Cybersecurity Information Sharing Act of 2015--Motion to Proceed

Floor Speech

Date: Aug. 5, 2015
Location: Washington, DC

BREAK IN TRANSCRIPT

Ms. COLLINS. Mr. President, I rise today to speak in favor of the Cybersecurity Information Sharing Act of 2015.

I wish to first recognize the hard work of Chairman Burr and Vice Chairman Feinstein and their leadership on this very important legislation. As a member of the Senate Intelligence Committee, I am well aware of the need to strengthen our computer networks against our adversaries, whether they be nation-states, such as China, Russia, and Iran, or terrorist groups or international criminal gangs or hacktivists.

Along with former Senator Joe Lieberman, I authored the Intelligence Reform and Terrorism Prevention Act of 2004. This bill implemented many of the recommendations of the 9/11 Commission report in the wake of Al Qaeda's terrorist attack on our country that took the lives of nearly 3,000 people. Many of the reforms enacted in our law were well-known and recommended prior--far before--the attacks on our country on 9/11, but they simply were never implemented, despite the clear and present threat posed by Al Qaeda.

Today, my concern is that we are repeating much the same mistake when it comes to the cyber domain. Our Nation has unparalleled strength, but cyber space allows much weaker adversaries to target our people, our economy, and our military.

Just as modern passenger planes designed in the United States were turned against us and used as weapons back in September of 2001, so too could the digital tools designed in the United States be turned against us to deal a devastating blow to our economy, our national security, and our way of life.

We already know many of the steps necessary to reduce the likelihood of a cyber 9/11, yet many of these actions have not yet been taken in either the government or the private sector. As one former official told the 9/11 Commission last year in preparation for its 10th anniversary report, "we are at September 10th levels in terms of cyber preparedness." How many experts have to tell us that it is not a matter of if we are going to be the subject of a major cyber attack but when? How many more serious intrusions do we have to have in the private sector with banks, major retailers affected or in the public sector, where we have had the huge and serious OPM breach which affects some 21 million Americans? How many more of these do we have to have occur before Congress finally acts?

Consider the fact that the economic and technological advantages that the United States enjoys today required decades of research and development and investment of literally billions of dollars. Yet these competitive edges are eroding because hackers and other countries are stealing the intellectual property that gives us our competitive edge in the world.

Three years ago, when I stood on the Senate floor with Senator Joe Lieberman to urge the passage of the Cyber Security Act of 2012, which we wrote, I quoted the then-NSA chief, General Keith Alexander, who said that we are in the midst of the greatest transfer of wealth in our Nation's history. Yet this transfer of wealth continues and accelerates. Information sharing remains fragmented, and the private sector is still hesitant about sharing and receiving information with government. We have lost 3 years and endured endless, expensive data breaches since the Senate refused to stop a filibuster on our cyber bill in 2012. I urge my colleagues: Let's not make the same mistake today.

Passing the Cybersecurity Information Sharing Act of 2015 would make it easier for public and private sector entities to share cyber threat vulnerability information to stop the theft of trade and national security secrets, to stop the theft of personally identifiable information, and to help stop the theft of important information that all of us hold dear and consider to be private.

The bill would eliminate some of the legal and economic disincentives impeding voluntary two-way information sharing between private industry and government. It is a modest but essential first step, especially for businesses, large and small, trying to protect their networks and information.

Just this week, I met with an individual whose trade association has been compromised, according to the FBI. Indeed, back in 2012, when we were debating whether to bring the Lieberman-Collins cyber security bill to the Senate floor, one of the chief opponents was being hacked at that very time but did not know it until the FBI went to that business organization and informed them.

While this bill promotes sharing between the government and the private sector--and that is an important and essential step--it does little to harden the protection of Federal networks or to guard the critical infrastructure on which we rely every day. Thus, I am introducing, with several of my colleagues, two amendments to further strengthen our Nation's cyber security posture. It would be a good first step if we could just pass this bill as it was reported by the Intelligence Committee, but I believe also strengthening the civilian side of the Federal Government and our critical infrastructure is essential for us to do the job completely and effectively.

I want to make clear that I recognize there is no law we could ever write that is going to prevent every cyber attack. That is not possible. But there are effective actions we can and should take that would lessen the chances of these attacks occurring and that would decrease the opportunities for these intrusions. So we must act. It is incumbent upon us.

For the millions of current, former, and retired Federal employees whose personal data was stolen from the poorly secured databases at the Office of Personnel Management, the threat posed by adversaries to inadequately protected Federal networks is all too real. As the FBI Director testified before the Intelligence Committee in open session last month, this breach is a "huge deal" and represents a treasure trove of information for potential adversaries. But this cyber hack also points to a broader problem--the glaring gaps in the process for protecting sensitive information stored in Federal civilian agency networks.

To respond, 2 weeks ago I introduced bipartisan legislation with Senators Warner, Mikulski, Coats, Ayotte, and McCaskill that would strengthen the security of the networks of Federal civilian agencies. Most importantly, our legislation would grant the Department of Homeland Security the authority to issue binding operational directives to Federal agencies to respond in the face of a substantial or imminent threat to Federal networks to ensure that immediate action is taken.

Think of all those IG reports that OPM leaders completely ignored. They go back to 2008. Last fall the IG issued a report which sounded a warning which was so serious that he recommended that certain networks be taken down until they were better protected. But OPM officials largely ignored those warnings, those calls for action. That is why we need to empower the Department of Homeland Security in a situation like that to act, just as NSA acts to protect the dot-mil domain, the military and intelligence agencies in the Federal Government.

I am pleased to report that all of the key elements of our bill were incorporated into legislation unanimously approved last week by the Senate homeland security committee. I thank the chairman, Senator Ron Johnson, and the ranking member, Senator Tom Carper, for making those improvements in their bill and incorporating our bill. We have joined together to file an amendment to add the committee-approved bill to the cyber security legislation.

The primary problem our amendment would solve is that the Department of Homeland Security has the mandate to protect the dot-gov domain, but it only has limited authority to do so. As I said, this approach contrasts sharply with how the National Security Agency defends the dot-mil domain, the information in the military and intelligence agency networks. The Director of the NSA has the responsibility and the authority from the Secretary of Defense to monitor all DOD networks and to deploy countermeasures on those networks. If the Director finds that there is an insecure computer system and wants to take it off the network, he has the authority to do so.

Although the Secretary of Homeland Security is tasked with a similar responsibility to protect Federal civilian networks, he has far less authority to accomplish this task. Yet--think about it--Federal civilian agencies, such as OPM, the Internal Revenue Service, the Social Security Administration, and Medicare, are the repositories of vast quantities of very sensitive personal data of Americans that must be better protected. We have that obligation. Our bill would help ensure that occurs.

Our amendment would harden Federal computer networks from cyber threats. I urge my colleagues to support the Johnson-Carper-Collins-Warner amendment.

I have also filed a second amendment aimed at protecting our country's most vital critical infrastructure from cyber attacks. For 99 percent of private sector entities, the voluntary information sharing framework established in this cyber legislation will be sufficient, and the decision to share cyber threat information should be left up to them. It should be voluntary.

A second tier of reporting is necessary to protect the critical infrastructure that affects the safety, health, and economic well-being of every American. My amendment would create a second tier of reporting to the government that would be mandatory but only for critical infrastructure where a cyber intrusion could reasonably be expected to result in catastrophic regional or national threats on public health or safety, economic security, or national security.

The Department of Homeland Security has already identified fewer than 65 entities--that is all we are talking about--out of all the hundreds of thousands of businesses and private sector entities in the United States, they have identified 65 entities where damage caused by a substantial but single cyber attack could cause catastrophic harm. How is "catastrophic harm" defined? It is defined as causing or having the likelihood to cause $50 billion in economic damage, 2,500 fatalities, or a severe degradation of our national security. My amendment would just take that definition and require reporting from those entities--that would be mandatory if there were a cyber attack--and no one else.

Without information about intrusions into our most critical infrastructure, our government's ability to defend our country against advanced persistent threats will suffer in a domain where speed is critical.

Let me further explain why this amendment is necessary. The fact is that 85 percent of our country's critical infrastructure is owned by the private sector, and we are not nearly as prepared as we should be for a cyber attack that could cause deaths, destruction, and devastation. A recent study by the University of Cambridge and Lloyds Insurance found that a major cyber attack on the U.S. electric grid could result in a blackout in 15 States and Washington, DC, that could cause more than $1 trillion in economic impact and $71 billion in insurance claims.

Under my amendment, the owners and operators of our country's most critical infrastructure would be required to report significant cyber intrusions, similar to the manner in which incidents of communicable diseases must be reported to public health authorities and the Centers for Disease Control and Prevention. Think about the ironic situation we have. Does it make sense that we require a single case of measles to be reported to the Federal Government but not an intrusion into the industrial controls controlling a piece of critical infrastructure that if it were attacked successfully could result in the deaths of 2,500 people?

The threats to our critical infrastructure are not hypothetical; they are already occurring in increasing frequency and severity. ADM Mike Rogers, the Director of NSA, has described the cyber threat posed against critical infrastructure this way: "We have ... observed intrusions into industrial control systems. ... What concerns us is that ... this capability could be used by nation-states, groups or individuals to take down the capability of the control systems."

Multiple natural gas pipeline companies were the targets of a sophisticated cyber intrusion campaign beginning in December of 2011, and our banks have been under cyber attacks repeatedly, most likely from Iran during the past 2 years.

By implementing this tiered reporting system for our country's critical infrastructure at greatest risk of a devastating cyber attack, our government can develop and deploy countermeasures to protect its own networks as well as the information systems of other critical infrastructure and help these critical infrastructure owners and operators to better safeguard their systems from further attacks.

Simply put, the current threat is too great and the existing vulnerability too widespread for us to depend solely on voluntary measures to protect the critical infrastructure on which our country and citizens depend.

Again, I want to emphasize, 99 percent of private sector entities would just have a voluntary system. I am talking about fewer than 65 entities that operate critical infrastructure that the Department of Homeland Security has identified as at risk and has described that the consequences would be either $50 billion in economic damage, 2,500 deaths or a severe degradation of our national security.

Surely, if we have a cyber attack of that severity, we want to know about it. We will need to act. Our laws have simply not kept pace with the digital revolution. We must not wait any longer to make these reforms or be lulled into the mistaken belief that small incremental steps will be enough to stay ahead of our adversaries in cyber space or, worse yet, that we take no action, that we allow a filibuster against even a modest bill to help us be more secure.

By adopting the underlying legislation, plus the two amendments my colleagues and I have offered, we can begin the long overdue work of securing cyber space. In doing so, we will be securing our economic and national security for the next generation.

I was in the Senate on that terrible day in September of 2001, on 9/11/2001, when our Nation was attacked. I was assigned the responsibility, along with Joe Lieberman and the other members of what was then the Governmental Affairs Committee, to look at whether that attack could have been prevented if the dots had been connected. The 9/11 Commission's conclusion was that most likely it could have been.

I don't want to be here after a massive cyber attack that has resulted in the deaths of thousands of our fellow Americans, severe economic damage or a terrible degradation of our national security and ask the question: Why did we not act? I am not saying any law can prevent every attack. Clearly, that is not the case. Our adversaries are infinitely creative, and they will keep probing our computer systems, our cyber networks, but surely we ought to be doing everything we can to make it far more difficult for any of these attacks to be successful, surely we ought to pass the bill reported with only one dissenting vote by the Intelligence Committee, and surely we ought to strengthen the protection of our critical infrastructure and our Federal civilian agencies.

We need to make sure we are doing everything we responsibly can do to lessen the possibilities of a cyber 9/11. I urge my colleagues to proceed to consider this important bill.

BREAK IN TRANSCRIPT

Ms. COLLINS. Mr. President, for the information of my colleagues, I just wanted to list the cosponsors of the amendment that I described having to do with critical infrastructure. I listed the cosponsors of the amendment that deals with protecting civilian agencies but neglected to do so on the other. It is a bipartisan amendment. It is cosponsored by three other members of the Intelligence Committee: Senator Warner, Senator Coats, and Senator Hirono.

BREAK IN TRANSCRIPT

