Sen. Carper Urges Colleagues to Pass Cybersecurity Information Sharing Legislation

WASHINGTON – In case you missed it, earlier today Sen. Tom Carper (D-Del.), ranking member of the Homeland Security and Governmental Affairs Committee, took to the Senate floor to urge his Senate Colleagues to pass the Cybersecurity Information Sharing Act (CISA) of 2015.

His speech, as prepared for delivery, is below:

“Mr. President, I rise today to speak in support of the cybersecurity information sharing bill introduced by our colleagues, Senators Burr and Feinstein.  I would like to commend my colleagues and their staffs for their leadership and tireless efforts on this extremely important piece of legislation. 

“As Ranking Member and former Chairman of the Homeland Security and Governmental Affairs Committee, I have been following cybersecurity – and this information sharing proposal in particular – for years. 

“In fact, when Senator Feinstein first introduced an information sharing bill in 2012, it was referred to the Homeland Security and Governmental Affairs Committee.  This bill was ultimately folded into a comprehensive cybersecurity bill that I had the honor of cosponsoring along with Senators Lieberman, Collins, Rockefeller and Feinstein.  We were not able to pass that bill, but it paved the way for other cyber legislation.   

“Last Congress, I worked closely with my Ranking Member, Dr. Coburn, and our House counterparts to get four cybersecurity bills enacted into law.  I believe these four bills laid a very strong foundation for some significant improvements in how the Department of Homeland Security carries out its cybersecurity mission.  And really for this bill before us today, as well. 

“What the legislation Dr. Coburn and I worked on during the last Congress did, in essence, was to better equip the Department to operate at the center of the kind of robust information sharing program that the Burr-Feinstein bill would set up.

“Mr. President, sharing more cyber threat information among and between the private sector and federal government players who are on the front lines in cybersecurity is critical to our national security.  Over the last few years, we have witnessed many troubling cyber attacks against our banks, retailers, healthcare providers, and government agencies.  Some of those launching these attacks are just criminals who want to steal and make money off of our personal information or intellectual property. Others just want to be disruptive or make political points.  Some actors, however, are capable – or would like to develop the capability – to use a cyber attack to harm people and cause physical damage.

“It is long past time for this body to take action to more effectively combat these threats we face in cyberspace. That’s why earlier this year I introduced a similar information sharing bill. This bill largely mirrored the Administration’s proposal. But we didn’t stop there. We took input from many experts and stakeholders. The measure we discussing today shares the same goal as my bill: to increase the sharing of cyber threat information between the federal government and private sector. I am so pleased that we are finally discussing this critical issue on the Senate floor.    

“The substitute amendment we are debating makes a number of improvements to the bill that was first made public after the Intelligence Committee reported it out.  It also includes several changes that I, as well as several of my colleagues, have been calling for.  I’d like to thank Senators Burr and Senator Feinstein – and their staffs – for working so closely with me and my staff and others to produce what I believe is a stronger bill.

“Is the bill perfect?  Of course not.  There is always room for improvement and that is why we will still have a debate on a number of amendments. And while there may not be agreement on everything in this bill, I believe most of my colleagues will come to the conclusion that it will help improve our nation’s cybersecurity, and by extension our national security. 

“First, the bill would ensure that the government is providing actionable intelligence to private sector entities seeking to better protect themselves in cyberspace.  Businesses around the country are hungry for information they can use to fend off attacks and better protect their systems and their customers.  This bill would make the federal government a much stronger partner for them.

“Many companies that I have talked to also want to share more information with the federal government about what they’re seeing online every day.  But they’re unsure of the rules of the road.  In other words, Mr. President, companies want more predictability and certainty when it comes to working with the government.  This bill would give them that by clarifying that they won’t be putting themselves in legal jeopardy if they choose to share cyber threat information with the federal government.

“But if companies do want to avail themselves of the legal protections this bill offers, they would have to – with just two narrow exceptions – use the information sharing portal at the Department of Homeland Security.

“This puts the Department of Homeland Security – a civilian entity – at the center of the information sharing process.  I think this is the smart and right thing to do.  In fact, many experts and companies that I have talked to across the country agree with me.  And I know many Americans are very uneasy with companies they do business with directly handing over data to an intelligence or law enforcement agency.         

“DHS will carry out its responsibilities under this bill through its cyber center, known as the National Cybersecurity and Communications Integration Center or “N-Kick”.  One of the bills I worked on with Dr. Coburn last Congress formally authorized this center.  I am very pleased to see that this bill would make the most out of the resources we’ve invested in the “N-kick.”

“Earlier this month, the Secretary of the Department of Homeland Security, Jeh Johnson, told our Homeland Security and Governmental Affairs Committee that beginning in November, the “N-Kick” will have the capability to automate the distribution and receipt of cyber threat indicators.  In other words, Mr. President, DHS will have the ability to share information with other agencies in real time, just as this bill would require.

“I know real time sharing is incredibly important to the bill’s sponsors.  It’s important to me too and probably many of our colleagues and stakeholders.  Equally important, however, is the ability for DHS to apply what I’ve called a “privacy scrub” to the information it receives from industry.  Allowing the Department to do this would provide some additional assurances that personal information unrelated to a cyber threat isn’t disseminated throughout the federal government if a company shares it through the portal.  Protecting privacy is part of the Department’s DNA and has been a key part if its mission since its creation. We should be taking full advantage of the Department’s expertise in this area. 

“I know some of my colleagues are concerned that a privacy scrub would slow down the information sharing process. I share those concerns, but I have been assured by officials at DHS that less than one percent of the information it receives would actually need to be reviewed by a person. 

“The rest – roughly 99 percent – would be shared with other agencies at machine speed.    I am very pleased that DHS has come to agreement on this process with its agency partners and will be up and running with a portal in the coming weeks. 

“One of the amendments I filed speaks to this privacy scrub process.  It would make clear that DHS could carry out an automated “privacy scrub” in real time and without delay.  In fact, my amendment would add just one word to the bill so that DHS could continue to automatically remove irrelevant or erroneous data from cyber threat information.  

“I am very happy that Senators Burr and Feinstein have taken my amendment into consideration and have now modified their substitute amendment to make sure DHS can apply its privacy scrub. 

“The substitute amendment now calls on DHS to work with its agency partners to agree on a process to share information while protecting privacy.  This is the process that DHS is already undertaking.  I would like to thank Senators Burr and Feinstein, as well as our friends at DHS and other agencies, for working so hard to find agreement on this language and for working with my staff and me on this important matter.

“Another amendment that I put forward – this time with our Committee’s Chairman, Senator Johnson – aims to improve what is called “cyber hygiene” across the federal government and prevent attacks against federal agencies.  The language is based on a bill Senator Johnson and I introduced and had reported out of committee by a unanimous vote.  The amendment does three main things:

“First, it would require all federal agencies to implement specific best practices and state-of-the-art technologies to defend against cyberattacks.  For example, we had experts testify about the importance of strong authentication and data encryption.  This amendment would make sure agencies are taking these common sense steps to bolster their cyber defenses.

“Second, the amendment would accelerate the deployment and adoption of the Department of Homeland Security’s cyber intrusion and detection program known as EINSTEIN.  For my colleagues that may not be familiar with EINSTEIN, let me take just a couple of minutes to describe its main features.  EINSTEIN analyzes Internet traffic entering and leaving federal civilian agencies to identify cyber threats and stop attacks.

“The system has been rolled out in phases over the last several years.  EINSTEIN 1 sees and records internet traffic, much like a guard at a checkpoint watching cars go by.  EINSTEIN 2 detects anything out of the ordinary and sets off alarms if a piece of malware is trying to enter a federal network.  EINSTEIN 3A is the latest version and uses unclassified and classified information to actually block cyber attacks. 

“The problem is, less than half of federal civilian agencies currently have EINSTEIN 3A in place, meaning most agencies are currently not benefitting from the protections offered by the system’s most advanced features.  This amendment would make sure agencies have EINSTEIN in place within one year. 

“Finally, our amendment incorporates language originally drafted by Senators Collins, Warner, Ayotte, McCaskill, Coats, and Mikulski.  These provisions would strengthen DHS’s ability to shore up cyber defenses at civilian agencies and address cyber emergencies across the federal government.   

“I am incredibly grateful that Senators Burr and Feinstein agreed to include our language in the Substitute amendment. It is the perfect complement to the information sharing bill we are discussing this week, and I thank the Senators for working with me and Senator Johnson on it. 

“Mr. President, I know a lot of Americans wonder if we’re still able to set aside our partisan differences and summon the political will to do what’s best for America when the stakes are high.  I believe bringing this bill to the floor, debating it, and considering amendments is great way to show the American people we still can.

“Let’s pass this bill so we can go to conference with the House and send a bill to the President.”