PROVIDING FOR CONSIDERATION OF H.R. 624, CYBER INTELLIGENCE SHARING AND PROTECTION ACT
(House of Representatives - April 17, 2013)

Text of this article available as:

Formatting necessary for an accurate reading of this text may be shown by tags (e.g., <DELETED> or <BOLD>) or may be missing from this TXT display. For complete and accurate display of this text, see the PDF.

        


[Pages H2078-H2088]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




PROVIDING FOR CONSIDERATION OF H.R. 624, CYBER INTELLIGENCE SHARING AND 
                             PROTECTION ACT

  Mr. WOODALL. Mr. Speaker, by direction of the Committee on Rules, I 
call up House Resolution 164 and ask for its immediate consideration.
  The Clerk read the resolution, as follows:

                              H. Res. 164

       Resolved, That at any time after the adoption of this 
     resolution the Speaker may, pursuant to clause 2(b) of rule 
     XVIII, declare the House resolved into the Committee of the 
     Whole House on the state of the Union for consideration of 
     the bill (H.R. 624) to provide for the sharing of certain 
     cyber threat intelligence and cyber threat information 
     between the intelligence community and cybersecurity 
     entities, and for other purposes. The first reading of the 
     bill shall be dispensed with. All points of order against 
     consideration of the bill are waived. General debate shall be 
     confined to the bill and shall not exceed one hour equally 
     divided and controlled by the chair and ranking minority 
     member of the Permanent Select Committee on Intelligence. 
     After general debate the bill shall be considered for 
     amendment under the five-minute rule. In lieu of the 
     amendment in the nature of a substitute recommended by the 
     Permanent Select Committee on Intelligence now printed in the 
     bill, it shall be in order to consider as an original bill 
     for the purpose of amendment under the five-minute rule an 
     amendment in the nature of a substitute consisting of the 
     text of Rules Committee Print 113-7. That amendment in the 
     nature of a substitute shall be considered as read. All 
     points of order against that amendment in the nature of a 
     substitute are waived. No amendment to that amendment in the 
     nature of a substitute shall be in order except those printed 
     in the report of the Committee on Rules accompanying this 
     resolution. Each such amendment may be offered only in the 
     order printed in the report, may be offered only by a Member 
     designated in the report, shall be considered as read, shall 
     be debatable for the time specified in the report equally 
     divided and controlled by the proponent and an opponent, 
     shall not be subject to amendment, and shall not be subject 
     to a demand for division of the question in the House or in 
     the Committee of the Whole. All points of order against such 
     amendments are waived. At the conclusion of consideration of 
     the bill for amendment the Committee shall rise and report 
     the bill to the House with such amendments as may have been 
     adopted. Any Member may demand a separate vote in the House 
     on any

[[Page H2079]]

     amendment adopted in the Committee of the Whole to the bill 
     or to the amendment in the nature of a substitute made in 
     order as original text. The previous question shall be 
     considered as ordered on the bill and amendments thereto to 
     final passage without intervening motion except one motion to 
     recommit with or without instructions.

  The SPEAKER pro tempore. The gentleman from Georgia is recognized for 
1 hour.
  Mr. WOODALL. Mr. Speaker, for the purpose of debate only, I yield the 
customary 30 minutes to my friend, the gentleman from Florida (Mr. 
Hastings), pending which I yield myself such time as I may consume. 
During consideration of this resolution, all time yielded is for the 
purpose of debate only.


                             General Leave

  Mr. WOODALL. I ask unanimous consent that all Members may have 5 
legislative days to revise and extend their remarks.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Georgia?
  There was no objection.
  Mr. WOODALL. Mr. Speaker, I always enjoy the reading of the 
resolution. There are a lot of readings that you can waive on the floor 
of this House, but not so with a Rules resolution because this 
resolution is framing the nature of the debate we are going to have 
perhaps on the most important issue that we've taken up so far in this 
Congress.
  The underlying bill is H.R. 624. It's the Cyber Intelligence Sharing 
and Protection Act.
  Whenever we start talking about cyber intelligence sharing and 
protection, folks often think that sharing and protection are 
oxymorons--you can't have protected sharing, and you can't have shared 
protection. It's not an easy nut to crack, Mr. Speaker. I don't sit on 
the Intelligence Committee, but I've been down to the classified 
briefings where folks are sharing details of the amazing successes that 
our teams, both domestically and abroad, are having and combating in 
cyber threats; but it's getting harder and harder every day, and we 
have to balance the national security implications of failing to 
address these threats with what we, as all Americans, love, which is 
our liberty here at home--our liberty here at home, our privacy here at 
home.
  In order to try to crack that, Mr. Speaker, you'll know that we 
brought this bill to the floor in the last Congress, and it has been 
changed and improved since that time. Today, this rule makes in order 
an additional 12 amendments. Now, of course we'll have the traditional 
1 hour of debate on the underlying bill, but there will be another 12 
amendments, each debated--2 hours of total additional time--so that 
Members can have their voices heard. Of these additional 12 amendments, 
four of them were offered by Republican Members; seven of them were 
offered by Democratic Members; and one of them is a bipartisan 
amendment. But the rule is designed to allow that further discussion 
because of the very important nature of the underlying bill.
  I rise, of course, in support of the rule to allow for that debate, 
and I rise in support for the underlying bill. In today's world, you 
don't have to have a battlefield full of tanks to wage war on your 
enemy. A nation-state can have a roomful of young computer scientists 
and a couple of computers and begin to be a threat to the largest, most 
democratically controlled country in the world.
  How do we stop that, Mr. Speaker? Because we don't want to close our 
borders. We don't want to have Federal control over the Internet. In so 
many of these nation-states, the government does control the Internet. 
That's never going to happen here in America. That's not who we are. 
That's not what we're about. In fact, 10 private sector providers 
control about 80 percent of the networks here in America--as it should 
be.
  But what can we do to make ourselves safer tomorrow than we are 
today? Here is what the underlying bill does, Mr. Speaker: it enables, 
for the very first time, businesses and governments to share 
information about the threats that they are facing.
  If you go up the road to Maryland, where the NSA is operating today, 
there are some smart, smart folks there, and I'm glad we have every 
single one of them on the front lines of cyber warfare--protecting 
America, protecting American enterprise. Yet today, when they are aware 
of threats that are impending threats to our financial system, threats 
to our economic system, they can't share that information with the 
private sector.
  Back in my home district, Mr. Speaker, we're home to UPS--the United 
Parcel Service--Delta, Home Depot. If those companies come under attack 
today, Delta can't share that information with American Airlines and 
say, Look at what has just happened to us. Be on the lookout. It might 
happen to you. Home Depot can't share with Lowe's today, This is what 
has happened to us. We want you to be on the lookout. Don't let it 
happen to you.

                              {time}  1250

  This bill changes that. This bill, for the first time, says in the 
name of defending America and American interests against cyber threats 
around the globe, you can begin to share with one another what your 
experiences are and opportunities to protect yourself from having that 
happen to you again in the future.
  Now, the real important thing to me about this bill, and I will just 
hold it up for you, Mr. Speaker, the Cyber Intelligence Sharing and 
Protection aspect of this bill, it's the important part. It's the meat 
of this bill. It's what's going to allow us to be safer tomorrow than 
we are today, but the bulk of the words in this bill don't speak to the 
sharing in terms of enabling it. It speaks to the sharing in terms of 
restricting it. Page after page after page after page of this short, 
24-page bill talks about how we as citizens must, must, must continue 
to be safe and secure in the privacy of our own information.
  It's a four-step process the bill lays out, Mr. Speaker, in terms of 
how we can ensure that no personally identifiable information is being 
shared from Home Depot or Delta or UPS or any of the other folks who 
are out there on the Internet when they're sharing that with the 
government or with one another in order to prevent threats to American 
security or economic prosperity, to ensure that personally identifiable 
information is not a part of that information that's shared, because 
privacy is paramount.
  I've been tremendously impressed through this process, Mr. Speaker, 
because I'm one of the folks who is most likely to be suspect when we 
start talking about sharing information with the government. I'm a big 
lover of liberty. There's not many things I'm willing to give liberty 
up for. In fact, I dare say there's not a one that I'm willing to give 
liberty up for.
  But the Intelligence Committee, from which this bill came, has worked 
with Members month after month after month after month to ensure that 
privacy is protected, that we as citizens can be secure. At the same 
time that we're fighting threats that perhaps we're not allowed to talk 
about on this floor, we're protected from threats that each and every 
one of us experiences in our day-to-day lives--a threat to privacy.
  It's not been easy to craft this bill, and it has been an incredible 
bipartisan effort throughout, Mr. Speaker, in order to put this 
language together. Again, we have four Republican amendments made in 
order by this rule, seven Democratic amendments made in order by this 
rule, and one bipartisan amendment made in order by this rule. It is my 
great hope that we can move forward today with this rule, with debate 
on the underlying bill, and move forward with something that is far, 
far, far overdue, Mr. Speaker, and that's protecting America--American 
business and American individuals, American citizens--from the threats 
posed by nation states through cyber warfare from abroad.
  With that, I reserve the balance of my time.
  Mr. HASTINGS of Florida. Mr. Speaker, I thank my friend from Georgia 
for yielding me the customary 30 minutes, and I yield myself such time 
as I may consume.
  Before I begin, I would like to take a moment, as have almost all of 
our colleagues that have spoken here today, to offer my sincerest 
condolences to the people of Boston, Massachusetts, following the 
deadly explosions at

[[Page H2080]]

Monday's marathon. I can't speak for everyone here, but I believe that 
most of us would say that the thoughts and prayers of the United States 
Congress are with the victims, their families and friends at this most 
difficult time. Those responsible for this act of terror will be 
brought to justice.
  Mr. Speaker, while I rise today in support of H.R. 624, the Cyber 
Intelligence Sharing and Protection Act, better known as CISPA, I do 
not support the rule. My friend from Georgia spoke about how important 
it is that we have the reading of the rule, and one of the particular 
efforts of Congress that allows for there not to be any abridgement of 
that, but I do believe that we would be better served if this were an 
open rule.
  Last night, during our Rules Committee hearing, the majority blocked 
several germane Democratic amendments which would have further helped 
to balance cybersecurity concerns with smart policies that protect our 
citizens. I spoke to those issues last night, and I raise them again, 
particularly the two amendments offered by our colleagues, Ms. 
Schakowsky and Mr. Schiff, and others.
  However, the underlying CISPA legislation is, as my friend from 
Georgia said, a bipartisan bill that aims to safeguard our Nation's 
computer networks and critical infrastructure by allowing for two-way 
cyber threat information sharing on an entirely voluntary basis, both 
between the private sector and the Federal Government, and within the 
private sector itself.
  In his March 12, 2013, testimony before the Senate Intelligence 
Committee, the Director of National Intelligence, James Clapper, stated 
for the first time that cyber attacks and cyber espionage have 
supplanted terrorism as the top security threat facing the United 
States.
  In recent months, media reports have highlighted cyber attacks on 
several major U.S. companies, including Facebook, Google, and the 
network security firm RSA, as well as The New York Times, Bloomberg 
News, and The Washington Post newspapers.
  Furthermore, government networks such as those of the Central 
Intelligence Agency and the United States Senate have also been 
targeted by hackers. Waves of cyber attacks have sought to disrupt 
operations at financial institutions and service providers, including 
American Express, JPMorgan Chase, Citigroup, Wells Fargo, Bank of 
America, MasterCard, PayPal, and Visa.
  The fact of the matter is that state actors, terrorist organizations, 
criminal groups, individuals, and countless persons that describe 
themselves as hackers attack our public and private computer networks 
thousands of times every day. Many foreign hackers seek to steal 
valuable trade secrets, which results in the loss of countless American 
jobs. There are estimates that have been quoted of loss from economic 
espionage that range as high as $400 billion a year.
  Unfortunately, the same vulnerabilities used to steal trade secrets 
can be used to attack the critical infrastructure we depend on every 
day. Our economy, our power grids, and our defenses are increasingly 
reliant on computers and network integration. These networks power our 
homes, provide our clean water, protect our bank accounts, defend our 
intellectual property, guard our national security information, and 
manage other critical services. In addition to intellectual property 
and national security intelligence, personal finance, health care, and 
other private records are prime targets for hackers to steal.
  According to the Information Technology Industry Council, 18 adults 
become victims to cyber crime--including identity theft and phishing 
campaigns--every second. This adds up to 1.5 million cyber crime 
victims each day.

                              {time}  1300

  Cyber attacks present a very real and dangerous threat to the United 
States. However, the government currently does not have the authority 
to share classified cyber intelligence information with the private 
sector.
  While private companies have taken considerable measures to protect 
their networks, they often have limited information and can only 
respond to known threats.
  Cyber threats evolve at the speed of technology, and CISPA, this 
measure, helps the private sector protect against cyber attacks by 
providing companies with the latest cyber threat information from the 
intelligence community, which has timely, classified information about 
destructive malware. This cyber threat intelligence is the information 
that companies and the government need to protect and defend their 
networks.
  The so-called ``signatures'' are primarily made up of numerical codes 
consisting of zeros and ones, without any personal information 
attached.
  CISPA is the product of close cooperation between the intelligence 
community, the private sector companies, and trade groups and, to a 
certain degree, the White House, as it pertains to many of the measures 
that are included in this legislation.
  During their efforts to improve the bill, they also maintained a 
dialogue with privacy advocates in an effort to strengthen civil 
liberties protections and oversight.
  I add a personal note here for the reason that, over a period of 10 
years, I served 8 of those years on the Intelligence Committee, and the 
now-chairman of the Intelligence Committee and ranking member were both 
junior members of the committee that I served on. They have risen to 
the position that they are in and have acted in an extremely 
responsible way, over a 2-year period of time, trying to bring a 
measure as complicated as this one, contemplating all of the factors 
that I've identified and more, including the members of the committee.
  I would urge Members of the House of Representatives--many of them 
continue to have concerns, not only about this particular legislation, 
but about other intelligence matters, and rightly so are they 
concerned. But let me remind them that they are Members of a body that 
allows, if they wish to go into the spaces of the Intelligence 
Committee and to be briefed by staff and Members there on classified 
information, upon appropriate undertakings, they too can gain the 
information and insight that's needed in order to make an intelligent 
determination when they are voting, rather than come out here and 
criticize the people that do that hard work. They get no benefits, no 
concerns from the Members, and yet, cannot say all of the things that 
are needed to say or be said to the American public.
  The same holds for Adam Schiff and Jan Schakowsky and others that I 
won't mention that I served on that committee with. These are 
conscientious people who spend more time than almost any Member of 
Congress on any matter that he or she is attending to, and I have great 
respect for them. I don't agree with everything that either or all of 
them say, but I know they put their heart and time, both in the 
amendments that are offered, as well as in this bill and the 
particulars that are being put forward to this body.
  As a result of their work, 19 improvements to enhance privacy and 
protect Americans have been adopted. Chief among them, this CISPA 
measure that requires the government to eliminate any personal 
information it receives that is not necessary to understand the cyber 
threat.
  It creates no new authorities for any agency, and I can't say that 
enough. It creates no new authorities for any agency.
  It gives companies the flexibility to choose which agency within the 
intelligence community they would like to work with to protect the 
cyber networks. It requires an annual review and report by the 
intelligence community's inspector general of the government's use of 
any information shared by the private sector.
  And I would urge Members, when we increase the responsibilities of 
the inspector general that we also give the inspector general the 
resources in order to be able to do the necessary oversight that is 
required in this legislation.
  It includes something that I very much support, and that is a 5-year 
sunset provision. I've supported other 5-year sunset provisions in the 
intelligence community and would have preferred, in this instance, that 
it be a 3-year provision. But the fact of the matter is, it's 5, and we 
will learn an awful lot during that period of time, and we will be back 
here dealing with

[[Page H2081]]

this same subject at some point in the future.
  Allowing for the appropriate sharing of cyber threat information 
between the government and private sector is key to protecting our 
Nation from those who would do us harm. CISPA balances the critical 
need to strengthen our cyber defenses while protecting Americans' 
individual privacy.

  I reserve the balance of my time.
  Mr. WOODALL. Mr. Speaker, at this time it's my great pleasure to 
yield 3 minutes to the gentleman from Texas (Mr. Conaway), one of those 
Members on the Intelligence Committee my friend from Florida spoke of, 
a gentleman who serves us all.
  Mr. CONAWAY. Mr. Speaker, I appreciate the opportunity to speak.
  I rise in strong support of the rule and the underlying legislation 
that is before us this afternoon.
  I also want to congratulate my colleague from Florida. I agree 
wholeheartedly with his reasons why this is important. He walked 
through those very eloquently.
  I'd like to speak quickly as to what this bill does not do. It does 
not create a government surveillance program. It does not give the 
government the authority to monitor private networks or communications 
like email or other activities.
  And it is strictly voluntary. It does not create a mandate on the 
private sector that they participate. In fact, these activities, 
monitoring and surveillance, are specifically excluded from being an 
activity that would be authorized under this bill.
  There are four purposes for which this activity can be conducted, and 
whatever gets done has to fit within one of these four. One is 
cybersecurity. Two is investigating and prosecuting cybersecurity 
crimes. Three would be preventing death and physical injury, and four 
would be protecting minors from physical and psychological harm. So 
whatever gets done under this bill has to fit within those narrow 
categories specifically to make that happen.
  As both speakers have said already, great work has been done in 
trying to protect the privacy and the civil liberties that all of us 
have. Those who have a grave concern that we've not fixed those, I 
would ask them to simply go review the contract they have with their 
Internet service provider. They have ceded immense personal liberties 
and privacies under that contract to simply sign up with that Internet 
service provider.
  So as they look at what we're trying to do with this bill, I would 
argue that they may have already gone past that with respect to those 
guys.
  This bill does nothing like that whatsoever. No personal information 
can be shared. There's a mandate that the government put in place 
filters so that, as that data's coming in at the speed of light, no 
one's reading this information. This is machine-to-machine. That 
personal information is scrubbed from that as it comes in.
  There are immense reporting requirements for this system to be put in 
place, so that if there are occasional breaches, and there may be, that 
those breaches are reported on a timely basis to the committee, not at 
the end of some arbitrary period but as quickly as the system can 
report it to the oversight committees that have jurisdiction.
  There is no ambiguity in this bill. It says what can be done and what 
cannot be done, and it outlines the consequences for breaking the law.
  Let me also agree with my colleague from Florida. It has a sunset 
provision. Five years from now, future Congresses will have to either 
deal with this or it goes away. And so unlike many of our bills that 
just simply go on unless we actually do something, this has the 
protection of allowing those who disagree with it to know that there 
will be another bite at this apple 5 years from now if, in fact, there 
are things we've learned about that intervening 5-year period.
  But this is critical for America to have this. If this were a 
physical attack on this country, there would be no question that the 
Federal Government, through its military, would stand in the breach and 
protect this country. There are no less dangerous attacks conducted 
against infrastructure, banks, airlines, other things every single day 
that we weren't able to help protect the private sector from, and this 
bill goes a long way toward doing that.
  I urge my colleagues to support the rule and the underlying bill.
  Mr. HASTINGS of Florida. Mr. Speaker, I'm privileged to yield 5 
minutes to the distinguished gentleman from Colorado (Mr. Polis), my 
colleague on the Rules Committee.
  Mr. POLIS. Mr. Speaker, where to begin?
  Let's start with process. This, as has been indicated by everyone who 
spoke thus far, is a critical issue for our country, getting the 
balance right between protecting American infrastructure and our way of 
life, with our civil liberties and confidence in the Internet 
ecosystem. And yet, this rule only allows 1 hour of debate in the House 
of Representatives on this bill.

                              {time}  1310

  I might add, the amendments that were talked about in the Rules 
Committee last night, the amendments that actually address some of the 
deficiencies which I'll be getting into about this bill, are not 
allowed under this rule. In fact, out of the 12 amendments allowed, two 
of them are actually the same. The same exact amendment allowed twice. 
And yet a number of other amendments are not even allowed to be debated 
or voted on here on the floor of the House.
  I hold in my hands many, many amendments that were brought forward by 
Members of both parties and under this rule were prevented from being 
debated upon here on the floor of the House, which is why I strongly 
encourage my colleagues to vote ``no'' on the rule and ``no'' on the 
underlying bill in its present form.
  There's no disagreement that cybersecurity is a very real and 
important issue. Threats come from criminal enterprises, they come from 
nation states, they come from corporations, they come from 16-year-
olds. There's a variety of threats to both the public and private 
sector both here and abroad. The question is, What's the solution?
  One of the first fallacies with the premise of this bill at the 
20,000-foot level is, Who helps who? Frankly, it is the government that 
needs to learn and the private sector that leads the way. I've talked 
to a number of technology executives, having been a technology 
executive before I got here, and they are frequently ahead of the 
government. Because everyday they're fighting hacking attempts and 
they're on the front lines of cybersecurity.
  Now it's not a doubt whether they want free help. Who wouldn't want 
free help? Should we in fact as taxpayers subsidize the defense of 
those who have not invested in their own cybersecurity? Should this be 
a bailout of companies with poor cybersecurity? But the truth of the 
matter is most of the learning that needs to occur is from the private 
sector to the government. And, in fact, we're taking some of those 
steps. The government and the NSA are using private contractors who are 
in the forefront of this issue every day, and that's more of the 
direction we need to go.
  The notion that somehow the government would be of assistance to 
companies is laughable to many of the technology executives that I talk 
to; nor would they expect to call the government for help when they 
themselves are so far ahead. But to the extent we want to get the 
government involved with information and with the private sector here, 
we need to be very careful how this information is used, not just from 
a civil liberties perspective, which we'll be talking about, but 
because this is an economic issue; it's a confidence issue.
  The Internet has been a tremendous engine of innovation and economic 
growth. And we should be concerned for the Internet ecosystem, 
concerned for the millions of jobs, concerned for the great value 
that's been created, the benefits to consumers across the country, the 
way it's touched our lives in so many ways.
  What's fundamentally flawed in this approach is it trumps privacy 
agreements in terms of use that Internet companies enter with their 
users. So you could sign up for a service on the Internet, it could say 
explicitly we will not share this information with the government 
unless required by law, in terms of use--and frequently there are

[[Page H2082]]

statements analogous to that in there--and the minute you click send 
and complete it, if this bill were law, the company you gave that 
information to could then turn around, in violation of their own terms 
of use, and provide all that information to the government.
  The limitations on what the government would do with that information 
are completely inadequate. There is a section of the bill on pages 10 
and 11 that deals with those limitations. First, it says that 
information can be used for cybersecurity purposes. Okay, that's the 
purpose of the bill: investigation and prosecution of cybersecurity 
crimes. That's okay. Then it goes far afield into pretty much 
everything. It talks about bodily harm, danger of death. When we look 
at bodily harm and bodily injury, that includes things under USC 
section 18, 365: cuts, abrasions, bruises, disfigurement, including 
mental pain.
  So this is anything the government wants to use the information for. 
Paper that can cause paper cuts. The government can collect who's 
buying paper, who's buying scissors, who's playing football, who's 
organizing gun shows, who's a Tea Party enthusiast.
  The SPEAKER pro tempore. The time of the gentleman has expired.
  Mr. HASTINGS of Florida. I yield the gentleman 1 additional minute.
  Mr. POLIS. And there are absolutely no protections with regard to 
what is done with that information.
  There are a number of improvements that could make this bill viable, 
and these are not allowed under this rule. My colleague, Mr. Schiff, 
has put forward an amendment that would have simply required that 
reasonable precautions were taken to ensure privacy was protected. That 
would be a strong step forward. Real limitations about actually tying 
the use of this information to cybersecurity would be an important step 
forward with the bill.
  What's at danger is, yes, civil liberties; but the danger is the 
confidence in the Internet ecosystem that has driven our economic 
growth over the last decade. There will be great harm if that 
confidence is shaken, great harm if people know that the information 
that they provide and sign up for can immediately be turned over to a 
government agency--indeed, a secretive government agency--with no 
recourse and completely exempt from any liability for the company 
that's done it.
  It's been noted that this program is voluntary. It may be voluntary 
for the corporations. It's not voluntary for the individual. It's not 
voluntary for the citizens of the country who provide that information.
  Mr. WOODALL. Mr. Speaker, I yield myself 1 minute to say I know my 
friend from Colorado's concerns are heartfelt, and he shared those last 
night in the Rules Committee. The gentleman has a great deal of 
experience in this industry. And as heartfelt as his concerns are, I 
know, too, equally heartfelt are his concerns to national security if 
we fail to come together and address this issue.
  I would like to be able to say, Mr. Speaker, that when we pass this 
bill today, it's going directly to the President's desk for signature. 
I don't actually believe that to be true. I think it's a long process 
between now and getting it to the President's desk for signature. And I 
know the gentleman will be raising these concerns throughout that 
process.
  But I just cannot emphasize enough, Mr. Speaker, the dangers to the 
liberties of the American people of failing to begin this process 
today. I'm very proud we're allowing 12 amendments today to work 
through the concerns that the gentleman has, among others. But the 
importance of beginning this process today cannot be overstated.
  I reserve the balance of my time.
  Mr. HASTINGS of Florida. Mr. Speaker, I am very pleased at this time 
to yield 3 minutes to the gentleman from California (Mr. Schiff), my 
friend and a distinguished member of the Intelligence Committee.
  Mr. SCHIFF. I thank the gentleman for yielding.
  Mr. Speaker, I rise in opposition to the rule. At the outset, let me 
say that the cyber threat is real and its damage already devastating. 
And I very much appreciate the work that the chair and ranking member 
of the Intelligence Committee have done on this bill, and I appreciate 
that we have made and are continuing to make improvements.
  But as the bill currently stands and as it will stand even after the 
amendments allowed by the rule are adopted, the bill simply does not do 
enough to protect the private information of Americans. Most 
importantly, I'm disappointed that the proposed rule does not allow an 
amendment that I offered with Ms. Schakowsky, Ms. Eshoo, Mr. Holt, and 
Mr. Thompson of Mississippi. My amendment would fix an issue 
specifically cited by the White House in its Statement of 
Administration Policy in explaining why the President's advisers would 
recommend a veto of CISPA without important change. It would require 
the companies that share cyber threat information either with the 
government or with another private company to make reasonable efforts 
to remove personally identifiable information.
  As the administration stated in its veto threat, the administration 
remains concerned that the bill does not require private entities to 
take reasonable steps to remove irrelevant personal information when 
sending cybersecurity data to the government or other private sector 
entities. Citizens have a right to know that corporations will be held 
accountable--and not granted immunity--for failing to safeguard 
personal information adequately.
  The requirement of government-alone efforts to safeguard or minimize 
personal information is simply not enough. This is most apparent when, 
under the immunized conduct in the bill, private entities can share 
information with each other without ever going through the government. 
In those circumstances, how can the government minimize what it never 
possesses? So government-side minimization alone, which is all this 
bill includes, is not enough.
  We have responded to the concerns of industry by making sure that 
when we ask them to take reasonable efforts to remove personal 
information, they can do so in real-time through automated processes. 
The witnesses who testified before the Intelligence Committee said that 
often the private parties are in the best position to anonymize the 
data. This is something they're doing anyway. And it's more than 
reasonable to require them to do that, particularly if we want to give 
them a broad grant of immunity.

                              {time}  1320

  Mr. Speaker, without an amendment to ensure that companies remove 
private information when they can do so--when they can do so through 
reasonable efforts--I cannot support the underlying bill. I believe 
that Members of both parties who support this change deserve the chance 
to vote on it. I suspect that because that issue would have gathered 
broad support, it is not being brought up for a vote here on the floor, 
and that is very disappointing. Accordingly, I urge a ``no'' vote on 
the rule, and I thank the gentleman for yielding.
  Mr. WOODALL. Mr. Speaker, I yield myself 60 seconds to say I agree 
with my friend, that the private sector is often in the best position 
to get the work done that we're talking about in this bill.
  I would refer my colleague, Mr. Speaker, to the Intelligence 
Committee's Web site--it's intelligence.house.gov--where you can see 
the long list of those private sector actors who are supporting this 
bill here today, that long list of folks in the private sector 
responsible for the security of their firms, of the information that 
Americans have entrusted to them, asking this body to move forward with 
this bill today.
  There's no question, Mr. Speaker, when you're dealing with something 
of the magnitude of the national security threats posed by cyber 
warfare and the privacy protections that everyone in this body is 
committed to, that you're going to end up with conscientious men and 
women on both sides of this issue. But it is important to note that the 
private sector--which is being bombarded each and every day with 
threats from nation-state actors overseas--is asking, pleading with 
this body to move forward with this bill.
  I reserve the balance of my time.
  Mr. HASTINGS of Florida. Mr. Speaker, may I inquire about how much 
time remains on both sides?
  The SPEAKER pro tempore. The gentleman from Florida has 9 minutes 
remaining. The gentleman from Georgia has 17 minutes remaining.

[[Page H2083]]

  Mr. HASTINGS of Florida. With that, Mr. Speaker, in an effort to 
respond to my colleague and friend from Georgia, I yield 1 additional 
minute at this time to the gentleman from California (Mr. Schiff).
  Mr. SCHIFF. I thank the gentleman for yielding the additional time.
  And just to respond to my colleague, I'd be interested to know if 
there is anything you can point to in those 17 amendments that governs 
or requires the private sector, when it shares information with other 
private sector entities, to remove personally identifiable information. 
Because under the bill, the only minimization that's required is being 
done by the government; and in the case of private-to-private sector 
sharing, there is no government role. So this is the big hole.
  While there are many private sector companies that may support the 
bill because it gives them broad immunity without any responsibility, 
that doesn't mean it's good policy, particularly when private companies 
have said they would make reasonable efforts. They're willing to do it; 
they can do it; they have the capacity to do it; we're just not asking 
them to do it or requiring them to do it. And we're giving something of 
great value to them, and that is we're giving them broad immunity. I 
think with that immunity ought to come some responsibility; and it 
shouldn't be too much to ask that that responsibility take the form of 
a reasonable effort, not a herculean one, not an impossible one, but a 
reasonable effort to ensure that Americans' privacy interests are 
observed and they take out that information when they can.
  Mr. WOODALL. Mr. Speaker, I reserve the balance of my time.
  Mr. HASTINGS of Florida. Mr. Speaker, again, for purposes of clarity, 
I yield 1 additional minute to my colleague from Colorado (Mr. Polis).
  Mr. POLIS. Mr. Speaker, I have three documents to submit to the 
Record: one from former Representative Bob Barr, one Statement of 
Administration Policy, and a letter from several tech companies and 
others opposed to the bill.
  I quote, in part:

       Developments over the last year make CISPA's approach even 
     more questionable than before.

  Former Representative Bob Barr:

       Congress must take the civil liberties threats created by 
     this bill just as seriously as it takes the cyber threats the 
     legislation purports to address.

  Mr. Speaker, we should not hurt the Internet to save the Internet; 
and this bill, in its current form, leaves the language wide open with 
potential abuse. Again, when we talk about bodily harm, I have learned 
that in a California statute that includes dog bites. Essentially, 
anything is included in this information without limitation with regard 
to how the government can use it. This is a backdoor attack on the 
Fourth Amendment against unreasonable search and seizures.
  We have criminal procedures and processes around how information can 
and can't be used. This is the biggest government takeover of personal 
information that I've seen during my time here in Congress. Again, I 
believe, on the balance, it harms what it purports to protect.

                 ``Just say no'' to cybersecurity bill

            (By Former Rep. Bob Barr (R-Ga.), Apr. 16, 2013)

       Anyone who has read or watched any news source over the 
     past year knows President Obama, numerous Administration 
     officials, and many leaders in Congress agree that addressing 
     the threat of cyber attacks is a critical national priority. 
     Based on this threat analysis, the administration and many 
     members of Congress continue to push for passage of 
     cybersecurity legislation that would clarify and expand the 
     government's powers to receive and process traffic from 
     American computer networks.
       It would, however, be a mistake for Congress to rush to 
     enact legislation that could militarize our computer 
     networks, and pave the way for private companies to share 
     vast quantities of sensitive and highly personal information 
     with the government, all in the name of ``cybersecurity.'' 
     Although a carefully-crafted ``information sharing'' program 
     that includes robust protections for civil liberties could be 
     an effective approach to cybersecurity, the bill about to 
     come up for a vote in the House clearly fails this test.
       The Cyber Intelligence Sharing and Protection Act (CISPA), 
     H.R. 624, is set to be considered by the full House of 
     Representatives later this month. Although the bill that 
     emerged from markup by the House Permanent Select Committee 
     on Intelligence (HPSCI) includes some improvements in privacy 
     safeguards over the earlier version, CISPA's proponents have 
     overstated the protections incorporated into the bill. As a 
     result, members of Congress should vote against CISPA when it 
     comes to the House floor.
       Last year, The Constitution Project's bipartisan Liberty 
     and Security Committee, on which I serve, prepared a detailed 
     report on ways that Congress could protect our nation's 
     computer networks from cyber threats, while at the same time 
     preserving the constitutionally-guaranteed rights of 
     Americans. Unfortunately, the drafters of CISPA failed to 
     incorporate the robust safeguards we recommended.
       Most critical, CISPA's sponsors have resisted all efforts 
     to ensure that the new cybersecurity program would maintain 
     civilian control of our nation's computer networks. CISPA 
     would allow private companies, cloaked with broad immunity 
     from legal liability, to share sensitive information such as 
     internet records or the content of emails, with any agency in 
     the government, including military and intelligence agencies. 
     Sensitive personal information from private computer networks 
     should not be shared directly with the military or the 
     National Security Agency (NSA), the agency that gained 
     widespread public notoriety seven years ago for its 
     warrantless wiretapping program--hardly the agency we want to 
     see tasked with receiving private internet traffic.
       Sadly, the members of HPSCI voted down an amendment that 
     would have ensured civilian control of computer networks, by 
     specifying that when private companies share information with 
     the federal government, they should not provide it to the NSA 
     or any other military agency or department. This amendment 
     would still have permitted the NSA to share its own expertise 
     on cyber threats with the private sector, but would have 
     protected the information flowing into the government.
       A second critical flaw with CISPA is that it fails to 
     include meaningful limits on the extent of private sensitive 
     information that companies can send into the government. The 
     HPSCI also voted down an amendment requiring that before 
     sharing cyber threat information with the government, 
     companies must ``make reasonable efforts'' to remove ``any 
     information that can be used to identify a specific person 
     unrelated to the cyber threat.'' A similar provision was 
     included in last year's Senate cybersecurity bill, and 
     witnesses at a hearing before HPSCI earlier this year 
     testified that companies can easily strip out personally 
     identifiably information that is not necessary to address 
     cyber threats. Yet CISPA still lacks any such safeguard.
       It is true that from a privacy perspective, this version of 
     CISPA is an improvement over last year's bill. Most notably, 
     the bill no longer permits private information to be used for 
     broad `national security uses'' unrelated to cybersecurity. 
     But it clearly is not sufficient. Congress must take the 
     civil liberties threats created by this bill just as 
     seriously as it takes the cyber threats the legislation 
     purports to address. CISPA does not meet this test, and 
     members of the House should just say no.
                                  ____


                   Statement of Administration Policy


        H.R. 624--vyber Intelligence Sharing and Protection Act

   (Rep. Rogers, R-MI, and Rep. Ruppersberger, D-MD), Apr. 16, 2013)

       Both government and private companies need cyber threat 
     information to allow them to identify, prevent, and respond 
     to malicious activity that can disrupt networks and could 
     potentially damage critical infrastructure. The 
     Administration believes that carefully updating laws to 
     facilitate cybersecurity information sharing is one of 
     several legislative changes essential to protect individuals' 
     privacy and improve the Nation's cybersecurity. While there 
     is bipartisan consensus on the need for such legislation, it 
     should adhere to the following priorities: (1) carefully 
     safeguard privacy and civil liberties; (2) preserve the long-
     standing, respective roles and missions of civilian and 
     intelligence agencies; and (3) provide for appropriate 
     sharing with targeted liability protections.
       The Administration recognizes and appreciates that the 
     House Permanent Select Committee on Intelligence (HPSCI) 
     adopted several amendments to H.R. 624 in an effort to 
     incorporate the Administration's important substantive 
     concerns. However, the Administration still seeks additional 
     improvements and if the bill, as currently crafted, were 
     presented to the President, his senior advisors would 
     recommend that he veto the bill. The Administration seeks to 
     build upon the continuing dialogue with the HPSCI and stands 
     ready to work with members of Congress to incorporate our 
     core priorities to produce cybersecurity information sharing 
     legislation that addresses these critical issues.
       H.R. 624 appropriately requires the Federal Government to 
     protect privacy when handling cybersecurity information. 
     Importantly, the Committee removed the broad national 
     security exemption, which significantly weakened the 
     restrictions on how this information could be used by the 
     government. The Administration, however, remains concerned 
     that the bill does not require private entities to take 
     reasonable steps to remove irrelevant personal information 
     when sending cybersecurity data to the government or other 
     private sector entities. Citizens have a right to know that 
     corporations

[[Page H2084]]

     will be held accountable--and not granted immunity--for 
     failing to safeguard personal information adequately. The 
     Administration is committed to working with all stakeholders 
     to find a workable solution to this challenge. Moreover, the 
     Administration is confident that such measures can be crafted 
     in a way that is not overly onerous or cost prohibitive on 
     the businesses sending the information. Further, the 
     legislation should also explicitly ensure that cyber crime 
     victims continue to report such crimes directly to Federal 
     law enforcement agencies, and continue to receive the same 
     protections that they do today.
       The Administration supports the longstanding tradition to 
     treat the Internet and cyberspace as civilian spheres, while 
     recognizing that the Nation's cybersecurity requires shared 
     responsibility from individual users, private sector network 
     owners and operators, and the appropriate collaboration of 
     civilian, law enforcement, and national security entities in 
     government. H.R. 624 appropriately seeks to make clear that 
     existing public-private relationships--whether voluntary, 
     contractual, or regulatory--should be preserved and 
     uninterrupted by this newly authorized information sharing. 
     However, newly authorized information sharing for 
     cybersecurity purposes from the private sector to the 
     government should enter the government through a civilian 
     agency, the Department of Homeland Security.
       Recognizing that the government will continue to receive 
     cybersecurity information through a range of civilian, law 
     enforcement, and national security agencies, legislation must 
     promote appropriate sharing within the government. As stated 
     above, this sharing must be consistent with cybersecurity use 
     restrictions, the cybersecurity responsibilities of the 
     agencies involved, as well as privacy and civil liberties 
     protections and transparent oversight. Such intra-
     governmental sharing and use should not be subject to undue 
     restrictions by the private sector companies that originally 
     share the information. To be successful in addressing the 
     range of cyber threats the Nation faces, it is vital that 
     intra-governmental sharing be accomplished in as near real-
     time as possible.
       The Administration agrees with the need to clarify the 
     application of existing laws to remove legal barriers to the 
     private sector sharing appropriate, well-defined, 
     cybersecurity information. Further, the Administration 
     supports incentivizing industry to share appropriate 
     cybersecurity information by providing the private sector 
     with targeted liability protections. However, the 
     Administration is concerned about the broad scope of 
     liability limitations in H.R. 624. Specifically, even if 
     there is no clear intent to do harm, the law should not 
     immunize a failure to take reasonable measures, such as the 
     sharing of information, to prevent harm when and if the 
     entity knows that such inaction will cause damage or 
     otherwise injure or endanger other entities or individuals.
       Information sharing is one piece of larger set of 
     legislative requirements to provide the private sector, the 
     Federal Government, and law enforcement with the necessary 
     tools to combat the current and emerging cyber threats facing 
     the Nation. In addition to updating information sharing 
     statutes, the Congress should incorporate privacy and civil 
     liberties safeguards into all aspects of cybersecurity and 
     enact legislation that: (1) strengthens the Nation's critical 
     infrastructure's cybersecurity by promoting the establishment 
     and adoption of standards for critical infrastructure; (2) 
     updates laws guiding Federal agency network security; (3) 
     gives law enforcement the tools to fight crime in the digital 
     age; and (4) creates a National Data Breach Reporting 
     requirement.
                                  ____

                                                   April 15, 2013.
       Dear Representative: Earlier this year, many of our 
     organizations wrote to state our opposition to H.R. 624, the 
     Cyber Intelligence Sharing and Protection Act of 2013 
     (CISPA). We write today to express our continued opposition 
     to this bill following its markup by the House Permanent 
     Select Committee on Intelligence (HPSCI). Although some 
     amendments were adopted in markup to improve the bill's 
     privacy safeguards, these amendments were woefully inadequate 
     to cure the civil liberties threats posed by this bill. In 
     particular, we remain gravely concerned that despite the 
     amendments, this bill will allow companies that hold very 
     sensitive and personal information to liberally share it with 
     the government, including with military agencies.
       CISPA creates an exception to all privacy laws to permit 
     companies to share our information with each other and with 
     the government in the name of cybersecurity. Although a 
     carefully-crafted information sharing program that strictly 
     limits the information to be shared and includes robust 
     privacy safeguards could be an effective approach to 
     cybersecurity, CISPA lacks such protections for individual 
     rights. CISPA's information sharing regime allows the 
     transfer of vast amounts of data, including sensitive 
     information like internet records or the content of emails, 
     to any agency in the government including military and 
     intelligence agencies like the National Security Agency or 
     the Department of Defense Cyber Command.
       Developments over the last year make CISPA's approach even 
     more questionable than before First, the President recently 
     signed Executive Order 13636, which will increase information 
     sharing from the government to the private sector. 
     Information sharing in this direction is often cited as a 
     substantial justification for CISPA and will proceed without 
     legislation. Second, the cybersecurity legislation the Senate 
     considered last year, S. 3414, included privacy protections 
     for information sharing that are entirely absent from CISPA, 
     and the Obama administration, including the intelligence 
     community, has confirmed that those protections would not 
     inhibit cybersecurity programs. These included provisions to 
     ensure that private companies send cyber threat information 
     only to civilian agencies, and a requirement that companies 
     make ``reasonable efforts'' to remove personal information 
     that is unrelated to the cyber threat when sharing data with 
     the government. Finally, witnesses at a hearing before the 
     House Permanent Select Committee on Intelligence confirmed 
     earlier this year that companies can strip out personally 
     identifiably information that is not necessary to address 
     cyber threats, and CISPA omits any requirement that 
     reasonable efforts be undertaken to do so.
       We continue to oppose CISPA and encourage you to vote `no.'
           Sincerely,
       Access; Advocacy for Principled Action in Government; 
     American Arab Anti-Discrimination Committee; American 
     Association of Law Libraries; American Civil Liberties Union; 
     American Library Association; Amicus; Association of Research 
     Libraries; Bill of Rights Defense Committee; Breadpig.com; 
     Center for Democracy & Technology; Center for National 
     Security Studies; Center for Rights; Competitive Enterprise 
     Institute; The Constitution Project; Council on American-
     Islamic Relations; CREDO Action; Daily Kos; Defending Dissent 
     Foundation; Demand Progress.
       DownsizeDC.org, Inc.; Electronic Frontier Foundation; Fight 
     for the Future; Free Press Action Fund; Government 
     Accountability Project; Liberty Coalition; Mozilla; National 
     Association of Criminal Defense Lawyers; New American 
     Foundation's Open Technology Institute; OpenMedia.org; 
     PolitiHacks; Reddit; RootsAction.org; Tech Freedom.

  Mr. WOODALL. Mr. Speaker, I yield myself 60 seconds again to say to 
my friend from Colorado that I know his concerns are heartfelt; but he 
knows, as I do, there's nothing that we can do in statute here today 
that would trump any of our civil liberties that are protected under 
the Constitution of the United States of America. The Constitution of 
the United States of America trumps all.
  What we're doing here today, Mr. Speaker, is responding to a very 
serious national security threat, and we're doing so in a way that can 
give Americans great comfort that their civil liberties are every bit 
as protected today as they were yesterday. In fact, Mr. Speaker, in 
that these nation-states are hacking into these accounts and accessing 
our personal information every single day, I would tell you that we 
will actually have our privacy more protected in the presence of a 
secure Internet than we do today, as nation-states are frequently 
eroding our cybersecurity border here in the United States of America.
  With that, I reserve the balance of my time.
  Mr. HASTINGS of Florida. Mr. Speaker, I would advise my friend from 
Georgia that I'm the last speaker. If he is prepared to close, I am 
prepared to close.
  Mr. WOODALL. I thank my friend. I have one speaker remaining.
  Mr. HASTINGS of Florida. I reserve the balance of my time.
  Mr. WOODALL. Mr. Speaker, at this time it is my great pleasure to 
yield as much time as he may consume to the chairman of the Rules 
Committee, the gentleman from Texas (Mr. Sessions).
  Mr. SESSIONS. Mr. Speaker, I want to thank the gentleman, my dear 
friend from Georgia (Mr. Woodall), not only for managing his rule, but 
for the time that he has invested not into just this issue, but the 
issues that come before the Rules Committee, and I want to thank him 
for his service.
  I also want to thank, if I can, the gentleman from Florida (Mr. 
Hastings)--welcome back to the committee after a couple of days of 
being out with surgery--and for the vigorous hearing that we had 
yesterday at the Rules Committee.
  Mr. Speaker, we had an opportunity to have Mr. Ruppersberger, the 
leader for the Democrats from the Intelligence Committee, as well as 
Mike Rogers from Michigan, the chairman of the committee. Both came and 
vigorously talked about the things which are aimed at our country--
cyber threats, nation-states, nations such as China, North Korea, and 
others who are trying to invade our Internet here in the United States 
and to steal not only information and data, but also thoughts, ideas, 
and money. So it gave

[[Page H2085]]

us an opportunity yesterday to have a great hearing, one which was full 
of detail, one which really offered intrigue by our Members and a lot 
of thought process by all those who came before the committee.
  However, I would like to advise, if I can, that following the closing 
statements on the rule before us, the gentleman from Georgia (Mr. 
Woodall) will be offering an amendment to the rule that seeks to 
address concerns with the role of civilian Federal agencies in 
receiving the cyber information that would be transmitted from the 
private sector that is included in the underlying bill. This amendment 
was in negotiation yesterday and submitted for consideration to the 
Rules Committee, but the final compromise was not ready at the time 
that the committee finished its work product yesterday evening, so 
negotiations continued all last night and through this morning until 
today.
  On a bipartisan basis, these negotiations have given us what I 
consider to be a good amendment with good merits and should be 
considered under this rule. The amendment has been vetted thoroughly by 
the five committees which share jurisdiction in this matter, including 
Ranking Members Thompson and Ruppersberger, and, by the way, my 
colleague, the ranking member of the Rules Committee, Ms. Slaughter.
  If the rule is amended, the language would be offered by Mr. McCaul, 
the chairman of the House Committee on Homeland Security. I'm confident 
that this work product and the work which we are bringing to this floor 
will continue to support not just the rule, but the legislation that 
would be before this House tomorrow by the Rules Committee.
  So I believe that this helps not just the underlying bill, but really 
is a testament to the work on a bipartisan basis among our committees, 
among a lot of people who had a chance to look at not just 
jurisdictional issues, but the actual substance of trying to make 
protecting this country, its assets, and its people a reality now in 
law that the United States House of Representatives will fully debate 
tomorrow, vote on, and support.
  Part of the role of the Rules Committee about this process has been 
to make sure that the final product that came to the floor of the House 
of Representatives was well vetted, received the attention that was 
necessary, and, perhaps more importantly, was leading-edge.

                              {time}  1330

  And, lastly, the most important thing is that we know what we've 
agreed to; that we know what we've agreed to where we're very clear 
about what the law is and the expectations of that performance.
  I thank the gentleman for yielding.
  Mr. HASTINGS of Florida. Mr. Speaker, I yield myself such time as I 
may consume.
  I thank the distinguished chairman of the Rules Committee, my good 
friend, Mr. Sessions, for his explanation of the measure going forward. 
I certainly do not anticipate that my side will oppose the measure as 
offered.
  In addition thereto, I would highlight what he did eloquently point 
out, and that is the bipartisan effort that has been put into this, 
including all of the negotiations leading up to now what will be the 
McCaul amendment offered by Mr. Woodall.
  CISPA, Mr. Speaker, provides the government and private sector with 
the tools they need to secure our networks and prevent future cyber 
attacks, while respecting the privacy of individuals.
  In bringing private companies and trade groups to the table, as well 
as taking into consideration the concerns expressed by civil liberties 
organizations, CISPA has been improved to better address the growing 
cybersecurity risks faced by the Federal Government and private sector, 
provide greater oversight, and protect Americans' privacy. We can take 
significant steps to reduce our vulnerability to cyber threats today.
  I have had the honor and privilege of meeting many of our 
intelligence professionals when I served as a member of the 
Intelligence Committee; and since that time, I cannot overstate how 
much I appreciate, and am humbled by, their service.
  Furthermore, I want to take this moment of personal privilege to 
thank my good friends, Chairman Rogers and Ranking Member 
Ruppersberger, and to underscore one of the unnoticed and hardworking 
staffs' efforts, and that would be the House Intelligence Committee 
staff, for their hard work and dedication in helping to see this and 
other measures having to do with the intelligence of this committee to 
the House floor, as well as in cooperation with their colleagues and 
ours at the United States Senate.
  I urge my colleagues to vote ``no'' on the rule and ``yes'' on the 
underlying bill, and I yield back the balance of my time.
  Mr. WOODALL. Mr. Speaker, I yield myself the balance of my time.
  I thank my friend from Florida for his service on the Rules Committee 
and his service on the Intelligence Committee.
  The work that goes on in the Intelligence Committee, Mr. Speaker, is 
work that so many Members of Congress do not involve themselves in. It 
goes on deep in the bowels of the Capitol Complex. It's under great 
security, all electronic devices left outside the door, so that they 
can discuss things within the four walls of that committee that we're 
not allowed to discuss here on the House floor.
  In fact, when they asked me to handle the rule today, Mr. Speaker, I 
was a little concerned because throughout this process of developing 
CISPA, I traveled down to that committee room time and time again in 
order to understand the threats that this Nation is facing, understand 
the challenges that this community of intelligence professionals is 
grappling with around the globe, and I don't want to be the one who 
shares those stories here on the House floor by mistake. I don't envy 
the gentleman from Florida having to balance being in that committee 
every single day, trying to protect the security of every single 
citizen, and not being able to come out of that committee room and 
share with, not just your colleagues here in the House, but your 
constituents back home, why it is you're doing the things that you do.
  Can you imagine, Mr. Speaker, what would have happened in World War 
II if we had to keep the bombing of Pearl Harbor a secret? It's a 
secret. Nobody knows. What do you think the support would have been, 
Mr. Speaker, for taking affirmative action in World War II? It would 
have been hard to generate that support. I would have voted ``no.''
  There are things going on in this Nation and in this world today, Mr. 
Speaker, that our Intelligence Committee grapples with, that our 
intelligence professionals grapple with, things that are frightening, 
and things that threaten the liberty of this country and the economic 
security of this country. Now, I don't want to be a fear-monger, Mr. 
Speaker. What I love about this country is no matter what the challenge 
is, we are great enough collectively to rise to meet it.
  In this case, we happen to need to rise to meet it in a subject 
matter that is near and dear to the heart of every American, which is 
my Internet privacy. I care a lot about Internet privacy, Mr. Speaker. 
I've got a VPN system set up so nobody is listening in on my Wi-Fi. I 
change my password about every 10 days to make sure nobody is making 
any progress towards hacking my system. I'll occasionally go on the 
Internet and use one of those anonymizers to make sure my IP address 
isn't being tracked when I'm looking at things that perhaps my friends 
in Congress, I'm trying to get a bill done, I don't want you to know 
I'm getting that bill done. Who knows what those people down in HIR, 
House Information Resources, what they're tracking that we do here? We 
have tools available to us in that way, Mr. Speaker.
  But do you know who I can't outsmart? Perhaps I can outsmart my next-
door neighbor who wants to piggyback on my Wi-Fi system. Perhaps I can 
outsmart the guy at the hotel who is trying to piggyback on my 
information there in the hotel room. Perhaps I can even outsmart the 
U.S. House of Representatives. But what I can't outsmart is that team 
of cyber warriors gathered by nation-states around the globe who are 
hacking my information and your information every single day, stealing 
our intellectual property, stealing our military technology, 
threatening the privacies that we've

[[Page H2086]]

talked so much about here on the floor today.
  I'm very glad, Mr. Speaker, that as you page through this bill, you 
will find line after line after line aimed at protecting your and my 
privacy. I think we do a good job of finding that balance. We even will 
offer amendments today on the floor to do even better. But without 
security at the Internet border, I have no protection of my privacy 
because those agents of the state of China, North Korea, and beyond are 
accessing that information today.
  Mr. Speaker, it's been 18 months that we've been working to craft 
that balance of privacy and security. We'll continue to work on that 
throughout 12 amendments here today. I urge my colleagues, look through 
this resolution, look through H.R. 624 to see the efforts that have 
gone into crafting this bipartisan piece of legislation; and look at 
those 12 amendments, look at those 12 amendments that we'll have an 
opportunity to vote on over the next 2 days to make this bill even 
better. But the time for delay, Mr. Speaker, has passed us, and the 
cost of delay is most certainly measured in dollars, and I fear it is 
measured in lives.
  Let's move forward with this bill today, Mr. Speaker. I urge strong 
support for the rule, and I urge strong support after the debate of 
these 12 amendments on the underlying legislation.


                    Amendment Offered by Mr. Woodall

  Mr. WOODALL. Mr. Speaker, at this time, I offer an amendment to the 
resolution.
  The SPEAKER pro tempore. The Clerk will report the amendment.
  The Clerk read as follows:

       At the end of the resolution, add the following:
       Sec. 2.  Notwithstanding any other provision of this 
     resolution, the amendment specified in section 3 shall be in 
     order as though printed as the last amendment in House Report 
     113-41 if offered by Representative McCaul of Texas or his 
     designee. That amendment shall be debatable for 10 minutes 
     equally divided and controlled by the proponent and an 
     opponent.
       Sec. 3.  The amendment referred to in section 2 is as 
     follows: After section 1, insert the following new section 
     (and renumber subsequent sections accordingly):

     ``SEC. 2. FEDERAL GOVERNMENT COORDINATION WITH RESPECT TO 
                   CYBERSECURITY.

       ``(a) Coordinated Activities.--The Federal Government shall 
     conduct cybersecurity activities to provide shared 
     situational awareness that enables integrated operational 
     actions to protect, prevent, mitigate, respond to, and 
     recover from cyber incidents.
       ``(b) Coordinated Information Sharing.--
       ``(1) Designation of coordinating entity for cyber threat 
     information.--The President shall designate an entity within 
     the Department of Homeland Security as the civilian Federal 
     entity to receive cyber threat information that is shared by 
     a cybersecurity provider or self-protected entity in 
     accordance with section 1104(b) of the National Security Act 
     of 1947, as added by section 3(a) of this Act, except as 
     provided in paragraph (2) and subject to the procedures 
     established under paragraph (4).
       ``(2) Designation of a coordinating entity for 
     cybersecurity crimes.--The President shall designate an 
     entity within the Department of Justice as the civilian 
     Federal entity to receive cyber threat information related to 
     cybersecurity crimes that is shared by a cybersecurity 
     provider or self-protected entity in accordance with section 
     1104(b) of the National Security Act of 1947, as added by 
     section 3(a) of this Act, subject to the procedures under 
     paragraph (4).
       ``(3) Sharing by coordinating entities.--The entities 
     designated under paragraphs (1) and (2) shall share cyber 
     threat information shared with such entities in accordance 
     with section 1104(b) of the National Security Act of 1947, as 
     added by section 3(a) of this Act, consistent with the 
     procedures established under paragraphs (4) and (5).
       ``(4) Procedures.--Each department or agency of the Federal 
     Government receiving cyber threat information shared in 
     accordance with section 1104(b) of the National Security Act 
     of 1947, as added by section 3(a) of this Act, shall 
     establish procedures to--
       ``(A) ensure that cyber threat information shared with 
     departments or agencies of the Federal Government in 
     accordance with such section 1104(b) is also shared with 
     appropriate departments and agencies of the Federal 
     Government with a national security mission in real time;
       ``(B) ensure the distribution to other departments and 
     agencies of the Federal Government of cyber threat 
     information in real time; and
       ``(C) facilitate information sharing, interaction, and 
     collaboration among and between the Federal Government; 
     State, local, tribal, and territorial governments; and 
     cybersecurity providers and self-protected entities.
       ``(5) Privacy and civil liberties.--
       ``(A) Policies and procedures.--The Secretary of Homeland 
     Security, the Attorney General, the Director of National 
     Intelligence, and the Secretary of Defense shall jointly 
     establish and periodically review policies and procedures 
     governing the receipt, retention, use, and disclosure of non-
     publicly available cyber threat information shared with the 
     Federal Government in accordance with section 1104(b) of the 
     National Security Act of 1947, as added by section 3(a) of 
     this Act. Such policies and procedures shall, consistent with 
     the need to protect systems and networks from cyber threats 
     and mitigate cyber threats in a timely manner--
       ``(i) minimize the impact on privacy and civil liberties;
       ``(ii) reasonably limit the receipt, retention, use, and 
     disclosure of cyber threat information associated with 
     specific persons that is not necessary to protect systems or 
     networks from cyber threats or mitigate cyber threats in a 
     timely manner;
       ``(iii) include requirements to safeguard non-publicly 
     available cyber threat information that may be used to 
     identify specific persons from unauthorized access or 
     acquisition;
       ``(iv) protect the confidentiality of cyber threat 
     information associated with specific persons to the greatest 
     extent practicable; and
       ``(v) not delay or impede the flow of cyber threat 
     information necessary to defend against or mitigate a cyber 
     threat.
       ``(B) Submission to congress.--The Secretary of Homeland 
     Security, the Attorney General, the Director of National 
     Intelligence, and the Secretary of Defense shall, consistent 
     with the need to protect sources and methods, jointly submit 
     to Congress the policies and procedures required under 
     subparagraph (A) and any updates to such policies and 
     procedures.
       ``(C) Implementation.--The head of each department or 
     agency of the Federal Government receiving cyber threat 
     information shared with the Federal Government under such 
     section 1104(b) shall--
       ``(i) implement the policies and procedures established 
     under subparagraph (A); and
       ``(ii) promptly notify the Secretary of Homeland Security, 
     the Attorney General, the Director of National Intelligence, 
     the Secretary of Defense, and the appropriate congressional 
     committees of any significant violations of such policies and 
     procedures.
       ``(D) Oversight.--The Secretary of Homeland Security, the 
     Attorney General, the Director of National Intelligence, and 
     the Secretary of Defense shall jointly establish a program to 
     monitor and oversee compliance with the policies and 
     procedures established under subparagraph (A).
       ``(6) Information sharing relationships.--Nothing in this 
     section shall be construed to--
       ``(A) alter existing agreements or prohibit new agreements 
     with respect to the sharing of cyber threat information 
     between the Department of Defense and an entity that is part 
     of the defense industrial base;
       ``(B) alter existing information-sharing relationships 
     between a cybersecurity provider, protected entity, or self-
     protected entity and the Federal Government;
       ``(C) prohibit the sharing of cyber threat information 
     directly with a department or agency of the Federal 
     Government for criminal investigative purposes related to 
     crimes described in section 1104(c)(1) of the National 
     Security Act of 1947, as added by section 3(a) of this Act; 
     or
       ``(D) alter existing agreements or prohibit new agreements 
     with respect to the sharing of cyber threat information 
     between the Department of Treasury and an entity that is part 
     of the financial services sector.
       ``(7) Technical assistance.--
       ``(A) Discussions and assistance.--Nothing in this section 
     shall be construed to prohibit any department or agency of 
     the Federal Government from engaging in formal or informal 
     technical discussion regarding cyber threat information with 
     a cybersecurity provider or self-protected entity or from 
     providing technical assistance to address vulnerabilities or 
     mitigate threats at the request of such a provider or such an 
     entity.
       ``(B) Coordination.--Any department or agency of the 
     Federal Government engaging in an activity referred to in 
     subparagraph (A) shall coordinate such activity with the 
     entity of the Department of Homeland Security designated 
     under paragraph (1) and share all significant information 
     resulting from such activity with such entity and all other 
     appropriate departments and agencies of the Federal 
     Government.
       ``(C) Sharing by designated entity.--Consistent with the 
     policies and procedures established under paragraph (5), the 
     entity of the Department of Homeland Security designated 
     under paragraph (1) shall share with all appropriate 
     departments and agencies of the Federal Government all 
     significant information resulting from--
       ``(i) formal or informal technical discussions between such 
     entity of the Department of Homeland Security and a 
     cybersecurity provider or self-protected entity about cyber 
     threat information; or
       ``(ii) any technical assistance such entity of the 
     Department of Homeland Security provides to such 
     cybersecurity provider or such self-protected entity to 
     address vulnerabilities or mitigate threats.
       ``(c) Reports on Information Sharing.--
       ``(1) Inspector general of the department of homeland 
     security report.--The Inspector General of the Department of 
     Homeland Security, in consultation with the

[[Page H2087]]

     Inspector General of the Department of Justice, the Inspector 
     General of the Intelligence Community, the Inspector General 
     of the Department of Defense, and the Privacy and Civil 
     Liberties Oversight Board, shall annually submit to the 
     appropriate congressional committees a report containing a 
     review of the use of information shared with the Federal 
     Government under subsection (b) of section 1104 of the 
     National Security Act of 1947, as added by section 3(a) of 
     this Act, including--
       ``(A) a review of the use by the Federal Government of such 
     information for a purpose other than a cybersecurity purpose;
       ``(B) a review of the type of information shared with the 
     Federal Government under such subsection;
       ``(C) a review of the actions taken by the Federal 
     Government based on such information;
       ``(D) appropriate metrics to determine the impact of the 
     sharing of such information with the Federal Government on 
     privacy and civil liberties, if any;
       ``(E) a list of the departments or agencies receiving such 
     information;
       ``(F) a review of the sharing of such information within 
     the Federal Government to identify inappropriate stovepiping 
     of shared information; and
       ``(G) any recommendations of the Inspector General of the 
     Department of Homeland Security for improvements or 
     modifications to the authorities under such section.
       ``(2) Privacy and civil liberties officers report.--The 
     Officer for Civil Rights and Civil Liberties of the 
     Department of Homeland Security, in consultation with the 
     Privacy and Civil Liberties Oversight Board, the Inspector 
     General of the Intelligence Community, and the senior privacy 
     and civil liberties officer of each department or agency of 
     the Federal Government that receives cyber threat information 
     shared with the Federal Government under such subsection (b), 
     shall annually and jointly submit to Congress a report 
     assessing the privacy and civil liberties impact of the 
     activities conducted by the Federal Government under such 
     section 1104. Such report shall include any recommendations 
     the Civil Liberties Protection Officer and Chief Privacy and 
     Civil Liberties Officer consider appropriate to minimize or 
     mitigate the privacy and civil liberties impact of the 
     sharing of cyber threat information under such section 1104.
       ``(3) Form.--Each report required under paragraph (1) or 
     (2) shall be submitted in unclassified form, but may include 
     a classified annex.
       ``(d) Definitions.--In this section:
       ``(1) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means--
       ``(A) the Committee on Homeland Security, the Committee on 
     the Judiciary, the Permanent Select Committee on 
     Intelligence, and the Committee on Armed Services of the 
     House of Representatives; and
       ``(B) the Committee on Homeland Security and Governmental 
     Affairs, the Committee on the Judiciary, the Select Committee 
     on Intelligence, and the Committee on Armed Services of the 
     Senate.
       ``(2) Cyber threat information, cyber threat intelligence, 
     cybersecurity crimes, cybersecurity provider, cybersecurity 
     purpose, and self-protected entity.--The terms `cyber threat 
     information', `cyber threat intelligence', `cybersecurity 
     crimes', `cybersecurity provider', `cybersecurity purpose', 
     and `self-protected entity' have the meaning given those 
     terms in section 1104 of the National Security Act of 1947, 
     as added by section 3(a) of this Act.
       ``(3) Intelligence community.--The term `intelligence 
     community' has the meaning given the term in section 3(4) of 
     the National Security Act of 1947 (50 U.S.C. 401a(4)).
       ``(4) Shared situational awareness.--The term `shared 
     situational awareness' means an environment where cyber 
     threat information is shared in real time between all 
     designated Federal cyber operations centers to provide 
     actionable information about all known cyber threats.''.
     Page 5, strike line 6 and all that follows through page 6, 
     line 7.
     Page 7, beginning on line 17, strike ``by the department or 
     agency of the Federal Government receiving such cyber threat 
     information''.
     Page 13, strike line 13 and all that follows through page 15, 
     line 23.
     Page 17, strike line 15 and all that follows through page 19, 
     line 19.

  Mr. WOODALL. Mr. Speaker, I yield back the balance of my time, and I 
move the previous question on the amendment and on the resolution.
  The previous question was ordered.
  The SPEAKER pro tempore. The question is on the amendment.
  The amendment was agreed to.
  The SPEAKER pro tempore. The question is on the resolution, as 
amended.
  The question was taken; and the Speaker pro tempore announced that 
the ayes appeared to have it.
  Mr. HASTINGS of Florida. Mr. Speaker, on that I demand the yeas and 
nays.
  The yeas and nays were ordered.
  The vote was taken by electronic device, and there were--yeas 227, 
nays 192, not voting 13, as follows:

                             [Roll No. 109]

                               YEAS--227

     Aderholt
     Alexander
     Amash
     Amodei
     Bachus
     Barber
     Barletta
     Barr
     Barton
     Benishek
     Bentivolio
     Bilirakis
     Bishop (UT)
     Black
     Bonner
     Boustany
     Brady (TX)
     Bridenstine
     Brooks (AL)
     Brooks (IN)
     Broun (GA)
     Buchanan
     Bucshon
     Burgess
     Calvert
     Camp
     Campbell
     Cantor
     Capito
     Carter
     Cassidy
     Chabot
     Chaffetz
     Coble
     Coffman
     Cole
     Collins (GA)
     Collins (NY)
     Conaway
     Cook
     Costa
     Cotton
     Cramer
     Crawford
     Crenshaw
     Culberson
     Daines
     Davis, Rodney
     Denham
     Dent
     DeSantis
     DesJarlais
     Diaz-Balart
     Duffy
     Duncan (SC)
     Duncan (TN)
     Ellmers
     Farenthold
     Fincher
     Fitzpatrick
     Fleischmann
     Fleming
     Flores
     Forbes
     Fortenberry
     Foxx
     Franks (AZ)
     Frelinghuysen
     Gardner
     Garrett
     Gerlach
     Gibbs
     Gibson
     Gingrey (GA)
     Goodlatte
     Gosar
     Gowdy
     Granger
     Graves (GA)
     Graves (MO)
     Griffin (AR)
     Griffith (VA)
     Grimm
     Guthrie
     Gutierrez
     Hall
     Hanna
     Harper
     Harris
     Hartzler
     Hastings (WA)
     Heck (NV)
     Hensarling
     Herrera Beutler
     Hudson
     Huelskamp
     Huizenga (MI)
     Hultgren
     Hunter
     Issa
     Jenkins
     Johnson (OH)
     Johnson, Sam
     Jordan
     Joyce
     Kelly (PA)
     King (IA)
     King (NY)
     Kingston
     Kinzinger (IL)
     Kline
     Labrador
     LaMalfa
     Lamborn
     Lance
     Lankford
     Latham
     Latta
     LoBiondo
     Long
     Lucas
     Luetkemeyer
     Lummis
     Marchant
     Marino
     Massie
     Matheson
     McCarthy (CA)
     McCaul
     McHenry
     McIntyre
     McKeon
     McKinley
     McMorris Rodgers
     Meadows
     Meehan
     Messer
     Mica
     Miller (FL)
     Miller (MI)
     Mullin
     Mulvaney
     Murphy (PA)
     Neugebauer
     Noem
     Nugent
     Nunes
     Nunnelee
     Olson
     Owens
     Palazzo
     Paulsen
     Pearce
     Perry
     Petri
     Pittenger
     Pitts
     Poe (TX)
     Pompeo
     Posey
     Price (GA)
     Radel
     Reed
     Reichert
     Renacci
     Ribble
     Rice (SC)
     Rigell
     Roby
     Roe (TN)
     Rogers (AL)
     Rogers (KY)
     Rogers (MI)
     Rokita
     Rooney
     Ros-Lehtinen
     Roskam
     Ross
     Rothfus
     Royce
     Runyan
     Ruppersberger
     Ryan (WI)
     Salmon
     Scalise
     Schneider
     Schock
     Schweikert
     Scott, Austin
     Sensenbrenner
     Sessions
     Shuster
     Simpson
     Smith (NE)
     Smith (NJ)
     Smith (TX)
     Southerland
     Stewart
     Stivers
     Stutzman
     Terry
     Thompson (PA)
     Thornberry
     Tiberi
     Tipton
     Turner
     Upton
     Valadao
     Wagner
     Walberg
     Walden
     Walorski
     Weber (TX)
     Webster (FL)
     Wenstrup
     Whitfield
     Williams
     Wilson (SC)
     Wittman
     Wolf
     Womack
     Woodall
     Yoder
     Yoho
     Young (AK)
     Young (FL)
     Young (IN)

                               NAYS--192

     Andrews
     Barrow (GA)
     Bass
     Beatty
     Becerra
     Bera (CA)
     Bishop (GA)
     Bishop (NY)
     Blumenauer
     Bonamici
     Brady (PA)
     Braley (IA)
     Brown (FL)
     Brownley (CA)
     Bustos
     Butterfield
     Capps
     Capuano
     Cardenas
     Carney
     Carson (IN)
     Cartwright
     Castor (FL)
     Castro (TX)
     Chu
     Cicilline
     Clarke
     Clay
     Cleaver
     Clyburn
     Cohen
     Connolly
     Conyers
     Cooper
     Courtney
     Crowley
     Cuellar
     Cummings
     Davis (CA)
     Davis, Danny
     DeFazio
     DeGette
     Delaney
     DeLauro
     DelBene
     Deutch
     Dingell
     Doggett
     Doyle
     Duckworth
     Edwards
     Ellison
     Engel
     Enyart
     Eshoo
     Esty
     Farr
     Fattah
     Foster
     Frankel (FL)
     Fudge
     Gabbard
     Gallego
     Garamendi
     Garcia
     Grayson
     Green, Al
     Green, Gene
     Grijalva
     Hahn
     Hanabusa
     Hastings (FL)
     Heck (WA)
     Higgins
     Himes
     Hinojosa
     Holt
     Honda
     Horsford
     Hoyer
     Huffman
     Israel
     Jackson Lee
     Jeffries
     Johnson (GA)
     Johnson, E. B.
     Jones
     Kaptur
     Keating
     Kelly (IL)
     Kildee
     Kilmer
     Kind
     Kirkpatrick
     Kuster
     Langevin
     Larsen (WA)
     Larson (CT)
     Lee (CA)
     Levin
     Lewis
     Lipinski
     Loebsack
     Lofgren
     Lowenthal
     Lowey
     Lujan Grisham (NM)
     Lujan, Ben Ray (NM)
     Maffei
     Maloney, Carolyn
     Maloney, Sean
     Matsui
     McCarthy (NY)
     McClintock
     McCollum
     McDermott
     McGovern
     McNerney
     Meeks
     Meng
     Michaud
     Miller, George
     Moore
     Moran
     Murphy (FL)
     Nadler
     Napolitano
     Negrete McLeod
     Nolan
     O'Rourke
     Pallone
     Pascrell
     Pastor (AZ)
     Payne
     Pelosi
     Perlmutter
     Peters (CA)
     Peters (MI)
     Peterson
     Pingree (ME)
     Pocan
     Polis
     Price (NC)
     Quigley
     Rahall
     Richmond
     Rohrabacher
     Roybal-Allard
     Ruiz
     Rush
     Ryan (OH)
     Sanchez, Linda T.
     Sanchez, Loretta
     Sarbanes
     Schakowsky
     Schiff
     Schrader
     Schwartz
     Scott (VA)
     Scott, David
     Serrano
     Sewell (AL)
     Shea-Porter
     Sherman
     Sinema
     Sires
     Slaughter
     Smith (WA)
     Speier
     Stockman
     Swalwell (CA)
     Takano
     Thompson (CA)
     Thompson (MS)
     Tierney
     Titus
     Tonko
     Tsongas
     Van Hollen
     Vargas
     Veasey
     Vela
     Velazquez
     Visclosky
     Walz
     Wasserman Schultz
     Waters
     Watt
     Waxman
     Welch
     Wilson (FL)
     Yarmuth

[[Page H2088]]



                             NOT VOTING--13

     Bachmann
     Blackburn
     Gohmert
     Holding
     Hurt
     Kennedy
     Lynch
     Markey
     Miller, Gary
     Neal
     Rangel
     Shimkus
     Westmoreland

                              {time}  1418

  Mr. RAHALL, Ms. PELOSI, Ms. BROWNLEY of California, Mr. CARDENAS and 
Ms. WILSON of Florida changed their vote from ``yea'' to ``nay.''
  Messrs. KING of New York, YOHO and AMASH changed their vote from 
``nay'' to ``yea.''
  So the resolution was agreed to.
  The result of the vote was announced as above recorded.
  A motion to reconsider was laid on the table.

                          ____________________