[Congressional Record (Bound Edition), Volume 161 (2015), Part 12]
[Senate]
[Pages 16508-16510]
[From the U.S. Government Publishing Office, www.gpo.gov]




                 CYBERSECURITY INFORMATION SHARING BILL

  Ms. COLLINS. Madam President, I rise to speak in favor of the 
Cybersecurity Information Sharing Act of 2015, and I urge my colleagues 
to support this much needed legislation. Nearly 3 months ago, the 
Senate was unable to find a path forward to adopt this important bill. 
Let's look at what has happened since the time that the Senate refused 
to proceed.
  The fact is that our country has continued to endure a wave of 
damaging and expensive cyber attacks. These incidents include the first 
major hack of Apple's popular App Store, the compromise of 15 million 
T-Mobile users due to a breach at Experian, and the exposure of data of 
up to 8,000 Army families due to improper procedures followed by the 
General Services Administration. For the Army families who were 
affected, this sensitive information included medical histories, Social 
Security numbers, and child day care details.
  Today, I renew my support for this bill in light of the continuing 
state of cyber insecurity that affects information held in the public 
and private sectors.
  Passing the Cybersecurity Information Sharing Act would make it 
easier for public and private sector entities to share cyber threat 
information and vulnerabilities in order to lessen the theft of trade 
secrets, intellectual property, and national security information, as 
well as the compromise of sensitive personal information. It would 
eliminate some of the legal and economic barriers impeding voluntary 
two-way information sharing between private industry and government. It 
is a modest but essential first step to protect networks and their 
information.
  This bill would not in any way compromise our personal information. 
Its purpose is to help safeguard our personal information that breach 
after breach, cyber attack after cyber attack has proven to be 
vulnerable.
  While this bill promotes appropriate information sharing between the 
government and the private sector--a good first step, as I have 
indicated--it unfortunately does little in its original form to harden 
the protection of Federal networks or to guard the critical 
infrastructure we rely upon every day. Thus, I have filed two 
amendments to further strengthen our Nation's cyber security.
  The first amendment is directed at improving the security of 
sensitive personal data that is stored on networks of Federal civilian 
agencies. The insecurity of Federal databases and networks has been 
evident for years. Inspectors general reports have warned of it. Yet, 
by and large, those calls for action have not been heeded by Federal 
agencies, and certainly the weaknesses in our Federal agencies' 
security systems are underscored by recent breaches and intrusions.
  In June, more than 20 million--20 million--current, former, and 
retired

[[Page 16509]]

Federal employees learned that their personal data was stolen from the 
poorly secured databases of the Office of Personnel Management. Since 
that time, we have learned that the personal emails of the Director of 
the CIA have been hacked. We have learned from the State Department's 
inspector general that the State Department is ``among the worst 
agencies in the Federal Government at protecting its computer 
networks.'' This substandard performance at the Department of State 
continued even as an adversary nation breached the Department's email 
system last year. According to the IG, compliance with Federal 
information security standards remains ``substandard'' at the State 
Department.
  I know from my many years of service on the committee on homeland 
security, where we worked on cyber security issues for literally a 
decade, producing legislation in 2010 and 2011 that unfortunately was 
not approved by this body, that this problem is long standing and it is 
only growing worse. We ignore it at our peril.
  This appalling performance in so many agencies and departments led to 
my introducing bipartisan legislation with my colleague from Virginia, 
Senator Warner, as well as Senator Mikulski, Senator Coats, Senator 
Ayotte, and Senator McCaskill, to strengthen the security of the 
networks of Federal civilian agencies.
  Our bill has five elements, but the most important provision would 
grant the Department of Homeland Security the authority to issue 
binding operational directives to Federal agencies to respond in the 
face of substantial breaches or to take action in the face of an 
imminent threat to a Federal network. Although the Secretary of 
Homeland Security is tasked with a very similar responsibility to 
protect Federal civilian networks, he has far less authority to 
accomplish this responsibility than does the Director of the National 
Security Agency for the dot-mil networks. We can no longer ignore the 
damaging consequences of failing to address these issues.
  Our amendment would fortify Federal computer networks from cyber 
threats in many ways. The key elements, I am pleased to say, in our 
bill were incorporated into an amendment that has been filed by Senator 
Carper, along with the chairman of the Homeland Security and 
Governmental Affairs Committee, Senator Johnson, and Senator Warner, my 
chief cosponsor of the bill we introduced, and, of course, myself.
  Our amendment has been included in the managers' substitute 
amendment, and I wish to thank Chairman Burr and Vice Chairman 
Feinstein for their willingness to include these much needed provisions 
to boost the security of the networks at Federal civilian agencies.
  Just think of the kind of data that civilian agencies have in the 
Federal Government. Whether we are talking about the Social Security 
Administration, the Medicare agency, the IRS, the VA or the Department 
of Defense, it is evident that millions of Americans--indeed, most 
Americans--have personal data, sensitive data, such as Social Security 
numbers, that are stored in these networks of Federal civilian 
agencies, and we have an obligation to protect as best we can that 
data.
  I have also filed another amendment to the cyber bill, amendment No. 
2623, that is aimed at protecting our country's most vital critical 
infrastructure from cyber attack. This bipartisan amendment was 
cosponsored by Senator Coats, Senator Warner, and Senator Hirono.
  The livelihood and well-being of almost every American depend upon 
critical infrastructure that includes the electricity that powers our 
communities, the national air transportation system that moves 
passengers and cargo safely from one location to another, and the 
elements of the financial sector that ensure the $14 trillion of 
payments made every day are securely routed through the banking system. 
Those are just some examples of critical infrastructure. There are 
obviously many more.
  Our amendment would have created a second tier of mandatory reporting 
to the government for the fewer than 65 entities identified by the 
Department of Homeland Security where damage caused by a single cyber 
attack would likely result in catastrophic harm in the form of more 
than $50 billion in economic damage, 2,500 fatalities or a severe 
degradation of our national security. In other words, only cyber 
attacks that could cause catastrophic results would fall under this 
reporting requirement.
  For 99 percent of businesses, the voluntary information sharing 
framework established in the bill before us would be enough, and the 
decision on whether or not to share cyber threat information should 
rightfully be left up to them. A second tier of reporting is necessary, 
however, to protect the critical infrastructure that is vital to the 
safety, health, and economic well-being of the American people.
  Under our amendment, the owners and operators of the country's most 
critical infrastructure would report significant cyber attacks just as 
incidents of communicable disease outbreaks must be reported to public 
health authorities and to the Centers for Disease Control and 
Prevention.
  Think about the situations we have here. Does it make sense that we 
require one case of measles to be reported to a Federal Government 
agency but not a cyber attack that could result in the death of more 
than 2,500 people? How does that make sense?
  The threats to our critical infrastructure are not hypothetical. They 
are already occurring and increasing in frequency and severity. At a 
recent Armed Services Committee hearing on cyber security, Senator 
Donnelly asked the Director of National Intelligence, Jim Clapper, what 
the No. 1 cyber challenge was that he was most concerned about. 
Director Clapper testified that, obviously, it was a large-scale cyber 
attack against the United States infrastructure.
  In light of this No. 1 threat, how protected is our country? Well, I 
have posed that very question to the Director of the NSA, Admiral Mike 
Rogers. His answer, on a scale of 1 to 10, was that we are at about a 5 
or 6. That is a failing grade when it comes to protecting critical 
infrastructure, no matter what curve we are grading on.
  Although I am very disappointed that the Senate will not consider the 
original amendment I filed, I do want to acknowledge that Chairman Burr 
and Vice Chairman Feinstein have worked closely with me on a compromise 
to begin to address the issue of cyber security risks that present such 
significant security threats to our critical infrastructure, and I am 
grateful for their acknowledging that this is a problem that deserves 
our attention.
  This new amendment, which is section 407 of the managers' amendment, 
requires the DHS Secretary to conduct an assessment of the fewer than 
65 critical infrastructure entities at greatest risk and develop a 
strategy to mitigate the risks of a catastrophic cyber attack. Let me 
stress two things. We are only talking about fewer than 65 entities 
that have already been designated by the Department of Homeland 
Security as critical infrastructure where a catastrophic cyber attack 
would cause terrible consequences.
  Second, let me again describe what we mean by a catastrophic attack. 
It means a single cyber attack that would likely result in $50 billion 
in economic damage, 2,500 Americans dying or a severe degradation of 
our national security. We are talking about significant consequences 
that would be catastrophic for this country--consequences we cannot and 
should not ignore.
  There are plenty of cyber threats that cannot be discussed in public 
because they are classified--I know that as a member of the Senate 
Intelligence Committee--but in light of the cyber threat to critical 
infrastructure described by Admiral Rogers and Director of National 
Intelligence Clapper in open testimony before the Congress, the bare 
minimum we ought to do is to ask to require DHS and the appropriate 
Federal agencies to describe to us what more could be done to prevent a 
catastrophic cyber attack on our critical infrastructure.
  One or two years from now, I don't want us to be standing here after 
a

[[Page 16510]]

cyber 9/11 chastising ourselves, saying: Why didn't we do more to 
confront an obvious and serious threat to our critical infrastructure?
  By including these two provisions in the managers' substitute 
amendment, we are strengthening the protections for Federal civilian 
agencies and beginning--not going nearly as far as I would like but 
beginning the vital task of protecting our critical infrastructure. We 
will be strengthening the cyber defenses of our Nation.
  I urge my colleagues to support the managers' amendment and the 
underlying bill. By passing this long-overdue legislation, we will 
begin the long-overdue work of securing our economic and national 
security and our personal information for generations to come.
  Thank you, Madam President.
  I yield the floor.
  Madam President, I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Mr. NELSON. Madam President, I ask unanimous consent that the order 
for the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

                          ____________________