BREAK IN TRANSCRIPT
Mr. CHAMBLISS. Mr. President, I rise today to speak in support of the Strengthening and Enhancing Cybersecurity by Using Research, Information, and Technology Act of 2012, otherwise known as the SECURE IT Act. This bill provides a strong foundation for Congress to enact what I hope can be a truly bipartisan approach for improving the ability of all Americans to protect themselves against the ever-increasing cybersecurity threat.
This bill was dropped today under the leadership of Senator McCain, Senator Hutchison, Senator Grassley, Senator Murkowski, and myself, and I am very pleased to be a part of that group who has worked very hard on this bill for a number of months.
There are a few who dispute the significance of the problem posed by the threat of cyber attacks. The financial harm inflicted by these attacks is now costing Americans billions of dollars each year. Denial-of-service attacks have been shutting down the Internet presence of businesses and organizations for years. Beyond the economic costs, malicious cyber activity is damaging our national security. Every day, cyber criminals and foreign adversaries steal large amounts of sensitive information from the networks of government and private sector entities. These trends need to be reversed before these malicious activities are measured in terms of lives lost rather than in terms of dollars, as we are seeing today.
For years the Senate Intelligence Committee has been following the growing cybersecurity threats. Early on, one of the most common questions asked in the cybersecurity context was, Who is in charge? While this seems like the natural place to start, it is important to understand why this is really not the right question.
First, there is no consensus on who should be in charge. Some have argued it should be the Department of Defense. Some say it should be the Department of Homeland Security. Others think it might be best to start from scratch. All of these options have very obvious drawbacks.
Second, and more important, we have been looking through the wrong end of the telescope in trying to answer this question. Rather than trying to find a governmental entity that should be in charge of cybersecurity, it turns out that the answer is actually much simpler: each and every one of us is in charge of our own cybersecurity. I know some people will scoff at this answer because it is too simplistic for such a complicated problem or they just don't trust us to act in our own best interests. I think they are wrong on both counts.
So, if we--and by ``we,'' I mean all of us who use and rely on computer networks, whether individuals, groups, organizations, corporations, or government agencies--are in charge of our own cybersecurity, the real question then is, What should be done to reduce the threat of malicious cyber activity? I believe the answer to that question is contained in the bill called the SECURE IT Act that we have filed today.
The SECURE IT Act consists of four key areas of common ground identified in various legislative efforts: first, information sharing; second, Federal Information Security Management Act reform; third, enhanced criminal penalties; and fourth, cybersecurity research and development.
We have seen firsthand the positive impact better information sharing can have on our national security. Since the 9/11 terrorist attack, improved information sharing throughout the government and especially within the intelligence community has greatly enhanced our national security. I believe a similar improvement to information sharing in the cyber context will pay huge, long-term dividends in terms of our safety and national security.
Once there is an understanding that information sharing will work best if it empowers the individual rather than a discrete government entity, the move from a regulatory approach to one that encourages voluntary sharing of cyber threat information by removing unintended barriers quickly follows. The information-sharing title of the SECURE IT Act is based on this voluntary approach and on the principle that government cannot and should not solve every problem.
The cosponsors of this bill relied upon a number of principles and practical considerations to develop the information-sharing provisions in this bill.
First, private sector innovation is the engine that drives our economy. Private sector entities have a vested interest in protecting their assets, businesses, and investments. What they often lack is information to help them better protect themselves. Therefore, our information-sharing provision authorizes private sector entities and non-Federal Government agencies to voluntarily disclose cyber threat information to government and private sector entities. The only time cyber threat information must be shared with the government is when it is directly related to a contract between a communications service provider and the government, which ordinarily is a term included in that contract anyway. The only new requirement is that such information will ultimately need to be shared with a cybersecurity center.
Information sharing is and must be a two-way street, but there are no quid pro quos here. Because the government often sees different threat pictures than the private sector, our bill also encourages the government to immediately share more classified, declassified, and unclassified cyber threat information. As one example, consider how improved information sharing might safeguard transportation industry systems. Suppose a commercial airline company detects a virus in its reservation system. The virus is stealing information, including customers' credit card numbers, and sending it to a hacker's server overseas. The airline, after investigating internally, determines where the stolen data is being sent. Under our bill, the airline may share the Internet address that is receiving the stolen credit card information with any other companies, such as other airlines, as well as with the government. With this warning from the first airline, other transportation companies can check their systems to see if any of their data is being sent to the hacker's server. Moreover, using the hacker's Internet address, law enforcement is able to begin an investigation to identify other victims of the same hacker.
The cybersecurity centers will also be able to notify private entities of the nature of this particular threat. In this example, it is unlikely that the airline will ever need to share or release any customer's personally identifiable information.
Second, my cosponsors and I intentionally omitted a critical infrastructure title because we believe a top-down regulatory approach will stifle the voluntary sharing of cyber threat information by the private sector. Consistent with this principle, our information-sharing title does not provide any additional authority to any government entity to impose new regulations on the private sector. In fact, the bill prohibits government agencies from using any shared cyber threat information to regulate the lawful activities of an entity. In short, the bill leaves the existing regulatory regime unchanged.
The real difficulty with trying to regulate in this area is that malicious cyber activities occur in real time and are constantly changing. The bureaucracy-driven regulatory process is simply not nimble enough to keep up with the leading cybersecurity practices. Another disadvantage to a regulatory approach is that it gives hackers insight into existing cybersecurity performance requirements and, as a result, potential vulnerabilities. As industry representatives have told us, this could actually make us less safe, not more safe.
Thirdly, our bill does not create any new bureaucracy to facilitate the sharing of cyber threat information. Rather, it relies upon the existing cybersecurity centers and gives private entities the flexibility to share their cyber threat information with any cyber center. To ensure thorough dissemination within the government, each cybersecurity center is required to pass on to other centers any cyber threat information it receives from an entity. Ultimately, we expect that our current decentralized cybersecurity center structure will be energized by an increase in shared cyber threat information. We also think these centers, with their ongoing relationships with many private entities, provide a more robust and secure environment for information sharing than creating new cybersecurity exchanges or a new national center.
Another advantage of our ``no new regulatory authorities'' and ``no new bureaucracy'' approach is it is also a ``no new spending'' approach. Our bill does not authorize any new spending, which is particularly important given our current economic situation.
Fourth, our bill contains clear and unconditional protection from civil and criminal liability for entities that rely upon the authorities in the information-sharing title. Specifically, a private entity cannot be sued or prosecuted for using lawful countermeasures and cybersecurity systems to defend its networks and identify threats. In addition, neither a private entity nor a Federal Government entity can be sued or prosecuted for using, disclosing, or receiving cyber threat information or for the subsequent action or inaction by an entity to which they gave cyber threat information.
These clear liability protections are necessary to encourage robust information sharing. If they are watered down or made conditional on sharing with the government, private sector lawyers will likely discourage their clients from sharing cyber threat information and, at a minimum, sharing will be delayed while lawyers have to be consulted.
The final practical consideration that governed the drafting of our information-sharing title was to provide sensible safeguards for the protection of personal privacy. We accomplished this in a number of ways.
This information-sharing title is focused on the sharing of only ``cyber threat information.'' It is a key definition in the bill. If you study it carefully, you will see it is limited primarily to information related to malicious cyber activities. There is no authorization or liability protection for using, sharing, or receiving information that falls outside of this definition. Nor can private entities use their cybersecurity systems to get information that falls outside this definition. Moreover, it helps to remember that people engaged in malicious cyber activities are essentially trespassers who have no standing to assert privacy interests.
Besides this relatively narrow definition of ``cyber threat information,'' there is an additional privacy mechanism that limits the collection and disclosure of cyber threat information for the purpose of preventing, investigating, or mitigating threats to information security. In other words, if what you are doing is not for these purposes, then you cannot do it under this bill.
Another way this bill protects privacy is by requiring the government to handle all cyber threat information in a reasonable manner that considers the need to protect privacy and allows the use of anonymizing information.
Since information sharing is voluntary under our bill, private sector entities can take any steps to protect their own privacy interests and the privacy of their customers. Moreover, our bill allows private sector entities to require the recipients of their cyber threat information to seek their consent before further disseminating the information.
Finally, Congress will be able to conduct its oversight since our bill requires an implementation report to Congress within 1 year of enactment, with follow-on reports every 2 years thereafter. These reports will give Congress detailed insight into a number of areas, including the degree to which privacy may be impacted by the provisions in this title.
Now that I have identified the key components and advantages of our approach to information sharing, let me explain why we were compelled to draft this separate bill.
All of the cosponsors of the SECURE IT Act agree with Senators LIEBERMAN and COLLINS and the White House that Congress needs to address the cybersecurity threat. When we attempted to participate in the cyber working groups, it became clear pretty early on that it was going to be difficult to come up with a consensus product.
My experience with working on bipartisan bills such as the Intelligence Authorization Act is that we generally start from scratch and only put in those provisions that are agreed to by both sides. If a provision receives an objection, it is not included, but it is understood it may be an amendment during markup or on the floor. This approach always gives us a great starting point that enjoys the overwhelming support of both sides.
Since the working group process had essentially reached an impasse on the issue of critical infrastructure regulation and how best to promote information sharing, the cosponsors of the SECURE IT Act joined together to develop a bill that would cover ``common ground'' and could serve as a better starting point for negotiations. We have listened to all sides in putting this bill together--government, industry, private groups, cybersecurity experts, and our colleagues on both sides of the aisle in both the Senate and the House. There should be nothing surprising in our bill. Our ranking member group has been telegraphing our priorities for months now.
If we are serious about passing cybersecurity legislation in this Congress--and I hope we are--we should be working together to pass a bill with the support of a large group of Senators far in excess of the 60 we need, as we have done in the past on many major pieces of legislation. I believe the ``common ground'' approach of the SECURE IT Act puts us on a clear path to reaching this goal.
This is important national security legislation. Fortunately, Leaders Reid and McConnell have an outstanding record of garnering overwhelming bipartisan support for national security legislation, and I am confident they will seek to do so again. I look forward to continuing these discussions and getting a strong bipartisan bill signed into law.