[Congressional Record Volume 158, Number 103 (Wednesday, July 11, 2012)]
[Senate]
[Pages S4846-S4848]
Cybersecurity
Mr. WHITEHOUSE. Madam President, I rise to speak about cybersecurity,
but specifically about the cyber threat to our Nation's critical
infrastructure. By critical infrastructure I mean the power grid that
supplies electricity to our homes that keeps us warm in the winter and
cool in the summer. I mean the financial services' processing systems
that connect our ATMs to our accounts and move money around in our
complex financial system. I mean the communications networks by which
we talk and e-mail and text and message one another.
The men and women we have charged with our Nation's defense and we
have confirmed in these roles in the Senate have repeatedly and
consistently warned us about the danger of cyber attacks on this
critical infrastructure. It provides power and light and heat, tracks
and records financial transactions, allows communication and data
transfer, keeps airlines safe in the air, controls our dams, and
enables our commerce. The consequences of failure in these areas could
be catastrophic. We must pay heed to these warnings about America's
critical infrastructure as we consider cybersecurity legislation.
The administration has described this cyber threat in no uncertain
terms. The Director of National Intelligence, James Clapper, has
stated:
[I]t's clear from all that we've said [that] we all
recognize we need to do something. . . . We all recognize
this as a profound threat to this country, to its future, to
its economy, to its very being.
Secretary of Defense Leon Panetta has warned:
The next Pearl Harbor we confront could very well be a
cyber attack.
Secretary of Homeland Security Janet Napolitano has compared this
threat to the September 11 attacks.
Prior to 9/11, there were all kinds of information out
there that a catastrophic attack was looming. . . . The
information on a cyberattack is at that same frequency and
intensity and is bubbling at the same level, and we should
not wait for an attack in order to do something.
Attorney General Holder stressed the urgency of responding to this
threat in a recent Senate Judiciary Committee hearing. He said:
This is a problem that we must address, our nation is
otherwise at risk and to ignore this problem, to think it is
going to go away runs headlong into all of the intelligence
we have gathered, the facts we have been able to accrue which
show that the problem is getting worse instead of getting
better. There are more countries that are becoming more adept
at the use of these tools, there are groups that are becoming
more adept at the use of these tools, and the harm that they
want to do to the United States and to our infrastructure
through these means is extremely real.
Chairman of the Joint Chiefs of Staff Martin Dempsey has warned that
``a cyber attack could stop society in its tracks.''
NSA Director and U.S. Cyber Commander GEN Keith Alexander, a four-
star general, has stated:
We see this as something absolutely vital to the future of
our country. Cybersecurity for government and critical
infrastructure is key to the security of this Nation.
A recent report from the Department of Homeland Security found that
companies which operate critical infrastructure have reported a sharp
rise in cybersecurity incidents over the past 3 years. Companies
reported 198 cyber incidents in 2011, up from 41 incidents in 2010, and
just 9 in 2009. This may reflect that the private sector is just now
beginning to catch on. It is unfortunate but true that the private
sector cannot be counted on to respond to this growing challenge on its
own.
As Deputy Secretary of Defense Ashton Carter has explained, and I
quote again:
There is a market failure at work here. . . . Companies
just aren't willing to admit vulnerability to themselves, or
publicly to shareholders, in such a way as to support the
necessary investments or lead their peers down a certain path
of investment and all that would follow.
These were administration warnings, but the concerns are bipartisan.
A wide range of national security experts from previous Republican
administrations have echoed this alarm. Former Director of National
Intelligence and NSA Director ADM Mike McConnell has said, and I quote:
The United States is fighting a cyber-war today, and we are
losing. It's that simple.
He explained:
As the most wired nation on Earth, we offer the most
targets of significance, yet our cyber defenses are woefully
lacking. . . . The stakes are enormous. To the extent that
the sprawling U.S. economy inhabits a common physical space,
it is in our communications networks. If an enemy disrupted
our financial and accounting transactions, our equities and
bond markets or our retail commerce--or created confusion
about the legitimacy of those transactions--chaos would
result. Our power grids, air and ground transportation,
telecommunications and water filtration systems are in
jeopardy as well.
That ends the quote from Admiral McConnell.
Admiral McConnell also made a comparison to threats from the past.
The cyber-war mirrors the nuclear challenge in terms of the
potential economic and psychological effects. . . . We
prevailed in the Cold War through strong leadership, clear
policies, solid alliances and close integration of our
diplomatic, economic, and military efforts. We backed all of
this up with robust investments--security never comes cheap.
It worked, because we had to make it work. Let's do the same
with cybersecurity. The time to start was yesterday.
Former Deputy Secretary of Defense Paul Wolfowitz has also echoed the
administration's warning that a cyber attack has the potential of
causing devastation on the scale of another September 11. He stated:
I hope we do not have to wait for the cyber-equivalent of
9/11 before people realize that we are vulnerable.
Former Assistant Secretary for Policy at the Department of Homeland
Security Stewart Baker has compared the threat to the catastrophic
effects of Hurricane Katrina.
We must begin now to protect our critical infrastructure
from attack. And so far, we have done little. We are all
living in a digital New Orleans. No one really wants to spend
the money reinforcing the levees. But the alternative is
worse. . . . And it is bearing down on us at speed.
Former NSA Director and CIA Director Michael Hayden has said:
We have entered into a new phase of conflict in which we
use a cyberweapon to create physical destruction, and in this
case, physical destruction in someone else's critical
infrastructure.
Former Republican officials have also noted the cybersecurity gap in
the private sector due to this market failure. Former Secretary of
Homeland Security Chertoff said:
The marketplace is likely to fail in allocating the correct
amount of investment to manage risk across the breadth of the
network on which our society relies.
The following examples are emblematic of the market failure that both
Democratic and Republican national security officials have identified
in this cybersecurity area for critical infrastructure.
When the FBI-led National Cyber Investigative Joint Task Force
informs an American corporation that it has been hacked, 9 times out of
10 that American corporation had no idea.
Kevin Mandia of the leading security firm Mandiant has said, and I
quote:
In over 90 [percent] of the cases we have responded to,
Government notification was required to alert the company
that a security breach was underway. In our last 50
incidents, 48 of the victim companies learned they were
breached from the Federal Bureau of Investigation, the
Department of Defense, or some other third party.
In operation Aurora, the cyber attack which targeted numerous
companies, most prominently Google, only 3 out of the approximately 300
companies
attacked were aware that they had been attacked before they were
contacted by the government.
We cannot count on the private sector to defend itself against a
threat about which it is so unaware. An advanced persistent intrusion
of the U.S. Chamber of Commerce's systems also went undetected until
the chamber received help from the government. The Wall Street Journal
reported that a group of hackers in China breached the computer
defenses of the U.S. Chamber, gained access to everything stored in its
systems, including information about its 3 million members, and
remained on the network for at least 6 months and possibly more than a
year. The chamber only learned of the break-in, according to the
article, when the FBI told the group that servers in China were
stealing its information. The special expertise of our national
security agencies is a consistent theme through these examples. As
former Assistant Attorney General, OLC Director, and Harvard Law School
Professor Jack Goldsmith has explained:
The government is the only institution with the resources
and the incentives to ensure that the [critical
infrastructure] on which we all depend is secure, and we must
find a way for it to meet its responsibilities.
By the way, that was Goldsmith at the Department of Justice in the
Bush administration. This is a Republican appointee speaking. These
warnings have been repeatedly communicated to us in the Senate. We
cannot plead ignorance of them.
I ask unanimous consent to have printed in the Record a letter to
Senate Majority Leader Reid and Minority Leader McConnell dated January
19, 2012.
There being no objection, the material was ordered to be printed in
the Record, as follows:
January 19, 2012.
Hon. Harry Reid,
Majority Leader, U.S. Senate,
Washington, DC.
Hon. Mitch McConnell,
Minority Leader, U.S. Senate,
Washington, DC.
Dear Majority Leader Reid and Minority Leader McConnell, We
write to urge the Senate to take up, debate, and pass
legislation to strengthen our nation's cybersecurity.
As former executive branch officials who shared the
responsibility for our nation's security, we are deeply
concerned by the severity and sophistication of the cyber
threats facing our nation. These threats demand a response.
Congress must act to ensure that appropriate tools,
authorities, and resources are available to the executive
branch agencies, as well as private sector entities, that are
responsible for our nation's cybersecurity. The Senate is
well-prepared to take up legislation in this important
national security field, and to do so in a bipartisan manner
in the best traditions of the Senate.
Every week brings new reports of cyber intrusions into
American companies or government agencies, new disclosures of
the breach of Americans' private information, or new
revelations of incidents of cyber disruption or sabotage. The
present cyber risk is shocking and unacceptable. Control
system vulnerabilities threaten power plants and the critical
infrastructure they support, from dams to hospitals. Reported
intrusions into defense contractors and military systems
reveal the direct national security cost of cyber attacks.
Evaluations of the Night Dragon and Aurora attacks reveal the
vulnerability of our most advanced and essential industries
to sophisticated hackers. The recent report by the Office of
the National Counterintelligence Executive makes clear that
foreign states are waging sustained campaigns to gather
American intellectual property--the core assets of our
innovation economy--through cyber-enabled espionage. The
growing threat of terrorist organizations acquiring cyber
capabilities and using them against American interests opens
another battlefront in cyberspace. And every day, Americans'
identities are compromised by international criminals who
have built online marketplaces for buying and selling
Americans' bank account numbers and passwords.
This constant barrage of cyber assaults has inflicted
severe damage to our national and economic security, as well
as to the privacy of individual citizens. The threat is only
going to get worse. Inaction is not an acceptable option.
Senate committees of jurisdiction have done important,
bipartisan work developing legislation to strengthen our
nation's cybersecurity. The Administration likewise has
weighed in with a set of legislative proposals. The stage
thus is set for the Senate to take up cybersecurity
legislation. We believe that it can and should undertake this
work in keeping with its best, bipartisan traditions,
addressing this pressing national security need with the
seriousness that it deserves.
We urge the Senate to do so in short order: the rewards of
increased security for our country, particularly our private
sector critical infrastructure, will be rapid and profound.
Sincerely,
Michael Chertoff.
William J. Lynn III.
J. Michael McConnell.
Richard Clarke.
Dr. William J. Perry.
Paul Wolfowitz.
Jamie Gorelick.
Gen. (ret.) James Cartwright, USMC.
Mr. WHITEHOUSE. This explains that the threat is only going to get
worse; inaction is not an acceptable option. This letter was signed by
former Secretary of Homeland Security Michael Chertoff, former Deputy
Secretary of Defense Paul Wolfowitz, former Director of National
Intelligence and NSA Director ADM Mike McConnell, former Vice Chairman
of the Joint Chiefs of Staff General James Cartwright, former Defense
Secretary Dr. William Perry, former Deputy Attorney General Jamie
Gorelick, former Deputy Secretary of Defense William J. Lynn, III, and
former Special Advisor to the President for Cyber Security, Richard
Clarke.
I also have a letter written to Majority Leader Reid and Minority
Leader McConnell, dated June 6, 2012, which I ask unanimous consent to
have printed in the Record.
There being no objection, the material was ordered to be printed in
the Record, as follows:
June 6, 2012.
Dear Senators Reid and McConnell, We write to urge you to
bring cyber security legislation to the floor as soon as
possible. Given the time left in this legislative session and
the upcoming election this fall, we are concerned that the
window of opportunity to pass legislation that is in our view
critically necessary to protect our national and economic
security is quickly disappearing.
We have spoken a number of times in recent months on the
cyber threat--that it is imminent, and that it represents one
of the most serious challenges to our national security since
the onset of the nuclear age sixty years ago. It appears that
this message has been received by many in Congress--and yet
we still await conclusive legislative action.
We support the areas that have been addressed so far, most
recently in the House: the importance of strengthening the
security of the federal government's computer networks,
investing in cyber research and development, and fostering
information sharing about cyber threats and vulnerabilities
across government agencies and with the private sector. We
urge the Senate to now keep the ball moving forward in these
areas by bringing legislation to the floor as soon as
possible.
In addition, we also feel that protection of our critical
infrastructure is essential in order to effectively protect
our national and economic security from the growing cyber
threat. Infrastructure that controls our electricity, water
and sewer, nuclear plants, communications backbone, energy
pipelines and financial networks must be required to meet
appropriate cyber security standards. Where market forces and
existing regulations have failed to drive appropriate
security, we believe that our government must do what it can
to ensure the protection of our critical infrastructure.
Performance standards in some cases will be necessary--these
standards should be technology neutral, and risk and outcome
based. We do not believe that this requires the imposition of
detailed security regimes in every instance, but some
standards must be minimally required or promoted through the
offer of positive incentives such as liability protection and
availability of clearances.
Various drafts of legislation have attempted to address
this important area--the Lieberman/Collins bill having
received the most traction until recently. We will not
advocate one approach over another--however, we do feel
strongly that critical infrastructure protection needs to be
addressed in any cyber security legislation. The risk is
simply too great considering the reality of our
interconnected and interdependent world, and the impact that
can result from the failure of even one part of the network
across a wide range of physical, economic and social systems.
Finally, we have commented previously about the important
role that the National Security Agency (NSA) can and does
play in the protection of our country against cyber threats.
A piece of malware sent from Asia to the United States could
take as little as 30 milliseconds to traverse such distance.
Preventing and defending against such attacks requires the
ability to respond to them in real-time. NSA is the only
agency dedicated to breaking the codes and understanding the
capabilities and intentions of potential enemies, even before
they hit ``send.'' Any legislation passed by Congress should
allow the public and private sectors to harness the
capabilities of the NSA to protect our critical
infrastructure from malicious actors.
We carry the burden of knowing that 9/11 might have been
averted with the intelligence that existed at the time. We do
not want to be in the same position again when `cyber 9/11'
hits--it is not a question of `whether' this will happen; it
is a question of `when.'
Therefore we urge you to bring cyber security legislation
to the floor as soon as possible.
Sincerely,
Hon. Michael Chertoff,
Hon. J. Mike McConnell,
Hon. Paul Wolfowitz,
Gen. Michael Hayden,
Gen. James Cartwright (RET),
Hon. William Lynn III.
Mr. WHITEHOUSE. Secretary Chertoff, Admiral McConnell, Deputy
Secretary Wolfowitz, General Hayden, and General Cartwright urged us
to:
. . . bring cyber security legislation to the floor as soon
as possible. Given the time left in this legislative session
and upcoming election this fall, we are concerned that the
window of opportunity to pass legislation that is in our view
critically necessary to protect our national and economic
security is quickly disappearing.
They specifically focused on the threat to critical infrastructure,
stating that ``protection of our critical infrastructure is essential
in order to effectively protect our national and economic security from
the growing cyber threat.''
We must not ignore this chorus of warnings issued by those who are
the most informed and most alert about the danger to our critical
infrastructure. We must pass cybersecurity legislation, and we must
ensure that the cybersecurity legislation we pass addresses our
Nation's critical infrastructure. No bill that fails to address
critical infrastructure can be said to have done the job of protecting
our country.
Our Nation will be vulnerable if critical infrastructure companies
fail to meet basic security standards, as they do right now.
Legislation must include a mechanism to end this continuing
vulnerability. If operators object to a particular approach to
cybersecurity for our critical infrastructure on the basis that it is
too burdensome or too unwieldy, they will find many Members of the
Senate on both sides--myself and Senator Blumenthal included--who are
ready and eager to work with them. But if the purpose of the exercise
is to come to an end point in which the operators of our critical
infrastructure do not have to reach adequate levels of cybersecurity,
then we need to move on and we need to vote and go beyond that.
The question of how we get to cybersecurity is one we should engage
in the Senate. The question of whether we protect our privately held
critical infrastructure in a responsible way is one we should not allow
to deter us from getting this job done to protect our national and
economic security.
Whatever the ultimate solution, we simply must find a way to improve
the cybersecurity of our critical infrastructure.
I yield the floor to Senator Blumenthal, who has been engaged in
efforts with me to try to find a way through to a bipartisan bill that
will protect our critical infrastructure. He has expertise in this area
as a superbly trained lawyer, a multiply elected Attorney General of
his home State, a former marine dedicated to our national security, and
as a person who brings the highest level of legal talent to this
discussion, having argued, I think, five separate cases before the U.S.
Supreme Court. He has been an enormous asset, and I appreciate his
participation.
I yield the floor.
The ACTING PRESIDENT pro tempore. The Senator from Connecticut.
Mr. BLUMENTHAL. Madam President, I thank the Senator from Rhode
Island, my distinguished colleague, for those very generous remarks.
Actually, I had four arguments in the Supreme Court. The rest was
similarly exaggerated as to my qualifications. But I thank the Senator
from Rhode Island. Most importantly, I thank him for his extraordinary
work on this issue and for his leadership and vision as well as his
courage.
I wish to emphasize a number of the points he made so powerfully in
his remarks earlier. First and most significantly, the United States is
under cyber attack. The question is, How do we respond? It is our
national interests that are at stake.
Every day this Nation suffers attempted intrusions, attempted
interference, and attempted theft of our intellectual property as a
result of the ongoing attacks we need to stop, deter, and answer.
National security is indistinguishable from cybersecurity. In fact,
cybersecurity is a matter of national security and not only so far as
our defense capabilities; our actual weapons systems are potentially
under attack and interference, but also, as my colleague from Rhode
Island said so well, because our critical infrastructure is every day
at risk--our facilities in transportation, our financial systems, our
utilities that power our great cities and our rural areas and our
intellectual property, which is so valuable and which every day is at
risk and, in fact, is taken from us wrongfully, at great cost to our
Nation.
The number and sophistication of cyber attacks has increased
dramatically over the past 5 years. All the warnings--bipartisan
warnings--say those attacks will continue and will be mounted with
increasing intensity. In fact, experts say that with enough time,
motivation, and funding, a determined adversary can penetrate nearly
any system that is accessible directly from the Internet.
The United States today is vulnerable. To take the Pearl Harbor
analysis that our Secretary of Defense has drawn so well, we have our
``ships'' sitting unprotected today, as they were at the time of the
Pearl Harbor attack. Our ships today are not just our vessels in the
sea but our institutions sitting in this country and around the world,
our critical infrastructure, which is equally vulnerable to
sophisticated and unsophisticated hackers.
In fact, the threat ranges from the hackers in developing countries--
unsophisticated hackers--to foreign agents who want to steal our
Nation's secrets, to terrorists who seek ways to disrupt that critical
infrastructure.
It is not a matter simply of convenience. We are not talking about
temporary dislocations, such as the loss of electricity that the
Capital area suffered recently or that our States in New England
suffered as a result of the recent storms last fall; we are talking
about permanent, severe, lasting disruptions and dislocations of our
financial and power systems that may be caused by this interference.
One international group, for example, accessed a financial company's
internal computer network and stole millions of dollars in just 24
hours.
Another such criminal group accessed online commercial bank accounts
and spread malicious computer viruses that cost our financial
institutions nearly $70 million.
One company that was recently a victim of intrusion determined it
lost 10 years' worth of research and development--valued at $1
billion--virtually overnight. These losses are not just for the
shareholders of these companies, they are to all of us who live in the
United States because the losses, in many instances, are losses of
information to defense companies that produce our weapons, losses of
property that has been developed at great cost to them and to our
taxpayers. We should all be concerned about such losses.
As Shawn Henry, the Executive Assistant Director of the FBI, has
said: ``The cyber threat is an existential one, meaning that a major
cyber attack could potentially wipe out whole companies.''
Those threats to our critical infrastructure, as we have heard so
powerfully from my colleague from Rhode Island, are widespread and
spreading.
Industrial control systems, which help control our pipelines,
railroads, water treatment facilities, and powerplants, are at an
elevated risk of cyber exploitation today--not at some point in the
future but today. The FBI warns that a successful cyber attack against
an electrical grid ``could cause serious damage to parts of our cities,
and ultimately even kill people.''
The Department of Homeland Security said that last year they had
received nearly 200 reports of suspected cyber incidents, more than 4
times the number of incidents reported in 2010.
In one such incident, more than 100 computers at a nuclear energy
firm were infected with a virus that could have been used to take
complete control of that company's system.
These reports, these warnings, go on.
In summary, the Director of the FBI said it best: ``We are losing
data, we are losing money, we are losing ideas, and we are losing
innovation.''
Those threats are existential to our Nation, and we must address them
now--not simply as a luxury, not as a possibility but as a need now.
I thank the Senator from Rhode Island, as well as my distinguished
fellow Senator from Connecticut, Joseph Lieberman, and others on the
other side, such as Senators McCain, Collins, Graham, and Chambliss, as
well as other colleagues on this side, for their leadership in this
area. They have started this effort with great dedication.
There has been substantial work done already. No one here has ignored
this threat. We must move forward for the sake of our Nation's
security. Our cybersecurity must be addressed as soon as possible.
Cybersecurity is not an issue we can wait to address until we see the
results of failure. The consequences of a debilitating attack would be
catastrophic to our Nation. I hope we can continue to fill the
consensus, which the Senator from Rhode Island has been working to do,
with other colleagues, so we can come together, as he said--not whether
but how--and do it in a bipartisan way. This issue has elicited, very
commendably and impressively, colleagues from both sides who have been
working on this issue with dedication and diligence. I hope the body as
a whole will match the vigor that is appropriate.
Again, I thank the Senator from Rhode Island. Part of our challenge
will be to elicit better agency coordination. If the Senator from Rhode
Island wishes to comment further, I hope perhaps he can respond to the
question of how soon we should come together and work on this issue. Is
it a problem we can delay until the next session or should we try to
address it during the coming months of this session before we close?
The ACTING PRESIDENT pro tempore. The Senator from Rhode Island.
Mr. WHITEHOUSE. Madam President, I am delighted to respond to the
Senator in two ways. First, as the Senator so well pointed out, this is
not a future threat or a prospective threat that we need to prepare
ourselves against; this is an ongoing, current threat. There is a
campaign of attacks into our national security infrastructure, into our
intellectual property, and into our critical infrastructure, such as
the power grids and the communications networks we count on in our
daily lives for what we consider the American standard of living here
at home. So time is not our friend.
As one of the individuals I quoted said--I think Admiral McConnell--
the day to get this done was yesterday. So the sooner the better. We do
need to form a consensus in this body, enough to move through the
parliamentary obstacles that exist in this body, which allows us to go
forward and will allow us to go forward in a way that does something
serious about forcing the operators of our critical infrastructure to
put in adequate cybersecurity protections. If they have to do it
because they have incentives to do it, that is one way of getting
there. If they have to do it because there are regulations that demand
it, that is another way of getting there. There are different ways of
getting there. And as the Senator from Connecticut and I have
discussed--and we are actually working together on this--we are open to
different ways to get there, but it should be agreed amongst us in the
Senate that getting there, getting to the point where America's
critical infrastructure is protected from cyber attack as reasonably
well as we can should be the nonnegotiable goal. Anything short of that
should be seen as failure.
There is another thing I wanted to add. The Senator was very generous
in his remarks and credentialing of a great number of Senators who have
been working very hard. I would also like to single out Senator Coons,
who has been very helpful in our efforts.
I will stay on our side of the aisle at this point and add in
particular Senator Mikulski. Barbara Mikulski serves on the
Intelligence Committee. She is keenly aware of the cyber threat. She
has taken deep dives into this issue in her role as a cardinal on the
Appropriations Committee. She does the appropriations for many of the
national security agencies and law enforcement agencies that are deeply
involved in this. So when she speaks, she speaks with real authority
and she speaks with real impact. Her participation in this effort is
extraordinarily helpful, in addition to the efforts of the many
Senators whom my colleague singled out as well.
With that, I yield the floor. I see the Senator from Louisiana is
here, and I thank the Senator from Connecticut.
Mr. BLUMENTHAL. I thank the Senator and the Chair.
The PRESIDING OFFICER (Mr. Franken). The Senator from Louisiana.