[Congressional Record: November 17, 2010 (Senate)]
[Page S7944-S7946]
                     


                             Cyber Security

  Mr. WHITEHOUSE. Mr. President, I come to the floor to speak about the 
legislation that will be required in order to bolster our Nation's 
cyber defenses and to protect our Nation's intellectual property from 
piracy and from theft.
  In the course of my work on the Intelligence and Judiciary 
Committees, it has become all too clear that our laws have not kept 
pace with the amazing technological developments we have seen in many 
information technologies over the past 15 or 20 years. Earlier this 
year, I had the privilege of chairing the Intelligence Committee's 
bipartisan cyber task force, along with my distinguished colleagues, 
Senator Snowe and Senator Mikulski, who made vital contributions and 
were great teammates in that effort. We spent 6 months conducting a 
thorough review of the threat and the posture of the United States for 
countering it.
  Based on that review and my work on the Senate Judiciary Committee, I 
have identified six areas in which there are overarching problems with 
the current statutory framework for protecting our country. The first 
is a really basic one; that is, that current law does not adequately 
facilitate or encourage public awareness about cyber threats. The 
government keeps the damage we are sustaining from cyber attacks secret 
because it is classified. The private sector keeps the damage they are 
sustaining from cyber attacks secret so as not to look bad to 
customers, to regulators, and to investors. The net result of that is 
that the American public gets left in the dark.
  We do not even have a good public understanding of how extensive and 
sophisticated the cyber forces arrayed against America are. Between the 
efforts of foreign governments and international organized crime, we 
are a long way from the problem of hackers in the basement. It is a big 
operation that has been mounted against us, and I would like to be able 
to describe it more fully, but it is both unhelpfully and unnecessarily 
classified, and so I can't even talk about that.
  Americans are sadly uninformed about the extent of the risk and the 
extent of the capacity that is being used against us. If Americans 
understood the threat and the vital role they themselves can play in 
protecting themselves and the country, I think we would all be more 
likely to engage in the cyber equivalent of routine maintenance. People 
would understand and they would support legislative changes which we 
need to protect our intellectual property and our national 
infrastructure.
  One of the principal findings of our cyber task force was that most 
cyber threats--literally the vast majority of cyber threats--can be 
countered readily if Americans simply allowed automatic updates to 
their computer software, ran up-to-date antivirus programs, and 
exercised reasonable vigilance when surfing the Web and opening 
e-mails. So we need far more reporting from the government and the 
private sector to let Americans know what is happening out there on the 
wild Web. Disclosures can be anonymized, where necessary, to safeguard 
national security or protect competitive business interests. But 
basic facts, putting Americans on notice of the extent of the present 
danger and harm, need to be disclosed.
  Second, we need, beyond just public information, to create a 
structure of rights and responsibilities where the public, consumers, 
technology companies, software manufacturers, and Internet service 
providers are all able to take appropriate roles for us to maintain 
those basic levels of cyber security. The notion that the Internet is 
an open highway with toll takers who have no responsibility for what 
comes down the highway, no responsibility no matter how menacing, no 
responsibility no matter how piratical, no responsibility no matter how 
dangerous can no longer be valid. We protect each other on our physical 
highways with basic rules of the road and we need a similar code for 
the information highway.
  Australia's ISPs have negotiated a cyber security code of conduct, 
and ISPs in compliance with the code can display a trust mark. That is 
one idea worth exploring. But one way or the other, there needs to be a 
code of conduct for safe travel on the information highway just as 
there is on our geographic highways.
  Third, we need to better empower our private sector to defend itself. 
When an industry comes together against cyber attackers to circle the 
wagons, to share information, and to engage in a common defense against 
those cyber attackers, we should help and not hinder that private 
sector effort. Legal barriers to broader information sharing among 
private sector entities and between the private sector and government 
must be lowered. I believe we can encourage cyber security in this 
way--common defense within the private sector--without undermining 
other areas of public policy. But it is not going to be a simple task, 
and we will have to work our way through it because those other areas 
of public policy are serious areas--antitrust protection, the 
safeguarding of intellectual property, protecting legal privileges, 
liability concerns, and even national security concerns in those areas 
where the government may be asked to share classified information.
  Bear in mind that there are three levels of threat. As I have said, 
the vast majority of our cyber vulnerabilities can be cured by simple 
patches and off-the-shelf technology. That is the lowest level--just 
follow basic, simple procedures and we can rid ourselves of most of the 
attacking. The next is a more sophisticated set of threats that require 
the best efforts of the private sector to defend against. Those private 
sector efforts are becoming increasingly sophisticated and capable. As 
to those types of attacks, the private sector can handle them alone and 
particularly so if we have empowered the private sector, industry by 
industry, to engage in more effective common defense and information 
sharing. The most sophisticated threats and attacks, however, will 
require action by our government. The notion that we can leave our 
Nation's cyber defense entirely to the private sector is no longer 
valid.
  This brings us to a fourth question--the increasingly important issue 
of cyber 911. When the CIO of a local bank or electric utility is 
overwhelmed by a cyber attack, whom do they call and under what terms 
does the government respond? Right now, the answers to those questions 
are dangerously vague. The Electronic Communications Privacy Act--or 
ECPA--is a vitally important statute. In 1986, 25 years ago, Chairman 
Patrick Leahy worked hard to establish statutory privacy protections in 
a domain where constitutional privacy protections were weak.
  It is an enduring legislative accomplishment and we must preserve its 
core principles. Since ECPA was enacted, however, the threat has 
dramatically changed. Imagine how technology has changed in 25 years. 
It is no longer true that private firms are capable of defending their 
networks from sophisticated thieves and spies on their own.
  As we found in the Cyber Task Force, there is now a subset of threats 
that cannot be countered without bringing to bear the U.S. Government's 
unique authorities and capabilities. There always needs to be strong 
privacy protections for Americans against the government. But we do let 
firemen into our house when it is on fire and the police can come into 
our house when there is a burglar. A similar principle should apply to 
criminals and cyber attacks when private capabilities are overwhelmed.
  There is one more step, and here is where it gets a little bit more 
tricky. You call 9-1-1 and the police or the ambulance rushes right 
over. But in cyber security, by the time you call cyber
9-1-1, it may be too late. Attacks in cyberspace happen at light speed, 
as fast as electrons flow. Not all the risks and harms that imperil 
Americans can be averted by action after the fact. Some attacks are 
actually already there, in our networks, lying in wait for the signal 
to activate.
  We as a country are naked and vulnerable to some forms of attack if 
we have not predeployed our defenses. Because the viruses and cyber 
attack nodes can travel in the text portion of messages, we have to 
sort out a difficult question: whether, and if so how and when, the 
government can scan for dangerous viruses and attack signals.
  In medieval times, communities protected their core infrastructure 
from raiders by locating the well, the granary, and the treasury inside 
castle walls. Not everything needs the same level of protection in 
cyberspace, but we need to sort out what does need that kind of 
protection, what the castle walls should look like, who gets allowed to 
reside inside the walls, and what the rules are.
  That leads to the question of a dot-secure domain. I have mentioned 
this before, but I would like to highlight it as an option for 
improving cyber security, particularly of the critical infrastructure 
of our country.
  Recently, General Alexander, Director of the NSA and commander of 
U.S. Cyber Command, has echoed this as a possibility. His predecessor 
at NSA, and a former Director of National Intelligence, Admiral 
McConnell, is also an advocate of such a domain for critical 
infrastructure. This doesn't have to be complicated or even mandatory. 
The most important value of a dot-secure domain is that, like dot-gov 
and dot-mil, now we can satisfy consent under the fourth amendment 
search requirements for the government's defenses to do their work 
within that domain, their work of screening for attack signals, 
botnets, and viruses. Critical infrastructure sites could bid for 
permission to protect themselves with the dot-secure domain label and 
be allowed in if they could show that lives and safety for Americans 
would be protected by allowing them entry. Obviously, core elements of 
our electric grid, of our financial, transportation, and communications 
infrastructure would be obvious candidates. But we simply cannot leave 
that core infrastructure on which the life and death of Americans 
depends without better security.
  Fifth, we must significantly strengthen law enforcement against cyber 
crooks. There is simply no better deterrent against cyber crime than a 
prospect of a long stretch in prison. We need to put more cyber crooks 
behind bars. It is not for want of ingenuity and commitment by our 
professionals that there are not more cyber crooks behind bars.
  During my work on the Cyber Task Force, I received a number of 
briefings and intelligence reports on cyber crime. The FBI and the 
Department of Justice have some real success stories under their belts, 
such as the arrests of the alleged perpetrators behind the Mariposa 
botnet this summer, and our agencies are beginning to work together 
better and better over the lines of turf defense that separate them.
  The problem is, the criminals are also ingenious and they are greedy 
and they are successful and they are astoundingly well funded. Again, 
we are not talking about hackers in the basement. We are talking about 
substantial criminal enterprise with enormous sums of money at their 
disposal and at stake.
  Many enterprises appear to work hand-in-hand with foreign 
governments, which puts even greater assets for attack at their 
disposal. They have a big advantage. The architecture of the Internet 
favors offense over defense. Technologically, it is generally easier 
for savvy criminals to attack a network and to hide their trail than it 
is for savvy defenders to block an attack and trace it back to the 
criminals. We are not on a level playing field against cyber criminals. 
That is the problem not easily overcome. What we can overcome, however, are the 
gaps, the weaknesses, the outdated strategies, and the inadequate 
resources in our own legal investigative processes.
  One example: the most dangerous cyber criminals are usually located 
overseas. To identify, investigate, and ultimately prosecute those 
criminals under traditional law enforcement authorities, we have to 
rely on complex and cumbersome international processes and treaties 
established decades ago that are far too slow for the modern cyber 
crime environment.
  We also need to resource and focus criminal investigation and 
prosecution at a level commensurate with the fact that we, America, are 
now on the losing end of what is probably the biggest transfer of 
wealth through theft and piracy in human history.
  I will say that again: We are at the losing end of what is probably 
the biggest transfer of wealth through theft and piracy in human 
history.
  I am pleased that in fiscal year 2010 the FBI received an additional 
260 cyber security analysis and investigative positions. DOJ's Computer 
Crimes and Intellectual Property Section has not received new resources 
in 5 years. With the FBI poised to ramp up its investigatory actions 
against our cyber adversaries, I am concerned the DOJ may not have the 
resources to keep up.
  Sixth, we need clear rules of engagement for our government to deal 
with foreign threats. That is, unfortunately, a discussion for another 
day since so much of this area is now deeply classified. But here is 
one example: Can we adapt traditional doctrines of deterrence to cyber 
attacks when we may not know for sure which country or nonstate actor 
carried out the attack? If we can't attribute, how can we deter?
  With respect to any policy of deterrence, how can it stand on rules 
of engagement that the attacker does not know of? Not only do we need 
to establish clear rules of engagement, we need to establish and 
disclose clear rules of engagement if any policy of deterrence is to be 
effective in cyberspace.
  Finally, as we go about these six tasks, the government must be as 
transparent as possible with the American people. I doubt very much 
that the Obama administration would abuse new authorities in cyberspace 
to violate Americans' civil liberties. But on principle, I firmly and 
strongly believe that maximum transparency to the public and rigorous 
congressional oversight are essential. We have to go about this right.
  I look forward to working with my Senate colleagues and with the 
administration as the Congress moves toward comprehensive cyber 
security legislation to protect our country before a great cyber attack 
should befall us.
  Let me close my remarks by saying the most somber question we need to 
face is resilience.
  First, resilience of governance: How could we maintain command and 
control, run 9-1-1, operate FEMA, deploy local police and fire 
services, and activate and direct the National Guard if all of our 
systems are down?
  Second, resilience of society: How do we make sure people have 
confidence during a prolonged attack that food, water, warmth, and 
shelter will remain available? Because the Internet supports so many 
interdependent systems, a massive or prolonged attack could cascade 
across sectors, compromising or taking over our communications systems, 
our financial systems, our utility grid, and the transportation and 
delivery of the basic necessities of American life.
  Third, our American resilience as individuals: Think about it. Your 
power is out and has been for a week. Your phone is silent. Your laptop 
is dark. You have no access to your bank account. No store is accepting 
credit cards. Indeed, the corner store has closed its doors and the 
owner is sitting inside with a shotgun to protect against looters. 
Gasoline supply is rationed with National Guard soldiers keeping order 
at the pumps. Your children are cold and hungry and scared. How, then, 
do you behave?
  I leave this last question, our resilience as a government, as a 
society, and as individuals to another day. But I mention it to 
highlight the potentially catastrophic nature of a concerted and 
prolonged cyber attack. Again, such an attack could cascade across 
multiple sectors and could interrupt all of the different necessities 
on which we rely.
  When your power is down, it is an inconvenience but you can usually 
call somebody on the phone. Now the phone is out, so you can go to the 
laptop and try to e-mail somebody, but there is no signal on the 
laptop. You need cash. You go to the ATM. It is down. The bank is not 
open because a run would take place against its cash assets, given the 
fact that it can no longer reliably electronically let its customers 
know what their bank account balances are.
  We are up against a very significant threat. I hope some of the 
guideposts I have laid out will be helpful in designing the necessary 
legislation we need to put in place to empower our country to 
successfully defend against these sorts of attacks.
  I yield the floor. I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The assistant editor of the Daily Digest called the roll.
  Mr. WHITEHOUSE. Mr. President, I ask unanimous consent that the order 
for the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

                          ____________________