                                                        Calendar No. 28
114th Congress     }                                   {         Report
                                 SENATE
 1st Session       }                                   {         114-32

======================================================================



 
             CYBERSECURITY INFORMATION SHARING ACT OF 2015

                                _______
                                

                 April 15, 2015.--Ordered to be printed

                                _______
                                

         Mr. Burr, from the Select Committee on Intelligence, 
                        submitted the following

                              R E P O R T

                             together with

                            ADDITIONAL VIEWS

                         [To accompany S. 754]

    The Select Committee on Intelligence, having considered an 
original bill (S. 754) to improve cybersecurity in the United 
States through enhanced sharing of information about 
cybersecurity threats, and for other purposes, reports 
favorably thereon and recommends that the bill do pass.

                  Background and Need for Legislation

    Over the last several years, the Committee has listened 
with increasing alarm to the testimony of senior intelligence 
officials and private sector experts about the growing 
cybersecurity threats to our nation.
    The Committee has already seen the impact these threats are 
having on the nation's security and its economy as losses to 
consumers, businesses, and the government from cyber attacks, 
penetrations, and disruptions already total billions of 
dollars. Beyond direct monetary losses, the continuing efforts 
of foreign actors to steal intellectual property will have far 
reaching impacts on the innovation upon which a robust economy 
and strong military relies. The Committee has seen widespread 
theft through cyberspace increasingly evolve into disruptive 
and destructive attacks. American financial institutions have 
been subjected to denial of service attacks by foreign actors 
that blocked consumers' access to banking services. Critical 
infrastructure companies abroad and businesses in the United 
States have seen their vital business systems rendered useless 
by hostile actors operating in other countries. The reported 
destructive cyberattacks on the Las Vegas Sands Corporation and 
Sony Pictures Entertainment represent further escalation of 
this disturbing trend, including unprecedented efforts to 
destroy data of U.S. companies. Our nation is growing more 
vulnerable to cyber threats. Every aspect of society is growing 
more dependent on computers which are all linked to networks, 
opening this country up to many known vulnerabilities and many 
yet to be discovered.
    The Committee and its staff have also engaged in hundreds 
of conversations with senior government and private sector 
officials that have demonstrated the need for a legislative 
effort to allow for the increased sharing of information about 
these cyber threats. There are many stakeholders who are 
engaged on these issues and the Committee is convinced that 
legislation is needed to assist them in finding better ways to 
work together to address our nation's shared cybersecurity 
challenges. This legislation is designed to create a voluntary 
cybersecurity information sharing process that will encourage 
public and private sector entities to share cyber threat 
information, removing legal barriers and the threat of 
unnecessary litigation. This in turn allows for greater 
cooperation and collaboration in the face of growing 
cybersecurity threats to national and economic security. 
Additionally, the Committee believes that such increased 
sharing will drive public and private sector cybersecurity 
efforts to develop key new technologies and processes, such as 
an improved ability to share technical threat information 
through an automated process in ``real time'' to counter cyber 
threats at machine speed.
    Through the Committee's oversight of the Intelligence 
Community, it has long recognized the need to better use the 
government's knowledge and expertise about cyber threats for 
defensive purposes. This legislation includes requirements for 
the government to share more information, including classified 
information under appropriate safeguards, with relevant private 
sector entities to further cybersecurity. Often as a result of 
overclassification and parochialism, some cybersecurity 
information that could enable the businesses facing these 
threats to better protect themselves remains exclusively in the 
government. Although sensitive sources and methods must be 
protected, the government does not presently share adequate 
information about cyber threats. This bill encourages the 
government to expand this sharing and to create the appropriate 
processes to do so.
    This legislation also includes positive legal authorities 
for private companies to: (1) monitor their networks, or those 
of their customers upon authorization and written consent, for 
cybersecurity purposes; (2) take defensive measures to stop 
cyber attacks; and (3) share cyber threat information with each 
other and with the government to further collective 
cybersecurity. Through extensive hearings, briefings, and 
discussions, the Committee has identified the need to provide 
carefully tailored cybersecurity authorities to address these 
current gaps. The Committee also recognizes the careful balance 
that must be struck in providing increased authorities to 
ensure they are used appropriately. This legislation creates a 
completely voluntary information-sharing framework that 
includes several layers of privacy protections to prevent abuse 
and ensure that the government cannot inappropriately acquire 
or use sensitive information other than for limited 
cybersecurity and public safety purposes.
    In addition to concerns about legal authorities, the 
specter of litigation for monitoring a company's own networks 
or sharing cyber threat indicators or defensive measures for 
cybersecurity purposes has disincentivized private sector 
cybersecurity efforts. Entities appropriately monitoring their 
systems for cybersecurity threats and sharing information 
necessary to protect against those threats should not be 
exposed to costly legal uncertainty for doing so. Moreover, it 
is these same companies who are the victims of malicious cyber 
activity, and their appropriate efforts to protect themselves 
and other future victims from cyber threats should not only be 
authorized but protected from unnecessary litigation. This 
legislation creates narrowly tailored liability protection to 
incentivize companies' efforts to identify cybersecurity 
threats and share information about them. However, this 
liability protection does not extend to defensive measures, nor 
does it protect unauthorized monitoring or sharing, including 
gross negligence or willful misconduct, that risks sensitive 
data rather than safeguarding it.
    The Committee believes that the increased information 
sharing enabled by this bill is a critical step forward for 
improving cybersecurity in America.

              Section-by-Section Analysis and Explanation

    The following is a section-by-section analysis and 
explanation of the Cybersecurity Information Sharing Act of 
2015 that is being reported by the Committee.

Section 1. Short title

    Section 1 states that this Act may be cited as the 
``Cybersecurity Information Sharing Act of 2015.''

Section 2. Definitions

    Section 2 provides 18 definitions for this Act, to include 
the following key terms: ``cybersecurity purpose,'' 
``cybersecurity threat,'' ``cyber threat indicator,'' 
``defensive measure,'' and ``monitor.''
    The term ``cybersecurity purpose'' means the purpose of 
protecting an information system or information that is stored 
on, processed by, or transiting an information system from a 
cybersecurity threat or security vulnerability. This definition 
ensures that the authorities of private entities to monitor and 
operate defensive measures must be exercised for the purpose of 
protecting their own networks and those of their customers when 
authorized by the written consent of such customers. The 
definition of ``cybersecurity purpose'' is also one of the main 
limitations on the ability of private and governmental entities 
to use cyber threat indicators and defensive measures.
    The term ``cybersecurity threat'' is defined as an action, 
not protected by the First Amendment to the Constitution of the 
United States, on or through an information system that may 
result in an unauthorized effort to adversely impact the 
security, availability, confidentiality, or integrity of an 
information system or information that is stored on, processed 
by, or transiting an information system. The term does not include any 
action that solely involves a violation of a consumer term of 
service or a consumer licensing agreement. Many terms of 
service agreements prohibit activities that would also meet the 
``cybersecurity threat'' definition; such activities would 
still be considered a ``cybersecurity threat'' because they 
were not ``solely'' violations of consumer agreements. The 
Committee intends this definition to include activities that 
may have unauthorized and negative results, but to exclude 
authorized activities, such as extensive use of bandwidth that 
may incidentally cause adverse effects. However, this 
definition clearly does not permit hackers to cloak their 
criminal actions like theft of information or destruction of 
property under the ambit of First Amendment protected 
activities.
    The term ``cyber threat indicator'' is one of the most 
important definitions in this Act. It is defined as information 
that is necessary to describe or identify: (1) malicious 
reconnaissance, including anomalous patterns of communications 
that appear to be transmitted for the purpose of gathering 
technical information related to a cybersecurity threat or 
security vulnerability; (2) a method of defeating a security 
control or exploitation of a security vulnerability; (3) a 
security vulnerability, including anomalous activity that 
appears to indicate the existence of a security vulnerability; 
(4) a method of causing a user with legitimate access to an 
information system or information that is stored on, processed 
by, or transiting an information system to unwittingly enable 
the defeat of a security control or exploitation of a security 
vulnerability; (5) malicious cyber command and control; (6) the 
actual or potential harm caused by an incident, including a 
description of the information exfiltrated as a result of a 
particular cybersecurity threat; (7) any other attribute of a 
cybersecurity threat, if disclosure of such attribute is not 
otherwise prohibited by law; or (8) any combination thereof. 
This narrow definition is a key privacy protection in the Act 
because it creates an exhaustive list of the types of cyber 
threat information that can be shared among private and 
governmental entities, and only when they are necessary to 
describe or identify threats to information and information 
systems. Essentially, this definition limits the information 
that can be shared under this Act to the techniques and 
``malware'' used by malicious actors to compromise the computer 
networks of their victims, not sensitive personal and business 
information contained in such networks.
    The term ``defensive measure'' is defined as an action, 
device, procedure, signature, technique, or other measure 
applied to an information system or information that is stored 
on, processed by, or transiting an information system that 
detects, prevents, or mitigates a known or suspected 
cybersecurity threat or security vulnerability. However, a 
defensive measure does not include a measure that destroys, 
renders unusable, or substantially harms an information system 
or data on an information system not belonging to the private 
entity operating such measure or another entity or Federal 
entity that is authorized to provide consent and has provided 
consent to that private entity for operation of such measure. 
Recognizing the inherent right of self-defense that entities 
have to protect their networks and data, the Committee intends 
for this definition to provide a positive legal authority 
allowing private entities to take appropriate steps to defend 
their own information networks and systems, or 
those of their customers when authorized by the written consent 
of such customers, against malicious cybersecurity threats. For 
example, a defensive measure could be something as simple as a 
security device that protects or limits access to a private 
entity's computer infrastructure or as complex as using 
sophisticated software tools to detect and protect against 
anomalous and unauthorized activities on a private entity's 
information system. Regardless, this definition does not 
authorize the use of measures that are generally considered 
``offensive'' in nature, such as unauthorized access 
of or executing computer code on another entity's information 
systems or taking an action that would substantially harm 
another private entity's information systems. The Committee is 
aware that defensive measures on one entity's network could 
have effects on other networks. It is the Committee's intent 
that the authorization in this Act extends to defensive 
measures on an entity's information systems that do not cause 
substantial harm to another entity's information systems or 
data on such systems, regardless of whether such non-
substantial harm was intended or foreseen by the implementing 
entity.
    The term ``monitor'' means to acquire, identify, or scan, 
or to possess, information that is stored on, processed by, or 
transiting an information system. This definition, as used in 
this Act, is not intended to equate to the meaning of the term 
``monitor'' used in the context of the interception of 
communications under the Federal criminal wiretap statutes or 
electronic surveillance under the Foreign Intelligence 
Surveillance Act. Specifically, private entities are only 
authorized to monitor their own information systems or those of 
another private entity upon the authorization and written 
consent of such other entity. Moreover, such monitoring is 
limited to cybersecurity purposes. Essentially, these important 
limitations ensure that private entities are only authorized to 
monitor their information systems to protect against 
cybersecurity threats and vulnerabilities. Any other monitoring 
would require lawful authority other than that provided in this 
Act.

Section 3. Sharing of Information by the Federal Government

    Section 3 requires the Director of National Intelligence, 
the Secretary of Homeland Security, the Secretary of Defense, 
and the Attorney General to develop and promulgate procedures 
that facilitate and promote the timely sharing of: (1) 
classified cyber threat indicators with cleared representatives 
of relevant entities; (2) declassified cyber threat indicators 
with relevant entities; (3) unclassified cyber threat 
indicators with relevant entities or the public; and (4) 
information in the possession of the Federal Government about 
cybersecurity threats to such entities to prevent or mitigate 
adverse effects from such cybersecurity threats. These 
procedures must ensure that the Federal government has and 
maintains the capability to share cyber threat indicators in 
real time consistent with the protection of classified 
information and incorporate to the greatest extent practicable 
existing processes and existing roles and responsibilities.
    The procedures required by this section must also include a 
process for notifying entities that have received a cyber 
threat indicator from a Federal entity that is known or 
determined to be in error or in contravention of Federal law or 
policy. Federal entities receiving cyber threat indicators will 
also be required to implement and use security controls to 
protect against unauthorized access to or acquisition of such 
indicators. Moreover, the procedures require that a Federal 
entity, prior to sharing a cyber threat indicator, review and 
remove any information that the Federal entity knows at the 
time of the sharing to be personal information of or 
identifying a specific person not directly related to a 
cybersecurity threat or implement and use a technical 
capability configured to remove personal information of or 
identifying a specific person not directly related to a 
cybersecurity threat. In developing these procedures, the 
responsible officials must coordinate with other appropriate 
Federal entities, including the National Laboratories due to 
their technical expertise, so that effective protocols are 
implemented to facilitate and promote sharing in a timely 
manner. Within 60 days of the enactment of this Act, the 
Director of National Intelligence in consultation with the 
heads of the appropriate Federal entities shall submit these 
procedures to the Congress.

Section 4. Authorizations for Preventing, Detecting, Analyzing, and 
        Mitigating Cybersecurity Threats

    Subsection (a) of Section 4 provides a private entity with 
the authority to monitor, for cybersecurity purposes: (1) its 
own information systems; (2) an information system of another 
entity, upon the authorization and written consent of such 
other entity; (3) an information system of a Federal entity, 
upon the authorization and written consent of an authorized 
representative of the Federal entity; and (4) information that 
is stored on, processed by, or transiting an information system 
monitored by the private entity. Nothing in subsection (a) 
shall be construed to authorize the monitoring of information 
systems, or the use of any information obtained through such 
monitoring of such information systems, other than as provided 
in this Act.
    Subsection (b) provides private entities with the authority 
to operate defensive measures, for cybersecurity purposes, that 
are applied to its information systems to protect the rights 
and property of such private entities, those of another entity 
upon written consent of such entity for operation of such 
defensive measures to protect the rights and property of that 
entity, or those of a Federal entity upon written consent of an 
authorized representative of such Federal entity for operation 
of such defensive measures to protect the rights or property of 
the Federal Government. This subsection does not authorize the 
use of defensive measures other than for cybersecurity 
purposes.
    Under subsection (c), an entity is authorized to share with 
or receive from any other entity or the Federal Government 
cyber threat indicators and defensive measures for the purposes 
permitted under this Act, consistent with the protection of 
classified information when applicable. An entity receiving 
cyber threat indicators and defensive measures from another 
entity or Federal entity must comply with otherwise lawful 
restrictions placed on the sharing or use of such cyber threat 
indicators or defensive measures by the sharing entity or 
Federal entity, such as a limitation of future sharing of the 
indicators or measures.
    An entity monitoring information systems, operating 
defensive measures or providing or receiving defensive measures 
under Section 4 must implement and utilize security controls to 
protect against unauthorized access to or acquisition of such 
cyber threat indicators or defensive measures.
    Prior to sharing a cyber threat indicator pursuant to this 
Act, an entity shall review such cyber threat indicator to 
assess whether such indicator contains any information that the 
entity knows at the time of sharing to be personal information 
of or identifying a specific person not directly related to a 
cybersecurity threat and remove such information or implement 
and utilize a technical capability configured to remove any 
information contained with such indicator that the entity knows 
at the time of the sharing to be personal information of or 
identifying a specific person not directly related to a 
cybersecurity threat. During the Committee's drafting of the 
legislation, industry groups and trade associations noted that 
the requirement to remove personal information may preclude 
some companies, especially smaller ones, from participating in 
the information sharing process endorsed by the bill. As a 
private entity must ensure that any information shared meets 
the definition for ``cyber threat indicator'' or ``defensive 
measure'' to comply with the Act, the requirement to remove any 
known unnecessary privacy information strikes the appropriate 
balance between narrowly tailoring what information can be 
shared and providing a practicable standard. Further, the 
Committee hopes that the Attorney General guidance required in 
section 5, together with common practices and guidelines, will 
assist smaller and middle-sized companies in implementing this 
requirement.
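    The removal requirement in Section 4, and the parallel one for 
Federal entities in Section 3, presume some ``technical capability 
configured to remove'' personal information the sharer knows is not 
directly related to the threat. The Python below is an added 
illustration of such a scrub step; it is not code from the report, 
the bill, or any DHS or Attorney General guidance. It takes a 
constructed indicator record, drops fields the sharing entity has 
classified as victim personal data, and redacts e-mail addresses and 
phone numbers in free text unless the address sits on a domain the 
indicator itself lists as malicious (attacker infrastructure is 
directly related to the threat and stays). The field names, the 
classification of fields, the sample record and the regular 
expressions are all assumptions.

```python
# Added illustration (not the report's, the bill's, or any DHS/AG code):
# a pre-sharing scrub of a cyber threat indicator record that removes
# personal information known not to be directly related to the threat.
import copy
import re
from typing import Any

# ASSUMPTION: the sharing entity has classified these record fields as
# personal information about victims or employees that is not itself an
# attribute of the threat, so they are dropped before sharing.
PERSONAL_FIELDS = {"victim_email", "victim_name", "employee_id", "mailbox_contents"}

# ASSUMPTION: simple patterns for e-mail addresses and North American phone
# numbers in free-text fields; a production scrubber would use a fuller
# classifier driven by the Attorney General guidance.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
PHONE_RE = re.compile(r"\b(?:\+?\d{1,2}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b")


def redact_text(text: str, threat_domains: set) -> str:
    """Redact e-mail addresses and phone numbers in free text.

    An address on a domain the indicator itself lists as malicious is
    attacker infrastructure, i.e. directly related to the threat, and is kept.
    """
    def keep_or_redact(match):
        if match.group(1).lower() in threat_domains:
            return match.group(0)
        return "[redacted-email]"

    text = EMAIL_RE.sub(keep_or_redact, text)
    return PHONE_RE.sub("[redacted-phone]", text)


def _scrub(node: Any, path: str, threat_domains: set, audit: list) -> Any:
    """Recursively drop personal fields and redact strings, logging each change."""
    if isinstance(node, dict):
        for key in list(node):
            child = f"{path}.{key}" if path else key
            if key in PERSONAL_FIELDS:
                del node[key]
                audit.append((child, "removed"))
            else:
                node[key] = _scrub(node[key], child, threat_domains, audit)
        return node
    if isinstance(node, list):
        return [_scrub(v, f"{path}[{i}]", threat_domains, audit)
                for i, v in enumerate(node)]
    if isinstance(node, str):
        cleaned = redact_text(node, threat_domains)
        if cleaned != node:
            audit.append((path, "redacted"))
        return cleaned
    return node


def scrub_indicator(indicator: dict) -> tuple:
    """Return (scrubbed copy, audit log); the input record is left unchanged.

    The audit log is what a sharer would retain to document what it removed
    from the indicator before sharing and why.
    """
    scrubbed = copy.deepcopy(indicator)
    threat_domains = {d.lower() for d in scrubbed.get("malicious_domains", [])}
    audit: list = []
    _scrub(scrubbed, "", threat_domains, audit)
    return scrubbed, audit


# Constructed sample record (not real data); the field layout is an assumption.
SAMPLE_INDICATOR = {
    "type": "phishing-campaign",
    "malicious_domains": ["evil-login.example"],
    "sender": "invoice@evil-login.example",          # attacker address: kept
    "subject": "Overdue invoice",
    "victim_email": "j.doe@victim.example",          # victim field: dropped
    "description": ("Target j.doe@victim.example called 555-123-4567 after "
                    "clicking; credential-harvesting page at evil-login.example"),
    "c2": {"ip": "203.0.113.7", "notes": "operator contacted hr@victim.example"},
}

if __name__ == "__main__":
    cleaned, log = scrub_indicator(SAMPLE_INDICATOR)
    for entry in log:
        print("%-12s %s" % entry)
    print(cleaned)
```

    Run stand-alone, the script prints the audit log (the victim field 
removed, the description and the C2 notes redacted) followed by the 
scrubbed record; the attacker's sending address and the C2 address 
survive because they describe the threat, which is the distinction the 
Act's ``not directly related to a cybersecurity threat'' language 
draws.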
    Section 4 authorizes an entity to use cyber threat 
indicators and defensive measures, for cybersecurity purposes, 
to monitor or operate defensive measures on its information 
systems or those of another entity or Federal entity upon 
written consent.
    A cyber threat indicator shared by an entity with a State, 
tribal, or local department or agency may, with the prior 
written consent of such entity, be used for the purpose of 
preventing, investigating, or prosecuting any of the offenses 
described in Section 5(d)(5)(A)(vi). These offenses involve 
imminent threats of death, serious bodily harm, or serious 
economic harm, including a terrorist act or a use of a weapon 
of mass destruction. They also include serious violent felonies 
and offenses related to fraud and identity theft, and 
protection of trade secrets. If the need for immediate use 
prevents a State, tribal, or local department or agency from 
obtaining written consent before such use, consent may be 
provided orally with subsequent documentation of consent. The 
entity providing consent for this use must have the 
authorization to possess and share such a cyber threat 
indicator under this Act and must conduct such sharing 
consistent with the conditions set out.
    Cyber threat indicators shared with a State, tribal, or 
local department or agency under Section 4 are deemed 
voluntarily shared information and exempt from disclosure under 
any State, tribal, or local law requiring disclosure of 
information or records.
    In general, cyber threat indicators shared with a State, 
tribal, or local government under this Act shall not be 
directly used by any State, tribal, or local government to 
regulate, which includes bringing an enforcement action, the 
lawful activity of any entity, including an activity relating 
to monitoring, operating a defensive measure, or sharing of a 
cyber threat indicator. However, a cyber threat indicator or 
defensive measure may, consistent with a State, tribal, or 
local government regulatory authority specifically relating to 
the prevention or mitigation of cybersecurity threats to 
information systems, inform the development or implementation 
of a regulation relating to such information systems. The 
Committee views this as a narrow exception to ensure that 
government agencies with regulatory authority understand the 
current landscape of cyber threats and those facing the 
particular regulatory sector over which they have cognizance.
    Under subsection (e), two or more private entities are not 
to be considered in violation of any provision of antitrust law 
when exchanging or providing a cyber threat indicator, or 
assistance relating to the prevention, investigation, or 
mitigation of a cybersecurity threat, for cybersecurity 
purposes under this Act. This provision should be read in 
conjunction with the rule of construction in Section 8(e) that 
nothing in the Act shall be construed to permit price-fixing, 
allocating a market between competitors, monopolizing or 
attempting to monopolize a market, boycotting, or exchanges of 
price or cost information, customer lists, or information 
regarding future competitive planning. The bill allows for the 
sharing of cybersecurity-related information for cybersecurity 
purposes, acknowledging that doing so might otherwise be a 
potential violation of antitrust laws that seek to limit 
sharing of information for other purposes. The bill is not 
intended to shield companies that engage in anti-competitive 
behavior under the guise of cybersecurity.
    Further, this subsection applies only to information that 
is exchanged, or assistance that is provided, for the 
communication or disclosure of cyber threat indicators to 
facilitate the prevention, investigation, or mitigation of 
cybersecurity threats to an information system or information 
that is stored on, processed by, or transiting an information 
system.
    Section 4 also clarifies that the sharing of cyber threat 
indicators under this Act shall not create a right or benefit 
to similar information by such entity or another entity.

Section 5. Sharing of Cyber Threat Indicators and Defensive Measures 
        with the Federal Government

    Section 5 directs the Attorney General, in coordination 
with the heads of appropriate Federal entities, to develop and 
submit to Congress not later than 60 days after the enactment 
of this Act interim policies and procedures relating to the 
receipt of cyber threat indicators and defensive measures by 
the Federal Government. Not later than 180 days after the 
enactment of this Act, the Attorney General, in coordination 
with the heads of appropriate Federal entities, is required to 
promulgate a final version of such policies and procedures.
    The policies and procedures developed under Section 5 must 
meet several requirements in addition to being consistent with 
the Attorney General's privacy and civil liberties guidelines 
required by subsection (b). They must ensure that cyber threat 
indicators shared with the Federal Government through the real 
time process described in subsection (c)--the capability and 
process within the DHS--are shared in an automated manner with 
all appropriate Federal entities, are not subject to any delay 
or interference, and may be provided to other Federal entities. 
The Committee intends that these policies and procedures both 
enable the delivery of real time information about 
cybersecurity threats to appropriate Federal entities and 
provide sufficient technical controls to protect privacy 
information.
    For cyber threat indicators shared in a manner other than 
the real-time process described in subsection (c), the policies 
and procedures shall ensure that cyber threat indicators are 
shared as quickly as operationally practicable with all 
appropriate Federal entities, are not subject to unnecessary 
delay, interference, or any other action that could impede 
receipt by all of the appropriate Federal entities, and may be 
provided to other Federal entities. As cyber threat indicators 
received outside of the real-time process in subsection (c) may 
be received by the Federal Government in a format less 
conducive to ``as quickly as operationally practicable'' 
sharing, the Committee intends that this sharing requirement 
will vest when such information is in a format that can 
feasibly be shared. Once a cyber threat indicator can feasibly 
be shared with appropriate Federal entities, the Federal entity 
possessing such indicator must proceed to share it consistent 
with the policies and procedures and without unnecessary delay. 
The Attorney General's policies and procedures should include 
how such cyber threat indicators will be put into a shareable 
format and the proper sharing procedures within the Federal 
Government. Further, the policies and procedures shall govern 
the retention, use, and dissemination of cyber threat 
indicators shared with the Federal Government, consistent with 
this Act, otherwise applicable law, and consistent with the 
applicable sections of the commonly accepted fair information 
practice principles. To ensure compliance, an audit capability 
and appropriate sanctions for officers, employees, or agents of 
a Federal entity who knowingly and willfully conduct 
unauthorized activities are required to be included in the 
policies and procedures.
    In an effort to assist the public and promote sharing of 
cyber threat indicators, Section 5 requires the Attorney 
General to develop and make publicly available guidance that: 
(1) identifies the types of information that would qualify as a 
cyber threat indicator under this Act that would be unlikely to 
include personal information of or identifying a specific 
person not directly related to a cybersecurity threat; (2) 
identifies the types of information that are protected under 
otherwise applicable privacy laws that are unlikely to be 
directly related to a cybersecurity threat; and (3) contains 
such other matters as the Attorney General considers 
appropriate for entities sharing cyber threat indicators with 
Federal entities under this Act.
    Section 5 also directs the Attorney General, not later than 
60 days after the date of enactment, in coordination with heads 
of the appropriate Federal entities and in consultation with 
privacy and civil liberties officers of such entities, to 
develop, submit to Congress, and make available to the public 
interim guidelines relating to privacy and civil liberties that 
will govern the receipt, retention, use, and dissemination of 
cyber threat indicators by a Federal entity obtained in 
connection with activities authorized under this Act. Not later 
than 180 days after the date of enactment, the Attorney General 
shall, in coordination with the heads of the appropriate 
Federal entities and in consultation with privacy and civil 
liberties officers of such entities and such private entities 
with industry expertise as the Attorney General considers 
relevant, promulgate final privacy guidelines that shall govern 
the receipt, retention, use, and dissemination of cyber threat 
indicators by a Federal entity obtained in connection with 
activities authorized in this Act. The Attorney General is also 
required to periodically review these privacy guidelines, again 
in coordination with the heads of the appropriate Federal 
entities and in consultation with privacy and civil liberties 
officers and industry experts. Consistent with the need to 
protect information from cybersecurity threats and mitigate 
those threats, the guidelines are required to limit the impact 
on privacy and civil liberties from activities by the Federal 
Government under this Act. These guidelines shall also limit 
the receipt, retention, use, and dissemination of cyber threat 
indicators containing personal information of or identifying 
specific persons. As part of these limitations, the guidelines 
will establish a process for the timely destruction of 
information that is known not to be directly related to uses 
authorized under this Act and specific limitations on the 
length of time a cyber threat indicator may be retained by the 
Federal Government.
    The guidelines will include requirements to safeguard cyber 
threat indicators containing personal information of or 
identifying specific persons from unauthorized access or 
acquisition, including appropriate sanctions for activities by 
officers, employees, or agents of the Federal Government in 
contravention of such guidelines. If a Federal entity 
determines or knows that it has received information that does 
not constitute a cyber threat indicator, the guidelines shall 
include a procedure to notify entities and Federal entities. 
The privacy and civil liberties guidelines will protect the 
confidentiality of cyber threat indicators containing personal 
information of or identifying specific persons to the greatest 
extent practicable, and they will require recipients to be 
informed that such indicators may only be used for purposes 
authorized under this Act. They must also include steps that 
may be needed so that dissemination of cyber threat indicators 
is consistent with the protection of classified and other 
sensitive national security information.
    Subsection (c) requires the Secretary of Homeland Security, 
not later than 90 days after the date of the enactment of this 
Act and in coordination with the heads of the appropriate 
Federal entities, to develop and implement a capability and 
process (commonly referred to as a ``portal'') within the DHS 
that accepts cyber threat indicators and defensive measures 
from any entity in real time. The Committee intends that this 
DHS capability should build upon current Federal Government 
efforts to both more efficiently receive cyber threat 
indicators from outside the Federal Government and to more 
efficiently share such indicators within the Federal 
Government.
    Upon certification by the Secretary of Homeland Security, 
this capability shall be the process by which the Federal 
Government receives cyber threat indicators and defensive 
measures shared by a private entity through electronic mail or 
media, an interactive form on an Internet website, or a real 
time, automated process between information systems. There are 
only two exceptions to this requirement: (1) communications 
between a Federal entity and a private entity regarding a 
previously shared cyber threat indicator; and (2) 
communications by a regulated entity with such entity's Federal 
regulatory authority regarding a cybersecurity threat. The 
sharing of cyber threat indicators and defensive measures in 
other formats where there is less privacy risk, such as a 
telephone call, letter, or in-person meeting, receives 
liability protection regardless of whether it is first sent 
through the DHS portal.
    When cyber threat indicators and defensive measures are 
shared through the DHS capability, the Secretary of Homeland 
Security will ensure that all of the appropriate Federal 
entities, as defined, receive them consistent with applicable 
policies, procedures, and guidelines in Section 5.
    The DHS capability and process does not limit or prohibit 
otherwise lawful disclosures of communications, records, or 
other information, including: (1) reporting of known or 
suspected criminal activity, by an entity to any other entity 
or a Federal entity; (2) voluntary or legally compelled 
participation in a Federal investigation; or (3) providing 
cyber threat indicators or defensive measures as part of a 
statutory or authorized contractual requirement.
    Not later than 60 days after the date of enactment, the 
Secretary of Homeland Security shall submit to Congress a 
report on the development and implementation of the capability 
and process required by this section.
    Subsection (d) includes a number of protections for 
information shared with or provided to the Federal Government. 
The provision of cyber threat indicators and defensive measures 
to the Federal Government under this Act does not constitute 
the waiver of any applicable privilege or protection provided 
by law, including trade secret protection. A cyber threat 
indicator or defensive measure provided by an entity to the 
Federal Government under this Act shall be considered the 
commercial, financial, and proprietary information of such 
entity when so designated by the originating entity. Consistent 
with this Act and all privileges, protections, and any claims 
of propriety on such cyber threat indicators or defensive 
measures, the Committee expects that the Federal Government 
will further share and use such information for cybersecurity 
purposes. This sharing and use will be governed by the 
policies, procedures, and guidelines required by Section 5. 
Cyber threat indicators and defensive measures provided to the 
Federal Government under this Act will also be deemed voluntarily 
shared information and exempt from disclosure under 5 U.S.C. 552 
and any State, tribal, or local law requiring disclosure of 
information or records. Additionally, such cyber 
threat indicators and defensive measures shall be withheld 
without discretion from the public under 5 U.S.C. 552(b)(3)(B) 
and any State, tribal, or local law requiring disclosure of 
information or records. The provision of cyber threat 
indicators and defensive measures under this Act shall not be 
subject to the rules of any Federal agency or department or any 
judicial doctrine regarding ex parte communications with a 
decision-making official.
    Cyber threat indicators and defensive measures provided to 
the Federal Government under this Act may be disclosed to, 
retained by, and used by, consistent with otherwise applicable 
Federal law, any Federal agency or department, component, 
officer, employee, or agent of the Federal Government solely 
for the purposes identified by Section 5, and consistent with 
the procedures developed by the Attorney General. These 
purposes are: (1) a cybersecurity purpose; (2) the purpose of 
identifying a cybersecurity threat, including the source of 
such cybersecurity threat, or a security vulnerability; (3) the 
purpose of identifying a cybersecurity threat involving the use 
of an information system by a foreign adversary or terrorist; 
(4) the purpose of responding to, or otherwise preventing or 
mitigating, an imminent threat of death, serious bodily harm, 
or serious economic harm, including a terrorist act or a use of 
a weapon of mass destruction; (5) the purpose of responding to, 
or otherwise preventing or mitigating, a serious threat to a 
minor, including sexual exploitation and threats to physical 
safety; or (6) the purpose of preventing, investigating, 
disrupting, or prosecuting an offense arising out of a 
previously described imminent threat or any of the offenses 
listed in Section 5(d)(5)(A)(vi), including offenses related to 
serious violent felonies, fraud and identity theft, espionage 
and censorship, and protection of trade secrets. The word 
``imminent'' in paragraph 5(d)(5)(A)(iv) is intended to modify 
all the threats listed in that paragraph, to include the threat 
of a terrorist act or use of a weapon of mass destruction.
    Use of cyber threat indicators and defensive measures by 
the Federal Government will be conducted in accordance with the 
policies, procedures, and guidelines required in Section 5, and 
will be done in a manner that protects from unauthorized use or 
disclosure any cyber threat indicators that may contain 
personal information of or identifying specific persons and 
protects the confidentiality of such information.
    Additionally, such cyber threat indicators and defensive 
measures shared with the Federal Government under this Act 
shall not be directly used by any Federal, State, tribal, or 
local government to regulate, including an enforcement action, 
the lawful activities of any entity, including an activity 
relating to monitoring, operating a defensive measure, or 
sharing of a cyber threat indicator. However, a cyber threat 
indicator or defensive measure may, consistent with Federal or 
State regulatory authority specifically relating to the 
prevention or mitigation of cybersecurity threats to 
information systems, inform the development or implementation 
of a regulation relating to such information systems. As 
previously described, the Committee intends for this exception 
to be narrowly constrained to improving the government's 
understanding of cybersecurity threats. The procedures 
developed and implemented under this Act are not to be 
considered regulations within the meaning of this section.

Section 6. Protection from Liability

    Subsection (a) of Section 6 provides that no cause of 
action shall lie or be maintained in any court against any 
private entity, and such action shall be promptly dismissed, 
for the monitoring of information systems and information under 
Section 4 that is conducted in accordance with this Act. The 
Committee intends that monitoring for cybersecurity purposes as 
authorized by this Act should be protected from liability to 
encourage private entities' efforts to identify cybersecurity 
threats.
    Subsection (b) provides that no cause of action shall lie 
or be maintained in any court against any entity, and such 
action shall be promptly dismissed, for the sharing or receipt 
of cyber threat indicators or defensive measures under Section 
4 when conducted in accordance with this Act, including cases 
in which such information is shared with the Federal Government 
in a manner consistent with subsection (c)(1)(B) of Section 5. 
Liability protection for the sharing or receipt of cyber threat 
indicators or defensive measures under Section 4 conducted in 
accordance with this Act, and in a manner consistent with 
subsection (c)(1)(B) of Section 5, does not go into effect 
until the earlier of the date on which the interim policies 
required under Section 5(a)(1) are submitted to Congress or the 
date that is 60 days after this Act's date of enactment. In all 
other cases where the sharing or receipt of cyber threat 
indicators or defensive measures is conducted in accordance 
with the Act, liability protection is effective immediately 
upon enactment of this Act. The Committee intends that the 
sharing between entities of cyber threat indicators and 
defensive measures for cybersecurity purposes in accordance 
with this Act, including the removal of sensitive personal 
information not directly related to a cybersecurity threat, 
should be protected from claims. Activities conducted in 
contravention of this Act's provisions are not entitled to such 
liability protection, but this Act does not create any cause of 
action for such non-compliance. When private entities share 
cyber threat indicators or defensive measures with the Federal 
Government in a manner consistent with subsection (c)(1)(B) of 
Section 5, such entities should also not be subject to 
burdensome litigation. The Committee intends that entities 
sharing such information with the Federal Government should do 
so consistently with required procedures to qualify for such 
protection.
    Subsection (c) clarifies that nothing in this section shall 
be construed to require dismissal of a cause of action against 
an entity that has engaged in gross negligence or willful 
misconduct in the course of conducting activities authorized by 
this Act. Also, nothing in this section shall be construed to 
undermine or limit the availability of otherwise applicable 
common law or statutory defenses. The Committee intends to 
protect the responsible behavior of entities furthering 
cybersecurity under the authorizations and procedures of this 
Act, but it does not seek to protect willful or reckless 
activities that violate the letter and spirit of its 
provisions. Entities should not use Section 6 as an excuse to 
engage in wanton or dangerous activities, nor should they 
consider it to indemnify them for purposes other than the 
purposes authorized by this Act.
    This section does not provide protections from liability 
arising out of a private entity's use of defensive measures, 
because it is the Committee's intent to maintain the status quo 
with respect to the use of cybersecurity defensive measures. 
While section 4 authorizes the use of defensive measures by an 
entity on its information networks or the networks of a 
consenting entity, the Committee notes that the use of 
defensive measures may have significant impact on those 
networks or in physical space. The lack of liability protection 
for the use of defensive measures should not be interpreted as 
the Committee taking any view on whether and how defensive 
measures should or should not be implemented.

Section 7. Oversight of Government Activities

    Section 7 mandates reports on implementation and privacy 
impacts by agency heads, Inspectors General, and the Privacy and 
Civil Liberties Oversight Board to ensure that cyber threat 
information is properly received, handled, and shared by the 
federal government.

Section 8. Construction and Preemption

    Section 8 contains 19 construction provisions for this Act. 
Nothing in this Act shall be construed to: (1) limit or 
prohibit otherwise lawful disclosures of communications, 
records, or other information; (2) preempt any employee from 
exercising whistleblower rights currently provided under any 
law, rule, or regulation; (3) create any immunity against, or 
otherwise affect, any action brought by the Federal 
Government to enforce any law, executive order, or procedure 
governing the appropriate handling, disclosure, or use of 
classified information; (4) affect the conduct of authorized 
law enforcement or intelligence activities; (5) modify the 
authority of the Federal Government to protect classified 
information and sources and methods and the national security 
of the United States; (6) affect any requirement under any 
other provision of law for an entity to provide information to 
the Federal Government; (7) permit price-fixing, allocating a 
market between competitors, monopolizing or attempting to 
monopolize a market, boycotting, or exchanges of price or cost 
information, customer lists, or information regarding future 
competitive planning; (8) limit or modify an existing 
information sharing relationship; (9) prohibit a new 
information sharing relationship; (10) require a new 
information relationship between any entity and the Federal 
Government; (11) require the use of the DHS capability in 
Section 5(c); (12) amend, repeal, or supersede any current or 
future contractual relationship between any entities, or 
between any entity and the Federal Government; (13) abrogate 
trade secret or intellectual property rights of any entity or 
Federal entity; (14) permit the Federal government to require 
an entity to provide information to the Federal Government; 
(15) permit the Federal Government to condition the sharing of 
cyber threat indicators with an entity on such entity's 
provision of cyber threat indicators to the Federal Government; 
(16) permit the Federal Government to condition the award of 
any Federal grant, contract, or purchase on the provision of a 
cyber threat indicator to a Federal entity; (17) subject any 
entity to liability for choosing not to engage in the voluntary 
activities authorized in this Act; (18) authorize, or to modify 
any existing authority of, a department or agency of the 
Federal Government to retain or use any information shared 
under this Act for any use other than permitted in this Act; or 
(19) limit the authority of the Secretary of Defense to 
develop, prepare, coordinate, or, when authorized by the 
President to do so, conduct a military cyber operation in 
response to a malicious cyber activity carried out against the 
United States or a United States person by a foreign government 
or an organization sponsored by a foreign government or a 
terrorist organization.
    This bill supersedes any statute or other law of a State or 
political subdivision of a State that restricts or otherwise 
expressly regulates an activity authorized under this bill. 
However, this bill shall not be construed to supersede any 
statute or other law of a State or political subdivision of a 
State concerning the use of authorized law enforcement 
practices and procedures.
    Nothing in this bill shall be construed to authorize the 
promulgation of any regulations not specifically authorized by 
this bill, establish any regulatory authority not specifically 
established under this bill, or to authorize regulatory actions 
that would duplicate or conflict with regulatory requirements, 
mandatory standards, or related processes under Federal law.

Section 9. Report on Cybersecurity Threats

    Section 9 requires the Director of National Intelligence to 
submit a one-time report to the congressional intelligence 
committees on cybersecurity threats, including cyber attacks, 
theft, and data breaches.

Section 10. Conforming Amendments

    Section 10 makes a technical amendment to 5 U.S.C. 552(b).
    Section 10 also makes a conforming amendment to Section 941 
of the National Defense Authorization Act for Fiscal Year 2013 
(Public Law 112-239) to allow the Secretary of Defense to share 
information received under that section consistent with this 
bill.

                            Committee Action

    On March 12, 2015, a quorum being present, the Committee 
met to consider the bill and amendments. The Committee took the 
following actions:

Votes on amendments to committee bill

    By a voice vote, the Committee made the Chairman and Vice 
Chairman's bill the base text for purposes of amendment. The 
Committee also authorized the staff to make technical and 
conforming changes in the bill following the completion of the 
mark-up.
    The Committee moved to consideration of the managers' 
amendment by the Chairman, which was developed jointly by the 
Chairman and the Vice Chairman, and adopted the managers' 
amendment by a voice vote.
    By a vote of 7 ayes to 8 noes, the Committee rejected an 
amendment by Senator Collins to require entities that own or 
control information systems that are deemed essential to the 
operation of designated critical infrastructure to report 
successful intrusions of those under certain circumstances. 
According to the amendment, such reporting would only be 
required with respect to systems where a cybersecurity incident 
could reasonably result in catastrophic regional or national 
effects on public health or safety, economic security, or 
national security. The votes in person or by proxy were as 
follows: Chairman Burr--no; Senator Risch--no; Senator Coats--
aye; Senator Rubio--no; Senator Collins--aye; Senator Blunt--
no; Senator Lankford--no; Senator Cotton--no; Vice Chairman 
Feinstein--no; Senator Wyden--no; Senator Mikulski--aye; 
Senator Warner--aye; Senator Heinrich--aye; Senator King--aye; 
Senator Hirono--aye.
    By a vote of 3 ayes to 12 noes, the Committee rejected an 
amendment by Senator Wyden to prohibit the federal government 
from mandating that private companies deliberately introduce 
security weaknesses into their products. The votes in person or 
by proxy were as follows: Chairman Burr--no; Senator Coats--no; 
Senator Rubio--no; Senator Collins--no; Senator Blunt--no; 
Senator Lankford--no; Senator Cotton--no; Vice Chairman 
Feinstein--no; Senator Wyden--aye; Senator Mikulski--no; 
Senator Warner--no; Senator Heinrich--aye; Senator King--no; 
Senator Hirono--aye.
    By a voice vote, the Committee adopted an amendment by 
Senator Heinrich to require the Attorney General develop and 
make publicly available guidance to assist entities on the 
types of information that would qualify as cyber threat 
indicators under the bill and identify types of information 
that are protected under otherwise applicable privacy laws.
    By a voice vote, the Committee adopted an amendment by 
Senator Hirono and Senator Rubio to place the Attorney General 
privacy guidelines on the same timeline as the bill requires 
for the Attorney General policies and procedures for the 
receipt of cyber threat indicators and defensive measures by 
the government. The amendment also requires the Attorney 
General to consult with private entities with industry 
expertise that are considered relevant before the promulgation 
of the final privacy guidelines.

Vote to report the committee bill

    The Committee voted to report the bill as amended, by a 
vote of 14 ayes to 1 no. Chairman Burr--aye; Senator Risch--
aye; Senator Coats--aye; Senator Rubio--aye; Senator Collins--
aye; Senator Blunt--aye; Senator Lankford--aye; Senator 
Cotton--aye; Vice Chairman Feinstein--aye; Senator Wyden--no; 
Senator Mikulski--aye; Senator Warner--aye; Senator Heinrich--
aye; Senator King--aye; Senator Hirono--aye.

                       Compliance With Rule XLIV

    Rule XLIV of the Standing Rules of the Senate requires 
publication of a list of any ``congressionally directed 
spending item, limited tax benefit, and limited tariff 
benefit'' that is included in the bill or the committee report 
accompanying the bill. Consistent with the determination of the 
Committee not to create any congressionally directed spending 
items or earmarks, none have been included in the bill or this 
report. The bill and report also contain no limited tax 
benefits or limited tariff benefits.

                           Estimate of Costs

    Pursuant to paragraph 11(a)(1) of rule XXVI of the Standing 
Rules of the Senate, the Committee estimates that implementing 
the bill would have a discretionary cost of about $20 million 
over the 2015-2019 period, assuming appropriation of the 
necessary amounts. Enacting S. 754 would not affect direct 
spending or revenues; therefore pay-as-you-go procedures do not 
apply. On March 17, 2015, the Committee transmitted this bill 
to the Congressional Budget Office and requested it to conduct 
an estimate of the costs incurred in carrying out S. 754.

                    Evaluation of Regulatory Impact

    In accordance with paragraph 11(b) of rule XXVI of the 
Standing Rules of the Senate, the Committee finds that no 
substantial regulatory impact will be incurred by implementing 
the provisions of this legislation.

           ADDITIONAL VIEWS OF SEN. HEINRICH AND SEN. HIRONO

    The rising incidences of cyber attacks on our private and 
public networks increasingly threaten our economic and national 
security. Although the enactment of the Cybersecurity 
Information Sharing Act, or CISA, would not necessarily prevent 
such attacks, there is a general consensus that facilitating 
cybersecurity information sharing between the private sector 
and federal government would promote a common understanding of 
the threats we face and allow the private sector to more 
effectively defend its networks.
    We supported the Cybersecurity Information Sharing Act 
during its consideration in the Senate Intelligence Committee 
because we support the broad aims of this bill. In particular, 
we agree that individuals, companies, and government 
institutions can best protect themselves from cyber-attacks 
when they are aware of the presence and nature of cyber 
threats. But the only way to ensure the broadest dissemination 
of threat information is to develop a framework in which that 
information can be shared and disseminated with appropriate 
restraints, guidance, and oversight.
    The bill as passed out of the Committee provides more 
restraints, guidance, and oversight than did the earlier draft 
version of the legislation, including a narrowing of the 
definition and authorized use of defensive measures, fewer 
exceptions for liability protections for information shared 
outside of the DHS portal, and more limits on how cyber threat 
information is used.
    In addition, we are pleased that the Committee adopted 
amendments we offered during the bill's markup. Senator 
Heinrich's amendment requires the Attorney General to develop 
guidance to help private sector companies understand the types 
of information typically considered to be cyber threat 
indicators, and the types of personal information generally 
considered unrelated to such a threat. Senator Hirono's 
amendment--offered with Senator Rubio--requires the privacy 
guidelines called for in the bill to be developed and 
promulgated in a timely and thorough manner, alongside the 
policies and procedures to be developed for the cyber threat 
information sharing program.
    But we continue to harbor concerns about some of the bill's 
provisions. Vice Chairman Feinstein noted that the goal of the 
bill is for companies and the government to voluntarily share 
information about cybersecurity threats--not about personal 
information. Our concern is that, however well intended, the 
bill's provisions do not adequately direct companies to remove 
personally identifiable information when sharing cyber threat 
indicators with the government. The bill also lacks a directive 
that the Department of Homeland Security scrub cyber threat 
indicators for unnecessary personally identifiable information 
before sharing that information with other areas of the federal 
government. Further, the bill confers broad liability 
protections on companies before requiring them to abide by 
privacy guidelines. We believe that the privacy guidelines 
required in the bill should be treated as a serious component 
of the new cyber threat sharing regime--not as an 
afterthought--and thus should be promulgated before the 
liability protections in this legislation take effect.
    Finally, we are unconvinced that it is necessary to create 
an entirely new exemption to the Freedom of Information Act, or 
FOIA. Government transparency is critical in order for citizens 
to hold their elected officials and bureaucrats accountable; 
however, the bill's inclusion of a new FOIA exemption is 
overbroad and unnecessary as the types of information shared 
with the government through this bill would already be exempt 
from unnecessary public release under current FOIA exemptions. 
And to the extent FOIA exemptions need to be updated, those 
changes should only be made following open hearings in which 
all stakeholders have an opportunity to have their voices 
heard.
    We are committed to addressing some of these issues through 
amendments on the Senate floor, and believe there should be an 
open amendment process as this bill moves forward. A number of 
our colleagues on the Committee offered important amendments 
during the markup that we hope will be offered again for full 
Senate consideration--in particular, a number of those offered 
by Senator Wyden, and one by Sen. Collins to require mandatory 
reporting of cybersecurity intrusions for the most critical 
infrastructure owners and operators.
    As with other countries around the world, the United States 
is still just beginning to find ways to confront and mitigate 
the very real dangers our country faces from cyber threats. 
Thus far, we have seen no perfect answers. But this bill is not 
intended to confront every threat. We support it as a way for 
the government and private sector to begin to address the 
shared threat that cyber attacks represent, and we will look 
forward to a robust debate on the floor.

                  ADDITIONAL VIEWS OF SENATOR COLLINS

    The Cybersecurity Information Sharing Act of 2015 
eliminates some of the legal and economic disincentives 
impeding voluntary two-way information sharing between private 
industry and government and is a first step in improving our 
nation's dangerously inadequate defenses against cyber attacks. 
This bill is insufficient, however, to protect the critical 
infrastructure of the American people who rely upon this 
infrastructure for their safety, health, and economic well-
being. Simply put, the current threat posed by cyber actors is 
too great and the vulnerability of existing information systems 
operating critical infrastructure too widespread to depend 
solely upon voluntary measures to protect the most essential of 
these systems upon which our country and citizens depend.
    Without information about intrusions into our most critical 
infrastructure, our government's ability to defend the country 
against advanced persistent threats will suffer in a domain 
where speed is critical. This threat is not theoretical. 
Admiral Mike Rogers, the director of the National Security 
Agency, has publicly discussed the cyber threat posed against 
critical infrastructure. In addition to stating his belief that 
U.S. Cyber Command will be tasked to help defend critical 
infrastructure, he has said that ``We have . . . observed 
intrusions into industrial control systems . . . what concerns 
us is that . . . capability can be used by nation-states, 
groups or individuals to take down the capability of the 
control systems.''
    A tiered system of information sharing is part of the 
solution to address this significant vulnerability. The first 
tier of reporting should be voluntary, rely upon the 
procedures established in this legislation, and be utilized by 
99 percent of businesses. The second tier of reporting should 
be mandatory, and it should apply only to a subset of critical 
infrastructure where a cybersecurity incident could reasonably 
be expected to result in catastrophic regional or national 
effects on public health or safety, economic security, or 
national security.
    For this reason, I offered an amendment during the 
Committee's consideration of the bill to implement this tiered 
system by requiring the small number of the owners and 
operators of the country's most critical infrastructure at 
greatest risk to report to the federal government intrusions of 
information systems essential to the operation of critical 
infrastructure.
    Had my amendment been adopted, 99.99 percent of businesses 
and 96 percent of critical infrastructure would still decide 
for themselves whether or not to share information with the 
government. The four percent of critical infrastructure at 
greatest risk of a devastating cyber attack would be mandated 
to report successful cyber intrusions so the government can 
develop and deploy countermeasures to protect its networks and 
the information systems of other critical infrastructure.
    The Department of Homeland Security has already identified 
63 critical infrastructure entities where damage caused by a 
single cyber incident could reasonably result in $50 billion in 
economic damage or $25 billion in damage that occurs in 
conjunction with 2,500 immediate deaths or the severe 
degradation of our national security or defense. Public 
reporting by Mandiant in 2013 and repeated testimony of the 
Intelligence Community leave no doubt that U.S. critical 
infrastructure already faces advanced persistent cyber threats 
posed by nation-states and other actors.
    The critical infrastructure of the United States remains 
woefully unprepared to confront this clear and present threat. 
One former agency head told the 9/11 Commission during its 10th 
anniversary review that, ``We are at September 10th levels in 
terms of cyber preparedness.'' We cannot afford to wait for a 
``cyber 9/11'' before taking legislative action to protect our 
critical infrastructure. By rejecting my amendment, the 
Committee is electing to take just such a risk.
                                   Susan M. Collins.

                 ADDITIONAL VIEWS OF SENATOR RON WYDEN

    Cyber-attacks and hacking against U.S. companies and 
networks are a serious and growing problem, with very real 
consequences for American companies and American consumers, and 
pose a significant challenge for national security. I share my 
colleagues' view that Congress should do what it can to help 
address this problem. The most effective way to protect 
cybersecurity is to ensure that network owners take 
responsibility for security and effectively implement good 
security practices. And it is important to ensure that 
government agencies do not deliberately weaken security 
standards.
    It also makes sense to encourage private companies to share 
information about cybersecurity threats. However, this 
information-sharing must include strong protections for the 
privacy rights of law-abiding American citizens. Any 
information-sharing legislation that lacks adequate privacy 
protections is not simply a cybersecurity bill, but a 
surveillance bill by another name.
    I opposed this bill because I believe its insufficient 
privacy protections will lead to large amounts of personal 
information being shared with the government even when that 
information is not needed for cybersecurity. This could include 
email content, financial records, and a wide variety of other 
personal information. While corporations will have a choice 
about whether or not to participate in this sharing, they could 
do so without the knowledge or consent of their customers, and 
will be granted immunity from liability if they do so. 
Additionally, this bill trumps federal privacy laws and permits 
government agencies to use the collected information for a wide 
variety of purposes, rather than only to protect cybersecurity. 
The bill also creates a problematic double standard, in that 
personal information about individual consumers can be used for 
a variety of non-cybersecurity purposes, including law 
enforcement actions against those consumers, but information 
about the companies supplying the information generally may not 
be used to regulate those companies. A corporation's privacy is 
not more important than an individual's privacy.
    This excessively broad collection may not be the intent of 
this bill, but the language is clearly drafted broadly enough 
to permit it. Most notably, the bill defines a cybersecurity 
threat as anything that ``may result'' in harm to a network. 
This broad definition will incentivize the sharing of 
information even when it is unlikely to pertain to an actual 
cybersecurity threat. A more tailored definition, limited to 
actions that are reasonably likely to harm or interfere with a 
network, would ensure that information-sharing is more narrowly 
focused on actual threats.
    A more tailored approach would also specify that companies 
should only provide the government with individuals' personal 
information if it is necessary to describe a cybersecurity 
threat. This would discourage companies from unnecessarily 
sharing large amounts of their customers' private information. 
This bill unfortunately takes the opposite approach, and only 
requires private companies to withhold information that is 
known at the time of sharing to be personal information 
unrelated to cybersecurity. This approach will disincentivize 
companies from carefully reviewing the information that they 
share and lead to a much greater amount of personal information 
being transferred unnecessarily to law enforcement and 
intelligence agencies.
    I am also concerned that this legislation does not provide 
individuals with an adequate mechanism for redress in cases 
where the government violates the rules established by this 
act. Similar bills have included provisions permitting 
individuals harmed by such violations to recover damages from 
the government, and such a provision is needed in this bill as 
well.
    I am disappointed that the committee did not adopt stronger 
privacy protections in this legislation, and I am also 
disappointed that my amendment to prohibit government agencies 
from requiring U.S. hardware and software companies to build 
weaknesses into their products was not adopted. I have 
introduced this amendment as stand-alone legislation and will 
continue to pursue this goal.
    This bill is likely to significantly increase government 
collection of individuals' personal information, while 
unfortunately doing relatively little to secure American 
networks. I hope to work with colleagues to address this bill's 
shortcomings, and if these flaws are not fixed I will continue 
to oppose it.
    Finally, I remain very concerned that a secret Justice 
Department opinion that is of clear relevance to this debate 
continues to be withheld from the public. This opinion, which 
interprets common commercial service agreements, is 
inconsistent with the public's understanding of the law, and I 
believe it will be difficult for Congress to have a fully 
informed debate on cybersecurity legislation if it does not 
understand how these agreements have been interpreted by the 
Executive Branch.
    I have repeatedly asked the Department of Justice to 
withdraw this opinion, and to release it to the public so that 
anyone who is a party to one of these agreements can consider 
whether their agreement should be revised. The deputy head of 
the Justice Department's Office of Legal Counsel testified to 
the Intelligence Committee that she would not rely on this 
opinion today, but I remain concerned that other government 
officials may be tempted to rely on it in the future. I will 
continue to press the Justice Department to release this 
opinion, so that Congress and the public can debate this bill 
with a full understanding of the facts. And I look forward to 
working with my colleagues to revise this legislation to ensure 
that Americans' privacy rights and American cybersecurity are 
both adequately protected.

                        Changes in Existing Laws

    In the opinion of the Committee, it is necessary to 
dispense with the requirements of paragraph 12 of rule XXVI of 
the Standing Rules of the Senate in order to expedite the 
business of the Senate.