BREAK IN TRANSCRIPT
Mr. BLUMENTHAL. Madam President, I thank my very distinguished and effective colleague from Delaware for his great work as part of a team that has sought to enhance the protections of privacy in this bill. His perspective as a local official, as a constitutional expert, as someone who cares deeply about privacy and civil liberties, has been invaluable to this effort. He too has participated in the critical infrastructure team which both of us have been privileged to join with Senators Whitehouse and Kyl, who have been so enormously helpful in this effort. I join him as well in thanking our colleagues Senators Akaka, Durbin, Franken, Sanders, and Wyden for their very important efforts to protect privacy and civil liberties in the information-sharing title of the cybersecurity act.
We have truly worked as a team and, in many ways, a bipartisan team in forging this legislation. Of course, we have followed the lead of Senators Lieberman and Collins who have been at the forefront of this effort, as well as Senators Rockefeller, Feinstein, and Carper, who deserve our appreciation for drafting the bill, shepherding it through committee, and bringing a modified version to the floor where now we have the historic opportunity to move forward. I am here to urge my colleagues, in fact, to move forward and vote to proceed to the bill later today.
We have made good progress on this legislation. I am optimistic that we will pass a cybersecurity bill in the very near future--as we must for all the reasons that have been articulated by myself and others. This Nation is under attack. It is under cyber attack. Literally, every day our defense industrial base, our military systems, and our private industry are under attack by nations and by hackers, both sophisticated and unsophisticated, abroad and at home. We must make sure we provide the tools and the resources, legal resources and authority to stop that attack, to deter it, to defeat it, to make sure our country is defended against it effectively and comprehensively.
The nature of defending against cyber attack involves information sharing. There is no way around that basic fact that information about the attacks--the sources, the objects and targets, the times--all the details are, in essence, the power to defend. Information is power when it comes to defending against cyber attack. Yet we also know that information, when shared, can also be abused. Some of the most tragic chapters of our Nation's history have involved snooping, spying, surveilling, and then sharing of information that is inappropriate and unnecessary and sometimes illegal.
We know also that one of our core constitutional protections is, in fact, the right to privacy. It is enshrined in our Constitution. It dates from our founding. It is integral to the fabric of the rule of law. We resisted and rejected the rule of the British, in part, because they had no respect for the privacy of the colonials. That basic value has inspired the rule of law since.
There is a saying--I believe it is a Latin saying--that in war, law is the first casualty. We are in a cyber war, but our constitutional law cannot be a casualty. Our right to privacy and civil liberties must be protected.
Information sharing must involve the right information shared with the right people and officials for the right purposes. There must be red lines and red lights. There must be consequences if those red lines or red lights are disregarded or dismissed.
This bill meets those basic requirements. It is enforceable and it must be enforced. In fact, I will offer an amendment to increase the enforceability and enforcement of these basic protections by increasing the penalties for violating these basic protections. The trust and confidence of our Nation in the rule of law depends on our getting it right: information sharing with the right information to the right people and for the right purposes.
The kinds of modifications contained in this bill are critically important. They are in sharp contrast to the House-approved version of CISPA, which utterly fails to protect civil liberties and privacy rights in sufficient degree. Unlike past versions, this measure establishes unequivocal civilian control of cybersecurity information exchanges. Unlike past versions, this bill bars companies from using cybersecurity as a pretext for violating FCC net neutrality rules. Unlike other versions, this bill bars companies from using cybersecurity as a pretext for violating other guarantees, and it allows citizens to hold companies accountable and take them to court for knowingly or grossly negligent violations of the information-sharing provisions of this bill.
Equally important, it enables them to hold the U.S. Government and other public officials responsible and take them to court if they violate the privacy guarantees in this bill.
A private company receiving someone's private information while monitoring for cyber threat should protect that information. It is a public trust and a public responsibility. This act protects Americans' privacy by requiring companies that obtain that kind of information--some of it medical or financial of the most confidential and private nature--through monitoring, to protect that information.
This measure also imposes restrictions on the use of shared information for law enforcement purposes. The government can only provide information to law enforcement if it relates to a cyber crime or a serious threat to public safety; that is, physical safety--bodily harm. Law enforcement can only use information to prosecute or stop cyber attacks to prevent that kind of imminent and immediate harm to a person or a child.
There are other protections--some of them have been mentioned by Senators Franken and Coons before me--that I will support. For example, Senator Franken mentioned that his amendment would eliminate new authorities in the bill to monitor communications or operate countermeasures. Senator Coons mentioned a 5-year sunset on the use of information sharing under this measure to help guard against unforeseen consequences of the legislation and ensure that congressional oversight occurs on a regular and foreseeable basis. Other measures which I consider important would require Federal agencies that suffer a data breach to notify affected individuals and allow those individuals to recover damages and require the creation of a new office in the Office of Management and Budget, that of Chief Privacy Officer.
I support these amendments and I support also increasing the penalties in the event that government or companies violate the protections in this statute.
We have indeed made progress. There is more to do. I hope more progress will be made. I foresee passage of a cybersecurity measure that is desperately and direly needed in this country--not at some point in the future but now. As others before me have said on this floor and as I have said before, cybersecurity is national security and we must protect our national security while at the same time retaining the reason, our fundamental rights and civil liberties, that we want to protect our Nation and its constitutional values.
I yield the floor.
BREAK IN TRANSCRIPT