[Congressional Record: February 17, 2011 (Senate)]
[Page S909-S912]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mr. LIEBERMAN (for himself, Ms. Collins, and Mr. Carper):
S. 413. A bill to amend the Homeland Security Act of 2002 and other
laws to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; to the Committee on
Homeland Security and Governmental Affairs.
Ms. COLLINS. Mr. President, I rise today to join Senator Lieberman
and Senator Carper in introducing the Cyber Security and Internet
Freedom Act of 2011. This vital legislation would
fortify the government's efforts to safeguard America's cyber networks
from attack and ensure that access to the Internet is protected and its
availability preserved for every American.
The Internet is vital to almost every facet of Americans' daily
lives--from the water we drink to the power we use to the ways we
communicate. It is essential to the free flow of ideas and information.
The Internet is a manifestation of the ideals that underlie the First
Amendment of our Constitution and the core freedoms that all Americans
hold dear. It is essential that the Internet and our access to it be
protected to ensure both reliability of the critical services that rely
upon it and the availability of the information that travels over it.
While the United States must ensure the security of our nation and its
critical infrastructure, it must do so in a manner that does not
deprive Americans of the ability to lawfully read or express their
views. Neither the President nor any other Federal official should have
the authority to ``shut down'' the Internet.
In June 2010, Senator Lieberman, Senator Carper, and I introduced
legislation to strengthen the government's efforts to safeguard
America's cyber networks from attack; build a public/private
partnership to promote national cyber security priorities; and bolster
the government's ability to set, monitor compliance with, and enforce
standards and policies for securing Federal civilian systems and the
sensitive information they contain. In late June, that bill was
unanimously approved by the Senate Homeland Security and Governmental
Affairs Committee.
Today we are introducing for the 112th Congress the bill unanimously
approved by our committee, but with explicit provisions preventing the
President from shutting down the Internet and providing an opportunity
for judicial review of designations of our most sensitive systems and
assets as ``covered critical infrastructure.''
President Mubarak's actions in January to shut down Internet
communications in Egypt were, and are, totally inappropriate. Freedom
of speech is a fundamental right that must be protected, and his ban
was clearly designed to limit criticisms of his government. Our cyber
security legislation is intended to protect the United States from
external cyber attacks. Yet, some have suggested that the legislation
the Committee reported during the last Congress would empower the
President to deny U.S. citizens access to the Internet. Nothing could
be further from the truth.
I would never sign on to legislation that authorized the President,
or anyone else, to shut down the Internet. Emergency or no, the
exercise of such broad authority would be an affront to our
Constitution.
But our outmoded current laws do give us reason to be concerned. Most
important, under current law, in the event of a cyber attack, the
President's authorities are broad and ambiguous--a recipe for
encroachments on privacy and civil liberties.
For example, in the event of a war or threat of war, the
Communications Act of 1934 authorizes the President to take over or
shut down wire and radio communications providers. This law is a crude
sledgehammer built for another time and technology. Our bill contains a
number of protections to make sure that broad authority cannot be used
to shut down the Internet.
First, section 2 of the bill states explicitly:
Notwithstanding any other provision of this Act, an
amendment made by this Act, or section 706 of the
Communications Act of 1934, neither the President, the
Director of the National Center for Cybersecurity and
Communications, or any officer or employee of the United
States Government shall have the authority to shut down the
Internet.
Second, the emergency measures in our bill apply in a precise and
targeted way only to our most critical infrastructure--vital components
of the electric power grid, telecommunications networks, financial
systems or other critical infrastructure systems that could cause a
national or regional catastrophe if disrupted. This definition would
not cover the entire Internet, the Internet backbone, or even entire
companies.
In defining covered critical infrastructure, our bill directs the
Secretary to consider the consequences of a disruption of a particular
system or asset. To constitute a ``national or regional catastrophe,''
the disruption would need to cause a mass casualty event which includes
an extraordinary number of fatalities; severe economic consequences;
mass evacuations with a prolonged absence; or severe degradation of
national security capabilities, including intelligence and defense
functions.
When the Committee reported this bill last year, the report clarified
what these four factors mean, specifically referencing the current DHS
interpretation of ``national or severe economic consequences; mass
evacuations with a prolonged absence; or regional catastrophe.'' Under
DHS's interpretation, a ``national or regional catastrophe'' includes a
combination of the following factors: more than 2,500 prompt
fatalities; greater than $25 billion in first-year economic
consequences; mass evacuations with a prolonged absence of greater than
one month; or severe degradation of the nation's security capabilities.
As our Committee's report noted, we expect the Department to apply
this standard in determining which particular systems or assets
constitute covered critical infrastructure.
Third, our legislation restricts the President's ability to declare a
national cyber emergency to those circumstances in which an ``actual or
imminent'' cyber attack would disrupt covered critical infrastructure
that would cause these catastrophic consequences.
Fourth, any measures ordered by the President must be ``the least
disruptive means feasible.''
Fifth, the authority our bill would grant is time limited. The
President could only declare a cyber emergency for a 30-day period and
only for up to 120 days. After that, Congress would be required to
specifically authorize further measures. Any declaration would be
subject to congressional oversight, as our bill requires the President
to notify Congress regarding the specific threat to our nation's
infrastructure, why existing protections are not sufficient, and what
specific emergency measures are required to respond to the specific
threat.
Sixth, the legislation expressly forbids the designation of any
system or asset as covered critical infrastructure ``based solely on
activities protected by the first amendment to the United States
Constitution.''
Seventh, the bill provides for a robust administrative process for an
owner or operator to challenge the designation of a system or asset as
covered critical infrastructure and expressly permits challenges of a
final agency determination in federal court.
Our bill contains protections to prevent the President from denying
Americans access to the Internet--even as it provides clear and
unambiguous direction to ensure that those most critical systems and
assets that rely on the Internet are protected. And, even though
experts question whether anyone can technically ``shut down'' the
Internet in the United States, we included explicit language
prohibiting the President from doing what President Mubarak did.
I would like to stress that the need for Congress to pass a
comprehensive cyber security bill is more urgent than ever.
Cyber-based threats to U.S. information infrastructure are
increasing, constantly evolving, and growing more dangerous.
In March 2010 the Senate's Sergeant at Arms reported that the
computer systems of Congress and the Executive Branch agencies are now
under cyber attack an average of 1.8 billion times per month. The
annual cost of cyber crime worldwide has climbed to more than $1
trillion.
Coordinated cyber attacks have crippled Estonia, Georgia, and
Kyrgyzstan and compromised critical infrastructure in countries around
the world.
Devastating cyber attacks could disrupt, damage, or even destroy some
of our nation's critical infrastructure, such as the electric power
grid, oil and gas pipelines, dams, or communications networks. These
cyber threats could cause catastrophic damage in the physical world.
Based on media reports, China and Russia already have penetrated the
computer systems of America's electric power grid, leaving behind
malicious
hidden software that could be activated later to disrupt the grid
during a war or other national crisis.
In June 2010, cyber security experts discovered Stuxnet, one of the
most sophisticated viruses ever found. Stuxnet was programmed
specifically to infiltrate certain industrial control systems, allowing
the virus to potentially overwrite commands and to sabotage infected
systems. It had the potential to change instructions, commands, or
alarm thresholds, which, in turn, could damage, disable, or disrupt
equipment supporting the most critical infrastructure.
The private sector is also under attack. In January 2010, Google
announced that attacks originating in China had targeted its systems as
well as the networks of more than 30 other companies. The attacks on
Google sought to access the email accounts of Chinese human
rights activists. For other companies, lucrative information such as
critical corporate data and software source code was targeted.
According to a report released last week, coordinated and covert
attacks hit more than five major oil, energy, and petrochemical
companies. The focus of the intrusions was oil and gas field production
systems, as well as financial documents related to field exploration
and bidding for new oil and gas leases. The companies also lost
information related to their industrial control systems.
In the cyber domain, the advantage lies with our adversaries, for
whom success could be achieved by exploiting a single vulnerability
that could produce disruptive effects at network speed. Effectively
preventing or containing major cyber attacks requires that response
plans be in place and roles and authorities of Federal government
agencies and entities be clearly delineated in advance.
For too long, our approach to cyber security has been disjointed and
uncoordinated. This cannot continue. The United States requires a
comprehensive cyber security strategy backed by effective
implementation of innovative security measures. There must be strong
coordination among law enforcement, intelligence agencies, the
military, and the private sector owners and operators of critical
infrastructure.
This bill would establish the essential point of coordination across
the Executive branch. The Office of Cyberspace Policy in the Executive
Office of the President would be run by a Senate-confirmed Director who
would advise the President on all cyber security matters. The Director
would lead and harmonize Federal efforts to secure cyberspace and would
develop a strategy that incorporates all elements of cyber security
policy. The Director would oversee all Federal activities related to
the strategy to ensure efficiency and coordination. The Director would
report regularly to Congress to ensure transparency and oversight.
To be clear, the White House official would not be another
unaccountable czar. The Cyber Director would be a Senate-confirmed
position and thus would testify before Congress. The important
responsibilities given to the Director of the Office of Cyberspace
Policy related to cyber security are similar to the responsibilities of
the current Director of the Office of Science and Technology Policy.
The Cyber Director would advise the President and coordinate efforts
across the Executive branch to protect and improve our cyber security
posture and communications networks. And, by working with a strong
operational and tactical partner at the Department of Homeland
Security, the Director would help improve the security of Federal and
private sector networks.
This strong DHS partner would be the National Center for
Cybersecurity and Communications, or Cyber Center. It would be located
within the Department of Homeland Security to elevate and strengthen
the Department's cyber security capabilities and authorities. This
Center also would be led by a Senate-confirmed Director.
The Cyber Center, anchored at DHS, will close the coordination gaps
that currently exist in our disjointed federal cyber security efforts.
For day-to-day operations, the Center would use the resources of DHS,
and the Center Director would report directly to the Secretary of
Homeland Security. On interagency matters related to the security of
Federal networks, the Director would regularly advise the President--a
relationship similar to the Director of the NCTC on counterterrorism
matters or the Chairman of the Joint Chiefs of Staff on military
issues. These dual relationships would give the Center Director
sufficient rank and stature to interact effectively with the heads of
other departments and agencies, and with the private sector.
Congress has dealt with complex challenges involving the need for
interagency coordination in the past with a similar construct. We have
established strong leaders with supporting organizational structures to
coordinate and implement action across agencies, while recognizing and
respecting disparate agency missions.
The establishment of the National Counterterrorism Center within the
Office of the Director of National Intelligence is a prime example of a
successful reorganization that fused the missions of multiple agencies.
The Director of NCTC is responsible for the strategic planning of joint
counterterrorism operations, and in this role reports to the President.
When implementing the information analysis, integration, and sharing
mission of the Center, the Director reports to the Director of National
Intelligence. These dual roles provide access to the President on
strategic, interagency matters, yet provide NCTC with the structural
support and resources of the office of the DNI to complete the day-to-day
work of the NCTC. The DHS Cyber Center would replicate this
successful model for cyber security.
This bill would establish a public/private partnership to improve
cyber security. Working collaboratively with the private sector, the
Center would produce and share useful warning, analysis, and threat
information with the private sector, other Federal agencies,
international partners, and state and local governments. By developing
and promoting best practices and providing voluntary technical
assistance to the private sector, the Center would improve cyber
security across the nation. Best practices developed by the Center
would be based on collaboration and information sharing with the
private sector. Information shared with the Center by the private
sector would be protected.
With respect to the owners and operators of our most critical systems
and assets, the bill would mandate compliance with certain risk-based
performance metrics to close security gaps. These metrics would apply
to vital components of the electric grid, telecommunications networks,
financial systems, or other critical infrastructure systems that could
cause a national or regional catastrophe if disrupted.
This approach would be similar to the current model that DHS employs
with the chemical industry. Rather than setting specific standards, DHS
would employ a risk-based approach to evaluating cyber risk, and the
owners and operators of covered critical infrastructure would develop a
plan for protecting against those risks and mitigating the consequences
of an attack.
These owners and operators would be able to choose which security
measures to implement to meet applicable risk-based performance
metrics. The bill does not authorize any new surveillance authorities
or permit the government to ``take over'' private networks. This model
would allow for continued innovation and dynamism that are fundamental
to the success of the IT sector.
The bill would protect the owners and operators of covered critical
infrastructure from punitive damages when they comply with the new
risk-based performance measures. Covered critical infrastructure also
would be required to report certain significant breaches affecting
vital system functions to the Center. Collaboration with the private
sector would help develop mitigations for these cyber risks.
The Center also would share information, including threat analysis,
with owners and operators of critical infrastructure regarding risks
affecting the security of their sectors. The Center would work with
sector-specific agencies and other Federal agencies with existing
regulatory authority to avoid duplication of requirements, to use
existing expertise, and to ensure government resources are employed in
the most efficient and effective manner.
With regard to Federal networks, the Federal Information Security
Management Act--known as FISMA--gives the Office of Management and
Budget broad authority to oversee agency information security measures.
In practice, however, FISMA is frequently criticized as a ``paperwork
exercise'' that offers little real security and leads to a disjointed
cyber security regime in which each Federal agency haphazardly
implements its own security measures.
The bill we introduce today would transform FISMA from paper based to
real-time responses. It would codify and strengthen DHS authorities to
establish complete situational awareness for Federal networks and
develop tools to improve resilience of Federal Government systems and
networks.
The legislation also would ensure that Federal civilian agencies
consider cyber risks in IT procurements instead of relying on the ad
hoc approach that dominates civilian government cyber efforts. The bill
would charge the Secretary of Homeland Security, working with the
private sector and the heads of other affected departments and
agencies, with developing a supply chain risk management strategy
applicable to Federal procurements. This strategy would emphasize the
security of information systems from development to acquisition and
throughout their operational life cycle. The strategy would be based,
to the maximum extent practicable, on standards developed by the
private sector and would direct agencies to use commercial-off-the-shelf
solutions to the maximum extent consistent with agency needs.
While the Cyber Center should not be responsible for micromanaging
individual procurements or directing investments, we have seen far too
often that security is not a primary concern when agencies procure
their IT systems. Recommending security investments to OMB and
providing strategic guidance on security enhancements early in the
development and acquisition process will help ``bake in'' security.
Cyber security can no longer be an afterthought in our government
agencies.
These improvements in Federal acquisition policy should have
beneficial ripple effects in the larger commercial market. As a large
customer, the Federal Government can contract with companies to
innovate and improve the security of their IT services and products.
These innovations can establish new security baselines for services and
products offered to the private sector and the general public without
mandating specific market outcomes.
Finally, the legislation would direct the Office of Personnel
Management to reform the way cyber security personnel are recruited,
hired, and trained to ensure that the Federal Government and the
private sector have the talent necessary to lead this national effort
and protect its own networks. The bill would also provide DHS with
temporary hiring and pay flexibilities to assist in the establishment
of the Center.
We cannot afford to wait for a ``cyber 9/11'' before our government
finally realizes the importance of protecting our digital resources,
limiting our vulnerabilities, and mitigating the consequences of
penetrations to our networks.
We must be ready. It is vitally important that we build a strong
public-private partnership to protect cyberspace. It is a vital engine
of our economy, our government, our country and our future.
I urge Congress to support this vitally important legislation.