BREAK IN TRANSCRIPT
Mr. FRANKEN. Madam President, I rise today to talk about our Nation's defenses against cyber attacks, and I wish to commend the Senator from Maine for her leadership. She is the ranking member, of course, on the Committee on Homeland Security and Governmental Affairs. I wish also to commend all three chairs, Senators Lieberman, Feinstein, and Rockefeller, for their work.
As I said, I rise today to talk about our Nation's defense against cyber attacks and how our Nation needs to respond to those threats which affect our national security, our economic security, and our privacy.
News reports and experts confirm our Nation's critical infrastructure, such as our water systems, our power grid and so forth, are vulnerable to attacks from hackers and foreign governments. Every few weeks we hear about yet another breach--Yahoo and Gmail, Citibank, Bank of America, Sony PlayStation. Millions of people have had their names, passwords, credit card information or health information compromised.
It isn't just our national security or economic well-being that is being threatened by these attacks, it is the Internet itself. If you want to use Facebook or a cloud-based e-mail provider to communicate with your friends and loved ones, you need to know that your private communications won't be exposed by hackers. If you want to use the Internet to spread new ideas or fight for democracy, you need to know your work won't be disrupted by hackers or repressive regimes.
Unfortunately, it is hard to write a good cybersecurity bill, because when you try to make it easier for the government or Internet companies to detect and stop the work of hackers or other bad actors, you often end up making it easier--or very easy--for those same entities to snoop in on the lives of innocent Americans.
Until recently, every major cybersecurity bill on the table would have done too much to immunize and expand the authority of the government and industry and far too little to protect our privacy and civil liberties. These bills would make it too easy for companies to hand over your e-mails and other private information to the government--even to the military. Setting aside the fourth amendment, these bills would allow almost all of that information to go to law enforcement. And these bills do far too little to hold these companies and the government accountable for their mistakes.
A few months ago, I teamed up with Senators Durbin, Wyden, Sanders, Coons, Blumenthal, and Akaka to try to address this situation. We worked with privacy and civil liberties groups on the left, the right, and the center to come up with a package of proposals. We worked with the ACLU, the Electronic Frontier Foundation, and the Center for Democracy and Technology, which are traditionally associated with progressives; we worked with the Constitution Project, which is a bipartisan centrist think tank; and we worked with TechFreedom and the Competitive Enterprise Institute, which are conservative libertarian organizations.
Together, we approached Chairman Lieberman, Ranking Member Collins, Chairman Rockefeller, and Chairman Feinstein, and proposed a package of amendments to the information-sharing title of the Cybersecurity Act of 2012.
The information-sharing title is the part of the bill that will make it easier for companies to share critical information about cyber attacks with each other and with the government. These Senators engaged with us earnestly and in good faith. After a lot of hard work and a lot of conversations, the sponsors made a series of changes to the bill that are major, unequivocal victories for privacy and civil liberties.
The bill is still not perfect, from my point of view, but I can say with confidence that when it comes to protecting both our cybersecurity and our civil liberties, the Cybersecurity Act of 2012 is the only game in town.
I want to take a moment to explain the changes made to the information-sharing title, and compare how the Cybersecurity Act now stacks up with its rival bills, the Cyber Intelligence Sharing and Protection Act, or CISPA, which recently passed the House, and the SECURE IT Act, which has been introduced here in the Senate.
First of all, I agree we need to make it easier for companies to share time-sensitive information with experts in the government. But the cyber threat information that companies are sharing often comes from private, sensitive communications, like our e-mails. And so the gatekeeper of any information shared under these proposals should never be the military. It should never be the NSA. The men and women of the NSA are patriots and they are undoubtedly skilled and knowledgeable. But as Senator Durbin said, that institution is too shrouded in secrecy. And--he didn't say but as I will say--it has too dark a history of spying on innocent Americans to be trusted with this responsibility under any administration.
Under the new, revised Cybersecurity Act of 2012, the one that will soon be before us on the floor, companies can use the authorities in the bill to give cyber threat information only to civilian agencies. That is a critical protection for civil liberties, and it is a protection that CISPA and the SECURE IT Act do not have. I want to be very clear. An America with CISPA and an America with the SECURE IT Act is an America where your e-mails can be shared directly, immediately, and with impunity, with the NSA.
Second, any cybersecurity bill should focus on just that--cybersecurity. It should not be a back door for warrantless wiretaps or information entirely unrelated to cyber attacks. In other words, once a company gives the government cyber threat information, the government shouldn't be able to say, Hey, this e-mail doesn't have a virus, but it does say that Michael is late on his taxes; I am going to send that to the IRS.
Under the Cybersecurity Act of 2012, once a cyber exchange gets information, it can give that information to law enforcement only to prosecute or stop a cyber crime or to stop serious imminent harm to adults or serious harm to minors. CISPA actually has similar protections, but SECURE IT allows a far broader range of disclosures to law enforcement. Here in the Senate, the Cybersecurity Act is the proposal that does the most to respect the spirit and letter of the fourth amendment.
Third, a cybersecurity bill should make it easier for a company to share information with experts in the government. But it has to hold companies that abuse that authority accountable for their actions. Both CISPA and the SECURE IT Act give companies immunity for knowing violations of your privacy. Under CISPA and the SECURE IT Act, if a company's CEO knows for a fact that his engineers are sending every one of your e-mails to the NSA, there is nothing you can do about it. That is not an exaggeration. Thanks to the changes I have pushed for--along with Senators Durbin, Wyden, Coons, Sanders, Blumenthal, and Akaka--the Cybersecurity Act does not protect companies that violate your privacy intentionally, knowingly, or with gross negligence.
Fourth, and finally, a cybersecurity bill should also hold the government accountable for its actions. Under both CISPA and the SECURE IT Act, companies can start giving the Federal Government your private information well before the government actually has privacy rules in place for how to handle that information.
Under the SECURE IT Act, the government has total immunity from lawsuits arising out of its cybersecurity operations--total immunity for the government. The SECURE IT Act also lacks any regular independent oversight of the Federal Government's actions under these new authorities. The Cybersecurity Act of 2012 now has all three of these protections. Under this bill, privacy rules have to be in place on the first day companies start giving the government information. People can sue the government when it abuses its authority. And there will be recurrent, independent oversight by both the Privacy and Civil Liberties Oversight Board and inspectors general.
These are just the four main categories of changes that the sponsors of the Cybersecurity Act have adopted. There are other changes, too, that I won't go into now.
Before I close, I want to elaborate on one way I do think we need to improve the Cybersecurity Act to better protect privacy. The sponsors of the bill have rightly adopted several critical protections. I hope they will accept at least one more amendment that I think is very important. I will talk about my amendment more on another occasion, but for now I want to flag it for my colleagues.
For decades, Federal law has given Internet service providers and other companies the right to monitor their systems to protect themselves and their customers from cybersecurity threats. They also have the right to deploy what are called countermeasures to protect their systems against those threats. So these companies have the right to monitor and protect themselves; but at the same time, Federal law prevents them from abusing those rights. If an ISP starts randomly picking customers and reading their e-mails, their customers--and the government--can take
them to court, and the ISP can't throw its hands up and plead cybersecurity.
This is why, when the President of the United States brought together all of the Federal agencies to craft a bill that would comprehensively protect our cybersecurity, that proposal included a new authority for companies to disclose information to the government but contained no new authority for companies to monitor e-mail or deploy countermeasures. When the administration's lawyers were asked why that was, they said that doing so would have been duplicative--duplicative--because the companies already have those rights.
Right now, the Cybersecurity Act and the President's proposal are not in line with each other, because unlike the President's proposal, the Cybersecurity Act does give ISPs and other companies a brandnew right to monitor communications and to deploy countermeasures. That right is very broad--so broad that if a company uses that power negligently to snoop in on your e-mail or damage your computer, they will be immune from any lawsuit. I plan to offer an amendment to delete these new monitoring and countermeasures authorities and bring this bill in line with the President's proposal. I hope my colleagues here in the Senate will join me in passing this amendment. Seven of my colleagues have already indicated they will cosponsor this amendment.
But I want to end on a high note. I don't want my amendment to cloud my central message here, so I will repeat what I said earlier. The Cybersecurity Act is not perfect, but when it comes to striking a balance between cybersecurity and privacy and civil liberties, it is the only game in town. It is far more protective of our rights than either CISPA or the SECURE IT Act. I thank the sponsors of the Cybersecurity Act for taking this high road, and I urge my colleagues to vote to proceed to the bill so we can have a good, full debate on it.
Madam President, I yield the floor.
BREAK IN TRANSCRIPT