Dear Mr. Carter, Thank you for contacting me regarding cybersecurity legislation currently pending in Congress. I appreciate the opportunity to respond. Every day, U.S. businesses and the federal government are targeted by foreign governments and businesses for cyber exploitation and theft. As a Member of the House Defense Appropriations Committee and its liaison to the House Permanent Select Intelligence Committee, I have received numerous classified briefings detailing these types of attacks and the kinds of threats they present to our economy and national security. For example, at an unclassified level, the Chinese government has targeted American businesses and stolen (and then copied) pesticide formulas; stolen merger and acquisition information that would allow it to buy or sell stock at large profits; and stolen client lists that will allow it to market its products in direct competition. These actions have resulted in the loss of huge quantities of valuable intellectual property and sensitive information, costing the United States economy an estimated $200 billion every year. And the threats continue; during the week of April 22, a group threatened to launch a cyber-attack against the New York Stock Exchange (NYSE), putting it and the websites of the NASDAQ Stock Exchange, the Chicago Board of Options Exchange and the Miami Stock Exchange, "into a profound sleep." These types of unlawful, malicious behavior cannot be allowed to terrorize and economically cripple our nation. It is this type of activity – not individual American's internet usage habits or evidence of pirated movies or music – that the pending cybersecurity legislation would address. H.R. 3523, the Cyber Intelligence Sharing and Protection Act, which I co-sponsored, would expressly allow the government to provide private businesses with classified cyber-threat information. It would also allow businesses to voluntarily share information about websites that contain malicious code, identify malware and harmful computer "bots," and exchange data about cyber-attacks being conducted by thieves and those that would collapse our computer networks with each other and with the government. Some have objected that H.R. 3523 invades Americans' privacy. The bill, however, has been carefully crafted to avoid that. Contrary to what you may have heard, H.R. 3523 does not authorize companies to share sensitive or private information or grant the government unfettered access to Americans' internet activities. The bill does not authorize companies to transfer email exchanges, internet searching history, social networking activity, or other personally identifiable information (PII). Instead, it authorizes companies and the government to voluntarily share cyber-threat signatures; known bad websites that will infect computers by launching malicious programming code that is designed to shut down computer networks; computer code for malware, etc. Even then, information is to be made virtually anonymous before it is shared. And, the government can only use the information it receives: 1)For cybersecurity – to protect computer networks from destruction, theft, etc. 2)For investigation and prosecution of cybercrimes – to prosecute those who seek to steal information or collapse vital computer networks; 3)For national security; 4)To prosecute and investigate acts that could cause bodily harm or death; and 5)To protect minors from child pornography. H.R. 3523 does not allow the government to "data mine" the information to look for violations of any other laws or regulations. It does not allow the government to use the information shared to look for or limit Americans' ownership or use of firearms or handguns. H.R. 3523, therefore, has absolutely no impact on Americans' Second Amendment rights. Furthermore, the government will be required to notify any private entity that inadvertently submits information that has not properly been anonymized or does not qualify as cyber-threat information. PII, therefore, will only be shared to identify the government or individuals who launch cyberattacks to steal information, collapse vital computer networks (such as those that run the NYSE or public utilities), threaten to cause bodily harm or death, or to create, exchange or participate in child pornography. H.R. 3523 also requires the Inspector General of the Intelligence Community to review the government's use of information to ensure these restrictions are followed and to recommend future improvements and modifications to address privacy and civil liberties concerns. H.R. 3523, therefore, has several built-in privacy protections. In addition, companies remain bound by state and federal privacy laws, and all privacy agreements between them and their customers. H.R. 3523 does not affect or limit those protections and privacy rights in any way. Furthermore, H.R. 3523 does not impose any additional burdens on American businesses. It does not create any new government agencies, does not establish any new regulations, and does not require any company to report any information at all. Instead, the bill creates an entirely voluntary system that will allow American computer networks to communicate with each other to protect against those who would steal from, attack, or economically harm us. I am happy to report that H.R. 3523 enjoyed bipartisan support and broad support from several large industry leaders, such as Microsoft, AT&T, Symantec, Verizon, Business Software Alliance, TechAmerica, TechNet, and others. On April 26, H.R. 3523 passed the House of Representatives by a vote of 248-168, with my support. On April 26, the House of Representatives also passed H.R. 4257, the Federal Information Security Amendments Act of 2012. This bill would require federal agencies to automatically and continuously conduct threat assessments of their networks, to identify and mitigate risks of cyber attacks, thereby improving the security of our federal information. This requirement would not be imposed on private industry. H.R. 3523 and H.R. 4257 will now be transferred to the Senate for its consideration. On a related note, some have expressed concern that the cybersecurity bills being considered by Congress would give government the ability to "shut down the internet." In fact, the opposite is true. S. 413, the Cybersecurity and Internet Freedom Act of 2011, currently pending before the Senate, would declare that neither the President, the Director of the National Center for Cybersecurity and Communications, nor any officer or employee of the U.S. government shall have the authority to shut down the Internet. This bill was referred to the Senate Committee on Homeland Security and Governmental Affairs and the Committee has held hearings to collect information related to it. Thank you for expressing your concern about cybersecurity. I am aware that a lot of misinformation spread very rapidly about these bills and I appreciate the opportunity to write to you to help clear things up. Rest assured, I take Americans' privacy rights and Second and Fourth Amendment rights very seriously. I will continue to work with my colleagues to enact legislation that improves our national security while – at the same time – ensuring to protect your individual rights. Once again, thank you for your correspondence. I hope you will continue to contact me regarding issues of importance to you and your family. In the meantime, I encourage you to visit my website at www.calvert.house.gov and sign up for my weekly e-newsletters. For urgent updates on critical issues, follow me on Twitter (@KenCalvert) and check out my Facebook page (Congressman Ken Calvert). Sincerely, KEN CALVERT Member of Congress KC: dc