BREAK IN TRANSCRIPT
Ms. MURKOWSKI. Mr. President, we have had a great deal of conversation these past several days regarding cyber security. There is no question that we all agree it is a critical issue. I am sure every Member of this body shares the concern that our Nation is vulnerable to cyber attacks, and those attacks could have severe economic and national security ramifications.
We saw just this week over 180 amendments filed to the cyber legislation. I think it is pretty clear that a lot of us have ideas on how best to protect our critical infrastructure. I think that is just one of the reasons I was disappointed that the amendment tree was filled and cloture was filed on the cyber measure.
I don't think that was the process we were promised when the Senate overwhelmingly agreed to consider the cyber security bill. Because Members were denied the opportunity to have a thoughtful and complete debate, the cloture vote failed on a bipartisan basis this morning.
We have heard a lot about the electric grid during this debate and how legislation is needed to protect our Nation's transmission systems from cyber attack. What perhaps has been missing from this debate and discussion is a recognition that Congress had already moved to protect our grid system, and they did so 7 years ago. They enacted the bipartisan Energy Policy Act of 2005.
I am the ranking member on the committee of jurisdiction. I reassure my colleagues that we already have mandatory cyber security standards in place for our electric grid. In the 2005 Energy Policy Act, Congress directed the Federal Energy Regulatory Commission, FERC, the grid's regulator, to set mandatory enforceable reliability standards, including standards for cyber security.
And because these standards can be very technical--extremely complex--Congress decided they should be developed through a consensus-driven stakeholder process that is overseen by the Electric Reliability Organization--an organization that we call NERC.
We thought this was so important back in 2005 that we even expanded FERC's traditional jurisdiction to include municipal and cooperatively owned utility systems under these grid reliability standards. Now, it might surprise some to learn that the FERC-NERC mandatory cyber security regime currently regulates over 1,900 different entities and that the electric power sector is already subject to Federal penalties, and these penalties are serious--up to $1 million per day for noncompliance. So there is teeth attached to these standards.
In fact, one of our own government entities--the Southwestern Power Administration--was recently fined by the grid regulators for violating two mandatory cyber standards.
The point is the electric power sector and our grid regulators have been working extremely hard these past 7 years to develop and to implement these cyber standards. We have already taken substantial measures to safeguard our electric utility systems. We have identified our critical assets and established security management controls, performed risk assessments, and trained personnel. We have established sabotage reporting and mandated disaster recovery plans. These are all processes and procedures that have been put in place.
Also, it might surprise some to learn the Nuclear Regulatory Commission--the NRC--has already taken action to protect the Nation's nuclear facilities from cyber attack. The nuclear industry developed a cyber security program for critical assets over a decade ago. The NRC now mandates cyber security plans for nuclear plants, including the identification of critical cyber assets and required contingency and incident response plans. Failure to comply with the NRC cyber requirements also can result in fines and even an order to shut down the nuclear reactor.
So, again, there are standards that have been put in place with compliance requirements and penalties that are attached for failure to comply.
One concern was that the cyber bill was brought to the floor via rule XIV. A concern with this was that it would undermine the existing mandatory framework that Congress has already established within the electric utility grid. By establishing a competing regime--even if that regime was truly voluntary--the Cybersecurity Act the Senate just rejected could duplicate, conflict with, and even supercede the hard work that has already been put in over these past several years to safeguard both our grid and our nuclear facilities.
One of the amendments I had filed to the bill, and I had hoped we would have an opportunity to discuss, was a strong savings clause--a savings clause that would maintain the mandatory protections that are in place. Two competing systems are not workable and could, in fact, make the Nation's grid and nuclear facilities even more vulnerable to cyber attack.
One thing we have learned in the Energy Committee, in overseeing our mandatory cyber practices, is not everything necessarily needs to rise to the level of a foundational standard. But with cyber threats and vulnerabilities that are constantly emerging and constantly changing, I think the one thing we would agree on is that we always need more information.
I think we can also all agree the Federal Government needs to form a partnership with the private sector. The government and the private sector share the same goals--to keep our computer systems and our Nation safe from cyber intrusions. We need the private companies to be talking with each other and with the government about the cyber problems they face as well as potential strategies and the solutions to combat them. We also need our government to provide timely and actionable information to the private sector. It has to go both ways.
So as we go off to our respective States and discuss with our constituents back home the many issues that are out there, I would encourage Members to take a look at what has been introduced by the ranking members--the SECURE IT cyber legislation. Take a look at what has been offered as an alternative. It is a commonsense approach to addressing our ever-increasing cyber threats.
Our bill focuses on four areas where we believe we can reach bipartisan support and which will result in legislation that can get enacted, even given the politics of an election year. The four areas we focus on are information sharing, FISMA reform, criminal penalties, as well as additional research.
Mr. President, I want to close with just some observations quickly about the process. Back in 2005, when the Senate passed the bipartisan Energy Policy Act, it passed by a considerable margin. It was 85 to 12. But we spent a full 2 weeks on the floor considering amendments at that time. We had earlier spent 2 weeks marking up the bill in committee. So what I would like to leave folks with is just the reminder that process really does matter. That is how strong bipartisan pieces of legislation are enacted.
When you forego that process, you don't do that hard work in committee and send an ever-changing bill directly to the floor via rule XIV and then fill the amendment tree, the legislation just doesn't work. It is bound to fail, and that is what we saw today.
A few months ago I came to the floor to advocate for cyber legislation and to express my concern that the all-or-nothing approach to cyber security could result in nothing. After today's vote, that is where we are. That is what we have. I do remain hopeful we can find a path forward on the cyber issue that will result in a truly bipartisan and effective--effective--piece of legislation that will help our Nation's critical infrastructure.
With that, Mr. President, I see my colleague from Louisiana is here, and I yield the floor.
BREAK IN TRANSCRIPT