Copyright ©2009 by Federal News Service, Inc., Ste. 500, 1000 Vermont Ave, Washington, DC 20005 USA. Federal News Service is a private firm not affiliated with the federal government. No portion of this transcript may be copied, sold or retransmitted without the written authority of Federal News Service, Inc. Copyright is not claimed as to any part of the original work prepared by a United States government officer or employee as a part of that person's official duties. For information on subscribing to the FNS Internet Service at www.fednews.com, please email Carina Nyberg at firstname.lastname@example.org or call 1-202-216-2706.
REP. THOMPSON: Good afternoon. I'll keep my remarks brief so we can get to your questions.
The electric grid is highly dependent on computer-based control systems. These systems are increasingly connected to open networks, such as the Internet, exposing them to cyber-risk. Any failure of our electric grid, whether intentional or unintentional, would have a significant and potentially devastating impact on our nation.
The FBI has identified multiple sources of threats to these systems, including terrorists, foreign nation states, domestic criminals and hackers and disgruntled employees.
According to recent news reports, the threats to the grid are not simply theoretical. The Wall Street Journal reported two weeks ago that part of the grid have been penetrated by spies from China, Russia and other countries. For many years, members of the Homeland Security Committee where Peter King is Ranking Member on the House, have conducted and been concerned about this possibility.
As far back as 2007, the committee became concerned that the electric industry was not mitigating a dangerous control system vulnerability known as Aurora and I'm going to ask, Jake, do you want to show a little --
MS. : (Off mike.) Power companies use to bring electricity to your home. It shows -- (inaudible) -- but all it took was a computer -- (inaudible) --
REP. THOMPSON: And what you see here is some of the potential vulnerabilities that this bill will address.
Right now, FERC has the responsibility for working with the electric industry, but the industry polices itself, and so, basically, what we want to do in this bill is to give FERC additional authority to require industry to do what's in their best interest from the cyber standpoint.
They've been good so far, but now that we know that potential threats are out here, and, in fact, hacking and other situations have occurred, we think it's in our best interests that this legislation be put forth today.
I will turn to the chairman of my counterpart committee, Senator Lieberman, and after him, the Ranking Member of the full committee, Peter King from New York, will also give comment.
SEN. LIEBERMAN: Thanks very much, Chairman Thompson, a pleasure to be with you and Congressman King, and thanks for the very important work that you've done to develop a record that leads to the submission of this legislation today.
We just held a hearing on the Senate committee on the overall cyberspace Tuesday morning of this week, and you know, there are two facts that just jump out, one is, maybe the three facts, we rely on cyberspace for so much of what is at the heart of our way of life today and probably we're ahead of most of the rest of the countries of the world in that regard.
Secondly, our cyber systems are under constant attack and Chairman Thompson mentioned some of the cases. We heard testimony at our hearing the other day about a situation a while back where $10 million was taken, transferred by computer out of ATM accounts in 49 different banks within a 30-second period, excuse me, 30-minute period. It's unbelievable. And there could have even been more if the banks hadn't had certain limits on it.
So, okay, second reality, we're under constant attack. Third reality is that we're not adequately defended, and therefore, the basic systems, including, most particularly, electricity on which we depend are not protected.
This has got to change. We've got to close the gap between the attacks on us and our ability to defend them. The White House asked Melissa Hathaway, who I think is -- whose title whose exact name I forget, but she works both with the National Security Council and the Homeland Security Council on cyber matters, just completed a 60-day review of our cybersecurity and we expect the president will announce proposals soon that it will include increased resources. But we're focusing today on an area as the video that Chairman Thompson showed of proven, unfortunate, vulnerability here and it is the area on which just about everything else depends because all the cyber systems are hooked into electricity in one way or the other.
So I'm very happy to be joining with my colleagues here because of the urgency of this situation.
Two years ago, the Department of Homeland Security disclosed serious vulnerabilities in the cyber networks that help support the electric grid, but the truth is that there's not the authority in DHS, Department of Homeland Security or the Federal Energy Regulatory Commission to really do anything about it, to mandate it.
So we are going to give them the authority with this piece of legislation. It starts with the Department of Homeland Security, which has the central responsibility under law today in making a determination that there is a problem, there is a vulnerability, there is a threat to the electric grid. It issues that determination to FERC and then FERC must take action as part of its ongoing regulatory authority over electric utilities around the country.
The bill also directs FERC to immediately address the vulnerabilities that the Department of Homeland Security did identify in 2007 and it authorizes FERC to protect sensitive proprietary information provided to it as part of the security process by the private sector.
Incidentally, we're not the only ones who think this legislation is necessary. The former chairman of FERC, the chairman of NERC, which is the association of the utilities, numerous cyber security experts and even representatives from the industry have told Congress that this additional authority is necessary.
So I think we're taking a step very much in the interests of our national security, hope it can move this bill through both chambers and to the president as soon as possible.
Peter King, my friend and neighbor.
REP. KING: Thank you, Senator Lieberman, Chairman Lieberman and Chairman Thompson.
Let me use the outset and say how vital this issue is and how important it is that it be treated in a bipartisan way and bicameral way. So I want to first thank Chairman Thompson for making this a truly bipartisan effort. I know Dan Lungren, who is the Ranking Member on the Cyber Security Subcommittee, supports this legislation. He intends to be here today, and, of course, Senator Lieberman has always been truly bipartisan and a real champion on the entire issue of Homeland Security, and of course, cyber security being interrelated to that.
I'll make my remarks brief, but we are aware, obviously, of penetration by foreign countries into the electric grid. We know how vital this is. And I just use, really, what turns out now to be a small example, but it speaks volumes, in the summer of 2003 when we had the blackout in the Northeast, I mean, that caused absolute chaos for 24 hours, 48 hours, whatever it was and that was minimal compared to any type of organized or systematic attack. Our country would be vulnerable. Our economy would be vulnerable and I believe this legislation does strike the right balance by establishing Homeland Security as a key department as far as determining whether or not there is a threat or there is a danger and then having FERC, which has the expertise to step in that stage.
So I think, again, it is the appropriate balance. I guess it's always subject to change as you go forward. But I think it's important for us to get this started, and I think right now it appears to me that Senator Lieberman has really put together and Chairman Thompson a bill which does strike that right balance.
So with that, I am proud to be a co-sponsor. I look forward to working with the chairman on it and getting as much bipartisan support we can and also, obviously, working with Senator Lieberman.
Thank you very much.
REP. THOMPSON: We will be happy to entertain any questions, but if I can, let me give you what we think are the high points of the bill. First of all, the bill requires DHS to do ongoing cyber threat and vulnerability assessments to the grid. It gives FERC authority to issue emergency orders upon receipt of findings from DHS that a threat is imminent.
It allows FERC to review existing cyber security standards and, if necessary, make changes to the standards if they are inadequate. It also requires DHS to determine if the security of federally-owned, critical electric infrastructure has been compromised by adversaries.
Right now, under the present scenario, FERC is more or less there for advice and consent and what we want to do in this bill is give them the authority that I've just outlined to carry that to the point of making the assessment and working with the industry on correcting those identified vulnerabilities.
Q (Off mike.)
REP. THOMPSON: Well, I think, the more the merrier. This bill is tailored strictly so that jurisdiction lies within Homeland Security in both bodies and if there is an opportunity to expand it and find others who are interested, likewise, I'm sure none of us would oppose it.
SEN. LIEBERMAN: Yeah. I must just add something that we were talking about this legislation. As you know in the stimulus proposal, there's funding for the so-called smart grid and one of the advantages of a new generation of a smart electric grid is that we can require FERC -- built into it are protections against cyber attack. That would be a great advantage.
Q (Off mike.) There has been criticism about the reporting and the information flow and the procedures that were put in place a couple of years ago to improve the coordination of information to be shared was not adequate and I'm wondering what your concerns are -- (inaudible) --
REP. THOMPSON: Well, I'm not informed on the particular comment that you have. I've heard just opposite. I've heard that information has been forthcoming. Secretary Napolitano has been out front on sharing information, the coordination with HHS and CDC has been very good.
One of the reporting requirements that some people look at is they actually ask state and locals to identify any potential threat that might go with this particular flu incident, and I think those numbers have increased because people are now looking more than they had been earlier.
SEN. LIEBERMAN: I agree with Chairman Thompson. I haven't heard any complaints unless you want to convey some now, but see -- I think that this is one of those cases where, fortunately, the federal government really has been prepared and the preparation is based on some failures to be prepared earlier.
There was a flu outbreak in 2003, I believe, which we didn't handle very well, including some shortages of medicine to treat it and first beginning under the Bush administration and now into this administration, a series of presidential directives were issued. There actually was a preexisting national plan for how to react in a case of a flu/influenza epidemic or a pandemic and that plan has been implemented and there's heavy emphasis in that plan on very open communications, also, because most significantly now as part of that plan and earlier action, we have these 50 million doses of the anti- viral medicine, which is a tremendous asset as we go into this.
REP. KING: Yeah. If I can say in a bipartisan way, certainly, medical officer on the minority staff on the Homeland Security Committee, she tells me she's getting full updates, full briefings from Secretary Napolitano, from the CDC. I spoke with Secretary Napolitano. I certainly can't speak for Mayor Bloomberg, but I believe that in New York City where they did have the outbreak at St. Francis Prep School, they believe there's been extraordinary cooperation.
I don't want to speak for Dan Lungren and I know yesterday at the briefing we had, he stood up and actually commended CDC because there was a case at a school in his district of how quickly they responded and how much cooperation there was.
So I also agree with Senator Lieberman. I think a lot has been in place and maybe this is one of the beneficiaries of being ready for a terrorist attack. We do have stockpiles of antivirals. We do have protocols in place and we're applying them now to this threatened pandemic.
Q If I could follow up on swine flu. If -- (inaudible) -- would you all enforce at the border -- (inaudible) -- and would you ever -- (inaudible) -- closing part or all of the borders?
SEN. LIEBERMAN: If I may because we had Secretary Napolitano before us yesterday and this was discussed for quite a while because, one, if you look at the existing protocols that they put into place when the emergency was declared last Sunday of surveillance or review of people coming across the border from Mexico, they're not really effective and there's a reason for it.
There's a lot of people, hundreds of thousands and one estimate is over 800,000 and we should get that more specifically, a day, come over and some people just come over just to go shopping and then go right back.
It's very hard to stop. Right now, the Customs and Border Protection people are just looking at people going by and I gather if they think -- if they see them sneeze or if they don't sneeze at that moment they go by, they'll pull them aside and they'll be looked at by doctors who are called to the scene.
So the first question that we asked yesterday of Secretary Napolitano was to please take a look at a more aggressive review of people, examination of people as they come over from Mexico. This is all done only because of the fact that, obviously, this swine flu problem began in Mexico and they have more cases than we do at this point and Secretary Napolitano said she would look at ramping up those examinations as people come across the border.
We asked about whether at any point, either one of the witnesses before us could see closing the border temporarily and I was quite interested that the representative of CDC, Admiral Schuchat, said, no, under no circumstances could she see it because the H1N1 virus is already here in the United States.
Well, most of us on the committee of both parties were skeptical about that answer and we're just lay people, I'm hastened to say because my assumption is that, look, the Mexican government is considering banning gatherings of people in public places because they're worried about the contagion passing from one to another. If we get to a point where we're, fortunately, stopping the spread of the flu here and it's not happening yet in Mexico, you have to ask and I just asked as a lay person, don't we reduce the risk of the disease spreading here by just letting people come over from the place where they have more of the flu, Mexico?
And I'm not calling for the border to be closed, and I understand the extraordinary economic dislocation that would result from that on both sides of the border and probably personal dislocation as well. But I'm just saying as we watched this and we hope it doesn't get a lot worse, but there is some feeling that either now or in the next flu season, it will get a lot worse. We have to see where we are then, where Mexico is, where Canada is and decide what's in the interest of the health and safety of the American people.
Q What specifically should be done -- (inaudible) --
SEN. LIEBERMAN: Well, that's the question we asked Secretary Napolitano to consider. Can we carry out more effective screening of people coming into the country, particularly from Mexico than we are now?
There are several countries in Asia that use a kind of thermal imaging, as you come in, you're all photographed, essentially, and if your temperature is higher than normal, it registers and they take you out of line to see whether you have a problem. Well, these systems were put into affect after the SARS outbreak a few years back.
Again, Secretary Napolitano and the admiral from CDC said that they believe that thermal imaging system was not really effective. Those are the kinds of things that, I think, we have to think about.
Look, the best news is we've got the antivirals now and plenty of them to treat people who have -- show signs or confirmed cases of swine flu and it's effective, it's generally effective in treating it and we're working real hard to develop a vaccine for the next flu season, working really 24/7 at CDC and elsewhere, so that's the real hope.
Sorry for the long answer.
REP. KING: I basically agree with Senator Lieberman. It's hard for me to say if you're urging people to stay away from someone who has swine flu, why it may not be appropriate at some time to say, to prevent people from coming from the country where the swine flu originated.
So I don't think we should rule anything in or out and I'm certainly no medical expert. I just think just looking at it common sense-wise that if Mexico is going to be stopping people from going to church and holding public gatherings, then it might make sense for us to minimize the contact also.
And again, Asia which did live through SARS has taken much more aggressive action than we've taken.
Q Let's go back to cyber security.
SEN. LIEBERMAN: Please. Sure.
Q Have any government officials or industry -- (inaudible) -- told you -- (inaudible) -- software bugs that are in our system and we're working to get them out, which was more or less reported a Wall Street Journal article that those bugs are there? Can you verify that?
REP. THOMPSON: Yes.
REP. THOMPSON: Well, we know that the hacking has occurred. We know that, right now, the industry is left to police itself and part of what this bill will do is enhance the entire cyber grid so that if FERC identifies a vulnerability, they'll work with the industry to correct it. Right now, it's a theft correction process and we think given the potential vulnerabilities that are out there, we have to do more and that's why this bill is introduced.
Q (Off mike.) Specific countries, China or Russia?
REP. THOMPSON: Both.
Q Both. Any others?
REP. THOMPSON: Well, some of this has come in a classified setting. I would say that the two you named have been in the print already.
Q Chairman Thompson, can you comment on two things, one, the electric industry behind this bill because I think hearing that -- (inaudible) -- FERC and NERC were kind of iffy -- (inaudible) -- to give FERC more resources, whether it's people or money -- (inaudible) --
REP. THOMPSON: Well, one of the issues is those things that FERC comes up with; the industry already has the ability to generate revenue to fix it through their rate structure. It's anticipated that any of those vulnerabilities that are identified by FERC that need correcting, the industry will do it.
At this point, again, it's a self-correction and we don't have any reason to doubt the industry, but we just think that there has to be another entity from our perspective like FERC with the authority to make it happen.
Q You actually do have reason to doubt -- (inaudible) -- does industry support the bill?
REP. THOMPSON: Well, we've discussed it with them and there's not been a lot of pushback at this point. One of the reasons you put it out like this is to get comment. We anticipate marketing it up in subcommittee on our side and industry representatives will be solicited for their opinions.
SEN. LIEBERMAN: The other factor here and why I think this legislation is so important is that if there is a governmental authority, DHS, to FERC, to the electric utilities, saying, you've got a vulnerability here, you've got to do something about it, then, frankly, they can say -- the executives of the utilities can say to their shareholders, we've got to do this, otherwise, they're going to think, oh, no, let's see, we're under pressure with our rate system. Do I want to spend this money to do this even though I'm worried about it, whereas there was a great politician back in Connecticut, John Bailey used to say at critical moments when he was disappointing somebody usually, "I got to do what I got to do," and this will be one of those circumstances and that's why the law has to speak clearly here.
Q Is there any teeth in the bill to make sure that they do what FERC did?
SEN. LIEBERMAN: Well, FERC has sanctions attached to its authority.
REP. THOMPSON: That's correct.
Q (Off mike.)
REP. THOMPSON: Well, the review was done and some of the things that we identified, we've included in this legislation. Going forward, we think this legislation is the way to go. We've looked at past practices from a best practices standpoint; we think our electrical grid will be in far better shape having DHS as the primary assessment agency for it.
Q Thank you all very much.
SEN. LIEBERMAN: Thank you. Have a good day.