WASHINGTON – U.S. Senator Ben Cardin (D-Md.) issued the following statement after Senate passage of S. 754, the Cybersecurity Information Sharing Act (CISA). While praising his colleagues for finally making some progress on a complicated issue that needs Congressional action and oversight, he voted against the measure for the reasons outlined below.
“We live in a digital world and we need to arm ourselves with the right tools to fend off continuing and relentless attacks from foreign governments, criminal organizations, terrorist organizations, and others that are designed to steal, corrupt, or manipulate sensitive private sector and government data. We need to fight back against such daily intrusions and prevent a digital 9/11 before it occurs, all while simultaneously protecting essential Americans’ privacy and civil liberties. Failure to take such steps to protect our critical infrastructure and our citizens, could wreak untold havoc for millions of Americans and businesses, as well as our national security. Unfortunately, S. 754, the Cybersecurity Information Sharing Act of 2015, fails to find such a balance, opening the door to massive government intrusions of privacy and misallocation of scare government resources, while shielding from liability those who might abuse newfound, expansive powers.
“Maryland is a national hub for cybersecurity activity and I am proud of the work done every day to protect this nation and our citizens by employees at the National Security Agency, Central Security Service, and U.S. Cyber Command at Fort Meade. These hard-working men and women — military and civilian, federal worker and contractor, public and private sector — have a shared responsibility and shared partnership on the front lines of a world-wide national security effort.
“But Congress should remember the lessons learned from our extensive hearings and oversight of the use and misuse of certain sections of FISA and the PATRIOT Act, which ultimately led Congress to prohibit the bulk collection of records of innocent Americans by our intelligence agencies. The CISA bill approved by the Senate today defines ‘cybersecurity threat’ so broadly that more actions than necessary can easily be covered by the provisions, which could have numerous unintended consequences.
“A narrower focus would allow our cyber forces to better focus on events that truly constitute a threat and are more ‘reasonably likely to result in’ harm, so we can better focus our scarce law enforcement and intelligence resources where they could have the most impact. As drafted, CISA may encourage companies to overshare information with the government, including non-cybersecurity related information or personally identifiable information (PII).
“I am particularly concerned that the legislation creates an overly broad and dangerous precedent for Congress to create new exemption from the Freedom of Information Act (FOIA), a bedrock law and bipartisan success which promotes government transparency and accountability, particularly when the government makes mistakes at the expense of their citizens. I am also concerned that the legislation authorizes new ‘disruptive defensive measures’ by companies which could have significant and troubling impacts on our foreign policy.
“While I am disappointed with the Senate action’s today, I am cautiously hopeful that the House of Representatives will improve upon this bill, or be open to improvements as the legislation moves to a conference committee.”