tv U.S. Senate CSPAN October 20, 2015 4:00pm-6:01pm EDT
or willful misconduct. nor does it protect those who do not follow its privacy protections. as i mentioned earlier, there are many -- as i mentioned earlier, there are many privacy protections throughout the bill. because this is a key point of interest for a number of senators, let me list ten of them. one, it's voluntary. the bill doesn't require companies to do anything they choose not to do. there's no requirement to share information with another company or with the government. and the government cannot compel any sharing by the private sector. so, if there's this tech company or that tech company that doesn't want to go into this, don't do it. nothing forces you to do it. this is 100% voluntary. secondly, it narrowly defines the term "cyber threat
indicator" to limit the amount of information that may be shared under the bill. only information that's necessary to describe or identify cyber threats -- describe or identify cyber threats -- can be shared. the authorizations are clear but they're limited. companies are fully authorized to do three things -- monitor their networks or provide monitoring services to their customers to identify cyber threats. use a limited defensive measures to protect against cyber threats on their networks and share and receive cyber information with each other and with federal, state or local governments. no surveillance, no sharing of personal or customer information is allowed. there are mandatory steps that
companies must take before sharing any cyber threat information with other companies or the government. companies must review information before it's shared for irrelevant privacy. am i limited in time? the presiding officer: [inaudible] mrs. feinstein: thank you. companies must review information before it is shared for irrelevant privacy information and they are required to remove any such information -- they're required to remove any such information that's found. a bank would not be able to share a customer's name or account information. things like social security numbers, addresses, passwords, credit information would be unrelated to a cyber threat and would accept in very exceptional circumstances be removed by the company before sharing. the bill requires that the
attorney general establish mandatory guidelines to protect the privacy of any information the government receives. these guidelines will be public. the guidelines will limit how long the government can retain any information and provide notification requirements and a process to destroy mistakenly shared information. it also requires the attorney general to create sanctions for any government official who does not follow these mandatory privacy guidelines. sixth, the department of homeland security, not the department of defense or the intelligence community, is the primary recipient of the shared cyber information. seven, the managers' amendment includes a new provision which was suggested by senator carper, with the backing of a number of privacy groups, to allow the
department of homeland security security -- and i say this again -- to scrub the data as it goes through the portal to make sure it does not contain irrelevant personal information. eight, the bill restricts the government's use of voluntarily sharing information on cybersecurity efforts. imminent threats to public safety, protection of minors and cyber crimes. unlike previous versions, the government can't use this information for general counterterrorism analysis or to prosecute non-cyber crimes. ninth, the bill limits liability protection to only monitoring for cyber threats and sharing information about them when a company complies with the bill's privacy requirements. and it explicitly excludes protection for congress to
negligence or willful misconduct. above and beyond these mandatory protections, there are a number of oversight mechanisms in the bill which involve congress, the head of agencies, the inspectors general and the privacy and civil liberties oversight board. in sum, this bill allows for strictly voluntary sharing of cyber information with many layers of privacy protections. as i've noted, the managers' amendment that we will consider shortly, i hope, includes several key privacy protections and we'll be describing them in more detail when we turn to that amendment. mr. president, i really hope this has made clear that we have really tried to very carefully balance the need for improved cybersecurity with the need to protect privacy and
private-sector interests. as i said earlier, this is the third bill on information sharing. we've learned from the prior two efforts and it's clear from the headlines and multiple data breach notifications that customers and employees are now that this bill is necessary and that we need to act now instead of after a major attack seriously impacts hundreds or thousands of lives or costs us billions or trillions of dollars. mr. president, we have a good bill. i know there are some cynics. i know there are some tech companies who decide, well, they've been called by people, they are worried about what their customers might do. whatever it is, don't participate. whether it's apple or google or anybody else, don't participate.
if you don't want to. but i have talked to enough c.e.o.'s who have said to me please, do this. we need this ability. and it's the only way we can get this ability -- with liability protection for sharing threat material. so this is really, really important and i want to again thank the chairman for everything that he has done to lead this effort. and it's my hope that we will have a good, civil debate and that we will be able to pass this bill with a substantial margin. i thank the chair. i yield the floor. mr. wyden: mr. president? the presiding officer: the senator from oregon. mr. wyden: mr. president, this afternoon we begin the discussion of cybersecurity legislation and i think it's
important to say at the outset that i think everybody who hears the notion that the senate is talking about cybersecurity would say, boy, you've got to be for that. i mean, we all read about cyber hacks regularly. so you say, why not be for what they're talking about in the senate? i want to begin by way of saying that the fact is, not every bill with cybersecurity in the title is necessarily a good idea. i believe this bill will do little month make americans safer but will intentionally reduce the personal privacy of millions of americans in a very substantial way. and in beginning, i think it is
particular telling who opposes positive legislation at this time. the business software alliance has said they cannot support this bill. they have members like apple and i.b.m. and microsoft and they're saying at this time, they can't be for this. the computer and communications industry association. they have members like google and spacebook and amazon -- and facebook and amazon. they have said, mr. president, they cannot support the legislation at this time. america's librarians can't support it at this time. twitter -- can't support it at this time. wikipedia foundation, yelp --
can't support it at this time. the groups that i'm talking about are ones with members who have companies with millions and millions of customers and they're saying they can't support this bill at this time. i think i know. these companies, whop -- who didn't have a problem with previous kinds of versions of this legislation -- are saying they don't support it. these companies, mr. president, are hearing from their customers. and they're worried that their customers are august, this doesn't look like it's going to protect our privacy. of course we want to be safe. we also want to have our liberty. ben franklin famously said, anyone who gives up their liberty to have security really
doesn't deserve either. so we know what, you know, americans, you know, want. i would submit that the reason these comps are coming out -- these companies are coming out in opposition to this legislation is that they don't want their customers to lose confidence in their products and they're looking at this legislation and they're saying that the privacy protections are woefully inadequate and their customers are going to lose confidence in their products. now, i appreciate that the managers are trying to make this bill better. it's quite clear to me, having listened to two colleagues that i respect very much, that they are very much aware that their bill has attracted widespread opposition. widespread opposition. the comment was made apple,
google, everyone should be for this. i would say again, respectfully to my colleagues, the authors -- with whom i've served since we all came on the committee together -- even with the managers' amendment -- even with the managers' amendment, the core privacy issues are not being dealt with. and i'd just like to read now from a few of the comments. maybe i'm missing something. maybe i heard a list of all the privacy issues that had been addressed. i haven't seen any privacy groups that democrats or republicans look to saying they support the privacy protections in the bill. but let me give you an example of a few who are surely don't. here'syelp says.
congress -- and i quote -- "is trying to pass a cybersecurity bill that threatens your privacy." here's what the american librarians are saying. i'll admit, mr. president, i'm a little bit tilted towards librarians because my mother -- my late mother was a librarian. but we all appreciate the lie -- librarians we grew up with. the librarians say that this bill de facto grants broad, new mass data collection powers to many federal as well as and even government agencies. sales force, a major player in the digital space, located in california, says -- and i quote quote -- "at sales force, trust is our number-one value and nothing is more important to our company than the privacy of our
customers' data. sales force does not support sisa and has never supported sisa. and they've got a # #followsisaupdate. here's what the group that represents the computer communications association. this is google and amazon and microsoft, the biggest major tech companies. again, mr. president, these are companies with millions of customers and the companies are worried that this bill lacks privacy protections. and their customers are going to lose confidence in some of what may be done under this. they say they support the goal, of course, as we all do, of dealing with real threats and sharing information. they state, such a system should not come at the expense of
users' privacy, need not be used for purposes unrelated to cybersecurity and must not enable activities that might actively destabilize the infrastructure the bill aims to protect. now, mr. president, we heard my colleague, the chair of the committee, member of the finance committee, who i work with often he said that the most important feature of the legislation is that it's voluntary. the fact is it is voluntary for companies. it will be mandatory for their customers. and the fact is the companies can participate without the knowledge and consent of their
customers, and they are immune from customer oversight and lawsuits if they do so. i am all for, mr. president, companies sharing information about malware and foreign hackers with the government, but there ought to be a strong requirement to filter out unrelated personal information about customers. and i want to emphasize this, mr. president, because this is probably my strongest point of disagreement with my friends who are the sponsors. there is not in this bill a strong requirement to filter out unrelated personal information about these millions of customers who are going to be affected. this bill would allow companies
to hand over a large amount of private and personal information about millions of their customers with only a cursory review. in my judgment, information about those who have been victims of hacks should not be treated in essentially the same way as information about the hackers without a strong requirement to filter out unrelated personal information, that is unfortunately what this bill does. now at the outset of this discussion, mr. president, we were told that this bill would have substantial security benefits. i heard for days, for example, that this bill would have
prevented the o.p.m. attack. it would have stopped the serious attack of government personnel records. after technologists that particular argument, that claim has essentially been withdrawn. there is a saying now in the cybersecurity field, mr. president, if you can't protect it, don't collect it. if more personal consumer information flows to the government without strong protections, my view is that's going to end up being a prime target for hackers. sharing information about cybersecurity threats is clearly a worthy goal, and i would like to find ways to encourage more
of that responsibly. yet, if you share more information without strong privacy protections, millions of americans will say that is not a cybersecurity bill. it is a surveillance bill. my hope is, mr. president, working in a bipartisan way, by the time we have completed this legislation on the floor, that will not be the case. mr. president, i yield the floor. i believe i see my colleagues here. perhaps i'll note the absence of a quorum. the presiding officer: the clerk will call the roll. quorum call:
mr. burr: mr. president? the presiding officer: the senator from minority north car. mr. burr: mr. president, i ask unanimous consent to vitiate the quorum call. the presiding officer: without objection. mr. burr: mr. president, i listened patiently to my friend and colleague. we're on the committee together, so this is not the first time we've had a frank discussion. but let me say to those companies that have reached out to him, and he listed them, i'm not going to bother to go through 53 associations and the
numbers of companies that are represented. it's hundreds and hundreds and hundreds, sectors of our economies. it's the financial industry. it's automotive. it's practically everybody in retail. and there are a couple of things that just shock me still, because i really just can't make the connection. a technology company that has a tremendous amount of users, and those users put their personal data on that -- pick one -- and the companies say there's nothing more important than protecting the data of their users. you know, it strikes me because i was in business for 17 years before i came to this insane place. it strikes me that any business in the world would say, i don't have a problem with putting this in place as long as i don't have to use it. i can make a decision whether i
use it or whether i don't. it may be that when they get an opportunity to see the final product, it's in place and they say, you know what, this isn't so bad. this actually took care of some of the concerns we had. but to make a blanket statement for a company that's number-one concern of their customers is protection of their data, and ignore that the threat today is real, it will be felt by everybody if it hasn't been felt by them, and not have in place something is irresponsible by those companies. again, i point to the fact that if this were a mandatory program, i can understand why they might for market share reasons or marketing reasons go out and say, you know, we're not covered by this. but this is voluntary for everybody. there's not a soul in the world that has to participate. but the ones that are really concerned about their customers'
data, the ones that really understand that there are companies, individuals, countries that are trying to hack their systems, it should come to the fact that something's better than nothing. we say it's sort of like going home in north carolina and i see the leader coming. this year we've had a rash of sharks. it's one thing to know that there are sharks out there and swim and say how could one bite me? you know, you've got harks out out -- hackers out there. it seems like you take precautions when you go swimming. seems like you should take precautions when you act. mr. mcconnell: under the order of august 15, 2015 i ask the chair lay before the senate ps 754. the presiding officer: the clerk will report. the clerk: calendar number 28, s. 754, a bill to improve cybersecurity in the united states through enhanced sharing
of information about cybersecurity threats and for other purposes. the presiding officer: the senator from north carolina. mr. burr: mr. president, as under the previous order, i call up the burr-feinstein amendment which is at the desk and ask that it be reported by number. the presiding officer: without objection, the clerk will report the amendment. the clerk: the senator from north carolina, mr. burr, for himself and mrs. feinstein, proposes an amendment numbered 2716. mr. burr: mr. president, for the information of all senators, this substitute includes agreed-upon language on the following amendments: carper 2615, carper 2627, coats 2604, flake 2580, gardener 2631, kirk 2603, tester 2632, wyden, 2622. and i might add a handful of amendments that have been worked out in addition to those that
were part of that unanimous consent request by both the vice chair and myself. the vice chair and i have a number of amendments to be made pending under the previous consent order, and i would like to ask that they be called up and reported by number. i call up the cotton amendment 2581 as modified to correct the instruction line. the presiding officer: the clerk will report. the clerk: the senator from north carolina, mr. r burr, for mr. cotton proposes an amendment numbered 2581 as modified to amendment number 2716. mr. burr: mr. president? the presiding officer: the senator from north carolina. mr. burr: let me add at this time that the vice chairman and i have worked aggressively, and our staffs, to incorporate the
suggestions, the concerns that members and companies have raised with us. if we believed that it made the legislation stronger, stronger from a standpoint much minimizing data loss and stronger from the standpoint of the privacy concerns, let me assure my colleagues that we have accepted those and we have incorporated them in the managers amendment. if in fact we couldn't agree or felt that it in any way was detrimental to the legislation, the vice chair and i have agreed to oppose those amendments. and i think it's important that this bill represent exactly what we have sold: an information sharing bill. a bill that is voluntary. so i would suggest to those who
hear this debate and say don't really understand all this cyber stuff, hear about it, don't really understand it, let me put it in these terms. what this legislation does is it creates a community watch program. and like any neighborhood watch program, the spirit of what we're trying to do is to protect the neighborhood. it doesn't mean that every resident on every street in that community, in that neighborhood is going to be a participant. but it means that that neighborhood is committed to make sure that if crimes are happening, that they are out there to stop them, to report them, and maybe through reporting them, the number of crimes over time continues to decrease. well, i would share with you that's what we're doing with the cybersecurity bill. that we're out now trying to set up the framework for a community watch program, one that's voluntary. it doesn't require every person to participate, but it says for
those of you that can embrace this and can report the crimes, it's not only beneficial to you, it's beneficial to everybody. so i respect the fact that there are a few companies out there that are saying this is no good, we shouldn't have this. really? do you want to deny everybody of it? because there are a heck of a lot of businesses that have made a determination this is beneficial to their business, it's beneficial to their sector. it is beneficial to the overall u.s. economy. that's what the united states senate is here to do. we're not here to pick winners and losers. we're here to create a framework that everybody can operate in that advances the united states in the right direction. so, shortly we will have an opportunity to make pending some additional amendments, and i
encourage all members, if your amendment is pending, come down, debate it. if you have additional amendments, come down and offer them and debate them. with the cooperation of members, we can process these in a matter of days. we can send it out of the united states senate. we can be at a point where we could conference with the house. with that, i would suggest the absence of a quorum. the presiding officer: the clerk will call the roll. quorum call:
a senator: madam president? the presiding officer: the senator from california. mrs. feinstein: i ask the quorum call be vitiated. the presiding officer: without objection. mrs. feinstein: thank you, madam president. i call up coons 2552, as modified. the presiding officer: the clerk will report the amendment. the clerk: the senator from california, mrs. feinstein, for mr. coons, proposes an amendment numbered 2552, as modified, to amendment 2716. mr. burr: madam president? the presiding officer: the senator from north carolina. mr. burr: madam president, i call up flake number 2582. the presiding officer: the clerk will report the amendment by number. clesh the senator from north carolina, mr. burr, for mr. flake, proposes an amendment numbered 2582 to amendment numbered 2716.
mrs. feinstein: madam president? the presiding officer: the senator from california. mrs. feinstein: i call up franken number 2612, as modified. the presiding officer: the clerk will report the amendment by number. the clerk: the senator from california, mrs. feinstein, for mr. franken, proposes an amendment numbered 2612, as modified, to amendment number 2716. mr. burr: madam president? the presiding officer: the senator from north carolina. mr. burr: burr: madam presidenti call up heller 2548, as modified, to correct the construction line. the presiding officer: the clerk will report by number. the clerk: the senator from north carolina, mr. burr, for mr. heller, proposes an amendment numbered 2548, as modified, to amendment numbered 2716. mrs. feinstein: madam president? the presiding officer: the senator from california. mrs. feinstein: i call up leahy 2587, as modified. the presiding officer: the clerk will report the amendment by number. the clerk: the senator from california, mrs. feinstein, for mr. leahy, proposes an amendment numbered 2587, as modified, to
amendment numbered 2716. mr. burr: madam president? the presiding officer: the senator from north carolina. mr. burr: madam president, i call up the paul 2564 amendment, as modified, to correct the instruction line. the presiding officer: the clerk will report the amendment by number. the clerk: the senator from north carolina, mr. burr, for mr. paul, proposes an amendment numbered 2564, as modified, to amendment numbered 2716. mrs. feinstein: madam president? the presiding officer: the senator from california. mrs. feinstein: i call up mikulski 2557. the presiding officer: the clerk will report the amendment by number. the clerk: the senator from california, mrs. feinstein, for ms. mikulski, proposes an amendment numbered 2557 to amendment numbered 2716. mrs. feinstein: madam president, i call up whitehouse 2626. the presiding officer: the clerk will report the amendment by number. the clerk: the senator from california, mrs. feinstein, for mr. whitehouse, proposes an amendment numbered 2626 to amendment numbered 2716.
mrs. feinstein: madam president? the presiding officer: the senator from california. mrs. feinstein: i call up wyden 2621, as modified. the presiding officer: the clerk will report the amendment by number. the clerk: the senator from california, mrs. feinstein, for mr. wyden, proposes an amendment numbered 2621, as modified, to amendment numbered 2716. mr. burr: madam president? the presiding officer: the senator from north carolina. mr. burr: madam president, as the vice chair and i said numerous -- i have said numerous times this afternoon, nothing would make us happier than for members to come to the floor. we've got amendments pending. we've got a manager' amendment amendment -- a managers' amendment. everybody knows exactly what's in this bill. let's start the debate, let's vote on amendments, let's end this process in a matter of days. we're prepared to vote on every
amendment. so at this time, i would ask unanimous consent that on thursday, october 22, at 11:00 a.m., the senate vote on the pending amendments to the burr-feinstein substitute to s. 754, with a 60-vote threshold. for those amendments that are not germane. and that following the disposition of the amendments, the substitute, as amended, if amended, be agreed to, the bill, as amended, be read a third time and the senate vote on passage with a 60-vote threshold for passage. the presiding officer: is there an objection? mr. wyden: reserving the right to object. the presiding officer: the senator from oregon. mr. wyden: madam president, i -- i certainly support most of the amendments that were just described. however, i am especially troubled about amendment 2626 which would significantly expand a badly outdated computer fraud
and abuse act. i have sought to modernize the computer fraud and abuse act and i believe that amendment 2626 would take that law, the computer fraud and abuse act, in the wrong direction. so i would object to any unanimous consent request that includes that amendment. therefore, i object to this request. the presiding officer: the objection is heard. mr. burr: madam president? the presiding officer: the senator from north carolina. mr. burr: madam president, you know, the united states senate functions best when members are free to come to the floor and offer amendments, debate the amendments and have a vote on the amendments.
i might even share senator wyden's concerns about that particular piece of legislation. i'm not sure. it's a judiciary issue. the vice chair is on the judiciary committee. it's an amendment that we were not able to pass in the managers' amendment. but as the vice chair and i said at the beginning of this process , we would like the senate to function like it's designed, where every member feels invested, that if they've got a great idea, come down, introduce it as an amendment, debate it and let your colleagues vote up or down against it. if we can't move forward with a process like that, then it's difficult to see how in a reasonable amount of time we're going to complete this agenda. so i would only urge my
colleague from oregon, there's nothing to be scared about. this is a -- this is a process we will go through and a nongermane amendment, which i think this would be listed as -- i look for my staff -- it would be a nongermane amendment, requires 630 -- 60 votes. the threshold that the senate's designed to reach to pass practically anything. so i would urge him to reconsider at some point and i will make a similar unanimous consent request once he's had an opportunity to think about it. but also we will work to see if, in fact, that amendment might be modified in a way that might make it a little more acceptable for the debate and for colleagues to vote on it. with that, i would yield the floor. mr. hatch: madam president? the presiding officer: the senator from utah.
mr. hatch: madam president, as the senator turns its focus to legislation related to the critical issue to our nation ace cybersecurity, in the light of chinese president's state visit last month, i would like to reflect on the america's -- reflect on america's security in cyberspace. as the global economy becomes increasingly dependent on the internet, the exponential increase in the number and scale of cyber attacks and cyber threfts are straining our -- she was are straining our relationship with international trading partners throughout the world. this is especially true for our important trade relationship with china. this year alone, the u.s. has experienced some of the largest cyber attacks in our nation's history, many of which are believed to have been perpetrated by the chinese. just last february, hackers breached the customer records of the health insurance company anthem blue cross/blue shield.
many news sources reported that china was responsible for the attack. this cyber attack resulted in the theft of approximately 80 80 million customers' personally identifiable information, including social security numbers and information that can be used for identity theft. in the early summer, cyber criminals also hacked united airlines, compromising manifest data that detailed the movement of millions of americans. according to the news media, china was again believed to have been responsible. but the most devastating cyber attack this year was on the u.s. government's office of personnel management. this past june, sources report that the o.p.m. data breach, considered the worst cyber intrusion ever perpetrated against the u.s. government, affected about 21.35 million federal -- 21.5 million federal employees and contractors. hackers successfully accessed sensitive personal information, including security clearance
files, social security numbers and information about employees' contacts and families. again, china was the suspected culprit. most troubling, the o.p.m. breach included over 19.7 million background investigation records for cleared u.s. government employees. the exposure of this highly sensitive information not only puts our national security at risk but also raises concerns that foreign governments may be keeping detailed databases on federal workers and their associations. i was pleased that during the chinese president's visit to washington last month, president obama expressed his -- quote -- "very serious concerns about growing cyber threats" and stated that the cyber theft of intellectual property and commercial trade secrets -- quote -- "has to stop." president obama and president xi
peng came to an agreement to not conduct or knownly support cyber theft of trade secret. even so, director of intelligence james clapper expressed doubts about the agreement in a hearing before the senate armed services committee last week. when chairman mccain asked mr. clapper if he was optimistic about the deal, he told members of the committee he was not. i have my skepticism of this agreement and a growing course of lawmakers military leaders and personnel who voiced the concern. as admiral rogers, head of the u.s. is cyber command said we must do more to defend ourselves against this growing threat. unfortunately i have been disappointed in this
administration's inability to protect our federal computer systems from cyber intrusions and hold criminals accountable for their participation in cyber attacks committed against the united states. sadly, the cyber threats facing our nation are not limited to china. investigators believe that russia, north korea, iran, and several other nations have also launched cyber attacks against our government, u.s. citizens and of course companies. these attacks are increasing both in severity and in number. in april, russian attackers -- hackers accessed white house networks containing sensitive information, including e-mails sent and received by the president himself. in may, hackers breached i.r.s. servers to gain access to 330,000 american taxpayers' tax returns. that same month the fraudulent
stock traders manipulated u.s. markets, costing the stock exchange an estimated $1 trillion in just 36 minutes. and in july it was reported that a russian spear phishing attack shut down the joint chief of staffs e-mail system for 11 days. one month ago hackers stole the personal data of 15 million t-mobile customers by breaching experion, the company that processes credit checks for prospective customers. this stolen data includes names, birth dates, addresses, social security numbers and credit card information. these breaches have a serious and real cost for the victims. according to the federal trade commission, the average identity fraud victim in 2012 incurred an average of $365 in losses. incredibly all of these
high-profile breaches have occurred this year, making 2015 perhaps the worst year ever in terms of attacks on our national cybersecurity. prior to the 2015, we also saw several high-profile breaches at large american corporations, including target, home depot, sony, and others. our lack of effective cybersecurity policies and procedures threatens the safety of our people, the strength of our national defense, and the future of our economy. we must be more vigilant in reinforcing our cyber infrastructure to better defend ourselves against these attacks. in doing so, congress must create a deterrent for those who seek to commit cyber attacks against our nation. our adversaries must know that they will suffer dire consequences if they attack the united states.
mr. president, finding a solution to this critical problem must be an urgent priority for the united states senate. i agree with leader mcconnell that we must move forward in the senate with legislation to improve our nation's cybersecurity practices and policies. i am supportive of the objectives outlined in chairman burr and vice person feinstein's bipartisan cybersecurity information. i was pleased to see the senate select committee on intelligence pass the burr-feinstein scisa out of committee by a bipartisan vote of 14-1. this important legislation incentivizes and authorized private-sector companies to voluntarily share cyber threat information in real time that can be useful in detecting cyber
attacks and in preventing future cyber intrusions. i commend chairman burr and vice chairman feinstein's efforts to protect personal privacy including a measure that protect the users personally identifiable information from being shared with government agencies. additionally, cisa sets limits on information that can be collected or monitored by allowing information to be used only for cybersecurity purposes. as the american economy grows evermore dependent on the internet, i believe that cisa represents an important first step in protecting our nation's critical infrastructure from the devastating impacts of cyber attacks. congress must do more to adequately protect america's presence in cyberspace. in light of information highlighting our government's
inability to protect sensitive information i join senator carper in introducing the federal information security act, that is the hatch-carper bill, and it shines light on whether our federal government is using the most up-to-date cybersecurity practices and software to protect federal computer systems and databases from both external cyber attackers and insider threats. specifically, this legislation requires federal agency inspectors general to report to congress on the security practices and software used to safeguard classified and personally identifiable information on federal computer systems themselves. this bill also requires each federal agency to submit a report to each respective congressional committee with oversight jurisdiction describing in detail to each committee which security access
controls the agency's implementing to protect unauthorized access to classified and sensitive personally identifiable information on government computers. requiring an accounting of each federal agency's security practices, software and l technology is a logical first step in bolstering our nation's cyber infrastructure. these reports will guide congress in crafting legislation to prevent future large-scale data breaches and ensure that unauthorized users are not able to access classified and sensitive information. agencies should be employing multifactor authentication policies and should be implementing software to detect and monitor cybersecurity threats. they should also be using the most up-to-date technology and security controls. the future of our nation's p cybersecurity starts with our federal government practicing good cyber hygiene.
in strengthening our security infrastructure, the federal government should be accountable to the american people, especially when cyber attacks affect millions of taxpayers. i've heard from many constituents who have expressed concerns about the state of america's cybersecurity. i represent a state that is an emerging center of technological advancement and innovation with the growing hub of computer companies expanding across a metropolitan area known as silicon savings and slopes -- sn slopes. the people of utah recognize our nation's future depends upon our ability to compete in the digital area. they understand we must create effective cybersecurity policies so we can continue to lead the world in innovation and technology advancement. i'm pleased to announce that an amended version of the federal computer security act is included in chairman burr and vice chairman feinstein's managers' package.
i wish to express my appreciation to both the chairman and vice chairman for their willingness to work with me in fine fine-tuning this legislation. i appreciate. i would also like to thank chairman ron johnson and ranking member tom carper of the homeland security and governmental affairs committee for their efforts in this endeavor as well. in addition to broad bipartisan support in the senate, the federal computer security act enjoys support from key industry stakeholders. some of our nation's largest computer security firms support the bill, including semantic, adobe and c.a. technologies. several industry groups voiced their support including the business software alliance and the i.t. alliance for the public sector. i commend intelligence committee chairman burr and vice chairman feinstein for their leadership in managing this critical cybersecurity legislation. as leader mcconnell works to restore the senate to its proper
function, i am grateful that we've been able to consider this legislation in an open and transparent fashion. by reinstating the open amendment process, we have not only been able to vote on dozens of amendments this year, we've been able to refine legislation for robust consideration and debate. i think we voted on approximately 160-plus amendments so far this year. and they are about evenly split between democrats and republicans. with the renewal of long-standing senate practices, we are passing meaningful laws that will better serve the needs of the american people. may we build on the foundation of success as we work to improve this critically important cybersecurity information sharing act. i want to again thank the distinguished leaders of this intelligence committee, having served 18 years on the intelligence committee, i really appreciate the work that both of them have done, especially on
this bill. and i look forward to its passage. with that, madam chairman -- madam president, i yield the floor. mrs. feinstein: madam president? the presiding officer: the senator from california. mrs. feinstein: thank you, madam president. i want to thank the distinguished senator from utah for his words. they are much appreciated, and your friendship is as well, senator. i think you know that. and i believe the chairman feels certainly as strongly, if not more strongly, than i do. i rose to be able to be able to make a brief statement on the sanctuary bill on morning business, if that would be possible. the presiding officer: without objection. mrs. feinstein: thank you very much. madam president, i voted against senator vitter's bill. i believe it goes much too far. my longer statement is in the record, but i want to respond to
some of what i heard here today. i do believe that we should ensure there is a notification prior to release of a dangerous individual with a criminal record, just as senator schumer said on this floor. i do believe we could take a narrow action to do just that. we could focus on dangerous individuals and not on all undocumented immigrants who happen to be taken into state or local custody. we could require notification without threatening vital law enforcement and local government funding, as senator vitter's bill does. i had an amendment prepared for the judiciary committee's consideration when the committee had scheduled the bill for markup over a series of weeks. but the committee canceled its markup, so we were on the floor today with a bill that has never been heard in full by the judiciary committee. mr. president --
madam president, senator vitter's bill includes a notification requirement and a detention requirement. it is not limited to those who are dangerous or have particular criminal records. it would cover a farm worker detained for a broken taillight or a mother who is detained for similar reasons, taking her away from her children. this is the standard that could be abused in another administration, and it is potentially a huge unfunded mandate to impose on states p and localities. the bill would also impose lengthy criminal sentences at the federal level for individuals coming across the border to see their families or to perform work that is vital to the economy of california and the nation. for example, in california virtually the majority, if not all the farm workers, are
undocumented. it happens to be a fact. that's why the ages job bill was part of the immigration reform act which was before this body and passed this body and went to the house and has had no action. and although members on the other side state that the bill has support among law enforcement, i would note that the major cities chiefs association, the major county sheriffs association, the fraternal order of police, the united states conference of mayors, and the national league of cities are opposited to that bill -- are opposed to that bill or have submitted letters opposing threats to federal law enforcement funding over this issue. so, bottom line, i do believe we should do something about the circumstance that led to the tragic murders in my state and in my city of kate steinle and in the middle part of my state to marilyn farris and i would support a reasonable effort to
do just that. but this is not a targeted effort. it is too broad. and so i opposed it. my fuller statement is in the record, but because it was spoken about on the floor, i did want to add these words. thank you very much, madam president. mr. burr: madam president? the presiding officer: the senator from north carolina. mr. burr: madam president, moving back to cyber briefly, we now have s. 754 called back up. we have a manager's amendment that is pending. we have a number of amendments that have been accepted and incorporated in the manager's amendment.
we have several amendments that we could not reach agreement on, but those members have the opportunity to come to the senate floor. the amendments are already pending. they can debate those amendments, and they can have a vote on their amendment. for members who might just now be engaging or they've had an opportunity to further read the bill, there still presents an opportunity to offer perfecting amendments. let me suggest to my colleagues that when the vice chairman and i started down this road, we knew we couldn't reach unanimous consent of every company in the country and every member of congress. it was our goal, and i think we're pretty close to it when we look at the numbers, but there will be companies that for some reason that i might not
recognize, object to this bill. the vice chairman has said this and i have said it and i will reiterate it at another time. this bill is voluntary. it does not require any company in america to participate in this. it does not require any entity to turn over information to the federal government for the purposes of the federal government partnering with that company to determine who hacked their system, who penetrated and who exfiltrateed personal data. if a company has made a determination that they don't want to support this bill, for whatever reason, i have resigned to the fact that that's a debate between their customers and themselves, that it's in fact their customers that have to question the actions of the company. i can confidently tell my colleagues that senator feinstein and i have done everything to make sure that
there is wholesome participation by companies on a voluntary basis because we see tremendous value in those parts of our government that are experts at processing attacks like this to be able to identify who did it and what tool was used, but more importantly what software defensive mechanism can you put on your system to limit any additional exfiltration of data and to more broadly the rest of the business community to say here's an attack that's in progress, here's the tool they're using, here's how you defend your data. now, we leave this open if we passed it, but there may be a company that decides they don't support this legislation. they can still participate in this program. and do you think if they get a call from the department of homeland security or from the national security agency saying here's an attack that's
happening, here's a tool they're using, they're going to look at their system and say is it in our system, and they get the benefit of still participating and partnering with the federal government, even though they didn't support the legislation. i know over the next day or so, the vice chairman and i will concentrate on sharing with members what's actually in the manager's package. we don't leave it up to staff just to cover it, and let me just briefly say there are 15 points that i would make about the manager's package. one, it eliminates the government's use -- uses for non-cyber crimes. in other words, a removal of the serious violent felonies. two, it limits the authorization to share cyber threat information for cybersecurity purposes, period. three, it eliminates new foia
exemptions. in other words, everybody is under the same foia regulations that existed prior to this legislation being enacted. four, it ensures defensive measures are properly limited. we can't get wild and put these things in places that government shouldn't be, regardless of what the threat is. five, it includes the secretary of homeland security as co-author, co-author of government-sharing guidelines. i think this is -- this is an incredibly important part. the individual who is in charge of homeland security, that secretary, is actively involved in the guidelines that are written. six, it clarifies exceptions to the d.h.s. portal entry point for the transfer of information. seven, it adds a requirement
that the procedures for government sharing include procedures for notifying u.s. persons whose personal information is known to have been shared in violation, in violation of this act. in other words, if a company mistakenly transmits information, the government is required to notify that individual, but additionally, theovernment is statutorily required not to disseminate that information to any other federal agency once it comes in and that is identified. eight, it clarifies the real-time automated process for sharing through that d.h.s. portal. nine, it clarifies that private entities are not required to share information with the federal government or another private entity. ten, it adds a federal cybersecurity enhancement title. 11, it adds a study on mobile device security. 12, it adds a requirement for the secretary of state to produce an international
cyberspace policy strategy. 13, it adds a reporting provision concerning the apprehension and prosecution of international cyber criminals. 14, it improves the contents of the by annual -- by annual -- biannial report on systems implementation. some have raised issues on this saying why aren't there more reports. there is biannual report on the implementation and how it's going. and 15 and the last is additional and technical conforming. we didn't get into detail, we will get into detail later, but i say that because if that has in any way triggered with somebody who felt that they were opposed to the bill because of something they were told was in, maybe it was covered by one of those 15 things that i just talked about, things that the
vice chairman and i brought to our attention. we sat down, we looked at it. we didn't feel like it changed the intent of the bill, and we have always erred on the side of protecting personal data, of not letting this legislation extend outside of what it was intended to do. where we have drawn the line is when we believed that the effort was to thwart the effectiveness of this legislation. i remind you one last time, this legislation does not prevent cyber attacks. this legislation is designed to minimize the loss of the personal data of the customers of the companies that are penetrated by the cyber actors. as we stand here today, we've had some rather significant
breaches within the united states, but i remind my colleagues just today they proposed a high school student has hacked the unclassified accounts, personal young people, of the secretary of the department of homeland security and the director of the c.i.a. now, is there anybody that really thinks that this is going to go away? because we're having a debate in the united states senate and the congress of the united states, the people that commit these acts and go without any identification are going to quit. no, it's going to become more rampant and more rampant and more rampant. and from the standpoint of two of 15 members that are designated by the united states senate and its leadership, to on behalf of the other 85 look at the most sensitive information that our country can accumulate
about threats, as many threads of threats as we look at today on the security of the american people, i think i can speak for the vice chairman, we are just as concerned about the economic security of the united states based upon the threat that we're faced with from cyber actors here at home and more importantly around the world. so i would urge my colleagues if you have something to contribute, come to the floor and contribute it. if you have an amendment already pending, come to the floor and debate it and vote on it. but give us the ability to work through the great thoughts of all 100 members but recognize the fact that those individuals who you have entrusted to represent you with the most sensitive information that exists in our country came to a 14-1 vote when they passed this
originally out of the intelligence committee. that's because of how grave we see the threat and how real the attackers are. so i -- i thank the vice chairman. she has been absolutely wonderful to work with through this process. we're going to have a long couple of days if we process all of this, but i'm willing to be here as long as it takes so that we can move on and conference this with the house. i would yield the floor. mrs. feinstein: madam president? the presiding officer: the senator from california. mrs. feinstein: thank you very much, mr. chairman, for those words. i have one little duty left. i call for the regular order with respect to the whitehouse amendment number 2626. the presiding officer: the amendment is now pending. mrs. feinstein: i ask that the amendment be modified with the changes that are at the desk. the presiding officer: the amendment is so modified. mrs. feinstein: i thank the
mr. perdue: madam president, i ask that the quorum call be rescinded. the presiding officer: without objection. mr. perdue: i rise tonight to speak very briefly about the stop sanctuary cities act, which i was proud to cosponsor here in the senate. simply put, this legislation protects american citizens from criminal illegal immigrants. today at least 340 cities across our country are choosing not to enforce our nation's immigration laws. these sanctuary cities have become a safe haven for criminals who are not only in the united states illegally but also are committing additional crimes and repeatedly re-entering our country after being deported. this summer, we witnessed the tragic impact this lawlessness has on american citizens when kate steinle was murdered in san francisco, a sanctuary city, by a felon living in our country illegally and who was previously deported five separate times. three months prior to kate's tragic death, the department of
homeland security actually asked san francisco to detain this murder, but the sanctuary city refused to cooperate and released the criminal back into the community. had they not done that, had they turned that person over to homeland security as they were requested, kate might still be with us. this is unconscionable. mr. president, i do not think i can overstate the importance of this stop sanctuary cities act to the american people and to the people of my home state of georgia. the fact of the matter is that kate steinle did not have to die at the hands of a seven-time convicted felon and a five-time deportee. kate and many others would not have died if our country had a functional immigration system and a government that actually enforces our law. this is why it's absolutely crucial that we stop sanctuary cities and address this illegal immigration crisis, which has also become a national security
crisis. this bill would have done just that, and yet we were not able to even get it on the floor to have a debate. this is what drives people in my home state, mr. president, absolutely apoplectic. we want to get these bills to the floor, have an open debate, and let's let the americans see how we all vote on critical issues like this. it's a very sad day indeed when this body cannot come together to stop rogue cities from breaking our nation's laws, protecting the livelihood of american citizens and support our law enforcement officials. i thank senator vitter and chairman grassley for working closely with the victims' families and law enforcement to produce this legislation. i hope that we can continue to debate this and get this bill back on the floor. i will keep fighting to stop this lawlessness and protect all americans. mr. president, i yield back and i note the absence of a quorum. the presiding officer: the clerk will call the roll. quorum call:
a senator: mr. president? the presiding officer: the senator from rhode island. mr. whitehouse: mr. president, i ask unanimous consent that the pending quorum call be vitiated. the presiding officer: without objection. mr. whitehouse: may i ask to speak in morning business for up to 20 minutes. the presiding officer: without objection. mr. whitehouse: thank you, mr. president. last week, the head of the national oceanic and atmospheric administration, robert m. white, passed away at the age of 92. dr. white served this nation under five presidents and pioneered the peaceful use of satellites to understand our weather and climate. we do have environmental
problems, and they're serious ones. the preservation of species among them, he said. but the climate is the environmental problem that's so pervasive in its effects on this society. the climate is really the only environmental characteristic that can utterly change our society and our civilization. that was in 197. that same year james f. black, a top scientific researcher at the exxon corporation, gave that company's executives a similar warning. there is general scientific agreement, he told exxon's management committee, "that the most likely manner in which mankind is influencing the global climate is through carbon dioxide release from the burping of fossil fuels -- from the imurnburning of fossil fuels." exxon executives kept that a koasly guarded company secret for years. irrise todai rise today to urmig
that we wake up to the threat of climate change. i rise in the midst of a decades-long, purposeful corporate campaign of misinformation which has held this congress and this nation back from taking meaningful action to prevent that utter change. scrutiny of the corporate campaign of misinformation intensifies and scrutiny of the fossil fuel polluters behind it intensifies, and so the regular cast of right-wing climate-denier attack dogs have got their hackles up. on may 6, i gave a speech here on the floor. the speech compared the misinformation campaign by the fossil fuel industry about the dangers of carbon pollution to the tobacco industry's misinformation campaign about the dangers of its product. the relevance of that comparison is that the united states
department of justice, under the civil provisions of the federal racquet tear influenced and corrupt influence, rico, for short, brought an action against the tobacco industry. the united states alleged that the tobacco industry's misinformation campaign was fraudulent and the united states won. in a lengthy and thorough decision by united states district judge glad dis kessler, you could go ahead and read them, d.o.j.'s complaint and the judge's decision can be found at the web site of the justice department and the public health law center, respectively, and they're linked on my web site, whitehouse.senate.gov. her decision is a long one but makes good reading of the comparison strong. there are whole sections of the department of justice civil rico
complaint and whole sections of judge kessler's decision where you can remove the word "tobacco" and put in the word "carbon" and remove the word "health" and put in the word "climate" and the parallel with the fossil fuel climate-denial campaign is virtually perfect. this is not an idea i just cooked up. look at the academic work of professor robert brulle of direction direction he will uni- drexel university. look at the book "merchants of doubt," david michael's book "doubt is their product," and another book "deceit and denial." describing this industry-backed machine of deception. look at the journalistic energy of lisa song, david hasemeyer in
the recent reporting of inside climate news about what exxon knew about climate change versus the falsehoods exxon chose to tell the public. look at a separate probe by journalist sarah jer vivment ng, and susan rust in "the los angeles times." from all their work we know now that exxon, for instance, knew about the affect of its carbon pollution as far back as the late-1970's but ultimately chose to fund a massive misinformation campaign rather than tell the truth. no corporation, said bill mckiven, has ever done anything this book and this bad. and just today the person who probably knows the most about the tobacco litigation, the assistant attorney general of
the united states who prosecuted that case as a civil matter and won it in the united states district court, sharon ubanks, said about the climate denial rico idea, "i think a rico action is plausible and should be considered." here's how judge kessler depicted the culpable decision in that case. "defendants have intentionally maintained and coordinated their fraudulent position on addiction and nicotine as an important part of their overall efforts to influence public opinion and persuade people that smoking is not dangerous." end quote. now, compare that to the findings of dr. brulle, whose research shines light on the dark-money campaigns that fund and support climate denial. this climate denial operation, to quote dr. brulle, is "a
deliberate and organized effort to misdirect the public discussion and distort the public's understanding of climate." end quote. the parallels between what the tobacco industry did and what the fossil fuel industry is doing now are so striking, i suggested in my speech of may 6, that it was worth a look, that civil discovery could reveal whether the fossil fuel industry's activities crossed that same line into racketeering. i said that again in an op-ed piece i wrote in "the washington post" on may 29, regarding the civil rico action against tobacco. and oh, my ... what a catarwalling has ensued from the fossil fuel industry trolls. here is a quick highlight reel. one climate denier, christopher
murchgton declared "senator whitehouse is a fascist goon." and the official exxon responder got so excited about the suggestion that he used th a wod i'm not even allowed to use on this senate floor. he forgot word one in crisis management: don't lose your co cool.. brightbart said the notion that there is an industry-funded effort to mislead the american people about the harm caused by carbon pollution is a joke, a conspiracy theory on par with area 51 or the faking of the moon landing. wcialwell, tell that to the tobo industry. the editorial page editor of the "wall street journal" said global warming concerns with based on computer models, not by
actual evidence of what we've seen so far. tell tha to the scientists who measure the effects of climate change every day. particularly in our oceans. the polluter-funded george marshall institute, a longtime climate denial outfit -- and who knows how they got to take respectable george c. marshal's name and slap it on a climate-denial industry front -- but they did -- they wrote that this was an attack on constitutional rights. well, that kind of presumes the answer because there's no constitutional right to commit fraud. similarly, calvin bisner, founder of another phony baloney industry front called the cornwall alliance, said the same. "the mere suggestion of considering this action represents -- quote -- "a direct attack on the right to freedom of speech and the press
guaranteed by the first amendment and is -- quote -- "horrifically bad for science." coming from a science denial outfit, that concern for science is rich. and, again, fraud is not protected by the first amendment. in the "national review," i was accused of wanting to launch -- and i quote them -- "organized crime investigations against people and institutions that disagree with me about global warming in order to lock people up as ma mafiosi." crime, lock people up? let's remember, mr. president, we're talking about civil rico, not criminal. no one wan went to jail in the tobacco case. investigating the organized climate denial scheme under civil rico is not about putting pipeline people in jail. query why the "national review"
would mislead people about such an obvious fact, and they're not alone. the right-wing backlogosphere is lit up with -- blogosphere is lit up with how this is a criminal charge. read the tobacco complaint. it is on the department of justice web sievment even people who port to be legal scholars are misleading people that way. all a civil rico case does is get people to have to actually tell the truth, under oath, in front of an actual impartial judge or jury and under cross-examination, which the supreme court has described as the greatest legal invention ever invented for the discovery of truth. no more spin and deception. but that's exactly the audience polluters and their allies can't bear. so the flax set off criminal
smoke screens and launch fascist goon and tokimada his stairics. a few weeks ago 20 scientists agreed with me and wrote a letter to attorney general lithuania. that was too much for the troll-in-chief for the fossil fuel industry, the "wall street journal" editorial page. "the wall street journal" editorial page has long been an industry science denial mouthpiece. they use the same playbook every time. one, deny the science, two, question the motives of support,and, three, exaggerate the costs of reforms. for instance, when scientists warned that chlorofloor owe car gons bonus could break down the atmosphere, they devalued the science, attacked scientists and exaggerated the costs associated with regulating c.f.c.'s. turns out they were dead wrong.
when acid rain was falling in the northeast, "the wall street journal" editorial page questioned the science, claimed the sulfur dioxide effort was driven by politics, and said fixing it carried a huge price tag. ultimately, the journal's editorial page after years of this had to recant and admit that the cap-and-trade program for sulfur dioxide -- and i quote them -- "saves about $700 million annually compared with the cost of traditional regulation and has been reducing emissions by 4 million tons annually." end quote. now on climate change, the journal is back to the same pattern -- deny the science, question the motives of climate scientists, exaggerate the costs of tackling carbon pollution. for decades, the journal has been persistently publishing editorials against taking any action to prevent man-made climate change. on this, the editorial page
said, "by talking about civil rico, i'm trying to forcibly silence -- force bligh silence the denial aprater us." first of all, against the billions of the koch brothers and the billions of exxonmobil? fat chance that i have much force to use, and silence? i don't want them silent. i want them testifying in a forum where they have to tell the truth. is the "journal" really sthaig in a forum where climate deny arsers have to tell the truth their only response would have to be silence? making them tell the truth forcibly silences them? because the only thing civil rico silences is fraud. by the way, the "journal" editorial never mentions that
the government won the civil rico case against tobacco and on very similar facts. that would detract from the fable. who does the journal cast as their victim in their fable? well, none other than willie soon who they said i singled out for "having published politically inconvenient political research on changes in solar radiation." politically inconvenient research. actually, what's inconvenient for dr. sun is that "the new york times" reported that he gets more than half his funding from big fossil fuel interests like exxonmobil and the charles g. koch foundation to the tune of $1.2 million and didn't disclose if. -- i it. they even gave his industry backers a chance for permanent
input before he published and he referred to the papers he produced for them as -- quote -- "deliverables." end quote. in case anyone listening doesn't know this, that's not how real science works. of course, none of this sordid financial conflict is even mentioned by "the wall street journal" editorial page. they'd rather pretend that dr. sun is being singled out for politically inconvenient views. please. it gets better. in the editorial, the role of neutral expert commenting on all of this goes to georgia tech's judith curry. she offers the opinion that my -- quote -- "demand for legal persecution represents a new low in the politicization of science." this is a