BREAK IN TRANSCRIPT
Ms. MIKULSKI. Mr. President, today I wish to support the Cybersecurity Act of 2012. As a member of the Intelligence Committee, I know that cyber security is the most pressing economic and national security threat facing our country.
There still needs to be a sense of urgency in addressing this issue, and we must pass this legislation. Doing so will allow us to defend our computer networks and critical infrastructure from a hostile, predatory attack. Such an attack is meant to humiliate, intimidate, and cripple us. If we wait until a major attack occurs, we will likely end up over-reacting, over-regulating, and overspending in order to address our weakness.
The threat of a cyber attack is real. Our Nation is already under attack. We are in a cyber war, and cyber attacks are happening every day. Cyber terrorists are working to damage critical infrastructure through efforts to take over the power grid or disrupt our air traffic control systems. Those carrying out these attacks are moving at breakneck speeds to steal state secrets and our Nation's intellectual property. They are stealing financial information and disrupting business operations.
Cyber attacks can disrupt critical infrastructure, wipe out a family's entire life savings, and put human lives at risk. They can take down entire companies by hacking into computer networks where they remain undiscovered for months, even years.
FBI Director Mueller testified before the Senate Intelligence Committee, stating that cyber crime will eventually surpass terrorism as the No. 1 threat to America. The economic losses of cyber crime alone are stunning. A Norton Cybercrime Report valued losses from cyber attacks at $388 billion in 2011.
I have been working on cyber issues since I was elected to the Senate. The National Security Agency--our cyber warriors--are in Maryland. I have been working with the NSA to ensure that signals intelligence is a focus of our national security even before cyber was a method of warfare.
In 2007, Estonia was attacked. Estonia was strengthening its ties to NATO, and Russian hackers swiftly struck back. They waged war on Estonia and threatened its government, rendered Estonia's networks obsolete for days. This attack was designed to intimidate, manipulate, and distort.
The cyber attacks on Estonia raised important questions. Would article 5 of the NATO Charter be invoked? Since the attack was on one member of NATO--was it an attack on all members? How would the U.S. and other allies need respond to future attacks? What would happen if America experienced a similar cyber attack?
As member of the Senate Intelligence Committee, I served on the Cyber Working Group where we developed core findings to guide Congress. The need to get governance right, the need to protect civil liberties, and the need to improve the cyber workforce.
As chair of the Commerce, Justice, Science Appropriations Subcommittee, I fund critical cyber security agencies: the FBI which investigates cyber crime, NIST, which works with the private sector to develop standards for cyber security technology, and NSF, which does research.
As a member of Defense Appropriations Subcommittee, I work to ensure critical funding for Intel and cyber agencies such as the NSA, CIA, and IARPA. These organizations are coming up with the new ideas that will create jobs and keep our country safe. Funding is critical to build the workforce, provide technology and resources, and to make our cyber security smarter, safer, and more secure.
Yet technology will mean nothing unless we have a trained workforce. In order to fight the cyber security war, we have to maintain our technological development, maintain our qualitative advantage, and have our cyber warriors ready at battle stations. In order to develop our cyber shield, we need to train cyber warriors so they can protect our Nation. I have been working with Maryland colleges and universities to create world-class programs, a national model, and for training our next generation of cyber warriors.
I asked Senator Reid to conduct a cyber security exercise, which showed us in real time how the U.S. Government would respond to a predatory cyber attack of great magnitude. I asked for the Senate cyber exercise for three reasons. First, we need a sense of urgency here in the Senate to pass cyber security legislation. Second, we need to put the proper legislative policy in place. Third, I wanted to create a sense of bipartisanship camaraderie.
One example of the impact a cyber attack would have is the power outages caused by our freak storms this summer. We got a glimpse of what an attack on the grid would be like. At least Pepco has the ability to respond and restore and turn the power back on. With an attack on the grid we could lose the power to turn electricity back on because it was shut down by power manipulation. Imagine our largest cities, like New York and Washington, like the Wild West with no power, schools shut down, parents stuck in traffic, public transit crippled, no traffic lights, and 9-1-1 systems failing.
In the financial industry, the FBI currently has 7,600 pending bank robbery cases and over 9,000 pending cyber investigations. According to the FBI, the Bureau is currently investigating over 400 reported cases of corporate account takeovers where cyber criminals have made unauthorized transfers from the bank accounts of U.S. businesses. These cases involve the attempted theft of over $255 million and actual losses of approximately $85 million.
Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market. The New York Stock Exchange has been the target of cyber attacks. In the future, successful attempts to shut down or steal information from our financial exchanges could wreak havoc of untold proportions on our economy.
In the 2010 ``flash crash'', the Dow Jones plunged 1,000 points in matter of minutes when automatic computerized traders shut down. This was the result of turbulent trading, not a cyber attack and the market recovered. But this is a micro-example of what could happen if stock market computers are hacked, infected, or go dark.
In November 2008 the American credit card processor RBS Worldpay was hacked--$9 million was stolen in less than 12 hours. The hackers broke into accounts and changed limits on payroll debit cards employees use to withdraw their salaries from ATMs. The cards were used at over 2,100 ATMs in at least 280 cities around the world, United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, Canada, stealing over $9 million from unsuspecting employers and employees.
This heist, one of the most sophisticated and organized computer fraud attacks ever conducted proves that you don't need a visa to steal someone's visa card.
From 2008 to 2010, a Slovenian citizen created ``Butterfly Bot'' and sold it to other criminals worldwide. Cyber criminals developed networks of infected computers. The Mariposa variety from Spain was the most notorious and largest. Mariposa infected personal computers, stole credit card and bank account information, launched denial attacks to shut down online services, and spread viruses to disable computers and networks.
Industry experts estimated the Mariposa Botnet may have infected as many as 8 million to 12 million computers. The size and scope of the infection makes it difficult to quantify financial losses but could easily be tens of millions of dollars.
Speaking simply, this bill does two key things from a national security perspective. It helps businesses voluntarily get cyber standards that they can use to protect themselves, and it allows businesses and the government to share information with each other about cyber threats. That is, to help ``.gov'' to protect ``.com.''
In a constitutional manner, these two things are not necessarily connected, but they can be. The reason why these provisions are such an innovation is that despite all the amazing talent and expertise that companies have, many are being attacked and don't know it. And this legislative framework gives the structure to allow for unprecedented ``.com'' and ``.gov'' cooperation.
There are also other several other key components in the bill focusing on research and development, workforce development, and FISMA reform.
Why do we need a bill to make some of these vital partnerships and exchanges happen?
Because, as I have outlined, America is under attack every second of every day. General Alexander, the head of NSA and U.S. Cyber Command, has said that we have witnessed the greatest transfer of wealth in history in the heist that foreign actors have perpetrated on our country. By stealing our secrets, stealing our intellectual property, and stealing our wealth. It is mindboggling. Take just one example. A theft by a foreign actor that took, among other things, key plans for our F-35 fighter. One attack on the Pentagon made off with so many sensitive documents that they would have filled delivery trucks end-to-end stretching from Washington, DC to Baltimore Harbor.
But don't take my word for it that this issue is urgent and that we need to address critical infrastructure. Who else says it is urgent? Experts from both side of the aisle do. Folks like former CIA Director Mike McConnell, DHS head Michael Chertoff, Vice Chairman of the Joint Chiefs of Staff James Cartwright, former cyber czar Richard Clarke, and many others have said we need to address critical infrastructure.
And our top defense and military leaders such as Defense Secretary Leon Panetta, Chairman of the Joint Chiefs of Staff Dempsey, Director of National Intelligence Clapper, and again, GEN Keith Alexander. The threat is here and it is now. And if we do not act, if we let the perfect be the enemy of the good, then this country will be more vulnerable than ever before, and Congress will have done nothing.
This bill is not perfect, but I want to say upfront that Senators Lieberman and Collins have heard the critics and tried to incorporate their views. DHS's role has been criticized by many, myself included. I have been skeptical that they could perform some of the duties assigned in this bill.
To be honest, I still am skeptical, although less so than before, but I think this bill takes important steps to diversify the government and private sector actors involved. So we are not just focusing on DHS, but also the right civilian agencies in charge because in the end we cannot have intelligence agencies leading this effort with the private sector. Some would like to see that go further, and that is what the amendment process is there for.
We have had people in the civil liberties community worried about whether this bill could allow intrusions by the government into people's privacy. As a Marylander, this was a tantamount concern for me as well. If we don't protect our civil liberties, then all this added security is for naught because we would have lost what we value most, our freedom.
Again, I think the authors of this bill, especially Senator Feinstein, have made key improvements on issues of law enforcement powers and protecting core privacy concerns. I know not everyone is totally pleased. But I think this bill has made important strides to balance information sharing and privacy.
We all have been concerned that the business community has opposed a lot of key critical infrastructure elements of this bill. They fear strangulation and over-regulation. They fear that they will open themselves up to lawsuits if they participate in the program with the government. These are valid concerns, and I have heard them from Maryland businesses. I think this new bill has made the most strides in trying to accommodate business and building a voluntary framework to allow businesses to choose protection.
Protection does not come without responsibility for participants, but I think this bill links the need for cyber security with appropriate liability protection and the expertise of our business community in a way that answers a lot of companies' concerns. We cannot eliminate all government involvement in this issue. That won't work. And we will lose key government expertise in DOD, FBI, and elsewhere. But we work to try to minimize it while maintaining government's role in protecting our national security.
I am so proud that the Senate came together in a bipartisan way to draft this legislation. The Senate must pass this legislation now. Working together we can make our Nation safer and stronger and we can show the American people that we can cooperate to get an important job done.
BREAK IN TRANSCRIPT