tv U.S. Senate CSPAN October 21, 2015 2:00pm-4:01pm EDT
2:00 pm
the information-sharing bill does. and i'm going to break it into three baskets. it's about business to business. what this bill does is it allows a company that has been hacked and somebody has penetrated their computer system and has access to their data to immediately pick up the phone and call their competitor and to ask their competitor whether they have had a similar penetration of their system. it's only reasonable to expect that the first person you would go to is a company that has a business that looks exactly like yours. in that particular case, this legislation provides that company with protection under the antitrust laws. antitrust forbids companies from collaborating together. and what we say is that if it
2:01 pm
has to do with minimizing the loss of data, we want to allow the collaboration of competitors for the specific reason of discussion -- discussing a cyber attack. as the president of the senate recognizes, i have designed something in this that doesn't require a corporate lawyer to sit in the room when the decision is made. no dislike i have for lawyers other than the fact that they slow things down. and to minimize the loss of data means that you have to have a process that goes in real time from the bottom of the chain all the way to the decision making and the communication back down not only to that business, but to the entire economy. so having a lawyer that has to think through can we legally do this really
2:02 pm
defeats the purpose of trying to minimize data loss. so we give them a blanket exemption under antitrust laws so they know up front i can pick up the phone and i can call my competitor and there's no justice department that's going to come down on me as long as i can confine it to the discussion of the cyber attack. at the same time we initiate what i call business to government, meaning that as the i.t. department is talking to their competitor, the i.t. department can notify through the federal portal we've been attacked, and that initiates the exchange of just a limited amount of information that's been predetermined by everybody in federal government that needs to do the forensics of who attacked, what tool did they use, and what defensive mechanism could you put up in the way of software that would eliminate the breach.
2:03 pm
we have in statute said, one, you can't transmit personal data unless it is absolutely crucial to understanding the forensics of the attack. we've also said in statutory language to the government agencies, if for some reason personal data makes it through your filters, you cannot transmit that personal data anywhere else within the federal government or to the public. we've gone to great lengths to make sure that personal data is not disclosed through the notification process of a hack. do understand that the personal data has already been accessed by the individual that committed the act but we want to make sure that -- that government doesn't contribute to the distribution of that data. and to create an incentive in a voluntary program for a business
2:04 pm
to initiate that notification to the federal government, we provide liability protection. any time a company allows personal data or data on their business to get out, there could potentially be a shareholder suit. what we do is we provide a blanket liability protection to make sure that a company can't be sued for the government notification of a security breach where data has been removed and it's in the best interests of government to know it, to react to it and for the general population of businesses in america to understand it. so we've got business-to-business collaboration with your competitor, antitrust protection business to government, liability protection, no personal data transmitted. and the last piece is government to business. it's hard for me to believe that
2:05 pm
the government didn't have the statutory authority to convey to businesses across america when a cyber attack's in progress. the federal government has to be asked to come in and typically you're going to be asked by the company that is the one that's been attacked. but how about their competitors? how about the industry sector? how about the whole u.s. economy? no authority to do that. this bill creates the authority in the federal government to receive that information from a company that's been penetrated, to process it, to understand who did it, to understand the attack tool that they used, to determine the defensive mechanism of software that can be put on and then to notify american businesses, here's an attack that's happening now. here's the attack tool and here's the software that you can buy off the shelf and put on your computer system to protect you.
2:06 pm
that's it. that's the entire information sharing bill. and it's voluntary. so let me touch on eight things very briefly. why is there a need for cyber legislation? i don't want to state the obvious but we've already seen individuals and nation states penetrate the private sector and steal personal data and the federal government and steal personal data. i really thought it would hit home with my colleagues up here when the office of personnel management got breached. now we're up to 22 million, 24 million individuals that were compromised. but more importantly, the extent of personal data at o.p.m.
2:07 pm
extended to every individual who had ever applied for a security clearance, who had ever been granted a security clearance, who had ever had security clearance, is now retired, for some reason that application remained in the database. in that application of 18 pages, it's the most personal information one can find. it lists your parents and their social security numbers. your brothers, your sisters, where you've lived since you graduated from college. it even has a page that asks you to share how someone might blackmail you. what the most obvious way. probably some of the most damaging personal information that one can have breached. cyber attacks have harmed multiple u.s. companies.
2:08 pm
if this wasn't serious, would the president of china and the president of the united states, when they met several weeks ago, have come to an agreement about how they intercede if one country or the other commits a cyber attack against each other? probably not. our bill is completely voluntary. and i think it's safe to say that those that want to share data can, in fact, share data on this. i mentioned the word "realtime." what we want to do is we want to create a realtime system because we want a partnership. we want a partnership with private companies, with other private companies and we want a partnership with the private sector and the public sector. and you can't get a partnership by mandating it. all you can get is an
2:09 pm
adversarial relationship. so we maintain that voluntary status so that in hopes, the sharing of that information is, in fact, realtime. we can control, once you transmit to the federal government, how to define realtime. i have no control over a private company's decision once they know they've been breached to the point that they actually make a notification to the federal government. but with the liability protection, with antitrust coverage, we're convinced that we're structured from the beginning to create an incentive for realtime to take place. three, voluntary participation. four, we protect personal privacy. now, many have come to the floor and they have suggested that this is a surveillance bill.
2:10 pm
let me say to my colleagues and to the american people, there's no capability for this to become a surveillance bill. the managers' amendment took those things that people were concerned with and we eliminated them. so we can be accused of a lot of things, but to accuse this of being a surveillance bill is either, one, a sign of ignorance or a sign that one's being disingenuous. it's not a surveillance bill. be critical of what we're attempting to do, be critical of what we do do. but don't use the latitude to suggest that this is something that it's not. we require private companies and the government to eliminate any
2:11 pm
irrelevant personal identifiable information before sharing that cyber threat indicators or putting up defensive mechanisms. this bill does not allow the government to monitor private networks or computers. it does not let the government shut down web sites or require companies to turn over personal information. this bill does not permit the government to retain or use cyber threat information for anything other than cybersecurity purposes. identifying a cybersecurity threat, protecting individuals from death or serious bodily harm or economic harm. protecting minors or investigating limited cyber crime offenses. fifth, this bill provides rigorous oversight and requires a periodic interagency inspector general's report to assess whether the government has violated any -- any -- of the
2:12 pm
requirements in this bill. the report also will assess any impact that this bill may have on privacy and civil liberties. we require in the report for the i.g. to report to us whether anybody did anything outside what the statute allowed them to do. but we also ask the i.g. to make a gut call on, did we protect privacy and civil liberties? finally, our managers' amendment has incorporated an additional provision to enhance privacy protection. first, our managers' amendment omitted the government's ability to use cyber information to investigate and prosecute serious violent felonies. now, let me raise my hand and say i'm guilty. it was something i felt very strongly should be in the bill. that as we investigate a cyber crime, if we find an individual that has committed a felony and it's not related to cyber, i
2:13 pm
thought we should turn that over to law enforcement. but, no, we've dropped it. i don't want there to be any question as to whether this is an effective cybersecurity -- cyber information sharing bill. so, second, our managers' amendment eliminated cyber threat information sharing authorities to those who are shared for cybersecurity purposes. both of those changes ensure that nothing in our bill -- nothing in our bill -- reaches beyond the focus of cybersecurity threats that intends to prevent and deter. nothing in this bill creates any potential -- any potential -- for surveillance authorities. now, as i said, despite rumors to the contrary, this bill's voluntary. it's voluntary threat indicator
2:14 pm
sharing with authorities that do not provide in any way for the government to spy on or use library and book records, gun sales, tax records, educational records and medical records. there's something in that for every member of every state. i can honestly look at my librarians and say that we haven't breached the public library's protection of intellectual property -- of personal data. now, i will say that librarians aren't fans of this legislation. i don't think they've read the managers' amendment that spells out the concerns that we heard and said, this can't go there. i'm not sure that you can statutorily state it any clearer than what we've done. given that cyber attackers have hacked into stolen and publicly disclosed so much private, personal information, it's
2:15 pm
astounding to me that privacy groups would oppose this bill. it has nothing to do with surveillance and seeks to protect the private information from being stolen. five, there are no offensive measures. this bill ensures that the government cannot install, employ or otherwise use cybersecurity systems on private sector networks. in other words, no one can hack back into another computer, even if the purpose is to protect against or squash a cyber attack. it can't be done. it's illegal. the government cannot retain or use cyber threat information for anything other than cybersecurity purposes, preventing, investigating, disrupting and prosecuting limited cyber crimes, protecting
2:16 pm
minors, protecting individuals from death or serious bodily harm or economic harm. the government cannot use cyber threat information in regulatory proceedings. let me state that again. the government cannot use cyber threat information in regulatory proceedings. if somebody believes this is not voluntary and that there is some attempt to try to get a mandatory hook in here where regulators can turn around and bypass the legislative responsibility of the congress of the united states, let me just say we're explicit. it cannot be done. but we're also explicit that the government cannot retain this information for anything other than the list of items that i just covered. this provides focused liability protection to private companies that monitor their own systems and share cyber threat
2:17 pm
indicators and defensive mechanism in accordance with the ability. but the liability protection is not open-ended. the system doesn't provide liability protection for a company that engages in gross negligence or willful misconduct. now, i'm not a lawyer but i have been told that ties it up pretty tight, that it makes a very small, narrow lane that companies can achieve liability protection and that lane means that they're transferring that information to the federal government. and last, independent oversight. mr. president, this bill provides rigorous oversight. it requires a periodic interagency inspector general's report to assess whether the government has violated any of the requirements of this act. the report also will assess any
2:18 pm
impact that this bill may have on privacy and civil liberties as well as an assessment of what the government has done to reduce any impact on those. and this bill further requires that an independent privacy and civil liberties oversight board to assess any impact that this bill may have on privacy and civil liberties is in fact reviewed. internally, the inspector general. the inspector general checks to make sure they live by the letter of the law. the inspector general makes an assessment on the privacy and civil liberties. and we set up an independent board to look at whether, in fact, privacy and civil liberties have been protected. i say to my colleagues if there's more that you need in here, tell us what it is. the amendment process is open.
2:19 pm
mr. president, here's where we are. the privacy folks don't want a bill, period. some members don't want a bill, period. i'm willing to adapt to that. i only need 60 votes for this to pass, then i have to conference it with the house that has two different versions, and then i have to go to the other end of pennsylvania avenue and i have to convince the president and his whole administration to support this bill. well, let me quote the secretary of the department of homeland security today -- they support this bill. the national security council tomorrow is going to come out in support of this bill. why? because most people recognize the fact that we need this, that this is the responsible thing to do. this is why congress was created
2:20 pm
. if, in fact, there are those who object, don't participate. i say to those businesses around the country i'm not going to get into your decisionmaking. i think it's flawed. you hold most of the personal data of any companies out there, yet you don't want to see any coordinated effort to minimize data loss in the u.s. economy? i think that's extremely shortsighted. i think our customers would disagree with you, but the legislation was written in a way that allows you to opt out and to say i don't want to play in this sandbox. now, i say to my colleagues and to the american people is that a reason for us not to allow the
2:21 pm
thousands of companies who want to do it, representing hundreds of thousands and millions of customers who want to protect their credit card number, their health records, all the personal data that's out there on them. if they want to see that protected, should they not have that done because some companies say i don't want to play? no. you make it voluntary and you allow them to opt out and for them to explain to their customers why if i am with another tech company and they are participating in this, they must be more interested in protecting my data. i think it's a tough sell myself. there -- as a guy in business for 17 years, i know what's up here. some are looking at this as a marketing tool. they're going to go out and say we don't participate in transferring data to the federal government. oh, really? wait until the day you get
2:22 pm
penetrated. wait until the day they download all that personal information on all of your customers. you're going to be begging for a partnership with the federal government. and you know what? we're going to extend it to you whether you liked it or not. whether you voted for the bill or supported the bill or spoke in favor of the bill or ever participated in it. if we pass this bill, which i think we will, we'll have an opportunity to partner with the federal government, to do it in an effective way. in the meantime, i think there will be just as many businesses using the marketing tool that says you know what? we like the cyber information sharing bill, and if we ever need to use it, we're looking forward to partnering with the department of homeland security, the f.b.i., the national security agency, because we want to minimize the exposure of the loss of data that our customers could have. mark my word, there is a real battle getting ready to brew
2:23 pm
here. again, putting on my business hat. i like the hand of being able to go out and sell the fact that i'm going to partner if something happens much better than the selling pitch that i'm going to do this alone. think about it. a high school student last week hacked the personal email account of the secretary of the department of homeland security and the director of the c.i.a. i mean, this is almost "star trek" beam me up, scotty, that there are people that believe this is going to go away. it's not going away. every day, there is an attempt to try to penetrate a u.s. company, an agency of the federal government for one reason -- to access personal data. the intent is there, from individuals and from nation states. for companies that think this is going to go away or think that
2:24 pm
they're smart enough that it's not going to happen to them, i've seen some of the best. and you're one click away from somebody downloading and entering your system, and that click may not be protected by technology. it may be the lack of ability of an employee to make the right decision on whether they open an email or not. and boom, you've just exposed everybody in your system. so i'll wrap up because i see my good friend and colleague senator wyden here. we will have several days, based upon the process that we've got in front of us, to talk about the good. some will talk about the bad, which i don't think exists. but let me assure you that the ugly part of this, the ugly part of this is that cyber theft is
2:25 pm
real. it doesn't discriminate. it goes to where the richest pool of data is, and in the case of the few companies that really are not supportive of this bill, they are the richest depositories of personal data in the world. i hope they wake up and smell the roses. i yield the floor. mr. wyden: mr. president? the presiding officer: the senator from oregon. mr. wyden: before my colleague, the distinguished chairman of our intelligence committee, and i'm always thinking about the history of the committee. i believe chairman burr, ranking minority member senator feinstein and i have been on the intelligence committee almost as long as anybody in history, so i always like to work with my
2:26 pm
colleague. this is an area where we have a difference of opinion. i'm going to try to outline what that is and still try to describe how we might be able to work it out. mr. burr: i thank my colleague. i think he diplomatically referred to me as old, but i know that wasn't the case. he's exactly right. we have served on -- served a long time. most issues we agree on. this is one we disagree on, but we do it in a genuine diplomatic way, and contrary to maybe the image that some portray to the american people, we fight during the day and we can have a drink or go to dinner at night, and we're just as likely to work on a piece of legislation together next week. so that's what this institution is and it's why it's so great.
2:27 pm
mr. wyden: well said. nothing better than having carolina barbeque unless it's oregon salmon. yes, we old jocks, former football players and basketball players, we have tough debates and then we go out and enjoy a meal. here's how i'd like to start this afternoon, mr. president. the distinguished chairman of the committee is absolutely correct in saying that cybersecurity is a very substantial problem. my constituents know a lot about that because one of our prominent employers, solarworld, a major manufacturer in renewable energy was hacked by the chinese simply because this employer was trying to protect its rights under trade law. in fact, our government indicted
2:28 pm
the people's liberation army for their hacking in to this major oregon employer. so no question that cybersecurity is a major problem. second, there is no question in my mind that information sharing can be very valuable in a number of instances. if you know, for example, someone's associated with hacker, malware, this sort of thing, of course it is important to promote that kind of sharing. where the difference of opinion is is i believe this bill is badly flawed because it doesn't pass the test of showing that when you share information, you've got to have robust privacy standards or else millions of americans are going
2:29 pm
to look up and they're going to say that's really not cybersecurity. they're going to say it's a surveillance bill. so that's what the difference of opinion is. and now let me turn to how i have been trying to improve the legislation. i'm going to speak for a few minutes on my amendment number 2621 to the bill that we have been discussing that's now pending in the senate. obviously, anybody who has been watching the debate on this cybersecurity bill has seen what one has to call a spirited exchange of views. senators are debating the substance of the legislation, and as i just indicated to chairman burr, indicated to ranking minority member feinstein, there is agreement on a wide variety of points and issues. both supporters and opponents of the bill agree that sharing information about cybersecurity
2:30 pm
threats, samples of malware, information about malicious hackers, all of this makes sense, and you ought to try to promote more of it. and both supporters and opponents now agree that giving corporations immunity from customer lawsuits isn't going to stop sophisticated attacks like the o.p.m. personnel records breach. i'm very glad that there has been agreement on that point recently, mr. president, because i know that proponents of the bill for some time said that their legislation would stop hacks like that that took place at o.p.m. when technologists reviewed it, that was clearly not the case and the claim has been withdrawn that somehow this bill would prevent hacks like we saw at o.p.m.
2:31 pm
are the difference of opinion between supporters and opponents of the bill who do agree on a variety of these issues, the big differences of opinion surround the likely privacy impact of the bill. supporters have essentially argued that the benefits of this bill, particularly now that they've withdrawn the claim that this would help against an o.p.m. attack, they've said the bill's benefits perhaps are limited but every little bit helps so there's no downside to them to just pass the bill. makes sense. pass the bill and no downside. opponents of the bill who grow in number virtually every day have been arguing that the bill is likely to have a significant negative impact on the personal privacy of a large number of americans and that this greatly outweighs the limited security benefits.
2:32 pm
if an information sharing bill doesn't include adequate privacy protections, i'm telling ya, mr. president, and colleagues, i think those proponents are going to have people wake up and say, i really don't see this as a cybersecurity bill but it really looks to me like a surveillance bill by another name. now, i imagine, you know, colleagues who have been, you know, following this and looking at the bill are trying to sort through this discussion between proponents and opponents and to help clarify the debate, i would like to get into the text of the bill for just a minute. if colleagues look at page 17 of
2:33 pm
the burr-feinstein substitute -- and that is the latest with respect to this bill, mr. president -- page 17 of the burr-feinstein substitute amendment, those senators are going to see a key section of the bill. this is the section that discusses the removal of personal information when data is shared with the government. the section says very clearly that in order to get immunity from a lawsuit, a private company has to review the data they would provide and remove any information that the company knows is personal information unrelated to a cybersecurity threat. this language, in my view, clearly creates an incentive for companies to dump large
2:34 pm
quantities of data over to the government with only a cursory review. as long as that company isn't certain that they are providing unrelated personal information, that company gets immunity from lawsuits. some companies may choose to be more careful than that, but this legislation and the latest version, the burr-feinstein substitute amendment, would not require it. this bill says with respect to personal data, when in doubt, you can hand it over. my amendment 2621 is an alternative. it's very simple. it's less than a page long. it would amend this section that
2:35 pm
i have just described to say that when companies review the data that they provide, they ought to -- quote -- "remove to the extent feasible any personal information or identifying a specific individual that is not necessary to describe or identify a cybersecurity threat." so the alternative that i am offering, mr. president, gives companies a real responsibility to filter out unrelated personal information before that company hands over large volumes of personal data about customers and -- or people to the government. now, the sponsors of the bill have said that they believe that companies should only give the government information that's necessary for cybersecurity.
2:36 pm
and should remove unrelated personal information. i agree with them. but for reasons that i've just described, i would say, respectfully, that the current version of this legislation does not accomplish that goal. and that's why i believe that the amendment i've offered is so important. so for an example of how this might work in practice, imagine that a health insurance company finds out that millions of its customers' records have been stolen. if that company has any evidence about who the hackers work or how they stole this information, of course it makes sense to share that information with the government. but that company shouldn't simply say, here you go, and hand millions of its customers' financial and medical records over for distribution to a broad
2:37 pm
array of government agencies. the records of the victims of a hack should not be treated the same way that information about the hacker is treated. companies should be required to make a reasonable effort to remove personal information that is not needed for cybersecurity before they hand information over to the government. that's what my amendment seeks to achieve. that's not what is in the substitute amendment. i would say to colleagues, furthermore, that if you hear the sponsors of the substitute saying that this bill's privacy protections are strong and you have heard me making the case that they really don't have any
2:38 pm
meaningful teeth, they're too weak, don't just take my word for it. listen to all of the leading technology companies that have come out against the current version of this legislation. these companies know about the importance of protecting both cybersecurity and individual privacy. and the reason they know, mr. president -- and this is the case in pennsylvania, in oregon and everywhere else -- these companies have to manage the challenge every single day. every single day companies in pennsylvania and oregon have to make sure that they're protecting both cybersecurity and individual privacy. and those companies, they know that customer confidence is their lifeblood and that the only way to ensure customer confidence is to convince
2:39 pm
customers that if your product is going to be used, their information will be protected both from malicious hackers and from unnecessary collection by their government. i'd also like to note, mr. president, that there's another reason why it's important to get the privacy protections that i'm offering in my amendment done at this time. the companies that i've just described are competing on a global playing field. these companies have to deal with the impression that u.s. laws do not adequately protect their customers' information. right now these companies, companies that are located in pennsylvania, in oregon, right now these companies are dealing with the fallout of a decision
2:40 pm
by a european court to strike down the safe harbor data agreement between the united states and the european union. the court's ruling was based on the argument that u.s. laws, in their present form, do not adequately protect customer data. now, i strongly disagree with this ruling. at the same time, i'd like to say to colleagues -- my colleague, the president of the senate, he and i have worked closely on international trade as members of the finance committee -- i'd say to colleagues who are following this international trade question and the question of the european union striking down the safe harbor for our privacy laws, in my view, this bill is likely to make things even more
2:41 pm
difficult for american companies who are trying to get access to those customers in europe. to give just a sampling of the leading companies that have come out against the cisa legislation, let me just briefly call the roll. there's the apple company. they have millions and millions of customers. they know a great deal about what we've got to do to deal with malicious hackers and protect privacy. dropbox, twitter, salesforce, yelp, reddit, the wikimedia foundation. and i'd point to the strong statement by the computer and communications industry association. their members include google, amazon, facebook, microsoft, yahoo, netflix, ebay and paypal. their statement and those
2:42 pm
companies, mr. president, those individual companies that i've mentioned, they have millions and millions of customers. and the organization that speaks for them says -- quote -- "cisa's proscribed mechanism for sharing of cyber threat information does not sufficiently protect users' privacy." and, of course, on top of this, mr. president, there has been widespread opposition from a larger spectrum of privacy advocacy organizations. here the groups range from the open technology institute to the american library association. i was particularly struck by the library association's comments in opposition to this bill.
2:43 pm
i think they said -- and this is really paraphrasing -- mr. president, i think the library association leadership said something like, when the library association opposes legislation that the authors say will promote information sharing, they indicated there was a little something more to it than what the sponsors are claiming. and in wrapping up, i want to make it clear, as i said yesterday, that i appreciate that the bipartisan leadership of our committee has tried to respond to these concerns. i mean, they know that these large companies with expertise in collecting data and promoting cybersecurity, they've all come out against the bill. i heard talk about privacy
2:44 pm
protections. mr. president, i don't know of a single organization that is looked to by either side of the aisle, democrats and republicans, for expertise in privacy that has come out in favor of the bill. so the sponsors of this legislation and the authors of the substitute amendment, which i have tried to describe at length here this afternoon, the sponsors of the amendment to allow for a substitute, they're correct in saying that they have made some changes, but those changes do not go to the core of the bill. for example, the amendment that i've described, which would really, in my view, fix this bill by ensuring that there was a significant effort to filter out unrelated personal and private information that was
2:45 pm
sent to the government under the bill. so i hope senators will listen to what the groups and the companies that have expertise in this field have said, and i hope senators on both sides of the aisle will support the amendments that i and others have offered. the senate needs to do better than to produce a bill with minimal effects on the security of americans and significant downside for their privacy and their liberties. with that, mr. president, i yield the floor. the presiding officer: the senator from rhode island. mr. whitehouse: mr. president, i would like to speak for five or six minutes on the cyber bill. and, unfortunately, i'm here to express my distaste for the manner in which this bill has
2:46 pm
proceeded. i have an amendment that is not going to be voted on, and let me describe some of the characteristics of that amendment. first of all, it is bipartisan. it is senator graham's and my amendment. second, it's had a hearing. we've had a hearing on it in the judiciary committee and considerable work has gone into it. three, it has the support of the department of justice. it repairs holes in our criminal law for protecting cybersecurity that we worked very carefully on with the department of justice and which we've had testimony in support of from our department of justice prosecutors. and, last, it was in the queue. it was in the list of amendments that were agreed to when we agreed to go to the floor with this bill. so i don't know how i'm going to vote on this bill now, but if you've had a bipartisan amendment that's had a hearing,
2:47 pm
that was in the queue and has the support of the department of justice and you can't even vote on it, then something has gone wrong in this process. i remember senator sessions coming to the floor and wondering how some appoint themselves masters of the universe and go off in a quiet room somehow and decide that certain amendments will and will not be heard. let me tell you what our bill would do. one, there are people out there in this world in this cyber universe of crime who are trafficking in information for purposes of fraud and theft. if they don't have a technical connection to america, we can't go after them. there is an american victim but we can't go after them. that's a loophole that harms americans that this bill would close. i can't believe there's one member of this institution who
2:48 pm
would oppose closing a loophole that allows foreign criminals access to americans' financial information for fraudulent purposes but puts them beyond the reach of our criminal law. that's one part of what our bill does. the second is it raises penalties for people who intrude on critical infrastructure. you can go all around this country, you can go to military installations that have way less security concerns than our critical infrastructure, like our electronic grid, and you will see chainlink fences that say "department of whatever" you can't go in there and the reason is because there is a national security component to what's going on in there. there's a huge national security component to our critical infrastructure, like our electric grid. all this would do is raise the penalties. you can still go in, but if you get caught doing something
2:49 pm
illegal there, then it's a little different if you're attacking america's critical infrastructure than if you're just prowling around in some other portion of the web that does not have that. again, i think if that came to a vote, we'd probably get 90% of this body in favor of it. who is in support of allowing people to mess around in our critical infrastructure? the third is botnet brokers. botnets are out there all over the internet. there is no such thing as a good botnet. there are people who are brokers who allow access because the laws are so out of date. if you're just brokering access to a botnet for criminal purposes, there is no offense. why would we not want to empower our department of justice to be able to go after people who are criminal brokers allowing access
2:50 pm
for criminals into botnets to use for criminal purposes against americans? i don't understand that. and lastly, botnet takedowns. a botnet is a weed. we wait until somebody actually encounters that weed and is harmed by it before we allow our department of justice to act. we should be out there taking down botnets on a hygiene basis all the time. we're limited because of this artificiality. that's the fourth piece of the bill. it empowers botnet takedowns. we should be doing a lot more of that. unless somebody here is in the botnet caucus and is in favor of more botnets out there, this is something that would probably pass unanimously and yet i can't get a vote. bipartisan, had a hearing, in the queue, supported by the department of justice, and those are the four sub-elements of it, and for some reason the masters
2:51 pm
of the universe have gone off and had a meeting in which they decided this was not going to be in the queue. i object to that procedure, and i'm sorry that we're at this stage at this point. because i think that on the merits, this is -- this would win. this is a bipartisan good department of justice-supported law enforcement exercise to protect people against cyber criminals. and i don't know what the sense is that there's some hidden pro-botnet caucus here that won't let a bill like mine get a vote. i've seen senator carper here who's done more great work, to try to be more productive than my amendment reflects and i hope we can sort this out to a point where an amendment like mine that was in the queue and the original deal that got us to this deal can get us back to
2:52 pm
some kind of a queue so we can get this done. i yield to my distinguished senior colleague from the great state of delaware. mr. carper: mr. president? the presiding officer: the senator from delaware. mr. carper: i appreciate the yielding by senator whitehouse. let me just say, your provision, senator whitehouse, doesn't end up in this bill and we actually do pass it, we will conference, i'm sure, with the house, and there will be an opportunity to revisit this issue. i hope you'll stay in touch with those of us who might be fortunate enough to be a conferee. mr. whitehouse: i appreciate that very much, more than the senator can know. mr. carper: i rise in support of the cybersecurity information bill introduced by senators burr and feinstein. i want to commend my colleagues and their staff for their leadership, for their tireless efforts on this extremely important piece of legislation. as ranking member and former chairman of the homeland security and governmental affairs committee, mr. president, i have been following cybersecurity and this
2:53 pm
information-sharing proposal in particular literally for years. in fact, when senator feinstein first introduced an information-sharing bill in 2012, that was like two or three senates -- congresses ago, it was referred to the homeland security and governmental affairs on which i serve. this bill was ultimately folded into -- that bill was ultimately folded into a comprehensive cybersecurity bill that i had the honor of cosponsoring with senators joe lieberman and susan collins and jay rockefeller and senator feinstein. we were not able to pass that bill, but i think it's paved the way for a number of other amendments that are going to be offered to that bill. last congress, mr. president, i worked with ranking member on the homeland security, dr. tom coburn, and our house counterparts -- not one, not two, not three, but four cybersecurity bills enacted into law, signed by the president. i believe these bills laid a very strong foundation for some
2:54 pm
significant improvements on how the department of homeland security carries out its mission and really for this bill before us, too. what the legislation that dr. coburn and i worked on last congress did in essence was to better-equip the department of homeland security to operate at the center of the kind of robust information-sharing program that the burr-feinstein bill would set up. how did it do that? one, to make sure that the department of homeland security would have the ability to attract and retain top-flight talent, much like the national security agency already has. legislation that actually takes something called the cyber op center within the department of homeland security and make it real and functional and an entity that people would use. and to take the federal information sharing act and to take something which is a paperwork operation, this legislation, like a once-in-a-year check to see how the cybersecurity agency might be and to turn it into not a paperwork operation, not a once
2:55 pm
every 365 day operation, but a 24/7 surveillance operation on the lookout for intrusions across the federal government broadly and that legislation affectionately known as fisma, that legislation was designed to make clear what the division of labor was between the office of management and budget and the department of homeland security on protecting the dot-gov domain. it was to steer the ship. that's a good division of labor given o.m.b. only has six employees who work on this stuff. the department of homeland security has hundreds. i think we've figured out the division of labor and also made sure that the d.h.s., the department of homeland security, has the resources and the technology they need. mr. president, sharing more cybersecurity threat information between the private sector and the federal government players
2:56 pm
who are on the front line is critical to our national security and over the last couple of years we've witnessed many troubling cyber attacks against our banks -- but not just our banks, against retailers, health providers and government agencies. some of these people launching attacks are just criminals. they want to steal information, make money off our personal information, off our intellectual property, for universities as well. others just want to be disruptive or they want to make political points. some actors, however, are capable -- would like to develop the capability to develop a cyber attack to cause physical damage. it's long past time to take action to combat these threats we face. this bill mirrored the administration's proposal.
2:57 pm
the president's administration asked me to introduce the information-sharing bill. before i did that we actually had a hearing in the committee on homeland security. part of the centerpiece of the hearing was the administration's proposal. we got some good ideas on how to make it better. we made it better and introduced that bill to use, if you will, a point-counterpoint in a positive way with the legislation that worked its way through the intelligence committee. we took input from a lot of experts and stakeholders and the measure we are discussing today shares the same goals. to increase the sharing of cyber threat information between the federal government and the private sector and between different entities within the private sector, and i'm pleased that we're finally discussing these critical issues on the senate floor. the substitute amendment we're debating today makes a number of improvements to the bill that was first made public after the intelligence committee reported it out. it also includes several changes that i as well as several of my
2:58 pm
colleagues have been calling for, including the chairman of our committee. i'd like to thank senators burr and feinstein. i want to thank their staffs for working closely with our staffs and others to produce what i think is a significantly smarter bill and stronger bill. is it perfect? no, not yet. but there's always room for improvement, and this is why we still have debate on a number of amendments made in order and for those mentioned by senator whitehouse that may be germane in conference. and while there may not be agreement on everything in this bill, i believe that most of our colleagues will come to the conclusion that it will help to improve our nation's security and our nation's economic security. the bill would ensure that our government is providing actionable intelligence to private-sector entities seeking to better protect themselves in cyberspace. businesses are hungry for
2:59 pm
information they can use to fend off attacks and better protect their customers. this bill would make the federal government a much stronger partner for them. many companies i have talked to also want to share more information with the federal government about what they're seeing online every day, but they're unsure of the rules of the road. in other words, mr. president, companies want more predictability, more certainty when it comes to working with our government. this bill would give them that by clarifying that they won't be putting themselves in legal jeopardy if they choose to share cyber threat information with our federal government. but if companies do want to avail themselves of the legal protections the bill offers, they would have to with just two narrow exceptions use the information-sharing portal at the department of homeland security. this puts the department of homeland security, a civilian entity, at the center of the information-sharing process. i think this is a smart and right thing to do. in fact, many experts and companies that i talked to across the country as recently
3:00 pm
as last week in silicon valley, they agree with what i've just said. i know many americans are uneasy with companies they do business with directly handling -- handing over data to an intelligence or law enforcement agency. the department of homeland security will carry out its responsibilities under this bill through its cyber center -- cyber op center that i mentioned earlier called the national cybersecurity and communications integration center. that's a mouthful. we call it affectionately, the ncic. it includes a number of agencies, representatives of financial services, utility industry, retail industry, and so as well. all together under one roof talking and working together to make it strong and more secure. one of the bills i worked with dr. coburn last congress authorized the center. we're pleased to see that bill would make the most out of the
3:01 pm
resources we've already invested in the center. earlier this month, jeh johnson told our homeland security and governmental affairs committee, he said, beginning in november, the cyber op center will have the capability to automate the distribution and receipt of cyber threat indicators. i will say that again. to automate the distribution and receipt of cyber threat indicators. in other words, mr. president, the department of homeland security will have the ability to share information with other agencies in real-time. not next month, not next week, not tomorrow, not in an hour but in realtime. which is really what this little bill before us today requires. and i know that realtime sharing is incredibly important to the bill's sponsors. it's important to me and probably many of our colleagues and stakeholders. equally important, however, is the ability of the department of homeland security to apply what i call a privacy scrub to the
3:02 pm
information -- the information that it receives from industry, the threat indicators that come from industry, see something, say something, stuff they send to the department of homeland security. we allow in the amendment that i've -- actually the bill that i authored with others in my committee, including our chairmen, the ability for the department of homeland security to, if you will, receive information through its portal from various entities that witness threat indicators, to see it and to put it through the port, to bring it through the portal, to do a privacy scrub. and that's one of the things the department of homeland security has expertise in doing. i used the example at lunch earlier today. mr. president, i talked about baseball. i know the presiding officer has some interest in baseball with a team called the phillies in philadelphia, the pirates in pittsburgh. and i would just say to him, thinking about baseball for a
3:03 pm
minute, let's say you're in the playoffs. let's say you're a team in the playoffs, you're in the ninth inning and you need to get somebody out of the bullpen to close, you have a one-run lead. you look to the bullpen, he's now retired, but you've got mariano rivera. and then you've got two young guys you just brought up. so do you bring one of the best closers in history or one of the young guys? well, you bring in mariano rivera. the department of homeland security, this is what they do. now they have the horses, the ability and the technology to do it even better. i know some of my colleagues are concerned that a privacy scrub would slow down the information sharing process. i share those concerns but i've been assured by the department, the smart people at the department of homeland security, that less than 1% of the information it receives would actually ever need to be reviewed by a human, by a person, the rest roughly 99%
3:04 pm
would be shared with other agencies at machine speed -- bingo. i'm very pleased that they've come up with the agreement and will be applied to the portal in the next couple of weeks. one of the amendments speaks to the privacy scrub process. it would make clear that the department of homeland security could carry out a privacy scrub in realtime and without delay. in fact, my amendment would add just one word to the bill so the d.h.s. could automatically continue to remove erroneous data from cybersecurity legislation. the managers have now modified their substitute amendment to make sure that the department of homeland security can do what it does best, and that is to apply a privacy scrub. personally pulling out privacy stuff and pulling out threat indicators that should be passed on to other federal agencies. the substitute amendment now
3:05 pm
says they should work with partners to share information while protecting privacy. this is a process that d.h.s. is already undertaking. i want to thank senator burr, feinstein, and our friends at department of homeland security and other agencies for working with my staff and me on this important matter. another amendment i put forward this time with committee chairman, senator johnson, aims to improve what we call cyber hygiene across the federal government and prevent attacks against federal agencies. this language is based on a bill that senator johnson and i introduced and had reported out of our homeland security committee by a unanimous vote. and the amendment does three main things. first, it would require all federal agencies to implement specific best practices and state-of-the-art technologies to defend against cyber attacks. for example, we had experts testify about the importance of strong authentication in data encryption. this amendment would make sure that agencies are taking these commonsense steps to bolster their cybersecurity. second, the amendment would
3:06 pm
accelerate the deployment and adoption of the department of homeland security's cyber intrusion and detection program. it's known as einstein, as in albert einstein but you don't have the "albert" in the name of this technology. it's called einstein. for my colleagues that may not be familiar with einstein with respect to the homeland security and cybersecurity, let me just take a couple of minutes to describe its main features. einstein. we have einstein 1, present at the beginning, einstein 2, a follow-on technology, and then there's einstein 3. einstein basically analyzes internet traffic entering and leaving federal civilian agencies to identify cyber threats and to try to stop attacks. the system's been rolled out in phases over the last several years. einstein 1, this is the first step, it sees and actually records internet traffic much like a guard at a checkpoint watching cars go by. maybe writing down the -- the -- recording the license plates. einstein 2 detects anything out of the ordinary and sets off alarms if a piece of malware is
3:07 pm
trying to enter a federal network. for example, a car comes through and not supposed to come through, that would set off an alarm and enable einstein 2 to actually detect a cyber intrusion. einstein -- doesn't do anything about blocking. it doesn't block the car, in this example. but einstein 3, the einstein 3, the latest version and uses classified and unclassified information to actually block the cyber attack. so initially einstein 1, record, basically record what's being detected. einstein 2, actually detect bad stuff coming through the -- in terms of an intrusion. and einstein 3-a, block it. to block it. the problem is, less than half of our federal civilian agencies actually have einstein 3-a in place. so they have the ability to record an intrusion, the ability to detect an intrusion, not the ability to block an intrusion. they need the ability to block and what our legislation would do would be to make sure that agencies have einstein in place,
3:08 pm
including the ability to block intrusions within one year. finally, my amendment incorporates the language originally drafted by senators collins -- susan collins, former the chair of the homeland security committee, a great member -- a colleague of ours for many years. senator mark warner, kelly ayotte, claire mccaskill, senator dan coats and barbara mikulski. they're all cosponsors of the amendment that senator collins has offered. and these provisions would strengthen the department of homeland security's ability to share -- shore up, rather, cyber defenses at civilian agencies and to address cyber emergencies across the federal government. i am, again, just incredibly grateful that senator feinstein and senator burr agreed to include our language in the substitute amendment, language that worked its way through our committee. we had hearings on this stuff and had the opportunity to mark up the legislation. it's the way this place is supposed to work and i think without exception, it has bipartisan support coming through our committee. it's the perfect complement of the information sharing bill that we are discussing this week.
3:09 pm
it makes a good bill i think that much better. and i want to thank the -- the senators for working with me and senator johnson on it. before i close, mr. president, just one more thing. i know the presiding officer thinks a lot about root causes. and rather than just address the symptoms of problems, let's think about what is the root cause of the problem. a fella who's waiting to follow me here on the floor, the former governor of maine, thinks similarly. i do too. and it's not just enough to -- to address the symptoms of these problems. a part of what we need to be thinking about is how do we go at the root cause. how do we go at the root cause? and until fairly recently, a lot of financial services institutions in this country were under constant attack by somebody trying to just overload their web site and essentially try to shut them down. sort of like remember when we were first standing up the affordable care act and they had so much traffic on the web site and it would break down. well, there are folks, cyber threats from around the world, we think iran was behind it, and
3:10 pm
they were trying to do that to our financial -- bring down our financial services businesses. and sometimes with some success. about a year ago, when we got really serious about negotiating with the iranians and our partners, the french, the brits, the germans, the russians and the chinese, some kind of agreement where the iranians would give up any hope they had of a nuclear weapon in terms for lifting our economic sanctions, when it became clear that those were serious negotiations and that something might actually happen from those negotiations, guess what happened to those attacks? they call them ddos. what do you suppose happen? well, guess what, they started letting up, little by little, until the time we actually voted here to let that agreement be enacted and hopefully be administered and implemented. that was a root cause being addressed. a root cause. another root cause you had over in china for years, the chinese
3:11 pm
have sought to use cybersecurity to get into some of our most successful businesses, some of our research and develop operations and those businesses. work being done on -- within federal agencies on research and development. actually, the intelligent seeds for creating jobs and opportunity in this country. the cyber attacks, and we believe it was china trying to steal information from our universities. they were doing a lot of research that could lead to economic activity and job creation. and we didn't like it. we don't do that. we don't do that to them and we didn't want them to do that to us. we complained about it, complained about it, called out some of the folks who we thought was behind this in china. and president xi visited us here in this country and the city about three weeks ago and he and our president had some tough, direct, probably not entirely comfortable conversations. and one of them dealt with this issue. and it is, well, we believe the intrusion by the chinese actors
3:12 pm
to steal our intellectual seed corn in order to maybe short-step -- get a short cut to economic development, economic activity, not have to spend the money, the time and the energy to do all the research that would lead to this innovation and job creation activities. the agreement that came out of that was the chinese and our country have agreed to -- that they -- neither side will knowingly steal this kind of information from the other. and knowingly is a pretty broad term and so we have to make sure that knowingly actually means something. and the senator -- secretary jeh johnson, head of the homeland security department, and our attorney general, loretta lynch, they've been assigned to build on this initial agreement and see what we can -- can make of it. i'll close with this. a lot of people in our country don't understand what all this cybersecurity stuff is. you know, intrusion, you know, einstein and all the stuff that
3:13 pm
we're talking about here that's in the legislation that's before us this week. they do know this. they do know this. it's not good when people can sell -- sell and steal the kind of information that needs to be protected, whether it's a part of the government domain, whether it's military, intelligence secrets, whether it's economic secrets that lead to -- or developments that lead to economic gain, whether it's personally identifiable information that could be used for blackmail purposes or to monetize and somehow make money off of that information. we just know it's not good. we know it's not good. and there's no one silver bullet to actually stop this kind of activity but there are a lot of silver b.b.'s. and some of them are pretty big. some of them are pretty big. the legislation that's before us today, bolstered by some of the legislation that's come out of the committee on homeland security and governmental affairs, a couple of good sized b.b.'s. and they're not going to be able to win this war by themselves
3:14 pm
but enable us to make a bit more progress. and make us a little more secure than we have. and knowing that this is an enemy across the globe, a number of enemies that wish us harm and they're not going to give up. there's a lot of money involved and they'll be back at us. and we have to bring our "a" game to work every day. every day at the department of homeland security and our other federal agencies, working in tandem with the private sector. and hopefully with this legislation, the folks in the private sector, if they want to get the liability protection and sharing information with the federal government, we want them to use the portal through the department of homeland security. the department of homeland security, to the extent a privacy scrub is needed, and it often doesn't happen, 1% of the time with the information that comes through the portal, but the legislation before us, with the amendments that are offered, will enable us to have that kind of security about our private information and at the same time they do a very good job, much better job, in protecting what is valuable to us. mr. president, i think that's about it for me. i appreciate very much the opportunity. i thank very much the patience
3:15 pm
of senator king over here. and i will yield the floor to him. i'll just say in closing, was it -- no, it's senator blunt. senator blunt, i'm going to lead to you next. and it's good to be with both of you and look forward to working with you on these and with respect to the gentleman from missouri, related matters very closely. thanks so much. thanks, mr. president. mr. blunt: thank you, senator carper. you and i have worked on -- the presiding officer: the senator from missouri. mr. blunt: -- worked on issues to try to protect data breach, to try to have one standard for notifying people whose information has been accessed by people who shouldn't have it. and we're going to continue to work on that and look for opportunities, whether it's this bill or some other bill, to add that important element to what we're doing here. but, mr. president, i come to the floor today, as i'm sure
3:16 pm
many others are, to express support for this bill, for the cybersecurity information sharing act bill that gives us tools that we don't currently have, and in fact allows us to get beyond some of the barriers that we do currently have, a bill that would allow individuals who see the information that they're responsible for being attacked, to call others in their same business and say here's what's happening to us right now. if you're not seeing it already, you should be looking for it. and when they do that, it doesn't violate any competitive sharing of information. what it does is bring everybody into the loop of defense as quickly as possible and also allow them to look for help from the government as well. so i express support for this. and we know that day after day americans who turn on the news, listen to the news, read the
3:17 pm
news, hear news of another cyber attack, some involve attack of government systems themselves while others involve the private sector. and in 2012 and 2013 hacker groups linked to iran targeted american bank web sites and continued to sustain that attack on those web sites in a way that was designed to disrupt business of people trying to do business, trying to pay their own personal bills, trying to do things that people should expect to be able to easily do. early in 2014, we learned that cybercriminals had stolen 40 million credit card numbers from a major retailer and had probably compromised an additional 70 million accounts. over 100 million accounts in one collection of news sources about
3:18 pm
the same event. we also have learned that a lot of times you hear about these and they seem bad enough at first, but they seem a whole lot worse later when you find out what really happened, when we really see how deep these criminals were able to go, how deep these terrorists were able to go, how deep these government-sponsored entities were able to go to get at information that they shouldn't have. in september of that same year, september 2014, we learned that another major retailer had suffered a data breach. in that case there were 56 million credit card holders. in february of this year we learned it that a health care provider, an insurance provider, rather, health insurance provider had had hacking into their system and 80 million customers were affected. this is a data breach that particularly impacted my state, particularly impacted
3:19 pm
missourians, and we saw a huge change in the i.r.s. fraud that occurred this year because we believe at least because people suddenly had all this information that they got from the other account, suddenly somebody beside you was filing your tax return. and, by the way, your refund was better than it had ever been. and as soon as that card was received, it was taken care of. only later did the people who really had the income tax return to file find out that somebody had filed it for them. in june of this year, maybe the most surprising to all of us who have heard over and over again that the private sector is struggling, but dot.mil is very good and dot-gov is better than anything other than dot.mil but suddenly we find out the u.s. government of personnel management, a previous estimate
3:20 pm
of how many files of federal employees and people that were related to those files, 21.5 million people. and then we found out that also included 5.5 million sets of fingerprints. i'm not exactly sure what you could do with somebody's fingerprints on the internet today, but i can only imagine what you might be able to figure out to do with those fingerprints. remember your fingerprints don't change, and probably the government entity responsible for that hacking that has those fingerprints is always going to have those fingerprints as they think of new and malicious ways to use them. so, we're talking about well over 100 million americans who have already had their personal information in hands of people it shouldn't be in the hands of. the challenge before us is as clear as it is urgent. virtually every aspect of our society and our economy rely on
3:21 pm
information technology. it's enabled tremendous economic growth. it's enabled tremendous efficiencies in every sector, but it's put all kinds of information out there in ways that looking back we're going to wonder why we made that information so available in so many places and so unprotected. federal, state, and local governments rely on that information technology as well. and as the technology advances, its widespread adoption has also opened us to new dangers. modern cybersecurity threats are sophisticated, they're massive, and they are persistent. this doesn't just happen every day. it happens all the time every day. the culprits of these attacks and intrusions range in terms of their motives and in range of their abilities. we just heard of a teenager who figured out how to get into the
3:22 pm
personal account of the c.i.a. director. at least that's the public media report. and the homeland security director. this is not a particularly sophisticated but obviously a pretty capable person who gets to two individuals you'd think would be the most cautious about what they share and how they share it. some of these people are bent on just sheer vandalism, just the thrill of cyber vandalism while others want to steal intellectual property from companies, the motive is it's easier to steal it than to go to the hard work of creating it and suddenly that information is out there and the people who created it have been robbed. i hear this all the time when i visit companies in my state. we've seen cyber intrusion used for espionage. we've seen one major company attacked for no other reason
3:23 pm
than to embarrass the company because a foreign government didn't like something the company had done. it's quite a way to have a movie review that we're just going to destroy as much of your technology as we can by a cyber invasion. a great many more of these people are motivated by greed, pilfering other people's identities, getting access to other people's account information and selling that information on the black market becomes a real opportunity for them. the more you remove it from the person who initially got it, the harder it is to find out who initially got that and what they did with it. underneath of all this is the implication of more serious attacks that can cause physical harm, that can cause mass disruption, the critical infrastructure of the country very dependent on cybersecurity.
3:24 pm
this really begs the question what are we doing to protect our country and our citizens from these cyber adversaries. i've been in the senate for five years. i've had the great opportunity to represent the people of missouri here for five years. and during every one of those five years we've been talking about it's really important that we do something about cybersecurity. well, this is the only approach i've seen in those five years that has bipartisan support. it has a bicameral consensus. this is something that can happen. this is a problem. it's time to stop talking about it. we want some other government to have everybody's fingerprints before we start -- before we do something about it? this is now the time to do something about it. as a member of the senate select committee on intelligence, i'm certainly here to support the chairman of that committee and the vice chairman of that
3:25 pm
committee to finally pass this bill, a bill to enhance the public-private partnerships that can provide the kind of cyber defense we need. now, we need to -- to do that, we need to encourage lots of sharing. we need to encourage sharing of attacks. we need to encourage, as i said early on, the ability to call somebody else in your same business, to contact them and say this is happening right now. that's the best time to say it. the other option is this happened to us late last night or happened yesterday. but to let others know that this is happening to us, is it happening to you. there's lots of misunderstanding about this concept. without getting too technical, cyber threats are the malicious codes and algorithms used to
3:26 pm
stop computer networks. they use bits and bytes have ones and zeros, way too complicated to protect people that are fighting every day. in very dangerous circumstances these techniques can be used to remotely control physical infrastructure. i saw something on the news where some hacker had figured out how to take over one of the cars that was driving itself. suddenly the car wasn't driving itself. the hacker was driving itself. when a particular company finds itself subjected to some novel new approach, the quicker they can share that, the better. when the government discovers a new method being used to infiltrate information technology systems abroad or here, they need to be able to share that with american
3:27 pm
companies quickly so they can protect themselves. these are things the private sector sees that the government does not, and they are things that the government sees that the private sector does not. this gives the obligation and opportunity to both of them to join in this important fight. modern communications networks move at an incredibly rapid pace. we need to be fighting back at that same kind of rapid pace. it's a strictly voluntary program. unlike some of the other programs we've talked about to secure ourselves in a post-9/11 world, this is a strictly voluntary program that leverages american ingenuity to unleash the arsenal for democracy, this time to unleash the arsenal for democracy against cyber adversaries. when it comes to the cyber
3:28 pm
threat, we have to act for common purpose. throughout this debate there's been a great deal of discussion about the need to protect liberty in the information age. i really think liberty versus security matters. and when it comes to this bill, this bill comes the closest to having the balance that we'd all like to see. it takes into consideration the importance of liberty, but it also takes into consideration what happens as we protect our security. i just close by saying if -- of all the attacks we've had and as bad as they have been, none of them have been the sort of catastrophic infrastructure attack that we could see that impacts the grid, impacts our ability to communicate, impacts our ability for the water system to work, impacts our ability for the electrical system to work. if that happens, the congress
3:29 pm
will not only act, the congress will overreact. this is the right time to have this debate. let's put this information on the books right now. let's give us a law that makes sense at a time when we've got time to debate it instead of the direction we'll turn when we should have debated this and moved in this direction right now. i encourage my colleagues to vote for this bipartisan bill that i think can wind up on the president's desk and become law. and i would yield to my patient friend from maine who's been waiting. he and i serve on the intelligence committee together, and i look forward to his comments. mr. king: mr. president? the presiding officer: the senator from maine. mr. king: mr. president, the united states is under attack.
3:30 pm
we are under attack not a week ago, a month ago, september 11 or yesterday, but right at this moment. we are under attack from state actors, from terrorists, nonstate actors and from garden variety criminals. this cyber issue is one of the most serious that we face. when i first got here, i was appointed to the armed services and intelligence committee. and on those two committees, over the past three years, at least half of our hearings have touched upon this issue and the threat that it presents to this country. the leaders of our intelligence community, our military community in open session and in closed session have sounded the alarm over and over and over. the most dramatic, and i don't remember the hearing was one of our witnesses said the next pearl harbor will be cyber.
3:31 pm
and as the senator from missouri just pointed out, we're fortunate that we've had a number of warning shots, but none have been devastating. but we have had warning shots at sony, at target, at anthem, at the office of personnel management of the united states government, at the home e-mail of the director of the c.i.a. we've had large and small intrusions and cyber attacks that have been more than annoying, but so far they haven't been catastrophic. that is just a matter of time. and that's why we have to move this bill. and this bill isn't a comprehensive answer to this question, but it's at least a piece of it. it's a beginning. and we're going to have to talk about other aspects of our cyber strategy. but at least we can pass this bill that came out of the committee 14-1. it's bipartisan. it's got support in the house.
3:32 pm
let's do something. i do not want to go home to maine and try to explain to my constituents when the natural gas system or the electric system is brought down that we couldn't quite get around to it because of the difference of committee jurisdictions or because we had other priorities or because we were tied up in the budget. this is a priority of the it is something we should be doing immediately. and i'm delighted that we've moved to it. now, as i've sat in the intelligence committee every tuesday and thursday afternoon for the past three years, it occurred to me several months into those debates and discussions of this and other issues that really we and the intelligence committee and also we in this body really are working with and weighing and balancing two constitutional provisions. the first is the preamble to the constitution, the most basic
3:33 pm
responsibility of any government anywhere, any time is to provide for the common defense. that's why governments are formed, to provide the security and also to ensure domestic tranquility. those two together are the basic functions of why we're here, to protect our people from harm. and that's clearly what this bill is talking about. but the other constitutional provision that's in the picture that we also have to weigh is the fourth amendment, "the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated." that's a fundamental premise of who we are as a people. these two provisions of the constitution are in tension, mr. president. they're not -- neither one dominates, neither one controls the other. and it's our job in this body to continuously weigh and calibrate
3:34 pm
these two provisions and their balance in light of threats and evolving technologies. when the -- when the fourth amendment was written, nobody ever heard of telephones. they certainly never heard of the internet. they never thought about any of these things. but they said, the rights shall not be violated, it's interesting, unreasonable search and seizures. they don't know the threats we'd be facing when they said it's a fundamental premise of the united states constitution that we should protect against both foreign and domestic enemies. but that's what we have to do and that's what this bill does. this bill is very carefully worked out with a lot of discussion and negotiation to be effective in protecting the public while at the same time be effective in protecting the public's privacy rights and respecting these two principles.
3:35 pm
we've had warning after warning after warning and now it is time for us to act. the good news about the united states is that we're the most wired nation in the world. technology has been a huge boon to our economy and to our people, and we are -- we are way ahead of a lot of the rest of the world in the -- in our interrelationship with technology and how we've used it to enhance our lives. that's the good news. the bad news is, we're the most wired country in the world because that means we're the most vulnerable. asymmetric vulnerability. we're more vulnerable because we're more connected. and that means we have to take great care in this country to make sure that we don't allow that vulnerability to result in a catastrophic loss for our people. not only are we talking about
3:36 pm
national security issues, we're talking about individual people's lives. if the electric grid went down, people's lives would and could be lost. in hospitals, at traffic intersections across the country. if the natural gas system, the vast pipeline system that links our country in terms of energy, somehow went awry because of a cyber intrusion into the operating system, that would have devastating consequences for human lives and also, of course, for the economy of our country. somebody could get into the routing system of a railroad and a train carrying hazardous material would be caused to derail. these are the kinds of things that can happen and will likely happen unless we take steps to protect ourselves. some of these attacks and intrusions are sponsored by nation states. we know that.
3:37 pm
some of them are sponsored by just garden variety criminals who are trying to steal our money. or some of them are large international criminal organizations that are trying to steal our commercial intelligence, about how we build our products and how we compete. some of them are terrorist organizations who see this as a cheap way to attack america. why go to all the trouble to build a bomb and smuggle into the country and all the risks that that entails when you can disrupt the country in just as great a way with a few strokes on a laptop? economic security, national security. economics -- it's been estimated worldwide this costs our country, cyber crime, $445 billion a year. that's to the global economy. half a trillion dollars a year. 200,000 jobs in the u.s. could and are being affected.
3:38 pm
800 million personnel records stolen. 40 million were americans. the cost of cyber crime is estimated to be between 15% and 20% of the value created by the internet. and we always talk about, we don't want any taxes on the internet. this is a tax. this is a tax that we're all paying, that the users of the internet are paying to ward off this epidemic of cyber crime. it's not only the government, mr. president. of course, it's companies. sony, target, anthem, the industrial base, j.p. morgan, home depot. the list goes on and on. and most importantly, it's not just big guys. sometimes we feel that, okay, this is, you know, the large banks, the large insurance companies, that's who has got to worry about this. in the state of maine, we have to worry about it. i've been meeting, my staff in maine has reached out to
3:39 pm
businesses large and small across the state. every single one, with one exception, listed cyber intrusion as one of their greatest issues. we've got the maine credit union league, $2.5 million a year, little local credit unions having to deal with cyber intrusion. one of our maine health care providers, thousands of attempts to steal confidential data every year. keeping the data safe is costing them more than a million dollars. that goes into our health care bills. this is costing us real money. one of our maine financial institutions, 60% to 70% of the e-mails they get in the bank are phishing e-mails, trying to compromise their secure data. one of our utilities, over a million dollars a year just on preventive costs to defend against cyber crime. and this is in a state of 1.3 million people. this is real. this is real in our state. i had a forum over the summer
3:40 pm
break, over the august break, with businesses throughout maine, mostly small businesses, and homeland security. we had a hundred businesses come just to visit and sit for a day to talk about this issue and these were small businesses. and all of them were seeing these kinds of problems. one was a small business with 35 employees which did a deal overseas and a cyber criminal stole their payment, in effect. they sent a fake invoice to the customer overseas. the customer paid it. the money went to the crook, not to my company in maine. that's the kind of thing that's happening. and that's one of the reasons that we have to take action. today. no business is immune. no individual is immune. and, of course, this country is not immune. the price of inaction, mr. president, is just too high. this is something we must attend
3:41 pm
to. as i mentioned, this bill is not the whole answer but it's a part of the answer. and some people say, well, it's not broad enough. and my answer is, okay, i understand that. but let's do what we can do and then take it one step at a time. some people say, it compromises privacy. i don't believe that it does. extraordinary measures were imported into this bill in order to protect the privacy of individuals. this is not about individual data. this is about a company voluntarily telling the government, and perhaps some other companies, here's what i'm seeing as an attack. how can we collectively defend ourselves against it? that's what this bill is really all about. we've got to take action, mr. president. and now is the time. i want to thank the chair and
3:42 pm
the vice chair of the intelligence committee, the members of the homeland security committee, members of the judiciary committee, all of those who have contributed to the -- the finalization of this important piece of legislation. there's an attitude out there that we can't get anything done around here. i think this gives us an opportunity to prove that idea wrong. we can get things done. we should get things done. and this is a chance for us to protect our people, to provide for the common defense, which is our most solemn constitutional responsibility, in a way that also protects the interests of the fourth amendment and individual privacy rights. mr. president, i hope that we can move swiftly, complete the consideration of this bill this week, work out our differences with the house and get this matter to the president.
3:43 pm
we have no place to hide if we don't get this done. this is what we're here for. and i want to again thank my colleagues who worked so hard to bring us to this point. mr. president, i yield the floor. mr. mccain: mr. president? the presiding officer: the senator from arizona. mr. mccain: before the senator from maine leaves the floor, i'd like to congratulate him on a well-planned, well-thought-out and very convincing presentation and an argument that, frankly, i can add very little to. and so i'll make my remarks very brief. but i want to thank the senator from maine for highlighting the absolute importance of the passage of this legislation. and i might add, he's one of the most serious and hardworking members of the senate armed services committee. as well. i won't go any further.
3:44 pm
mr. president, i rise in strong support of s. 754. i want to thank my colleagues, chairman burr and vice chairman feinstein, for their ongoing leadership. in the short two months since this bill was last on the senate floor, the need for action on information sharing has only increased. not for a lack of trying. we have continuously failed to make progress on this bill. as the senator from maine just made clear, that must change. enacting legislation to confront the accumulating dangers of cyber threats must be among the highest national security priorities of the congress. the need for congressional action, in my view, is also enhanced by the administration's inability to develop the policies and framework necessary to deter our adversaries in cyberspace. earlier this week we learned just how ineffective the administration has been in addressing our cyber challenges.
3:45 pm
within days of reaching an agreement to curb the stealing of information for economic gain, china -- china -- repeatedly, reportedly, continues its well-coordinated efforts to steal the designs of our critical weapons systems and wage economic espionage against u.s. companies. it's not a surprise but it serves as yet another sad chapter in this administration's inability to address the cyber threat. i guess in the last couple of days, it's been made known that some hacker hacked into the -- into the information of both the director of the c.i.a. and the chairman of the homeland security committee. interesting. as the president's failed china
3:46 pm
agreement clearly demonstrates, our response to cyber attacks has been tempered and nonexistent at worst. until and unless the president uses the authority he has to defer, deter, defend and respond to the growing number and severity of cyber threats, we will risk not just more of the same but embolden adversaries and terrorist organizations that will continuously pursue more severe and destructive attacks. addressing our cyber vulnerabilities must be a national security priority. just this week, admiral rogers, the head of cyber command, reiterated, and i quote him -- it's only a matter of time before someone uses cyber as a tool to do damage to critical infrastructure. now my colleagues don't have to agree with the senator from maine or me or anybody else, but shouldn't we listen to admiral rogers, the head of cyber command, probably the most knowledgeable person or one of
3:47 pm
the most knowledgeable who said it's only a matter of time, only a matter of time before someone uses cyber as a tool to do damage to critical infrastructure? according to the recently retired chairman of the joint chiefs of staff, general martin dempsey, our military enjoys -- quote -- a significant military advantage in every domain except for one, cyberspace. as general dempsey said, cyber -- quote -- is a level playing field, and that makes this chairman very uncomfortable. i'll tell you, mr. president, it makes this chairman very uncomfortable as well. efforts are under way to begin addressing some of our strategic shortfalls in cyberspace, including the training of a 6,200-person cyber force. however, these efforts will be meaningless unless we make the tough policy decisions to establish meaningful cyber deterrents. the president must take steps now to demonstrate to our adversaries that the united
3:48 pm
states takes cyber attacks seriously and is prepared to respond. this legislation is one piece of that overall deterrent strategy and it's long past time that congress can move forward on information-sharing legislation. we have been debating similar cyber legislation since at least 2012. i'm glad this body has come a long way since that time in recognizing that government mandates on the private sector which operates the majority of our country's critical infrastructure will do more harm than good in cyberspace. the voluntary framework in this legislation properly defines the role of the private sector and the role of the government in sharing threat information, defending networks and deterring cyber attacks, and at the same time it is unfortunate that it's taken over three years, over three years to advance this commonsense legislation. the threats we face in
3:49 pm
cyberspace are real and imminent as well as quickly evolving. all aspects of the federal government, including this body, must commit to more quickly identifying, enacting and executing solutions to counter cyber threats. if we do not. if we do not, we will lose in cyberspace. as chairman of the armed services committee, cybersecurity is one of the committee's top priorities. that's why the national defense authorization act provides a number of critical authorities to ensure that the department of defense can develop the capabilities it needs to deter aggression, defend our national security interests when called upon to defeat our adversaries in cyberspace. i find it unacceptable that the president has signaled his intent to veto this legislation that, among other key department of defense priorities, authorizes military cyber operations and dramatically reforms the broken acquisition system that has inhibited the
3:50 pm
development and delivery of key cyber capabilities. more specifically, the national defense authorization act extends liability protections to department of defense contractors who report on cyber incidents or penetrations, and it authorizes the secretary of defense to develop, prepare, coordinate and when authorized by the president conduct a military cyber operation in response to malicious cyber activity carried out against the united states or a united states person by a foreign power. the ndaa authorizes $200 million for the secretary of defense to assess the cyber vulnerabilities of every major d.o.d. weapons system. finally, congress required the president to submit an integrated policy to deter adversaries in cyberspace in the fiscal year 2014 national defense authorization act, and i tell my colleagues we are still waiting on that policy.
3:51 pm
this year's ndaa includes funding restrictions that will remain in place until it's delivered. as we dither, our nation grows more vulnerable. our privacy and security are at greater risk, and our adversaries are further emboldened. the stakes are high. it's essential that we pass the cybersecurity information sharing act without further delay. let me also mention in closing, probably the most disturbing comment that i have heard in a long time on this issue and this challenge is when admiral rogers said our biggest challenge is we don't know what we don't know. we don't know what the penetrations have been, what the attacks have been, whether they have succeeded or not, where they are. in this whole realm of cyber and information at all levels.
3:52 pm
when the person we have placed in charge of cybersecurity says we don't know what we don't know, my friends that is a very serious situation, and i want to congratulate again both the managers of the bill in their coordination and cooperation on this bipartisan effort. mr. president, i yield the floor. the presiding officer: will the senator yield for a question? mr. king: would you agree, senator, that this bill represents an important part of our cyber defense, but that in order to in the long term deter attacks, we must have a cyber policy that goes beyond simply defensive measures? mr. mccain: i would certainly agree, i would say to my friend from maine, because if -- if the adversaries that want to commit
3:53 pm
cyber attacks against the united states of america and our allies believe that there is no price to pay for those attacks, then where is the demotivating factor in all of this which would then just, if they fail, just keep on doing what they're doing. it seems to me if this is an act of war -- and i don't use that term lightly but i'm trying to use it carefully. if you damage intentionally another nation's military or its economy or its ability to function as a government, wouldn't that, i would ask my friend from maine, wouldn't that fit into a -- at least a narrow interpretation of an act of war? and if so, then should we only have defenses? have we ever been in a conflict where we only have defenses and not the capability to go out and deter further aggression?
3:54 pm
mr. king: i would suggest to the senator that if you're in a fight and all you can do is defend and never punch, you're going to eventually lose that fight, and i think this is an important area. the theory of deterrence, as distasteful as it might have been, the mutually assured destruction during the nuclear era, did, in fact, prevent the use of nuclear arms for some 70 years, and i think we need to be thinking about a deterrence that goes beyond simply defensive measures. so i commend the chairman for raising this issue and appreciate your thoughtful consideration. thank you, mr. president. i yield the floor. a senator: mr. president? the presiding officer: the senator from wisconsin. ms. baldwin: thank you, mr. president. last week, when i was back in my home state of wisconsin, i had the privilege of hosting a roundtable with college students from all across the southeastern area of the state. the focus of the conversation
3:55 pm
was how we here in congress could help keep college affordable and accessible, and during the course of that conversation, it was abundantly clear that most of the students were very frustrated that congress could not take some of the most commonsense steps to make that happen. i told them that i shared their frustration and ensured them that i would be going back to washington, d.c., this week to fight on their behalf. and just this morning, i hosted a google hangout and spoke with campus newspapers from across the state of wisconsin to reiterate my commitment on this issue. so here i am, mr. president, almost one month from the day that i last stood here on the senate floor, one month since a single united states senator stood up and blocked a
3:56 pm
commonsense and bipartisan measure that would have continued to provide critical financial support for america's low-income college students. mr. president, in the short months since our efforts to reauthorize the federal perkins loan program were obstructed, the immediate impacts are already becoming quite clear. last week, the coalition of higher education assistance organizations began surveying colleges and universities that participate in the perkins loan program to learn more about how this obstruction is impacting their students. after just a few days, they heard from over 100 students outlining how perkins -- by allowing perkins to expire, it's harming students and institutions alike. there are real impacts being
3:57 pm
felt by real students right now across america, and if we don't act, this damaging impact will ripple across our community. therefore, mr. president, we cannot sit idly by, and i ask unanimous consent that the senate proceed to immediate consideration of house resolution 3594 which is at the desk and ask that the bill be read a third time and passed and that motions to reconsider be considered made and laid upon the table with no intervening action or debate. the presiding officer: is there objection? mr. mccain: mr. president, on behalf of the leadership, i object. the presiding officer: objection is heard.
3:58 pm
ms. baldwin: mr. president, this is incredibly frustrating, and i'm going to spend a few minutes talking about how this objection, this obstruction is impacting the students of america and the higher education institutions of america. there are real impacts that are being felt right now, and students who have previously received perkins loans will lose their future eligibility if they change institutions or academic programs. students seeking perkins loans for the upcoming winter and spring semesters will not be eligible at all if we don't act soon to reauthorize this program. and finally, all future students will be ineligible for this
3:59 pm
program. just this afternoon, just right before i came down to the senate floor, i received a letter from the president of the university of wisconsin system, ray cross, a letter that was cosigned by all of the 14 u.w. system university chancellors. in their message, they shared compelling insight into how the sudden end to the federal perkins loan program is already affecting wisconsin's students. they then closed their letter with this, and i quote -- "we need to keep this program in place. after all, our job is to help students who would not otherwise be able to attend higher education and help them overcome barriers, particularly financial barriers, all of which helps to ensure access, retention,
4:00 pm
completion and a skilled work force. these are goals upon which all of us can agree." end quote. mr. president, one month ago, our colleagues in the house of representatives, a body rarely called a place of agreement, took up and passed a measure that would extend this student loan program for one year. and i previously called up that bill here in the senate and asked unanimous consent that we extend the federal perkins loan program. and while i look forward to a broader conversation about improving federal supports for students as we look to reauthorize the