Cybersecurity Information Sharing Act of 2015

Floor Speech

Date: Oct. 21, 2015
Location: Washington, DC

BREAK IN TRANSCRIPT

Mr. WYDEN. Well said. There is nothing better than having Carolina barbecue unless it is Oregon salmon. Yes, we old jocks, former football players and basketball players, we have tough debates and then we go out and enjoy a meal.

Here is how I would like to start this afternoon. The distinguished chairman of the committee is absolutely correct in saying that cyber security is a very substantial problem. My constituents know a lot about that because one of our prominent employers, SolarWorld, a major manufacturer in renewable energy, was hacked by the Chinese simply because this employer was trying to protect its rights under trade law. In fact, our government indicted the People's Liberation Army for their hacking into this major Oregon employer. So no question that cyber security is a major problem.

Second, there is no question in my mind that information sharing can be very valuable in a number of instances. If we know, for example, someone is associated with hackers, malware, this sort of thing, of course it is important to promote that kind of sharing. The difference of opinion is that I believe this bill is badly flawed because it doesn't pass the test of showing that when we share information, we have to have robust privacy standards or else millions of Americans are going to look up and they are going to say that is really not cyber security. They are going to say it is a surveillance bill. So that is what the difference of opinion is.

AMENDMENT NO. 2621, AS MODIFIED

Let me turn to how I have been trying to improve the legislation. I am going to speak for a few minutes on my amendment No. 2621 to the bill that we have been discussing and that is now pending in the Senate. Obviously, anybody who has been watching the debate on this cyber security bill has seen what we would have to call a spirited exchange of views. Senators are debating the substance of the legislation and, as I just indicated to Chairman Burr and I have indicated to ranking minority member Senator Feinstein, there is agreement on a wide variety of points and issues.

Both supporters and opponents of the bill agree that sharing information about cyber security threats, samples of malware, information about malicious hackers, and all of this makes sense and one ought to try to promote more of it. Both supporters and opponents now agree that giving corporations immunity from customer lawsuits isn't going to stop sophisticated attacks such as the OPM personnel records breach.

I am very glad that there has been agreement on that point recently, because proponents of the bill sometimes said that their legislation would stop hacks such as the one that took place at OPM. When technologists reviewed it, that was clearly not the case, and the claim has been withdrawn that somehow this bill would prevent hacks like we saw at OPM.

The differences of opinion between supporters and opponents of the bill--who do agree on a variety of these issues--surround the likely privacy impact of the bill. Supporters have essentially argued that the benefits of this bill, perhaps, are limited--particularly now that they have withdrawn the claim that this would help against an OPM attack--but that every little bit helps. But there is no downside to them to just pass the bill. It makes sense. Pass the bill. There is no downside.

Opponents of the bill, who grow in number virtually every day, have been arguing that the bill is likely to have a significant negative impact on the personal privacy of a large number of Americans and that this greatly outweighs the limited security benefits. If an information sharing bill doesn't include adequate privacy protections, I am telling you, colleagues, I think those proponents are going to have people wake up and say: I really don't see this as a cyber security bill, but it really looks to me like a surveillance bill by another name.

(Mr. TOOMEY assumed the Chair.)

Colleagues who are following this and looking at the bill may be trying to sort through this discussion between proponents and opponents. To help clarify the debate, I would like to get into the text of the bill for just a minute.

If colleagues look at page 17 of the Burr-Feinstein substitute amendment, which is the latest version with respect to this bill, Senators are going to see a key section of the bill. This is the section that discusses the removal of personal information when data is shared with the government. The section says very clearly that in order to get immunity from a lawsuit a private company has to review the data they would provide and remove any information the company knows is personal information unrelated to a cyber security threat. This language, in my view, clearly creates an incentive for companies to dump large quantities of data over to the government with only a cursory review. As long as that company isn't certain that they are providing unrelated personal information, that company gets immunity from lawsuits. Some companies may choose to be more careful than that, but this legislation and the latest version--the Burr-Feinstein substitute amendment--would not require it. This bill says with respect to personal data: When in doubt, you can hand it over.

My amendment No. 2621 is an alternative. It is very simple. It is less than a page long. It would amend this section that I have just described to say that when companies review the data they provide, they ought to "remove, to the extent feasible, any personal information of or identifying a specific individual that is not necessary to describe or identify a cybersecurity threat." The alternative that I am offering gives companies a real responsibility to filter out unrelated personal information before that company hands over large volumes of personal data about customers or people to the government.

The sponsors of the bill have said that they believe that companies should only give the government information that is necessary for cyber security and should remove unrelated personal information. I agree with them, but for reasons that I have just described, I would say respectfully that the current version of this legislation does not accomplish that goal, and that is why I believe the amendment I have offered is so important.

For an example of how this might work in practice, imagine that a health insurance company finds out that millions of its customers' records have been stolen. If that company has any evidence about who the hackers were or how they stole this information, of course it makes sense to share that information with the government. But that company shouldn't simply say here you go, and hand millions of its customers' medical records over for distribution to a broad array of government agencies.

The records of the victims of a hack should not be treated the same way that information about the hacker is treated. Companies should be required to make a reasonable effort to remove personal information that is not needed for cyber security before they hand information over to the government. That is what my amendment seeks to achieve. That is not what is in the substitute amendment.

Furthermore, if colleagues hear the sponsors of the substitute saying this bill's privacy protections are strong and you have heard me making the case that they really don't have any meaningful teeth and they are too weak, don't just take my word for it. Listen to all of the leading technology companies that have come out against the current version of this legislation.

These companies know about the importance of protecting both cyber security and individual privacy. The reason they know--and this is the case in Pennsylvania, Oregon, and everywhere else--is that these companies have to manage the challenge every single day. Companies in Pennsylvania and Oregon have to ensure they are protecting both cyber security and individual privacy. Those companies know that customer confidence is their lifeblood and that the only way to ensure customer confidence is to convince customers that if their product is going to be used, their information will be protected, both from malicious hackers and from unnecessary collections by their government.

I would note that there is another reason why it is important to get the privacy protections I am offering in my amendment at this time. The companies that I just described are competing on a global playing field. These companies have to deal with the impression that U.S. laws do not adequately protect their customers' information. Right now these companies--companies that are located in Pennsylvania and Oregon--are dealing with the fallout of a decision by a European court to strike down the safe harbor data agreement between the United States and the European Union. The court's ruling was based on the argument that U.S. laws in their present form do not adequately protect customer data. Now, I strongly disagree with this ruling. At the same time, I would say to my colleagues and to the Presiding Officer--he and I have worked closely on international trade as members of the Finance Committee--and I would say to colleagues who are following this international trade question and the question of the European Union striking down the safe harbor for our privacy laws, in my view this bill is likely to make things even more difficult for American companies that are trying to get access to those customers in Europe.

To give just a sampling of the leading companies that have come out against the CISA legislation, let me briefly call the roll. There is the Apple company. They have millions of customers. They know a great deal about what we have to do to deal with malicious hackers and to protect privacy. There is also Dropbox, Twitter, Salesforce, Yelp, Reddit, and the Wikimedia Foundation. I point to the strong statement by the Computer & Communications Industry Association. Their members include Google, Amazon, Facebook, Microsoft, Yahoo, Netflix, eBay, and PayPal. Those individual companies I have mentioned have millions of customers. The organization that speaks for them says: "CISA's prescribed mechanism for sharing of Cyber threat information does not sufficiently protect users' privacy."

On top of this, there has been widespread opposition from a larger spectrum of privacy advocacy organizations. Here the groups range from the Open Technology Institute to the American Library Association.

I was particularly struck by the American Library Association's comments in opposition to this bill. I think the leadership said--paraphrasing--something to the effect of when the American Library Association opposes legislation that authors say will promote information sharing, they indicate there was a little something more to it than what the sponsors are claiming.

Wrapping up, I want to make clear, as I said yesterday, that I appreciate that the bipartisan leadership of our committee has tried to respond to these concerns. They know that these large companies with expertise in collecting data and promoting cyber security have all come out against the bill. I heard talk about privacy protections. I don't know of a single organization that is looked to by either side of the aisle, Democrats and Republicans, for expertise and privacy that has come out in favor of the bill.

So the sponsors of this legislation and the authors of the substitute amendment, which I have tried to describe at length here this afternoon, are correct in saying that they have made some changes, but those changes do not go to the core of the bill.

For example, the amendment I have described would really, in my view, fix this bill by ensuring that there was a significant effort to filter out unrelated personal and private information that was sent to the government under the bill.

So I hope Senators will listen to what groups and the companies that have expertise in this field have said. I hope Senators on both sides of the aisle will support the amendments I and others have offered. The Senate needs to do better than to produce a bill with minimal effects on the security of Americans and significant downside for their privacy and their liberty.

I yield the floor.

BREAK IN TRANSCRIPT

