Floor Updates

Durbin, Collins, Franken, Coons, Blumenthal

Cybersecurity bill (S. 3414)

Jul 26 2012

01:16 PM

Senator Durbin: (12:18 PM)
  • Spoke on the Cybersecurity bill.
    • SUMMARY "It will help make America safe by enhancing our nation's ability to prevent, mitigate, and rapidly respond to cyber attacks. The bill contains important provisions for securing our nation's critical infrastructure. Every day without thinking about it, we rely on power plants, pipelines, electric power grids, water treatment facilities, transportation systems, and financial networks to work, to live, to travel, to do so many things we take for granted. All of these critical systems today are increasingly vulnerable to cyber attack from our enemies. Last year, there was a 400% increase in cyber attacks reported by the owners of critical infrastructure, according to the Department of National Security. That increase does not account for the many attacks that went unreported. We don't think twice about it but this infrastructure is the backbone of America's economy and our way of life. This bill has provisions that will help minimize our vulnerability and shore up our defenses. The bill also includes a new framework for voluntary information sharing so that government agencies and private companies can improve their mutual understanding of cyber threats and vulnerabilities and develop good practices to keep us safe. I thought it was worth doing a few months ago to call together a dozen major corporations in Chicago and across Illinois that I thought with the advice of some people who were experts might be vulnerable to cyber attack. I asked these experts in a closed setting outside the press what Congress could do to help them secure their infrastructure at their business, and networks, from cyber attacks. The answer from each and every one of them was the same. We need to be able to share information on cyber threats with the government and other private entities, we need to receive information from them in order to know what they've done to effectively prevent and mitigate attacks.
Estimates are that 85% of America's critical infrastructure is owned by the private sector. Since we depend so much on the private sector for our critical infrastructure, the lines of communications between government and that private sector must be open. If we share best practices, the result could be to make us a secure nation."

Senator Collins: (12:33 PM)
  • Spoke on the Cybersecurity bill.
    • SUMMARY "I heard this morning a member saying that somehow we're going to be hurting the high-tech sector of our society. Well, that's not what Cisco and Oracle, certainly two of the leading businesses in the high-tech sector, think. This morning they wrote to us. They said that they appreciate the efforts that we've made to craft legislation that addresses the important issue of cybersecurity by supporting American industry in its efforts to continue to be the world's leading innovators. The fact is, it is American businesses that are being robbed of billions of dollars every year due to cyber intrusions from foreign governments, from transnational criminals, from hackers. This is a threat not only to our national security but to our economic prosperity. That's why the letter from Cisco and Oracle goes on to say that "we praise your continued recognition of the importance of these objectives through the provisions of our bill. We support those provisions. We commend your commitment to ensuring that the IT industry maintains the ability to drive innovation and security into technologies and the network." So the ideas we heard this morning on the Senate floor, that somehow we're going to bring innovation in America to a standstill or hurt this important sector of our economy is not supported by a reading of our bill and it is certainly contradicted by the letter that we have received from Cisco and Oracle, leading companies in the high-tech sector. And finally, I would point out that they thank us for our outreach, our willingness to engage in an exhaustive process around this issue set and to consider and to respond to the views of America's technology sector."

Senator Franken: (12:41 PM)
  • Spoke on the Cybersecurity bill/SECURE IT Act.
    • SUMMARY "First of all, I agree that we need to make it easier for companies to share time-sensitive information with experts in the government. But the cyber threat information that companies are sharing often comes from private sensitive communications like our emails, and so the gatekeeper of any information shared under these proposals should never be the military. It should never be the NSA. Now, the men and women of the NSA are patriots, and they are undoubtedly skilled and knowledgeable, but, as Senator Durbin said, that institution is too shrouded in secrecy. As he didn't say but I will say, it has too dark a history of spying on innocent Americans to be trusted with this responsibility under any, any administration. Under the new revised Cybersecurity Act of 2012, the one that will soon be before us on the floor, companies can use the authorities in the bill to give cyber threat information only to civilian agencies. That is a critical protection for civil liberties and it is a protection that CISPA and the SECURE IT Act do not have. I want to be very clear. An America with CISPA and an America with a SECURE IT Act is an America where your emails can be shared directly, immediately and with impunity with the NSA. Secondly, any Cybersecurity bill should focus on just that, cybersecurity. It should not be a back door for warrantless wiretaps or information entirely unrelated to cyber attacks. In other words, once a company gives the government cyber threat information, the government shouldn't be able to say hey, this email doesn't have a virus but it does say that Michael was late on his taxes, I'm going to send that to the IRS. Under the Cybersecurity Act of 2012, once a cyber exchange gets information, it can give that information to law enforcement only to prosecute or stop a cyber crime or to stop serious immediate harm to adults or serious harm to minors.
CISPA actually has similar protections, but SECURE IT allows a far broader range of disclosures to law enforcement. Here in the Senate, the Cybersecurity Act is the proposal that does the most to respect the spirit and letter of the Fourth Amendment. Third, the Cybersecurity bill should make it easier for a company to share information with experts in the government, but it has to hold companies who abuse that authority accountable for their acts. Both CISPA and the SECURE IT Act give companies immunity for knowing violations of your privacy. Under CISPA and the SECURE Act, if a company's CEO knows for a fact that his engineers are sending every one of your emails to the NSA, there is nothing you can do about it. That is not an exaggeration. Thanks to the changes that I pushed the Cybersecurity Act does not protect companies who violate your privacy intentionally, knowingly or with gross negligence. Fourth and finally, a Cybersecurity bill should also hold the government accountable for its actions. Under both CISPA and the SECURE IT Act, companies can start giving the federal government your private information well before the government actually has privacy rules in place for how to handle that information. Under the SECURE IT Act, the government has total immunity from lawsuits arising out of its cybersecurity operations, total immunity for the government. The SECURE IT Act also lacks any regular independent oversight of the federal government's actions under these new authorities. The Cybersecurity Act of 2012 now has all three of these protections. Under this bill, privacy rules have to be in place on the first day the companies start giving the government information. People can sue the government when it abuses its authority, and there will be recurrent independent oversight by both the privacy and the civil liberties oversight board and inspectors general."

Senator Coons: (12:33 PM)
  • Spoke on the Cybersecurity bill.

Senator Blumenthal: (1:02 PM)
  • Spoke on the Cybersecurity bill.
    • SUMMARY "The kinds of modifications contained in this bill are critically important. They are in sharp contrast to the House-approved version which fails, utterly fails to protect civil liberties and privacy rights in sufficient degree. Unlike past versions, this measure establishes unequivocal civilian control of cybersecurity information exchanges. Unlike past versions, this bill bars companies from using cybersecurity as a pretext for violating FCC net neutrality rules. Unlike past versions, this bill bars companies from using cybersecurity as a pretext for violating other guarantees, and it allows citizens to hold companies accountable and take them to court for knowingly or grossly negligent violations of the information sharing provisions of this bill. And equally important, it enables them to hold the United States government and other public officials responsible and take them to court if they violate privacy guarantees in this bill. A private company receiving someone's private information while monitoring for cyber threats should protect that information. It is a public trust and a public responsibility. And so this act protects Americans' privacy by requiring companies that obtain that kind of information, some of it medical, or financial, of the most confidential and private nature through monitoring to protect that information. And this measure also imposes restrictions on the use of shared information for law enforcement purposes. The government can only provide information to law enforcement if it relates to a cyber crime or a serious threat to public safety. That is, physical safety. Bodily harm. And law enforcement can only use information to prosecute or stop cyber attacks to prevent that kind of imminent and immediate harm to a person or a child. There are other protections. Senator Franken mentioned that his amendment would eliminate new authorities in the bill to monitor communications or operate countermeasures.
Senator Coons mentioned a five-year sunset on the use of information sharing under this measure to help guard against unforeseen consequences of the legislation, and ensure that congressional oversight occurs on a regular and foreseeable basis. And other measures which I consider important would require federal agencies that suffer a data breach to notify affected individuals and allow those individuals to recover damages and require the creation of a new office in the Office of Management and Budget, Chief Privacy Officer. I will offer an amendment and support one if others join me, in supporting such a measure to create a Chief Privacy Officer in the Office of Management and Budget. I support these amendments and I support also increasing the penalty in the event that government or companies violate the protections in this statute."