BREAK IN TRANSCRIPT
Ms. MURKOWSKI. Mr. President, I come to the floor today to speak about cybersecurity legislation--legislation we hope will soon be before the Senate.
There is no question--no question at all--that this is a critical issue that should be addressed by this Congress, and I am certain that every Member of this body is concerned that our Nation may be vulnerable to cyber-attacks that could truly have very severe economic and security ramifications. We see stories about cyber-attacks daily--whether they are attacks on individuals, on companies, on government--and I believe it is time for us to take steps to protect ourselves against this emerging threat.
In the coming weeks, the Senate is expected to take up legislation to address this very real problem, and I am hopeful this effort will result in legislation we can all agree is worthy of sending to the President. But right now it appears we are on track to follow an all-or-nothing approach. The problem I see with the bill that is expected to come to the floor--featuring text that was recently released by the Homeland Security and Governmental Affairs Committee--is that it has not gone through regular order and, I fear, amounts to regulatory overreach. If that is our only option here, it will ultimately prevent us from making progress on cybersecurity here in Congress, which I think would be an unfortunate outcome.
Because that outcome is unacceptable, I have introduced an alternative bill this morning, along with a number of ranking member colleagues. I know Senator Chambliss from Georgia was here on the floor earlier, and many of us spoke to it earlier in the day. We call our bill the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012. It has an acronym, of course. It is called SECURE IT for short. The bill follows a commonsense approach to address our ever-increasing cyber threats.
Our bill focuses on four different areas we believe can draw bipartisan support and result in good public law. Those four areas are: information sharing, FISMA reform--which is intelligence-sharing reform--criminal penalties, as well as additional research.
What the SECURE IT bill does not do is equally important, because it does not simply add new layers of bureaucracy and regulation that will serve little purpose and achieve meager results. The Homeland Security and Governmental Affairs Committee bill would arm the Department of Homeland Security with expansive new authorities to review all sectors of our economy and designate what is termed ``covered critical infrastructure'' for further regulation. What we hear out there from industry is that this amounts to regulation almost for regulation's sake. In the electricity industry's case, this is resulting in duplicative regulation that I am afraid will lead to a ``compliance first'' mentality. Companies will focus on meeting their new Federal requirements and passing a seemingly endless stream of audits, but these heavyhanded statistic requirements from yet one more Federal regulator will not necessarily address the very real threats we face. So again, the concern is we will have industry focused on how do we comply, how do we avoid a bad audit, instead of using their ingenuity and their resources to ensure we stay ahead of any future cyber-attack. We need to be more nimble. We have to have a more nimble approach to dealing with cyber-related threats that are constantly growing and constantly changing. The threat we see today is not necessarily the threat we might anticipate tomorrow, so we have to stay ahead of the game. This is important, and this is where our SECURE IT bill comes in. I think we have simply taken a more pragmatic approach by focusing on the areas where we know we can find some bipartisan support.
One area I think we can all agree on is that the Federal Government needs to form a partnership with the private sector. We share the same goals, that is clear. The goals are to keep our computer systems and our Nation safe from cyber intrusions. We need the private companies to be talking with each other and with the government about the cyber problems they face as well as the potential strategies and the solutions to combat them. To achieve this goal, our legislation encourages the voluntary sharing of much needed information by removing legal barriers to its use and its disclosure. At the same time, we are very careful to safeguard the privacy and prohibit information from being used for competitive advantage.
Our bill also provides necessary updates to the Federal Information Security Management Act. This is the FISMA I spoke to a minute ago. These FISMA reforms require real-time monitoring of Federal systems. It will modernize the way the government manages and mitigates its own cyber risks. And unlike other legislation on this subject, the cyber bill we have introduced today will update criminal statutes to account for cyber activities. Finally, we support advanced cybersecurity research by leveraging existing resources without necessarily spending new Federal dollars. That is very important for us.
This straightforward approach to cybersecurity, I think, can go a long way in tackling the problem. Clearly, our own government agencies here need to be communicating a little bit better with one another. An example of this is that the White House and Department of Homeland Security are staging an exercise next week. All Members have been invited to attend and go through this exercise. It is a mock scenario that will feature a cyber-attack on the Nation's grid. And while I absolutely think this is a useful exercise, and something that is well worthwhile, I do find it quite surprising--quite surprising--that DHS would set up a grid attack scenario and fail to include the grid's primary regulators. These would be the electric reliability organization--what we call NERC--and the Federal Energy Regulatory Commission, or FERC. These are the two regulatory agencies currently in place that provide for that cyber regulation. It is mandated within our grid that these agencies tend to just this issue. So it does make me question if DHS is even aware the electric industry is the only industry already subject to mandatory cyber standards, or that the NERC has the ability to issue time-sensitive alerts to electric utilities in the event of emergency situations. It is kind of hard for me to understand why DHS would proceed with a grid attack simulation and not include the existing governmental entities that already have these safeguards in place. It also begs the question as to whether Congress should provide DHS with such significant and expansive new authorities in the cyber arena.
Before I close, I wish to take a moment to talk about the process behind cybersecurity legislation. While my colleagues and I have highlighted the substantive and procedural problems that are associated with the Homeland Security and Governmental Affairs Committee bill, the majority, and even the press, have attempted to dismiss our arguments as nothing more than partisan stall tactics.
I stand before you to tell you that is simply not true. I want to take action on cyber. I know all of the ranking members who have joined together on this issue want to take action on cyber. We need to do it. I have been calling for action and for legislation since last Congress. We have been working on it in the Energy Committee and have moved out that cyber energy piece. But I do think it is important around this body that there is some meaning to the process; that process really does matter. That is how strong, bipartisan pieces of legislation are enacted. When we forego that process and refuse to do the hard work in the committee--and it is hard. But if we don't do that, we put ourselves on a path to failure with that legislation.
So when we have seven ranking members taking issue with how a bill has been put together, I think we had better pay attention. I think we need to look at whether our process is working.
The SECURE IT bill we introduced today is a strong starting point for us. Some may argue we need to go a little further. But additional layers of bureaucracy and regulations are not the answer at this time. Legislating in the four areas we have highlighted--in the information sharing, the FISMA reform, criminal penalties, and research--these are necessary first steps that will make a tremendous amount of difference. If we need to do more in the future, we in Congress can certainly make that determination. But let's not take an all-or-nothing approach to cyber legislation and ultimately end up empty-handed.
I ask my colleagues to take a look at what we have presented today and consider supporting the SECURE IT Act so we can continue to ensure our citizens, our companies, and our country are protected.