Blumenthal Urges Colleagues To Move Forward On Cybersecurity Bill

(Washington) – Today, U.S. Senator Richard Blumenthal (D-Conn.) delivered a speech on the floor of the Senate urging his colleagues to move forward on consideration of the Cybersecurity Act of 2012 (S. 3414), a bipartisan bill that would enhance the security and resiliency of the cyber and communications infrastructure of the United States. 

Below is a transcript of Blumenthal’s speech: 
   
Thank you, madam president. I want to thank my very distinguished and effective colleague from Delaware for his great work as part of a team that has sought to enhance the protections of privacy in this bill. His perspective as a local official, as a constitutional expert, as someone who cares deeply about privacy and civil liberties, has been invaluable to this effort, and he, too, has participated in the critical infrastructure team that both of us have been privileged to join with Senators Whitehouse and Kyl, who have been so helpful in this effort. I want join him as well in thanking our colleagues, Senators Akaka, Durbin, Franken, Sanders, and Wyden in their very, very important efforts to protect privacy and civil liberties in the information sharing title of the cybersecurity act. 

We have really worked as a team and in many ways a bipartisan team in forging this legislation and, of course, we have followed the lead of Senators Lieberman and Collins, who have really been at the forefront of this effort, as well as senators Rockefeller, Feinstein, and Carper, who deserve our appreciation for drafting the bill, shepherding it through committee, and bringing a modified version to the floor, where now we have the historic opportunity to move forward, and I am here to urge my colleagues, in fact, to move forward and vote to proceed to the bill later today. We've made good progress on this legislation. And I am optimistic that we will pass a cybersecurity bill in the very near future, as we must for all the reasons that have been articulated by me and others. 

This nation is under attack. It is under cyber-attack, literally every day our defense industrial base, our military systems, and our private industry are under attack by nations and by hackers both sophisticated and unsophisticated, abroad and at home. And we must make sure that we provide the tools and the resources, legal resources and authorities, to stop that attack, to deter it, to defeat it, to make sure that our country is defended against it effectively and comprehensively. The nature of defending against cyber-attack involves information sharing. There is no way around that basic fact, that information about the attacks, the sources, the objects and targets, the times, all of the details are in essence the power to defend. 

Information is power when it comes to defending against cyber-attack. And yet we also know that information, when shared, can also be abused, and some of the most tragic chapters of our nation's history have involved snooping, spying, surveying, and then sharing of information that is inappropriate and unnecessary and sometimes illegal.  And we know also that one of our core constitutional protections is, in fact, the right to privacy. It is enshrined in our constitution, it dates from our founding, and it is integral to the fabric of the rule of law. We resisted and rejected the rule of the British in part because they had no respect for the privacy of the colonial. And that basic value has inspired the rule of law since. There is a saying, I believe it is a Latin saying, that in war, law is the first casualty. We are in a cyber-war, but our constitutional law cannot be a casualty. Our right to privacy and civil liberties must be protected. So information sharing must involve the right information shared with the right people and officials for the right purposes.  

There must be red lines and red lights, and there must be consequences if those red lines or red lights are disregarded or dismissed. This bill meets those basic requirements. It is enforceable, and it must be enforced. And, in fact, I will offer an amendment to increase the enforceability and enforcement of these basic protections by increasing the penalties for violating these basic protections. The trust and confidence of our nation in the rule of law depends on our getting it right. Information sharing with the right information to the right people and for the right purposes. And so the kinds of modifications contained in this bill are critically important. They are in sharp contrast to the House-approved version, CSPA which fails, utterly fails to protect civil liberties and privacy rights in sufficient degree. Unlike past versions, this measure establishes unequivocal civilian control of cybersecurity information exchanges. Unlike past versions, this bill bars companies from using cybersecurity as a pretext for violating F.C.C. net neutrality rules. Unlike other versions, this bill bars companies from using cybersecurity as a pretext for violating other guarantees, and it allows citizens to hold companies accountable and take them to court for knowingly or grossly negligent violations of the information sharing provisions of this bill. And equally important, it enables them to hold the United States government and other public officials responsible and take them to court if they violate privacy guarantees in this bill. 

A private company receiving someone's private information while monitoring for cyber threats should protect that information. It is a public trust and a public responsibility. And so this act protects Americans’ privacy by requiring companies that obtain that kind of information, some of it medical, or financial, of the most confidential and private nature, through monitoring, to protect that information.  

And this measure also imposes restrictions on the use of shared information for law enforcement purposes. The government can only provide information to law enforcement if it relates to a cybercrime or a serious threat to public safety. That is, physical safety. Bodily harm. And law enforcement can only use information to prosecute or stop cyber-attacks to prevent that kind of imminent and immediate harm to a person or a child. 

There are other protections. Some of them have been mentioned by Senators Franken and Coons before me, that I will support. For example, Senator Franken mentioned that his amendment would eliminate new authorities in the bill to monitor communications or operate countermeasures. Senator Coons mentioned a five-year sunset on the use of information sharing under this measure to help guard against unforeseen consequences of the legislation, and ensure that congressional oversight occurs on a regular and foreseeable basis. And other measures which I consider important would require federal agencies that suffer a data breach to notify affected individuals and allow those individuals to recover damages and require the creation of a new office in the Office of Management and Budget, Chief Privacy Officer. I support these amendments and I support also increasing the penalty in the event that government or companies violate the protections in this statute. 

We have indeed made progress. There is more to do. I hope that more progress will be made. And I foresee passage of a cybersecurity measure that is desperately and direly needed in this country. Not at some point in the future, but now, as others before me have said on this floor and as I have said before, cybersecurity is national security. And we must protect our national security while at the same time retaining the reason, our fundamental rights and civil liberties that we want to protect our nation and its constitutional values.