[Congressional Record: June 10, 2010 (Senate)]
[Page S4852-S4855]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mr. LIEBERMAN (for himself, Ms. Collins, and Mr. Carper):
S. 3480. A bill to amend the Homeland Security Act of 2002 and other
laws to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; to the Committee on
Homeland Security and Governmental Affairs.
Mr. LIEBERMAN. Mr. President, I rise today to introduce the
Protecting Cyberspace as a National Asset Act of 2010, which I believe
would help secure the Nation's cyber networks against attack.
The Internet may have started out as a communications oddity some 40
years ago but it is now a necessity of modern life and, sadly, one that
is under constant attack. Today, Senators Collins, Carper, and I are
introducing legislation which we believe would help secure the most
critical cyber networks and therefore all Americans.
For all of its ``user-friendly'' allure, the Internet can also be a
dangerous place with electronic pipelines that run directly into
everything from our personal bank accounts to key infrastructure to
government and industrial secrets. Our economic security, national
security and public safety are now all at risk from new kinds of
enemies--cyber-warriors, cyber-spies, cyberterrorists and cyber-
criminals. That risk may be as serious to our homeland security as
anything we face today.
Computer networks at the Department of Defense are being probed
hundreds of thousands of times a day, and networks at the Departments
of State, Homeland Security and Commerce, as well as NASA and the
National Defense University, have all suffered ``major intrusions by
unknown foreign entities,'' according to reports.
Key networks that control vital infrastructure, like the electric
grid, have been probed, possibly giving our enemies information that
could be used to plunge us into darkness at the press of a button from
across an ocean. Banks have had millions and millions of dollars stolen
from accounts by cyber-bandits who have never been anywhere near the
banks themselves.
In a report by McAfee--a computer security company--about 54 percent
of the executives of critical infrastructure companies surveyed said
their companies had been the victims of denial of service attacks or
network infiltration by organized crime groups, terrorists, and other
nation-states. The downtime to recover from these attacks can cost $6
million to $8 million a day.
Our present efforts at securing these vital but sprawling government
and private sector networks have been disjointed, understaffed and
underfinanced. We have not operated with the sense of urgency that is
necessary to protect Americans' cyberspace, which the President has
correctly described as a ``strategic national asset.''
Our bill would bring these disjointed efforts together so that the
federal government and the private sector can coordinate their
activities and work off the same playbook.
While President Obama's creation of a cyber-security coordinator
inside the White House was a step in the right direction, we need to
make that position permanent, transparent and accountable to Congress
and the American people.
So, our proposal would create a Senate-confirmed White House cyber-
security coordinator whose job would be to lead all federal cyber-
security efforts; develop a national strategy that incorporates all
elements of cyberspace policy, including military, law enforcement,
intelligence, and diplomatic; give policy advice to the President; and
resolve interagency disputes.
The Director of the Office of Cyberspace Policy would oversee all
related federal cyberspace activities to ensure efficiency and
coordination and would report regularly to Congress to ensure
transparency and oversight.
Our legislation also would create a National Center for Cybersecurity
and Communications, NCCC, within the Department of Homeland Security,
DHS, to elevate and strengthen the Department's cyber security
capabilities and authorities. The NCCC would be run by a Senate-
confirmed Director who would have the authority and resources to work
with the rest of the Federal Government to protect public and private
sector cyber networks.
DHS has shown that vulnerabilities in key private sector networks--
like utilities and communications systems--could bring our economy to
its knees if attacked or commandeered by a foreign power or cyber-
terrorists. But other than pointing out a vulnerability, DHS has lacked
the power to do anything about it. Our legislation would give DHS the
authority to ensure that our nation's most critical infrastructure is
protected from cyber attack.
Defense of our cyber networks will only be successful if industry and
government work together, so this legislation sets up a collaborative
process where the best ideas of the private sector and the government
can be used to meet a baseline set of security requirements that DHS
would oversee.
Specifically, the NCCC would work with the private sector to
establish risk-based security requirements that strengthen the cyber
security for the nation's most critical infrastructure, such as vital
components of the electric grid, telecommunications networks, and
financial sector that, if disrupted, would result in a national or
regional catastrophe. Owners and operators of critical infrastructure
covered under the act could choose which security measures to implement
to meet these risk-based performance requirements. The act would
provide some liability protections to owners/operators who demonstrate
compliance with the new risk-based security requirements.
Covered critical infrastructure must also report significant breaches
to the NCCC to ensure the federal government has a complete picture of
the security of these networks. In return, the NCCC would share
information, including threat analysis, with owners and operators
regarding risks to their networks. The NCCC would also produce and
share useful warning, analysis, and threat information with other
Federal agencies, State and local governments, and international
partners.
To increase security across the private sector more broadly, the NCCC
would collaborate with the private sector to develop best practices for
cyber security. By promoting best practices and providing voluntary
technical assistance as resources permit, the NCCC would help improve
cyber security across the Nation. Information the private sector shares
with the NCCC would be protected from public disclosure, and private
sector owners and operators may obtain security clearances to access
information necessary to protect the IT networks the American people
depend upon.
Thanks to great work by Senator Carper, our legislation would update
the Federal Information Security Management Act--or FISMA--to require
continuous monitoring and protection of our federal networks and do
away with the paper-based reporting system that currently exists. The
act also would codify and strengthen DHS authorities to establish
complete situational awareness for Federal networks and develop tools
to improve resilience of Federal Government systems and networks.
In the event of an attack--or threat of an attack--that could have
catastrophic consequences to our economy, national security or public
safety, our bill would give the President the authority to impose
emergency measures on a select group of the most critical
infrastructure to preserve their cyber networks and assets and protect
our country and the American people. These emergency measures would
automatically expire within 30 days unless the President ordered an
extension.
These measures would be developed in consultation with the private
sector and would apply if the President has credible evidence a cyber
vulnerability is being exploited or is about to be exploited. If
possible, the President must notify Congress in advance about the
threat and the emergency measures that would be taken to mitigate it.
Any emergency measures imposed must be the least disruptive necessary
to respond to the threat. The bill does not authorize any new
surveillance authorities, or permit the government to ``take over''
private networks.
Of course, DHS would need a lot of talented people to accomplish
these missions, and our bill gives it the flexibility to recruit, hire,
and retain the experts it would need to be successful. Our bill would
require the Office of Personnel Management to reform the way cyber
security personnel are recruited, hired, and trained and would provide
DHS with temporary hiring and pay flexibilities to assist in the quick
establishment of the NCCC.
Finally, our legislation would require the Federal Government to
develop and implement a strategy to ensure that almost $80 billion of
the information technology products and services it purchases each year
are secure and do not provide our adversaries with a backdoor into our
networks.
More specifically, the act would require development of a
comprehensive supply chain risk management strategy to address risks
and threats to the information technology products and services the
federal government relies upon. This strategy would allow agencies to
make informed decisions when purchasing IT products and services. This
provision would be implemented through the Federal Acquisition
Regulation, requiring contracting officers to consider the security
risks inherent in agency IT procurements. The value of this approach is
that once security features are developed to protect federal networks,
private sector customers may be able to purchase that same level of
security in the products they buy.
The need for this legislation is both obvious and urgent.
A report by the bipartisan Center for Strategic and International
Studies, CSIS, concluded that ``we face a long-term challenge in
cyberspace from foreign intelligence agencies and militaries, criminals
and others, and losing this struggle would wreak serious damage on the
economic health and national security of the United States.''
Given these stakes, Senators Collins, Carper, and I are confident our
colleagues will join with us and pass the ``Protecting Cyberspace as a
National Asset Act'' in the 110th Congress.
Ms. COLLINS. Mr. President, I rise to join Senators Lieberman and
Carper in introducing the Protecting Cyberspace as a National Asset Act
of 2010. This vital legislation would fortify the government's efforts
to safeguard America's cyber networks from attack. It would build a
public/private partnership to promote national cyber security
priorities. It would strengthen the government's ability to set,
monitor compliance with, and enforce standards and policies for
securing Federal civilian systems and the sensitive information they
contain.
The marriage of increasingly robust computer technology to expanding
and nearly instantaneous global telecommunications networks is a truly
seismic event in human history. This information revolution touches
everything, from personal relationships and entertainment to commerce,
scientific research, and the most sensitive national security
information. Cyberspace is a place of great, even unparalleled, power.
But, to tweak the familiar saying, with great power comes great
vulnerability. Cyberspace is under increasing assault on all fronts:
cyber vandalism, cyber crime, cyber sabotage, and cyber espionage.
Across the world at this moment, computer networks are being hacked,
probed, and infiltrated relentlessly. The purpose of these cyber
exploits ranges from simple mischief and massive theft to societal
mayhem and geopolitical advantage.
In February, Dennis Blair, the former Director of National
Intelligence, gave this chilling assessment before the Senate Select
Committee on Intelligence:
``Malicious cyber activity is occurring on an unprecedented scale
with extraordinary sophistication. While both the threats and
technologies associated with cyberspace are dynamic, the existing
balance in network technology favors malicious actors, and is likely to
continue to do so for the foreseeable future.''
Consider these sobering facts:
Cyber crime costs our national economy nearly $8 billion annually.
Hackers can operate in relative safety and anonymity from a laptop or
desktop anywhere in the world. The expanding capabilities of wireless
hand-held devices strengthen this cloak of cyber invisibility.
As our national and global economies become ever more intertwined,
cyber terrorists have greater potential to attack high-value targets.
From anywhere in the world, they could disrupt telecommunications
systems, shut down electric power grids, or freeze financial markets.
With sufficient know-how and a few keystrokes, they could cause
billions of dollars in damage and put thousands of lives in jeopardy.
As the hackers' techniques advance, the number of hacking attempts is
exploding. Just this March, the Senate's Sergeant at Arms reported that
the computer systems of Congress and Executive Branch agencies now are
under cyber attack an average of 1.8 billion times per month.
Recent examples of cyber attacks are myriad and disturbing:
Press reports a year ago stated that China and Russia had penetrated
the computer systems of America's electrical grid. The hackers
allegedly left behind malicious hidden software that could be activated
later to disrupt the grid during a war or other national crisis.
At about the same time, we learned that, beginning in 2007 and
continuing well into 2008, hackers repeatedly broke into the computer
systems of the Pentagon's $300-billion Joint Strike Fighter project.
They stole crucial information about the Defense Department's costliest
weapons program ever.
In 2007, the country of Estonia was attacked in cyberspace. A 3-week
onslaught of botnets overwhelmed the computer systems of the nation's
parliament, government ministries, banks, telecommunications networks,
and news organizations. This attack on Estonia is a wake-up call that
has yet to be sufficiently heeded.
The private sector is also under attack. In January, Google announced
that attacks originating in China had targeted its systems as well as
the networks of more than 30 other companies. The attacks on Google
sought to access the email accounts of Chinese
human rights activists. For the other companies, lucrative information,
such as critical corporate data and software source codes, was
targeted.
Last year, cyber thieves secretly implanted circuitry into keypads
sold to British supermarkets, which were then used to steal account
information and PIN numbers. This same tactic was used against a large
supermarket chain in Maine, compromising more than 4 million credit
cards.
Nor are small businesses immune. Last summer, a small Maine
construction firm found that cyber crooks had stolen nearly $600,000
through an elaborate scheme involving dozens of coconspirators
throughout the United States.
These attacks, and the hundreds like them that are occurring at any
given time whether on our government or private sector systems, have
ushered us into a new age of cyber crime and, indeed, cyber warfare.
They underscore the high priority we must give to the security of our
information technology systems.
The terrorist attacks of September 11, 2001, exposed the
vulnerability of our nation to catastrophic attacks. Since that
terrible day, we have done much to protect potential targets such as
ports, chemical facilities, transportation systems, water supplies,
government buildings, and other vital assets. We cannot afford to wait
for a ``cyber 9/11'' before our government finally realizes the
importance of protecting our digital resources, limiting our
vulnerabilities, and mitigating the consequences of penetrations of our
networks.
Chairman Lieberman and I have held a number of hearings on cyber
security in the Senate Homeland Security and Governmental Affairs
Committee. Senator Carper has been similarly active, particularly on
exploring modifications to the Federal Information Security Management
Act that are designed to enhance protections of Federal networks and
information.
From our examinations of this issue, we know that there are threats
to and vulnerabilities in our cyber networks. We also know that the
tactics used to exploit these vulnerabilities are constantly evolving
and growing increasingly dangerous. Now, it is time to take action. A
strong and sustained Federal effort to promote cyber security is a key
component of effective deterrence.
For too long, our approach to cyber security has been disjointed and
uncoordinated. This cannot continue. The United States requires a
comprehensive cyber security strategy backed by aggressive
implementation of effective security measures. There must be strong
coordination among law enforcement, intelligence agencies, the
military, and the private owners and operators of critical
infrastructure.
This bill would establish the essential point of coordination. The
Office of Cyberspace Policy in the Executive Office of the President
would be run by a Senate-confirmed Director who would advise the
President on all cyber security matters. The Director would lead and
harmonize Federal efforts to secure cyberspace and would develop a
national strategy that incorporates all elements of cyber security
policy, including military, law enforcement, intelligence, and
diplomacy. The Director would oversee all Federal activities related to
the national strategy to ensure efficiency and coordination. The
Director would report regularly to Congress to ensure transparency and
oversight.
To be clear, the White House official would not be another
unaccountable czar. The Cyber Director would be a Senate-confirmed
position and thus would testify before Congress. The important
responsibilities given to the Director of the Office of Cyberspace
Policy related to cybersecurity are similar to the responsibilities of
the current Director of the Office of Science and Technology Policy.
The Cyber Director would advise the President and coordinate efforts
across the Executive Branch to protect and improve our cybersecurity
posture and communications networks. By working with a strong
operational and tactical partner at the Department of Homeland
Security, the Director would help improve the security of Federal and
private sector networks.
This strong DHS partner would be the National Center for
Cybersecurity and Communications, or Cyber Center. It would be located
within the Department of Homeland Security to elevate and strengthen
the Department's cyber security capabilities and authorities. This
Center also would be led by a Senate-confirmed Director.
The Cyber Center, anchored at DHS, with a strong and empowered
leader, will close the coordination gaps that currently exist in our
disjointed federal cyber security efforts. For day-to-day operations,
the Center would use the resources of DHS, and the Center Director
would report directly to the Secretary of Homeland Security. On
interagency matters related to the security of federal networks, the
Director would regularly advise the President--a relationship similar
to the Director of the NCTC on counterterrorism matters or the Chairman
of the Joint Chiefs of Staff on military issues. These dual
relationships would give the Center Director sufficient rank and
stature to interact effectively with the heads of other departments and
agencies, and with the private sector.
Congress has dealt with complex challenges involving the need for
interagency coordination in the past with a similar construct. We have
established strong leaders with supporting organizational structures to
coordinate and implement action across agencies, while recognizing and
respecting disparate agency missions.
The establishment of the National Counterterrorism Center within the
Office of the Director of National Intelligence is a prime example of a
successful reorganization that fused the missions of multiple agencies.
The Director of NCTC is responsible for the strategic planning of joint
counterterrorism operations, and in this role reports to the President.
When implementing the information analysis, integration, and sharing
mission of the Center, the Director reports to the Director of National
Intelligence. These dual roles provide access to the President on
strategic, interagency matters, yet provide NCTC with the structural
support and resources of the office of the DNI to complete the day-to-
day work of the NCTC. The DHS Cyber Center would replicate this
successful model for cyber security.
As we have seen repeatedly, from the financial crisis to the
environmental catastrophe in the Gulf of Mexico, what happens in the
private sector does not always affect just the private sector. The
ramifications for government and for the taxpayers often are enormous.
This bill would establish a public/private partnership to improve
cyber security. Working collaboratively with the private sector, the
Center would produce and share useful warning, analysis, and threat
information with the private sector, other Federal agencies,
international partners, and state and local governments. By developing
and promoting best practices and providing voluntary technical
assistance to the private sector, the Center would improve cyber
security across the nation. Best practices developed by the Center
would be based on collaboration and information sharing with the
private sector. Information shared with the Center by the private
sector would be protected.
With respect to the owners and operators of our most critical systems
and assets, the bill would mandate compliance with certain risk-based
performance requirements to close security gaps. These requirements
would apply to vital components of the electric grid,
telecommunications networks, financial systems, or other critical
infrastructure systems that could cause a national or regional
catastrophe if disrupted.
This approach would be similar to the current model that DHS employs
with the chemical industry. Rather than setting specific standards, DHS
would employ a risk-based approach to evaluating cyber vulnerabilities,
and the owners and operators of covered critical infrastructure would
develop a plan for protecting those vulnerabilities and mitigating the
consequences of an attack.
These owners and operators would be able to choose which security
measures to implement to meet applicable risk-based performance
requirements. The bill does not authorize any new surveillance
authorities or permit the government to ``take over'' private networks.
This model would allow for continued
innovation and dynamism that are fundamental to the success of the IT
sector.
The bill would provide limited liability protections to the owners
and operators of covered critical infrastructure that comply with the
new risk-based performance requirements. Covered critical
infrastructure also would be required to report certain significant
breaches affecting vital system functions to the center. These reports
would help ensure that the Federal Government has comprehensive
awareness of the security risks facing these critical networks.
If a cyber attack is imminent or occurring, the bill would provide a
responsible framework, developed in coordination with the private
sector, for the President to authorize emergency measures to protect
the Nation's most critical infrastructure. The President would be
required to notify Congress in advance of the declaration of a national
cyber emergency, or as soon thereafter as possible. This notice would
include the nature of the threat, the reason existing protective
measures are insufficient to respond to the threat, and the emergency
actions necessary to mitigate the threat. The emergency measures would
be limited in duration and scope.
Any emergency actions directed by the President during the 30-day
period covered by the declaration must be the least disruptive means
feasible to respond to the threat. Liability protections would apply to
owners and operators required to implement these measures, and if other
mitigation options were available, owners and operators could propose
those alternative measures to the Director and, once approved,
implement those in lieu of the mandatory emergency measures.
The center also would share information, including threat analysis,
with owners and operators of critical infrastructure regarding risks
affecting the security of their sectors. The center would work with
sector-specific agencies and other Federal agencies with existing
regulatory authority to avoid duplication of requirements, to use
existing expertise, and to ensure government resources are employed in
the most efficient and effective manner.
With regard to Federal networks, the Federal Information Security
Management Act--known as FISMA--gives the Office of Management and
Budget broad authority to oversee agency information security measures.
In practice, however, FISMA is frequently criticized as a ``paperwork
exercise'' that offers little real security and leads to a disjointed
cyber security regime in which each Federal agency haphazardly
implements its own security measures.
The bill we introduce today would transform FISMA from paper-based to
real-time responses. It would codify and strengthen DHS authorities to
establish complete situational awareness for Federal networks and
develop tools to improve resilience of Federal Government systems and
networks.
The legislation also would take advantage of the Federal Government's
massive purchasing power to help bring heightened cyber security
standards to the marketplace. Specifically, the Director of the Center
would be charged with developing a supply chain risk management
strategy applicable to Federal procurements. This strategy would
emphasize the security of information systems from development to
acquisition and throughout their operational life cycle.
While the Director should not be responsible for micromanaging
individual procurements or directing investments, we have seen far too
often that security is not a primary concern when agencies procure
their IT systems. Recommending security investments to OMB and
providing strategic guidance on security enhancements early in the
development and acquisition process will help ``bake in'' security.
Cyber security can no longer be an afterthought in our government
agencies.
These improvements in Federal acquisition policy should have
beneficial ripple effects in the larger commercial market. As a large
customer, the Federal Government can contract with companies to
innovate and improve the security of their IT services and products.
With the Government's vast purchasing power, these innovations can
establish new security baselines for services and products offered to
the private sector and the general public.
Finally, the legislation would direct the Office of Personnel
Management to reform the way cyber security personnel are recruited,
hired, and trained to ensure that the Federal Government and the
private sector have the talent necessary to lead this national effort
and protect its own networks. The bill would also provide DHS with
temporary hiring and pay flexibilities to assist in the establishment
of the center.
Some have suggested that this effort can be led from the White House
alone--why create a new center at DHS and two Senate-confirmed Director
positions? One of the great lessons of 9/11 is that true security
demands aggressive oversight, expert evaluation, and thorough testing
of systems. There must be constant, real-time monitoring of security
and analysis of threats. This task requires much more than a cyber
czar. It requires strong civilian counterparts to the Secretary of
Defense and the Director of National Intelligence. These Directors, at
the White House and at DHS, would serve as those counterparts.
The National Security Agency and other intelligence agencies possess
enormous skills and resources, but privacy and civil liberties demands
preclude these agencies from shouldering a leadership role in the
security of our civilian information technology systems. The
intelligence community must play a critical part in providing threat
information, but it cannot lead the cyber security effort.
We are all acutely aware that there are those who seek to do harm to
this country and to our people. If hackers can nearly bring Estonia to
its knees through cyber attacks, infiltrate our military's most
closely-guarded project, and, in the case of Google, hack the computers
owned and operated by some of the world's most successful computer
experts, we must assume even more spectacular and potentially
devastating attacks lie ahead.
We must be ready. It is vitally important that we build a strong
public-private partnership to protect cyberspace. It is a vital engine
of our economy, our government, our country and our future. I urge my
colleagues to support this crucial legislation.
______