Resolution Raising a Question of the Priveleges of the House
Floor Speech
BREAK IN TRANSCRIPT
Ms. ZOE LOFGREN of California. Madam Speaker, I yield myself such time as I may consume.
I will note that I have had a chance to discuss this resolution with Congressman Wolf. At the conclusion of our discussion, we will refer this resolution to the House Administration Committee where we will do the appropriate follow-up, and I personally plan to keep in touch with the author of the resolution so that the concerns that he has are fully addressed.
I will just note that when the new majority was elected to the House and I was then appointed to the House Administration Committee, one of the first things I did was to ask to be briefed on our cyber security situation in the House. And I did receive that report. Certainly some things had been done. But more, in my judgment, needed to be done, and we have followed through on that.
I will say that both the Speaker and Leader Boehner have met with the House computer security officials and were told that the sophisticated technology that we do have in place is going to prevent and detect intrusions, but it depends on Members doing what they need to do to work within our security environment.
We have security system programs in place that safeguard against unauthorized system access and disclosure of data, system controls that are in place to identify, verify trace authorized and unauthorized user activity, and to prevent unauthorized modification or destruction of House data.
Chairman Brady has ordered an immediate implementation of additional protections. He's also directed House personnel to work with the FBI and other security agencies to ensure that necessary steps are taken to safeguard House systems. These improvements will help ensure that House network and data remains protected from harm.
In addition to these efforts, the House has instituted a working-smarter series, and we have had actually briefings for staff in the congressional offices asking those staff in Member offices to come in and become aware of the cyber security steps that they need to take in each Member's office. I don't know that every Member has had full staff participation in that, and in discussing this with Mr. Wolf, it would be my intention, perhaps working with Mr. Langevin who is chairing the Homeland Security Subcommittee on Cyber Security, to ask the Democratic caucus and the Republican conference to meet and to highlight this issue so Members will know.
I mean, some Members know all about it, and apparently some Members didn't know enough about it; and I'll take that admission very seriously.
What more do we need to do? Well, we have sophisticated firewalls in place today that monitor all incoming network traffic. We have an intrusion-detection system, and we have multiple anti-virus and spyware programs. That's important because you want redundancy and overlap. You don't want to rely on just one system. We also have--you may have seen in some of the hallways--teams monitoring wireless systems. It's a kind of antenna they're waving around. They're trying to detect unauthorized wireless setups that are a potential problem for our security.
What further can we do?
Well, we have tried to insist that Members use more vigorous passport protection schemes. And one of the things we're looking at is instead of asking Members, forcing Members to do that. Now we get pushback when Members are told what to do in their individual offices, but I think that's one of the things that we need to talk about.
Another thing we're looking at, and this was an issue in the intrusion mentioned a minute ago, is whether we're updating our virus software and whether the patches to this software have been uploaded. And Members don't do it. A lot of times Members just neglect to do it. If you don't put the patches in, you're just bare. So we're thinking about maybe centralizing that function. Again, some Members may not like that, but you've got it one way or the other. I mean, you can't be concerned about intrusion if we don't take the steps necessary to actually protect ourselves.
We also are looking at additional encryption efforts, enhancing our real-time monitoring by the security office, and potentially implementing a digital rights management scheme.
Now, I just want to talk a little bit about Member responsibility.
If Members are going to access Web sites in China, you're engaging in risky behavior, and it may be necessary for some Members who are monitoring human rights to do that. I accept that. But it is not a good idea to visit a Web site in China with the computer that's networked with all of your sensitive data on board because if you do, you're going to get malware, and you are going to lose your data to whoever has put that malware on the site.
So I would strongly suggest, and this is a teachable moment, that if Members feel a need to monitor Web sites in China and other countries, that they get a laptop, get an air card, don't put any other sensitive data on it and monitor to your heart's content, but don't leave yourself vulnerable to your data being removed.
No doubt there are root kits, there are bot nets that are going to be infecting your computer and potentially even turning them into zombie computers. Additional things that we want to look at is data leakage protection and some security assessments which is actually going underway right now.
Just a word on cyber security generally, which Mr. Wolf has mentioned. In the 108th Congress, I had one of the best experiences in my congressional career of serving with Mac Thornberry who chaired the Cyber Security Subcommittee. I was the ranking member, and we worked really hard that Congress together. I think it was the only subcommittee, the end of the Congress, we didn't have majority report and a minority report. We had one report that reflected both of our views, and the view was that the Federal Government was way behind in what we needed to do on cyber security.
I remain a member of the Homeland Security Committee. I serve under Mr. Langevin's chairmanship on the committee with cyber security jurisdiction. We have had many, many public hearings, in addition to classified briefings, on the real deficiencies in our cyber security environment in the Federal Government, and I will tell you, I am frustrated to this very moment that so little has been done to keep us safer. Frankly, the House of Representatives has much more robust cyber security than the Department of Homeland Security. That's kind of a chilling thought, but unfortunately, it is true.
So, at this point, I recognize the gentleman's concern. I certainly plan on working with you, and I also want to make sure that each and every Member of this House understands the environment, what their responsibilities are, what their staffs' responsibilities are, understand what we've done as an institution, and what the tradeoffs are going forward in terms of even more vigorous protection.
With that, I reserve the balance of my time.
BREAK IN TRANSCRIPT
Ms. ZOE LOFGREN of California. Madam Speaker, just a couple of comments.
In terms of protecting ourselves, I can't emphasize enough, it is important for all of us to take steps to secure ourselves.
I had an opportunity to take a look. We keep track of this, the intrusions. I took April by example. The origin of the intrusion in April, the country that originated the largest number of intrusions into the House, the United States of America.
And China wasn't second. So yes, there are intrusions coming from China, from Russia, from European countries, from our own country, and we'd better take precautions to protect our data.
You can't protect a BlackBerry. If you take your BlackBerry overseas--I just thought everyone knew this--and download something, you are opening yourselves up to a vulnerability. Now, we can take a snapshot of where your BlackBerry is before you go and see if it's been compromised while you're gone, but if you're not secure in your activities, you're not secure in your activities.
And so I take very seriously what you're saying, which is that not every Member understands this. We have to change that, and I'm going to be active in playing my part to change that.
BREAK IN TRANSCRIPT
Ms. ZOE LOFGREN of California. Reclaiming my time, let me just note that obviously we don't want sensitive information from the government to be in the hands where it can be compromised. We're not arguing that. I'm just pointing out that if Members use a computer in their office that's networked to visit a Web site in China, you can bet--you're asking for some malware to be put on your computer, and it's going to take everything that is accessible to the other computers in your network. And so you shouldn't do that.
When I travel with my laptop, and I sometimes do, you know, I never hook that laptop into the network of the House. In fact, it's against the rules to do so. And I don't do it because that would compromise the computer network. And so I would just note that the Homeland Security Committee has been very vigorous over the past 5 or 6 years that I'm aware of, I mean, we don't need a wake-up call, we've been yelling ``fire'' for half a decade and we haven't really been heard by those who have responsibility in the administration to act. However, we are moving forward in terms of systems in the House.
What I'm hearing from you, Mr. Wolf, and others, is that Members' level of information is quite variable on this, and we will take that seriously and do an effort of outreach on that.
Madam Speaker, I reserve the balance of my time.
BREAK IN TRANSCRIPT
Ms. ZOE LOFGREN of California. Madam Speaker, I would just note, the thrust of the gentleman's resolution has to do with the House, which is why I'm addressing the House computers. On the other hand, I've been concerned for a long time about cyber security in the Federal Government, in the DOD, in the Homeland Security Department, and frankly, in the private sector. And it is very spotty.
I just wanted to make a correction. I was briefed on the National Journal story. What happened on the nuclear power plant issue, it was not an attack. It was someone who was uploading some software onto a computer that he did not realize was networked, and it was inconsistent with other software. And actually it didn't work as designed because the control system shut it down.
Having said that, I have said in public--so I don't mind saying it here again today--that we have cyber security vulnerabilities, especially SCADA systems that were installed years ago before we were thinking about security. We have not paid enough attention to that either in the private sector or the public sector.
We have had FERC before the Committee on Homeland Security on several occasions urging them to force utilities to take the steps they need to preserve their networks, and they say two things: One, they don't have enough authority; and two, they don't want any more authority. So we've said this is an emergency situation, and we're not getting an emergency response attitude from the agencies with authority.
That is certainly something that other committees may want to look at. I'm just familiar with the efforts that I've been involved in, and they've been substantial, although, regrettably, not yet successful.
I would just like to stand up a little bit for our IT guys here in the House. It was our IT guys who discovered that your computers had been infected and notified you. And it's bad that they were infected, but it's part of the price you pay when you use a network computer to visit a potentially dangerous Web site. But they cleaned it up and responded promptly, and I think they deserve credit for letting that system work.
And just a final note on hits from China. That's not the same as an attack. And we keep track of the hits we have on our Web site. I mean, I get hits on my Web site from all over the world. I don't know why people in other countries come and visit my Web site, but it's not an attack, it's that they're looking at information that I have made publicly available.
What we are concerned about is attempted intrusions, and there are many of those in an astoundingly small successful effort. This is a constant battle. As the hackers become more sophisticated, our defenses need to become more sophisticated, and it never ends. That's why the effort to improve our patches in our security needs to happen every single day. There needs to be continuous monitoring of our systems. And it has to be all of us. This has to be a team. And every Member needs to take responsibility for this, along with the government itself.
Madam Speaker, I reserve the balance of my time.
BREAK IN TRANSCRIPT
Ms. ZOE LOFGREN of California. I will just say that I appreciate Mr. Ehlers' comments. As he has, I have introduced many Members to the concept of the Internet. Luckily that is no longer as necessary today as it was at one time. But some of our colleagues are real white-out-on-the-screen folks, and we need to bring them forward to the modern era.
But you are right. It is not just the Members. As I have mentioned to Mr. Wolf, I have made a commitment that I intend to follow through to ask the Republican Conference and also the Democratic Caucus to appear, not just by myself, but with top-level experts, to explain to Members their responsibilities and vulnerabilities for them when they travel abroad with mobile devices as well as their desktops in their office and how to preserve their network. And it's not just for the staff. I mean how many of us have made clear to the summer interns that if they have their laptop, and they're on a peer-to-peer network for whatever reason at home, and then they plug that laptop into the House network, I might add in violation of our rules, that they have introduced a vulnerability to our system? I don't know how many of us have given that little tutorial to these wonderful young people, but all of us should.
So I think this has been a helpful resolution, Mr. Wolf, because it has opened my eyes to the need to get Members to pay more attention. And I am going to play the most positive role I can to make sure that happens. But it is also going to take the cooperation of the Members themselves, because if this is not taken seriously, it won't happen.
I reserve the balance of my time.
BREAK IN TRANSCRIPT
Ms. ZOE LOFGREN of California. Mr. Speaker, I just want to say that I serve on three committees. I serve on the House Administration Committee. And I am here today in that capacity. I serve on the Homeland Security Committee where I have participated in I would say dozens of hearings on cybersecurity at least over the years. And I serve on the House Judiciary Committee where we have had, we have a little bit of jurisdiction, but we have actually worked pretty hard on our spyware issues and cybersecurity issues. We have paid attention to that.
I know that the Armed Services Committee has also paid attention to the whole issue of cyber warfare and cybersecurity. The Intelligence Committee isn't allowed to tell the rest of us mere mortals who don't serve what they have done, but I certainly hope they are taking this seriously and believe that they are.
I know that the gentleman has the right to close. I would just say that I would like to provide to Mr. Wolf the material from the many, many hearings that we have had. I think that he would value seeing what we have done so far. And also it would be valuable to him to see what remains to be done.
As I said earlier, we have been yelling, actually yelling about this. We have, as a Nation, tremendous vulnerabilities. And you can't always know. You can detect, unless it is spoofed, where an intrusion is coming from. You can't always say who has initiated that intrusion. But I will tell you, these intrusions and hackers are coming from all over the world with all kinds of intentions. And we all ought to take all of this very seriously. And we have failed, I think, to do all of the things that we could have done.
We have worked with the private sector. And at this point, the private sector is so wary of the Department of Homeland Security that there is a reluctance, actually, to work with the department because the information provided to the department will be so insecure. So we have a long ways to go.
I am glad that the gentleman has a strong interest in this. I wish that every Member had a strong interest in it. And maybe after we are through having these presentations to the Republican Conference and the Democratic Caucus, we will have a higher level of Member interest. And maybe instead of just our few voices in the wilderness here in the House, Mr. Ehlers, Mr. Langevin, myself and Mr. Thornberry, who have been working on this for so many years, will have more voices, and maybe we will have a better response. I certainly hope so.
I yield back the balance of my time.
BREAK IN TRANSCRIPT
Source