[Congressional Record Volume 158, Number 56 (Wednesday, April 18, 2012)]
[Senate]
[Pages S2458-S2459]
[...]
Cybersecurity
Mr. WHITEHOUSE. Madam President, our Nation's inadequate
cybersecurity poses an ever-growing threat to our safety, our
prosperity, and our privacy. Attackers go after our intellectual
property, our national security, and our critical infrastructure. The
McAfee Night Dragon Report, for example, concluded that foreign
intruders had access to major oil, energy, and petrochemical companies'
computer networks for at least 2 years and likely as many as 4 years.
Government reports are equally sobering, though usually classified.
One that is not classified is the recent Department of Homeland Security
report that attacks on computer systems that control critical
infrastructure, factories, and databases increased almost eightfold in
just the last 12 months. Secretary of Defense Leon Panetta has warned
that ``the next Pearl Harbor we confront could very well be a cyber
attack.''
Majority Leader Reid has recognized the severity of this national and
economic security threat and intends to bring cybersecurity legislation
to the Senate floor soon. We recognize too the hard work of Chairman
Lieberman and Ranking Member Collins of the Homeland Security
Committee, as well as Chairman Feinstein of the Intelligence Committee,
and Senator Rockefeller of the Commerce Committee. The Cybersecurity
Act of 2012, which they introduced--and I am proud to cosponsor--is a
good start toward addressing the many cybersecurity threats that face
this Nation.
The SECURE IT Act, introduced by Senator McCain and seven colleagues,
seeks to improve the sharing of cybersecurity threat information; the
Federal Information Security Management Act, or FISMA, which governs
cybersecurity at Federal agencies; and our cyber research and
development. There is considerable overlap between these bills, which
signals that the Senate could legislate on cybersecurity in a
bipartisan and serious manner.
Support for cybersecurity legislation is also bicameral. The
Cybersecurity Task Force constituted by House Republicans produced
recommendations that share key points with our Cybersecurity Act of
2012. Numerous bills are working their way through the House on a
bipartisan basis. Central to that work in the House are the
contributions of Rhode Island Congressman Jim Langevin. His leadership
is a major reason the House has come to recognize the dangerous
vulnerabilities within our critical infrastructure and that we now
stand on the verge of a breakthrough in improving the security of those
networks.
When a test at the Idaho National Labs showed hackers could blow up a
power generator from thousands of miles away, Congressman Langevin
brought the owners and operators of our electric grid before Congress
and investigated their promise the issue was being addressed. When he
found out that wasn't true, he called them out. His subsequent work as
a cochair of the Center for Strategic and International Studies
Commission on Cybersecurity, along with other experts from within and
outside of government, resulted in many of the recommendations
reflected in our legislation. Then, in 2010, Congressman Langevin
passed a landmark cybersecurity amendment in the House that provided a
legislative template for setting standards for critical infrastructure.
I thank Jim Langevin, my colleague from Rhode Island, for his
relentless commitment to keeping America safe in cyberspace.
I am here this morning to stress four points I believe we must keep
in mind as we take up cybersecurity legislation. The first is that
cybersecurity legislation should improve the public's limited awareness
of current cybersecurity threats and the harm those threats present to
our national security, economy, and privacy. The public, for years, has
been kept in the dark, and that is wrong.
The corporate sector systematically underreports cyber attacks for
fear of scaring customers, for fear of encouraging competitors or for
fear of triggering regulatory review. I was pleased the Securities and
Exchange Commission, after prompting by Senator Rockefeller and myself
and others, issued guidance for when registered companies must disclose
breach information.
The government itself systematically underreports cyber attacks
because it overclassifies information about cyber attacks on government
systems. Jim Lewis of the Center for Strategic and International
Studies, for example, recently explained that cybersecurity has a
unique problem in that some of the most reliable data is classified. It
was a rare exception when a November 2011 report by the Office of the
National Counterintelligence Executive identified China and Russia as
responsible for the systematic theft of American intellectual property
through cyber espionage. The legislation that we pass must shed light
on the scale and severity of the cyber threat to the American public.
In that vein, I am pleased the Cybersecurity Act of 2012 includes
provisions from the Cybersecurity Public Awareness Act, S. 813, which I
introduced with Senator Kyl. These provisions will at least begin to
improve the public's awareness of the current cyber threat environment
we face.
Second, we must recognize that inadequate awareness and inadequate
protection against cyber risks is endemic among our largest
corporations. Part of the problem is a gulf in cybersecurity awareness
between corporate chief information officers and corporate CEOs.
Carnegie Mellon's CyLab recently reported:
Boards and senior management still are not exercising
appropriate governance over the privacy and security of their
digital assets . . . These findings are consistent with the
complaints by CISO/CSOs that they cannot get the attention of
their senior management and boards and their budgets are
inadequate . . . There is still an apparent disconnect.
Nor is this an area in which the market can be trusted to work. As
former Bush Secretary of Homeland Security Michael Chertoff has
explained:
The marketplace is likely to fail in allocating the correct
amount of investment to manage risk across the breadth of the
networks on which our society relies.
This is not an area where corporations manage adequately on their
own. FBI Director Robert Mueller recently explained:
There are only two types of companies: those that have been
hacked and those that will be.
Even more trenchant, the McAfee report on the ``Shady RAT'' attacks
similarly stated it is possible to divide ``the entire set of Fortune
Global 2,000 firms into two categories: those that know they've been
compromised and those that don't yet know.''
Kevin Mandia of the leading security firm Mandiant has explained:
[I]n over 90 percent of the cases we have responded to,
government notification was required to alert the company
that a security breach was underway. In our last 50
incidents, 48 of the victim companies learned they were
breached from the Federal Bureau of Investigation, the
Department of Defense or some other third party.
The National Cybersecurity Investigation Joint Task Force, led by the
FBI, told me the same thing: more than 90 percent of the time the
corporate victim had no idea.
What we can conclude from this is that improved sharing of
cybersecurity threat information is necessary but is not sufficient to
protect our Nation's cybersecurity. Even a perfect information-sharing
process will not prevent cyber attacks if the information being shared
is incomplete. The blindness of most corporations to this threat limits
the effectiveness of corporate-to-corporate information sharing. The
NSA's Defense Industrial Base pilot--the so-called ``DIB'' pilot--
proved the government can share classified information
with trusted corporations, but it revealed significant risks and
limitations, particularly if the government were to share its most
sensitive intelligence information with a broad set of private
companies.
The third point I want to make this morning, and perhaps the most
important, is that this legislation on cybersecurity will have failed
if it does not ensure that our American critical infrastructure has
adequate cybersecurity. There must be a process for identifying
critical infrastructure, establishing appropriate security standards,
and ensuring that critical infrastructure companies meet the standard.
If an attack comes, we must be sure that America's most capable
defenses and countermeasures are pre-positioned to defend critical
American infrastructure. We simply cannot wait until an attack is
underway on basic needs and services on which we depend, such as our
electric grid, our communications networks, and the servers that
process our financial transactions. So there are two measures here: One
is that we must have a way to define critical infrastructure so we know
what it is and, just as important from a civil liberties perspective,
we know what it isn't. When we identify critical infrastructure on
which our safety and economic and national security depend, we are also
defining what does not qualify and where privacy concerns can be much
more important than national security concerns. Nobody wants government
in our chat rooms, e-mails, or social media; everyone gets why
government should protect the electric grids that bring power to our
homes.
The second is that once we identify our critical infrastructure, we
need to find a way for our national security assets to protect that
critical infrastructure. Our government has unique capabilities to
protect those basics, such as our electric grid.
As Kevin Mandia has explained:
[t]he majority of threat intelligence is currently in the
hands of the government.
Some of this information can be disclosed, but some cannot be, in
order to protect sensitive sources and methods. This requires us to
find other ways for our most sophisticated government capabilities to
protect our critical infrastructure. For example, we should think
seriously about the concept of secure domains and how they can be
deployed effectively while protecting civil liberties. I am glad
section 804 of the Cybersecurity Act of 2012 takes on that task by
requiring expert study of the advantages and disadvantages of
establishing secure domains for critical infrastructure.
If the business community can identify a workable alternative
approach, such as a voluntary or opt-in regulatory system, I am willing
to get to work, but we must not balk at taking on the hard question of
how to secure our critical American infrastructure.
The last point I want to make today is that Congress, in this bill,
should consider the appropriate structure and resources for the
cybersecurity and cyber crime mission of the Department of Justice, the
Federal Bureau of Investigation, and law enforcement components of the
Department of Homeland Security. We do not do enough to investigate,
prosecute, and take other appropriate legal action against cyber crime,
cyber espionage and other cyber threats. Last year's takedown by the
Department of Justice of the Coreflood botnet should be a regular
occurrence, not a special occurrence. But it will not be--it cannot
be--with our current cyber crime resources. The technical,
international, and legal aspects of these investigations are too
complex.
I spent 4 years as a United States attorney, and I spent 4 years as our
State's attorney general. These are astonishingly complicated and
difficult cases. They are massively resource intensive. So it is time
for a fundamental rethinking of cyber law enforcement resources: both
the level of resources and the manner in which they are structured. We
should be discussing whether cyber crime should have a dedicated
investigatory agency akin to the DEA or ATF or whether existing task
force models should be used. These are important questions the
legislation has not addressed. Accordingly, I plan to offer a floor
amendment that will require an expert study of our current cyber law
enforcement resources that can recommend a proper level of funding and
structure of forces going forward.
Once again, I thank my colleagues for their hard work to date on
cybersecurity issues. I urge that all of us join together to pass
cybersecurity legislation into law as soon as possible. Two years ago,
I said that because of cyber we in the United States are on the losing
end of the largest transfer of wealth through theft and piracy in the
history of the world. GEN Keith Alexander, who leads the National
Security Agency and U.S. Cyber Command, has reached the same conclusion
when saying recently that cyber theft is ``the greatest transfer of
wealth in history.'' McAfee likewise has recently evaluated the theft
of national secrets, source code, designs, and other documents, and
concluded that what ``we have witnessed over the past 5 to 6 years has
been nothing short of a historically unprecedented transfer of
wealth.''
We are the losers in that transfer of wealth. We cannot afford to
wait to address this enormous and ever-growing threat.
I thank the Chair, and I yield the floor.
The ACTING PRESIDENT pro tempore. The Senator from Oregon.
[...]