[Congressional Record Volume 158, Number 24 (Tuesday, February 14, 2012)]
[Senate]
[Pages S615-S636]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mr. LIEBERMAN (for himself, Ms. Collins, Mr. Rockefeller, and
Mrs. Feinstein):
S. 2105. A bill to enhance the security and resiliency of the cyber
and communications infrastructure of the United States; read the first
time.
Mr. LIEBERMAN. Mr. President, I came to the floor to introduce the
Cyber Security Act of 2012. I am here with Senator Susan Collins. I
thank her for all the work we have done together in what has been a
wonderfully bipartisan, nonpartisan relationship to deal with a very
serious national problem. I am honored that we are joined in
introducing this bill by the chairs of the two committees that have
been most involved in questions of cyber security, chairman of the
Commerce Committee, Senator Rockefeller, and the chair of the
Intelligence Committee of the Senate, Senator Feinstein of California.
We have also had the involvement of the chairs and others on the
Foreign Relations Committee, Judiciary Committee, and Energy Committee.
I am very proud this is a bill that Senators Collins and Rockefeller
and Feinstein and I introduced today.
I wish to give particular thanks to the majority leader, Senator
Reid, for his unflagging support, based on his personal concern about
cyber defenses and based on classified briefings he received on this
problem. He pushed us to work across party and committee lines to pull
the bill together that we are introducing today.
It is interesting to note--since there has been a lot of commentary
in the last 24 hours about President Obama's budget--that President
Obama has recognized, in the most tangible terms, the danger that
confronts us by recommending adding at least $300 million in the coming
year to our cyber security effort.
Still, I know that while it is February 14, 2012, those of us who
have worked on this problem fear that when it comes to protecting
America from cyber attack, it may be September 10, 2001, all over
again. The question is whether America will confront this grave threat
to our security before it happens, before our enemies attack.
We are being bled of our intellectual property every day by cyber
thieves. The consequences of their thievery are very real to America's
economy, our prosperity, and indeed our capacity to create jobs and
hold the ones we have.
Enemies probe the weaknesses in our critical national assets every
day, waiting until the time is right, through cyber attack, to cripple
our economy or attack, for instance, a city's electric grid with the
touch of a key on the other side of the world.
The fact is our cyber defenses are not what they should be, but such
as they are they are blinking red. Yet, again, I fear we will not be
able to connect the dots to prevent a 9/11-type cyber attack on America
before it happens. The aim of this bill is to make sure we don't
scramble here in Congress after such an attack to do what we can and
should do today.
[[Page S617]]
Intellectual property worth billions of dollars has already been
stolen, giving our international competitors access in the global
marketplace without ever having to invest a dime in research.
The fact is that even the most sophisticated companies are being
penetrated, and our adversaries are using information learned in one
intrusion to plan the next more sophisticated one.
Last year, the computer security firm McAfee conducted a study of 70
specific instances of data theft, and they issued a report on those
instances. They included 13 defense contractors, 6 industrial plants,
and 8 American and Canadian Government networks. Based on that report,
the former vice president of McAfee, Dmitri Alperovitch, issued this
ominous warning:
I am convinced that every company in every conceivable
industry with significant size and valuable intellectual
property and trade secrets has been compromised--or will be
shortly--with the great majority of the victims rarely
discovering the intrusion or its impact.
In fact, I divide this entire set of Fortune Global 2000 firms into
two categories: those that know they've been compromised and those that
don't yet know.
These examples, of course, are deeply alarming, but in addition,
lurking out in the ether are computer worms such as Stuxnet that can
commandeer the computers that control heavy machinery and potentially
allow an intruder to open and close key valves and switches in
pipelines, refineries, factories, water and sewer systems, and electric
plants in our country without detection by their operators.
Obviously, this capacity could be used by an enemy to attack our
country and do damage not only comparable to 9/11 but far in excess of
it. Depending on the target or targets, these kinds of cyber attacks
could lead to terrible physical destruction, massive loss of life,
massive evacuations, and, of course, widespread economic disruption.
Owners of these critical systems; that is, private sector owners--
and, remember, most of private infrastructure in America is privately
owned and is what this bill is talking about--have sometimes told us we
don't need to worry about the security of their systems because they
are not connected to the Internet. But the reality today is that is
simply not correct. The experts have told us that a truly air-gapped
system, as they call it; that is, one not connected to the Internet--is
as rare as a blizzard in the Caribbean. If it exists, our best cyber
experts have yet to see it. And Stuxnet has shown us it doesn't matter
if a system is air gapped, because one thumb drive plugged into a
computer can lead to an infection that spreads.
If we don't act now to secure our computer network, sometime in the
future--and I believe it will be in the near future--we will be forced
to act in the middle of a mega cyber crisis or right after one that has
had an enormous, perhaps catastrophic, effect on our country. That is
why we introduced this bill, and that is why we look forward to the
debate on it, and why we hope it will pass and be enacted before a
cyber catastrophe occurs in America.
Let me briefly describe some of the important work this bill does.
First, it ensures the computer systems--private systems--that control
our most critical infrastructure that are currently not secure are made
secure. Our bill defines critical infrastructure narrowly to include
those systems that, if brought down, or commandeered in a cyber attack
would lead to mass casualties, evacuations of major population centers,
the collapse of financial markets, or degradation of our national
security. This is critical infrastructure. After identifying the
precise systems that meet the definition of high risk, the Secretary of
Homeland Security would, under our legislation, then work with the
private sector operators of those systems to develop cyber security
performance requirements based on risk assessments of those sectors.
The private sector owners would then have some flexibility to meet
those performance requirements with hardware or software they choose so
long as it achieves the required level of security.
The Department of Homeland Security will not be picking technological
winners and losers, so there is nothing in this bill that would stifle
innovation. In fact, I think quite the contrary. If a company can show
it already has met high security standards, it will be exempt from
these requirements. The bill focuses on securing that which is not
secure today, not on putting new requirements on industries that are
doing everything they should be doing to protect themselves and our
national security.
Once these improved security systems come on line, I think many
companies will want to apply them to noncritical systems that are not
covered by this bill as a way to protect the privacy of their employees
and customers, as well as giving these companies the chance to offer
secure e-commerce services. But that will be up to each company.
This bill also seeks to make compliance easier, more rational for
covered critical infrastructure operators by creating a more
streamlined and efficient cyber organization within the Department of
Homeland Security. And at each step in the process created by our bill,
the Department of Homeland Security must work with existing Federal
regulators and the private sector they regulate to ensure no rules or
regulations are put in place that duplicate or conflict with existing
requirements. If a company feels the designation of its networks as
critical infrastructure is somehow wrong, it has the right to appeal
that decision through a system that the law requires DHS to set up or
they can go to Federal district court.
This bill also establishes mechanisms for information sharing between
the private sector and the Federal Government and among the private
sector operators themselves.
Senator Feinstein and her committee made a significant contribution
to this part of our bill. This is important because computer security
experts in the private and public sectors need to be able to share
information, compare notes, in order to protect us against the evolving
cyber threat.
Our proposal also creates appropriate security measures and oversight
to protect privacy and preserve civil liberties. In fact, I was pleased
to read recently that the American Civil Liberties Union said it had
studied our bill and found it offers the greatest privacy protections
of all the cyber security legislation that has been proposed.
I am going to jump forward a little so I can yield to my
distinguished ranking member in a moment.
I have discussed some of the things the bill does, but I want to
mention two it doesn't do.
One myth about this bill is that it contains a kill switch that would
allow the President of the United States in an emergency to seize
control of the Internet. There is nothing remotely like that in this
bill. At one time we had considered language that would, in fact, have
limited powers the President has under the Communications Act of 1934
to take over electronic communications in times of war. But that
provision was so widely misunderstood or misrepresented that we dropped
it rather than risk losing the chance to pass the rest of this urgently
needed legislation.
I also want to make clear that nothing in this bill touches on any of
the issues that quite recently have inflamed our consideration of the
Stop Online Piracy Act or the Protect IP Act, known as PIPA. Many
Members in the Chamber have, metaphorically speaking, scars that still
show from that experience. No need to fear this bill. This bill does
nothing to affect the day-to-day workings of the Internet. Internet
piracy and copyright protections are important concerns in the digital
age. We have to deal with that at some point, but they are simply not
part of this bill.
One final thing I do want to deal with is a complaint from, among
others, our Chamber of Commerce that we are ``rushing forward with
legislation that has not been fully vetted.'' Not true. This bipartisan
legislation has been 3 years in the making, and its outlines have not
only been shared with stakeholders and the public but their input has
helped shape this final version of the bill we are introducing today.
More than 20 hearings on cyber security have been held across seven
different Senate committees, with dozens more held on questions related
to cyber security. In fact, our own committee, since 2005, has held
nine hearings on the subject and will hold another one
[[Page S618]]
this Thursday where we will hear reactions to this bill.
I am very pleased to say that Senator Reid continues to be very
committed to seeing us do everything we can to adopt legislation to
protect our American cyber systems. I believe it is the leader's intent
to bring up this bill in the next work period. I hope so. Because the
truth is, time is not on our side. We are not adequately protected at
this moment, and the capabilities of those who are attacking us for
economic reasons or who prepare to attack us for strategic reasons
grows larger and larger.
I do want to say we have a growing number of companies in the private
sector--information technology, cyber security and other companies in
critical infrastructure areas--that are coming to support this bill.
Two I want to mention are SISCO and Oracle, which gives you some sense
of the range of support for the bill.
Bottom line, I think this is a subject around which we should have a
good healthy debate, an open amendment process, and a bipartisan
agreement, because this is not at all about regulation, it is about our
most fundamental national economic security and public safety.
With that, I yield the floor to my distinguished ranking member,
Senator Collins.
The PRESIDING OFFICER. The Senator from Maine.
Ms. COLLINS. Mr. President, I do rise today to introduce with the
chairman of the Homeland Security Committee Senator Lieberman, as well
as Senator Rockefeller and Senator Feinstein, the Cyber Security Act of
2012. As always, it has been a great pleasure to work with my friend
and colleague from Connecticut on what I believe is the most important
initiative we have come together on since perhaps our 2004 Intelligence
Reform and Terrorism Prevention Act.
I am also delighted that three Senate chairmen who have significant
jurisdiction in this area--Senators Lieberman, Rockefeller, and
Feinstein--have come together. We have all worked very hard on this
bill. I also want to commend the staff of our committee, which has
worked extraordinarily hard over several years to produce this bill.
Our legislation would provide the Federal Government and the private
sector with the tools necessary to protect our most critical
infrastructure from growing cyber threats.
Earlier this month, FBI Director Robert Mueller warned that the cyber
threat will soon equal or surpass the threat from terrorism. He argued
that we should be addressing the cyber threat with the same intensity
we have applied to the terrorist threat.
Director of National Intelligence Jim Clapper made the point even
more strongly. He described the cyber threat as:
A profound threat to this country, to its future, its
economy and its very being.
These warnings are the latest in a chorus of warnings from current
and former officials. Last November, the Director of the Defense
Advanced Research Projects Agency, or DARPA, warned that malicious
cyber attacks threaten a growing number of the systems with which we
interact each and every day--the electric grid, our water treatment
plants, and key financial systems.
Similarly, GEN Keith Alexander, commander of U.S. Cyber Command, and
director of the National Security Agency, has warned that the cyber
vulnerabilities we face are extraordinary and characterized by ``a
disturbing trend from exploitation to disruption to destruction. ``
As Senator Lieberman has pointed out, the threat is not only to our
national security but also to our economic well-being.
A study by the company, Norton, last year calculated the cost of
global cyber crime at $114 billion annually. When combined with the
value of time that victims lost due to cyber crime, this figure grows
to $388 billion globally, which Norton described as ``significantly
more'' than the global black market in marijuana, cocaine, and heroin
combined.
In an op-ed last month titled, ``China's Cyber Thievery Is National
Policy--And Must Be Challenged,'' former DNI Mike McConnell, former
Homeland Security Secretary Michael Chertoff, and former Deputy
Secretary of Defense William Lynn noted the ability of cyberterrorists
to cripple our critical infrastructure, and they sounded an even more
urgent alarm about the threat of economic cyber espionage.
Citing an October 2011 report to Congress by the Office of the
National Counterintelligence Executive, they warned of the catastrophic
impact that cyber espionage--particularly that pursued by China--could
have on our economy and our competitiveness. They estimated that the
cost easily means billions of dollars and millions of jobs. This threat
is all the more menacing because it is being pursued by a global
competitor seeking to steal the research and development of American
firms to undermine our economic leadership.
The evidence of our cyber security vulnerability is overwhelming and
compels us to act. As the chairman mentioned, since 2005, our Homeland
Security Committee has held nine hearings on the cyber threat. In 2010,
Chairman Lieberman, Senator Carper, and I introduced our cyber security
bill, which was reported by the committee later that same year. Since
last year, we have been working with Chairman Rockefeller to merge our
bill with legislation he has championed which was reported by the
Commerce Committee.
Lately, after incorporating changes based on the feedback of our
colleagues, the private sector, and the administration, we have
produced a new version which we introduced today. Some of our
colleagues have urged us to focus very narrowly on the Federal
Information Security Management Act, as well as on Federal research and
development, and improved information sharing. We do need to address
those issues, and our bill does address those important issues.
Again, as did Senator Lieberman, I commend Senator Feinstein for her
contributions in the area of improved information sharing, and Senator
Carper for the work he has done on the Federal Information Security
Management Act. But the fact remains that with 85 percent of our
Nation's critical infrastructure owned by the private sector,
government also has a critical role in ensuring that the most vital
parts of that critical infrastructure--those whose disruption could
result in truly catastrophic consequences, such as mass casualties or
mass evacuations--meet reasonable, risk-based performance standards.
In an editorial this week, the Washington Post concurred, writing
that:
Our critical systems have remained unprotected. To accept
the status quo would be an unacceptable risk to U.S. national
security.
The Post got it exactly right.
Some of our colleagues are skeptical about the need for any new
regulations. There is no one who has worked harder than I have to
oppose regulations that would unnecessarily burden our economy and cost
us jobs. But we need to distinguish between regulations that hurt our
economy and are not necessary and hinder our international
competitiveness versus regulations that are necessary for our national
security and that promote rather than hinder our economic prosperity,
those that strengthen our economy and our Nation.
The fact is the risk-based performance requirements in our bill are
targeted carefully. They only apply to specific systems and assets--not
entire companies--that, if damaged, could reasonably be expected to
result in mass casualties, huge evacuations, catastrophic economic
damages, or a severe degradation of our national security. In other
words, we are talking about truly catastrophic impacts. Moreover, the
owners of critical infrastructure, not the government, would select and
implement the cyber security measures the owners determine to be best
suited to satisfy the risk-based cyber security performance
requirements.
Our new bill would also require the Secretary of Homeland Security to
select from among existing industry practices and standards or choose
performance requirements proposed by the private sector--lots of
collaboration and consultation. Only if none of these mitigates the
risks identified through this public-private collaboration could the
Secretary propose something different. That is extremely unlikely to
happen.
[[Page S619]]
The bill prohibits the regulation of the design and development of
commercial IT products. It would require that existing requirements and
current regulators be used wherever possible. The bill would allow
Federal officials to waive the bill's requirements when existing
regulations or security measures are already sufficiently robust.
As with our earlier versions of this bill, companies in substantial
compliance with the performance requirements at the time of a cyber
incident would receive liability protection from any punitive damages
associated with an incident, giving them an incentive to comply.
The fact remains that improving cyber security is absolutely
essential. We cannot afford to wait for a cyber 9/11 before taking
action. The warnings could not be clearer about the vulnerabilities and
the threat to our systems. Every single day nation states, terrorist
groups, cyber criminals, and hackers probe our systems both in the
public and the private sectors, and they have been successful over and
over in their intrusions.
We don't want to look back after a catastrophic cyber event and say:
Why didn't we act? How could we have ignored all of these warnings? So
I would encourage our colleagues to continue to work with us and to
come together and enact this vitally needed legislation.
Mr. President, I yield the floor.
Mr. ROCKEFELLER. Mr. President, when most Americans think of cyber
security, they conjure up an image of somebody having a credit card
number stolen, for example, or a prankster using their Twitter account
or somebody downloading a movie without paying for it. And although
that is all true and important, it is not dangerous. The internet is
central to our lives, our economy, and our society. Any insecurity is a
worry. I will expand.
We are here today because the experts are warning us that we are on
the brink of something much worse, something that could bring down our
economy, rip open our national security or even take lives. The
prospect of mass casualty is what has propelled us to make cyber
security a top priority for this year, to make it an issue that
transcends political parties or ideology.
Consider the warning signs: Hackers now seem to be able to routinely
crack the codes of our government agencies, including the most
sensitive ones. They do so routinely with our Fortune 500 companies,
and then everything in between. ADM Mike Mullen, former Joint Chiefs of
Staff Chairman, said that a cyber security threat is the only other
threat that is on the same level as Russia's stockpile of nuclear
weapons--loose nukes, if you will. FBI Director Robert Mueller
testified to Congress very recently that the cyber threat will soon
overcome terrorism as the top national security focus of the FBI. Think
about that--cyber threats will be as dangerous as terrorism.
Cyber threats and the prospects of a widespread cyber attack could
potentially be as devastating to this country as the terrorist strikes
that tore apart this country just 10 short years ago. How is that
possible, you ask. Think about how many people could die if a cyber
terrorist attacked our air traffic control system--both now and when it
is made modern--and our planes slammed into one another or if rail-
switching networks were hacked, causing trains carrying people--and
more than that, perhaps hazardous material, toxic materials--to derail
or collide in the midst of our most populated urban areas, such as
Chicago, New York, San Francisco, Washington, DC, et cetera. What about
an attack on networks that run a pipeline, refinery, or a chemical
factory, causing temperature and pressure imbalance, leading to an
explosion equivalent to a massive bomb, or an attack on a power grid,
shutting down generators and killing electricity going into cities and
our hospitals. In short, we are on the brink of what could be a
calamity.
President Bush's last Director of National Intelligence and President
Obama's first Director of National Intelligence in consecutive years
said that cyber security was the major national security threat facing
this Nation. Are we paying attention? We can act now and try to prepare
ourselves as best we can or we can wait and we will be surprised with
what happens.
I am here to argue that we should act now to prevent a cyber
disaster. That is what this bill would do. Working with my friends
Senator Lieberman and Senator Collins, we have written legislation that
I believe strikes the right balance, addressing the danger without
putting an undue new set of regulations on business.
Our bill would determine the greatest cyber vulnerabilities
throughout our critical infrastructure; protect and promote private
sector innovation, creativity, and encourage private sector leadership
and real accountability in securing their private systems; and improve
threat and vulnerability information sharing between the government and
the private sector, while protecting as best as we can privacy and
civil liberties. It will improve the security of the Federal Government
networks, including our most sensitive ones that are now being hacked
into; clarify the roles and responsibilities of Federal agencies;
strengthen our cyber workforce; coordinate cyber security research and
development; and promote public awareness of cyber vulnerabilities to
ensure a better informed and more alert citizenry, frankly.
Let me say again that this is bipartisan and was written to address
the many concerns that surfaced 3 years ago when we first raised this
issue and, frankly, when we started writing this bill. We held meetings
with all sides and incorporated hundreds of specific suggestions and,
in short, tried to do what we do with any important and large piece of
legislation--make a lot of people really think deeply and come up with
a compromise to which everyone can agree.
Earlier this month, an association of major high-tech companies
praised our approach. Generally, they do. We have talked with industry,
with the White House, with everybody hundreds of times over a period of
3 years, and in the end we settled on a plan that creates no new
bureaucracy or heavyhanded regulation. However, it is premised on
companies taking responsibility for securing their own networks, with
government assistance as necessary. Will they do that?
I think back to 2000 and 2001 when we all saw signs of people moving
in and out of the country. We were not quite sure what that meant. We
saw dots appear to connect, but did they or didn't they? And we knew
something new and something different and something dangerous just
might be upon us, but we didn't drill down. Our intelligence and
national security leadership took these matters very seriously, as best
as they possibly could, but in the end not seriously enough. It was too
late--September 11 happened.
Today, with a new set of warnings flashing before us on a different
subject--cyber security and a wide range of new challenges to our
security and our safety--we again face a choice: act now and put in
place safeguards to protect this country and our people or act later
when it is too late. I hope we act now.
______
