Keystone XL Pipeline Act

Floor Speech

Date: Jan. 16, 2015
Location: Washington, DC

BREAK IN TRANSCRIPT

Mr. HATCH. Mr. President, I rise to discuss the critical need for cyber security legislation.

Computers control nearly everything we use in our daily lives. They control our cars, our phones, our water supply, our power grid, our financial services, our retail networks, our food production and in many respects our military capabilities.

Fortunately, our adversaries have not yet succeeded in inflicting major physical damage on our Nation's interdependent critical infrastructure.

That is not to say, however, they are not vulnerable to persistent threats in cyber space. Look no further than in the ``2014 U.S. State of Cybercrime Survey.'' That is a study prepared by PricewaterhouseCoopers, the U.S. Secret Service, Carnegie Mellon University, and CSO magazine.

Of the more than 500 U.S. executives and security experts surveyed, 77 percent of businesses detected an attempted security breach in the previous 12 months, and 34 percent of these businesses said the number of security incidents detected increased over the previous year, with an average number of 135 incidents per organization.

The report makes many key observations, but let me emphasize a key finding that resonated with me. One thing is very clear: Most organizations' cyber security programs do not rival the persistence, tactical skills, and technological prowess of today's cyber adversaries.

Cyber thieves proved their determination just last week when Russian hackers amassed over 1 billion Internet user names and passwords, the largest known collection of Internet credentials.

In the years following the September 11, 2001, attacks, the U.S. Director of National Intelligence consistently ranked terrorism as our No. 1 threat, but that started to change a few years ago. In 2012 then-FBI Director Robert Mueller predicted that ``in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.''

He was right.

In 2013 and 2014 the intelligence community's Worldwide Threat Assessment lists cyber as the top threat to our Nation. Terrorism, nuclear proliferation, and unauthorized leaks of classified information remain grave threats to our country, but cyber is now our No. 1 threat.

Yet it is hard to believe no major cyber security legislation has been enacted since 2002, when Congress passed the Federal Information Security Management Act--or FISMA--and the Cybersecurity Research and Development Act. Of course, there have been provisions relevant to cyber security enacted in subsequent laws but nothing as significant or comprehensive as the laws passed 12 years ago.

As we begin a new Congress, let me articulate a few guiding principles that should be included in any cyber security legislation.

First, we must acknowledge the need for the government and the private sector to cooperate in order to fend off cyber attacks, but today businesses are reluctant to share critical information out of fear of legal repercussions. Congress must provide proper incentives, such as liability protection, to encourage the private sector to share cyber threat information with our government.

Next, any cyber security legislation must strike the right balance between protecting our Nation's computer infrastructure and protecting individual privacy rights.

Thus, information sharing between businesses and the government must be tailored to the recipient's actual security responsibilities. Moreover, any legislation should avoid overly broad language that could clash with privacy protections.

Furthermore, a voluntary, nonregulatory approach is most likely to yield consensus legislation. The role of DHS and other government agencies should be to provide advice and resources to improve our Nation's cyber security posture, not to pile on additional burdensome regulations.

Finally, and perhaps most important, we must build a strong cyber security workforce in the public and the private sectors. Enacting cyber security legislation will mean very little if there are no trained professionals prepared to tackle our Nation's cyber security challenges.

In order to build the enduring capabilities capable of protecting our cyber infrastructure, we must encourage young people to pursue high-tech careers and attract highly skilled workers from around the world.

Beyond the civilian realm, the cyber threats we face present critical new challenges to our national security. Arguably, we have not yet faced a similarly novel catalyst for policy formulation and change since the development of our nuclear deterrence strategy more than 60 years ago.

As we face this new world of cyber threats, the fundamental question remains the same: What is the most efficient and effective means to defend our country, the United States, while remaining true to the Constitution at the same time? Answering that question should be the cornerstone of the President's cyber security strategy.

I was encouraged to hear the President say during his visit to the National Cybersecurity Communications Integration Center earlier this week that ``cyber threats are an urgent and growing danger.'' I certainly share that assessment of the dire nature of this very real threat to our national security.

While I applaud the White House for its plans to host a conference on cyber security and consumer protection next month, the nature of the cyber security threat demands a comprehensive strategy to protect our Nation.

Much work remains to be done on this front, especially from the standpoint of the Department of Defense and the Department of Homeland Security. The urgency of this task was amplified when the Congressional Research Service concluded just this month that ``the overarching defense strategy for securing cyberspace is vague and evolving.''

As we face these threats, we must act decisively to ensure that bureaucratic barriers do not hinder the development of an effective strategy to counter threats from cyber space. As it stands, there is not a single agency primarily responsible for cyber defense.

The Department of Homeland Security is charged with protecting civilian networks and working with the private sector. The FBI and Secret Service are responsible for investigating cyber crime, and the Department of Defense is responsible for defending its own systems and partnering to protect the defense industrial base.

Critically, the Defense Department is only tasked with supporting DHS when the cyber attack is directed at our homeland. Yet these differences of responsibility can operate as artificial barriers to the efficient and effective cyber defense system.

Indeed, the lack of a single organization with direct responsibility runs counter to the basic leadership principle of unity of command. It bears remembering that these boundaries only exist for our agencies, not the hackers which seek to exploit the limitless terrain of cyber space. In a world in which the lines between cyber crime and cyber warfare are increasingly blurred, we need to ensure that all of our defensive cyber capabilities are brought to bear against the wide variety of threats facing our infrastructure, private and public, civilian and military.

Nevertheless, the need for a primary agency of responsibility does not necessarily mean the Department of Defense should be that agency, even despite its remarkable capabilities. Such a course would raise both legal and practical concerns.

Beginning with the legal issue, as the Supreme Court has stated, there is a ``traditional and strong resistance of Americans to any military intrusion into civilian affairs.''

The use of the military to enforce the law, with respect to domestic hackers or to virtually patrol on private networks is problematic because of the provisions of 18 U.S.C. section 1835.

In addition, the Defense Department's organization to defend against cyber attacks might not be the most efficient. Currently, U.S. Cyber Command, which is responsible for the training and equipping of our cyber warriors, is also entrusted with the Department's operational activities in cyber space. Such a construct makes sense. Yet unlike a unified combatant command, Cyber Command is a subunified command under U.S. Strategic Command. Though this configuration has been considered and agreed to by the Senate Armed Services Committee, I am still not convinced of its value. Therefore, I also hope the President addresses how our military forces can best be aligned to facilitate the most efficient and effective cyber defense possible.

But returning to the larger question, if concentrating our efforts entirely in the hands of the Defense Department is not advisable, what are we to do?

One possible solution has been presented by Richard Clarke, the noted former member of the National Security Council, in his book, ``Cyber War.''

To be clear, I am not endorsing Mr. Clarke's proposal. We surely do not need another government bureaucracy, but I do believe it is an important concept to be discussed during future debates on cyber security. Specifically, Mr. Clarke argues for a civilian cyber defense administration which would be responsible for protecting ``the dot-gov domain and critical infrastructure during an attack.'' As well as assigning those Federal law enforcement agencies personnel responsible for cyber crime to this centralized cyber defense administration, it would only be logical to ask if such an agency could provide other cyber defense functions.

Accordingly, addressing proposals such as this as part of answering the question as to what is the most effective organization we can employ for cyber security should be a focal point of the President's address.

But we should not just place these questions at the President's door. The Senate itself must consider modifying the way it considers cyber security legislation and issues.

Currently, there are at least five separate Senate committees which are responsible for various aspects of cyber security. Therefore, we, too, have a unity-of-effort issue, and the Senate should consider means to concentrate this body's expertise on this critical matter.

In conclusion, there are a myriad of questions which our government must address before we are able to state we have the most effective, efficient, and constitutional cyber security defense possible.

I hope the President fully utilizes the opportunity presented to him in his State of the Union Address to answer these important questions--and if he doesn't, we have to. So we better solve these problems. I presume the President will speak intelligently on these issues and hopefully in a way that will unify the country, unify the Congress, and get us all working in the same way.

We can't afford to let this drag any longer. This is one of the most important sets of issues we have in our country. It may be one of the most important issues or sets of issues in the world at large.

I suggest the absence of a quorum.

BREAK IN TRANSCRIPT

