BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Mr. President, I rise to speak on the motion to proceed to S. 3414, which is the Cybersecurity Act of 2012.
This cloture motion has been filed that will ripen sometime tomorrow, but I think it is the hope of Members on both sides of the aisle that we can proceed to vote on the motion to proceed today. I am hopeful colleagues on both sides of the aisle will vote to proceed, because although there continues to be some disagreement about the content of this bill and different approaches taken, I don't think there is any Member of the Senate who doesn't appreciate the fact that our country is currently under cyber attack every day, our businesses are victims of cyber theft every day, with the consequential loss of billions of dollars' worth of investments and, I would say, tens of thousands of jobs going elsewhere.
So this bill is not a solution in search of a problem; it is an attempt to solve a problem. Although there may be differences still on different components of the bill, I hope everybody will join together in at least saying: Let's proceed to the debate, and let's see if we can reach a conclusion before we leave for the August break next week.
I will report in this regard that this morning there was a second meeting held of those who have been most active in supporting different legislation that deals with the cyber threat to America. Senator Collins and I, Senator Feinstein, Senator Rockefeller, Senator Carper--who introduced the pending matter, the Cybersecurity Act of 2012--Senators Hutchison and Chambliss were there today, Senator Coats--who introduced the so-called SECURE IT Act--and then a group of peacemakers-bridge builders, Senators Kyl and Whitehouse, Senator Graham, Senator Coons, Senator Blumenthal, and Senator Coats, again, who sits in two of the three groups, which makes him a superbridge builder.
It was a very good, substantive discussion, in which we were all fleshing out the details of the various proposals. We are seeing some areas where I think we feel we have a real opportunity to agree and some areas where it may be more difficult, but we haven't given up. But overall, I would say this process has been very encouraging. Basically, all the leading parties in the Senate and all the Senators are around the same table talking, which is very constructive to have happen. I appreciate that. To me, it is more reason to vote to proceed.
I wish to begin by thanking the aforementioned Senators Collins, Rockefeller, Feinstein, and Carper, who joined me in sponsoring S. 3414, which I wish to talk about a bit now in this opening statement.
I also wish to thank the majority leader, Senator Reid, for seeing the cyber threat to America in all its urgency and reality last year, urging Senator Collins and me to go forward and work on legislation, to work across party lines to get a bill out and now to thank Senator Reid for keeping his commitment to bring this bill to the floor, even though, as always, there are clearly other important issues vying for this body's attention. But, to me, there is none more important to America's security and prosperity than this topic, which is cybersecurity and the cybersecurity bill that is now pending.
I would like to make three points in my remarks to my colleagues.
First is that the danger of cyber attacks against the United States is clear, present, and growing, with enemies ranging from rival nations to cyber terrorists, to organized crime gangs, to rogue hackers sitting at computers almost anywhere around the world. The pending matter, S. 3414, Cybersecurity Act of 2012, responds directly and effectively to this danger.
Second, this bill has been a long time in coming. In this regard, I note a letter sent out by the U.S. Chamber of Commerce overnight that, I must say, I found very disappointing overall because, if I may state it affirmatively, it doesn't embrace the same spirit I see Members of the Senate embracing; that although we have different positions, we can't afford to be inflexible. We can't be closed to compromise because of the urgency of the threat to our country and because of the general principle that has not been as evident in the Senate and Congress generally as it should be in recent years; that we never get anything done unless there is some compromise. I am not talking about compromise of principle. But if we go into every negotiation saying, I will only accept 100 percent of what I want, ultimately we are not going to get anything, if we can get 80 percent, 75 percent, 60 percent--particularly when we are dealing with a threat to the security of the United States and our prosperity as real as the cyber threat.
I hope our friends at the Chamber will reconsider the tone of their opposition and come to the table to talk with us about their concerns and see if we can't reach common ground because there is a larger national interest at stake than represented by any particular group or any individual
Senator or their point of view.
In their letter of July 25, 2012, signed by R. Bruce Josten, executive VP for government affairs of the U.S. Chamber of Commerce, the Chamber says that:
..... S. 3414, the ``Cybersecurity Act of 2012,'' which has been rushed to the floor without a legislative hearing or markup. The bill was introduced just last week and remains a moving target; new and modified provisions of the bill are expected to be released in the coming days.
If they are, it is going to be a result of the give-and-take compromise that leads to legislation that is going on now. But I wish to respond to the idea that this came out of nowhere.
This bill has been a long time in coming. As a matter of fact, I went back and looked at the records. I attended my first hearing on cybersecurity as a member of the former Senate Governmental Affairs Committee--the predecessor to the current Homeland Security Governmental Affairs Committee--under the leadership of then-Chairman Fred Thompson. That was back in 1998, 14 years ago. I have been concerned ever since about the growing threat of cyber attack.
Along with my dear friend and colleague on the committee, Senator Collins, our committee has held multiple hearings on cybersecurity; that is, the new Homeland Security and Governmental Affairs Committee, and we weren't alone. There have been numerous hearings over the past several years and markups by multiple committees in both the Senate--many held by our colleagues Senator Rockefeller and Senator Feinstein in the Commerce and Senate Intel Committees--as well as in the House. Those deliberations and discussions were informed by numerous government and private sector studies on the dangers that lurk in cyberspace.
So this bill didn't come out of nowhere. We reported a bill out of our committee, with a lot of hearings and an open markup. We began, at the majority leader's direction, to negotiate with the other committees, particularly Commerce and Intel. We reached agreement, which is essentially what this bill is.
Incidentally, we then altered this bill--Senators Collins, Feinstein, Rockefeller, and I, in response to the bipartisan Kyl-Whitehouse group recommendations--to make it nonmandatory but still significant. So this bill has been aired and worked on and is ready for action.
But more to the point, the Senate needs to act. That is why it is so important we adopt the motion to proceed, because this threat is real, dangerous, and growing every day.
Third, this bill, S. 3414, is the result of bipartisan compromise. It is both bipartisan and it is the result of compromise. We cosponsors, as I mentioned, gave up some elements we thought were important that we had in our original bill. Given the cyber threat, we actually thought it was more important to move forward with a bill that will significantly strengthen our cybersecurity, even though it doesn't do everything we want it to do and thought should be done.
We didn't want to lose the chance to pass cyber legislation this year that could prevent a cyber 9/11 attack against the United States before it happens, instead of rushing in the midst of mayhem back to the Senate and House to adopt cybersecurity legislation after we suffer a major attack.
As I said, we have incorporated ideas from Senators Whitehouse, Kyl, and the other Members whom we were working with quite diligently to help us find common ground. I wish to explicitly and enthusiastically thank them for their efforts.
We have heard and responded to Senators Durbin, Franken, Wyden, and others, and advocacy groups across the political spectrum from left to right, who have pressed for greater protections for privacy, personal privacy in this bill. We have made substantial changes designed to address concerns from stakeholders and colleagues.
I am confident we can work through more issues as we debate the bill on the floor. But the main point here, if I may use quite a familiar expression around here with a slightly unique follow-on phrase, I hope: If in our quest for cybersecurity legislation we allow the perfect to be the enemy of the good, we are going to end up allowing our enemies to destroy a lot that is good in the United States of America. We have to act together for the good of the Nation, get the debate started and bring amendments to the floor for an up-or-down vote.
Let me stress at this point that Senator Reid, the majority leader, has been quite clear that his desire, his intention is to have the process be an open amendment process so long as the amendments are germane and relevant to the topic of the bill, cybersecurity, not just open to any amendment about any subject.
I want to go back over these three points and talk about them in a bit more detail. Let me start with the reality of the threat. I want to read from a letter sent to us recently by some of our Nation's most experienced security leaders from both Republican and Democratic administrations. Here is a letter to the majority and minority leader, signed by former Bush administration Secretary of Homeland Security Michael Chertoff; former Bush administration Director of National Intelligence ADM Mike McConnell; former Bush Deputy Defense Secretary Paul Wolfowitz; former NSA and CIA Director General Michael Hayden; former vice chair of the Joint Chiefs of Staff Marine Gen. Jim Cartwright; and former Deputy Defense Secretary William Lynn. I quote from the letter. It is quite an impressive group, clearly bipartisan--nonpartisan.
We write to urge you to bring cybersecurity legislation to the floor as soon as possible. Given the time left in this legislative session and the upcoming election this fall, we are concerned that the window of opportunity to pass legislation that is in our view critically necessary to protect our national and economic security is quickly disappearing.
These security leaders went on to say:
Infrastructure that controls our electricity, water and sewer, nuclear plants, communications backbone, energy pipelines and financial networks must be required to meet appropriate cybersecurity standards. We carry the burden of knowing--
It is really chilling.
We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time. We do not want to be in the same position again when ``cyber 9/11'' hits--it is not a question of whether it will happen--but when.
That is not a statement from a Member of the Senate or an advocate on one side or the other. These are proven national security leaders who have worked in administrations of both political parties. ``It is not a question of whether a cyberattack will happen,'' they say, ``but when.''
Many others have issued similar warnings. Secretary of Defense Panetta has said the next Pearl Harbor-like attack against America will be launched from cyberspace.
Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey has warned: ``A cyberattack could stop our society in its tracks.''
Just this month, National Security Agency Cybercommand Chief Gen. Keith Alexander blamed cyber attacks for: ``The greatest transfer of wealth in history.''
General Alexander estimated that American companies lose about $250 billion a year through intellectual property theft through cyberspace; $114 billion to theft through cyber crime; and another $224 billion in downtime the thefts caused.
We talk a lot here in the Senate these days, as we must, about how we protect American jobs. It turns out that in creating more cybersecurity in our country we are also going to protect tens of thousands of jobs which otherwise are going to end up elsewhere in the world because they will have stolen the industrial secrets that lead to the new industries that create those jobs.
General Alexander concluded this part of the statement he made by saying: `` ..... this is our future disappearing before us.''
These fears are not speculative. Let me go through a recent op-ed in the Wall Street Journal that President Obama wrote.
In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we have seen in past blackouts--
Which were caused by natural disasters, for instance--
the loss of electricity can bring businesses, cities and entire regions to a standstill.
These fears are not speculative. They are not theoretical. They are based on existing facts and existing vulnerabilities. Consider, if you will, this recent story in the Washington Post that detailed how a young man living an ocean away used his computer to hack into the control panel of a small town water utility in Texas. It took him just 10 minutes and required no special tools or training. The utility had no idea of what had happened until the hacker posted screen shots of his exploit online as a warning of how vulnerable all of us are. Imagine if terrorists decided to target a string of small utilities across the United States and either cut off fresh water or dumped raw sewage into our lakes, rivers, and streams. We would have an environmental and economic disaster on our hands. But this is a real possibility.
This brings me to my second point. We need to act and act now. The challenge of cybersecurity has been studied for a long time and there is no need for more studies or hearings or delay, as the Chamber letter requests. I went back to the Congressional Research Service. According to a report that they issued, in the 112th Congress alone there have been 38 hearings and 4 markups in the House and 33 hearings in the Senate on cybersecurity.
In the 112th Congress, the Judiciary Committee also held a markup on the Personal Data and Privacy Security Act and
in previous Congresses the Senate has held markups on cybersecurity legislation in five separate committees under regular order, all of which is included in the bill that is pending before us today.
Since 2005, the Senate Homeland Security Committee alone has held 10 hearings with 48 witnesses testifying and took questions over a total of 18 hours. Look at the bill's cosponsors. S. 3414: Senators Collins and I, along with Senators Feinstein and Rockefeller, have held numerous hearings, forums, and cybersecurity demonstrations for Members and staff. All these hearings and briefings were further informed by, according to the CRS, a total of 60 governmental reports totaling 2,624 pages produced by the GAO, the Department of Defense, the OMB, the Department of Energy, and other Federal agencies. This doesn't count the many more reports from the private sector--computer security firms such as SEMANTEC and think tanks and academic institutions such as MIT and the Center for Strategic and International Studies.
This matter is ready for action. I go back to a 1936 book Winston Churchill wrote, ``When England Slept.'' Not ``Why England Slept'' but ``When England Slept'' . He asked his colleagues in the Parliament who were refusing at that time to act decisively to counter the rise of German military power despite its clear threat to Europe--Churchill said: ``What will you know in a few weeks about this matter that you do not know now ..... and have been not been told any time in the last six months?''
I think the same can be said now. That is why I think it is so important to adopt the motion to proceed and get something done before we leave Washington for the August break.
Finally, in the interest of moving forward, my cosponsors and I, as I indicated earlier, have made a major compromise in the bill we are bringing to the floor in terms of how we deal with critical cyber infrastructure. Here again, we are talking not about small businesses around America, we are talking about powerplants, energy pipelines, water systems, financial systems that we all depend on for our banking, water--sewer systems, for instance--that if sabotaged or commandeered in a cyber attack could lead to catastrophic deaths and economic and environmental losses.
In our original bill, Senators Collins, Feinstein, Rockefeller, and I called for mandatory cyber safety standards for all critical infrastructure after those standards were developed in consultation with the private sector. We did not think this was a unique or onerous requirement but our responsibility in carrying out our constitutional oath to provide for the common defense. Since antiquity, as a matter of fact long before the American Constitution, societies have chosen to adopt safety standards to protect their citizens, particularly safety standards for physical structures starting with the homes we live in, but also our offices, factories, and critical infrastructure such as powerplants and dams. Today we call these building codes. Can you imagine if there were no building codes, the danger that people would take when they walked in our office buildings or factories or apartment houses or residences?
I cannot resist saying these building codes in some sense are as old as the Bible. Here I go to Deuteronomy 22:8 which says:
When you build a new house, you shall build a parapet for your roof, so you shall not bring the guilt of blood upon your house if anyone should fall from it.
There is direct relevance in a very different context from the Biblical context to what we are trying to do here, which is to build a kind of parapet around our cyber systems so we do not bring the guilt of blood on us because somebody has attacked through those cyber systems.
The reason we have done this over antiquity in the physical world is obvious. If one of our homes catches fire because of the wiring not up to code or it happens in an apartment building or an office building, the people in it are endangered, obviously, but also the lives and homes of our neighbors, the community are in danger as well. Numerous bipartisan national security experts have been in total agreement that mandatory requirements are needed to protect our national and economic security from the ever-rising risk of cyber attacks.
But it was this provision, seen in the context of regulation of business while we were seeing it as homeland security, protecting homeland security, that was the most controversial in our compromise bill and drew the most criticism. To be more specific about it, it threatened to prevent passage of any cybersecurity legislation this year which, for the sponsors of this bill, was simply an unacceptable result.
Following the rule that no matter how deeply one believes in the rightness of a provision in a bill, we agreed to change it because there is so much else that is critically important in our bill that will protect America's cybersecurity.
So we withdrew the mandatory provision and created all the standards for performance of how the most critical infrastructure, cyber structure, would protect itself. But then we left it voluntary; however, we did create some incentives. Let me be clear that the decision is to be what we all want it to be, which is as a result of a collaborative, cooperative effort that businesses that operate the most critical cyber structure, such as, electrical systems, water systems, transportation, finance, communications, will want to comply.
Under our revised bill, private industry, which incidentally owns as much as 85 percent of the Nation's critical infrastructure--that is the American way, and that is great. But when that 80 to 85 percent of our critical infrastructure can well and probably will be the target of not just theft but attacks by enemies of the United States, we have to work together to prevent that.
In our bill we give the private sector the opportunity to develop a set of cybersecurity practices which will then be reviewed by the new National Cybersecurity Council that our bill creates. It will be chaired by the Secretary of Homeland Security and made up of representatives of the Department of Defense, Commerce, Justice, and the intelligence community, and presumably the Director of National Intelligence. This National Cybersecurity Council will review the standards agreed upon by the private sector and decide whether they are adequate to provide the necessary level of cybersecurity for the American people.
Owners of critical infrastructure will then have a decision to make. Do they want to essentially opt into the system or do they want to not do so? That is up to them under the bill as is put before them because it is voluntary. If they opt in--and this is what we hope will be an incentive--they will be entitled to receive some benefits, the most significant of which will be immunity from certain forms of liability in case of a cyber attack. We also offer expedited security clearances and prioritize technical assistance from our government on cyber questions from those critical covered cyber-infrastructure companies that opt into the system.
I think our colleague from Rhode Island, Senator Whitehouse, has a very good metaphor for what we are trying to do. As he said, we are trying to build Fort Cybersecurity where we essentially become part of a system that provides greatly enhanced protection from cyber attack and cyber theft, but we are not compelling anybody to come into Fort Cybersecurity. We are encouraging them to do so, and we are giving them some incentives to do so. Of course, we hope that sound and wise administrators of those companies and forces of the marketplace will encourage them to make a decision to come into Fort Cybersecurity.
Finally, our bill contains information-sharing provisions, which I think most people who have looked at the threat of cyber attack and cyber theft think are very important. These provisions will allow the private sector and government to share threat information between each other and among themselves. In other words, one private company can share information about an attack with another private company to see if the attack is part of a broader pattern.
For instance, they can talk about where it may be coming from to raise their cyber defenses against it, and to do so without fear of--well, for instance, any trust action by the State or Federal Government. Also, very often companies that believe they have been a victim of cyber attack will go to the Federal Government, the Department of Homeland Security, or the National Security Administration for help; however, a lot of them don't. Part of the reason for that is they fear, among other things, they may compromise the privacy of their records. Others, quite frankly, don't want to admit they have been attacked. This is a real problem. I will come back to that in just a moment.
We give protection from liability for companies that share their information with the government. Yet there were many individual Senators and many people from outside groups who are focused on privacy who were concerned that in doing this we were opening up a method by which parts of our Federal Government could basically violate privacy restrictions, take personal information off of the information shared by a private company with the government, and they be the victim of some kind of public intrusion or even law enforcement.
So I think we negotiated a good series of agreements on this which, one, will ensure that companies who share cybersecurity information with the government give it directly to civilian agencies and not to military agencies. That was a concern people had.
Second, we ensure that information shared under the program be reasonably necessary and described as a cybersecurity threat. In other words, not just wantonly share it because some of this is private information.
Third, we restrict the government's use of information it receives under the cyber information-sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes with two exceptions broadly agreed on: One is that the information can be used to protect people from imminent threat of death or physical harm; and, two, to protect children from serious threats of one sort or another.
Next, we would require annual reports from the Justice Department, Homeland Security, the defense and intelligence community, and inspectors general to describe what information has been received in the previous year, such as, who got it and what was done with it. Finally, we allow individuals to sue our government if the government intentionally or willfully violates the law; that is to say, the law relating to these privacy protections.
I am very pleased by these changes we made. I want to say this loudly and clearly: This bill is about cybersecurity. But in trying to elevate our cybersecurity, we didn't want to compromise people's privacy or their freedom. So what I have just read was intended to assure that this bill, as best we could, would not compromise privacy or freedom rights.
Then I took this set of compromises to the most important people in our government who are focused on cybersecurity--the Department of Homeland Security, the National Security Agency, the FBI--and they all said, I am pleased to say, these privacy protections will not inhibit their ability to protect America's cybersecurity. They can live with these without the slightest diminishing of their focus, which understandably is not privacy but it is cybersecurity. They said these amendments to our original bill don't inhibit what they are doing.
I conclude by, again, urging my colleagues to vote, presumably today, yes on the motion to proceed so we can get the debate started, so we can continue to work to achieve common ground and a meeting of the minds and enact this piece of crucial national and economic and security legislation in this session of Congress.
I thank the Chair, and I yield the floor.
BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Mr. President, for the information of my colleagues, I know the Senate majority leader is in discussions with the Republican leader, and I know the hope is we can soon have the vote on a motion to proceed to S. 3414. But as yet I have not been informed there has been the necessary meeting of minds. I hope it will be soon, and I hope everyone will support it.
I yield the floor, and I suggest the absence of a quorum.
BREAK IN TRANSCRIPT