[Congressional Record Volume 158, Number 24 (Tuesday, February 14, 2012)]
[Pages S615-S636]


      By Mr. LIEBERMAN (for himself, Ms. Collins, Mr. Rockefeller, and 
        Mrs. Feinstein):
  S. 2105. A bill to enhance the security and resiliency of the cyber 
and communications infrastructure of the United States; read the first 
  Mr. LIEBERMAN. Mr. President, I came to the floor to introduce the 
Cyber Security Act of 2012. I am here with Senator Susan Collins. I 
thank her for all the work we have done together in what has been a 
wonderfully bipartisan, nonpartisan relationship to deal with a very 
serious national problem. I am honored that we are joined in 
introducing this bill by the chairs of the two committees that have 
been most involved in questions of cyber security, chairman of the 
Commerce Committee, Senator Rockefeller, and the chair of the 
Intelligence Committee of the Senate, Senator Feinstein of California. 
We have also had the involvement of the chairs and others on the 
Foreign Relations Committee, Judiciary Committee, and Energy Committee. 
I am very proud this is a bill that Senators Collins and Rockefeller 
and Feinstein and I introduced today.
  I wish to give particular thanks to the majority leader, Senator 
Reid, for his unflagging support, based on his personal concern about 
cyber defenses and based on classified briefings he received on this 
problem. He pushed us to work across party and committee lines to pull 
the bill together that we are introducing today.
  It is interesting to note--since there has been a lot of commentary 
in the last 24 hours about President Obama's budget--that President 
Obama has recognized, in the most tangible terms, the danger that 
confronts us by recommending adding at least $300 million in the coming 
year to our cyber security effort.
  Still, I know that while it is February 14, 2012, those of us who 
have worked on this problem fear that when it comes to protecting 
America from cyber attack, it may be September 10, 2001, all over 
again. The question is whether America will confront this grave threat 
to our security before it happens, before our enemies attack.
  We are being bled of our intellectual property every day by cyber 
thieves. The consequences of their thievery are very real to America's 
economy, our prosperity, and indeed our capacity to create jobs and 
hold the ones we have.
  Enemies probe the weaknesses in our critical national assets every 
day, waiting until the time is right, through cyber attack, to cripple 
our economy or attack, for instance, a city's electric grid with the 
touch of a key on the other side of the world.
  The fact is our cyber defenses are not what they should be, but such 
as they are they are blinking red. Yet, again, I fear we will not be 
able to connect the dots to prevent a 9/11-type cyber attack on America 
before it happens. The aim of this bill is to make sure we don't 
scramble here in Congress after such an attack to do what we can and 
should do today.

  Intellectual property worth billions of dollars has already been 
stolen, giving our international competitors access in the global 
marketplace without ever having to invest a dime in research.
  The fact is that even the most sophisticated companies are being 
penetrated, and our adversaries are using information learned in one 
intrusion to plan the next more sophisticated one.
  Last year, the computer security firm McAfee conducted a study of 70 
specific instances of data theft, and they issued a report on those 
instances. They included 13 defense contractors, 6 industrial plants, 
and 8 American and Canadian Government networks. Based on that report, 
the former vice president of McAfee, Dmitri Alperovitch, issued this 
ominous warning:

       I am convinced that every company in every conceivable 
     industry with significant size and valuable intellectual 
     property and trade secrets has been compromised--or will be 
     shortly--with the great majority of the victims rarely 
     discovering the intrusion or its impact.

  In fact, I divide this entire set of Fortune Global 2000 firms into 
two categories: those that know they've been compromised and those that 
don't yet know.
  These examples, of course, are deeply alarming, but in addition, 
lurking out in the ether are computer worms such as Stuxnet that can 
commandeer the computers that control heavy machinery and potentially 
allow an intruder to open and close key valves and switches in 
pipelines, refineries, factories, water and sewer systems, and electric 
plants in our country without detection by their operators.
  Obviously, this capacity could be used by an enemy to attack our 
country and do damage not only comparable to 9/11 but far in excess of 
it. Depending on the target or targets, these kinds of cyber attacks 
could lead to terrible physical destruction, massive loss of life, 
massive evacuations, and, of course, widespread economic disruption.
  Owners of these critical systems; that is, private sector owners--
and, remember, most of private infrastructure in America is privately 
owned and is what this bill is talking about--have sometimes told us we 
don't need to worry about the security of their systems because they 
are not connected to the Internet. But the reality today is that is 
simply not correct. The experts have told us that a truly air-gapped 
system, as they call it; that is, one not connected to the Internet--is 
as rare as a blizzard in the Caribbean. If it exists, our best cyber 
experts have yet to see it. And Stuxnet has shown us it doesn't matter 
if a system is air gapped, because one thumb drive plugged into a 
computer can lead to an infection that spreads.
  If we don't act now to secure our computer network, sometime in the 
future--and I believe it will be in the near future--we will be forced 
to act in the middle of a mega cyber crisis or right after one that has 
had an enormous, perhaps catastrophic, effect on our country. That is 
why we introduced this bill, and that is why we look forward to the 
debate on it, and why we hope it will pass and be enacted before a 
cyber catastrophe occurs in America.
  Let me briefly describe some of the important work this bill does. 
First, it ensures the computer systems--private systems--that control 
our most critical infrastructure that are currently not secure are made 
secure. Our bill defines critical infrastructure narrowly to include 
those systems that, if brought down, or commandeered in a cyber attack 
would lead to mass casualties, evacuations of major population centers, 
the collapse of financial markets, or degradation of our national 
security. This is critical infrastructure. After identifying the 
precise systems that meet the definition of high risk, the Secretary of 
Homeland Security would, under our legislation, then work with the 
private sector operators of those systems to develop cyber security 
performance requirements based on risk assessments of those sectors. 
The private sector owners would then have some flexibility to meet 
those performance requirements with hardware or software they choose so 
long as it achieves the required level of security.
  The Department of Homeland Security will not be picking technological 
winners and losers, so there is nothing in this bill that would stifle 
innovation. In fact, I think quite the contrary. If a company can show 
it already has met high security standards, it will be exempt from 
these requirements. The bill focuses on securing that which is not 
secure today, not on putting new requirements on industries that are 
doing everything they should be doing to protect themselves and our 
national security.
  Once these improved security systems come on line, I think many 
companies will want to apply them to noncritical systems that are not 
covered by this bill as a way to protect the privacy of their employees 
and customers, as well as giving these companies the chance to offer 
secure e-commerce services. But that will be up to each company.
  This bill also seeks to make compliance easier, more rational for 
covered critical infrastructure operators by creating a more 
streamlined and efficient cyber organization within the Department of 
Homeland Security. And at each step in the process created by our bill, 
the Department of Homeland Security must work with existing Federal 
regulators and the private sector they regulate to ensure no rules or 
regulations are put in place that duplicate or conflict with existing 
requirements. If a company feels the designation of its networks as 
critical infrastructure is somehow wrong, it has the right to appeal 
that decision through a system that the law requires DHS to set up or 
they can go to Federal district court.
  This bill also establishes mechanisms for information sharing between 
the private sector and the Federal Government and among the private 
sector operators themselves.
  Senator Feinstein and her committee made a significant contribution 
to this part of our bill. This is important because computer security 
experts in the private and public sectors need to be able to share 
information, compare notes, in order to protect us against the evolving 
cyber threat.
  Our proposal also creates appropriate security measures and oversight 
to protect privacy and preserve civil liberties. In fact, I was pleased 
to read recently that the American Civil Liberties Union said it had 
studied our bill and found it offers the greatest privacy protections 
of all the cyber security legislation that has been proposed.
  I am going to jump forward a little so I can yield to my 
distinguished ranking member in a moment.
  I have discussed some of the things the bill does, but I want to 
mention two it doesn't do.
  One myth about this bill is that it contains a kill switch that would 
allow the President of the United States in an emergency to seize 
control of the Internet. There is nothing remotely like that in this 
bill. At one time we had considered language that would, in fact, have 
limited powers the President has under the Communications Act of 1934 
to take over electronic communications in times of war. But that 
provision was so widely misunderstood or misrepresented that we dropped 
it rather than risk losing the chance to pass the rest of this urgently 
needed legislation.
  I also want to make clear that nothing in this bill touches on any of 
the issues that quite recently have inflamed our consideration of the 
Stop Online Piracy Act or the Protect IP Act, known as PIPA. Many 
Members in the Chamber have, metaphorically speaking, scars that still 
show from that experience. No need to fear this bill. This bill does 
nothing to affect the day-to-day workings of the Internet. Internet 
piracy and copyright protections are important concerns in the digital 
age. We have to deal with that at some point, but they are simply not 
part of this bill.
  One final thing I do want to deal with is a complaint from, among 
others, our Chamber of Commerce that we are ``rushing forward with 
legislation that has not been fully vetted.'' Not true. This bipartisan 
legislation has been 3 years in the making, and its outlines have not 
only been shared with stakeholders and the public but their input has 
helped shape this final version of the bill we are introducing today.
  More than 20 hearings on cyber security have been held across seven 
different Senate committees, with dozens more held on questions related 
to cyber security. In fact, our own committee, since 2005, has held 
nine hearings on the subject and will hold another one 
this Thursday where we will hear reactions to this bill.
  I am very pleased to say that Senator Reid continues to be very 
committed to seeing us do everything we can to adopt legislation to 
protect our American cyber systems. I believe it is the leader's intent 
to bring up this bill in the next work period. I hope so. Because the 
truth is, time is not on our side. We are not adequately protected at 
this moment, and the capabilities of those who are attacking us for 
economic reasons or who prepare to attack us for strategic reasons 
grow larger and larger.
  I do want to say we have a growing number of companies in the private 
sector--information technology, cyber security and other companies in 
critical infrastructure areas--that are coming to support this bill. 
Two I want to mention are SISCO and Oracle, which gives you some sense 
of the range of support for the bill.
  Bottom line, I think this is a subject around which we should have a 
good healthy debate, an open amendment process, and a bipartisan 
agreement, because this is not at all about regulation, it is about our 
most fundamental national economic security and public safety.
  With that, I yield the floor to my distinguished ranking member, 
Senator Collins.
  The PRESIDING OFFICER. The Senator from Maine.
  Ms. COLLINS. Mr. President, I do rise today to introduce with the 
chairman of the Homeland Security Committee Senator Lieberman, as well 
as Senator Rockefeller and Senator Feinstein, the Cyber Security Act of 
2012. As always, it has been a great pleasure to work with my friend 
and colleague from Connecticut on what I believe is the most important 
initiative we have come together on since perhaps our 2004 Intelligence 
Reform and Terrorism Prevention Act.
  I am also delighted that three Senate chairmen who have significant 
jurisdiction in this area--Senators Lieberman, Rockefeller, and 
Feinstein--have come together. We have all worked very hard on this 
bill. I also want to commend the staff of our committee, which has 
worked extraordinarily hard over several years to produce this bill. 
Our legislation would provide the Federal Government and the private 
sector with the tools necessary to protect our most critical 
infrastructure from growing cyber threats.
  Earlier this month, FBI Director Robert Mueller warned that the cyber 
threat will soon equal or surpass the threat from terrorism. He argued 
that we should be addressing the cyber threat with the same intensity 
we have applied to the terrorist threat.
  Director of National Intelligence Jim Clapper made the point even 
more strongly. He described the cyber threat as:

       A profound threat to this country, to its future, its 
     economy and its very being.

  These warnings are the latest in a chorus of warnings from current 
and former officials. Last November, the Director of the Defense 
Advanced Research Projects Agency, or DARPA, warned that malicious 
cyber attacks threaten a growing number of the systems with which we 
interact each and every day--the electric grid, our water treatment 
plants, and key financial systems.
  Similarly, GEN Keith Alexander, commander of U.S. Cyber Command, and 
director of the National Security Agency, has warned that the cyber 
vulnerabilities we face are extraordinary and characterized by ``a 
disturbing trend from exploitation to disruption to destruction.''
  As Senator Lieberman has pointed out, the threat is not only to our 
national security but also to our economic well-being.
  A study by the company, Norton, last year calculated the cost of 
global cyber crime at $114 billion annually. When combined with the 
value of time that victims lost due to cyber crime, this figure grows 
to $388 billion globally, which Norton described as ``significantly 
more'' than the global black market in marijuana, cocaine, and heroin 
  In an op-ed last month titled, ``China's Cyber Thievery Is National 
Policy--And Must Be Challenged,'' former DNI Mike McConnell, former 
Homeland Security Secretary Michael Chertoff, and former Deputy 
Secretary of Defense William Lynn noted the ability of cyberterrorists 
to cripple our critical infrastructure, and they sounded an even more 
urgent alarm about the threat of economic cyber espionage.
  Citing an October 2011 report to Congress by the Office of the 
National Counterintelligence Executive, they warned of the catastrophic 
impact that cyber espionage--particularly that pursued by China--could 
have on our economy and our competitiveness. They estimated that the 
cost easily means billions of dollars and millions of jobs. This threat 
is all the more menacing because it is being pursued by a global 
competitor seeking to steal the research and development of American 
firms to undermine our economic leadership.
  The evidence of our cyber security vulnerability is overwhelming and 
compels us to act. As the chairman mentioned, since 2005, our Homeland 
Security Committee has held nine hearings on the cyber threat. In 2010, 
Chairman Lieberman, Senator Carper, and I introduced our cyber security 
bill, which was reported by the committee later that same year. Since 
last year, we have been working with Chairman Rockefeller to merge our 
bill with legislation he has championed which was reported by the 
Commerce Committee.
  Lately, after incorporating changes based on the feedback of our 
colleagues, the private sector, and the administration, we have 
produced a new version which we introduced today. Some of our 
colleagues have urged us to focus very narrowly on the Federal 
Information Security Management Act, as well as on Federal research and 
development, and improved information sharing. We do need to address 
those issues, and our bill does address those important issues.
  Again, as did Senator Lieberman, I commend Senator Feinstein for her 
contributions in the area of improved information sharing, and Senator 
Carper for the work he has done on the Federal Information Security 
Management Act. But the fact remains that with 85 percent of our 
Nation's critical infrastructure owned by the private sector, 
government also has a critical role in ensuring that the most vital 
parts of that critical infrastructure--those whose disruption could 
result in truly catastrophic consequences, such as mass casualties or 
mass evacuations--meet reasonable, risk-based performance standards.
  In an editorial this week, the Washington Post concurred, writing 

       Our critical systems have remained unprotected. To accept 
     the status quo would be an unacceptable risk to U.S. national 

  The Post got it exactly right.
  Some of our colleagues are skeptical about the need for any new 
regulations. There is no one who has worked harder than I have to 
oppose regulations that would unnecessarily burden our economy and cost 
us jobs. But we need to distinguish between regulations that hurt our 
economy and are not necessary and hinder our international 
competitiveness versus regulations that are necessary for our national 
security and that promote rather than hinder our economic prosperity, 
those that strengthen our economy and our Nation.
  The fact is the risk-based performance requirements in our bill are 
targeted carefully. They only apply to specific systems and assets--not 
entire companies--that, if damaged, could reasonably be expected to 
result in mass casualties, huge evacuations, catastrophic economic 
damages, or a severe degradation of our national security. In other 
words, we are talking about truly catastrophic impacts. Moreover, the 
owners of critical infrastructure, not the government, would select and 
implement the cyber security measures the owners determine to be best 
suited to satisfy the risk-based cyber security performance 
  Our new bill would also require the Secretary of Homeland Security to 
select from among existing industry practices and standards or choose 
performance requirements proposed by the private sector--lots of 
collaboration and consultation. Only if none of these mitigates the 
risks identified through this public-private collaboration could the 
Secretary propose something different. That is extremely unlikely to 

  The bill prohibits the regulation of the design and development of 
commercial IT products. It would require that existing requirements and 
current regulators be used wherever possible. The bill would allow 
Federal officials to waive the bill's requirements when existing 
regulations or security measures are already sufficiently robust.
  As with our earlier versions of this bill, companies in substantial 
compliance with the performance requirements at the time of a cyber 
incident would receive liability protection from any punitive damages 
associated with an incident, giving them an incentive to comply.
  The fact remains that improving cyber security is absolutely 
essential. We cannot afford to wait for a cyber 9/11 before taking 
action. The warnings could not be clearer about the vulnerabilities and 
the threat to our systems. Every single day nation states, terrorist 
groups, cyber criminals, and hackers probe our systems both in the 
public and the private sectors, and they have been successful over and 
over in their intrusions.
  We don't want to look back after a catastrophic cyber event and say: 
Why didn't we act? How could we have ignored all of these warnings? So 
I would encourage our colleagues to continue to work with us and to 
come together and enact this vitally needed legislation.
  Mr. President, I yield the floor.
  Mr. ROCKEFELLER. Mr. President, when most Americans think of cyber 
security, they conjure up an image of somebody having a credit card 
number stolen, for example, or a prankster using their Twitter account 
or somebody downloading a movie without paying for it. And although 
that is all true and important, it is not dangerous. The internet is 
central to our lives, our economy, and our society. Any insecurity is a 
worry. I will expand.
  We are here today because the experts are warning us that we are on 
the brink of something much worse, something that could bring down our 
economy, rip open our national security or even take lives. The 
prospect of mass casualty is what has propelled us to make cyber 
security a top priority for this year, to make it an issue that 
transcends political parties or ideology.
  Consider the warning signs: Hackers now seem to be able to routinely 
crack the codes of our government agencies, including the most 
sensitive ones. They do so routinely with our Fortune 500 companies, 
and then everything in between. ADM Mike Mullen, former Joint Chiefs of 
Staff Chairman, said that a cyber security threat is the only other 
threat that is on the same level as Russia's stockpile of nuclear 
weapons--loose nukes, if you will. FBI Director Robert Mueller 
testified to Congress very recently that the cyber threat will soon 
overcome terrorism as the top national security focus of the FBI. Think 
about that--cyber threats will be as dangerous as terrorism.
  Cyber threats and the prospects of a widespread cyber attack could 
potentially be as devastating to this country as the terrorist strikes 
that tore apart this country just 10 short years ago. How is that 
possible, you ask. Think about how many people could die if a cyber 
terrorist attacked our air traffic control system--both now and when it 
is made modern--and our planes slammed into one another or if rail-
switching networks were hacked, causing trains carrying people--and 
more than that, perhaps hazardous material, toxic materials--to derail 
or collide in the midst of our most populated urban areas, such as 
Chicago, New York, San Francisco, Washington, DC, et cetera. What about 
an attack on networks that run a pipeline, refinery, or a chemical 
factory, causing temperature and pressure imbalance, leading to an 
explosion equivalent to a massive bomb, or an attack on a power grid, 
shutting down generators and killing electricity going into cities and 
our hospitals. In short, we are on the brink of what could be a 
  President Bush's last Director of National Intelligence and President 
Obama's first Director of National Intelligence in consecutive years 
said that cyber security was the major national security threat facing 
this Nation. Are we paying attention? We can act now and try to prepare 
ourselves as best we can or we can wait and we will be surprised with 
what happens.
  I am here to argue that we should act now to prevent a cyber 
disaster. That is what this bill would do. Working with my friends 
Senator Lieberman and Senator Collins, we have written legislation that 
I believe strikes the right balance, addressing the danger without 
putting an undue new set of regulations on business.
  Our bill would determine the greatest cyber vulnerabilities 
throughout our critical infrastructure; protect and promote private 
sector innovation, creativity, and encourage private sector leadership 
and real accountability in securing their private systems; and improve 
threat and vulnerability information sharing between the government and 
the private sector, while protecting as best as we can privacy and 
civil liberties. It will improve the security of the Federal Government 
networks, including our most sensitive ones that are now being hacked 
into; clarify the roles and responsibilities of Federal agencies; 
strengthen our cyber workforce; coordinate cyber security research and 
development; and promote public awareness of cyber vulnerabilities to 
ensure a better informed and more alert citizenry, frankly.
  Let me say again that this is bipartisan and was written to address 
the many concerns that surfaced 3 years ago when we first raised this 
issue and, frankly, when we started writing this bill. We held meetings 
with all sides and incorporated hundreds of specific suggestions and, 
in short, tried to do what we do with any important and large piece of 
legislation--make a lot of people really think deeply and come up with 
a compromise to which everyone can agree.
  Earlier this month, an association of major high-tech companies 
praised our approach. Generally, they do. We have talked with industry, 
with the White House, with everybody hundreds of times over a period of 
3 years, and in the end we settled on a plan that creates no new 
bureaucracy or heavyhanded regulation. However, it is premised on 
companies taking responsibility for securing their own networks, with 
government assistance as necessary. Will they do that?
  I think back to 2000 and 2001 when we all saw signs of people moving 
in and out of the country. We were not quite sure what that meant. We 
saw dots appear to connect, but did they or didn't they? And we knew 
something new and something different and something dangerous just 
might be upon us, but we didn't drill down. Our intelligence and 
national security leadership took these matters very seriously, as best 
as they possibly could, but in the end not seriously enough. It was too 
late--September 11 happened.
  Today, with a new set of warnings flashing before us on a different 
subject--cyber security and a wide range of new challenges to our 
security and our safety--we again face a choice: act now and put in 
place safeguards to protect this country and our people or act later 
when it is too late. I hope we act now.