BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. Madam Chair, I yield myself such time as I may consume.
Chairman Rogers and I are here today to discuss the Cyber Intelligence Sharing and Protection Act, known as CISPA. The bill simply allows the government to give cyber threat intelligence to the private sector to protect its networks from cyber attacks.
I don't want to repeat a lot of what the chairman has said, but the first thing I want to do is to acknowledge the leadership of the chairman. Three years ago, the chairman and I, when we took over the leadership of the House Select Intelligence Committee, realized how serious the threat of cyber attacks were to our country, to our businesses, to our health, safety, and welfare.
We decided to pull together a group of representatives from different parts of this issue--we had the administration involved, we had the privacy groups involved, including the ACLU, we brought in the industry--because we knew that we had to put together a bill that would pass the House, the Senate and be signed by the President.
So, what we attempted to do was get input, and then we put together a bill. And, by the way, the bill is only 27 pages--it's probably a record in this Congress--and we did read the bill.
Now, what we attempted to do in this bill is to address a situation where now, the government cannot really communicate with the private sector to try to help protect our citizens, our businesses from cyber attacks. The reason for that is in 1947, there is a law that says that the intelligence community cannot communicate or pass information to another entity that does not have clearances. So, basically what our bill does is to allow the sharing of information, which we can't do now, to the private sector.
Now, why is this important? This is something that is very important because most people don't understand this. In the United States of America we have 10 companies, called the providers, that control 80 percent of our network--80 percent of our network. So in order for us to protect the United States of America from cyber attacks, we need to make sure that the government has a partnership with the private sector and that they can pass the threat information so that the government can help protect.
As an example, if your house is being robbed, you call 911 and the police department comes. That's the same scenario that we're looking at here, only it's a lot more sophisticated. Again, as the chairman said, passing information, mostly zeroes and ones, to the government so that we can work together to protect our network.
Now, why is this so important? And I think it's important that we get into some of the issues of threats. Just recently, we understand, and we know, that The Washington Post, The New York Times, The Wall Street Journal, were cyber-attacked. And basically, our understanding is that they did this, especially China, to intimidate the paper sources within China. We had our U.S. banks. It is very serious for U.S. banks to be attacked and hacked. Most of what our banks have are records and information. And to be able to shut down a bank or to be able to manipulate or get privacy information could be very destructive to our banks, and yet this is being done, and it's been done for a period of time.
Media reports have said that Iran, a rogue country that we know exports terrorism--we know what Iran's beliefs are, and yet reports have said that Iran attacked Saudi Arabia's oil company, one of the largest in the world, Aramco, and wiped out 30,000 computers in a weekend. And let me say this: Iran is not a very sophisticated company as it comes to cyber, but they have the sophistication to be able to knock out 30,000 computers and really shut their businesses down for a period of time. This is what's happening in the United States.
Cyber Command, whose job it is to protect our military networks, estimated that in the last couple of years that we have had, the United States of America has had $400 billion--not million, billion--worth of American trade secrets being stolen from U.S. companies every year, costing these companies market share and jobs. That's probably the biggest theft in the history of the world, and yet we still are not able to help government working with business.
You have Secretary Napolitano, the Director of the FBI, you have the Director of the NSA, Alexander, and all three have said one of the biggest fears they have now are these attacks, and that unless we have a sharing opportunity between government and between business, they feel that they cannot protect our country from these cyber attacks the way that they should. It's so important that we need to act now on this bill.
Now, we can pass bills in the House all day long, but if the Senate doesn't pass a bill and the President doesn't sign it, where are we? We were able to pass our bill last year in a bipartisan manner, and yet our bill went to the Senate and it stalled and the bill didn't go anywhere, so Chairman Rogers and I started again.
But, what we said to each other and we discussed was that we need to address the issue of privacy. Even though we felt strongly that our bill does protect privacy, we knew there were groups out there, especially the privacy groups, that felt that there was not enough protection in our bill. So we rolled up our sleeves, we listened to the issues raised by the privacy groups, the administration had issues with respect to privacy, and we changed the bill.
Now, I don't want to repeat what the chairman said, but basically we made some significant changes to our bill to deal with the issue of privacy. We provided that first, there's a privacy and civil liberties oversight board, and now that board must review our program. That's one area of oversight.
In the intelligence community, we have privacy officers in each department, in each area. And these privacy people have to look at the threat information. They must also conduct a classified and unclassified review. That's the second oversight that was changed in the bill.
An annual report must be sent to Congress. We also have what we call the ``inspector general,'' whose job it is to oversee the different agencies they represent. Those are four areas of oversight just in the bill.
Regarding the privacy agreements that we were concerned about, we only have five elements where this bill applies. That means if you're a tax cheat and we pick up some information, that can't be used against you. The privacy agreements were concerned about the issue of national security being one of those elements in this bill. They thought it was too broad. So Chairman Rogers and I got together, and we were able to get the votes from both sides of the aisle, and we were able to take a position that the national security issue is not in the bill anymore. We feel national security is being covered by one of the elements in the bill that says it deals with the issue of protecting people's lives or liberty. So we feel that we have covered national security.
One of the most important issues was the issue of minimization. What is minimization? Most people don't know what it is. Basically, minimization is if private information is passed, there needs to be an entity out there that will take that private information out so that it is not used.
We've now added to the bill that any of the zeroes and ones that are passed--and that's what's happening--if there was some reason why somebody's personal information is passed when those zeroes and ones are coming back and forth, now we have what we call 100 percent minimization, and the government will make sure that every single entity and all the information that is passed will be 100 percent minimized. If there is any personal information in there at all, it will be knocked out. That's very significant, and that gives a lot of coverage.
This is also important: you don't have security if you don't have privacy. That was one of the themes Chairman Rogers and I used in the beginning: if you don't have security, you don't have privacy. Even though we thought our first bill had it, we felt there was a certain perception, we heard what was said and we made these changes.
There is one other issue that is out there that's very important that I think is also extremely relevant. That's the issue of when the information is passed when we're attempting to protect our citizens and our businesses from these attacks and hopefully from a destructive attack like Iran did to Aramco in Saudi Arabia, there was a perception out there which, again, had to deal with perceptions. The perception was that if this information of zeroes and ones that are being passed back and forth, what is the point of entry. We did not want the perception to be that the military in any way would be in charge or would be the entity that is overseeing this. We felt very strongly that it had to be civil.
So Chairman Rogers and I, along with Chairman McCaul of the Homeland Security Committee and Ranking Member Thompson, have an amendment here today which is very significant. I'm sure it will be very well received by the privacy groups in the White House. What the bill will now say is that when information is passed, it will be the Department of Homeland Security. That is very significant, and we would hope that that would truly deal with the majority of these privacy issues.
We know that we have to move and we have to move quickly. We're here today to debate this bill. And, again, Chairman Rogers--he's not listening, but I'll say it anyhow--has shown tremendous leadership. I say this and I say it sometimes in jest, that I was a former investigative prosecutor and he was a former FBI agent and all good FBI agents must listen to their prosecutors, even if we're in the minority. That was a joke. Not withstanding that, he has shown leadership. We threw partisanship out the window. We knew the stakes were high. We have been concerned that we have not been able to protect our country. I believe that Congress needs to act because we're standing in the way of protecting our country.
This reminds me of a situation. We know how serious Hurricane Sandy was. It's similar to if you are a meteorologist and Sandy is coming up the east coast and you can't warn your constituents that Sandy is coming. That's why we need to pass this bill tomorrow, and we need to do it for the benefit of our country.
And I do want to end with this: you do not have security if you don't have privacy. We feel that this bill, along with the amendments that will be introduced today, will effect that.
With that, I reserve the balance of my time.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. Madam Chair, I yield myself as much time as I may consume.
First thing, we've heard testimony today about how serious the cyber attacks are to our country. We know what has occurred already. We know that our banks have been attacked, our major banks. We know that our newspapers, New York Times, Washington Post, have been attacked.
We know that news reports have said that Iran attacked Aramco, Saudi Arabia's largest oil company. They took out 30,000 computers, which means we are subjected to those attacks also.
We also know that Cyber Command has said that we, in the United States, have lost, from the attacks on our businesses, approximately $200 billion. Just think what that equates to in jobs, stealing information about trade secrets, about competing globally with a country like China where they have all of our information, where they're able to shut down banks.
This is a very serious issue, and we need to do a better job to educate the public on how serious it is. And we just hope that we can pass this bill today in the House, a bill in the Senate, and the President signs the bill, so that we can protect our citizens, we can protect our businesses from these attacks.
If we knew that Iran was sending over an airplane with a bomb we would take it out. And yet we have to make sure that we deal with the issue in the United States of America to protect ourselves.
Now, there was a major issue raised, and that issue was privacy. And believe me, I want to say this over and over again. You don't have security if you don't have privacy. And we feel very strongly that this bill provides privacy.
But we also know, Chairman Rogers and I know, that if we pass a bill here, we need to pass a bill in the Senate, and we need the President to sign it. So we got together, and even though we passed our bill in a bipartisan effort last year and it stalled in the Senate, we now have made the bill what we feel is a lot stronger as it deals with the perception of privacy.
And we've added oversight. We have four categories of oversight, privacy. We've made sure that minimization--taking out any privacy information that might pass--we made sure that that is 100 percent minimization so that no one's private information will pass.
But the most important thing is that we have to make sure that we pass a bill because of the fact that 80 percent of our network is controlled by 10 companies in the United States of America. And all of our experts in this area have said that if government and business can't share information about these attacks, zeros and ones, if they can't share information, they cannot protect our country from these ongoing attacks that are occurring as we speak right now.
So let's act. Let's not wait until we have another catastrophic attack like 9/11. Let's deal with this now. Let's pass the bill and make sure that we protect, again, our citizens. And I want to say it one more time. The issue that you can't have security if you don't have privacy.
I do want to also say, I want to thank all those individuals in our government, in the private sector. The privacy groups have all come together. This has been a good debate. It's been a debate about issues that the public needed to know.
And I also want to thank the chairman for his leadership, and the fact that he was willing, even though we had our bill passed a year ago, he was willing to deal with the issue of perception and to make sure we made privacy an element that we could deal with, and that we could change our bill to deal with certain perceptions. I feel that we've done that.
I also want to thank Chairman McCaul from Homeland Security and Ranking Member Bennie Thompson from Homeland Security, who've worked with us to get an amendment that was very important, as you heard from Jan Schakowsky.
That amendment basically says that the point of entry for any communication is on the civil side of our government, Homeland Security, and we hope to pass that amendment.
And I feel very strongly that if we do that, we will have addressed the majority of the issues that are so important to this bill and to our security and to our privacy.
I yield back the balance of my time.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. I thank the gentleman for yielding.
This amendment increases the privacy and civil liberties protections in our bill; therefore, I urge a ``yes'' on Congressman Connolly's amendment.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. Madam Chair, our bill now enables companies and the government to have the option to hire independent contractors to handle cyber threat information. It helps bring talented people into our cybersecurity workforce; it provides jobs; it is good for our economy; and it is good for our national security. Therefore, I urge a ``yes'' vote on this amendment.
I also want to acknowledge Congressman Schneider for his involvement in this issue.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. I thank the gentleman for yielding.
Madam Chair, first, I want to agree with our chairman, and I said it before, that you have been one of the key players in developing legislation to protect our country. From the beginning, when those of us started working on this issue, probably 2006, you were there. You have a tremendous amount of expertise. You have been a great adviser to all of us, and also not only the Intelligence Committee, but the Armed Services Committee, and I appreciate all your work.
I also support your amendment to include political subdivisions within the information, use, and protection requirements in our bill. Your amendment ensures that utility districts are not unnecessarily and unintentionally limited from protecting their own information.
Therefore, I urge a ``yes'' vote on your amendment.