[Congressional Record: November 17, 2010 (Senate)]
[Page S7944-S7946]
Cyber Security
Mr. WHITEHOUSE. Mr. President, I come to the floor to speak about the
legislation that will be required in order to bolster our Nation's
cyber defenses and to protect our Nation's intellectual property from
piracy and from theft.
In the course of my work on the Intelligence and Judiciary
Committees, it has become all too clear that our laws have not kept
pace with the amazing technological developments we have seen, many
information technologies over the past 15 or 20 years. Earlier this
year, I had the privilege of chairing the Intelligence Committee's
bipartisan cyber task force, along with my distinguished colleagues,
Senator Snowe and Senator Mikulski, who made vital contributions and
were great teammates in that effort. We spent 6 months conducting a
thorough review of the threat and the posture of the United States for
countering it.
Based on that review and my work on the Senate Judiciary Committee, I
have identified six areas in which there are overarching problems with
the current statutory framework for protecting our country. The first
is a really basic one; that is, that current law does not adequately
facilitate or encourage public awareness about cyber threats. The
government keeps the damage we are sustaining from cyber attacks secret
because it is classified. The private sector keeps the damage they are
sustaining from cyber attacks secret so as not to look bad to
customers, to regulators, and to investors. The net result of that is
that the American public gets left in the dark.
We do not even have a good public understanding of how extensive and
sophisticated the cyber forces arrayed against America are. Between the
efforts of foreign governments and international organized crime, we
are a long way from the problem of hackers in the basement. It is a big
operation that has been mounted against us, and I would like to be able
to describe it more fully, but it is both unhelpfully and unnecessarily
classified, and so I can't even talk about that.
Americans are sadly uninformed about the extent of the risk and the
extent of the capacity that is being used against us. If Americans
understood the threat and the vital role they themselves can play in
protecting themselves and the country, I think we would all be more
likely to engage in the cyber equivalent of routine maintenance. People
would understand and they would support legislative changes which we
need to protect our intellectual property and our national
infrastructure.
One of the principal findings of our cyber task force was that most
cyber threats--literally the vast majority of cyber threats--can be
countered readily if Americans simply allowed automatic updates to
their computer software, ran up-to-date antivirus programs, and
exercised reasonable vigilance when surfing the Web and opening
e-mails. So we need far more reporting from the government and the
private sector to let Americans know what is happening out there on the
wild Web. Disclosures can be anonymized, where necessary, to safeguard
national security or protect competitive business interests. But
basic facts, putting Americans on notice of the extent of the present
danger and harm, need to be disclosed.
Second, we need, beyond just public information, to create a
structure of rights and responsibilities where the public, consumers,
technology companies, software manufacturers, and Internet service
providers are all able to take appropriate roles for us to maintain
those basic levels of cyber security. The notion that the Internet is
an open highway with toll takers who have no responsibility for what
comes down the highway, no responsibility no matter how menacing, no
responsibility no matter how piratical, no responsibility no matter how
dangerous can no longer be valid. We protect each other on our physical
highways with basic rules of the road and we need a similar code for
the information highway.
Australia's ISPs have negotiated a cyber security code of conduct,
and ISPs in compliance with the code can display a trust mark. That is
one idea worth exploring. But one way or the other, there needs to be a
code of conduct for safe travel on the information highway just as
there is on our geographic highways.
Third, we need to better empower our private sector to defend itself.
When an industry comes together against cyber attackers to circle the
wagons, to share information, and to engage in a common defense against
those cyber attackers, we should help and not hinder that private
sector effort. Legal barriers to broader information sharing among
private sector entities and between the private sector and government
must be lowered. I believe we can encourage cyber security in this
way--common defense within the private sector--without undermining
other areas of public policy. But it is not going to be a simple task,
and we will have to work our way through it because those other areas
of public policy are serious areas--antitrust protection, the
safeguarding of intellectual property, protecting legal privileges,
liability concerns, and even national security concerns in those areas
where the government may be asked to share classified information.
Bear in mind that there are three levels of threat. As I have said,
the vast majority of our cyber vulnerabilities can be cured by simple
patches and off-the-shelf technology. That is the lowest level--just
follow basic, simple procedures and we can rid ourselves of most of the
attacking. The next is a more sophisticated set of threats that require
the best efforts of the private sector to defend against. Those private
sector efforts are becoming increasingly sophisticated and capable. As
to those types of attacks, the private sector can handle them alone and
particularly so if we have empowered the private sector, industry by
industry, to engage in more effective common defense and information
sharing. The most sophisticated threats and attacks, however, will
require action by our government. The notion that we can leave our
Nation's cyber defense entirely to the private sector is no longer
valid.
This brings us to a fourth question--the increasingly important issue
of cyber 911. When the CIO of a local bank or electric utility is
overwhelmed by a cyber attack, whom do they call and under what terms
does the government respond? Right now, the answers to those questions
are dangerously vague. The Electronic Communications Privacy Act--or
ECPA--is a vitally important statute. In 1986, 25 years ago, Chairman
Patrick Leahy worked hard to establish statutory privacy protections in
a domain where constitutional privacy protections were weak.
It is an enduring legislative accomplishment and we must preserve its
core principles. Since ECPA was enacted, however, the threat has
dramatically changed. Imagine how technology has changed in 25 years.
It is no longer true that private firms are capable of defending their
networks from sophisticated thieves and spies on their own.
As we found in the Cyber Task Force, there is now a subset of threats
that cannot be countered without bringing to bear the U.S. Government's
unique authorities and capabilities. There always needs to be strong
privacy protections for Americans against the government. But we do let
firemen into our house when it is on fire and the police can come into
our house when there is a burglar. A similar principle should apply to
criminals and cyber attacks when private capabilities are overwhelmed.
There is one more step, and here is where it gets a little bit more
tricky. You call 9-1-1 and the police or the ambulance rushes right
over. But in cyber security, by the time you call cyber
9-1-1, it may be too late. Attacks in cyberspace happen at light speed,
as fast as electrons flow. Not all the risks and harms that imperil
Americans can be averted by action after the fact. Some attacks are
actually already there, in our networks, lying in wait for the signal
to activate.
We as a country are naked and vulnerable to some forms of attack if
we have not predeployed our defenses. Because the viruses and cyber
attack nodes can travel in the text portion of messages, we have to
sort out a difficult question: whether, and if so how and when, the
government can scan for dangerous viruses and attack signals.
In medieval times, communities protected their core infrastructure
from raiders by locating the well, the granary, and the treasury inside
castle walls. Not everything needs the same level of protection in
cyberspace, but we need to sort out what does need that kind of
protection, what the castle walls should look like, who gets allowed to
reside inside the walls, and what the rules are.
That leads to the question of a dot-secure domain. I have mentioned
this before, but I would like to highlight it as an option for
improving cyber security, particularly of the critical infrastructure
of our country.
Recently, General Alexander, Director of the NSA and commander of
U.S. Cyber Command, has echoed this as a possibility. His predecessor
at NSA, and a former Director of National Intelligence, Admiral
McConnell, is also an advocate of such a domain for critical
infrastructure. This doesn't have to be complicated or even mandatory.
The most important value of a dot-secure domain is that, like dot-gov
and dot-mil, now we can satisfy consent under the fourth amendment
search requirements for the government's defenses to do their work
within that domain, their work of screening for attack signals,
botnets, and viruses. Critical infrastructure sites could bid for
permission to protect themselves with the dot-secure domain label and
be allowed in if they could show that lives and safety for Americans
would be protected by allowing them entry. Obviously, core elements of
our electric grid, of our financial, transportation, and communications
infrastructure would be obvious candidates. But we simply cannot leave
that core infrastructure on which the life and death of Americans
depends without better security.
Fifth, we must significantly strengthen law enforcement against cyber
crooks. There is simply no better deterrent against cyber crime than a
prospect of a long stretch in prison. We need to put more cyber crooks
behind bars. It is not for want of ingenuity and commitment by our
professionals that there are not more cyber crooks behind bars.
During my work on the Cyber Task Force, I received a number of
briefings and intelligence reports on cyber crime. The FBI and the
Department of Justice have some real success stories under their belts,
such as the arrests of the alleged perpetrators behind the Mariposa
botnet this summer, and our agencies are beginning to work together
better and better over the lines of turf defense that separate them.
The problem is, the criminals are also ingenious and they are greedy
and they are successful and they are astoundingly well funded. Again,
we are not talking about hackers in the basement. We are talking about
substantial criminal enterprise with enormous sums of money at their
disposal and at stake.
Many enterprises appear to work hand-in-hand with foreign
governments, which puts even greater assets for attack at their
disposal. They have a big advantage. The architecture of the Internet
favors offense over defense. Technologically, it is generally easier
for savvy criminals to attack a network and to hide their trail than it
is for savvy defenders to block an attack and trace it back to the
criminals. We are not on a level playing field against cyber criminals.
That is the
problem not easily overcome. What we can overcome, however, are the
gaps, the weaknesses, the outdated strategies, and the inadequate
resources in our own legal investigative processes.
One example: the most dangerous cyber criminals are usually located
overseas. To identify, investigate, and ultimately prosecute those
criminals under traditional law enforcement authorities, we have to
rely on complex and cumbersome international processes and treaties
established decades ago that are far too slow for the modern cyber
crime environment.
We also need to resource and focus criminal investigation and
prosecution at a level commensurate with the fact that we, America, are
now on the losing end of what is probably the biggest transfer of
wealth through theft and piracy in human history.
I will say that again: We are at the losing end of what is probably
the biggest transfer of wealth through theft and piracy in human
history.
I am pleased that in fiscal year 2010 the FBI received an additional
260 cyber security analysis and investigative positions. DOJ's Computer
Crimes and Intellectual Property Section has not received new resources
in 5 years. With the FBI poised to ramp up its investigatory actions
against our cyber adversaries, I am concerned the DOJ may not have the
resources to keep up.
Sixth, we need clear rules of engagement for our government to deal
with foreign threats. That is, unfortunately, a discussion for another
day since so much of this area is now deeply classified. But here is
one example: Can we adapt traditional doctrines of deterrence to cyber
attacks when we may not know for sure which country or nonstate actor
carried out the attack? If we can't attribute, how can we deter?
With respect to any policy of deterrence, how can it stand on rules
of engagement that the attacker does not know of? Not only do we need
to establish clear rules of engagement, we need to establish and
disclose clear rules of engagement if any policy of deterrence is to be
effective in cyberspace.
Finally, as we go about these six tasks, the government must be as
transparent as possible with the American people. I doubt very much
that the Obama administration would abuse new authorities in cyberspace
to violate Americans' civil liberties. But on principle, I firmly and
strongly believe that maximum transparency to the public and rigorous
congressional oversight are essential. We have to go about this right.
I look forward to working with my Senate colleagues and with the
administration as the Congress moves toward comprehensive cyber
security legislation to protect our country before a great cyber attack
should befall us.
Let me close my remarks by saying the most somber question we need to
face is resilience.
First, resilience of governance: How could we maintain command and
control, run 9-1-1, operate FEMA, deploy local police and fire
services, and activate and direct the National Guard if all of our
systems are down?
Second, resilience of society: How do we make sure people have
confidence during a prolonged attack that food, water, warmth, and
shelter will remain available? Because the Internet supports so many
interdependent systems, a massive or prolonged attack could cascade
across sectors, compromising or taking over our communications systems,
our financial systems, our utility grid, and the transportation and
delivery of the basic necessities of American life.
Third, our American resilience as individuals: Think about it. Your
power is out and has been for a week. Your phone is silent. Your laptop
is dark. You have no access to your bank account. No store is accepting
credit cards. Indeed, the corner store has closed its doors and the
owner is sitting inside with a shotgun to protect against looters.
Gasoline supply is rationed with National Guard soldiers keeping order
at the pumps. Your children are cold and hungry and scared. How, then,
do you behave?
I leave this last question, our resilience as a government, as a
society, and as individuals to another day. But I mention it to
highlight the potentially catastrophic nature of a concerted and
prolonged cyber attack. Again, such an attack could cascade across
multiple sectors and could interrupt all of the different necessities
on which we rely.
When your power is down, it is an inconvenience but you can usually
call somebody on the phone. Now the phone is out, so you can go to the
laptop and try to e-mail somebody, but there is no signal on the
laptop. You need cash. You go to the ATM. It is down. The bank is not
open because a run would take place against its cash assets, given the
fact that it can no longer reliably electronically let its customers
know what their bank account balances are.
We are up against a very significant threat. I hope some of the
guideposts I have laid out will be helpful in designing the necessary
legislation we need to put in place to empower our country to
successfully defend against these sorts of attacks.
I yield the floor. I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The assistant editor of the Daily Digest called the roll.
Mr. WHITEHOUSE. Mr. President, I ask unanimous consent that the order
for the quorum call be rescinded.
The PRESIDING OFFICER. Without objection, it is so ordered.