[Congressional Record (Bound Edition), Volume 161 (2015), Part 12]
[Senate]
[Pages 16523-16524]
[From the U.S. Government Publishing Office, www.gpo.gov]




                 CYBERSECURITY INFORMATION SHARING BILL

  Mr. FRANKEN. Madam President, tomorrow we will vote on my amendment 
to the Cybersecurity Information Sharing Act, or CISA. I am proud to be 
joined on this amendment by Senators Leahy, Durbin, and Wyden, each of 
whom has worked to try to ensure that any cyber legislation passed by 
this body is effective and adequately safeguards the privacy and civil 
liberties of the American people.
  My amendment tightens the definitions of the terms ``cyber security 
threat'' and ``cyber threat indicator'' in the bill. These changes will 
help ensure that CISA's broad authorities are not triggered in 
circumstances where no real cyber threats are present. This makes the 
bill more privacy protected and more likely to work effectively.
  The amendment is supported by more than 30 civil society 
organizations, from the American Civil Liberties Union to prominent 
Libertarian groups like R Street. As I will describe, it addresses 
specific concerns that have been raised by security experts, major tech 
companies, and even the Department of Homeland Security.
  Under CISA, companies are authorized to monitor users online, share 
information with one another and with the Federal Government, and 
deploy defensive measures--all to protect against ``cyber security 
threats.'' Any action that may result in any unauthorized effort to 
adversely impact cyber security can be deemed a cyber security threat; 
that is, may result. That sets the lowest possible standard for 
determining when actions under CISA are justified, and that is a 
problem. It sets us up for the oversharing of information, or worse it 
jeopardizes privacy and threatens to hinder our cyber defense efforts 
by increasing the noise-to-signal ratio.
  My amendment would clarify that a threat is any action at least 
reasonably likely--reasonably likely--to result in an unauthorized 
effort to adversely impact cyber security. That definition gives 
companies ample flexibility to act on threats and ensures Americans 
that CISA isn't a free pass to share people's personal information when 
there is no threat.
  CISA's definition of cyber threat indicator has also been criticized 
by security experts, by companies such as Mozilla and, again, even by 
DHS, which has called the definition ``expansive'' and said that 
expansive definition heightens concerns raised by the bill.
  My amendment addresses the two parts of the definition that experts 
have suggested are the most likely to open the door to the sharing of 
extraneous information. First, as drafted, CISA would let companies 
share people's communications if they believe that the files have been 
harmed in a cyber attack or could potentially--potentially--be harmed 
by a perceived threat. The latter is especially problematic. The range 
of information that could be shared as evidence of potential harm is 
vast, and, as experts have explained, unnecessary to the technical work 
of identifying cyber threats. My amendment continues to allow companies 
to share information that reveals harms caused by a cyber incident but 
doesn't extend this to conjecture about hypothetical potential harms, 
which is unnecessarily broad.
  Finally, my amendment eliminates a troubling loophole in the cyber 
threat indicator definition. In addition to letting companies share 
information that reveals certain specified attributes or features of 
cyber threats, CISA also lets them share information that reveals ``any 
other attribute of a cybersecurity threat'' if the disclosure of that 
attribute is legal. Bill supporters claim that this final clause 
adequately limits 
the scope of this provision, but looking at whether disclosure of a 
threat attribute is lawful is an unclear and unhelpful standard. 
Privacy law is about protecting information, not threat attributes. So 
my amendment clarifies that companies can share information in this 
catchall category only if it is legal to share the information being 
provided. It is a technical change, but it matters.
  This amendment represents a real effort to find common ground for 
moving forward. Quite frankly, it doesn't do all the work that needs to 
be done to limit the definitions in this act, but it makes necessary 
changes--necessary changes--to improve the legislation, both for the 
sake of privacy and ultimately security.
  I urge my colleagues to support amendment No. 2612.
  I yield the floor.

                          ____________________