Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman. ID-Conn., Monday urged President Obama to use the full extent of his executive powers to better secure the nation's most important cyber networks, particularly by conducting risk assessments of the most critical cyber infrastructure and establishing security standards.
In the absence of Senate action, and the presence of a real and imminent threat, Lieberman asked the President to consider incentives for owners of critical cyber infrastructure who comply with cyber defense standards.
His letter follows:
September 24, 2012
Dear Mr. President:
Now that Congress has recessed until after the elections, I am writing to you about the continuing failure of the Senate to pass comprehensive cybersecurity legislation. Countless national security leaders from your Administration and the previous Administration have made clear that the threat from cyber attack is similar to the threat we faced from terrorism on September 10, 2001 -- the danger is real and imminent, yet we have not acted to defend against it. We know our adversaries are already stealing valuable intellectual property and exploiting our critical infrastructure -- those systems that control our water, electricity, transportation, finance, and communications systems -- to prepare for attack.
However, notwithstanding the overwhelming evidence of our nation's vulnerability to cyber attack and the potential that such an attack could cost significant loss of American lives and treasure, a filibuster in the Senate derailed S. 3414, the Cybersecurity Act of 2012. This gridlock threatens to prevent the Senate from passing a cyber bill before the end of this Congress.
Therefore, I urge you to use your executive authority to the maximum extent possible to defend the nation from cyber attack. For example, under current law, as set forth in Title II of the Homeland Security Act of 2002, the Department of Homeland Security has clear authority, if directed by you, to conduct risk assessments of critical infrastructure, identify those systems or assets that are most vulnerable to cyber attack, and issue voluntary standards for those critical systems or assets to maintain adequate cybersecurity. Though executive action cannot offer private sector entities liability protections for compliance with these guidelines, I urge you to consider other incentives that you can offer by executive action to companies that own critical cyber infrastructure and decide to comply with the cyber defense standards that result from your Executive Order.
Even though S. 3414, in the interest of finding compromise, did not contain new authority for existing regulators to require the implementation of cybersecurity standards, I have long believed that such requirements are reasonable and warranted in light of the urgent and grave nature of the threat. I urge you to explore any means at your disposal that would encourage regulators to make mandatory the standards developed by the Department of Homeland Security pursuant to your Executive Order so we can guarantee that our most critical infrastructure will be defended against attacks from our adversaries.
In addition, I urge you to consider using your authority to strengthen information sharing mechanisms to the extent possible under current law. The Cybersecurity Act of 2012 contained important provisions that would have allowed companies and the Government to share cybersecurity threat information while protecting and preserving the rights and liberties we hold dear. These provisions received support from industry, privacy and civil liberties advocates and the Director of the National Security Agency.
Executive action cannot make all the changes necessary to facilitate the type of information sharing we urgently need -- only new statutory authorization will be sufficient. While the Senate failed to make these critical changes to the law, I hope that you will use your authority to the extent possible to facilitate greater cybersecurity information sharing.
Of course, I hope and prefer that the Senate passes cybersecurity legislation and works with the House to get a bill to your desk before the end of this session. Though it is hard to be optimistic about the prospects of passing legislation in the lame duck session, I continue to work with my colleagues to find a bipartisan and bicameral compromise.
But our nation's security interests cannot be left inadequately protected because of special interest pressure. Therefore, I urge you to use the full extent of your authorities under the Constitution and those already given to you by Congress to protect the nation from the real and growing threat of cyber attack.
Senator Joe Lieberman