[Congressional Record: June 16, 2011 (Senate)]
[Page S3884-S3885]
                     

 
                             CYBERSECURITY

  Mr. WHITEHOUSE. Mr. President, I rise today to speak about a serious 
issue that touches on our national security, our economic well-being, 
the safety of our families, and our privacy; that is, America's 
cybersecurity.
  I look forward to conducting an in-depth examination of the aspects 
of this issue that falls within the Senate Judiciary Committee's 
jurisdiction during the Subcommittee on Crime and Terrorism's June 21, 
2011, hearing, ``Cybersecurity: Evaluating the Administration's 
Proposals.'' However, because of the importance of improving our 
cybersecurity, as demonstrated by the recent Gmail spear-fishing 
attacks and hacks at Sony, Epsilon, Lockheed Martin, and even the 
Senate itself, I rise to make some initial remarks today.
  American technological innovation ushered in the Internet age, 
bringing with it Facebook, YouTube, and the rest of the World Wide Web. 
It set off an explosion of new commerce, freedom of expression, and 
economic opportunity even in the smallest details of our lives--
allowing a car company, for instance, to unlock your car doors remotely 
if you have locked yourself out of your car.
  However, this increased connectivity allows criminals, terrorists, 
and hostile nations to exploit cyberspace, to attack America, to invade 
our privacy, to loot our intellectual property, and to expose America's 
core critical infrastructure to cyber sabotage. Entire online 
communities are dedicated to stealing and selling American credit card 
numbers. Consider the disturbing fact that the price of your credit 
card number stolen online actually goes up if the criminal also is 
selling your mother's maiden name. Some criminals have learned how to 
spy on Americans, hacking into our home computers and looking out 
through the video camera attached to the screen. Others run Web sites 
selling stolen entertainment without paying the American companies that 
created it. And millions of American computers--millions of American 
computers--have been compromised by malware slaved to botnets that can 
record your every keystroke and send it instantaneously across the 
world to a criminal's laptop.
  I firmly believe that cyber crime has put our country on the losing 
end of the largest illicit transfer of wealth in world history. Whether 
by copying source code, by industrial espionage of military product 
designs, by identity theft, by online piracy, or by outright old-
fashioned stealing from banks--just doing it the electronic way--cyber 
crime cripples American innovation, kills jobs here at home, and 
undermines our economic and national security.
  Congress must act to protect Americans from these Internet dangers 
and to protect our civil liberties. Let me say at the outset that the 
government must not be allowed to snoop indiscriminately into our 
online activity, to read our e-mail, or to watch us online. There 
simply is no need for such an invasion of privacy, and we must move 
forward with that firmly in mind.
  The majority leader has introduced a leadership bill that will be a 
vehicle for our work. The Commerce Committee, led by Chairman 
Rockefeller and Ranking Member Snowe, both of whom I had the privilege 
to serve with on the Intelligence Committee, and the Homeland Security 
Committee, led by Chairman Lieberman and Ranking Member Collins, 
reported key bills last year. Chairman Leahy and the Judiciary 
Committee have reported important legislation on data breach and other 
issues central to cybersecurity. The Armed Services, Energy, and other 
committees have studied the issue from the perspective of their 
particular jurisdictions and expertise, and under the leadership of 
Chairman Feinstein, the Intelligence Committee Cybersecurity Task Force 
completed its classified report last July, authored by me, Senator 
Mikulski, and Senator Snowe. So we have been ready in Congress.

  The administration has now weighed in with its own proposal, 
recognizing that we need cybersecurity legislation to make our Nation 
safer and launching in earnest our legislative process.
  We have hard work ahead to find the best possible solutions to this 
complex and grave challenge to our national and economic security. As 
we begin, I would like to flag five issues that I believe must be 
addressed as this legislation goes forward.
  First, we need to build greater public awareness of cybersecurity 
threats going forward.
  What is the problem? The problem is that information affecting the 
dot.gov and the dot.mil domains--the government domains--is largely 
classified. And in the dot.com, dot.net, and dot.org domains, threat 
information is often kept proprietary by the victim business so as not 
to worry shareholders, customers, and regulators, or give ammunition to 
competitors. The result is that Americans are left in the dark about 
the level of danger that is actually out there on the Internet.
  The administration's proposal would require covered businesses to 
notify customers if their personal information is stolen, expand 
reporting of cybersecurity threats, and require some public assessments 
of cyber readiness.
  I believe more can still be done on these fronts. I have had the 
pleasure of working with Senator Kyl to introduce S. 931, the Cyber 
Security Public Awareness Act. I would like to urge interested 
colleagues to review it and consider including it as part of our larger 
cybersecurity legislation. That is first.
  Second, the Senate needs to ensure that we give private industry the 
tools necessary for self-defense against cyber attacks.
  Proper sharing among and within industries of cybersecurity threat 
information is vital. The administration took an important step by 
recommending, subject to various safeguards, enhanced sharing of 
cybersecurity threat information by the government with private 
industry. But we may also need to remove legal impediments that 
unnecessarily limit the sharing of threat information within 
industries, and we should be prepared to listen here to the private 
sector's needs as they set up those areas for safe communications about 
the cyber threats they share.
  Third, our Nation does not have basic rules of the road for end 
users, ISPs, and software and hardware suppliers.
  The administration proposal includes important provisions that would 
move us in the right direction. Assuming that ISPs--Verizon and Comcast 
and the companies that are actually providing the service--assuming 
that these companies qualify as critical infrastructure, which is an 
assumption we should clarify before getting too far down this path, the 
administration's proposal would require them to develop a standardized 
framework to address cybersecurity.
  Sensible laws and regulations have made our highways safe, and we 
need similarly to make our information highways safe. Federal 
procurement can encourage effective cybersecurity standards with 
appropriate supply chain security so as to improve cybersecurity across 
the hardware and software industries. These improvements will benefit 
the government directly, but it will also improve the security of all 
products on which business and consumers rely.

[[Page S3885]]

  Americans are too often unaware of dangerous malware that has been 
surreptitiously inserted into our own computers, and we do not take 
readily available measures to protect ourselves and those with whom we 
link.
  One leading ISP, Comcast, deserves credit for developing a new 
mechanism to notify and assist its customers when their computers have 
been compromised by malicious software or botnets. All other ISPs 
should work together to join, strengthen, and standardize this program. 
In Australia, ISPs have developed a code of conduct that may be a model 
for their American counterparts in this regard.
  The fourth point: It is vital that the government have an instant 
response plan that clearly allocates responsibilities for responding to 
a major cyber attack or breach. The administration proposal puts the 
responsibility for such incident response with the Department of 
Homeland Security Cybersecurity Center envisioned by the proposal. I 
look forward to working with the administration and my colleagues on 
that aspect of the proposal.
  More generally, the administration proposal, like bills that have 
been reported in the Senate, gives the Department of Homeland Security 
a leadership role in our Nation's cybersecurity. We have to remember 
this is a relatively new role for the Department of Homeland Security. 
It is one of a great many different responsibilities that the 
Department of Homeland Security bears, and it is a role in which much 
of the government's expertise resides in other agencies than the 
Department of Homeland Security.
  The Department of Homeland Security's role must be configured to 
attract sufficiently high-caliber cybersecurity professionals to ensure 
that DHS properly leverages the cybersecurity expertise at those other 
agencies and to assure sufficient independence and credibility of the 
Cybersecurity Center to perform this vital mission, even as 
administration change and attention to cybersecurity waxes and wanes. 
Cybersecurity is a real and present danger, so we must also plan for 
and minimize the interim period in which DHS builds up its 
cybersecurity expertise, promulgates necessary regulations, and 
otherwise grows into any new role with which it is tasked.
  Cyber attacks happen at the speed of light, so the best defense 
requires that we preposition some of our defensive capabilities. Many 
of our Nation's leading experts who have seen the dark heart of the 
Internet's dangers and understand the cyber threat in its dimensions 
recommend rapidly creating secure domains for our most critical 
infrastructure--our electric grid being the most obvious example. These 
would be domains in which our Nation's best cybersecurity defenses 
could be both lawful and effective. Obviously, this would need to be 
done in a very transparent manner, subject to strict oversight. But we 
as a country have impressive capabilities in this area, and we need to 
make sure those impressive capabilities protect our critical 
infrastructure as soon as possible. They are not deployed to protect 
critical infrastructure now.
  Fifth, countries around the world, including countries that dedicate 
significant resources to exploiting our cyber vulnerabilities, are 
working hard to build their cyber workforces. We must not fall behind.
  This means enabling our colleges and universities, in partnership 
with private companies, government agencies, and other cybersecurity 
innovators, to research the next great cybersecurity technology and to 
build the cyber human capital our Nation needs to defend itself and 
continue to flourish on the Internet.
  Academic and technological leaders in my State, such as the 
University of Rhode Island and Brown University, have been hard at work 
developing new cybersecurity technologies and strengthening our 
Nation's cyber expertise. I look forward to working with them as we go 
forward.
  There are other vital issues we must address, many of which I have 
spoken about previously on this floor. We must work, for example, to 
scale up our Nation's cybersecurity and law enforcement resources to 
match the seriousness of the threat posed by cyber criminals, by 
terrorist organizations, and by hostile nation states using cyberspace 
to attack our Nation.
  The bottom line is we have a lot of important work to do. I am glad 
there is every indication that it will be bipartisan work, undertaken 
with the country's best interests in mind. I look forward to taking on 
this task with my colleagues in the months ahead.
  I yield the floor.

                          ____________________