[Congressional Record Volume 158, Number 24 (Tuesday, February 14, 2012)]
[Senate]
[Pages S615-S636]

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

By Mr. LIEBERMAN (for himself, Ms. Collins, Mr. Rockefeller, and Mrs. Feinstein):

S. 2105. A bill to enhance the security and resiliency of the cyber and communications infrastructure of the United States; read the first time.

Mr. LIEBERMAN. Mr. President, I came to the floor to introduce the Cyber Security Act of 2012. I am here with Senator Susan Collins. I thank her for all the work we have done together in what has been a wonderfully bipartisan, nonpartisan relationship to deal with a very serious national problem. I am honored that we are joined in introducing this bill by the chairs of the two committees that have been most involved in questions of cyber security, chairman of the Commerce Committee, Senator Rockefeller, and the chair of the Intelligence Committee of the Senate, Senator Feinstein of California. We have also had the involvement of the chairs and others on the Foreign Relations Committee, Judiciary Committee, and Energy Committee. I am very proud this is a bill that Senators Collins and Rockefeller and Feinstein and I introduced today. I wish to give particular thanks to the majority leader, Senator Reid, for his unflagging support, based on his personal concern about cyber defenses and based on classified briefings he received on this problem. He pushed us to work across party and committee lines to pull the bill together that we are introducing today. It is interesting to note--since there has been a lot of commentary in the last 24 hours about President Obama's budget--that President Obama has recognized, in the most tangible terms, the danger that confronts us by recommending adding at least $300 million in the coming year to our cyber security effort.
Still, I know that while it is February 14, 2012, those of us who have worked on this problem fear that when it comes to protecting America from cyber attack, it may be September 10, 2001, all over again. The question is whether America will confront this grave threat to our security before it happens, before our enemies attack. We are being bled of our intellectual property every day by cyber thieves. The consequences of their thievery are very real to America's economy, our prosperity, and indeed our capacity to create jobs and hold the ones we have. Enemies probe the weaknesses in our critical national assets every day, waiting until the time is right, through cyber attack, to cripple our economy or attack, for instance, a city's electric grid with the touch of a key on the other side of the world. The fact is our cyber defenses are not what they should be, but such as they are they are blinking red. Yet, again, I fear we will not be able to connect the dots to prevent a 9/11-type cyber attack on America before it happens. The aim of this bill is to make sure we don't scramble here in Congress after such an attack to do what we can and should do today. Intellectual property worth billions of dollars has already been stolen, giving our international competitors access in the global marketplace without ever having to invest a dime in research. The fact is that even the most sophisticated companies are being penetrated, and our adversaries are using information learned in one intrusion to plan the next more sophisticated one. Last year, the computer security firm McAfee conducted a study of 70 specific instances of data theft, and they issued a report on those instances. They included 13 defense contractors, 6 industrial plants, and 8 American and Canadian Government networks.
Based on that report, the former vice president of McAfee, Dmitri Alperovitch, issued this ominous warning: I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised--or will be shortly--with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide this entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know. These examples, of course, are deeply alarming, but in addition, lurking out in the ether are computer worms such as Stuxnet that can commandeer the computers that control heavy machinery and potentially allow an intruder to open and close key valves and switches in pipelines, refineries, factories, water and sewer systems, and electric plants in our country without detection by their operators. Obviously, this capacity could be used by an enemy to attack our country and do damage not only comparable to 9/11 but far in excess of it. Depending on the target or targets, these kinds of cyber attacks could lead to terrible physical destruction, massive loss of life, massive evacuations, and, of course, widespread economic disruption. Owners of these critical systems; that is, private sector owners-- and, remember, most of private infrastructure in America is privately owned and is what this bill is talking about--have sometimes told us we don't need to worry about the security of their systems because they are not connected to the Internet. But the reality today is that is simply not correct. The experts have told us that a truly air-gapped system, as they call it; that is, one not connected to the Internet--is as rare as a blizzard in the Caribbean. If it exists, our best cyber experts have yet to see it. 
And Stuxnet has shown us it doesn't matter if a system is air gapped, because one thumb drive plugged into a computer can lead to an infection that spreads. If we don't act now to secure our computer network, sometime in the future--and I believe it will be in the near future--we will be forced to act in the middle of a mega cyber crisis or right after one that has had an enormous, perhaps catastrophic, effect on our country. That is why we introduced this bill, and that is why we look forward to the debate on it, and why we hope it will pass and be enacted before a cyber catastrophe occurs in America. Let me briefly describe some of the important work this bill does. First, it ensures the computer systems--private systems--that control our most critical infrastructure that are currently not secure are made secure. Our bill defines critical infrastructure narrowly to include those systems that, if brought down, or commandeered in a cyber attack would lead to mass casualties, evacuations of major population centers, the collapse of financial markets, or degradation of our national security. This is critical infrastructure. After identifying the precise systems that meet the definition of high risk, the Secretary of Homeland Security would, under our legislation, then work with the private sector operators of those systems to develop cyber security performance requirements based on risk assessments of those sectors. The private sector owners would then have some flexibility to meet those performance requirements with hardware or software they choose so long as it achieves the required level of security. The Department of Homeland Security will not be picking technological winners and losers, so there is nothing in this bill that would stifle innovation. In fact, I think quite the contrary. If a company can show it already has met high security standards, it will be exempt from these requirements. 
The bill focuses on securing that which is not secure today, not on putting new requirements on industries that are doing everything they should be doing to protect themselves and our national security. Once these improved security systems come on line, I think many companies will want to apply them to noncritical systems that are not covered by this bill as a way to protect the privacy of their employees and customers, as well as giving these companies the chance to offer secure e-commerce services. But that will be up to each company. This bill also seeks to make compliance easier, more rational for covered critical infrastructure operators by creating a more streamlined and efficient cyber organization within the Department of Homeland Security. And at each step in the process created by our bill, the Department of Homeland Security must work with existing Federal regulators and the private sector they regulate to ensure no rules or regulations are put in place that duplicate or conflict with existing requirements. If a company feels the designation of its networks as critical infrastructure is somehow wrong, it has the right to appeal that decision through a system that the law requires DHS to set up or they can go to Federal district court. This bill also establishes mechanisms for information sharing between the private sector and the Federal Government and among the private sector operators themselves. Senator Feinstein and her committee made a significant contribution to this part of our bill. This is important because computer security experts in the private and public sectors need to be able to share information, compare notes, in order to protect us against the evolving cyber threat. Our proposal also creates appropriate security measures and oversight to protect privacy and preserve civil liberties. 
In fact, I was pleased to read recently that the American Civil Liberties Union said it had studied our bill and found it offers the greatest privacy protections of all the cyber security legislation that has been proposed. I am going to jump forward a little so I can yield to my distinguished ranking member in a moment. I have discussed some of the things the bill does, but I want to mention two it doesn't do. One myth about this bill is that it contains a kill switch that would allow the President of the United States in an emergency to seize control of the Internet. There is nothing remotely like that in this bill. At one time we had considered language that would, in fact, have limited powers the President has under the Communications Act of 1934 to take over electronic communications in times of war. But that provision was so widely misunderstood or misrepresented that we dropped it rather than risk losing the chance to pass the rest of this urgently needed legislation. I also want to make clear that nothing in this bill touches on any of the issues that quite recently have inflamed our consideration of the Stop Online Piracy Act or the Protect IP Act, known as PIPA. Many Members in the Chamber have, metaphorically speaking, scars that still show from that experience. No need to fear this bill. This bill does nothing to affect the day-to-day workings of the Internet. Internet piracy and copyright protections are important concerns in the digital age. We have to deal with that at some point, but they are simply not part of this bill. One final thing I do want to deal with is a complaint from, among others, our Chamber of Commerce that we are ``rushing forward with legislation that has not been fully vetted.'' Not true. This bipartisan legislation has been 3 years in the making, and its outlines have not only been shared with stakeholders and the public but their input has helped shape this final version of the bill we are introducing today. 
More than 20 hearings on cyber security have been held across seven different Senate committees, with dozens more held on questions related to cyber security. In fact, our own committee, since 2005, has held nine hearings on the subject and will hold another one this Thursday where we will hear reactions to this bill. I am very pleased to say that Senator Reid continues to be very committed to seeing us do everything we can to adopt legislation to protect our American cyber systems. I believe it is the leader's intent to bring up this bill in the next work period. I hope so. Because the truth is, time is not on our side. We are not adequately protected at this moment, and the capabilities of those who are attacking us for economic reasons or who prepare to attack us for strategic reasons grows larger and larger. I do want to say we have a growing number of companies in the private sector--information technology, cyber security and other companies in critical infrastructure areas--that are coming to support this bill. Two I want to mention are SISCO and Oracle, which gives you some sense of the range of support for the bill. Bottom line, I think this is a subject around which we should have a good healthy debate, an open amendment process, and a bipartisan agreement, because this is not at all about regulation, it is about our most fundamental national economic security and public safety. With that, I yield the floor to my distinguished ranking member, Senator Collins.

The PRESIDING OFFICER. The Senator from Maine.

Ms. COLLINS. Mr. President, I do rise today to introduce with the chairman of the Homeland Security Committee Senator Lieberman, as well as Senator Rockefeller and Senator Feinstein, the Cyber Security Act of 2012.
As always, it has been a great pleasure to work with my friend and colleague from Connecticut on what I believe is the most important initiative we have come together on since perhaps our 2004 Intelligence Reform and Terrorism Prevention Act. I am also delighted that three Senate chairmen who have significant jurisdiction in this area--Senators Lieberman, Rockefeller, and Feinstein--have come together. We have all worked very hard on this bill. I also want to commend the staff of our committee, which has worked extraordinarily hard over several years to produce this bill. Our legislation would provide the Federal Government and the private sector with the tools necessary to protect our most critical infrastructure from growing cyber threats. Earlier this month, FBI Director Robert Mueller warned that the cyber threat will soon equal or surpass the threat from terrorism. He argued that we should be addressing the cyber threat with the same intensity we have applied to the terrorist threat. Director of National Intelligence Jim Clapper made the point even more strongly. He described the cyber threat as: A profound threat to this country, to its future, its economy and its very being. These warnings are the latest in a chorus of warnings from current and former officials. Last November, the Director of the Defense Advanced Research Projects Agency, or DARPA, warned that malicious cyber attacks threaten a growing number of the systems with which we interact each and every day--the electric grid, our water treatment plants, and key financial systems. Similarly, GEN Keith Alexander, commander of U.S. Cyber Command, and director of the National Security Agency, has warned that the cyber vulnerabilities we face are extraordinary and characterized by ``a disturbing trend from exploitation to disruption to destruction.'' As Senator Lieberman has pointed out, the threat is not only to our national security but also to our economic well-being.
A study by the company, Norton, last year calculated the cost of global cyber crime at $114 billion annually. When combined with the value of time that victims lost due to cyber crime, this figure grows to $388 billion globally, which Norton described as ``significantly more'' than the global black market in marijuana, cocaine, and heroin combined. In an op-ed last month titled, ``China's Cyber Thievery Is National Policy--And Must Be Challenged,'' former DNI Mike McConnell, former Homeland Security Secretary Michael Chertoff, and former Deputy Secretary of Defense William Lynn noted the ability of cyberterrorists to cripple our critical infrastructure, and they sounded an even more urgent alarm about the threat of economic cyber espionage. Citing an October 2011 report to Congress by the Office of the National Counterintelligence Executive, they warned of the catastrophic impact that cyber espionage--particularly that pursued by China--could have on our economy and our competitiveness. They estimated that the cost easily means billions of dollars and millions of jobs. This threat is all the more menacing because it is being pursued by a global competitor seeking to steal the research and development of American firms to undermine our economic leadership. The evidence of our cyber security vulnerability is overwhelming and compels us to act. As the chairman mentioned, since 2005, our Homeland Security Committee has held nine hearings on the cyber threat. In 2010, Chairman Lieberman, Senator Carper, and I introduced our cyber security bill, which was reported by the committee later that same year. Since last year, we have been working with Chairman Rockefeller to merge our bill with legislation he has championed which was reported by the Commerce Committee. Lately, after incorporating changes based on the feedback of our colleagues, the private sector, and the administration, we have produced a new version which we introduced today. 
Some of our colleagues have urged us to focus very narrowly on the Federal Information Security Management Act, as well as on Federal research and development, and improved information sharing. We do need to address those issues, and our bill does address those important issues. Again, as did Senator Lieberman, I commend Senator Feinstein for her contributions in the area of improved information sharing, and Senator Carper for the work he has done on the Federal Information Security Management Act. But the fact remains that with 85 percent of our Nation's critical infrastructure owned by the private sector, government also has a critical role in ensuring that the most vital parts of that critical infrastructure--those whose disruption could result in truly catastrophic consequences, such as mass casualties or mass evacuations--meet reasonable, risk-based performance standards. In an editorial this week, the Washington Post concurred, writing that: Our critical systems have remained unprotected. To accept the status quo would be an unacceptable risk to U.S. national security. The Post got it exactly right. Some of our colleagues are skeptical about the need for any new regulations. There is no one who has worked harder than I have to oppose regulations that would unnecessarily burden our economy and cost us jobs. But we need to distinguish between regulations that hurt our economy and are not necessary and hinder our international competitiveness versus regulations that are necessary for our national security and that promote rather than hinder our economic prosperity, those that strengthen our economy and our Nation. The fact is the risk-based performance requirements in our bill are targeted carefully. They only apply to specific systems and assets--not entire companies--that, if damaged, could reasonably be expected to result in mass casualties, huge evacuations, catastrophic economic damages, or a severe degradation of our national security. 
In other words, we are talking about truly catastrophic impacts. Moreover, the owners of critical infrastructure, not the government, would select and implement the cyber security measures the owners determine to be best suited to satisfy the risk-based cyber security performance requirements. Our new bill would also require the Secretary of Homeland Security to select from among existing industry practices and standards or choose performance requirements proposed by the private sector--lots of collaboration and consultation. Only if none of these mitigates the risks identified through this public-private collaboration could the Secretary propose something different. That is extremely unlikely to happen. The bill prohibits the regulation of the design and development of commercial IT products. It would require that existing requirements and current regulators be used wherever possible. The bill would allow Federal officials to waive the bill's requirements when existing regulations or security measures are already sufficiently robust. As with our earlier versions of this bill, companies in substantial compliance with the performance requirements at the time of a cyber incident would receive liability protection from any punitive damages associated with an incident, giving them an incentive to comply. The fact remains that improving cyber security is absolutely essential. We cannot afford to wait for a cyber 9/11 before taking action. The warnings could not be clearer about the vulnerabilities and the threat to our systems. Every single day nation states, terrorist groups, cyber criminals, and hackers probe our systems both in the public and the private sectors, and they have been successful over and over in their intrusions. We don't want to look back after a catastrophic cyber event and say: Why didn't we act? How could we have ignored all of these warnings?
So I would encourage our colleagues to continue to work with us and to come together and enact this vitally needed legislation. Mr. President, I yield the floor.

Mr. ROCKEFELLER. Mr. President, when most Americans think of cyber security, they conjure up an image of somebody having a credit card number stolen, for example, or a prankster using their Twitter account or somebody downloading a movie without paying for it. And although that is all true and important, it is not dangerous. The internet is central to our lives, our economy, and our society. Any insecurity is a worry. I will expand. We are here today because the experts are warning us that we are on the brink of something much worse, something that could bring down our economy, rip open our national security or even take lives. The prospect of mass casualty is what has propelled us to make cyber security a top priority for this year, to make it an issue that transcends political parties or ideology. Consider the warning signs: Hackers now seem to be able to routinely crack the codes of our government agencies, including the most sensitive ones. They do so routinely with our Fortune 500 companies, and then everything in between. ADM Mike Mullen, former Joint Chiefs of Staff Chairman, said that a cyber security threat is the only other threat that is on the same level as Russia's stockpile of nuclear weapons--loose nukes, if you will. FBI Director Robert Mueller testified to Congress very recently that the cyber threat will soon overcome terrorism as the top national security focus of the FBI. Think about that--cyber threats will be as dangerous as terrorism. Cyber threats and the prospects of a widespread cyber attack could potentially be as devastating to this country as the terrorist strikes that tore apart this country just 10 short years ago. How is that possible, you ask.
Think about how many people could die if a cyber terrorist attacked our air traffic control system--both now and when it is made modern--and our planes slammed into one another or if rail-switching networks were hacked, causing trains carrying people--and more than that, perhaps hazardous material, toxic materials--to derail or collide in the midst of our most populated urban areas, such as Chicago, New York, San Francisco, Washington, DC, et cetera. What about an attack on networks that run a pipeline, refinery, or a chemical factory, causing temperature and pressure imbalance, leading to an explosion equivalent to a massive bomb, or an attack on a power grid, shutting down generators and killing electricity going into cities and our hospitals. In short, we are on the brink of what could be a calamity. President Bush's last Director of National Intelligence and President Obama's first Director of National Intelligence in consecutive years said that cyber security was the major national security threat facing this Nation. Are we paying attention? We can act now and try to prepare ourselves as best we can or we can wait and we will be surprised with what happens. I am here to argue that we should act now to prevent a cyber disaster. That is what this bill would do. Working with my friends Senator Lieberman and Senator Collins, we have written legislation that I believe strikes the right balance, addressing the danger without putting an undue new set of regulations on business. Our bill would determine the greatest cyber vulnerabilities throughout our critical infrastructure; protect and promote private sector innovation, creativity, and encourage private sector leadership and real accountability in securing their private systems; and improve threat and vulnerability information sharing between the government and the private sector, while protecting as best as we can privacy and civil liberties.
It will improve the security of the Federal Government networks, including our most sensitive ones that are now being hacked into; clarify the roles and responsibilities of Federal agencies; strengthen our cyber workforce; coordinate cyber security research and development; and promote public awareness of cyber vulnerabilities to ensure a better informed and more alert citizenry, frankly. Let me say again that this is bipartisan and was written to address the many concerns that surfaced 3 years ago when we first raised this issue and, frankly, when we started writing this bill. We held meetings with all sides and incorporated hundreds of specific suggestions and, in short, tried to do what we do with any important and large piece of legislation--make a lot of people really think deeply and come up with a compromise to which everyone can agree. Earlier this month, an association of major high-tech companies praised our approach. Generally, they do. We have talked with industry, with the White House, with everybody hundreds of times over a period of 3 years, and in the end we settled on a plan that creates no new bureaucracy or heavyhanded regulation. However, it is premised on companies taking responsibility for securing their own networks, with government assistance as necessary. Will they do that? I think back to 2000 and 2001 when we all saw signs of people moving in and out of the country. We were not quite sure what that meant. We saw dots appear to connect, but did they or didn't they? And we knew something new and something different and something dangerous just might be upon us, but we didn't drill down. Our intelligence and national security leadership took these matters very seriously, as best as they possibly could, but in the end not seriously enough. It was too late--September 11 happened. 
Today, with a new set of warnings flashing before us on a different subject--cyber security and a wide range of new challenges to our security and our safety--we again face a choice: act now and put in place safeguards to protect this country and our people or act later when it is too late. I hope we act now.