[Congressional Record: June 10, 2010 (Senate)] [Page S4852-S4855] STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS By Mr. LIEBERMAN (for himself, Ms. Collins, and Mr. Carper): S. 3480. A bill to amend the Homeland Security Act of 2002 And other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States; to the Committee on Homeland Security and Governmental Affairs. Mr. LIEBERMAN. Mr. President, I rise today to introduce the Protecting Cyberspace as a National Asset Act of 2010, which I believe would help secure the Nation's cyber networks against attack. The Internet may have started out as a communications oddity some 40 years ago but it is now a necessity of modern life and, sadly, one that is under constant attack. Today, Senators Collins, Carper, and I are introducing legislation which we believe would help secure the most critical cyber networks and therefore all Americans. For all of its ``user-friendly'' allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets. Our economic security, national security and public safety are now all at risk from new kinds of enemies--cyber-warriors, cyber-spies, cyberterrorists and cyber- criminals. That risk may be as serious to our homeland security as anything we face today. Computer networks at the Departments of Defense are being probed hundreds of thousands of times a day, and networks at the Departments of State, Homeland Security and Commerce, as well as NASA and the National Defense University, have all suffered ``major intrusions by unknown foreign entities,'' according to reports. Key networks that control vital infrastructure, like the electric grid, have been probed, possibly giving our enemies information that could be used to plunge us into darkness at the press of a button from across an ocean. Banks have had millions and millions of dollars stolen from accounts by cyber-bandits who have never been anywhere near the banks themselves. In a report by McAfee--a computer security company, about 54 percent of the executives of critical infrastructure companies surveyed said their companies had been the victims of denial of service attacks or network infiltration by organized crime groups, terrorists, and other nation-states. The downtime to recover from these attacks can cost $6 million to $8 million a day. Our present efforts at securing these vital but sprawling government and private sector networks have been disjointed, understaffed and underfinanced. We have not operated with the sense of urgency that is necessary to protect Americans' cyberspace, which the President has correctly described as a ``strategic national asset.'' Our bill would bring these disjointed efforts together so that the federal government and the private sector can coordinate their activities and work off the same playbook. While President Obama's creation of a cyber-security coordinator inside the White House was a step in the right direction, we need to make that position permanent, transparent and accountable to Congress and the American people. So, our proposal would create a Senate-confirmed White House cyber- security coordinator whose job would be to lead all federal cyber- security efforts; develop a national strategy--that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic; give policy advice to the President; and resolve interagency disputes. The Director of the Office of Cyberspace Policy would oversee all related federal cyberspace activities to ensure efficiency and coordination and would report regularly to Congress to ensure transparency and oversight. Our legislation also would create a National Center for Cybersecurity an Communications, NCCC, within the Department of Homeland Security, DHS, to elevate and strengthen the Department's cyber security capabilities and authorities. The NCCC would be run by a Senate- confirmed Director who would have the authority and resources to work with the rest of the Federal Government to protect public and private sector cyber networks. DHS has shown that vulnerabilities in key private sector networks-- like utilities and communications systems--could bring our economy to its knees if attacked or commandeered by a foreign power or cyber- terrorists. But other than pointing out a vulnerability, DHS has lacked the power to do anything about it. Our legislation would give DHS the authority to ensure that our nation's most critical infrastructure is protected from cyber attack. Defense of our cyber networks will only be successful if industry and government work together, so this legislation sets up a collaborative process where the best ideas of the private sector and the government can be used to meet a baseline set of security requirements that DHS would oversee. Specifically, the NCCC would work with the private sector to establish risk-based security requirements that strengthen the cyber security for the nation's most critical infrastructure, such as vital components of the electric grid, telecommunications networks, and financial sector that, if disrupted, would result in a national or regional catastrophe. Owners and operators of critical infrastructure covered under the act could choose which security measures to implement to meet these risk-based performance requirements. The act would provide some liability protections to owners/operators who demonstrate compliance with the new risk-based security requirements. Covered critical infrastructure must also report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these networks. In return, the NCCC would share information, including threat analysis, with owners and operators regarding risks to their networks. The NCCC would also produce and [[Page S4853]] share useful warning, analysis, and threat information with other Federal agencies, State and local governments, and international partners. To increase security across the private sector more broadly, the NCCC would collaborate with the private sector to develop best practices for cyber security. By promoting best practices and providing voluntary technical assistance as resources permit, the NCCC would help improve cyber security across the Nation. Information the private sector shares with the NCCC would be protected from public disclosure, and private sector owners and operators may obtain security clearances to access information necessary to protect the IT networks the American people depend upon. Thanks to great work by Senator Carper, our legislation would update the Federal Information Security Management Act--or FISMA--to require continuous monitoring and protection of our federal networks and do away with the paper-based reporting system that currently exists. The act also would codify and strengthen DHS authorities to establish 0 complete situational awareness for Federal networks and develop tools to improve resilience of Federal Government systems and networks. In the event of an attack--or threat of an attack--that could have catastrophic consequences to our economy, national security or public safety, our bill would give the President the authority to impose emergency measures on a select group of the most critical infrastructure to preserve their cyber networks and assets and protect our country and the American people. These emergency measures would automatically expire within 30 days unless the President ordered an extension. These measures would be developed in consultation with the private sector and would apply if the President has credible evidence a cyber vulnerability is being exploited or is about to be exploited. If possible, the President must notify Congress in advance about the threat and the emergency measures that would be taken to mitigate it. Any emergency measures imposed must be the least disruptive necessary to respond to the threat. The bill does not authorize any new surveillance authorities, or permit the government to ``take over'' private networks. Of course, DHS would need a lot of talented people to accomplish these missions, and our bill gives it the flexibility to recruit, hire, and retain the experts it would need to be successful. Our bill would require the Office of Personal Management to reform the way cyber security personnel are recruited, hired, and trained and would provide DHS with temporary hiring and pay flexibilities to assist in the quick establishment of the NCCC. Finally, our legislation would require the Federal Government to develop and implement a strategy to ensure that almost $80 billion of the information technology products and services it purchases each year are secure and do not provide our adversaries with a backdoor into our networks. More specifically, the act would require development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy would allow agencies to make informed decisions when purchasing IT products and services. This provision would be implemented through the Federal Acquisition Regulation, requiring contracting officers to consider the security risks inherent in agency IT procurements. The value of this approach is that once security features are developed to protect federal networks, private sector customers may be able to purchase that same level of security in the products they buy. The need for this legislation is both obvious and urgent. A report by the bipartisan Center for Strategic and International Studies, CSIS, concluded that ``we face a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals and others, and losing this struggle would wreak serious damage on the economic health and national security of the United States.'' Given these stakes, Senators Collins, Carper, and I are confident our colleagues will join with us and pass the ``Protecting Cyberspace as a National Asset Act'' in the 110th Congress. Ms. COLLINS. Mr. President, I rise to join Senators Lieberman and Carper in introducing the Protecting Cyberspace as a National Asset Act of 2010. This vital legislation would fortify the government's efforts to safeguard America's cyber networks from attack. It would build a public/private partnership to promote national cyber security priorities. It would strengthen the government's ability to set, monitor compliance with, and enforce standards and policies for securing Federal civilian systems and the sensitive information they contain. The marriage of increasingly robust computer technology to expanding and nearly instantaneous global telecommunications networks is a truly seismic event in human history. This information revolution touches everything, from personal relationships and entertainment to commerce, scientific research, and the most sensitive national security information. Cyberspace is a place of great, even unparalleled, power. But, to tweak the familiar saying, with great power comes great vulnerability. Cyberspace is under increasing assault on all fronts: cyber vandalism, cyber crime, cyber sabotage, and cyber espionage. Across the world at this moment, computer networks are being hacked, probed, and infiltrated relentlessly. The purpose of these cyber exploits ranges from simple mischief and massive theft to societal mayhem and geopolitical advantage. In February, Dennis Blair, the former Director of National Intelligence, gave this chilling assessment before the Senate Select Committee on Intelligence: ``Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication. While both the threats and technologies associated with cyberspace are dynamic, the existing balance in network technology favors malicious actors, and is likely to continue to do so for the foreseeable future.'' Consider these sobering facts: Cyber crime costs our national economy nearly $8 billion annually. Hackers can operate in relative safety and anonymity from a laptop or desktop anywhere in the world. The expanding capabilities of wireless hand-held devices strengthen this cloak of cyber invisibility. As our national and global economies become ever more intertwined, cyber terrorists have greater potential to attack high-value targets. From anywhere in the world, they could disrupt telecommunications systems, shut down electric power grids, or freeze financial markets. With sufficient know-how and a few keystrokes, they could cause billions of dollars in damage and put thousands of lives in jeopardy. As the hackers' techniques advance, the number of hacking attempts is exploding. Just this March, the Senate's Sergeant at Arms reported that the computer systems of Congress and Executive Branch agencies now are under cyber attack an average of 1.8 billion times per month. Recent examples of cyber attacks are myriad and disturbing: Press reports a year ago stated that China and Russia had penetrated the computer systems of America's electrical grid. The hackers allegedly left behind malicious hidden software that could be activated later to disrupt the grid during a war or other national crisis. At about the same time, we learned that, beginning in 2007 and continuing well into 2008, hackers repeatedly broke into the computer systems of the Pentagon's $300-billion Joint Strike Fighter project. They stole crucial information about the Defense Department's costliest weapons program ever. In 2007, the country of Estonia was attacked in cyberspace. A 3-week onslaught of botnets overwhelmed the computer systems of the nation's parliament, government ministries, banks, telecommunications networks, and news organizations. This attack on Estonia is a wake-up call that has yet to be sufficiently heeded. The private sector is also under attack. In January, Google announced that attacks originating in China had targeted its systems as well as the networks of more than 30 other companies. The attacks on Google sought to access the email accounts of Chinese [[Page S4854]] human rights activists. For the other companies, lucrative information, such as critical corporate data and software source codes, were targeted. Last year, cyber thieves secretly implanted circuitry into keypads sold to British supermarkets, which were then used to steal account information and PIN numbers. This same tactic was used against a large supermarket chain in Maine, compromising more than 4 million credit cards. Nor are small businesses immune. Last summer, a small Maine construction firm found that cyber crooks had stolen nearly $600,000 through an elaborate scheme involving dozens of coconspirators throughout the United States. These attacks, and the hundreds like them that are occurring at any given time whether on our government or private sector systems, have ushered us into a new age of cyber crime and, indeed, cyber warfare. They underscore the high priority we must give to the security of our information technology systems. The terrorist attacks of September 11, 2001, exposed the vulnerability of our nation to catastrophic attacks. Since that terrible day, we have done much to protect potential targets such as ports, chemical facilities, transportation systems, water supplies, government buildings, and other vital assets. We cannot afford to wait for a ``cyber 9/11'' before our government finally realizes the importance of protecting our digital resources, limiting our vulnerabilities, and mitigating the consequences of penetrations of our networks. Chairman Lieberman and I have held a number of hearings on cyber security in the Senate Homeland Security and Governmental Affairs Committee. Senator Carper has been similarly active, particularly on exploring modifications to the Federal Information Security Management Act that are designed to enhance protections of Federal networks and information. From our examinations of this issue, we know that there are threats to and vulnerabilities in our cyber networks. We also know that the tactics used to exploit these vulnerabilities are constantly evolving and growing increasingly dangerous. Now, it is time to take action. A strong and sustained Federal effort to promote cyber security is a key component of effective deterrence. For too long, our approach to cyber security has been disjointed and uncoordinated. This cannot continue. The United States requires a comprehensive cyber security strategy backed by aggressive implementation of effective security measures. There must be strong coordination among law enforcement, intelligence agencies, the military, and the private owners and operators of critical infrastructure. This bill would establish the essential point of coordination. The Office of Cyberspace Policy in the Executive Office of the President would be run by a Senate-confirmed Director who would advise the President on all cyber security matters. The Director would lead and harmonize Federal efforts to secure cyberspace and would develop a national strategy that incorporates all elements of cyber security policy, including military, law enforcement, intelligence, and diplomacy. The Director would oversee all Federal activities related to the national strategy to ensure efficiency and coordination. The Director would report regularly to Congress to ensure transparency and oversight. To be clear, the White House official would not be another unaccountable czar. The Cyber Director would be a Senate-confirmed position and thus would testify before Congress. The important responsibilities given to the Director of the Office of Cyberspace Policy related to cybersecurity are similar to the responsibilities of the current Director of the Office of Science and Technology Policy. The Cyber Director would advise the President and coordinate efforts across the Executive Branch to protect and improve our cybersecurity posture and communications networks. By working with a strong operational and tactical partner at the Department of Homeland Security, the Director would help improve the security of Federal and private sector networks. This strong DHS partner would be the National Center for Cybersecurity and Communications, or Cyber Center. It would be located within the Department of Homeland Security to elevate and strengthen the Department's cyber security capabilities and authorities. This Center also would be led by a Senate-confirmed Director. The Cyber Center, anchored at DHS, with a strong and empowered leader, will close the coordination gaps that currently exist in our disjointed federal cyber security efforts. For day-to-day operations, the Center would use the resources of DHS, and the Center Director would report directly to the Secretary of Homeland Security. On interagency matters related to the security of federal networks, the Director would regularly advise the President--a relationship similar to the Director of the NCTC on counterterrorism matters or the Chairman of the Joint Chiefs of Staff on military issues. These dual relationships would give the Center Director sufficient rank and stature to interact effectively with the heads of other departments and agencies, and with the private sector. Congress has dealt with complex challenges involving the need for interagency coordination in the past with a similar construct. We have established strong leaders with supporting organizational structures to coordinate and implement action across agencies, while recognizing and respecting disparate agency missions. The establishment of the National Counterterrorism Center within the Office of the Director of National Intelligence is a prime example of a successful reorganization that fused the missions of multiple agencies. The Director of NCTC is responsible for the strategic planning of joint counterterrorism operations, and in this role reports to the President. When implementing the information analysis, integration, and sharing mission of the Center, the Director reports to the Director of National Intelligence. These dual roles provide access to the President on strategic, interagency matters, yet provide NCTC with the structural support and resources of the office of the DNI to complete the day-to- day work of the NCTC. The DHS Cyber Center would replicate this successful model for cyber security. As we have seen repeatedly, from the financial crisis to the environmental catastrophe in the Gulf of Mexico, what happens in the private sector does not always affect just the private sector. The ramifications for government and for the taxpayers often are enormous. This bill would establish a public/private partnership to improve cyber security. Working collaboratively with the private sector, the Center would produce and share useful warning, analysis, and threat information with the private sector, other Federal agencies, international partners, and state and local governments. By developing and promoting best practices and providing voluntary technical assistance to the private sector, the Center would improve cyber security across the nation. Best practices developed by the Center would be based on collaboration and information sharing with the private sector. Information shared with the Center by the private sector would be protected. With respect to the owners and operators of our most critical systems and assets, the bill would mandate compliance with certain risk-based performance requirements to close security gaps. These requirements would apply to vital components of the electric grid, telecommunications networks, financial systems, or other critical infrastructure systems that could cause a national or regional catastrophe if disrupted. This approach would be similar to the current model that DHS employs with the chemical industry. Rather than setting specific standards, DHS would employ a risk-based approach to evaluating cyber vulnerabilities, and the owners and operators of covered critical infrastructure would develop a plan for protecting those vulnerabilities and mitigating the consequences of an attack. These owners and operators would be able to choose which security measures to implement to meet applicable risk-based performance requirements. The bill does not authorize any new surveillance authorities or permit the government to ``take over'' private networks. This model would allow for continued [[Page S4855]] innovation and dynamism that are fundamental to the success of the IT sector. The bill would provide limited liability protections to the owners and operators of covered critical infrastructure that comply with the new risk-based performance requirements. Covered critical infrastructure also would be required to report certain significant breaches affecting vital system functions to the center. These reports would help ensure that the Federal Government has comprehensive awareness of the security risks facing these critical networks. If a cyber attack is imminent or occurring, the bill would provide a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the Nation's most critical infrastructure. The President would be required to notify Congress in advance of the declaration of a national cyber emergency, or as soon thereafter as possible. This notice would include the nature of the threat, the reason existing protective measures are insufficient to respond to the threat, and the emergency actions necessary to mitigate the threat. The emergency measures would be limited in duration and scope. Any emergency actions directed by the President during the 30-day period covered by the declaration must be the least disruptive means feasible to respond to the threat. Liability protections would apply to owners and operators required to implement these measures, and if other mitigation options were available, owners and operators could propose those alternative measures to the Director and, once approved, implement those in lieu of the mandatory emergency measures. The center also would share information, including threat analysis, with owners and operators of critical infrastructure regarding risks affecting the security of their sectors. The center would work with sector-specific agencies and other Federal agencies with existing regulatory authority to avoid duplication of requirements, to use existing expertise, and to ensure government resources are employed in the most efficient and effective manner. With regard to Federal networks, the Federal Information Security Management Act--known as FISMA--gives the Office of Management and Budget broad authority to oversee agency information security measures. In practice, however, FISMA is frequently criticized as a ``paperwork exercise'' that offers little real security and leads to a disjointed cyber security regime in which each Federal agency haphazardly implements its own security measures. The bill we introduce today would transform FISMA from paper-based to real-time responses. It would codify and strengthen DHS authorities to establish complete situational awareness for Federal networks and develop tools to improve resilience of Federal Government systems and networks. The legislation also would take advantage of the Federal Government's massive purchasing power to help bring heightened cyber security standards to the marketplace. Specifically, the Director of the Center would be charged with developing a supply chain risk management strategy applicable to Federal procurements. This strategy would emphasize the security of information systems from development to acquisition and throughout their operational life cycle. While the Director should not be responsible for micromanaging individual procurements or directing investments, we have seen far too often that security is not a primary concern when agencies procure their IT systems. Recommending security investments to OMB and providing strategic guidance on security enhancements early in the development and acquisition process will help ``bake in'' security. Cyber security can no longer be an afterthought in our government agencies. These improvements in Federal acquisition policy should have beneficial ripple effects in the larger commercial market. As a large customer, the Federal Government can contract with companies to innovate and improve the security of their IT services and products. With the Government's vast purchasing power, these innovations can establish new security baselines for services and products offered to the private sector and the general public. Finally, the legislation would direct the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the Federal Government and the private sector have the talent necessary to lead this national effort and protect its own networks. The bill would also provide DHS with temporary hiring and pay flexibilities to assist in the establishment of the center. Some have suggested that this effort can be led from the White House alone--why create a new center at DHS and two Senate-confirmed Director positions? One of the great lessons of 9/11 is that true security demands aggressive oversight, expert evaluation, and thorough testing of systems. There must be constant, real-time monitoring of security and analysis of threats. This task requires much more than a cyber czar. It requires strong civilian counterparts to the Secretary of Defense and the Director of National Intelligence. These Directors, at the White House and at DHS, would serve as those counterparts. The National Security Agency and other intelligence agencies possess enormous skills and resources, but privacy and civil liberties demands preclude these agencies from shouldering a leadership role in the security of our civilian information technology systems. The intelligence community must play a critical part in providing threat information, but it cannot lead the cyber security effort. We are all acutely aware that there are those who seek to do harm to this country and to our people. If hackers can nearly bring Estonia to its knees through cyber attacks, infiltrate our military's most closely-guarded project, and, in the case of Google, hack the computers owned and operated by some of the world's most successful computer experts, we must assume even more spectacular and potentially devastating attacks lie ahead. We must be ready. It is vitally important that we build a strong public-private partnership to protect cyberspace. It is a vital engine of our economy, our government, our country and our future. I urge my colleagues to support this crucial legislation. ______