BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. Madam Chair, I yield myself such time as I may consume.
First of all, I do want to thank the chairman for working with us in a bipartisan way to protect our country from this very serious threat of cyberattacks.
As the ranking member of the House Intelligence Committee, people often ask me what keeps me up at night. I tell them: weapons of mass destruction entering the country undetected and also a catastrophic cyberattack shutting down our water supply, power grid or banking systems; and those are just a few of the many areas that could be attacked and shut down.
Every day, U.S. Web sites and our Nation's networks are threatened by foreign governments like China, Iran, Russia, and other groups trying to steal our money and valuable trade secrets. According to the National Counterterrorism Executive, the number one thing cyberthieves are trying to steal is information and communication technology, which form the backbone of nearly every other technology. In fact, according to the United States Cyber Command, $300 billion worth of trade secrets are stolen every year. This proves we need to make real changes to how we protect our cybersystems.
The Cyber Intelligence Sharing and Protection Act helps the private sector protect itself and its clients from these attackers and data thieves. The intelligence community has the ability to detect these cyberthreats, these malicious codes and viruses, before they are able to attack our networks; but right now, Federal law prohibits the intelligence community from sharing the classified cyberthreat with the companies that will protect us, that control the network--the AT&Ts, the Verizons, the Comcasts, those groups. We have the ability to give them the information to protect us; yet we have to pass a law to do that, and that's why we are here today.
The Cyber Intelligence Sharing and Protection Act will clearly do that if we pass the bill. It allows the intelligence community to share the codes and signatures associated with malware and viruses and the means to counter the bad stuff with the companies. These companies keep a lookout for these viruses and work to stop them before they are able to attack their system.
Companies then voluntarily give information about the cyberattack back to the government, machine code consisting of strings of zeroes and ones that uniquely identifies the malware. Cyberanalysts will use this information to better understand the attack and try to figure out who launched it and where it came from.
This information will be used to protect against similar attacks in the future.
Now, the Democrats worked hard to protect privacy and civil liberties in this bill throughout the entire process. We fought for additional privacy protections in the original bill that was marked up in committee. In the version we will vote on tomorrow morning, additional changes are also included in the amendments.
Privacy and civil liberty groups and the White House all agree we made important positive changes that went a long way to improve the initial bill that came out of committee. We severely limit what information can be shared with the government and how it can be used.
It is also important to note the entire process is completely voluntary and provides industry the flexibility they need to deal with business realities.
The bill also requires an annual report from the inspector general of the intelligence community to ensure none of the information provided to the government is mishandled or is misused. This is a very important privacy issue.
The review will include annual recommendations to improve the protection of privacy and civil liberties. That review will be done again by the inspector general.
We also made it clear this legislation grants no new authority to the Department of Defense, the National Security Agency, or the intelligence community. At the urging of the White House and others, we included the Department of Homeland Security in the process so that there is not even a perception that our intelligence agencies or military will be in control of this. The Homeland Security Department will be coordinating as a civil body.
In addition, companies that act in good faith to protect systems and networks can receive liability protection. This is what our bill does.
Now, what does it not do? The bill does not allow the government to order companies to turn over private email or other personal information. This is not surveillance. The bill does not allow the government to monitor private networks, read private email, censor, or shut down any Web site.
We have a broad coalition of support with 100 cosponsors, close to 30 companies and industry groups, and dozens of trade organizations like Facebook, Microsoft, IBM, a lot of different groups that are supporting this bill.
This is not a perfect bill, but the threat is great. I believe this legislation is critical for our national security and yet deals with the issue of privacy. We can do better in privacy, and we hope to get the bill to the Senate, where there will be a lot more negotiation. Congress must act now, and I encourage my colleagues to vote for this bill.
I reserve the balance of my time.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. Madam Chair, I have no more speakers, and I yield myself such time as I may consume.
First thing, there were some comments that I would like to respond to.
First thing, this bill does not allow the wholesale violation of privacy rights. This bill is extremely important to our national security, but also important to our citizens of this great country, our privacy rights, and civil liberties.
The chairman and I have taken this very seriously, as have the members of our caucus. We know this is not a perfect bill--there will probably be additional changes. We will have more debate later on this afternoon.
Now, some of the things I want to address. During the drafting of this legislation we put forward a wide range of privacy protections. We worked for the last year with the White House, privacy groups, and business groups to come to a coalition to make sure that we get this bill right.
First, the bill severely limits what kind of information can be shared with the government. Only information directly pertaining to the threat can be shared, which is mostly formulas, X's and O's of the virus code. It's almost something that the companies deal with now in dealing with spam.
Second, the bill encourages companies to voluntarily strip out personal information that may be associated with these zeroes and ones. Occasionally, that does occur, and we have to deal with that, and we'll continue to deal with that issue.
There also are strong use limitations on the data. This information must be used for cybersecurity purposes or the protection of national security. The information cannot be used for regulatory purposes. For example, if there's evidence of tax evasion, that information cannot be used in a criminal proceeding, only in national security, only in the areas of life and limb, or for anything involving juvenile crimes.
The bill prohibits the government from requiring the companies to give information to the government in exchange for receiving the cyberthreat intelligence. That means that when we pass the information of the attacks--it's called the secret sauce--to the providers, it's only voluntarily. The government can't put any restrictions on that whatsoever. That really means that this is not surveillance at all.
The bill does not allow the government to order you to turn over private email or other personal information. This is not, again, surveillance.
The bill does not allow the government to monitor private networks, read private emails, censor or shut down any Web site. This is not SOPA.
In an effort to improve the bill even more, the intelligence community--thank you to the leadership of Chairman Rogers--has been working with privacy groups, the White House, and other interested parties to address these concerns with the legislation. We on our side of the aisle take, again, this issue of privacy very seriously. The committee has maintained an open door policy and made more changes to the bill to make it even better as we have gone on up until today.
The legislation grants no new authority to the Department of Defense, National Security, or the intelligence community that require it to direct any public or private cybersecurity effort. If the government violates any of these restrictions placed on it by the legislation, the government can be sued for damages, costs, and attorneys fees.
I think it is extremely important--we on the Intelligence Committee deal with these issues every day. This is a very sophisticated area that we deal with that most people don't know. So we're attempting, and we have for the last year, to educate as many of our Members as we can. But it's important to know that national security is clear--our effort and what we're attempting to do--but also to maintain the privacy, the constitutional rights of our citizens.
I reserve the balance of my time.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. I yield myself such time as I may consume.
In closing, I want to say again that the purpose of this bill, as the chairman just said, is very basic and simple. We want to protect our citizens from attacks. We are being attacked as we speak right now. Just last year, it was estimated we lost $300 billion worth of trade secrets. We even know that one country is attacking a fertilizer company to find out how we make it better than they do. This is putting our businesses in jeopardy and jobs in jeopardy, and we know we sure need jobs.
More importantly, those of us who work in this field know how serious these threats are. The head of our FBI, whose responsibility it is to provide our domestic national security, has said that one of the most serious threats, if not a bigger threat, in terrorism would be a catastrophic cyberattack. We've already talked today about what that would be. We have Secretary Napolitano, the Director of Homeland Security, who has said the same thing: that it is one of the most serious issues our country has to deal with. It's unfortunate, but most of our citizens aren't aware of how serious this threat is.
So we've attempted to allow our intelligence community, which is one of the best in the world, to have the ability to see these threats coming in from other countries or from terrorist groups and to be able right now to give this information over to the private sector to protect us, you, me, our businesses. That's what this bill does. Nothing more. What we're attempting to do is to move the bill and get the bill to the Senate.
We can always do better in the area of privacy and civil liberties, and we're going to continue to do that. We can always do better in the area of homeland security and go further to protect those institutions and our grid systems and that type of thing; but this is the start, because the one thing that now is stopping our country and is stopping us from protecting our citizens is this Congress.
This Congress needs to pass this bill now. We need to move forward. We need to get it to the Senate. We need to start working with the Senate. Then hopefully we'll deal and work very closely with the White House and find a bill so that we can protect our citizens and also protect our civil liberties and privacy.
I also understand Mr. Lewis. We all respect him and what he has gone through. As a former prosecutor and lawyer who has worked on many search and seizure warrants and that type of thing, I can tell you this: there are no violations in this bill at all. That is not what this bill is about. If it were, I wouldn't be in favor of it.
I thank you, Mr. Rogers, for your cooperation and for working with us in this bipartisan manner. It is a very serious issue.
I yield back the balance of my time.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. I agree with Mr. Issa's comments. This is a joint amendment of Mr. Rogers and me. The amendment would make it clear that while FOIA exemption protects information obtained under the bill, regulatory information required by other authorities remains subject to FOIA requests.
The chairman and I agree the law should not create a broad change. The type of information that is available under the Freedom of Information Act, we have a responsibility to protect classified information from disclosure, but we also understand the need to keep information open to the public. The amendment makes clear that information available under other authorities remains subject to FOIA, and I urge all Members to support this bipartisan amendment.
BREAK IN TRANSCRIPT
Mr. RUPPERSBERGER. As we said before, our bill is extremely limited, and we're attempting again to allow our government, our intelligence community, to give the information that's necessary to protect our citizens from these cyberattacks.
Ours is the most active bill that is out there now. Our bill, hopefully, will pass and go to the Senate, and there will be a lot more negotiation. But there is a lot of work to do in other areas, too, such as Homeland Security; and I know there are other issues involved in the Homeland Security markup, I know that there are issues involving Judiciary.
I can say this: I know that the chairman and I for 1 year now have worked very openly with every group that we think would be involved in this bill. Because of different positions taken, including HLU, we listened. This bill is better, and we hope that it passes.
So we clearly will work with you, but we on the Intelligence Committee are very limited to our jurisdiction, and that's why a lot of these issues we can't deal with other than what is in our bill right now.
I thank the gentleman for yielding.
BREAK IN TRANSCRIPT