmhouse, which is on lots of acres. It 
looks like a picture you would use if you were trying to get somebody 
to come and stay at your place--it is just beautiful. It doesn't remind 
me of the desert, but it is beautiful.
  Over the years, he has done everything he can to protect the State's 
natural beauty, the resources, land and water, through conservation 
efforts. When people visit Vermont, they see these beautiful green 
vistas, pristine lakes and rivers, and picturesque farms. Senator Leahy 
has worked hard to keep Vermont that way.
  Senator Leahy has done everything in his power to promote agriculture 
in his home State. As former chair of the agriculture committee, I can 
remember what he has done to protect the dairy industry. It is legend 
what he has done to protect the dairy industry. We all remember holding 
up the Senate for periods of time until he got what he wanted for 
dairy. He wrote the Organic Foods Production Act of 1990, which helped 
foster Vermont and America's growing organic food industry. Today, 
organic foods are a $40 billion industry. Many of those organic farms 
and businesses are based in Vermont.
  After Tropical Storm Irene, I remember, graphically, his fighting for 
the State of Vermont. That storm devastated parts of Vermont. Roads 
were underwater for weeks. He helped secure $500 million in assistance 
for the people of Vermont to overcome a brutal natural disaster.
  I am fortunate to be able to serve with Pat Leahy here in the Senate. 
He is more than a colleague; he really is a dear friend, as is his wife 
of 52 years, Marcelle, whom Landra and I know well. We have helped each 
other through our times of joy and our times of travail. Senator Leahy 
and his wife Marcelle have three wonderful children and five 
grandchildren. Give Pat a minute alone and he will start telling you 
about them.

  Senator Leahy, congratulations on your 15,000th vote in the U.S. 
Senate.
  Mr. LEAHY. I thank my colleague.

[[Page S7506]]

  (Applause, Senators rising.)
  The PRESIDING OFFICER. The majority leader.
  Mr. McCONNELL. Madam President, as the Democratic leader has pointed 
out, this is indeed the 15,000th vote of the Senator from Vermont. That 
means he has taken the largest number of votes among all of us 
currently serving here in the Senate. It means he has taken the sixth 
largest number of votes in Senate history. It certainly means he has 
taken more votes than any other Senator from his State, and Vermont has 
been sending Senators here since the late 1700s.
  That is not the only thing that sets him apart from every other 
Vermonter to serve here in the Senate. He was the first Democrat 
elected to serve from Vermont. Unfortunately, that is a habit that has 
not continued. I think we can safely assume he is Vermont's first 
Batman fanboy to serve as well; the first Bat fan and probably the 
first Dead Head as well.
  There is no doubt that our colleague is the longest serving current 
Member of the Senate from any State. We are happy to recognize today 
his 15,000th vote.
  (Applause, Senators rising.)
  The PRESIDING OFFICER. The Senator from Iowa.
  Mr. GRASSLEY. May I have 1 minute to speak to that point?
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. GRASSLEY. Madam President, I wish to commemorate my friend and 
colleague for casting his 15,000th vote today in the Senate.
  Senator Leahy has been a stalwart Member of this body since joining 
the Senate at the age of 34 in 1975. Four decades later, Senator Leahy 
continues to serve his State and our Nation with great passion and 
conviction.
  Senator Leahy has been a good friend as we work together in leading 
the Senate Judiciary Committee.
  So, Senator Leahy, congratulations on this tremendous milestone. I 
hope we can cast many more votes together as we continue to work in a 
bipartisan way on the committee.
  I applaud the Senator from Vermont for his great commitment to 
service, and I wish him many more votes in the future.
  (Applause, Senators rising.)
  The PRESIDING OFFICER. The junior Senator from Vermont.
  Mr. SANDERS. Madam President, I rise to say a few words in 
congratulating Senator Leahy, not just for his 15,000th vote but on his 
many years of service serving the people of the State of Vermont. 
Vermont is very proud of all of the work Pat Leahy has done.
  As we all know, Senator Leahy has been a champion on agriculture 
issues, on protecting family farmers, especially in dairy and organics. 
He has been a champion in fighting for civil liberties in this country. 
He has been a champion on environmental issues, making sure the planet 
we leave our kids is a clean and healthy planet. He has been a champion 
on women's issues, and on so many other issues.
  Senator Leahy, on behalf of the people of Vermont, I want to thank 
you so much for your years of service.
  (Applause, Senators rising.)
  Mr. LEAHY. Madam President, I want to thank my dear friends, Senator 
Reid, Senator McConnell, Senator Sanders, and Senator Grassley for 
their comments, and I appreciate the opportunity to be able to serve 
with them. I thank the members of the Senate for this opportunity to 
make a very few observations about this personal milestone.
  You know, the Senate offers both great opportunities and 
responsibility for both Senators from Vermont and all who serve here. 
We have a chance, day after day, to make things better for Vermonters 
and for all Americans. We can strengthen our country and ensure its 
vitality into the future. We can forge solutions in the unending quest 
throughout this Nation's history to form a more perfect Union.
  I cast my first vote in this Chamber in 1975 on a resolution to 
establish the Church Committee. The critical issues of the post-
Watergate era parallel issues we face today--proof of the enduring fact 
that, while the votes we cast today address the issues we face now, 
problems will persist, threats will continue, and improvements to the 
democracy we all revere can always be made.
  I think back on the 15,000 votes I have cast on behalf of Vermonters. 
A lot of them come quickly to mind today--some specific to Vermont and 
some national and some global--writing and enacting the organic farm 
bill, the charter for what has become a thriving $30 billion industry; 
stronger regulations on mercury pollution and combating the effects of 
global warming; emergency relief for the devastation caused by Tropical 
Storm Irene; adopting price support programs for small dairy farmers; 
fighting for the privacy and civil liberties of all Americans; 
supporting the Reagan-O'Neill deal to save Social Security; nutrition 
bills to help Americans below the poverty line; bipartisan--strongly 
bipartisan--campaign reform in McCain-Feingold; the bipartisan Leahy-
Smith Act, on patent reform; reauthorizing and greatly expanding and 
strengthening the Violence Against Women Act; opposing the war in Iraq, 
a venture that cost so many lives and trillions of taxpayer dollars.
  The Senate at its best can be the conscience of the Nation. I have 
seen that when it happens, and I marvel in the fundamental soundness 
and wisdom of our system every time the Senate stands up and is the 
conscience of our Nation. But we cannot afford to put any part of the 
mechanism on automatic pilot. It takes constant work and vigilance to 
keep our system working as it should for the betterment of our society 
and the American people. And we can only do it if we work together.
  I am so grateful to my fellow Vermonters for the confidence they have 
shown in me. It is a measure of trust that urges me on. I will never 
betray it, and I will never take it for granted. Reflecting on the past 
15,000 votes reminds me about the significance every time we vote, why 
I feel energized about what votes lie ahead, and how we can keep making 
a difference.
  I thank my friends, the two leaders, for their remarks, my respected 
Senate colleague, Senator Sanders, my friend, Senator Grassley, with 
whom I've served a long time. I appreciate my friendship with them and 
have appreciated my friendship with other leaders, including Senators 
Mansfield, Byrd, Baker, Dole, Lott, and Daschle, and lifelong gratitude 
to my former colleague, Senator Stafford, a Republican, who took me 
under his wing and guided me. And I am privileged to serve now--I mean, 
our whole Vermont delegation is here: Senator Sanders, Congressman 
Welch, and myself. Not many other States could do that and fit all of 
them in this body. And lastly I remember what a thrill it was to tell 
my wife, Marcelle, when I cast my first vote. And now 40 years later, I 
can still tell her about the 15,000th vote, and she knows, she and our 
children and grandchildren are the most important people in my life.
  I do not want to further delay the Senate's work today, and I will 
reflect more on this milestone later. I thank you for your friendships 
that have meant more to me and my family than I can possibly say, and I 
look forward to continuing serving here. Thank you very, very much.
  (Applause, Senators rising.)
  Mr. DURBIN. Madam President, I want to add my voice to the well-
deserved chorus of congratulations for our colleague and friend from 
Vermont.
  Of the 1,963 men and women who have ever served in the U.S. Senate, 
only six have the distinction of casting 15,000 votes. And of those 
august six, only Patrick Leahy continues to serve in this body today. 
The only other members of the 15,000-vote league are Senators Robert C. 
Byrd, Strom Thurmond, Daniel Inouye, Ted Kennedy, and Ted Stevens.
  More important than the number of votes Senator Leahy has cast, 
however, is the wisdom and courage reflected in his votes.
  He was elected to the U.S. Senate in 1974--part of an historic group 
of new Senators known as the ``Watergate Babies.''
  He has voted time and again to uphold the values of our 
Constitution--even when it contained some political risk.
  His very first vote in this Senate was to authorize the Church 
Committee--the precursor to today's Senate Select Committee on 
Intelligence. The Church Committee was created to investigate possible 
illegalities by the CIA, the FBI, and the National Security Agency--and 
it resulted in major reforms.

[[Page S7507]]

  As you may know, Senator Leahy is a major Batman fan. In fact, he has 
made several cameo appearances in Batman movies.
  His affinity for the Caped Crusader makes sense. You see, Batman is 
one of the few superheroes with no superhuman powers. He is simply a 
man with unusual courage and determination to fight wrongdoing. That is 
Patrick Leahy, too.
  I have served on the Senate Judiciary Committee for more than 18 
years. During that time, Senator Leahy has been either our committee 
chairman or its ranking member.
  I have the greatest respect for his fidelity to the rule of law and 
his determined efforts to safeguard the independence and integrity of 
America's Federal courts.
  He is a champion of human rights at home and abroad.
  According to the nonpartisan website GovTrack, Senator Leahy has 
sponsored more bipartisan bills than any other current member of this 
Senate. Sixty-one percent of his bills have had both Democratic and 
Republican cosponsors. In this time of increasingly sharp partisanship, 
that is a record that we would all do well to emulate.
  I am particularly grateful to Senator Leahy for his strong support of 
a bipartisan bill that I am cosponsoring, along with a broad array of 
Senators, from Chairman Chuck Grassley to Senator Cory Booker. The 
Sentencing Reform and Corrections Act would make Federal sentencing 
laws smarter, fairer, more effective, and more fiscally responsible. It 
passed the Judiciary Committee last week by a vote of 15-5. Senator 
Leahy's leadership has been critical in building this broad support, 
and I look forward to the day--in the near future, I hope--when we can 
celebrate passage of this important measure.
  I learned recently that Senator Leahy dedicates all of his fees and 
royalties from his acting roles to charities. A favorite charity is the 
Kellogg-Hubbard library in Montpelier, VT, where he read comic books as 
a child. I hope that there are young boys and girls discovering in that 
library the same uncommon courage and love of justice that Patrick 
Leahy found there.
  America needs more heroes like Pat Leahy.


                    Amendment No. 2587, as Modified

  The PRESIDING OFFICER. Under the previous order, the question occurs 
on amendment No. 2587, as modified, offered by the Senator from 
Vermont, Mr. Leahy.
  Mr. McCONNELL. I ask for the yeas and nays.
  The PRESIDING OFFICER. Is there a sufficient second?
  There appears to be a sufficient second.
  The yeas and nays were ordered.
  There will now be 2 minutes equally divided.
  The Senator from California.
  Mrs. FEINSTEIN. Madam President, I rise regretfully to speak against 
the amendment directly following the important monument of 15,000 votes 
by one of the idols of my life, but so be it.
  As it might become very clear, Senator Burr and I, on a bill that 
came out of committee 14 to 1, have tried to keep a balance and have 
tried to prevent this kind of information sharing from being a threat 
to business so they won't participate. Therefore, the words that are 
used are all important as to whether they have a legal derivation. 
Senator Leahy's amendment would essentially decrease the amount of 
sharing by opening up the chance of public disclosure through the 
Freedom of Information Act of cyber threats shared under this bill.
  Now, we seek to share information about the nature of cyber effects 
and suggestions on how to defend networks. This information clearly 
should not be made available to hackers and cyber criminals who could 
use it for their own purposes. So Senator Burr and I worked closely 
with Senator Leahy and Senator Cornyn in putting together the managers' 
package to remove a FOIA exemption that they viewed as unnecessary and 
harmful. That has been removed in the managers' package.
  The PRESIDING OFFICER. The time of the Senator has expired.
  Mrs. FEINSTEIN. I thank the Chair.
  The PRESIDING OFFICER. The Senator from Vermont.
  Mr. LEAHY. Madam President, as much as I hate to disagree with my 
dear friend from California, I will on this amendment.
  I don't like to see unnecessary exemptions to the Freedom of 
Information Act.
  Today I offer an amendment to the Cybersecurity Information Sharing 
Act that would remove from the bill an overly broad and wholly 
unnecessary new FOIA exemption. That new exemption to our Nation's 
premier transparency law was added without public debate and in a 
closed session by the Senate Intelligence Committee. Any amendments to 
the Freedom of Information Act should be considered openly and publicly 
by the Senate Judiciary Committee, which has exclusive jurisdiction 
over FOIA--not in secret by the Senate Intelligence Committee.
  I expect that much of the information to be shared with the 
government under CISA would be protected from disclosure to the general 
public. A thorough committee process, including consideration by the 
Senate Judiciary Committee, would have made clear that the vast 
majority of sensitive information to be shared under this bill is 
already protected from disclosure under existing FOIA exemptions. This 
includes exemption (b)(4), which protects confidential business and 
financial information; exemption (b)(6) which protects personal 
privacy; and exemption (b)(7), which protects information related to 
law enforcement investigations.
  In case there is any doubt that this information would be exempt from 
disclosure, the underlying bill already makes clear that information 
provided to the Federal Government ``shall be considered the 
commercial, financial, and proprietary information'' of the entity 
submitting the information. Commercial and financial information is 
exempt from disclosure under FOIA pursuant to exemption (b)(4), and 
additional protections are unnecessary. The comprehensive exemptions 
already in law have been carefully crafted to protect the most 
sensitive information from disclosure while prohibiting the Federal 
Government from withholding information the public is entitled to. 
Creating unnecessary exemptions will call into question the existing 
FOIA framework and threaten its twin goals of promoting government 
transparency and accountability.
  The new FOIA exemption in the cyber bill also includes a preemption 
clause that is overly broad and sets a terrible precedent. As drafted, 
it applies not only to FOIA, but to all State, local, or tribal 
disclosure laws. By its very terms, this provision applies not just to 
transparency and sunshine laws, but to any law ``requiring disclosure 
of information or records.'' Because this broad preemption of State and 
local law has not received careful, open consideration, there has not 
been adequate consultation with State and local governments to consider 
the potential impacts. Such a sweeping approach could impact hundreds 
of State and local laws and lead to unintended consequences.
  Amending our Nation's premier transparency law and preempting State 
and local law deserves more public debate and consideration. If we do 
not oppose this new FOIA exemption, then I expect more antitransparency 
language will be slipped into other bills without the consideration of 
the Judiciary Committee. Just a few months ago, I was here on the 
Senate floor fighting against new FOIA exemptions that had been tucked 
into the surface transportation bill, and I have no doubt I will be 
down here again in the future fighting similar fights. But an open and 
transparent government is worth fighting for. I believe in transparency 
in our Federal Government, and I believe that FOIA is the backbone to 
ensuring an open and accountable government. I urge all Members to join 
me in this effort and vote for the Leahy amendment.
  The PRESIDING OFFICER. The time of the Senator has expired.
  Mr. LEAHY. I thank the Chair.
  The PRESIDING OFFICER. The question is on agreeing to amendment No. 
2587, as modified.
  The yeas and nays have been ordered.
  The clerk will call the roll.
  The senior assistant legislative clerk called the roll.
  Mr. CORNYN. The following Senators are necessarily absent: the 
Senator from Texas (Mr. Cruz), the Senator from Kentucky (Mr. Paul), 
the Senator from Florida (Mr. Rubio), and the Senator from Louisiana 
(Mr. Vitter).

[[Page S7508]]

  The PRESIDING OFFICER. Are there any other Senators in the Chamber 
desiring to vote?
  The result was announced--yeas 37, nays 59, as follows:

                      [Rollcall Vote No. 287 Leg.]

                                YEAS--37

     Baldwin
     Bennet
     Blumenthal
     Booker
     Boxer
     Brown
     Cantwell
     Cardin
     Casey
     Coons
     Daines
     Durbin
     Franken
     Gillibrand
     Heinrich
     Heller
     Hirono
     Klobuchar
     Leahy
     Lee
     Markey
     Menendez
     Merkley
     Murray
     Peters
     Reed
     Reid
     Sanders
     Schatz
     Schumer
     Shaheen
     Stabenow
     Sullivan
     Tester
     Udall
     Warren
     Wyden

                                NAYS--59

     Alexander
     Ayotte
     Barrasso
     Blunt
     Boozman
     Burr
     Capito
     Carper
     Cassidy
     Coats
     Cochran
     Collins
     Corker
     Cornyn
     Cotton
     Crapo
     Donnelly
     Enzi
     Ernst
     Feinstein
     Fischer
     Flake
     Gardner
     Graham
     Grassley
     Hatch
     Heitkamp
     Hoeven
     Inhofe
     Isakson
     Johnson
     Kaine
     King
     Kirk
     Lankford
     Manchin
     McCain
     McCaskill
     McConnell
     Mikulski
     Moran
     Murkowski
     Murphy
     Nelson
     Perdue
     Portman
     Risch
     Roberts
     Rounds
     Sasse
     Scott
     Sessions
     Shelby
     Thune
     Tillis
     Toomey
     Warner
     Whitehouse
     Wicker

                             NOT VOTING--4

     Cruz
     Paul
     Rubio
     Vitter
  The amendment (No. 2587), as modified, was rejected.


 =========================== NOTE =========================== 

  
  On page S7508, October 27, 2015, in the first column, the 
following language appears: The amendment (No. 2582), as modified, 
was rejected.
  
  The online Record has been corrected to read: The amendment (No. 
2587), as modified, was rejected.


 ========================= END NOTE ========================= 



                           Amendment No. 2582

  The PRESIDING OFFICER. Under the previous order, the question occurs 
on amendment No. 2582, offered by the Senator from Arizona, Mr. Flake.
  The Senator from North Carolina.


    Amendment Nos. 2582, as Modified, and 2552, as Further Modified

  Mr. BURR. Madam President, I ask unanimous consent that the Flake 
amendment No. 2582 and the Coons amendment No. 2552 be modified with 
the changes at the desk.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The amendments (No. 2582), as modified, and (No. 2552), as further 
modified, are as follows:


 =========================== NOTE =========================== 

  
  On page S7508, October 27, 2015, in the first column, the 
following language appears: The amendments (No. 2582), as 
modified, and (2552), as further modified, are as follows:
  
  The online Record has been corrected to read: The amendments 
(No. 2582), as modified, and (No. 2552), as further modified, are 
as follows:


 ========================= END NOTE ========================= 



                    AMENDMENT NO. 2582, as Modified

       At the end, add the following:

     SEC. 11. EFFECTIVE PERIOD.

       (a) In General.--Except as provided in subsection (b), this 
     Act and the amendments made by this Act shall be in effect 
     during the 10-year period beginning on the date of the 
     enactment of this Act.
       (b) Exception.--With respect to any action authorized by 
     this Act or information obtained pursuant to an action 
     authorized by this Act, which occurred before the date on 
     which the provisions referred to in subsection (a) cease to 
     have effect, the provisions of this Act shall continue in 
     effect.


                Amendment No. 2552, as further modified

       Beginning on page 23, strike line 3 and all that follows 
     through page 33, line 10 and insert the following:
       (3) Requirements concerning policies and procedures.--
     Consistent with the guidelines required by subsection (b), 
     the policies and procedures developed and promulgated under 
     this subsection shall--
       (A) ensure that cyber threat indicators shared with the 
     Federal Government by any entity pursuant to section 104(c) 
     through the real-time process described in subsection (c) of 
     this section--
       (i) are shared in an automated manner with all of the 
     appropriate Federal entities;
       (ii) are not subject to any unnecessary delay, 
     interference, or any other action that could impede receipt 
     by all of the appropriate Federal entities; and
       (iii) may be provided to other Federal entities;
       (B) ensure that cyber threat indicators shared with the 
     Federal Government by any entity pursuant to section 104 in a 
     manner other than the real time process described in 
     subsection (c) of this section--
       (i) are shared as quickly as operationally practicable with 
     all of the appropriate Federal entities;
       (ii) are not subject to any unnecessary delay, 
     interference, or any other action that could impede receipt 
     by all of the appropriate Federal entities; and
       (iii) may be provided to other Federal entities;
       (C) consistent with this title, any other applicable 
     provisions of law, and the fair information practice 
     principles set forth in appendix A of the document entitled 
     ``National Strategy for Trusted Identities in Cyberspace'' 
     and published by the President in April 2011, govern the 
     retention, use, and dissemination by the Federal Government 
     of cyber threat indicators shared with the Federal Government 
     under this title, including the extent, if any, to which such 
     cyber threat indicators may be used by the Federal 
     Government; and
       (D) ensure there are--
       (i) audit capabilities; and
       (ii) appropriate sanctions in place for officers, 
     employees, or agents of a Federal entity who knowingly and 
     willfully conduct activities under this title in an 
     unauthorized manner.
       (4) Guidelines for entities sharing cyber threat indicators 
     with federal government.--
       (A) In general.--Not later than 60 days after the date of 
     the enactment of this Act, the Attorney General and the 
     Secretary of Homeland Security shall develop and make 
     publicly available guidance to assist entities and promote 
     sharing of cyber threat indicators with Federal entities 
     under this title.
       (B) Contents.--The guidelines developed and made publicly 
     available under subparagraph (A) shall include guidance on 
     the following:
       (i) Identification of types of information that would 
     qualify as a cyber threat indicator under this title that 
     would be unlikely to include personal information or 
     information that identifies a specific person not directly 
     related to a cyber security threat.
       (ii) Identification of types of information protected under 
     otherwise applicable privacy laws that are unlikely to be 
     directly related to a cybersecurity threat.
       (iii) Such other matters as the Attorney General and the 
     Secretary of Homeland Security consider appropriate for 
     entities sharing cyber threat indicators with Federal 
     entities under this title.
       (b) Privacy and Civil Liberties.--
       (1) Guidelines of attorney general.--Not later than 60 days 
     after the date of the enactment of this Act, the Attorney 
     General shall, in coordination with heads of the appropriate 
     Federal entities and in consultation with officers designated 
     under section 1062 of the National Security Intelligence 
     Reform Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to 
     Congress, and make available to the public interim guidelines 
     relating to privacy and civil liberties which shall govern 
     the receipt, retention, use, and dissemination of cyber 
     threat indicators by a Federal entity obtained in connection 
     with activities authorized in this title.
       (2) Final guidelines.--
       (A) In general.--Not later than 180 days after the date of 
     the enactment of this Act, the Attorney General shall, in 
     coordination with heads of the appropriate Federal entities 
     and in consultation with officers designated under section 
     1062 of the National Security Intelligence Reform Act of 2004 
     (42 U.S.C. 2000ee-1) and such private entities with industry 
     expertise as the Attorney General considers relevant, 
     promulgate final guidelines relating to privacy and civil 
     liberties which shall govern the receipt, retention, use, and 
     dissemination of cyber threat indicators by a Federal entity 
     obtained in connection with activities authorized in this 
     title.
       (B) Periodic review.--The Attorney General shall, in 
     coordination with heads of the appropriate Federal entities 
     and in consultation with officers and private entities 
     described in subparagraph (A), periodically, but not less 
     frequently than once every two years, review the guidelines 
     promulgated under subparagraph (A).
       (3) Content.--The guidelines required by paragraphs (1) and 
     (2) shall, consistent with the need to protect information 
     systems from cybersecurity threats and mitigate cybersecurity 
     threats--
       (A) limit the effect on privacy and civil liberties of 
     activities by the Federal Government under this title;
       (B) limit the receipt, retention, use, and dissemination of 
     cyber threat indicators containing personal information or 
     information that identifies specific persons, including by 
     establishing--
       (i) a process for the timely destruction of such 
     information that is known not to be directly related to uses 
     authorized under this title; and
       (ii) specific limitations on the length of any period in 
     which a cyber threat indicator may be retained;
       (C) include requirements to safeguard cyber threat 
     indicators containing personal information or information 
     that identifies specific persons from unauthorized access or 
     acquisition, including appropriate sanctions for activities 
     by officers, employees, or agents of the Federal Government 
     in contravention of such guidelines;
       (D) include procedures for notifying entities and Federal 
     entities if information received pursuant to this section is 
     known or determined by a Federal entity receiving such 
     information not to constitute a cyber threat indicator;
       (E) protect the confidentiality of cyber threat indicators 
     containing personal information or information that 
     identifies specific persons to the greatest extent 
     practicable and require recipients to be informed that such 
     indicators may only be used for purposes authorized under 
     this title; and
       (F) include steps that may be needed so that dissemination 
     of cyber threat indicators is consistent with the protection 
     of classified and other sensitive national security 
     information.
       (c) Capability and Process Within the Department of 
     Homeland Security.--
       (1) In general.--Not later than 90 days after the date of 
     the enactment of this Act, the Secretary of Homeland 
     Security, in coordination with the heads of the appropriate 
     Federal entities, shall develop and implement a capability 
     and process within the Department of Homeland Security that--

[[Page S7509]]

       (A) shall accept from any entity in real time cyber threat 
     indicators and defensive measures, pursuant to this section;
       (B) shall, upon submittal of the certification under 
     paragraph (2) that such capability and process fully and 
     effectively operates as described in such paragraph, be the 
     process by which the Federal Government receives cyber threat 
     indicators and defensive measures under this title that are 
     shared by a private entity with the Federal Government 
     through electronic mail or media, an interactive form on an 
     Internet website, or a real time, automated process between 
     information systems except--
       (i) consistent with section 104, communications between a 
     Federal entity and a private entity regarding a previously 
     shared cyber threat indicator to describe the relevant 
     cybersecurity threat or develop a defensive measure based on 
     such cyber threat indicator; and
       (ii) communications by a regulated entity with such 
     entity's Federal regulatory authority regarding a 
     cybersecurity threat;
       (C) shall require the Department of Homeland Security to 
     develop and implement measures to remove, through the most 
     efficient means practicable, any personal information of or 
     identifying a specific person not necessary to identify or 
     describe the cybersecurity threat before sharing a cyber 
     threat indicator or defensive measure with appropriate 
     Federal entities;
       (D) ensures that all of the appropriate Federal entities 
     receive in an automated manner such cyber threat indicators 
     as quickly as operationally possible from the Department of 
     Homeland Security;
       (E) is in compliance with the policies, procedures, and 
     guidelines required by this section; and
       (F) does not limit or prohibit otherwise lawful disclosures 
     of communications, records, or other information, including--
       (i) reporting of known or suspected criminal activity, by 
     an entity to any other entity or a Federal entity;
       (ii) voluntary or legally compelled participation in a 
     Federal investigation; and
       (iii) providing cyber threat indicators or defensive 
     measures as part of a statutory or authorized contractual 
     requirement.
       (2) Certification.--Not later than 10 days prior to the 
     implementation of the capability and process required by 
     paragraph (1), the Secretary of Homeland Security shall, in 
     consultation with the heads of the appropriate Federal 
     entities, certify to Congress whether such capability and 
     process fully and effectively operates--
       (A) as the process by which the Federal Government receives 
     from any entity a cyber threat indicator or defensive measure 
     under this title; and
       (B) in accordance with the policies, procedures, and 
     guidelines developed under this section.
       (3) Public notice and access.--The Secretary of Homeland 
     Security shall ensure there is public notice of, and access 
     to, the capability and process developed and implemented 
     under paragraph (1) so that--
       (A) any entity may share cyber threat indicators and 
     defensive measures through such process with the Federal 
     Government; and
       (B) all of the appropriate Federal entities receive such 
     cyber threat indicators and defensive measures as quickly as 
     operationally practicable with receipt through the process 
     within the Department of Homeland Security.
       (4) Effective date of certain provision.--The requirement 
     described in paragraph (1)(C) shall take effect upon the 
     earlier of--
       (A) the date on which the Secretary of Homeland Security 
     determines that the Department of Homeland Security has 
     developed the measures described in paragraph (1)(C); or
       (B) the date that is 12 months after the date of enactment 
     of this Act.


                    Amendment No. 2582, as Modified

  Mr. FLAKE. Madam President, I thank the chair of the subcommittee and 
the vice chair, ranking member, for working on this. This was initially 
a 6-year sunset. This has been moved under the amendment to a 10-year 
sunset. I believe it is important, when we deal with information that 
is sensitive, to have a look back after a number of years to see if we 
have struck the right balance.
  We have done that on other sensitive programs like this. I think it 
ought to be done here. I appreciate the work that Senators Burr and 
Feinstein and my colleagues have put into this.
  I urge support.
  The PRESIDING OFFICER. The Senator from North Carolina.
  Mr. BURR. Madam President, I thank my colleagues. We have agreed on 
this. We can hopefully do this by voice vote.
  The PRESIDING OFFICER. If there is no further debate, the question is 
on agreeing to the amendment, as modified.
  The amendment (No. 2582), as modified, was agreed to.


                Amendment No. 2612, as Further Modified

  The PRESIDING OFFICER. Under the previous order, the question occurs 
on amendment No. 2612, as further modified, offered by the Senator from 
Minnesota, Mr. Franken.
  The Senator from Minnesota.
  Mr. FRANKEN. Madam President, the Franken, Leahy, Durbin, and Wyden 
amendment addresses concerns raised by privacy advocates, tech 
companies, and security experts, including the Department of Homeland 
Security.
  The amendment tightens definitions of the terms ``cyber security 
threat'' and ``cyber threat indicator,'' which are currently too broad 
and too vague, and would encourage the sharing of extraneous 
information--unhelpful information.
  Overbreadth is not just a privacy problem; as DHS has noted, it is 
bad for cyber security if too much of the wrong kind of information 
floods into agencies.
  My amendment redefines ``cyber security threat'' as an action that is 
at least reasonably likely to try to adversely impact an information 
system. It is a standard that tells companies what is expected of them 
and assures consumers that CISA imposes appropriate limits.
  The PRESIDING OFFICER. The Senator's time has expired.
  Mr. FRANKEN. Madam President, I ask unanimous consent for 20 more 
seconds.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. FRANKEN. The amendment also tightens the definition of ``cyber 
threat indicator'' to avoid the sharing of unnecessary information. The 
amendment is intentionally modest. It makes only changes that are most 
needed for the sake of both privacy and security.
  I urge my colleagues to support this amendment.
  The PRESIDING OFFICER. The Senator from North Carolina.
  Mr. BURR. Madam President, let me say to my colleagues, again, we are 
trying to change the words that have been very delicately chosen to 
provide the certainty that companies understand and need for them to 
make a decision to share.
  Like some other amendments, if you don't want them to share, then 
provide uncertainty. That is in language changing from ``may'' to 
``reasonably likely,'' changing from ``actual'' or ``potential'' to 
``harm caused by an incident.'' The Department of Homeland Security is 
for this bill. The White House is for this bill. Fifty-two 
organizations representing thousands of companies in America are for 
this bill. We have reached the right balance. Let's defeat this 
amendment and let's move to this afternoon's amendments.
  I yield the floor.
  The PRESIDING OFFICER. The question is on agreeing to the amendment, 
as further modified.
  Mr. TILLIS. I ask for the yeas and nays.
  The PRESIDING OFFICER. Is there a sufficient second?
  There appears to be a sufficient second.
  The clerk will call the roll.
  The bill clerk called the roll.
  Mr. CORNYN. The following Senators are necessarily absent: the 
Senator from Texas (Mr. Cruz), the Senator from South Carolina (Mr. 
Graham), the Senator from Kentucky (Mr. Paul), the Senator from Florida 
(Mr. Rubio), and the Senator from Louisiana (Mr. Vitter).
  The PRESIDING OFFICER. Are there any other Senators in the Chamber 
desiring to vote?
  The result was announced--yeas 35, nays 60, as follows:

                      [Rollcall Vote No. 288 Leg.]

                                YEAS--35

     Baldwin
     Bennet
     Blumenthal
     Booker
     Boxer
     Brown
     Cantwell
     Cardin
     Coons
     Daines
     Durbin
     Franken
     Gillibrand
     Heinrich
     Heller
     Hirono
     Klobuchar
     Lankford
     Leahy
     Lee
     Markey
     Menendez
     Merkley
     Murray
     Peters
     Reid
     Sanders
     Schatz
     Schumer
     Shaheen
     Stabenow
     Tester
     Udall
     Warren
     Wyden

                                NAYS--60

     Alexander
     Ayotte
     Barrasso
     Blunt
     Boozman
     Burr
     Capito
     Carper
     Casey
     Cassidy
     Coats
     Cochran
     Collins
     Corker
     Cornyn
     Cotton
     Crapo
     Donnelly
     Enzi
     Ernst
     Feinstein
     Fischer
     Flake
     Gardner
     Grassley
     Hatch
     Heitkamp
     Hoeven
     Inhofe
     Isakson
     Johnson
     Kaine
     King
     Kirk
     Manchin
     McCain

[[Page S7510]]


     McCaskill
     McConnell
     Mikulski
     Moran
     Murkowski
     Murphy
     Nelson
     Perdue
     Portman
     Reed
     Risch
     Roberts
     Rounds
     Sasse
     Scott
     Sessions
     Shelby
     Sullivan
     Thune
     Tillis
     Toomey
     Warner
     Whitehouse
     Wicker

                             NOT VOTING--5

     Cruz
     Graham
     Paul
     Rubio
     Vitter
  The amendment (No. 2612), as further modified, was rejected.
  The PRESIDING OFFICER. The Senator from Missouri.
  Mr. BLUNT. Madam President, I ask unanimous consent to address the 
floor for up to 15 minutes.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. BLUNT. Madam President, last week I came to the floor to express 
my support for the Cybersecurity Information Sharing Act, which we are 
dealing with today. The bipartisan vote of 83 to 14 that happened later 
that day was an important step in the right direction to deal with this 
issue. The debate has been encouraging. We need to deal with this 
threat to our economy. It is a threat to our security, it is a threat 
to our privacy, and we need to deal with it now.
  As I and others have said before, if we wait until there is an event 
that gets people's attention in such a dramatic way that everybody 
suddenly realizes what is at stake, there is no telling what kind of 
overreaction Congress will make. This has been a good debate at the 
time we should have it. Now, of course, we need to move on.
  There have been a lot of amendments offered. Many amendments have 
been accepted by the managers of the bill. With almost all certainty, 
today we will finish the remaining amendments pending on the bill and 
hopefully finish the bill itself. A lot of these amendments have been 
very well-intentioned--in fact, I suspect they all have been well-
intentioned--but in many cases they fundamentally undermine the core 
purpose of the bill, which is to have voluntary real-time sharing of 
cyber threats, to allow that sharing to be between private entities and 
the Federal Government, and even for private entities to be able to 
share with each other.
  This is a bill that creates the liability protections and the anti-
trust protections which that particular kind of sharing would allow. Of 
course, throughout this whole debate, there has been much discussion 
about how we protect our liberty in an information age. How do we have 
both security and liberty?
  Having served for a number of years on both the House Intelligence 
Committee and the Senate Intelligence Committee, having served on the 
Armed Services Committee in the last Congress and in this Congress on 
the Defense Appropriations Committee, there is no argument in any of 
those committees that one of our great vulnerabilities is cyber 
security and how we protect ourselves.
  We saw in the last few days that the head of the CIA had his own 
personal account hacked into apparently by a teenager who is in the 
process of sharing that information. If the head of the CIA and the 
head of Homeland Security do not know how to protect their own personal 
information, obviously information much more valuable than they might 
personally share is also in jeopardy.
  We do need to ensure that we protect people's personal liberties. We 
need to do that in a way that defends the country. Both of those are 
primarily responsibilities that we accept when we take these jobs, and 
it is certainly our responsibility to the Constitution itself.
  I think Chairman Burr and Vice Chairman Feinstein have done a good 
job of bringing that balance together. This bill is carefully crafted 
in a way that creates a number of different layers of efforts to try to 
do both of those things.
  First, the bill only encourages sharing; it doesn't require it. It 
doesn't require anybody to share anything they don't want to share, but 
it encourages the sharing of cyber threats. It works on the techniques 
and the malware used by hackers. It specifically does not authorize the 
sharing of personal information, and in fact the bill explicitly 
directs the Federal Government to develop and make available to the 
public guidelines to protect privacy and civil liberties in the course 
of sharing the information.
  The Attorney General is required to review these guidelines on a 
regular basis. The bill mandates reports on the implementation and any 
privacy impacts by inspectors general and by the Privacy and Civil 
Liberties Oversight Board, to ensure that these threats to privacy are 
constantly looked at.
  Senator Flake's amendment, which we accepted as part of the bill just 
a few minutes ago, guarantees that this issue has to be revisited.
  I gave a speech at Westminster College in Fulton, MO, about a month 
ago at the beginning of the 70th year of the anniversary of Winston 
Churchill giving the ``Iron Curtain'' speech on that campus and talking 
about liberty versus security there. I said I thought one of the things 
we should always do is have a time that forced us as a Congress to 
revisit any of the laws we have looked at in recent years to be sure we 
protect ourselves and protect our liberty at the same time. This is a 
voluntary bill. Maybe that wouldn't have been quite as absolutely 
necessary here, but I was pleased to see that requirement again added 
to this bill, as it has been to other bills like this.
  This is a responsible bill. The people the Presiding Officer and I 
work for can feel good about the responsible balance it has. It defends 
our security, but it also protects our liberty. I look forward to its 
final passage today. The debate would lead me to believe, and the votes 
would lead me to believe, that is going to happen, but of course we 
need to continue to work now to put a bill on the President's desk that 
does that.
  There still remain things to be done. One of the things I have worked 
on for the last 3 years--Senator Carper and I have worked together, 
Senator Warner has been very engaged in this discussion, as has 
Chairman Thune--is the protection of sensitive personal information as 
well as how do we protect the systems themselves.
  Clearly this information sharing will help in that fight. There is no 
doubt about that. In addition to supporting this bill, I want to 
continue to work with my colleagues to see that we have a way to notify 
people in a consistent way when their information has been stolen.
  There are at least a dozen different State laws that address how you 
secure personal information, and there are 47 different State laws that 
address how you tell people if their information has been stolen. That 
is too much to comply with. We need to find one standard. This 
patchwork of laws is a nightmare for everybody trying to comply and 
frankly a nightmare for citizens who get all kinds of different notices 
in all kinds of different ways.
  Without a consistent national standard pertaining to securing 
information, without a consistent national standard pertaining to what 
happens when you have a data breach and your information is wrongly 
taken by someone else, we have only done part of this job. So I want us 
to continue to work to find the solutions there. We need to find a way 
to establish that standard for both data security and data breach. I am 
going to continue to work with the Presiding Officer and my other 
colleagues. Our other committee, the commerce committee, is a critical 
place to have that happen. I wish we could have done this on this bill. 
We didn't get it done on this bill, but I would say that now the first 
step to do what we need to do is dealing with the problem of cyber 
security in the way this bill does and then finish the job at some 
later time.

  So I look forward to seeing this bill passed today. I am certainly 
urging my colleagues to vote for it. I think it has the protections the 
people we work for would want to see, and I am grateful to my 
colleagues for giving me a few moments here to speak.
  I yield the floor.

                          ____________________