BREAK IN TRANSCRIPT
Mr. WARNER. Mr. President, first of all, I rise today to address the important legislation pending before this body, S. 3414, the Cybersecurity Act of 2012. I followed this debate, and I want to particularly compliment Senator Lieberman, Senator Collins, Senator Rockefeller, Senator Feinstein, and folks such as Senator Kyl and Senator Whitehouse who have been trying to find some common ground in this area. I hope at some point in the next day or so we will be able to proceed to this bill and have it fully debated.
Many Senators bring different levels of expertise to this issue. As someone who spent 20 years in the technology field and in telecom in particular before entering government service, and has had the honor to serve for the last 3 1/2 years on the Intelligence Committee, the Commerce Committee, and the Banking Committee, three of the committees that all immediately intersect with the challenges around cyber, I can add a bit of my perspective to this debate.
Let me start with concerns that have been raised by some of the opponents to this legislation. In the area around cyber, we need to make sure we have appropriate information sharing. How do we set some standards? Who should enforce those standards? I think most all of us, and anyone who has looked into this area, would recognize it is not a question of when we are going to have a major cyber attack or if we are going to have a cyber attack, it is only a question of when. We have already--as has been reported in the press in a number of fashions--been attacked on a daily basis by foreign agents, criminal elements, hackers who are constantly probing our country's cyber defenses on the public and private side. One of the reasons I think it is so important to move on this legislation soon is I have great fears that when we have a major cyber element or cyber attack, Congress may, as they have done so many times in the past, overreact because we didn't take action on something we knew was imminent.
I do think this piece of legislation--and, candidly, I could have supported an even stronger piece of legislation--is a great first step in this area. I am going to come back in a moment to some amendments I hope to offer to this legislation to deal with some of the concerns other Members and folks have raised on this issue.
Let's talk about why we need cyber legislation and why we need it now. Inaction is not a solution. Every national security expert--not just from the current administration but previous administrations, and most Members of Congress--agrees that the status quo is not sustainable. Over a 5-month period between October of 2011 and February of 2012, there were 50,000 cyber attacks on private and government networks. We are told between 2009 and 2011 attacks on U.S. infrastructure increased by a factor of 17.
As more and more nations and rogue actors get more sophisticated with computer and technological knowledge, these numbers are going to grow exponentially. As the FBI has said, cyber espionage, computer crime, attacks on critical infrastructure will surpass terrorism as the No. 1 threat facing the United States. Think how many things we have done appropriately in the previous administration and this administration in terms of homeland security to protect our Nation against the threat of terrorists. We now have the Director of the FBI saying the cyber threat will soon surpass terrorism in terms of a threat to our Nation.
I know as a former businessman that we are already seeing manifestations of this threat in other areas. Intellectual property theft is one of the most insidious threats we face right now. A former FBI agent who specialized in counterintelligence and computer intrusion has said that in most cases companies don't realize they have been burned until years later when a foreign competitor puts out the very same product, only making it 30 percent cheaper. We have lost our manufacturing base in many ways. By not putting appropriate cyber protections in place, are we really prepared to lose our R&D base as well?
Some say cyber is different. Cyber is different in certain ways, but in many ways it is similar. Just as we would never have a nuclear facility without guards and a wall and a fence or--I see my good friend, the Senator from Louisiana--we would never have power facilities or levees without appropriate protections, how is it we would not have some level of standards and information sharing of threats that are coming in amongst not only our public sector entities but our private sector entities as well?
As a matter of fact, as a former businessman, I have been surprised at some of the resistance from some business organizations that are saying this requirement of both information sharing and some minimum standards would actually be a burden on us. In many ways I actually think somewhat the opposite because there are a number of businesses right now that have taken the responsible step and put in place significant cyber protections while competitors in their industry, because they are not putting those same protections in place, are actually free riders on the system. Yet, not if but when we have a major cyber event, if one of those companies that has not put appropriate protections in place ends up causing dramatic harm to our economy or to that industry sector, all the industries and all the businesses in that sector will in one way or another end up paying the price. Again, this is one of the reasons why we need both this information sharing and some level of standards.
I know to try to move forward in terms of actual or mandatory standards, we are not going to have them at this point. We have set up a measure--and again, I commend Senator Kyl and Senator Whitehouse for working through what I think is a pretty darn good compromise where there would be an industry group that would develop, in effect, best practices. It is hard with the government and bureaucracy moving so slowly to keep up with something like technology that would allow an industry group to come up with, in effect, best practices. Those companies that adhere to those best practices would actually receive legal and other protections so we could encourage folks to make sure we have in place the kind of protections that all industries and our country need.
To make clear that we don't have mandatory standards, we have put in place--I have been working with Senator Snowe on a couple of amendments. I believe there are other Members who will join us on at least one of these amendments. The first amendment is very important and hopefully will go some distance in terms of clarifying one of the issues that seems to be a major subject of debate in this legislation, and that is to modify--again working with the chairs of the committee, we may even move beyond this modification to elimination--a key section of the bill, section 103. It will make clear that the standards set by this bill, the protection of infrastructure, are indeed voluntary. This amendment makes it clear that this bill does not in any way alter the authority of any Federal agency to regulate the security of critical infrastructure.
Again, there were some concerns that there might have been a mistake in the earlier draft. This amendment makes clear that the standards that are developed by industry working groups will be voluntary and that nothing in this legislation will allow any Federal agency to regulate the security of critical infrastructure.
I believe this amendment should alleviate the concerns of some that the bill might put in place mandatory standards for infrastructure protection--again, despite the very clear language that already exists in the bill that standards are voluntary. It is my understanding this amendment will be considered as part of a broader set of solutions negotiated by Senator Lieberman, and whether our amendment comes forward or whether it is broadened into a managers' package, I hope it will clarify this portion of the debate about mandatory versus voluntary.
Voluntary is a good first step. The fact that this will be developed by industry working groups, the fact that this will not be subject to the lagging time of government bureaucracy or rulemaking, hopefully, will move us in the right direction.
A second amendment, again, one I have been working on with Senator Snowe, is a bit more technical, and particularly as to my colleagues on the Commerce Committee, I hope we will be able to gain some support from them. This amendment seeks to ensure that the authority provided to DHS to sole-source highly specialized products will result in the procurement of interoperable, standards-based products and services whenever possible.
What does that mean in English? It means when government goes out, and particularly during sole-sourcing of a solution set, too often--and I have seen this in my old industry of telecom years in and years out--people will develop a particular product or solution that works for that company's only set of standards, and when the government subsequently or other private sector entities go on and buy or replace or expand whatever particular system it is, if it is not interoperable with the rest of the telecommunications system or the rest of the network, then we are really not getting value for our dollar.
Again, this is a small issue in the context of cyber security, but both Senator Snowe and I believe it is important for the purpose of competition, and it should lower the overall cost of key technologies and services for the taxpayer.
So as I close on my first comments, I hope we will be able to move forward before the break on the question of cyber security. I think great progress has been made in the negotiations. I know there are a lot of issues that remain to be resolved, but I would reinforce what so many other colleagues have already said. It is not a question of if we are hit by a cyber attack, it is only a question of when in terms of a major incident. Let's get ahead of the game.
TRIBUTE TO FEDERAL EMPLOYEES
Let me take two more moments and rise on one other issue. As many of my colleagues and the floor staff know, I come down on a fairly regular basis to honor great Federal employees. With all of the challenges we face with the fiscal cliff--I see my good friend and partner here, the Senator from Oklahoma, and both he and I are always trying to look for ways we can get better value for the taxpayer. One of the things we need to do is find ways to reward and recognize the good work of so many Federal employees who share that goal of getting better value for the taxpayer. I know the Senator from Oklahoma has particularly worked with the GAO on a number of occasions to find and root out duplication and other issues of where we can save dollars.
I come down on a regular basis to recognize Federal employees--because so many times they are under assault--when they do good things. Today I do that one more time, with recognition of another great Federal employee, in this case Diane Braunstein, who is the Associate Commissioner for the Office of International Programs for the Social Security Administration. She has overseen the creation of the Compassionate Allowance Program, which has allowed thousands of seriously ill Americans to gain quick approval for much needed Social Security benefits in a matter of days or weeks rather than months or years; although in this area of Social Security disability we need to make sure only the appropriate beneficiaries are receiving those funds.
For years, the Social Security Disability Insurance Program has faced backlogs and delays in processing claims. In 2011 there were on average 700,000 pending cases. We need to do a better job of evaluating and weeding out some of those cases. Couple this with what used to be a lack of caseworker knowledge on rare illnesses, and the result was a number of applications with rare illnesses being incorrectly denied Federal benefits. They then had to face an appeals process which took years to complete.
Beginning in 2008, Ms. Braunstein partnered with patient advocacy groups and NIH to come up with a list of 25 cancers and 25 rare diseases that would automatically qualify an applicant to receive benefits. To further improve the speed and efficiency and cost effectiveness of this process, an easy-to-use reference guide and training program was put together to aid caseworkers.
According to Social Security Commissioner Michael Astrue, when Ms. Braunstein began work on the compassionate allowances, some Americans were waiting 2 to 4 years for a decision. Now those with the most devastating disabilities get approved for benefits in a matter of days. In 2010, the program was able to assist an estimated 45,000 people, and 65,000 people in 2011.
I hope my colleagues will join me in honoring Ms. Braunstein for her innovation and excellent work she has done as well as her commitment to public service.
Again, we have some hard choices to make beyond the question of cyber security, but as we approach this fiscal cliff there will be more asked of all Americans and there will be more asked of our Federal employees. We will have to continue to find ways to ratchet out those programs that are duplicative, those areas where we are not getting value for our dollar.
Again, I know this is an issue of concern to the Senator from Louisiana and the Senator from Oklahoma. But when we find initiatives that work, and we find Federal employees who are helping us provide value, particularly for those in need at a good price, they deserve this recognition.
With that, I yield the floor.
BREAK IN TRANSCRIPT