African Growth and Opportunity Amendment Act

Floor Speech

Date: Aug. 2, 2012
Location: Washington DC
Issues: Defense

BREAK IN TRANSCRIPT

Ms. SNOWE. Mr. President, I rise today to express my strong support for finding a path to legislation that will at long last confront our Nation's 21st-century vulnerability to cyber crime, global cyber espionage, and cyber attacks. This legislation has been a long time in the making, and over the last several years I have been privileged to work with colleagues on the Senate Intelligence and Commerce Committees to address some of these consequential matters, including Senator Rockefeller, whom I collaborated with closely on cyber security legislation that passed the Commerce Committee unanimously in 2010; Senator Hutchison, who has worked tirelessly with us on these issues as ranking member on the Commerce Committee; Senators Mikulski and Whitehouse, with whom I served on the Intelligence Committee's Cyber Security Task Force; Senator Warner, who has joined me in underscoring the urgency of considering cyber security legislation in a transparent and nonpartisan manner; and Senators Lieberman and Collins, who have led the effort to craft this revised cyber security bill.

Nothing less than the very foundation of our national and economic security is at risk, and it is essential that we be prepared to defend against cyber activity that could cause catastrophic damage and loss of life in this country.

Still, some of my colleagues will undoubtedly make poignant and convincing arguments for why this Chamber should delay consideration of a comprehensive cyber security bill--stressing the complexity of the questions involved, the competing jurisdictions, and the many unknowns associated with a medium where innovation in functionality will continue to outpace innovation in security.

However, last fall the National Counterintelligence Executive warned that the rapidly accelerating rate of change in information technology and communications is likely to ``disrupt security procedures and provide new openings for collection of sensitive U.S. economic and technology information.'' In fact, the counterintelligence report cited Cisco Systems studies predicting that the number of devices such as smartphones and laptops in operation worldwide will increase from about 12.5 billion in 2010 to 25 billion in 2015.

Thus, as a result of this proliferation in the number of operating systems connected to the Internet, the Counterintelligence Executive has assessed that ``the growing complexity and density of cyber space will provide more cover for remote cyber intruders and make it even harder than today to establish attribution for these incidents.''

So as I said during the Senate Commerce Committee's bipartisan, unanimous markup of the Rockefeller-Snowe cyber security legislation over 2 years ago in early 2010, when it comes to the threat we face in cyber space, time is not on our side, and this is further evidence of that irrefutable fact.

This Congress could spend another 2 years debating the merits of various approaches and continuing to operate based on a reactive hodgepodge of government directives and bureaucratic confusion. But at the end of the day, the only way to begin preparing our Nation to defend against this emerging threat is to allow the Senate to work its will in a full and unrestrained debate.

In June, Senator Warner and I urged the Senate's leadership to reach an agreement ensuring cyber security legislation receives an open debate on the Senate floor during the July work period. In calling for a fair amendment process, we in fact were simply repeating the cyber security debate commitment made by the majority leader at the start of the year when he said that ``it is essential that we have a thorough and open debate on the Senate floor, including consideration of amendments to perfect the legislation, insert additional provisions where the majority of the Senate supports them, and remove provisions if such support does not exist.''

So I welcomed the majority leader's commitment to allow an open amendment process, and I joined my colleagues in voting to invoke cloture on the motion to proceed to the bill. As I have said repeatedly, only a bipartisan agreement will achieve our shared goal of passing cyber security legislation to prevent a devastating cyber attack.

That process must begin now, and as one who has served on the Select Committee on Intelligence for the last decade, I believe it is essential to begin by elucidating the nature of the indisputable threat we now face.

In June 2010, the Intelligence Committee's Cyber Security Task Force, on which I served along with Senators Whitehouse and Mikulski, delivered its classified final report illustrating the myriad of challenges to the security of our physical, economic, and social systems in cyber space. I urge my colleagues to review this classified report.

As for some examples we can discuss in an open forum such as this, I encourage my colleagues to read the National Counterintelligence Executive's unclassified report to Congress entitled ``Foreign Spies Stealing U.S. Economic Secrets in Cyberspace.'' The Counterintelligence Executive's report, which was released last fall, is truly the authoritative document when it comes to portraying in detail the nature of the threat and its ramifications on our lives and--increasingly--our livelihoods.

The report is incredibly eye-opening and represents the first time in which our government has explicitly named China and Russia as the primary points of origin for much of the malicious cyber activity targeting U.S. interests. In fact, the report states that the Governments of China and Russia ``remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace'' and it links much of the recent onslaught of computer network intrusions as originating from Internet Protocol addresses in these two countries.

For example, the Counterintelligence Executive's report cites a February 2011 study attributing an intrusion set called ``Night Dragon'' to an IP address located in China. According to the report, these cyber intruders were able to exfiltrate data from computer systems of global oil, energy, and petrochemical companies with the goal of obtaining information on ``sensitive competitive proprietary operations and on financing of oil and gas field bids.'' As the report notes, such activity on behalf of our economic rivals undermines the U.S. economy's ability to ``create jobs, generate revenues, foster innovation, and lay the economic foundation for prosperity and national security.'' And the report estimates that our losses from economic espionage range from ``$2 billion to $400 billion or more a year,'' reflecting the scarcity of data and underscoring how little we currently understand about the total effect these malicious cyber intrusions have on our economic future.

In addition to the threat posed to our Nation's prosperity, the Counterintelligence Executive's report noted that foreign collectors are stealing information ``on the full array of U.S. military technologies in use or under development,'' including marine systems, aerospace and aeronautics technologies used in intelligence gathering and kinetic operations, such as UAVs, and dual-use technologies used for generating energy.

In April, James Lewis of the Center for Strategic and International Studies testified in an unclassified Senate hearing that the delays and cost overruns in the F-35 program may be the result of cyber espionage, which in turn could be linked to the rapid development of China's J-20 stealth fighter. He went on to note that Iran has also been pursuing the acquisition of cyber attack capabilities, noting that FBI Director Mueller has testified that Iran appears increasingly willing to carry out such attacks against the United States and its allies.

As Director of National Intelligence James Clapper remarked during his unclassified testimony to the Select Committee on Intelligence in January, we are observing an ``increased breadth and sophistication of computer network operations by both state and nonstate actors'' and despite our best efforts ``cyber intruders continue to explore new means to circumvent defensive measures.'' To illustrate this point, Director Clapper cited the well-publicized intrusions into the NASDAQ networks and the breach of computer security firm RSA in March 2011, which led to the exfiltration of data on the algorithms used in its authentication system and, subsequently, access to the systems of a U.S. defense contractor.

Consequently, as Director Clapper put it, one of our greatest strategic challenges in the coming years will be ``providing timely, actionable warning of cyber threats and incidents, such as identifying past or present security breaches, definitively attributing them, and accurately distinguishing between cyber espionage intrusions and potentially disruptive cyber attacks.''

As I listened to Director Clapper's assessment of the cyber threat at the Intelligence Committee's annual unclassified worldwide threat hearing this past January, I was reminded of similar statements by several of his predecessors. In fact, on February 2, 2010, then DNI Dennis Blair provided the following cautionary warning:

This cyber domain is exponentially expanding our ability to create and share knowledge, but it is also enabling those who would steal, corrupt, harm or destroy the public and private assets vital to our national interests. The recent intrusions reported by Google are a stark reminder of the importance of these cyber assets, and a wake-up call to those who have not taken this problem seriously.

Similarly, the preceding year, on February 12, 2009, Director Blair said:

Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year.

As far back as February 5, 2008, then-DNI Michael McConnell warned:

It is no longer sufficient for the US Government to discover cyber intrusions in its networks, clean up the damage, and take legal or political steps to deter further intrusions. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

It was in response to this cavalcade of wake-up calls and threat briefings that Senator Rockefeller and I, in our role as crossover members of both the Intelligence and Commerce committees, initiated a series of hearings before the Commerce Committee to begin considering proposals for collaborating with the private sector to prevent and defend against attacks in cyber space.

On April 1, 2009, Senator Rockefeller and I introduced one of the first bills aimed at tackling some of our Nation's most vexing challenges when it comes to this issue. Our legislation, the Cybersecurity Act of 2010, was meant to focus the Senate's efforts on several key priorities, including conducting risk assessments to identify and evaluate cyber threats and vulnerabilities, clarifying the responsibilities of government and private sector stakeholders by creating a public-private information sharing clearinghouse, and investing in cyber research and development to expand activities in critical fields like secure coding, which is indispensable in minimizing our vulnerability to cyber intrusions. Our bill also sought to expand efforts to recruit the next generation of ``cyber warriors'' to implement these defenses through the creation of a cyber scholarship-for-service program.

Our cyber security bill was one of the first attempts to confront our vulnerabilities in cyber space, and with approximately 90 percent of the Nation's digital infrastructure controlled by private industry, we made a concerted effort to collaborate with businesses and ensure our bill incorporated input from experts covering the complete spectrum of this issue. Along the way Senator Rockefeller and I have worked together closely, holding meetings with the White House Cyber Security Coordinator, conducting hearings at the Commerce Committee with experts like James Lewis of the Center for Strategic and International Studies and former Director of National Intelligence Mike McConnell, and collaborating on a Wall Street Journal op-ed entitled ``Now Is the Time to Prepare for Cyberwar.''

As a result, our legislation was marked up in a unanimous, bipartisan effort by the Commerce Committee in 2010. Moreover, our proposal received praise from a major telecommunications industry leader who said our 2009 bill ``puts the nation on a much stronger footing'' to confront the cyber threat and a leading telecom association, which said that ``passage of the Rockefeller-Snowe Cybersecurity Act is a necessary and important step in protecting our national infrastructure.''

Additionally, in February 2011, following the Egyptian Government's attempt to quell public protests by denying access to the Internet, I pledged to oppose so-called ``Internet kill switch'' authority here in the United States. Consequently, I was pleased when earlier this year Senators on both sides of the aisle joined me in protecting critical first amendment rights by agreeing to reject any provisions that could be construed as giving our government new authority to restrict access to the Internet.

Thus, although I am not a cosponsor of the legislation before the Senate, I recognize that this proposal reflects many of the core ideas first offered by Senator Rockefeller and I in 2009, and I commend my colleagues for working with us over the last few years to ensure that these essential provisions were made part of the revised cyber security legislation.

Specifically, I support steps taken in the revised bill that require collaboration between the government and the private sector to share information about cyber threats and identify vulnerabilities to protect networks. Such information sharing and sector-by-sector cyber risk assessments were a fundamental part of the Rockefeller-Snowe bill in 2009. Likewise, I support provisions establishing an industry-led--rather than government-led--process for identifying best practices, standards, and guidelines to effectively remediate or mitigate cyber risks, with civil liability protection for those owners and operators of critical infrastructure who have implemented these standards. And I support the cyber outreach, awareness, recruitment, and workforce development provisions that were an essential component of our original bill.

That being said, the private sector is rightly concerned about the prospect of over-regulation by the Federal Government. Specifically, many of my colleagues on the Republican side of the aisle have expressed concerns that passage of a comprehensive cyber security bill could lead to more government redtape, stifling innovation and impeding growth.

Yet I firmly believe these are not insurmountable challenges, and I am optimistic that there is tremendous potential for the Senate to forge a viable solution that incentivizes private sector participation and collaboration.

Although the revised bill takes steps to incentivize the adoption of voluntary cyber security practices, many continue to voice concerns when it comes to the provisions governing ``covered critical infrastructure,'' or in other words, those information systems for our transportation, first responders, airports, hospitals, electric utilities, water systems, and financial networks whose disruption would interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade national security.

I support an effort to raise the bar when it comes to cyber security standards for our most critical, life-sustaining systems. Yet in order to pass a bill that has the momentum to become law, we absolutely must find some middle ground with those who have raised valid concerns about the potential of over-regulation by the Federal Government.

For example, I have heard concerns from the private sector that subsection 103(g) of the revised bill may cause confusion and has led many to believe that the voluntary rules will eventually be forced upon companies who may already have strong security practices in place. Specifically, this subsection mandates that all Federal agencies with responsibilities for regulating critical infrastructure must submit an annual report justifying why they have not acted to make the voluntary standards proposed through this legislation mandatory within their jurisdiction. To remove any confusion about the intent of the bill, I am working with Senator Warner and several of my colleagues on straightforward language to clarify that nothing in the bill should be construed to increase, decrease, or otherwise alter the existing authority of any Federal agency when it comes to the security of critical cyber infrastructure.

Likewise, I share some of my colleagues' concerns that provisions designed to bolster the Department of Homeland Security's role in managing efforts to secure and protect critical infrastructure networks could lead to an unsustainable DHS bureaucracy. Such provisions were not part of the original Rockefeller-Snowe bill, which took a different approach by creating a Senate-confirmed National Cybersecurity Adviser within the Executive Office of the President.

Yet, again, this hurdle is not insurmountable--and I welcome the establishment of the National Cybersecurity Council in the revised bill as an interagency body with members from the Departments of Commerce, Defense, Justice, the Intelligence Community, and other appropriate Federal agencies--in addition to DHS--to assess risks and ensure the primary regulators for each critical system are involved in any final decision.

Furthermore, I remain concerned that the bill lacks specific provisions to assist small businesses in complying with any new cyber security standards adopted by Federal agencies with responsibilities for regulating the security of critical infrastructure. Small businesses remain the primary job creators in this country, responsible for more than two-thirds of all new jobs created. As ranking member of the Senate Committee on Small Business and Entrepreneurship, I have advocated tirelessly for targeted regulatory reform because there is no doubt that regulations are stifling small business. Small firms with fewer than 20 employees bear a disproportionate burden of complying with Federal regulations. These small firms pay an annual regulatory cost of $10,585 per employee, which is 36 percent higher than the regulatory cost facing larger firms.

In response, I have proposed several amendments to ensure the Small Business Administration and other constructive stakeholders are involved in analyzing the implications of cyber security performance standards on small businesses and recommending options for mitigating any costs or unnecessary burdens. And I have filed an amendment that would identify the challenges that prevent the Federal Government from leveraging the capabilities of small businesses to perform classified cyber security work and to develop security-cleared cyber workers.

I have also filed amendments that ensure sector specific regulators have the technical resources and staffing to adequately address cyber threats facing their industry and that focus research efforts on promising technologies that will secure our wireless infrastructure. Additionally, I have joined my colleague, Senator Toomey, in offering an amendment that would implement a national data security breach standard to simplify compliance for businesses and notifications to consumers to reduce undue burden and confusion. More than 540 million records have been reported breached since 2005 according to the Privacy Rights Clearinghouse, and research from Symantec estimates the average organizational cost of a breach is approximately $5.5 million.

Finally, I have filed an amendment to prohibit our government from signing new trade agreements with countries that have been identified by the National Counterintelligence Executive as using cyber tools to steal our trade secrets and threaten our economic security. It is time to send the message that these malicious activities will come with a price, and I view this as a sound and practical means of deterrence.

So again let me reiterate the imperative fact that time is not on our side. As former Secretary of Homeland Security Michael Chertoff and several of his intelligence community and defense colleagues recently wrote in a letter to our Senate leadership, the risk of failing to act on comprehensive cyber security legislation is ``simply too great considering the reality of our interconnected and interdependent world, and the impact that can result from the failure of even one part of the network across a wide range of physical, economic and social systems.''

Therefore, as I wrote in a letter to the majority and minority leaders in June, ``given the nature of the threat we face ..... it is essential that we not miss an opportunity to consider cyber security legislation in a non-partisan manner and pass a bill that has the momentum to become law.''

Now is the moment to prove that the Senate is capable of forging a viable solution to address what Director Clapper called ``a critical national and economic security concern.'' I welcome this debate on what I view as one of the defining national security challenges of our generation, and I urge my colleagues to join me in working for passage of comprehensive cyber security legislation.

BREAK IN TRANSCRIPT

