OFFICIALS LEGISLATION INTEREST GROUPS PUBLIC STATEMENTS COMMITTEES VETOES

Cybersecurity Information Sharing Act of 2015

Floor Speech

Date: Oct. 27, 2015
Location: Washington, DC
Issues: Technology and Communication Business and Consumers

BREAK IN TRANSCRIPT

Mr. President, in today's digital age, many Americans live their lives online. We communicate via email, use photo sharing and social networking Web sites, store documents in the cloud, and access our private financial and medical information through the Internet. The amount of sensitive electronic data that we create and store on the Internet is staggering and will only continue to grow. We know that cyber security is an important component of protecting our critical infrastructure. A cyber attack targeting the electric grid in the Northeast, for example, could have dire effects during a cold Vermont winter. I know that Vermonters care about cyber security, and Congress must act responsibly to strengthen our ability to defend against cyber attacks and breaches. But I also know that Vermonters care deeply about their privacy and civil liberties, and I believe just as strongly that whatever Congress does in the name of cyber security must not inadvertently undermine the privacy and security of Vermonters and all Americans.

For years, Congress has seemed singularly focused on the private sector's desire for voluntary information sharing legislation. While improving the flow of cyber threat information between the government and private sector is a laudable goal that I support, it is not a panacea for our cyber security problems. Information sharing alone would not have prevented the major breaches of the past year, such as the breach at the Office of Personnel Management, OPM, or the breaches at Sony, Home Depot, or Anthem.

Narrowly tailored legislation to facilitate the sharing of technical, cyber threat data could be beneficial, but the Senate Intelligence Committee's bill lacks certain basic safeguards and threatens to significantly harm Americans' privacy. That is why I have heard from a number of Vermonters who oppose the bill and that is why consumer advocacy organizations, privacy and civil liberties groups, and major technology companies like Apple, Dropbox, and Twitter all vocally oppose the bill. The technology companies know firsthand the importance of ensuring our cyber security, and they oppose this bill because they believe it does little to improve our cyber security and would ultimately undermine their users' privacy.

For months, I have worked with Senator Feinstein to improve this bill. She has been receptive to my concerns, and I appreciate that many of the revisions that I suggested are now incorporated into the managers' amendment. The managers' amendment now makes clear that companies can only share information for cyber security purposes, which is an improvement from the original legislation. It also prohibits the government from using information shared by private companies to investigate routine crimes that have nothing to do with cyber security. And it removes a completely unnecessary and destructive new exemption to the Freedom of Information Act, FOIA, which had the potential to greatly restrict government transparency. These are significant improvements, and I am thankful to Senator Feinstein for working with me to incorporate them into the bill.

Unfortunately, the Senate Intelligence Committee's bill still has major flaws. This bill overrides all existing legal restrictions to allow an unprecedented amount of data--including Americans' personal information--to flow to the government without adequate controls and restrictions. It needlessly requires all information shared with the government to be immediately disseminated to a host of Federal agencies, including to the NSA. It fails to adequately require companies to remove irrelevant personal information before sharing with the government. The bill contains broad authorizations that allow companies to monitor traffic on their networks with liability protection and employ ``defensive measures'' that may cause collateral harm to innocent Internet users. The bill also continues to include another unnecessary FOIA exemption that will weaken the existing FOIA framework.

Proponents of the bill have attempted to assuage many of these concerns by arguing that sharing under this bill is voluntary, and if companies do not want to share information with the government or use the authorities in the bill, they do not have to. This bill may be voluntary for companies, but it is not voluntary for consumers. American consumers have no say on whether their information is shared with the government and ends up in an NSA or IRS database. They may have no recourse if a company needlessly monitors their Internet activity or inappropriately shares their personal information with the government.

Rather than limiting the dissemination of information in order to protect the private and proprietary information of Americans and American businesses, this bill goes in the wrong direction by giving companies more liability protection and more leeway on how to share our information. The most effective action Congress can take to improve our cyber security is to pass legislation that requires companies to take greater care of how they use and protect our data, not less. And we should pass my Consumer Privacy Protection Act to require companies to protect our personal information and help prevent breaches in the first place. The cyber security legislation before us today does nothing to address this very real concern, so I cannot support it. I fear that this bill will significantly undermine our privacy, and I urge Senators to vote against passage.

BREAK IN TRANSCRIPT


Source
arrow_upward