[Congressional Record Volume 158, Number 56 (Wednesday, April 18, 2012)]
[Senate]
[Pages S2458-S2459]
[...]

Cybersecurity

Mr. WHITEHOUSE. Madam President, our Nation's inadequate cybersecurity poses an ever-growing threat to our safety, our prosperity, and our privacy. Attackers go after our intellectual property, our national security, and our critical infrastructure. The McAfee Night Dragon Report, for example, concluded that foreign intruders had access to major oil, energy, and petrochemical companies' computer networks for at least 2 years and likely as many as 4 years.

Government reports are equally sobering, though usually classified. One that is not classified is the recent Department of Homeland Security report that attacks on computer systems that control critical infrastructure, factories, and databases increased almost eightfold in just the last 12 months. Secretary of Defense Leon Panetta has warned that ``the next Pearl Harbor we confront could very well be a cyber attack.''

Majority Leader Reid has recognized the severity of this national and economic security threat and intends to bring cybersecurity legislation to the Senate floor soon. We recognize too the hard work of Chairman Lieberman and Ranking Member Collins of the Homeland Security Committee, as well as Chairman Feinstein of the Intelligence Committee, and Senator Rockefeller of the Commerce Committee. The Cybersecurity Act of 2012, which they introduced--and I am proud to cosponsor--is a good start toward addressing the many cybersecurity threats that face this Nation. The SECURE IT Act, introduced by Senator McCain and seven colleagues, seeks to improve the sharing of cybersecurity threat information; the Federal Information Security Management Act, or FISMA, which governs cybersecurity at Federal agencies; and our cyber research and development.
There is considerable overlap between these bills, which signals that the Senate could legislate on cybersecurity in a bipartisan and serious manner. Support for cybersecurity legislation is also bicameral. The Cybersecurity Task Force constituted by House Republicans produced recommendations that share key points with our Cybersecurity Act of 2012. Numerous bills are working their way through the House on a bipartisan basis.

Central to that work in the House are the contributions of Rhode Island Congressman Jim Langevin. His leadership is a major reason the House has come to recognize the dangerous vulnerabilities within our critical infrastructure and that we now stand on the verge of a breakthrough in improving the security of those networks. When a test at the Idaho National Labs showed hackers could blow up a power generator from thousands of miles away, Congressman Langevin brought the owners and operators of our electric grid before Congress and investigated their promise that the issue was being addressed. When he found out that wasn't true, he called them out. His subsequent work as a cochair of the Center for Strategic and International Studies Commission on Cybersecurity, along with other experts from within and outside of government, resulted in many of the recommendations reflected in our legislation. Then, in 2010, Congressman Langevin passed a landmark cybersecurity amendment in the House that provided a legislative template for setting standards for critical infrastructure. I thank Jim Langevin, my colleague from Rhode Island, for his relentless commitment to keeping America safe in cyberspace.

I am here this morning to stress four points I believe we must keep in mind as we take up cybersecurity legislation.

The first is that cybersecurity legislation should improve the public's limited awareness of current cybersecurity threats and the harm those threats present to our national security, economy, and privacy.
The public, for years, has been kept in the dark, and that is wrong. The corporate sector systematically underreports cyber attacks for fear of scaring customers, for fear of encouraging competitors, or for fear of triggering regulatory review. I was pleased the Securities and Exchange Commission, after prompting by Senator Rockefeller and myself and others, issued guidance for when registered companies must disclose breach information.

The government itself systematically underreports cyber attacks because it overclassifies information about cyber attacks on government systems. Jim Lewis of the Center for Strategic and International Studies, for example, recently explained that cybersecurity has a unique problem in that some of the most reliable data is classified. It was a rare exception when a November 2011 report by the Office of the National Counterintelligence Executive identified China and Russia as responsible for the systematic theft of American intellectual property through cyber espionage.

The legislation that we pass must shed light on the scale and severity of the cyber threat to the American public. In that vein, I am pleased the Cybersecurity Act of 2012 includes provisions from the Cybersecurity Public Awareness Act, S. 813, which I introduced with Senator Kyl. These provisions will at least begin to improve the public's awareness of the current cyber threat environment we face.

Second, we must recognize that inadequate awareness and inadequate protection against cyber risks is endemic among our largest corporations. Part of the problem is a gulf in cybersecurity awareness between corporate chief information officers and corporate CEOs. Carnegie Mellon's CyLab recently reported:

Boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets . . .
These findings are consistent with the complaints by CISO/CSOs that they cannot get the attention of their senior management and boards and their budgets are inadequate . . . There is still an apparent disconnect.

Nor is this an area in which the market can be trusted to work. As former Bush Secretary of Homeland Security Michael Chertoff has explained:

The marketplace is likely to fail in allocating the correct amount of investment to manage risk across the breadth of the networks on which our society relies.

This is not an area where corporations manage adequately on their own. FBI Director Robert Mueller recently explained:

There are only two types of companies: those that have been hacked and those that will be.

Even more trenchant, the McAfee report on the ``Shady RAT'' attacks similarly stated it is possible to divide ``the entire set of Fortune Global 2,000 firms into two categories: those that know they've been compromised and those that don't yet know.'' Kevin Mandia of the leading security firm Mandiant has explained:

[I]n over 90 percent of the cases we have responded to, government notification was required to alert the company that a security breach was underway. In our last 50 incidents, 48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense or some other third party.

The National Cybersecurity Investigation Joint Task Force, led by the FBI, told me the same thing: more than 90 percent of the time the corporate victim had no idea.

What we can conclude from this is that improved sharing of cybersecurity threat information is necessary but is not sufficient to protect our Nation's cybersecurity. Even a perfect information-sharing process will not prevent cyber attacks if the information being shared is incomplete. The blindness of most corporations to this threat limits the effectiveness of corporate-to-corporate information sharing.
The NSA's Defense Industrial Base pilot--the so-called ``DIB'' pilot--proved the government can share classified information with trusted corporations, but it revealed significant risks and limitations, particularly if the government were to share its most sensitive intelligence information with a broad set of private companies.

The third point I want to make this morning, and perhaps the most important, is that this legislation on cybersecurity will have failed if it does not ensure that our American critical infrastructure has adequate cybersecurity. There must be a process for identifying critical infrastructure, establishing appropriate security standards, and ensuring that critical infrastructure companies meet the standard. If an attack comes, we must be sure that America's most capable defenses and countermeasures are pre-positioned to defend critical American infrastructure. We simply cannot wait until an attack is underway on basic needs and services on which we depend, such as our electric grid, our communications networks, and the servers that process our financial transactions.

So there are two measures here: One is that we must have a way to define critical infrastructure so we know what it is and, just as important from a civil liberties perspective, we know what it isn't. When we identify critical infrastructure on which our safety and economic and national security depend, we are also defining what does not qualify and where privacy concerns can be much more important than national security concerns. Nobody wants government in our chat rooms, e-mails, or social media; everyone gets why government should protect the electric grids that bring power to our homes.

The second is that once we identify our critical infrastructure, we need to find a way for our national security assets to protect that critical infrastructure. Our government has unique capabilities to protect those basics, such as our electric grid.
As Kevin Mandia has explained:

[t]he majority of threat intelligence is currently in the hands of the government. Some of this information can be disclosed, but some cannot be, in order to protect sensitive sources and methods.

This requires us to find other ways for our most sophisticated government capabilities to protect our critical infrastructure. For example, we should think seriously about the concept of secure domains and how they can be deployed effectively while protecting civil liberties. I am glad section 804 of the Cybersecurity Act of 2012 takes on that task by requiring expert study of the advantages and disadvantages of establishing secure domains for critical infrastructure. If the business community can identify a workable alternative approach, such as a voluntary or opt-in regulatory system, I am willing to get to work, but we must not balk at taking on the hard question of how to secure our critical American infrastructure.

The last point I want to make today is that Congress, in this bill, should consider the appropriate structure and resources for the cybersecurity and cyber crime mission of the Department of Justice, the Federal Bureau of Investigation, and law enforcement components of the Department of Homeland Security. We do not do enough to investigate, prosecute, and take other appropriate legal action against cyber crime, cyber espionage, and other cyber threats. Last year's takedown by the Department of Justice of the Coreflood botnet should be a regular occurrence, not a special occurrence. But it will not be--it cannot be--with our current cyber crime resources. The technical, international, and legal aspects of these investigations are too complex. I spent 4 years as a United States attorney; I spent 4 years as our State's attorney general. These are astonishingly complicated and difficult cases. They are massively resource intensive.
So it is time for a fundamental rethinking of cyber law enforcement resources: both the level of resources and the manner in which they are structured. We should be discussing whether cyber crime should have a dedicated investigatory agency akin to the DEA or ATF or whether existing task force models should be used. These are important questions the legislation has not addressed. Accordingly, I plan to offer a floor amendment that will require an expert study of our current cyber law enforcement resources that can recommend a proper level of funding and structure of forces going forward.

Once again, I thank my colleagues for their hard work to date on cybersecurity issues. I urge that all of us join together to pass cybersecurity legislation into law as soon as possible.

Two years ago, I said that because of cyber we in the United States are on the losing end of the largest transfer of wealth through theft and piracy in the history of the world. GEN Keith Alexander, who leads the National Security Agency and U.S. Cyber Command, has reached the same conclusion when saying recently that cyber theft is ``the greatest transfer of wealth in history.'' McAfee likewise has recently evaluated the theft of national secrets, source code, designs, and other documents, and concluded that what ``we have witnessed over the past 5 to 6 years has been nothing short of a historically unprecedented transfer of wealth.'' We are the losers in that transfer of wealth. We cannot afford to wait to address this enormous and ever-growing threat.

I thank the Chair, and I yield the floor.

The ACTING PRESIDENT pro tempore. The Senator from Oregon.

[...]