Sen. Franken: Improved Cybersecurity Bill Will Better Protect Privacy, Civil Liberties, but Still Needs Work
In Floor Speech, Senator Lauds Privacy Improvements, Calls for Changes to Protect Citizens from Excessive Monitoring
Today, U.S. Sen. Al Franken (D-Minn.) delivered a speech on the floor of the Senate, in which he praised an updated Cybersecurity bill that includes a number of changes to protect the privacy of American citizens, but also called for additional improvements that would remove provisions that give Internet service providers (ISPs) and other companies new authorities to monitor and take action against the private communications of their users. He announced that he plans to offer an amendment that would delete the new monitoring and countermeasures authorities from the bill. The bill passed a key procedural vote today and now moves to the Senate floor for debate and a final vote.
"The Cybersecurity Act is not perfect, but when it comes to striking a balance between cybersecurity and privacy and civil liberties, it is the only game in town," Sen. Franken said in his speech. "It is far more protective of our rights than either CISPA or the SECURE IT Act."
In his speech, Sen. Franken announced that he plans to introduce an amendment that would delete the provisions currently contained in the Cybersecurity Act that would allow ISPs and other companies to freely monitor the communications of their customers and deploy countermeasures - even negligently - without the risk of a lawsuit or any government oversight. He urged his colleagues to support that amendment, which would bring the bill in line with a cybersecurity proposal issued by President Obama.
"I plan to offer an amendment to delete these new monitoring and countermeasures authorities and bring this bill in line with the President's proposal," he continued. "And I hope that my colleagues here in the Senate will join me in passing this amendment - seven of my colleagues have already indicated that they will cosponsor this amendment."
The full text of Sen. Franken's floor speech is available below and video is available here.
Sen. Franken's Remarks on the Cybersecurity Act of 2012
As prepared for delivery
I rise today to talk about our nation's defenses against cyberattacks - and how our nation needs to respond to those threats. News reports and experts confirm that our nation's critical infrastructure - such as our water systems, our power grid, and so forth - are vulnerable to attacks from hackers and foreign governments. And every few weeks, we hear about yet another breach: Yahoo! and Gmail; Citibank; Bank of America; Sony PlayStation. Millions of people who have had their names, passwords, credit card information, or health information compromised.
And it isn't just our national security or economic well-being that's being threatened by these attacks - it's the Internet itself. If you want to use Facebook or a cloud-based email provider to communicate with your friends and loved ones - you need to know that your private communications won't be exposed by hackers.
If you want to use the Internet to spread new ideas or fight for democracy, you need to know that your work won't be disrupted by hackers or repressive regimes.
Unfortunately, it's hard to write a good cybersecurity bill - because when you try to make it easier for the government or Internet companies to detect and stop the work of hackers or other bad actors, you often end up making it very easy for those same entities to snoop in on the lives of innocent Americans. And so until recently, every major cybersecurity bill on the table would have done too much to immunize and expand the authority of the government and industry - and far too little to protect our privacy and civil liberties.
These bills would make it too easy for companies to hand over your emails and other private information to the government - even the military. Setting aside the Fourth Amendment, these bills would allow almost all of that information to go to law enforcement.
And these bills would do far too little to hold those companies and the government accountable for their mistakes.
A few months ago, I teamed up with Senators Durbin, Wyden, Sanders, Coons, Blumenthal and Akaka to try to address this situation. We worked with privacy and civil liberties groups on the left, right and center to come up with a package of proposals. We worked with the ACLU, the Electronic Frontier Foundation and the Center for Democracy and Technology, which are traditionally associated with progressives; we worked with the Constitution Project, which is a bipartisan, centrist think tank; and we worked with TechFreedom and the Competitive Enterprise Institute - which are conservative libertarian organizations.
Together, we approached Chairman Lieberman, Ranking Member Collins, Chairman Rockefeller and Chairman Feinstein, and proposed a package of amendments to the information sharing title of the Cybersecurity Act of 2012.
The information sharing title is the part of the bill that will make it easier for companies to share critical information about cyberattacks with each other and with the government.
These senators engaged with us earnestly and in good faith. And after a lot of hard work and a lot of conversations, the sponsors made a series of changes to the bill that are major, unequivocal victories for privacy and civil liberties. Now, the bill is still not perfect. Far from it. But I can say with confidence that when it comes to protecting both our cybersecurity and our civil liberties, the Cybersecurity Act of 2012 is the only game in town.
I want to take a moment to explain the changes made to the information sharing title, and compare how the Cybersecurity Act now stacks up with its rival bills, the Cyber Intelligence Sharing and Protection Act, or CISPA, which recently passed the House, and the SECURE IT Act, which has been introduced here in the Senate.
First of all, I agree that we need to make it easier for companies to share time-sensitive information with experts in the government.
But the cyberthreat information that companies are sharing often comes from private, sensitive communications like our emails. And so the gatekeeper of any information shared under these proposals should never be the military. It should never be the NSA. Now, the men and women of the NSA are patriots and they are undoubtedly skilled and knowledgeable. But that institution is too shrouded in secrecy - and has too dark a history of spying on innocent Americans - to be trusted with this responsibility, under any Administration.
Under the new, revised Cybersecurity Act of 2012, the one that will soon be before us on the floor, companies can use the authorities in the bill to give cyberthreat information only to civilian agencies.
That is a critical protection for civil liberties - and it is a protection that CISPA and the SECURE IT Act do not have. I want to be very clear: An America with CISPA and an America with the SECURE IT Act is an America where your emails can be shared directly, immediately and with impunity, with the NSA.
Second, any cybersecurity bill should focus on just that - cybersecurity. It should not be a back door for warrantless wiretaps for information entirely unrelated to cyberattacks. In other words, once a company gives the government cyberthreat information, the government shouldn't be able to say "Hey, this email doesn't have a virus. But it does say that Michael is late on his taxes. I'm going to send that to the IRS."
Under the Cybersecurity Act of 2012, once a cyber exchange gets information, it can give that information to law enforcement only to prosecute or stop a cybercrime, or to stop serious imminent harm to adults or serious harm to minors.
CISPA actually has similar protections. But SECURE IT allows a far broader range of disclosures to law enforcement. Here in the Senate, the Cybersecurity Act is the proposal that does the most to respect the spirit and letter of the Fourth Amendment.
Third, a cybersecurity bill should make it easier for a company to share information with experts in the government. But it has to hold companies who abuse that authority accountable for their actions. Both CISPA and the SECURE IT Act give companies immunity for knowing violations of your privacy. Under CISPA and the SECURE IT Act, if a company's CEO knows for a fact that his engineers are sending every one of your emails to the NSA - there is nothing you can do about it. That is not an exaggeration. Thanks to the changes I pushed for along with Senators Durbin, Wyden, Coons, Sanders, Blumenthal and Akaka, the Cybersecurity Act does not protect companies who violate your privacy intentionally, knowingly or with gross negligence.
Fourth and finally, a cybersecurity bill should also hold the government accountable for its actions. Under both CISPA and the SECURE IT Act, companies can start giving the federal government your private information well before the government actually has privacy rules in place for how to handle that information.
Under the SECURE IT Act, the government has total immunity from lawsuits arising out of its cybersecurity operations. Total immunity - for the government. The SECURE IT Act also lacks any regular independent oversight of the federal government's actions under these new authorities.
The Cybersecurity Act of 2012 now has all three of these protections. Under this bill, privacy rules have to be in place on the first day that companies start giving the government information. People can sue the government when it abuses its authority. And there will be recurrent, independent oversight by both the Privacy and Civil Liberties Oversight Board and Inspectors General.
These are just the four main categories of changes that the sponsors of the Cybersecurity Act have adopted. There are other changes, too, that I won't go into now.
Before I close, I want to elaborate on one way I do think we need to improve the Cybersecurity Act to better protect privacy. The sponsors of the bill have rightly adopted several critical protections - I hope that they will accept at least one more amendment that I think is very important. I'll talk about my amendment more on another occasion, but for now I just want to flag it for my colleagues.
For decades, federal law has given Internet Service Providers and other companies the right to monitor their systems to protect themselves and their customers from cybersecurity threats. They also have the right to deploy what are called "countermeasures" to protect their systems against those threats.
So these companies have the right to monitor and protect themselves - but at the same time, federal law prevents them from abusing those rights. If an ISP starts randomly picking customers and reading their emails, their customers - and the government - can take them to court. And the ISP can't throw its hands up and plead "cybersecurity."
This is why when the President of the United States brought together all of the federal agencies to craft a bill that would comprehensively protect our cybersecurity, that proposal included a new authority for companies to disclose information to the government but contained no new authority for companies to monitor email or deploy countermeasures. When the Administration's lawyers were asked why that was, they said that doing so would have been duplicative-because the companies already have those rights.
Right now, the Cybersecurity Act and the President's proposal are not in line with each other - because unlike the President's proposal, the Cybersecurity Act does give ISPs and other companies a brand new right to monitor communications and to deploy countermeasures. That right is very broad. So broad that if a company uses that power negligently to snoop in on your email or damage your computer - they will be immune from any lawsuit.
I plan to offer an amendment to delete these new monitoring and countermeasures authorities and bring this bill in line with the President's proposal. And I hope that my colleagues here in the Senate will join me in passing this amendment - seven of my colleagues have already indicated that they will cosponsor this amendment.
But M. PRESIDENT, I want to end on a high note - I don't want my amendment to cloud my central message here.
So I'll repeat what I said earlier. The Cybersecurity Act is not perfect; but when it comes to striking a balance between cybersecurity and privacy and civil liberties, it is the only game in town. It is far more protective of our rights than either CISPA or the SECURE IT Act. I want to thank the sponsors of the Cybersecurity Act for taking this high road and urge my colleagues to vote to proceed to the bill so we can have good, full debate on it.