BREAK IN TRANSCRIPT
Mr. WYDEN. Mr. President, I believe the development of the Internet, its networks, and the digital economy are one of the great achievements of our age.
The Internet links humanity together, facilitating economic growth, bringing education and health resources to remote regions, reshaping societies and advancing human rights.
While networks foster innovation, job creation, and political and social progress, networks can also be used by actors with nefarious motives. It is in our national interest to deter, detect, and destroy real and viable cyber threats, to protect Americans and preserve the benefits of the Internet. Americans must not be afraid to go online.
The Internet works not just because it is open to all but because it is founded on the principle of trust. Users trust that their browsers are visiting real Web sites, not replicated ones. Internet commerce succeeds because people trust that their transactions are private and their financial information won't be shared with others. People trust the Internet because they believe their service providers work for them, not for their advertisers, not for scammers, and not for the government.
Congress's effort to develop a comprehensive approach to cybersecurity must not erode that trust. When Americans go online to consume digital services and goods, they must believe and know with some certainty that their privacy is adequately protected. The content that Americans consume must be at least as private as their library records, their video rentals, and book purchases in the brick-and-mortar world. Our law enforcement and intelligence agencies should not be free to monitor and catalog the speech of Americans just because it is online.
But the legislation passed by the other body, known as CISPA, would erode that trust. As an attempt to protect our networks from real cyber threats, CISPA is an example of what not to do. CISPA repeals important provisions of existing electronic surveillance laws that have been on the books for years, without instituting corresponding privacy, confidentiality, and civil liberty safeguards. It creates uncertainty in place of trust, it erodes statutory and constitutional civil rights protections, and it creates a surveillance regime in place of the targeted, nimble, cybersecurity program that is needed to truly protect our Nation.
Unfortunately, S. 2105, the bill before the Senate, shares some of these defects. Currently, Internet services and service providers have agreements with their customers that allow them to police and protect their networks and users. Rather than simply allowing these Internet companies to share information on users who violate their contracts and pose a security threat, the House and Senate proposals regrettably authorize a broad-based information-sharing regime that can operate with impunity. This would allow the personal data of individual Americans to be shared across a multitude of bureaucratic, military, and law enforcement agencies. This would take place regardless of the privacy agreements individual Americans have with their Internet service providers.
In fact, both the House and Senate bills subordinate all existing privacy rules and constitutional principles to the poorly defined interests of what is called cybersecurity.
These bills would allow law enforcement agencies to mine Internet users' personal data for evidence of acts entirely unrelated to cybersecurity. More than that, they would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activities for the potential that you might commit a crime.
In establishing this massive new regime, these bills fail to create the necessary incentives for operators of critical networks to keep their networks secure.
It is a fundamental principle of cybersecurity policy that any network whose failure could result in a loss of life or significant property should be physically isolated from the Internet. Unfortunately, many of our critical network operators have violated this principle in order to save money or streamline operations. This sort of gross negligence ought to be the first target in any cybersecurity program--not the privacy of individual Americans.
Congress could target this behavior with yet one more rule book and one more bureaucracy, creating a cybersecurity contractor full employment program.
I am not, however, convinced this is a problem that requires that kind of solution.
At the same time, Congress should not allow our critical network operators to ignore best practices with impunity. It is vital they understand that any liability for a preventable cyber attack is their responsibility. There is not going to be a governmental bailout after the fact in the cybersecurity area. Shareholders and boards of directors must be vigilant and understand the risks to their investments. Executives must understand that ignoring critical cyber threats in the interest of cost savings and convenience will leave them personally exposed.
Internet providers and backbone operators clearly have a role in this fight. When they detect abnormal network activity or have a user violating their contract in a way that constitutes a cyber threat, they can and should inform our cyber defense officials. If it is necessary to grant them immunity to share this kind of information, the Congress could grant it--narrowly and with careful consideration.
Mr. President, there would be bipartisan support for the proposition that the Federal Government also has a significant role that does not necessarily require billing taxpayers for legions of private cybersecurity contractors. The Department of Defense, the Department of National Intelligence, Homeland Security, and the Justice Department--four major parts of our government--all have cybersecurity specialists. The Congress ought to be promoting the cyber capabilities of these agencies and providing the resources that are needed to protect these networks. These Federal agencies should do a better job of consulting the private Internet companies to better understand the attacks that are occurring every day across the net.
Some of these steps may require legislation, but many can be carried out by responsible actors in the public and private sector without waiting for the Congress to act. However, the legislation before the Senate and the cybersecurity legislation that passed the other body lead our country away from the kind of commonsense approach to cybersecurity I have outlined this afternoon.
As they stand, these bills are an overreaction to a legitimate and understandable fear. The American people are going to respond by limiting their online activities. That would be a recipe to stifle speech, innovation, job creation, and social progress. I believe these bills will encourage the development of an industry that profits from fear and whose currency is Americans' private data. These bills create a cyber industrial complex that has an interest in preserving the problem to which it is the solution.
In terms of the process, the Senate ought to proceed in a way that is as open and collaborative as the Internet the Congress seeks to promote and protect. On substance, any cybersecurity bill must contain specific and clear descriptions of what types of data and when such data can be captured, with whom it can be shared, and under what circumstances. Anything not specifically covered ought to remain private. Privacy in the cybersecurity arena should be the default, not the exception. Legal immunity to corporations that share information should be the exception, not the rule, and void if privacy protections or contracts are disregarded.
The Congress and the public must have the ability to know how any cybersecurity program that is established is to be implemented. That means routine public and unclassified reports and hearings to examine whether there were any unintended privacy or civil liberty impacts caused by the program. No secret law, Mr. President.
Bad Internet policy is increasingly premised on false choices. Earlier this year, during the consideration of the Protect IP Act and the Stop Online Piracy Act, the Congress was told again it had a false choice. The Congress was told it either could protect intellectual property or it could protect the integrity of the Internet. This was a false choice. I and others said so at the time because achieving one should not and does not require sacrificing the other.
Now the Congress is being asked once again to make a false choice--a choice between cybersecurity and privacy--and I don't think these two are mutually exclusive. I think we can have both. Our job is to write a cybersecurity bill that protects America's security and the fundamental right to privacy of our people. There is no sound policy reason to sacrifice the privacy rights of law-abiding American citizens in the name of cybersecurity. It is my intent to fight any legislation that would force Members of the Senate to make that choice.
Mr. President, with that I yield the floor.
BREAK IN TRANSCRIPT