Cybersecurity Information Sharing Act of 2015—Motion to Proceed by Senator Richard Burr
Posted on 2015-08-04
BURR. Mr. President, I want to thank my good friend and vice chair of the Intelligence Committee, Senator Feinstein. She has been in the trenches working on cyber security legislation longer than I have. Her passion is displayed in the product that has come out. There has been no person more outspoken on privacy than Dianne Feinstein. There is no person who has been more outspoken on the need for us to get this right than Senator Feinstein.
Daily, she and I look at some of the most sensitive intelligence information that exists in this country. We are charged as a committee--15 individuals out of a body of 100--to provide the oversight to an intelligence community to make sure they live within the letters of the law or the boundaries set by Executive order. Every day we try to fulfill that job.
We are sometimes tasked with producing legislation, and that is why we are here today with the cyber security bill. It has been referred to that we are here because OPM got hacked. No. We are here because the American people's data will be in jeopardy if government does not help to find a way to help minimize the loss.
So where is the threat? The threat is to business, it is to government, and it is to individuals. There is no part of America that is left out of this. The legislation we are proposing affects everybody in this country--big and small business, State and Federal governments, and individuals, no matter where they live or how much they are worth. I think it is safe to say today that business and government have both been attacked, they have been penetrated, and data has been lost. In some cases that intent was criminal; in some cases the intent was nation-states. It was towards credit cards on one side or Social Security numbers, and on the other side it was plans for the next military platform or intellectual property that was owned by a company. But we are where we are, and now we have a proposal as to how we minimize.
Let me emphasize this. You heard it from the vice chairman. This bill does not prevent cyber attacks. I am not sure that we could craft anything that would do that. What this bill does is for the first time it allows us a pathway to minimizing the amount of data that is lost and for the first time empowering government, once they get the pertinent information, to push out to the rest of business and to individuals and to governments: Here is the type of attack that is happening. Here is the tool they are using. Here is the defensive mechanism you can put on your system that will provide you comfort that they cannot penetrate you and provide the company that has been attacked comfort that it might be able to minimize in real time the amount of data that is lost.
So, as the vice chairman said, these are key points on this piece of legislation: It is voluntary. There is no entity in America that is forced to report. It is a purely voluntary system. To have participation in a voluntary system, you have to listen to the folks who are the subjects of these attacks as to what they need to act in real time and to provide pertinent data.
It is an information-sharing bill. It is not a surveillance bill. I say to those who have characterized it that way that we have done everything we can to clarify with the managers' amendment that there is no surveillance. The only thing we are after is minimizing the loss of data that exists.
Here is how it works. I want to break it into three categories.
This bill covers private to private. It says that if I am a private company and my IT system gets hacked and I get penetrated, I can automatically pick up the phone and call the IT people at my competitor's business, and I am protected under antitrust, that we can carry out a conversation so that I can figure out whether they got hacked, and if they did but they did not get penetrated, what software did they have on their system that secured their data. I can immediately go and put that on my system, and I can minimize the loss of any additional data. So we protect for that private-to-private conversation only for the purposes of sharing cyber information.
We also have private to government. We allow any company, in real time--at the same time they are talking to a competitor, they can transmit electronically the pertinent data that it takes to do the forensics of what happened. What tool did they use? They can transfer that to government, and they are protected from a liability standpoint for the transfer of that--the vice chairman got into all of this, so I do not want to rehash it--with the correct protections of personal data. The company is required not to send personal data. Any government agency that is the recipient of this data, as they go through it, if they see personal data that is not relevant to the determination of what type of attack, what type of tool, what type of response, then they have to minimize that data so it is not released.
In addition, we have government to private, which is the third leg. It amazed me that the government did not have the authority to push out a lot of information. What we do is we empower the government to analyze the attack, to determine the tool that was used, to find the most appropriate defensive software mechanism, and then to say to business broadly: There is an attack that has happened in America. This is the tool they used. This is the defensive mechanism that will protect the data at your company.
If you ask me, I think this is what we are here for. This is what the Congress of the United States is supposed to do--facilitate, through minor tweaks, a voluntary participation to close the door and minimize potential loss. That is all we are attempting to do.
I want to loop back to where the vice chairman was. We are now at the point where we are asking our colleagues for unanimous consent to come to the floor and actually take up this bill. Moving to the bill allows our colleagues to come to the floor with relevant amendments to the bill, where they can be debated and voted on.
I actually believe, Vice Chairman, if we could do that now, we could process this entire bill and all of the amendments that are relevant by this time tomorrow. That would mean we would have to work and we would have to talk and we would have to vote, but we could do it because I think when we look at the array of relevant amendments, they are pretty well defined. Some of them are duplications of others that people have planned to talk about.
But to suggest that this is a problem, which it is--we have seen it with over 22 million government workers whose personal data and in some cases, because of the forms they had to fill out for security clearance, their most sensitive data has gotten out of the OPM system.
Just because OPM was the last one, don't think that somebody wasn't serious. Don't think that Anthem Blue Cross wasn't serious. Don't think that some of the attacks that only acquired credit card information aren't serious.
What we are attempting to do is to minimize the degree of that loss. All we need is the cooperation of every Member of the Senate to say: I am willing to move to the bill. I am willing to bring up amendments--relevant amendments--willing to debate them and willing to vote on them.
Process is where we are. At the end of the day, we can determine whether this is a bill that is worthy to move on. It is not the end of the road because once we get through in the Senate we have to conference the bill with the House of Representatives. As the vice chairman pointed out, they have produced multiple pieces of legislation. It is the Senate that is now holding us back.
I urge my colleagues: Let's agree to move to the bill. Let's agree to relevant amendments, and let's process this cyber security bill so that when we come back from August, we can actually sit down with our colleagues in the House, conference a bill, and provide the American people with a little bit of security, knowing that we are going to minimize the amount of data that is lost, because of a voluntary program between the private sector and the government.
I think the vice chairman shares my belief that we are not scared to have a debate on relevant amendments on this bill. We understand there are more views than just ours. But we have to get on the bill to be able to offer amendments, to be able to share what we know that might not necessarily support the amendment.
Right now, we are sort of frozen because we cannot offer amendments, including the managers' amendment, which I would say to my colleagues--and the vice chairman said this in a very specific way--if you will read the managers' amendment, a lot of the concerns that people have will vanish. Nobody will call it a surveillance bill because we have addressed the issues that people were concerned with. Although we didn't think they were problems before, we clarified it in a way that it is limited only to cyber security. I could make a tremendous case that through the cyber security forensic process, if we found another criminal act, the American people probably would want that reported--without a doubt.