[Congressional Record: June 24, 2010 (Senate)]
[Page S5445-S5447]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mr. BOND (for himself and Mr. Hatch):
S. 3538. A bill to improve the cyber security of the United States
and for other purposes; to the Committee on Homeland Security and
Government Affairs.
Mr. BOND. Mr. President, over the past several months, our Homeland
has experienced direct terrorist attacks against two military bases and
attempted terrorist attacks on Christmas Day and in Times Square. These
attacks quickly captured the attention of the American public and stand
as stark reminders of the threats our Nation continues to face from
terrorists across the globe.
After these recent attacks, I have no doubt that every American is
aware of the threat from a terrorist with a bomb, which could take out
a city block or bring down an airplane. But I am afraid that right now,
the American public is largely unaware of a silent threat that could
devastate our entire Nation--cyber attacks.
These cyber attacks happen every day, but have remained largely under
the public radar. Our government, businesses, citizens, and even social
networking sites all have been hit. Cyber attacks are on the rise and
unless our private sector and Congress start down a better path to
protect our information networks, serious damage to our economy and our
national security will follow.
In an ever-increasing cyber age, where our financial system conducts
trades via the Internet, families pay bills online, and the government
uses computers to calculate benefits and implement war strategies,
successful cyber attacks can be devastating. The nightmare scenarios no
longer exist just in Hollywood movies. Imagine if a terrorist disrupted
our air traffic control on an average day with more than 28,000
commercial aircraft in our skies; if a hacker took down Wall Street
trading for just hours; or if an attack destroyed an electrical grid in
a major city.
Scenarios like these make it even more important that we listen to
the recent comments by former Director of National Intelligence Mike
McConnell who testified that ``[i]f we were in a cyber war today, the
United States would lose.'' That is no insignificant statement coming
from a military and intelligence veteran like Mike McConnell and it
should cause all of us to pause and take a look at how we should
neutralize this rising threat. Our networks and way of life could be
taken down by an enemy state, a terrorist group, or a single hacker.
That is why Senator Hatch and I are introducing the National Cyber
Infrastructure Protection Act of 2010 today.
Let me be blunt here: our enemies won't wait for us to do our
homework, solve our turf battles, or modernize our laws before using
our networks as a deadly weapon; in fact, the attacks have already
started. We do not have another day to waste, and I believe our bill is
the best solution to address this threat.
This act is built on three principles: first, we must be clear about
where Congress should, and, more importantly, should not legislate.
Congress should set lanes in the road to protect our Nation's cyber
security, but leave flexibility for the private sector and government
to adapt to changing threats within those lanes.
In 1978, when the Foreign Intelligence Surveillance Act was enacted,
it put into law certain technologies. Those technologies changed and
thus FISA was ineffective in enabling us to listen in on cell phone and
e-mail traffic between terrorists in foreign countries.
We have seen within the past few years the national security problems
that can arise when laws are too rigid to keep pace with technology. We
have also heard repeated concerns from industry, the private sector,
and those operating critical infrastructure that overlegislating by
Congress ultimately will make it harder to protect our networks as
innovation and quick response get overrun by unnecessary regulatory
schemes and mandates.
Second, right now virtually every Federal department or agency has
someone who is responsible for cyber security issues. But who makes
sure that all those departments and agencies work together to protect
all of our government networks? Who is the one person responsible, with
authority to impact our cyber security strategies and activities?
Unfortunately, right now, the answer is ``no one.''
To solve this problem, our bill establishes a National Cyber Center
and designates a single, Senate-confirmed individual, accountable to
the Congress and the American people and reporting directly to the
President, to serve as the Director. The Director has the statutory
responsibility and authority to coordinate activities to protect
government networks and develop policies and procedures to help Federal
agencies do the job.
In order to reduce the center's operating costs and to capitalize on
the cyber expertise we all know resides in the Department of Defense,
the National Cyber Center is administratively placed in DOD. But, out
of deference to concerns that the military should not have too much
control over government networks, the center is not run by the Defense
Department and the Director does not report to the Secretary of
Defense.
Because a key part of the center is to make sure the right people are
talking to each other, the act requires those parts of DOD, the
Department of Homeland Security, the Office of the Director of National
Intelligence, and the Federal Bureau of Investigation needed to carry
out the center's missions to collocate and integrate within the center,
much like the National Counterterrorism Center integrates elements of
the intelligence community. Other Federal agencies may also participate
in the center.
As we put this bill together, former senior intelligence community
officials told us that providing strong budget authority was essential
for the Director to have the clout needed to do the job. And so, this
act gives the Director clear input into cyber budgets across all
Federal agencies, much like the Federal drug czar has in coordinating
counterdrug budgets across different agencies. To hit this point home,
the act also creates a National Cyber Security Program, similar to the
National Intelligence Program. Such influence--influence that the
current cyber czar simply does not have--is essential to creating a
comprehensive, cost-effective approach to securing our government
information networks.
The third and final principle underlying this act is the idea that
there must be a venue for the government and the private sector to
collaborate and share information on cyber-related matters. The private
sector is often on the front lines of cyber attacks, so any information
it can provide to increase government awareness of the source and
nature of cyber threats will make both government and the private
sector stronger. The corollary to this is that the Government must
share its own cyber threat information, including classified or
declassified intelligence, with the private sector.
Moreover, this collaboration, in order to be effective, must be
voluntary. Once the private sector stands to gain technical advice and
greater access to cyber threat information, there will be a clear
incentive to join with the government in protecting our networks.
Our bill codifies this collaboration, creating a public-private
partnership known as the Cyber Defense Alliance to facilitate the flow
of information about cyber threats and the latest technologies between
the private sector and the government. The Alliance will be the
clearinghouse for passing sensitive cyber threat information to the
private and critical infrastructure entities on the front lines, but
without compromising our intelligence sources and methods.
We agree with intelligence experts and private sector representatives
who have told us if the heavy hand of government drives this
collaboration, it will not be effective. Therefore, the alliance will
be managed by a board of directors consisting largely of private sector
representatives and located in the Department of Energy, where the
existing National Labs have great expertise to share. Because our
private partners must know the information will not be compromised or
other consequences will occur, the act gives solid protections from
FOIA, antitrust restrictions, and other limitations.
This bill is one of many cyber-bills introduced in Congress, so some
may be asking why this approach is better.
A key aspect of this bill is that it provides a practical public-
private cyber infrastructure designed to address effectively the cyber
threat rather than preserve the jurisdictional turf of any one agency
or congressional oversight committee. In other words--I don't have a
dog in this fight--I just want to pass the best bill to protect our
networks. The cyber threat will only be eliminated when we get all of
the public and private players working together in harmony under a
common vision toward common mission objectives.
Our bill does not impose mandates on industry and the private
sector--mandates and regulations that form the core of other bills,
raising substantial concerns among our industry and private sector
partners. Our economy is in turmoil as it is and the last thing we need
are mandates imposed on U.S. businesses that will put them at a serious
competitive disadvantage and jeopardize their proprietary information
in the global marketplace. Many industry partners have told us that if
we mandate this it would put them at a competitive disadvantage.
Finally, our bill moves away from the notion that creating a
statutory cyber coordinator in the Executive Office of the President
will solve the cyber security problem. The current cyber security
coordinator in the White House has neither the authority nor the staff
to coordinate the government's wide range of cyber operations and
strategies. Simply enshrining his position in statute will not overcome
the claims of ``Executive Privilege'' that are bound to come when
Congress asks for information and it will not guarantee the leadership
necessary to address the cyber threat.
Also, I think many of my colleagues would agree that now is not the
time to give the Department of Homeland Security more responsibility,
as some of the cyber bills out there want to do. I don't think many in
this Chamber would disagree that DHS is already overburdened.
The bill we are introducing today has already earned praise from the
electric power sector because of the cooperative relationship that the
Cyber Defense Alliance created in this bill fosters between the
government and private sector. The entities that are part of the
electric power sector recognize that this bill builds on what is
already working and creates the infrastructure necessary to ensure a
cooperative relationship between all of the relevant public and private
cyber players to address the evolving cyber-security threat. I ask
unanimous consent that this statement from the electric power sector be
made a part of the Record.
There being no objection, the material was ordered to be printed in
the Record, as follows:
The National Cyber Infrastructure Protection Act of 2010
Protecting the North American electric grid and ensuring a
reliable supply of power is the electric power industry's top
priority. Reliability is more than a buzzword for the
electric industry--it's a mandate. In fact, electric
companies can be assessed substantial penalties for failure
to comply with reliability standards.
This focus on reliability, resiliency and recovery requires
the power sector to take an all-hazards approach, recognizing
risks from natural phenomena such as hurricanes or
geomagnetic disturbances to intentional cyber attacks. The
electric power sector works closely with the North American
Electric Reliability Corporation (NERC) and federal agencies
to enhance the cyber security of the bulk power system. This
includes coordination with the Federal Energy Regulatory
Commission (FERC), the Department of Homeland Security (DHS),
and the Department of Energy (DOE), as well as federal
intelligence and law enforcement agencies, and various
federal and provincial authorities in Canada.
To complement its cyber security efforts and to address
rapidly changing intelligence on evolving threats, the
industry welcomes a cooperative relationship with federal
authorities to protect against situations that threaten
national security or public welfare, and to prioritize the
assets that need enhanced security. A well-practiced, public-
private partnership utilizes all stakeholders' expertise,
including the government's ability to gather and share timely
and actionable threat information with critical
infrastructure asset owners and operators, upon which they
can formulate appropriate mitigation strategies to prevent
significant adverse consequences to utility operations or
assets.
The comprehensive draft cyber security legislation under
development in the Senate Select Committee on Intelligence
attempts to create such a cooperative relationship by: * * *
Mr. BOND. In addition, because I, the vice chairman of the Intelligence
Committee, believe no legislation in this area should impede the
intelligence community's ability to protect our nation from terrorist
attacks and other threats, we asked the Office of the Director of
National Intelligence for an informal assessment of our bill. They told
us that, unlike other bills that have been introduced, this bill
protects intelligence community equities, especially with respect to
protecting classified intelligence sources and methods.
The National Cyber Infrastructure Protection Act of 2010 provides
broad lanes in the road, without micromanaging, to give all partners in
cyber security, whether government or private, the flexibility to
defend against threats from our enemies. The private sector already has
a tremendous incentive to protect their own networks; all the Federal
Government needs to do is support them with technology and information
and get out of the way.
Cyber attackers have been stealing intellectual property, threatening
to take down our critical infrastructure, and gaining insight into our
national security networks. The longer Congress waits to act, the more
our vulnerability to these attacks increases. The National Cyber
Infrastructure Protection Act will put the Government, our critical
infrastructure companies, and the private sector on the right path to
securing our networks. I urge my colleagues to join us in supporting
this important legislation.
Mr. HATCH. Mr. President, today I rise to express my support as a
cosponsor of the National Cyber Infrastructure Protection Act. At long
last, our Nation is finally recognizing the increasing danger posed by
cyber threats and the devastating disruption that they can cause
because of the interdependent nature of information systems that
support our Nation's critical infrastructure.
As a Nation, we must develop a strategy that provides a strategic
framework to prevent cyber attacks against America's critical
infrastructures. As a government, we must reduce national vulnerability
to cyber attacks and minimize the damage and recovery time from cyber
attacks should they occur. I believe that the legislation that my
colleague from Missouri and I are introducing today will provide a sure
foundation to put our Nation on a path to begin to address cyber
vulnerabilities.
The challenge to protect cyberspace is vast and complex and
ultimately requires the efforts of the entire government. As a Nation,
we must recognize that cyber threats are multi-faceted and global in
nature. These threats operate in an environment that rapidly changes.
The sharing of information between government and the private sector is
crucial to our overall national and economic viability.
Last January, McAfee issued a report that concluded that the use of
cyber attacks as a strategic weapon by governments and political
organizations is on the rise. The U.S. is the most targeted nation in
the world--and our military, government, and private sector systems are
often attacked with impunity. Our Nation has experienced large-scale
malicious cyber intrusions from individuals, groups and nations. These
attacks have dramatically increased in number and complexity.
Just last year, Google and over 30 other companies linked to our
energy, finance, defense, technology and media sectors fell prey to
costly cyber attacks. Too many nations either directly sanction this
activity or give it tacit approval by failing to investigate or
prosecute the perpetrators. Many of the major incidents are presently
coming out of Russia and China.
The National Cyber Infrastructure Protection Act would establish a
National Cyber Center, housed within the Department of Defense. The
mission of the National Cyber Center would be to serve as the primary
organization for coordinating Federal Government defensive operations,
cyber intelligence collection and analysis, and activities to protect
and defend Federal Government information networks. Critical in
achieving this mission would be the sharing of information between the
private sector and federal agencies regarding cyber threats. This
center would be led by a Senate-confirmed director modeled after the
Director of National Intelligence position. The director reports
directly to the President and would coordinate cyber activities to
protect and defend Federal Government information networks. The
director would serve as the President's principal adviser on such
matters and developing policies for securing Federal Government
information networks.
In our Nation today, over 3/4 of our Nation's critical infrastructure
is under the control of the private sector. One such example is smart
grid technology for power grids. The Smart Grid will use automated
meters, two-way communications and advanced sensors to improve
electricity efficiency and reliability. The nation's utilities have
embraced the concept and are installing millions of automated meters on
homes across the country. However, cyber security experts have
determined that some types of meters can be hacked. As we rely on
technology developed by private industry, we must ensure that we harden
this technology against threats that could leave our citizens
vulnerable.
The opening salvos of future conflicts will be launched in
cyberspace. In 2008, we saw this occur when Russian forces launched a
cyber attack on Georgian defense and information networks. The Russians
essentially blinded the Georgian military during the South Ossetia
conflict. Our reliance on technology and integrated networks certainly
makes our military and critical infrastructure more efficient. However,
that efficiency can have its price in the form of cyber vulnerability.
As Americans, we must be prepared to fight back should we be
attacked. We must also harden our networks against the tools that
criminals use to steal a person's identity and a company's trade
secrets. These are the same tools that today can and will be used by
terrorists in the future to attack and erode our infrastructure and
defense systems. The stakes are too high and the risks are too grave to
delay. If we don't move now to protect our national cyber
infrastructure, the consequences to our economy, security and citizens
could be dire. This is a fight we must win. The only way to win is to
be prepared.