[Congressional Record (Bound Edition), Volume 158 (2012), Part 11]
[Senate]
[Pages 15194-15203]
[From the U.S. Government Publishing Office, www.gpo.gov]




                       CYBERSECURITY ACT OF 2012

  The PRESIDING OFFICER. Under the previous order, the motion to 
proceed to the motion to reconsider the vote by which cloture was not 
invoked on S. 3414, the Cybersecurity Act of 2012, is agreed to, the 
motion to reconsider is agreed to, and there is up to 60 minutes of 
debate equally divided between the two leaders or their designees.
  The Senator from Connecticut is recognized.
  Mr. LIEBERMAN. Madam President, I want to begin by thanking the 
majority leader, Senator Reid, for being as steadfast as he has been in 
pursuit of a law that will protect America from what I think most 
security experts would say today, surprisingly, is the most serious 
threat to our security and to our economy, which is from cyber attack 
and cyber theft.
  The majority leader, with the authority he has over our schedule, has 
now pulled up the Cybersecurity Act of 2012, S. 3414, for 
reconsideration; that is to say, to reconsider the cloture vote that 
was held in August and failed to get 60 votes, much to my 
disappointment. I am very grateful that Senator Reid now gives the 
Senate a second chance to do something to protect the American people 
from cyber attack and cyber theft.
  If you look at what has happened since the cloture vote on the 
Cybersecurity Act failed back in August, I think you will see how 
urgently we need to seize this opportunity to at least vote to proceed 
to the Cybersecurity Act. Senator Reid has made clear that he would 
allow a finite number of amendments--finite because, after all, we are 
in a postelection so-called lameduck session. The amendments can't go 
on forever. But a finite list would allow there to be a discussion and 
vote on the major concerns people still seem to have with the 
compromised bipartisan Cybersecurity Act of 2012.
  I appeal to my colleagues: Don't be recorded as no. Say yes to at 
least allowing a discussion of cybersecurity legislation here, offer 
some amendments, and then, of course, understand that we are not a 
unicameral legislature, to say the obvious. If--as I hope--we can pass 
cyber security legislation here, it has to go to conference with the 
House that I would say has--describing it diplomatically--a different 
position than as reflected in the Cybersecurity Act of 2012 that 
emerged in part from the Homeland Security Committee; which is why I 
have the honor of managing this debate, brought out with the strong 
support from my ranking member and dear friend Senator Collins of 
Maine, and then working together with Senator Feinstein, the chair of 
the Senate Intelligence Committee, Senator Rockefeller, the chair of 
the Commerce Committee, and Senator Carper, who has had a real interest 
in cyber security and is a leader on the Homeland Security Committee. 
We bring this legislation forward.
  We are being given a second chance to raise our defenses against 
rival nations, enemy nations, industrial spies, cyber terrorists, 
organized anti-American nonstate actors, and international organized 
criminal gangs who are constantly probing our computer networks for 
weaknesses that they can exploit to steal industrial secrets, to take 
some of the best results of American innovation and entrepreneurship 
overseas and, with it, the jobs that come with those secrets. And, of 
course, to sabotage critical infrastructure--powerplants, financial 
systems, telecommunications systems, water systems, and so on and so 
on--which are the systems that we depend on in our society for our 
quality of life, for our freedom of expression, so many of them owned 
by the private sector and managed and controlled now, operated, by 
cyber systems over the Internet and, therefore, subject to cyber 
attacks.
  That is what this bill is about, creating standards for 
public-private cooperation to raise our defenses against cyber attack and 
cyber theft. Everybody you talk to in the public or private sector says 
today that we are vulnerable to attack. This bill only relates to the 
most critical cyber infrastructure whose compromise, whose attack, 
whose disabling would result in mass casualties, catastrophic economic 
loss, and assaults on our national security.
  So let me come back to what I said. The best arguments for this bill 
and for voting on the motion to proceed and going to the bill are not 
the arguments, frankly, that I will make on behalf of the bill but the 
facts that have occurred and the limited amount of time since August 
when this initial vote to proceed to the Cybersecurity Act occurred.
  On August 15, just 2 weeks after the last cloture vote, a computer 
virus called Shamoon erased the hard drives of 30,000 computers owned 
and operated by Saudi Aramco, one of the world's largest energy 
companies. What happened as a result of the erasing of those hard 
drives, the data files were replaced with images of burning American 
flags. It is pretty clear who carried out this attack. The computers 
were rendered useless and had to be replaced and restored. Some cyber 
experts that I trust say this was the most destructive cyber attack 
against a private company in history. A similar attack was carried out 
on the Qatari natural gas company called RasGas. Remember the burning 
American flags? Iran is suspected as the attacker in both instances.
  Thanks to quick work, really extraordinary work by Aramco and many of 
the world's leading cyber security technologists and experts, the 
damage to Saudi Aramco was contained. But this attack could have thrown 
global oil markets into chaos and a lot of economies--including ours--
into greater stress than we are already in if orders couldn't be filled 
or shipments made.
  That was August, 2 weeks after the last cloture vote on the cyber 
security bill. Then in September, the consumer Web banking sites of 
some great American financial institutions--Bank of America, JPMorgan 
Chase, Wells Fargo, PNC Bank, and some others--came under the largest 
sustained denial of service attack in history. As I am sure most of my 
colleagues know, this is when the Web sites are essentially overloaded, 
they are flooded, to make it impossible for them to stay up and provide 
the service they normally do. These attacks went on in different waves 
for weeks, knocking many of these sites that are very important to 
commercial life in our country offline or slowing them to a crawl. Just 
take a look at how much commerce is now conducted over the Internet and 
I think you can see the potential catastrophe here. These kinds of 
attacks really could bring our banking system and the economy to its 
knees. Again, some intelligence officials that I respect suspect that 
Iran or its agents launched these attacks against the American banks.
  Defense Secretary Panetta warned in a recent speech that these and 
other cyber attacks show that we are approaching a cyber Pearl Harbor 
where:

       An aggressor nation or extremist group could use these 
     kinds of cybertools to gain control of critical switches 
     . . . [and] derail passenger trains, or even more dangerous, 
     trains loaded with lethal chemicals.
       They could contaminate the water supply in major cities, or 
     shut down the power grid across large parts of the country.

  That is not science fiction. That is not an alarmist. That is the 
Secretary of Defense of the United States, Leon Panetta, issuing a 
warning based on what anybody who works in this field knows is reality.
  In recent weeks, we have watched one section of our country--in this 
case the Northeast, including my own State of Connecticut--hit by 
Hurricane Sandy and then a follow-on northeaster storm, losing power. 
Some parts of New York and certainly New Jersey were hit harder than 
Connecticut, but we were hit pretty hard ourselves. Some still are 
without power, and this is the third week since the hurricane. This is 
exactly the kind of dislocation and suffering that would occur if an 
enemy cyber attacked America's electric power system. It is why we need 
to at least vote to take this bill up now with a sense of urgency in 
this session. Time is not on our side.
  The elections are over. The American people through their votes have 
told us in a clear and certain voice that they want us to work together 
to solve the many challenges our Nation confronts. I know we are 
focused on avoiding going over the fiscal cliff and the challenge to 
Congress is, Can we solve our fiscal problems? Can we come to a 
bipartisan compromise before we go over the cliff?
  In this case of cyber security and cyber vulnerability, the challenge 
before us is, Can we come to a bipartisan agreement compromise--and we 
think we have in the bill before us--and create and improve our 
defenses before a catastrophic cyber attack occurs, as it surely will, 
and then we come rushing back to raise our defenses, as we did after 
9/11, after we have suffered an attack?
  Mr. WHITEHOUSE. Mr. President, will the Senator yield for a question?
  Mr. LIEBERMAN. I will.
  Mr. WHITEHOUSE. I want to ask the distinguished chairman, who 
referenced the important word, ``compromise,'' if he has spoken about 
the extent to which this bill reflects not only the original bipartisan 
compromise between himself and his ranking member, Senator Susan 
Collins of Maine, but then a second compromise done to reach further to 
our Republican colleagues that is actually already embedded in this 
bill. I think it is important for the people who are watching and 
listening to us to recognize that not only was this an original 
bipartisan bill that was the product of bipartisan compromise and 
discussion, but then a further unilateral step was taken by the 
distinguished chairman to move even more toward Republican colleagues. 
So it is not only a compromise but double compromise that is on the 
Senate floor right now.
  Mr. LIEBERMAN. I thank my friend from Rhode Island. I thank my friend 
for his interest in the area of cyber security and for his leadership. 
I have not talked about that yet--and I will right now--which is to 
say, following the advice of most of the experts of both political 
administrations and experts outside, one of the centerpieces of our 
original bill was to create a public-private process--government and 
people who live in these sectors of our economy--to draft best 
practices, not to have them imposed by the Government, and then to make 
it mandatory within a set period of time, and that these practices, 
these standards, would be general principles, not all do's and don'ts, 
to leave room for the private sector to come up with the best way they 
thought they could meet those standards.
  Opponents, particularly the business community, and some of our 
friends on the other side, have said to us that they fear that would be 
more regulation of business. Senator Collins, my ranking member and 
dear friend, is a leading advocate of regulation reform and lighter 
regulation on business. But she said over and over with such 
credibility and force: This is not regulation of business; this is 
protection of our homeland security, of our economy. You reform 
regulation when the regulations seem to be too much and get in the way 
of economic growth. We have a threat that is today stealing billions of 
dollars of American innovation, taking jobs elsewhere in the world.
  OK, we had it mandatory, but it was clear we were not going to get to 
60 votes. I have said over and over, one of the problems we have in 
Congress now is people seem to say if they do not get 100 percent of 
what they want, they are not going to vote for a bill. So I had to 
listen to my own words because if they wait for 100 percent of what 
they want on a bill, everybody is going to end up with zero percent. We 
might as well try to get done what we agree on. So we took a big step, 
which was to make those mandatory standards voluntary.
  Then we threw in an incentive, which is a lot--partial liability, 
immunity from liability in the case of a cyber attack--as an 
encouragement for those companies that voluntarily opt into the 
standards that the voluntary process would set up that gets some 
immunity from liability for prosecution.
  Incidentally, President Obama has made very clear, first, that he 
totally gets the seriousness of this challenge to our security, this 
cyber challenge to our security and our prosperity. He has supported 
this legislation, but he has gone one step further now and said if we 
fail to pass legislation, he will issue an Executive order that does as 
much as an Executive order can do to protect America better from cyber 
attack and cyber theft.
  The President does have the authority to issue an Executive order 
that will establish standards for cyber security for all 18 critical 
infrastructure sectors under existing law and require those sectors to 
be implemented in certain areas where the regulators have the power to 
mandate such observance of the standards. A draft of such Presidential 
order is now being circulated, but the President does not have the 
power under existing law to offer a lot of the benefits that our bill 
would give private sector owners of critical infrastructure.
  For one thing the President does not have the ability to offer the 
private sector owners the liability protection I have just described. 
In addition, needed changes to law that permit private companies to 
share cyber security threat information among themselves and with the 
government will go unmade. So both sides in this debate have 
acknowledged that this is a critical piece in any bill. But it cannot 
be implemented by executive action. We are the lawmakers. We have the 
ability to protect our country better than the President does by 
Executive order. I have appealed to the President that if we are not 
able to act here that he should issue this Executive order. I am very 
encouraged by the work done on it, and I am confident that if we fail 
to act the President will act. I think he has a responsibility to act 
because if we fail to act we are leaving the American people extremely 
vulnerable to a major cyber attack. Therefore, although the legislation 
is preferable, an Executive order will certainly give the American 
people protection.
  I have more to say, but I note the presence on the floor of my 
colleague and partner in this pursuit, the chair of the Senate 
Intelligence Committee, Senator Feinstein. If she would like to speak, 
I will yield the floor to her.
  Mrs. FEINSTEIN. I would, and I thank my colleague.
  The PRESIDING OFFICER. The Senator from California is recognized.
  Mrs. FEINSTEIN. Madam President, if I may, I want to compliment 
Senator Lieberman on his steadfast determination to get this bill 
passed. I think he and his ranking member, Senator Collins, have done a 
very fine job. I think it is important for everyone to know about those 
hours when we sat down with other Members trying to negotiate something 
people might agree to on this cyber bill. Unfortunately, we could not.
  I am very worried. I am very worried there will be a major cyber 
attack on this Nation. I do not say that without intelligence to back 
it up. On the Intelligence Committee, we receive regular warnings from 
the Intelligence Community that tell us cyber attacks are increasing in 
number, sophistication, and damage.
  Unfortunately, despite significant changes made to the Cybersecurity 
Act that Senator Lieberman, Senator Collins, Senator Rockefeller and I 
agreed to in July and August, many on the other side of the aisle 
filibustered the bill. Since that time we have learned of additional 
major cyber attacks.
  In October and September of this year, at least nine major U.S. banks 
were hit by a series of attacks that blocked their customers from 
accessing their banking information or making online transactions. This 
list of victims includes the country's largest, most sophisticated 
financial institutions: the Bank of America, JPMorgan Chase, Citigroup, 
the U.S. Bank, Wells Fargo, PNC, Capital One, BB&T Corporation, and 
HSBC--all cyber attacked.
  These attacks systematically hit banks for 5 weeks. They disrupted 
traffic at each bank for a day or two before moving on to the next 
victim. It was a well planned and coordinated cyber attack from bank to 
bank to bank to bank. It disrupted the banking system,
but it did not destroy it. But that doesn't mean the attackers do not 
have the ability to destroy it. This is a real wake-up call, and I 
think we ignore it at our own peril.
  I have come to believe it is negligent to fail to pass a bill with 
the warnings that are out there today. I remember, I was on the 
Intelligence Committee when the CIA Director, then-Director Tenet, came 
before the committee in the middle of the summer in 2001 and said to 
us: We anticipate an attack. We don't know where. We don't know when. 
That attack came, and it was 9/11. Today there is the same anticipation 
of a big attack, a big cyber attack. And we need to put in place the 
legal procedures to prevent that.
  Let me mention other recent cyber attacks. In August, a foreign 
country or organization used computer code to destroy 30,000 computers 
at the world's largest energy company, that is Saudi Aramco, and that 
is Saudi Arabia's state-owned oil company. How is this done? According 
to the New York Times, the cyber attackers ``unleashed a computer virus 
to initiate what is regarded as among the most destructive acts of 
computer sabotage on a company to date. The virus erased data on 
three-quarters of Aramco's corporate PCs--documents, spreadsheets, e-mails, 
files--replacing all of it with an image of a burning American flag.''
  If anything is a harbinger of things to come, that is clear. Why 
would one put their signature on a major cyber attack by showing 
burning American flags unless they had some additional intent against 
the U.S.? We cannot underestimate the threat. To do so is sheer 
negligence on the part of this body.
  In the 5 months from October 2011 through February 2012, over 50,000 
cyber attacks were reported on private and government networks with 86 
of those attacks taking place on critical infrastructure networks. So 
we have 86 attacks on critical infrastructure networks.
  Keep in mind these 50,000 incidents were only the ones reported to 
the Department of Homeland Security. So they represent but a small 
fraction of cyber attacks carried out against the United States. This 
year, 2012, Nissan, MasterCard, and Visa joined the ranks of other 
major companies already hacked--Sony, Citi, Lockheed Martin, Northrop 
Grumman, Google, Booz Allen Hamilton, RSA, L-3, and the U.S. Chamber of 
Commerce as victims of hacking last year.
  We also know that last year for at least 6 months, 48 companies in 
the chemical, defense, and other industries were penetrated by a hacker 
looking to steal intellectual property. The cyber security company 
Symantec has attributed some of these attacks to computers in Hebei, 
China.
  Here is the point. We know we are being attacked by other countries. 
I hear it in the Intelligence Committee. It is classified so I cannot 
go into it here. But suffice it to say that we know it is happening. 
Things are only going to get worse, as Secretary Panetta said in a 
recent major address in New York. Let me just read one section of his 
speech:

       The collective result of these kinds of attacks could be a 
     cyber Pearl Harbor, an attack that would cause physical 
     destruction and loss of life. In fact it would paralyze and 
     shock the nation and create a new, profound sense of 
     vulnerability.

  Members of the Senate, we are warned. We are warned clearly, we are 
warned directly, and we are warned by the Head of Cyber Command, 
General Alexander, as well as the Secretary of Defense. Yet we do 
nothing.
  I strongly believe we need to pass this bill. Then it will go to the 
House. And then there will be a conference. Along the way, there will 
have to be some accommodations made. But, there is no reason for this 
Senate, knowing what we know, not to pass this bill.
  We also know the President would sign this bill, and we know the 
President would not sign the House bill as is. So we have an 
opportunity by moving forward with this bill.
  I want to remind my colleagues of efforts made to negotiate an 
agreement on this bill. Before the bill came to the floor in July, and 
while the Senate was considering it, there were numerous meetings every 
day by a dozen or more Senators. The authors of the bill met with 
Senators McCain, Chambliss, Hutchison, the sponsors of the SECURE IT 
Act, as well as Senators Kyl and Whitehouse, and a group they convened. 
We had multiple meetings with the U.S. Chamber of Commerce. The 
Chamber's largest concern with Title VII on information sharing was 
over the liability protections in our bill--which is what the 
Intelligence Committee staff worked on and prepared.
  I asked the Chamber where they thought our language was deficient. I 
asked them if they could improve on the immunity provisions, to please 
send us bill language. Did they? No. They did not. I think that is some 
testimony that is worth thinking about.
  Over the summer, the majority leader offered to vote on a set list of 
amendments. He asked if the minority could put together the 10 votes it 
wanted, and as long as they were relevant and germane to the bill, we 
would consider them. No list was provided. So we voted, and by a vote 
of 52 to 46, cloture was not invoked.
  Again, after the vote, the staff from both sides of the Homeland 
Security Committee, the Commerce Committee, and the Intelligence 
Committee held numerous meetings to negotiate a compromise. The effort 
did not succeed. So if we are to address the major problem of cyber 
attacks and potential cyber warfare, we have no option but to bring the 
Lieberman-Collins bill back on the floor.
  I know my time is limited here today. And I know the Nation's cyber 
laws are woefully out of date. Let me touch on one more thing regarding 
the information sharing part of the bill. I received a call from a CEO 
of a high-tech company about the homeland security portal or exchange, 
as we call it in the bill. That CEO said, We would like our information 
to go directly into the Department of Defense. Let me note that would 
create a big problem. It created a problem with a number of U.S. 
Senators who are concerned about the military getting this kind of 
cyber information. And it created a big concern with the privacy 
organizations throughout our country. So it was changed so that the 
portal would be run most likely by Homeland Security. But here is the 
point I wish to make. The transfer of cyber information is with the 
click of a mouse. It moves instantaneously, so that as information----
  The PRESIDING OFFICER (Mr. Casey). The time of the Senator has 
expired.
  Mrs. FEINSTEIN. I ask unanimous consent for 1 minute to conclude.
  The PRESIDING OFFICER. Is there objection? Without objection, it is 
so ordered.
  Mrs. FEINSTEIN. So as information comes in, it goes instantaneously 
into the correct area. The CEO who called me said, I didn't know that. 
Thank you. I have no problem with that.
  So I would ask my colleagues who have voted against this bill to 
reconsider. We are never going to do the perfect bill. The bills are 
going to have to be changed and amended as time goes on. But I think 
passing a bill is important. I think to leave this country vulnerable, 
not to pass a bill because somebody doesn't like this part or that 
part, is negligent, it is irresponsible, and God forbid if we have that 
major cyber Pearl Harbor that Secretary Panetta referred to in his 
speech. I urge my colleagues to pass this bill.
  I thank the Chair for the extra time, yield the floor and ask that my 
remaining remarks be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

       Let me describe what the information sharing title does 
     specifically.
       First, title VII explicitly authorizes companies to search 
     for cybersecurity threats on their own networks and to take 
     appropriate actions to defend their networks against these 
     threats.
       Many companies monitor and defend their own networks today, 
     in order to protect themselves and their customers.
       But we have heard from numerous companies that the law in 
     this area is unclear, and that sometimes it is less risky, 
     from a liability perspective, to just hope attacks don't
     happen than to take additional steps to defend themselves.
       So this bill will make the law crystal clear by giving 
     companies explicit authority to monitor and defend their own 
     networks.
       Second, the bill clearly authorizes private companies to 
     share cyber threat information with each other.
       There have been concerns that antitrust laws or other 
     statutes prevent companies from cooperating on cyber defense. 
     This bill, section 702, clearly says: ``notwithstanding any 
     other provision of law, any private entity may disclose 
     lawfully obtained cybersecurity threat indicators to any 
     other private entity in accordance with this section.''
       Third, the bill authorizes the government--which will 
     largely mean, in practice, the intelligence community--to 
     share classified information about cyber threats with 
     appropriately cleared organizations, such as companies, 
     outside of the government.
       Today, only government employees and contractors are 
     eligible to receive security clearances and therefore gain 
     access to national secrets. To put it another way, those with 
     a valid ``need to know'' national security secrets are 
     usually within the government or working for the government.
       That isn't true for cyber security. The companies that 
     underpin our Nation's economy and way of life have a ``need 
     to know'' about the nature of cyber attacks so they can 
     better secure their systems.
       So under this bill, companies able to qualify to receive 
     classified information will be certified and then be able to 
     obtain classified information about what cyber threats to 
     look out for.
       Fourth, the bill establishes a system for any private 
     sector entity--whether a power utility, a defense contractor, 
     a telecom company, or others--to share cyber threat 
     information with the government.
       This is the piece that General Alexander--the Director of 
     the National Security Agency and the Commander of U.S. Cyber 
     Command--says is absolutely necessary for the protection of 
     the United States.
       Here is how the provision works:
       The Secretary of Homeland Security, in consultation with 
     the Attorney General, the Secretary of Defense, and the 
     Director of National Intelligence, would designate a federal 
     cybersecurity exchange. This would be an office or center 
     that already exists, and already shares and receives cyber 
     threat information.
       Private companies would share cyber threat information with 
     the exchange directly. The exchange must be a civilian 
     entity; I expect it would be within the Department of 
     Homeland Security.
       Let me stop there. Why not have this portal or exchange be 
     in the military or the NSA? There are two reasons:
       First, we are talking here about the protection of the 
     government's network--the dot.gov network--and the computer 
     systems outside of the government. We are not talking about 
     protecting the dot.mil network and the Department of Defense, 
     and we are not talking about actions that the military takes 
     overseas. Protection of the private sector--of the electrical 
     grid or Wall Street--is simply not the military's or NSA's 
     responsibility.
       Second, there is, for good reason, major concern among 
     privacy advocates not to have private sector information, 
     which could include Americans' banking records, or email 
     traffic, or health care records, being shared by companies 
     with the military or intelligence community.
       In drafting this bill, we heard from several Senators for 
     whom having a military exchange was a complete non-starter. 
     We worked with Senators Durbin, Franken, Coons, Akaka, 
     Blumenthal, and Sanders, and others to craft this language 
     putting a civilian entity in the lead.
       General Keith Alexander, the Director of the National 
     Security Agency, also supports this model. He wrote, in his 
     July 31 letter to Senator Reid: ``The American people must 
     have confidence that threat information is being shared 
     appropriately and in the most transparent way possible. That 
     is why I support information to be shared through a civilian 
     entity, with real-time, rule-based sharing of cyber security 
     threat indicators with all relevant Federal partners.'' 
     General Alexander is the top military and intelligence 
     official on cyber saying that he supports a civilian 
     exchange.
       So we have the Federal exchange. Companies will use the 
     exchange as a portal, and information will be sent 
     automatically and instantaneously to other parts of the 
     government. This is what General Alexander was describing.
       This part is critical. We are not talking about information 
     going to an office in the Department of Homeland Security and 
     waiting for someone to look at it and figure out whether to 
     share it and with whom.
       This is an automatic, instantaneous process. Information 
     comes in and is automatically shared with other departments 
     and agencies.
       The bill requires that procedures be put in place so that 
     information is shared in real-time. This has to be done 
     automatically, so that cyber defense systems can move to 
     identify and disrupt a cyber attack as it is coming over the 
     networks.
       I discussed this recently with a CEO of a high-tech 
     company. He was concerned that information wouldn't reach the 
     Department of Defense. I explained that our bill would 
     provide instantaneous sharing to DOD. He said that would 
     satisfy his concerns. So this is a major point.
       Having a single focal point is also more efficient for the 
     government. It will help eliminate stovepipes because right 
     now there are dozens of different parts of the government 
     receiving information from the private sector about the cyber 
     threats they are encountering, and no one agency has the 
     responsibility to ensure the information is shared with other 
     parts of the government.
       It would also make privacy and civil liberties oversight 
     easier, as I will describe in a moment. Finally, it should 
     save taxpayers money, because it is more efficient to manage 
     and oversee the operation of one designated cybersecurity 
     exchange versus a half dozen or more parts of the government.
       Now let me describe the liability protections, because that 
     is a critical part of title VII.
       Section 706 of the bill provides liability protection for 
     the voluntary sharing of cyber threat information with the 
     federal cybersecurity exchange.
       The bill reads: ``no civil or criminal cause of action 
     shall lie or be maintained in any Federal or State court 
     against any entity [meaning a company] acting as authorized 
     by this title, and any such action shall be dismissed 
     promptly for . . . the voluntary disclosure of a lawfully 
     obtained cybersecurity threat indicator to a cybersecurity 
     exchange.''
       In other words, a company is immune from lawsuit if it 
     shares cyber threat information with a Federal exchange.
       The same immunity applies to:
       Companies who monitor their own networks;
       Cybersecurity companies who share threat information with 
     their customers;
       Companies that share information with a critical 
     infrastructure owner or operator; or
       Companies who share threat information with other 
     companies, as long as they also share that information with 
     the Federal cybersecurity exchange within a reasonable time.
       If a company shared information in a way other than the 
     five ways I just mentioned, it still receives a legal defense 
     under this bill from suit if the company can make a 
     reasonable good faith showing that the information sharing 
     provisions permitted that sharing.
       Further, no civil or criminal cause of action can be 
     brought against a company or an officer, employee, or agency 
     of a company for the reasonable failure to act on information 
     received through the information sharing mechanisms set up by 
     this bill.
       Basically, the only way that anyone participating in the 
     information sharing system can be held liable is if they are 
     found to have knowingly violated a provision of the bill or 
     acted in gross negligence.
       So there are very strong liability protections in this bill 
     for anyone that shares information about cyber threats--which 
     is completely voluntary.
       In addition to narrowly defining what information can be 
     shared with an exchange, our bill also requires the Federal 
     government to adopt a very robust privacy and civil liberties 
     oversight regime for information shared under this title. 
     There are multiple layers of oversight from different parts 
     of the executive branch, including the Department of Justice 
     and the independent Privacy and Civil Liberties Oversight 
     Board, as well as the Congress.
       Consider this: In October, General Alexander--the Director 
     of the NSA--and Anthony Romero, the Executive Director of the 
     ACLU, spoke together on a cybersecurity roundtable at the 
     Woodrow Wilson Center. General Alexander praised title VII's 
     approach to information sharing, and Mr. Romero said ``I 
     think it strikes the right balance.'' It is not often that 
     the Director of the NSA and the Executive Director of the 
     ACLU agree on legislation. If they can, I would hope that the 
     Senate can come together as well.
       The time to act is now. The cyber threat we face is real, 
     it is serious, and it is growing. The country is vulnerable, 
     and this legislation is essential. I urge my colleagues to 
     support the motion to proceed and to support the bill.

  The PRESIDING OFFICER. The Senator from Georgia.
  Mr. CHAMBLISS. Senator Grassley, who is scheduled to speak next, has 
been kind to give me 45 seconds, so I appreciate that.
  In July and August, the cosponsors of both the underlying bill, the 
Lieberman-Collins bill, and the SECURE IT bill, of which I am a 
cosponsor, met regularly, and I was hopeful we could resolve the 
significant differences between these two bills. Unfortunately, we did 
not reach an agreement, and even though we had been promised an open 
amendment process on this underlying bill, the majority leader once 
again filled the tree and filed cloture. Unfortunately, nothing has 
changed

[[Page 15198]]

since then, so I am compelled to do the same thing today.
  We all understand the serious threat that is facing our country from 
cyber attacks and intrusions, but that does not mean Congress should 
just pass any bill. Frankly, the underlying bill is not supported by 
the business community, for all the right reasons, and they are the 
ones who are impacted by it. They are the ones who are going to be 
called on to comply with the mandates and the regulations. Frankly, it 
is not going to give them the kind of protection they need from cyber 
attacks.
  So I regret to have to stand up today and say that I intend to vote 
against cloture on this bill, and I yield to Senator Grassley.
  The PRESIDING OFFICER. The Senator from Iowa.
  Mr. GRASSLEY. Mr. President, we are again discussing the important 
topic of cybersecurity--a topic we all agree is of the utmost 
importance and worthy of our attention. Unfortunately, this is like the 
movie ``Groundhog Day.'' The majority continues to push the same flawed 
legislation that failed to garner enough votes for consideration just 
three months ago.
  No one disputes the need for Congress to address cybersecurity.
  However, Members do disagree with the notion this problem requires 
legislation that increases the size of the Federal Government 
bureaucracy and places new burdens and regulation on businesses.
  Enhancing cybersecurity is important to our national security. I 
support efforts to strengthen our Nation against cyber attacks.
  However, I take issue with those who have come to the floor and 
argued that those who don't support this bill are against strengthening 
our Nation's cybersecurity.
  As I said in August, disagreements over how to address policy matters 
shouldn't devolve into accusations about a Member's willingness to 
tackle tough issues.
  The debate over cybersecurity legislation has turned from a 
substantive analysis of the merits into a political blame game as to 
which side supports defending our Nation more.
  If we want to tackle big issues such as cybersecurity, we need to 
rise above disagreements and work in a constructive manner. 
Disagreements over policy should be openly and freely debated.
  Unfortunately, this isn't how the debate on cybersecurity proceeded. 
Instead, before a real debate began last August, the majority cut it 
off.
  This was contrary to the majority's promise earlier this year of an 
open amendment process to address cybersecurity.
  Aside from process, I also have significant substantive concerns with 
the bill. Chief among my concerns with the pending bill is the role 
played by the Department of Homeland Security. These concerns stem from 
oversight I have conducted on its implementation of the Chemical 
Facility Anti-Terrorism Standards, or the CFATS program.
  CFATS was the Department's first major foray into regulation of the 
chemical sector. DHS spent nearly $500 million on the program. Five 
years later, they have just begun to approve site security plans for 
the more than 4,000 facilities designated under the rule.
  I have continued to conduct oversight on this matter. Despite 
assurances from DHS that they have fixed all the problems with CFATS, I 
keep discovering more problems.
  On top of this concern, since the last vote in August, the chairman 
and ranking member of the Senate Permanent Subcommittee on 
Investigations have released a report criticizing DHS and the fusion 
centers they operate. The subcommittee report criticized DHS's fusion 
centers as ``pools of ineptitude, waste, and civil liberties 
intrusions.''
  And that is the evaluation after DHS spent as much as $1.4 billion on 
this program.
  Given these examples, I am baffled why the Senate would take an 
agency that has proven problems with overseeing critical infrastructure 
and give them chief responsibility for our country's cybersecurity.
  Additionally, I am concerned with provisions that restrict the way 
information is shared.
  The restrictions imposed under title VII of this bill are a step 
backward from other information-sharing proposals. This includes the 
bill I have co-sponsored, the SECURE IT bill.
  The bill before us places DHS in the role of gatekeeper of cyber 
threat information. The bill calls for DHS to share the information in 
``as close to real time as possible'' with other agencies. However, 
this will create a bottleneck for information coming into the 
government.
  Further, title VII includes restrictions on what types of information 
can be shared, limiting the use of it for criminal prosecutions except 
those that cause imminent harm.
  This is exactly the type of restriction on information sharing that 
the 9/11 Commission warned about.
  In fact, the 9/11 Commission said, ``the [wall] resulted in far less 
information sharing and coordination.'' The Commission further added, 
``the removal of the wall that existed before 9/11 between intelligence 
and law enforcement has opened up new opportunities for cooperative 
action.''
  Why would we even consider legislation that could rebuild these walls 
that threaten our national security?
  We haven't had any real debate on these issues. The lack of a real 
process in the Senate on this current bill amplifies my substantive 
concerns.
  In fact, this is eerily reminiscent of the debate surrounding 
ObamaCare.
  Here we are once again, in a lame duck session the week before 
Thanksgiving, tackling a serious problem that hasn't been given the 
benefit of the Senate's full process.
  I don't want cybersecurity legislation to become another ObamaCare. 
If we are serious about our Nation's security, then shouldn't we treat 
it as such?
  Additionally, the staff of the sponsors of the legislation before us 
continue behind-the-scenes efforts to negotiate changes to the bill we 
are being asked to vote on. If the bill sponsors are still negotiating 
changes, why don't we have the benefit of a full and open amendment 
process to try and fix it before we vote for cloture? It simply doesn't 
make sense.
  Instead, it appears today's vote is about something other than 
cybersecurity. It is yet another attempt by the majority to paint the 
minority as obstructing the work of the Senate. Most likely, this vote 
will be used simply as fuel for the majority's effort to dismantle the 
filibuster. So much for tackling cybersecurity without putting politics 
into the mix.
  This isn't the way we are supposed to legislate. The people who 
elected us expect more.
  How many Senators are prepared to vote on something this important, 
without knowing its impact because we haven't followed regular order? 
Are we to once again pass a bill so that the American public can then 
read it and find out what is in it?
  These are questions that all Senators should consider. And our 
citizens should know in advance what we are actually considering.
  If we are serious about addressing this problem, then let's deal with 
it appropriately.
  Rushing something through that will impact the country in such a 
massive way isn't the way we should do business.
  It is not good for the country and it is not good for this body.
  Thank you. I yield the floor.
  Ms. MIKULSKI. Mr. President, today I wish to support the 
Cybersecurity Act of 2012. As a member of the Intelligence Committee, I 
know that cyber security is the most pressing economic and national 
security threat facing our country.
  There still needs to be a sense of urgency in addressing this issue, 
and we must pass this legislation. Doing so will allow us to defend our 
computer networks and critical infrastructure from a hostile, predatory 
attack. Such an attack is meant to humiliate, intimidate, and cripple 
us. If we wait until a major attack occurs, we will likely end up over-
reacting, over-regulating, and overspending in order to address our 
weakness.

[[Page 15199]]

  The threat of a cyber attack is real. Our Nation is already under 
attack. We are in a cyber war, and cyber attacks are happening every 
day. Cyber terrorists are working to damage critical infrastructure 
through efforts to take over the power grid or disrupt our air traffic 
control systems. Those carrying out these attacks are moving at 
breakneck speeds to steal state secrets and our Nation's intellectual 
property. They are stealing financial information and disrupting 
business operations.
  Cyber attacks can disrupt critical infrastructure, wipe out a 
family's entire life savings, and put human lives at risk. They can 
take down entire companies by hacking into computer networks where they 
remain undiscovered for months, even years.
  FBI Director Mueller testified before the Senate Intelligence 
Committee, stating that cyber crime will eventually surpass terrorism 
as the No. 1 threat to America. The economic losses of cyber crime 
alone are stunning. A Norton Cybercrime Report valued losses from cyber 
attacks at $388 billion in 2011.
  I have been working on cyber issues since I was elected to the 
Senate. The National Security Agency--our cyber warriors--are in 
Maryland. I have been working with the NSA to ensure that signals 
intelligence is a focus of our national security even before cyber was 
a method of warfare.
  In 2007, Estonia was attacked. Estonia was strengthening its ties to 
NATO, and Russian hackers swiftly struck back. They waged war on 
Estonia and threatened its government, rendered Estonia's networks 
obsolete for days. This attack was designed to intimidate, manipulate, 
and distort.
  The cyber attacks on Estonia raised important questions. Would 
article 5 of the NATO Charter be invoked? Since the attack was on one 
member of NATO--was it an attack on all members? How would the U.S. and 
other allies need to respond to future attacks? What would happen if 
America experienced a similar cyber attack?
  As a member of the Senate Intelligence Committee, I served on the Cyber 
Working Group where we developed core findings to guide Congress. The 
need to get governance right, the need to protect civil liberties, and 
the need to improve the cyber workforce.
  As chair of the Commerce, Justice, Science Appropriations 
Subcommittee, I fund critical cyber security agencies: the FBI which 
investigates cyber crime, NIST, which works with the private sector to 
develop standards for cyber security technology, and NSF, which does 
research.
  As a member of the Defense Appropriations Subcommittee, I work to ensure 
critical funding for Intel and cyber agencies such as the NSA, CIA, and 
IARPA. These organizations are coming up with the new ideas that will 
create jobs and keep our country safe. Funding is critical to build the 
workforce, provide technology and resources, and to make our cyber 
security smarter, safer, and more secure.
  Yet technology will mean nothing unless we have a trained workforce. 
In order to fight the cyber security war, we have to maintain our 
technological development, maintain our qualitative advantage, and have 
our cyber warriors ready at battle stations. In order to develop our 
cyber shield, we need to train cyber warriors so they can protect our 
Nation. I have been working with Maryland colleges and universities to 
create world-class programs, a national model, and for training our 
next generation of cyber warriors.
  I asked Senator Reid to conduct a cyber security exercise, which 
showed us in real time how the U.S. Government would respond to a 
predatory cyber attack of great magnitude. I asked for the Senate cyber 
exercise for three reasons. First, we need a sense of urgency here in 
the Senate to pass cyber security legislation. Second, we need to put 
the proper legislative policy in place. Third, I wanted to create a 
sense of bipartisan camaraderie.
  One example of the impact a cyber attack would have is the power 
outages caused by our freak storms this summer. We got a glimpse of 
what an attack on the grid would be like. At least Pepco has the 
ability to respond and restore and turn the power back on. With an 
attack on the grid we could lose the power to turn electricity back on 
because it was shut down by power manipulation. Imagine our largest 
cities, like New York and Washington, like the Wild West with no power, 
schools shut down, parents stuck in traffic, public transit crippled, 
no traffic lights, and 9-1-1 systems failing.
  In the financial industry, the FBI currently has 7,600 pending bank 
robbery cases and over 9,000 pending cyber investigations. According to 
the FBI, the Bureau is currently investigating over 400 reported cases 
of corporate account takeovers where cyber criminals have made 
unauthorized transfers from the bank accounts of U.S. businesses. These 
cases involve the attempted theft of over $255 million and actual 
losses of approximately $85 million.
  Hackers have repeatedly penetrated the computer network of the 
company that runs the Nasdaq Stock Market. The New York Stock Exchange 
has been the target of cyber attacks. In the future, successful 
attempts to shut down or steal information from our financial exchanges 
could wreak havoc of untold proportions on our economy.
  In the 2010 ``flash crash'', the Dow Jones plunged 1,000 points in 
a matter of minutes when automatic computerized traders shut down. This 
was the result of turbulent trading, not a cyber attack, and the market 
recovered. But this is a micro-example of what could happen if stock 
market computers are hacked, infected, or go dark.
  In November 2008 the American credit card processor RBS Worldpay was 
hacked--$9 million was stolen in less than 12 hours. The hackers broke 
into accounts and changed limits on payroll debit cards employees use 
to withdraw their salaries from ATMs. The cards were used at over 2,100 
ATMs in at least 280 cities around the world, United States, Russia, 
Ukraine, Estonia, Italy, Hong Kong, Japan, Canada, stealing over $9 
million from unsuspecting employers and employees.
  This heist, one of the most sophisticated and organized computer 
fraud attacks ever conducted, proves that you don't need a visa to steal 
someone's Visa card.
  From 2008 to 2010, a Slovenian citizen created ``Butterfly Bot'' and 
sold it to other criminals worldwide. Cyber criminals developed 
networks of infected computers. The Mariposa variety from Spain was the 
most notorious and largest. Mariposa infected personal computers, stole 
credit card and bank account information, launched denial attacks to 
shut down online services, and spread viruses to disable computers and 
networks.
  Industry experts estimated the Mariposa Botnet may have infected as 
many as 8 million to 12 million computers. The size and scope of the 
infection makes it difficult to quantify financial losses but could 
easily be tens of millions of dollars.
  Speaking simply, this bill does two key things from a national 
security perspective. It helps businesses voluntarily get cyber 
standards that they can use to protect themselves, and it allows 
businesses and the government to share information with each other 
about cyber threats. That is, to help ``.gov'' to protect ``.com.''
  In a constitutional manner, these two things are not necessarily 
connected, but they can be. The reason why these provisions are such an 
innovation is that despite all the amazing talent and expertise that 
companies have, many are being attacked and don't know it. And this 
legislative framework gives the structure to allow for unprecedented 
``.com'' and ``.gov'' cooperation.
  There are also several other key components in the bill 
focusing on research and development, workforce development, and FISMA 
reform.
  Why do we need a bill to make some of these vital partnerships and 
exchanges happen?
  Because, as I have outlined, America is under attack every second of 
every day. General Alexander, the head of NSA and U.S. Cyber Command, 
has said that we have witnessed the greatest transfer of wealth in 
history in the heist that foreign actors have perpetrated on our 
country. By stealing

[[Page 15200]]

our secrets, stealing our intellectual property, and stealing our 
wealth. It is mindboggling. Take just one example. A theft by a foreign 
actor that took, among other things, key plans for our F-35 fighter. 
One attack on the Pentagon made off with so many sensitive documents 
that they would have filled delivery trucks end-to-end stretching from 
Washington, DC to Baltimore Harbor.
  But don't take my word for it that this issue is urgent and that we 
need to address critical infrastructure. Who else says it is urgent? 
Experts from both sides of the aisle do. Folks like former CIA Director 
Mike McConnell, DHS head Michael Chertoff, Vice Chairman of the Joint 
Chiefs of Staff James Cartwright, former cyber czar Richard Clarke, and 
many others have said we need to address critical infrastructure.
  And our top defense and military leaders such as Defense Secretary 
Leon Panetta, Chairman of the Joint Chiefs of Staff Dempsey, Director 
of National Intelligence Clapper, and again, GEN Keith Alexander. The 
threat is here and it is now. And if we do not act, if we let the 
perfect be the enemy of the good, then this country will be more 
vulnerable than ever before, and Congress will have done nothing.
  This bill is not perfect, but I want to say upfront that Senators 
Lieberman and Collins have heard the critics and tried to incorporate 
their views. DHS's role has been criticized by many, myself included. I 
have been skeptical that they could perform some of the duties assigned 
in this bill.
  To be honest, I still am skeptical, although less so than before, but 
I think this bill takes important steps to diversify the government and 
private sector actors involved. So we are not just focusing on DHS, but 
also the right civilian agencies in charge because in the end we cannot 
have intelligence agencies leading this effort with the private sector. 
Some would like to see that go further, and that is what the amendment 
process is there for.
  We have had people in the civil liberties community worried about 
whether this bill could allow intrusions by the government into 
people's privacy. As a Marylander, this was a tantamount concern for me 
as well. If we don't protect our civil liberties, then all this added 
security is for naught because we would have lost what we value most, 
our freedom.
  Again, I think the authors of this bill, especially Senator 
Feinstein, have made key improvements on issues of law enforcement 
powers and protecting core privacy concerns. I know not everyone is 
totally pleased. But I think this bill has made important strides to 
balance information sharing and privacy.
  We all have been concerned that the business community has opposed a 
lot of key critical infrastructure elements of this bill. They fear 
strangulation and over-regulation. They fear that they will open 
themselves up to lawsuits if they participate in the program with the 
government. These are valid concerns, and I have heard them from 
Maryland businesses. I think this new bill has made the most strides in 
trying to accommodate business and building a voluntary framework to 
allow businesses to choose protection.
  Protection does not come without responsibility for participants, but 
I think this bill links the need for cyber security with appropriate 
liability protection and the expertise of our business community in a 
way that answers a lot of companies' concerns. We cannot eliminate all 
government involvement in this issue. That won't work. And we will lose 
key government expertise in DOD, FBI, and elsewhere. But we work to try 
to minimize it while maintaining government's role in protecting our 
national security.
  I am so proud that the Senate came together in a bipartisan way to 
draft this legislation. The Senate must pass this legislation now. 
Working together we can make our Nation safer and stronger and we can 
show the American people that we can cooperate to get an important job 
done.
  Mr. ROCKEFELLER. Mr. President, for 4 years, we have been pushing the 
United States Senate to pass a bill to improve our Nation's 
cybersecurity. During this time, the cybersecurity threat to our 
country--to our way of life--has only grown. We have now seen cyber 
attacks against our Nation's pipelines, against our financial industry, 
and even against nuclear power plants.
  The good news is we have not yet suffered a devastating cyber attack. 
At this point, we are still only talking about the potential impacts. 
We have not yet suffered an attack that greatly disrupts our financial 
industry, or an attack that cripples our electric grid. But these 
potential outcomes are real. And it is imperative that we begin 
addressing the risks.
  Today, we have the opportunity to begin this important work by moving 
forward with the Cybersecurity Act of 2012. We have the opportunity to 
show the American people that we can rise above politics to do the job 
that they expect of us.
  National security is one of our most sacred obligations as Members of 
this body. If a vote on cybersecurity fails today, we will have failed 
to meet that obligation for the 112th Congress.
  I will be the first person to admit that this bill is not perfect. I 
have been clear that I believe a regulatory approach was the best 
approach to ensure that our country's most critical infrastructure 
addresses its cybersecurity vulnerabilities. We moved to a voluntary 
approach to seek a compromise. Yet it was not enough for some of our 
colleagues. Frankly, I do not understand why.
  I know the Chamber of Commerce decided that it did not like this 
bill. But sometimes we need to make decisions that the Chamber of 
Commerce is not happy with. Because it is not the Chamber's job to 
worry about national security. That is the job of our military. And 
they have been quite clear about what is needed. They have told us that 
they need this legislation. They have implored us to act. General 
Alexander, the Director of the National Security Agency, knows what is 
at stake. And his warnings have been dire.
  He has said: ``The cyber threat facing the Nation is real and demands 
immediate action.''
  He has said: ``the time to act is now.''
  General Dempsey, the Chairman of the Joint Chiefs of Staff, wrote me 
a letter earlier this year about the urgent need for comprehensive 
cybersecurity legislation. In the letter, he explained that our: 
``adversaries will increasingly attempt to hold our Nation's core 
critical infrastructure at risk.''
  He stated that: ``we cannot afford to leave our electricity grid and 
transportation system vulnerable to attack.''
  Both Generals agreed that we must do something and they both pushed 
the Senate to adopt comprehensive cybersecurity legislation that tracks 
the specifics of the bill we have been debating. Despite this urgent 
advice from our nation's top military advisors, that we need to act and 
that we need to do it now, some Senators suggested in August that we 
needed more time to debate cybersecurity. I strongly disagreed with 
this notion. But now we have had another few months to think about this 
bill. Today, there is simply no more reason for delay.
  We passed a Cybersecurity bill out of the Commerce Committee in March 
2010. And it passed unanimously. The Homeland Security Committee, led 
by Senators Lieberman and Collins, passed their cybersecurity bill by a 
voice vote in June 2010. The bills both went through Committees well 
over 2 years ago. Since that time, we have had hundreds of meetings 
with the private sector, interest groups, and national security 
experts. Senators have received multiple classified briefings about the 
nature of this threat. Everyone has had plenty of time to think about 
this issue. And we have made it quite clear that we are looking to 
compromise on this legislation. But to compromise you need a partner. I 
am hoping that our Republican colleagues are now willing to be our 
partners on this legislation.
  I hope that my colleagues will reconsider the path we are on. At some 
point, if we do not do anything, there will be a major cyber attack and 
it will do great damage to the United States.

[[Page 15201]]

After it is over, the American people will ask, just as they asked 
after 9/11, what could we have done to stop this?
  If we do not pass this legislation, they will learn about days like 
this one and their disappointment in us and the United States Senate 
will grow. And we will deserve their disappointment. Because we have 
had the opportunity to act and we have failed.
  The PRESIDING OFFICER. The Senator from Texas.
  Mrs. HUTCHISON. How much time is remaining on our side?
  The PRESIDING OFFICER. There is 20 minutes remaining.
  Mrs. HUTCHISON. Thank you. Are there other speakers on our side? Let 
me ask the Chair to notify me when there is 10 minutes left in case 
Senator Collins comes or someone else. So I would like to have up to 10 
minutes and be notified.
  Mr. President, I rise to speak against revoting this cloture motion, 
and the main reason is that we are not going to be allowed to have 
amendments. That is unacceptable because although we have worked 
diligently with the sponsors of the cyber security bill on the floor, a 
number of the ranking members of the relevant committees that have 
jurisdiction over cyber security have an alternative bill, the SECURE 
IT Act, that we would like to be able to put forward as an alternative 
or have an amendment process that would allow our approach to have a 
chance to prevail anyway.
  Now, we are aware that the President is signaling his intention to 
issue an Executive Order, but an Executive Order is not sufficient to 
really give the encouragement and the protection to the companies to 
allow them to share information with other companies that might have 
the same types of threats in the same industry area or with the Federal 
Government. I am sorry we are not going to be able to have amendments 
that would allow us to perfect this bill.
  Let me say that the proponents of S. 3414 acknowledge that it is 
important to have a collaborative effort between the businesses that 
run almost 90 percent of our Nation's critical infrastructure and the 
Federal Government. We agree with that, which is why we have worked 
with the companies that run the private networks to fashion a bill that 
would give them immunity if they share information and give them the 
direct sharing capabilities to go directly to the defense agencies 
because we believe the agencies that work with the communications and 
the military industrial base companies would have more of an 
understanding of the needs and what can be done to employ 
countermeasures in a direct way. The bill that is on the floor, 
however, requires everything to go through the Homeland Security 
Department, and those of us who are supporting SECURE IT believe there 
should be the ability to directly share information with other 
agencies including the defense agencies.
  The sponsors of our bill are the ranking members of eight committees 
and subcommittees that have jurisdiction in this area: Senators McCain, 
Chambliss, Grassley, Murkowski, Coats, Burr, Johnson, myself and 
Minority Leader McConnell. We believe the consensus items in our bill 
are preferable to the bill that is before us that we are not going to 
be allowed to amend.
  SECURE IT offers a balanced approach that will significantly advance 
cyber security in both the public and private sectors--first, to 
facilitate sharing of cyber threat information between the private 
sector and government, allowing the information to go to the defense 
agencies where the response can be direct, not filtered through 
Homeland Security. Secondly, it gives immunity from liability for 
sharing among the industries that might be affected as well as the 
defensive actions that are taken. This is essential because you even 
need antitrust protection if you are going to share vital information 
on this issue so that you are not going to get sued for collaborating 
with a competitor. It is in our country's interest, and I think our 
private sector companies want the ability to help secure all of our 
networks because we know this is a real threat.
  SECURE IT has the overwhelming support of the network operators that 
are trying to gear up to defend against cyber threats. Because it will 
help their members protect their networks, we have the endorsement of 
the U.S. Chamber of Commerce.
  Mr. President, I ask unanimous consent to have printed in the Record 
a letter from the U.S. Chamber of Commerce dated November 14 of this 
year.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                        Chamber of Commerce of the
                                     United States of America,
                                Washington, DC, November 14, 2012.
       To the Members of the United States Senate: The U.S. 
     Chamber of Commerce, the world's largest business federation 
     representing the interests of more than three million 
     businesses and organizations of every size, sector, and 
     region, continues to have serious concerns with S. 3414, the 
     ``Cybersecurity Act of 2012,'' including the related 
     manager's amendment, which was debated in the Senate before 
     the August recess.
       The Chamber believes that Congress should approve a 
     workable cybersecurity bill focused on information sharing. 
     The waning days of a lame-duck session are hardly the 
     appropriate place to address the fundamental flaws in a bill 
     that remain unresolved since it was last on the Senate floor. 
     The underlying issues are simply too crucial to our economy 
     for treatment in a rushed legislative product.
       First, there is a healthy and robust disagreement about the 
     proper role of government in regulating the business 
     community--given the incredibly dynamic nature of 
     cybersecurity risks--that is far from resolved. Title I of S. 
     3414 would create a National Cybersecurity Council that would 
     give federal departments and agencies overwhelming authority 
     over what actions businesses could take to protect their 
     computers and information systems.
       Critical infrastructure owners and operators are concerned 
     that core threats to enterprise cybersecurity--including 
     nation states or their proxies, organized criminals, and 
     other nefarious actors--could go unchallenged because they 
     would be compelled to redirect resources toward meeting 
     government mandates. Indeed, any cybersecurity program must 
     afford businesses maximum input and flexibility with respect 
     to implementing best cybersecurity practices.
       In addition, insufficient attention has been paid to the 
     likelihood of creating a well-intended program that, in 
     practice, becomes slow, bureaucratic, and costly. An 
     ineffective program would tie businesses in red tape but 
     would do little to deter bad actors. Businesses do not have 
     unlimited capital and human talent to devote to regulatory 
     regimes that are inadequately managed or out of date as soon 
     as they are written.
       Second, the Chamber agrees with most lawmakers that federal 
     legislation is needed to cause a sea change in the current 
     information-sharing practices between the public and private 
     sectors. Title VII of the bill would actually impede the 
     sharing of information between business and government. The 
     bill's framework and strict definition of cyber threat 
     information would erect, not bring down, barriers to 
     productive information sharing.
       Third, the liability ``protection'' provisions throughout 
     the bill need to be further clarified and strengthened. 
     Private-sector entities should be fully protected against 
     liability if they ``voluntarily'' adopt a federally directed 
     cybersecurity program and suffer a cyber incident. Strong 
     liability protections are essential to spur businesses to 
     share threat data with their peers and government partners.
       Fourth, the ``Marketplace Information'' provision of S. 
     3414 seems intended to compel businesses that suffer from a 
     cybersecurity event to publicly disclose the occurrence. This 
     section of the bill would essentially ``name-and-shame'' 
     companies and could compromise their security. The Chamber 
     strongly rejects disclosing businesses' sensitive security 
     information publicly, and draws your attention to a June 2011 
     letter from the Securities and Exchange Commission to the 
     Senate where the agency stated that investors have not asked 
     for more disclosure in this area.
       Finally, the bill has not been scored, making the cost of 
     the bill unknown to lawmakers and to the public.
       These are some of the Chamber's high-level concerns with S. 
     3414. The Chamber and our members have invested considerable 
     time and energy working with lawmakers to develop smart and 
     effective cybersecurity legislation. The business community 
     is fully prepared to work with Congress and the 
     Administration to advance efforts that would truly help 
     business owners and operators counter advanced and 
     increasingly sophisticated cyber threats.
       Cybersecurity is a pressing issue that the Chamber remains 
     committed to addressing in a constructive way. Moving a 
     large, problematic bill within a short legislative timeframe 
     would not lay the necessary groundwork to help businesses 
     deflect or defeat 
     novel and highly adaptive cyber threats. Any new legislative 
     program must foster timely and actionable information, be 
     dynamic in its execution, and promote innovation in order to 
     increase collective cybersecurity and allow electronic 
     commerce to grow.
       The Chamber recognizes the leadership of the sponsors and 
     cosponsors of the bill on cybersecurity. We appreciate the 
     degree to which they have listened to the concerns of the 
     Chamber and the broader business community, and have sought 
     to address them in whole or in part. This legislation came 
     directly to the floor for consideration without proceeding 
     through regular order. Legislative hearings and a committee 
     mark-up of the bill would have properly allowed Senators who 
     have concerns with the bill to question experts and offer 
     amendments in order to improve the bill before a Senate floor 
     debate.
       The Chamber appreciates the steps that the Administration 
     has taken to engage the Chamber on cybersecurity. Despite all 
     this engagement, and despite the best intentions of the 
     sponsors of S. 3414, it would be ill-advised to craft a 
     cybersecurity bill on the Senate floor during a lame-duck 
     session.
       The Chamber strongly opposes S. 3414, the ``Cybersecurity 
     Act of 2012,'' and may consider including votes on, or in 
     relation to S. 3414 in our annual How They Voted scorecard.
           Sincerely,
                                              R. Bruce Josten,
                                         Executive Vice President,
                                               Government Affairs.

  Mrs. HUTCHISON. We also have the endorsement of the National 
Association of Manufacturers, the American Fuel & Petrochemical 
Manufacturers, the American Petroleum Institute, US Telecom, the 
National Retail Federation, Financial Services Roundtable, the Internet 
Security Alliance, and CTIA The Wireless Association.
  We can come together to pass the areas of SECURE IT that would allow 
better cooperation and also an information sharing relationship that 
they understand and know will help them defend against the cyber 
attacks. We believe SECURE IT is a superior bill, and we would like the 
ability to amend the bill that is on the floor to perfect it so we 
could send a bill to the House.
  If we are not able to get this bill this year, certainly I hope it 
will be started again with all of the relevant committees doing the 
markups, doing the discussion that is required for a bill of this 
magnitude. Many of the committees did not have markups. They did not 
have input into the bill. The committee process does work when we are 
able to use it, and I hope we will be able to go back to the drawing 
board, or if the majority would allow amendments down the road, if we 
have the time later this year, we would love to continue working with 
the sponsors of the legislation to see if we could come up with the 
amendments to which everyone could agree.
  It has been a tough road. We have all tried hard. I think the 
sponsors of the bill are sincere in wanting to improve the systems. The 
ranking members who have cosponsored SECURE IT, who also have 
jurisdiction of this area, also are sincere. I hope we can come 
together, hopefully later this year, but if not, certainly in the new 
year, with the new session, let's start from the beginning and go 
through all the committees of jurisdiction so there can be a real 
consensus and a give-and-take.
  Mr. President, I thank you and yield the floor.
  The PRESIDING OFFICER. The Senator from Connecticut.
  Mr. LIEBERMAN. Mr. President, I ask unanimous consent to speak for up 
to 1 minute and not have the time taken out of the Republican side.
  The PRESIDING OFFICER. Is there objection?
  Without objection, it is so ordered.
  Mr. LIEBERMAN. Mr. President, I want to respond to the concern of my 
friend from Texas that if cloture is granted on this motion, there will 
not be an opportunity to amend the bill. I understand why she is saying 
that, but I do want to say that Senator Reid has made it clear--I think 
twice today--that if cloture is granted, he is open to--he will allow 
amendments. He said he cannot allow endless amendments because we are 
in a lameduck session with limited time but that he will allow a finite 
number of amendments, if you will, on both sides.
  So I want to assure my colleagues and appeal to my colleagues to vote 
to at least consider this measure. I mean, our cyber enemies are at the 
gates. In fact, they have already broken through the gates. The least 
we can do is debate and vote on amendments to determine how we can 
strengthen our cyber defense.
  I thank my colleagues and yield the floor.
  The PRESIDING OFFICER. The Senator from Maine.
  Ms. COLLINS. Mr. President, first, let me thank the Senator from 
Texas for reserving some time for me while I was at a briefing and on 
my way to the floor. I will attempt to be very quick because I know our 
colleagues are eager to vote on this important issue. And, Mr. 
President, that is my point. This is a critically important issue. How 
many more warnings do we need to hear from the experts that we are 
extremely vulnerable to a cyber security attack? Cyber attacks are 
happening every day.
  Just recently there was an attack on several of our financial 
institutions. According to press reports, it was launched by Iranian 
sources. We know that Iran, Russia, and China are extremely active in 
probing our cyber systems, including those that control our critical 
infrastructure--not only our financial systems, our transportation 
systems, our water treatment plants, but also our electric grid.
  Recently we have seen what Hurricane Sandy, the superstorm, has done 
to States--so many States--destroying lives and property and leaving 
people without power for days on end. Well, multiply that many times. 
If it were a deliberate cyber attack that knocked out the electric grid 
along the entire east coast, that is what we are talking about. That is 
the kind of risk that calls us to act.
  We have heard from the experts over and over again that this 
vulnerability is huge and escalating. We know that the number of cyber 
attacks that have been reported to the Department of Homeland Security 
has increased by 200 percent in just the last year. And those are just 
the attacks that have been reported. That is just the tip of the 
iceberg. Undoubtedly, there are many more on our critical 
infrastructure that have not been reported. We know there have been 
attempts to probe the security of the computer systems that run some of 
our natural gas pipelines.
  This problem is very real, and it is not only a threat to our 
national and homeland security, it is also a threat to the economic 
prosperity of this country. How many more thefts of research and 
development, of intellectual property of businesses right here in our 
country that are providing good jobs for Americans do we need to endure 
before we act to secure our cyber systems?
  I have worked on the cyber security bill for years with my friend, 
colleague, and chairman, Joe Lieberman. We have held countless 
hearings. We have marked up a previous bill. It is so ironic that we 
are being criticized for not doing yet another markup on this bill when 
all of the changes reflect our attempts to address the criticisms of 
the opponents of this bill. We made a huge change by making this bill 
voluntary rather than mandatory and by providing incentives such as 
liability protections for businesses that voluntarily agree to adopt 
cyber standards. We have created a system where there would be a 
cooperative process between the public and the private sectors to share 
information and to develop the best practices so that information can 
be shared.
  In all the time I have worked on homeland security issues, I cannot 
think of another threat where our vulnerability is greater and where we 
have failed to act and have done less.
  This is not a Republican or a Democratic or an Independent issue. The 
experts, regardless of their political leanings, from the Bush 
administration to the current administration have urged us to act, have 
pleaded with us to act.
  General Alexander, the nonpartisan general who is the head of Cyber 
Command and the head of the National Security Agency, has urged this 
Congress over and over again to give this administration, to give our 
country the tools 
it needs to protect critical infrastructure and to help safeguard our 
economic edge.
  I urge our colleagues to listen to the wisdom of former Homeland 
Security Secretary Michael Chertoff and former NSA chief GEN Michael 
Hayden from the previous administration, from President Bush's 
administration. They wrote the following:

       We carry the burden of knowing that 9/11 might have been 
     averted with the intelligence that existed at the time. We do 
     not want to be in the same position again when ``cyber 9/11'' 
     hits--it is not a question of ``whether'' this will happen; 
     it is a question of ``when.''

  This time all the dots have been connected. This time we know cyber 
attacks are occurring each and every day. This time the warnings are 
loud and clear. How can we ignore these dire warnings? How? How can we 
fail to act on the cyber security bill, especially since the majority 
leader has indicated he is willing to allow for amendments, as he 
should, to make this process fair? Germane amendments would be allowed.
  I urge our colleagues to heed the warnings from the experts and to 
vote for cloture on the cyber security bill so we can proceed to its 
consideration. I do not want to be here 1 year from now saying, why did 
we not act? Why did we not listen to the cyber experts from the Bush 
administration, from the Obama administration, from GEN Keith 
Alexander, the premier expert in our government?
  I yield the floor.
  The PRESIDING OFFICER. The Senator from Delaware.
  Mr. CARPER. Mr. President, I ask unanimous consent to speak for 1 
minute.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  Mr. CARPER. Mr. President, this is the first opportunity we will have 
had since returning from the election to cast a vote on a meaningful 
piece of legislation. As legislation goes, it is about as meaningful as 
any we are going to come across for a while.
  If we were in the minority and the Republicans were coming to the 
floor and asking us to support moving to a bill so we could debate it, 
offer amendments to the bill, I would hope we would do that. For our 
Republican friends who are fearful they are not going to have a chance 
to offer these amendments, Senator Lieberman, the chairman, the ranking 
Republican Susan Collins and myself, all cosponsors of the bill, say we 
will work very hard to make sure any amendments that are relevant and 
germane to the bill can be offered, can be debated.
  We worked a similar process with the postal bill. We ended up having 
50 or 60 amendments. They were not all relevant or germane. At the end, 
we had a lot of amendments and the chance for everyone to be heard. 
Some of those amendments were not relevant or germane. As long as 
amendments are relevant and germane to this underlying legislation on 
cyber security, we will work very hard to make sure they have their 
opportunity to be heard and to vote on their proposals.
  The PRESIDING OFFICER. The Senator from Maine.
  Ms. COLLINS. Mr. President, although we have different views on this 
issue, I would yield 1 minute to the Senator from Arizona.
  Mr. McCAIN. Mr. President, I would like to express my appreciation 
for Senator Lieberman's and Senator Collins' hard work. We have had 
some disagreements. I still believe that if we could have, say, five 
amendments that would be voted and debated, I think we could move 
forward with this bill. I truly believe that.
  I would like to see, possibly even right after this vote, if we could 
reach some agreement between the leaders and ourselves that we could 
say there would be five pending amendments and perhaps we could go 
ahead and debate and vote on those. I, again, think we have some very 
significant differences, but the fact that the chairman and the two 
cochairmen or whatever they call themselves have worked incredibly hard 
on this issue, they deserve debate. I hope they would understand we are 
seeking like five amendments.
  The PRESIDING OFFICER. The Senator from Connecticut.
  Mr. LIEBERMAN. Mr. President, in the remaining time, I appreciate 
what my friend from Arizona said. I not only join him in that request, 
but I am confident because I have talked to Senator Reid about this--he 
said that if we invoke cloture tonight, he will allow a finite number 
of amendments. I do not want to encourage anyone. He said not 15. I 
took that to be some number less than 15.
  I think five amendments is well within the term ``finite.'' So I 
would ask my colleagues, give it a chance, and let's vote for cloture. 
I am sure Senator Reid will allow five amendments.


                             Cloture Motion

  The PRESIDING OFFICER. The cloture motion having been presented under 
rule XXII, the Chair directs the clerk to read the motion.
  The assistant legislative clerk read as follows:

                             Cloture Motion

       We, the undersigned Senators, in accordance with the 
     provisions of Rule XXII of the Standing Rules of the Senate, 
     hereby move to bring to a close debate on S. 3414, a bill to 
     enhance the security and resiliency of the cyber and 
     communications infrastructure of the United States.

         Harry Reid, Joseph I. Lieberman, Barbara A. Mikulski, 
           Thomas R. Carper, Richard J. Durbin, Christopher A. 
           Coons, Mark Udall, Ben Nelson, Jeanne Shaheen, Tom 
           Udall, Daniel K. Inouye, Carl Levin, John D. 
           Rockefeller IV, Charles E. Schumer, Sheldon Whitehouse, 
           John F. Kerry, Michael F. Bennet.

  The PRESIDING OFFICER. By unanimous consent, the mandatory quorum 
call has been waived.
  The question is, Is it the sense of the Senate that debate on S. 
3414, a bill to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States, shall be brought to 
a close?
  The yeas and nays are mandatory under the rule.
  The clerk will call the roll.
  The assistant legislative clerk called the roll.
  Mr. DURBIN. I announce that the Senator from Hawaii (Mr. Inouye), is 
necessarily absent.
  Mr. KYL. The following Senator is necessarily absent: the Senator 
from Illinois (Mr. Kirk).
  The PRESIDING OFFICER (Mr. Bennet). Are there any other Senators in 
the Chamber desiring to vote?
  The yeas and nays resulted--yeas 51, nays 47, as follows:

                      [Rollcall Vote No. 202 Leg.]

                                YEAS--51

     Akaka
     Begich
     Bennet
     Bingaman
     Blumenthal
     Boxer
     Brown (MA)
     Brown (OH)
     Cantwell
     Cardin
     Carper
     Casey
     Collins
     Conrad
     Coons
     Durbin
     Feinstein
     Franken
     Gillibrand
     Hagan
     Harkin
     Johnson (SD)
     Kerry
     Klobuchar
     Kohl
     Landrieu
     Lautenberg
     Leahy
     Levin
     Lieberman
     Lugar
     Manchin
     McCaskill
     Menendez
     Mikulski
     Murray
     Nelson (NE)
     Nelson (FL)
     Reed
     Reid
     Rockefeller
     Sanders
     Schumer
     Shaheen
     Snowe
     Stabenow
     Udall (CO)
     Udall (NM)
     Warner
     Webb
     Whitehouse

                                NAYS--47

     Alexander
     Ayotte
     Barrasso
     Baucus
     Blunt
     Boozman
     Burr
     Chambliss
     Coats
     Coburn
     Cochran
     Corker
     Cornyn
     Crapo
     DeMint
     Enzi
     Graham
     Grassley
     Hatch
     Heller
     Hoeven
     Hutchison
     Inhofe
     Isakson
     Johanns
     Johnson (WI)
     Kyl
     Lee
     McCain
     McConnell
     Merkley
     Moran
     Murkowski
     Paul
     Portman
     Pryor
     Risch
     Roberts
     Rubio
     Sessions
     Shelby
     Tester
     Thune
     Toomey
     Vitter
     Wicker
     Wyden

                             NOT VOTING--2

     Inouye
     Kirk

  The PRESIDING OFFICER. On this vote, the yeas are 51, the nays are 
47. Three-fifths of the Senators duly chosen and sworn not having voted 
in the affirmative, upon reconsideration, the motion is not agreed to.
  The majority leader.

                          ____________________