Cybersecurity
Floor Speech
Mr. WHITEHOUSE. Madam President, I will speak about a topic that is central to our national security and economic prosperity and which gets far too little notice and attention; that is, the vul ner a bil ity of America's network information systems, and the economic danger and national security risks we face from cyber-theft, cyber-piracy, and cyber-attack.
We live in a wired society. If we sever those wires and the social, economic, and communications linkages that make our way of life possible, we will cease to function. I am gravely concerned that we are not taking the necessary steps to guard against this threat, which I believe is the greatest unmet national security need facing the United States.
Earlier this month, the Intelligence Committee Cyber Task Force submitted a classified final report to the chair and vice chair of the Intelligence Committee. It was an honor to chair this bipartisan initiative and to serve with my distinguished colleagues, Senator Mikulski and Senator Snowe. I thank them for their diligence, their leadership, and their important contributions to this effort. They were excellent and we made a good team.
We spent 6 months investigating cybersecurity threats and our current posture for countering those threats, with a particular focus on the intelligence community. It was a very sobering experience.
There is a concerted and systematic effort underway by nation states to steal our cutting edge technologies. At the same time, criminal hacker communities are conspiring to penetrate financial industry networks, rob consumers of their personal data, and transform our personal computers into botnet zombies that can spread malware and chaos.
It is difficult to put a precise dollar figure on the damage and loss these malicious activities are causing, but it is safe to say it numbers in the many tens of billions of dollars--perhaps as high as $1 trillion.
I believe we are suffering what is probably the biggest transfer of wealth through theft and piracy in the history of mankind.
In addition, we face the risk of attacks--attacks designed to disable critical infrastructure, with grave potential harm to our national security and to our financial, communications, utility, and transportation sectors.
The intelligence community is keenly aware of the threat and is doing all it can within existing laws and authorities to counter it. The bad news is the rest of our country--including the rest of the Federal Government--is not keeping pace with the threat.
I am encouraged by the growing interest in Congress, where there are now more than 40 bills pertaining to cyber. I want to commend Senator Rockefeller and Senator Snowe, in particular, for being at the leading edge of the Senate's efforts. They have spent more than a year fine-tuning their
legislation, which speaks of their commitment to protecting the country and their recognition that we cannot reduce our vul ner a bil i ties without careful study and thoughtful engagement.
Much of the current debate on cybersecurity in the Congress focuses on executive branch organization dealing with this threat. This is obviously an important issue, and it is one that we must resolve sooner rather than later. But the question of how this all gets organized within the executive branch is merely one of the many problem areas we saw during the course of the work of the task force.
What are these other areas? Well, first of all, an overarching issue, we must raise the public's awareness about cyber-threats; otherwise, we face an uphill battle trying to legislate in this challenging and sensitive policy sphere.
What is the problem? Well, threat information affecting the dot.gov and dot.mil domains is largely classified--often very highly classified--and entities in the dot.com, dot.net, and dot.org domains often consider threat information to be proprietary and disclosing it could be a risk to their business. So the result overall is that the public knows very little about the size and scope of the threat their Nation faces.
If the public knew the stakes--knew the cyber-criminals, for example, have pulled off bank heists that would make Willie Sutton, Bonnie and Clyde, and the James Gang look like a bunch of petty thieves, they would demand swift action. If they knew the extent of the cyber-piracy against our intellectual property, and the economic loss that has resulted, the public would demand swift action. If they knew how vulnerable America's critical infrastructure is and the national security risk that has resulted, they would demand action. It is hard to legislate in a democracy when the public has been denied so much of the relevant information.
The first key point is public awareness. We have to share more information with the public about what is going on out there.
Second, we need to establish basic rules of the road. One of the signal features of our cybersecurity risk profile is that the overwhelming majority of malicious cyber-activity could be prevented if some computer users installed simple antivirus protections and allowed automatic updates of their software.
If we followed basic rules of the road, there would be a national security advantage: The Federal Government could focus its cybersecurity efforts on that narrower subset of threats that can evade commercial, off-the-shelf technology. There would be economic advantage from the potentially massive reduction in cyber-crimes, such as identity theft and credit card fraud.
Third, we need to empower the private sector to adopt a more proactive stance against cyber-threats. I am from Rhode Island. My State was founded as a sea trading State. When our traders were attacked by pirates, they got out their guns and fought back. Under current law, companies under cyber-attack can do little more than batten down the hatches. We need to look for more ways to help American companies better defend themselves.
Our courts provide one option. Creative technical experts and smart lawyers at Microsoft were able to mount a very impressive counterattack against the Waledac botnet by obtaining a Federal court order requiring that VeriSign, the domain name registrar, cut off domains associated with the botnet. This disrupted the botnet's command-and-control function, and it highlights an important possible role for our judicial branch.
Additionally, we need to establish lawful and effective means for industry sectors to band together with one another and engage with each other in
common defense strategies and information sharing where appropriate with the government. There are some early examples, such as the defense industrial base, that merit commendation, which we should encourage. But it is still pretty primitive.
Fourth, we must ensure that the Federal Government has the authorities and capabilities necessary to protect our American critical infrastructure against cyber-attack. If a bank, for instance, runs into a solvency problem, there is an established and widely accepted procedure for Federal intervention to protect the bank depositors, stand the bank back up, get it back on its feet, and move back out again.
There is no similar procedure if that bank or American critical infrastructure, such as an electric utility, is failing due to an ongoing cyber-attack. There needs to be clear, lawful processes for the private sector to request technical assistance and clear authority for the government to act when a cyber-incident raises significant risk to American lives and property.
It gets a little bit more complicated than that because you cannot just call 911, such as when there is a fire, and have the government come and put out the fire when it is a cyber-attack. Cyber-attacks happen literally at the speed of light.
The best defense against cyber-threats, particularly the most dangerous cyber-threats, requires speed-of-light awareness and response. For this reason, it is worth considering whether some defensive capabilities should be prepositioned in order to better protect the Nation's most critical private infrastructure.
During medieval times, critical infrastructure, such as water wells and graineries, were inside the castle walls, protected as a precaution against enemy raiders. Can certain critical private infrastructure networks be protected now within virtual castle walls in secure domains where those prepositioned offenses could be both lawful and effective?
This would, obviously, have to be done in a transparent manner, subject to very strict oversight. But with the risks as grave as they are, this question cannot be overlooked.
Fifth, we need to put more cyber-criminals behind bars. Law enforcement engagement against cyber-crime needs to be considerably enhanced at multiple levels, reporting, resources, prosecution strategies, and priority. A lot more folks need to go to jail.
Finally, we must more clearly define the rules of engagement for covert action by our country against cyber-threats. This is an especially sensitive subject and highly classified. But for here, let me simply say that the intelligence community and the Department of Defense must be in a position to provide the President with as many lawful options as possible to counter cyber-threats, and the executive branch must have the appropriate authorities, policies, and procedures for covert cyber-activities, including how to react in real time when the attack comes at the speed of light. This all, of course, must be subject to very vigilant congressional oversight.
Uniquely in the world and uniquely in our own history, America's economy and government now depend on networked information technologies for Americans to communicate with each other, keep the trains running on time and the planes flying safely, keep our lights on, and power our daily lives.
The expansion of this powerful new technology across our great country also makes us uniquely vulnerable to cyber-threats. We have to do a lot better as a nation on cybersecurity. I believe we can do better. I know we must do better. Frankly, we cannot afford not to do better.
I hope these remarks and the structure they have provided helps provide assistance to my colleagues as we begin debating and resolving these important issues.
I yield the floor. I see my distinguished colleague from Minnesota prepared to speak.
BREAK IN TRANSCRIPT
Source