BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Mr. President, as the Senate now turns its attention to the pending legislation that aims to enhance our Nation's cyber defenses, I would like to take a few moments to review where we are because I think the bill we now have on the floor brings us closer than ever to an agreement on a way to better defend our country, our prosperity, and our security against what is emerging as the most significant threat we face today, bigger than a conventional attack by a foreign enemy, bigger even than Islamist terrorism, a threat that is very different from anything we have faced before and so probably hard for most Americans to conceptualize but, trust me, it is here. That is why it is so important. We have come closer than ever to an agreement, but we are not there yet.
I have come to the floor to say to my colleagues that those of us who sponsor the pending legislation--Senators Feinstein, Rockefeller, Collins, and I--are eager to continue to work with our colleagues toward a broad bipartisan solution to this urgent national security threat--crisis. Obviously, to do that we have to begin processing amendments, and they have to be what the majority leader has said: germane or relevant. The majority leader has said we will have an open amendment process, and I thank him for that. No filling of the tree here. But the amendments have to be germane or relevant. We are dealing with a national security crisis unlike any we have faced before.
A broad bipartisan group of us met with the leaders of our cyber defense agencies yesterday--not political people, not partisan people--and they urgently appealed to us to pass this legislation in this session of Congress. It gives them authority to protect us that they don't have now. Frankly, they worry that without that authority to share information with the private sector, for the private sector to share cyber threat information with each other without fear of liability, for the government to have the ability to create some standards for the private owners of cyber space and then give them the voluntary option to abide by those standards--that all of those add-ons, all of those realities that will be created by passage of this bill are desperately needed now. The fact is they were needed yesterday. They were needed last year.
That is why I am so disheartened to hear this morning that our friends in the Republican caucus are talking about introducing an amendment to this bill that will repeal ObamaCare, as they call it. There is a day for that, but it is not this week on this bill. Frankly, I feel the same way about some of the gun control amendments that have been submitted by members of the Democratic caucus. Those amendments deserve debate at some point but not this week on this bill.
We can get this bill done and protect our security. Nobody believes that we are going to repeal ObamaCare this week or that we are going to adopt gun control legislation. Those are making a statement. They are sending a political message. And they will get in the way of us protecting our national security.
So I appeal to my colleagues on both sides, pull back these irrelevant amendments. Let's have a full and open debate on cyber security, and let's get it done this week. There are already more than 70 amendments filed that are germane or relevant.
The PRESIDING OFFICER. The time for the majority has expired.
Mr. LIEBERMAN. I ask my friend from Kansas if I could have 2 more minutes.
The PRESIDING OFFICER. Is there objection? Without objection, it is so ordered.
Mr. LIEBERMAN. I thank the Senator from Kansas.
There are already 70 amendments filed, so we don't have time to sit here staring at each other while we could be working through them. The truth is that we have a number of amendments on which we are ready to take votes, but of course we need cooperation from both sides in order to nail down that agreement with the consent that is required.
Before I yield the floor, I wish to underscore that while there are important issues we still need to work through this week, the reality is that because Senators on all sides have been willing to compromise, we have a golden opportunity to prove we can work together when it counts the most, which is in defense of our security and prosperity. Leading sponsors of the pending bill, leading sponsors of the leading opposition bill, SECURE IT, and leaders of the peacemakers in between led by Senators Kyl and Whitehouse have been meeting for the last week and making progress. And I would say that what was once a wide chasm separating us is now a narrow ridge, which we can bridge--and I firmly believe we will--with good faith on all sides, in a willingness to compromise. You can rarely get 100 percent of what you want in a democratic--small ``d''--legislature such as ours, but if each side can get 75 or 80 percent and we can begin to fix a problem and close the vulnerabilities that exist in our cyber infrastructure this week, we will have done exactly what the American people want us to do. That is my appeal to my colleagues.
Mr. President, I thank the Chair, and I yield the floor.
BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Mr. President, I know under the order this hour is reserved for Members of the Republican caucus, and although I am an Independent, I don't qualify exactly under the terms of the agreement to speak now. But seeing no Member of the Republican caucus on the floor, I thought I would take the opportunity to continue to speak about the pending item, S. 3414, the Cybersecurity Act of 2012, and if any of my colleagues arrive, I will yield to them immediately.
Before I yielded to Senator Roberts a short while ago, I made a statement that the two sides, if I can put it that way; that is, the sponsors of the pending legislation, Senators COLLINS, FEINSTEIN, ROCKEFELLER, and myself, and the sponsors of essentially the alternate approach, SECURE IT, sponsored by Senators MCCAIN, CHAMBLISS, HUTCHISON, and others--have been meeting. We have particularly been assisted by the bridge builders here--blessed are the peacemakers--Senators KYL, WHITEHOUSE, and others, and we have been making progress. I said what was once a chasm separating us is now a narrow ridge that we are close to bridging. Let me explain what I mean by that.
The sponsors of S. 3414, the pending legislation, strongly believe that owners of critical cyber infrastructure--and this is a unique aspect of our free society, thank God; 80 to 85 percent of the critical infrastructure in our country is privately owned, including cyber infrastructure. That is the way it ought to be. But it means when critical cyber infrastructure in a new world becomes a target of cyber attack and cyber theft, that we--the rest of us Americans--represented by the government, have to enter into a partnership with the private sector owners of critical cyber infrastructure so they will take steps to protect the cyber space that they own and operate because, if they don't, the whole country is in jeopardy. If an electric grid is knocked out, the kind of awful experiences we have all had at different times when the power grid has been out in our area of the country will be felt perhaps for weeks and weeks.
Think about it. What if the financial cyber system, Wall Street, the hub of the systems that handle millions--trillions, really--of transactions over and over again, were knocked out? It would have a devastating effect on our economy, let alone the most nightmarish, which is that some enemy breaks into the cyber-control system of a dam holding back water and opens the dam and floods surrounding communities with a terrible loss of life. We could go on and on with the nightmare scenarios, but they are out there, and we are vulnerable to them.
So the sponsors of S. 3414 have felt that private sector owners of critical infrastructure should be mandated--that is only the owners of the most critical infrastructure--to adopt the standards that would be set under our legislation to protect their systems and our country. Sponsors of the SECURE IT Act started this debate firmly convinced that the only thing we need to do is to enhance our cyber security information-sharing between private sector operators and between the government and the private sector. We have a section in our bill that does exactly that, but we feel that is not enough. We feel there also needs to be these standards set for the private operators of the electric grid, of the transportation system, of the financial system, et cetera. If both sides had just stuck to their guns, no legislation would be possible. But when it comes to cyber security, no legislation, which is to say the status quo, is not only unacceptable, it is dangerous. Some of our real--really most of our national security leaders in this country from the last two administrations, the George W. Bush administration and the Barack Obama administration--have warned, as if in a single voice, that we are already facing the equivalent of a digital Pearl Harbor or a 9/11 if we don't shore up and defend our exposed cyber flanks. The same is true of the impact of our vulnerability in cyber space to cyber theft.
GEN Keith Alexander, the head of the Defense Department Cyber Command and the National Security Agency, made a speech a week or two ago in which he estimated that more than $1 trillion has been stolen over cyber space from America. He called it the largest transfer of wealth in history. That results from moving money out of bank accounts that a lot of us never hear about because the banks believe it would be embarrassing if we knew, the theft of industrial secrets to other countries that then builds from those industrial secrets and creates the jobs in their countries that our companies wanted to create here. So there is a unified position among national security leaders, apart from which administration they served under, that we need this legislation, and we need it urgently.
Several of us met with the leaders of the cyber security agencies of this administration yesterday. These are not political people; these are professionals from the Department of Homeland Security, the Department of Defense, the FBI, and others. They warned us again that the cyber systems that are privately owned and that are critical to our Nation's security remain terribly vulnerable to attack. They said to us, and I am paraphrasing, that we need this legislation to respond urgently and effectively to an attack on infrastructure as critical as the electric grid or Wall Street itself.
One of the leaders in our government, uniformed leaders, said to him today is a little bit like 1993 when it comes to cyber security; when, as we will remember, al-Qaida launched a precursor attack on the Twin Towers in New York with a truck bomb that blew up in the parking garage. We all know there was a loss of life then, but the damage was relatively small. But al-Qaida persisted and, of course, on 9/11 succeeded in bringing down the two towers of the World Trade Center. This leader of cyber security efforts in our government said our adversaries in cyber space are just about where al-Qaida was in 1993 when they blew up that truck bomb in the parking garage of the World Trade Center.
What I was impressed with yesterday, I will say parenthetically, is though there is some controversy out here about who is capable of what in our Federal Government--and let me speak frankly. Some people don't have much respect for the Department of Homeland Security. I don't understand why because they do a great job, in my opinion, in so many different areas, including the one that is relevant here, cyber security. But it was clear that the Department of Homeland Security, the Department of Defense, and the FBI are working as a team--really, like a seamless team--24/7, 365 days a year to leverage each other's capabilities to provide for the common defense. They all agreed yesterday we need to pass this legislation to give them the tools they urgently need, that they don't have without this legislation, to work with one another and the private sector.
I wish to again give thanks to Senators Kyl and Whitehouse, joined by Senators Mikulski, Blunt, Coons, Graham, Coats, and Blumenthal, who have come together with a compromise proposal after a series of good-faith negotiations and, as a result, Senators Collins, Rockefeller, Feinstein, and I have made major and difficult compromises in our original bill in order to move the legislation forward, to get something started, to protect our cyber security.
I think we now have a broad agreement on a bill containing those same cyber security standards that were in our original bill that resulted from a collaborative public-private sector process and negotiation. But now, instead of mandating them, we are going to create incentives for the private sector to opt into them. We are going to use carrots instead of sticks. We have added some compromises also from the original legislation to guarantee Members of the Senate and millions of people out in the country that when we act to share information from the private sector to the government, we are going to have due regard for the privacy of people's data in cyber space--personal information--without compromising our national security at all.
There are advocates on both sides of both the information-sharing provision and the critical cyber-standards provision that think we have gone too far, and some think we haven't gone far enough. But while advocates on the outside of the Senate can hold fast to their particular positions, legislators on the inside of the Senate need to take all of these deeply held views into account. Ultimately, our responsibility is to get something done to protect our security--it is our responsibility to pass a law--and we have done that here.
I wish to first review some of the broad areas of agreement and then outline the differences that remain because I want my colleagues to understand how much progress has already been made. Sometimes the news stresses the differences between us.
Let me start with title I of the bill, which is the one on critical infrastructure. I think there is a growing, broad agreement now that the private sector owners of critical infrastructure should work with the government to develop what somebody yesterday called the best cyber hygiene or standards of defense that are needed to safeguard their facilities and the rest of us.
In the original bill we had the Department of Homeland Security playing the singular role for the government. We broaden that now in response to, particularly, recommendations from the Kyl-Whitehouse group, and we have created a new interagency council we call the national cyber security council, which will consist of the Department of Homeland Security, the Department of Defense, the Department of Commerce, the FBI, and the Director of National Intelligence, as well as relevant primary regulators when that sector of cyber structure is put forth in the council.
What do I mean by that? If they are dealing with the cyber security of the financial sector of our government, then on those standards we would expect the Securities and Exchange Commission and the Treasury Department, for instance, among others, to be seated at the table to come up with an agreement on those standards.
We have also agreed that adoption of these practices will be voluntary and that there will be no duplication of existing regulations or any new regulatory authorities that will be added to law.
We have also agreed that incentives need to be created--the carrots I spoke about, such as liability protection--to entice private sector owners to adopt these practices once they have been developed--totally voluntary. But I think if we build this right, they will come. Although it is not mandatory, we will set a standard, and private sector operators of critical infrastructure will want to meet that standard because they will want to act in the national interests to protect their customers, but also because when they do they will receive very valuable immunity from liability in the event of an attack or a theft.
Look, I decided that we needed to make the system voluntary in order to get something passed this year. I think it has a good chance of working as a voluntary system. But if it doesn't, and the cyber threat grows as much as I think it will, then some future Congress is going to come along and make it mandatory.
So there will be an incentive on both the public and private sector--particularly the private sector--to make this voluntary system work. God forbid between now and then there is a major cyber attack against our country; Congress will come flying back and adopt mandatory regulations. That is not what we want to happen. This is the time for rational, thoughtful discussion and legislation that will begin a process that will go on for years because the cyber threat is not going away.
So that is title I. That is the compromise we offered on title I, which deals with cyber infrastructure. I go now to title VII. In between there are some very good titles, titles II through VI, but the good news is--maybe I should stress this--there seems to be broad bipartisan agreement on those titles.
Title VII is the one on information sharing, and there is some disagreement on that. But we have come to agree that private sector companies must be able to share cyber-threat information with the government and each other, with protections against liability that will incentivize--really allow--that sharing; that this sharing must be instantaneous.
In other words, to protect--to respond to concerns about private data being shared when a private sector operator of cyber security shares information with the government, we are requiring in this bill, the pending legislation, that the first point of contact for cyber sharing and reporting cyber attack is with a civilian agency--not a military or law enforcement agency or an intelligence agency but a civilian agency, such as the Department of Homeland Security or some other approved civilian exchange.
Some people have worried that if we did that, it would delay the referral of that information to the law enforcement and intelligence and military parts of our government, almost as if when the information of a cyber attack is sent to the Department of Homeland Security, somebody is going to have to go find the Secretary of Homeland Security to make sure she sees it before it goes to the Department of Defense, FBI. The world we are in is very different from that. It has been explained to me and others who met with, particularly, General Alexander, the head of Cyber Command at the Department of Defense that everything travels instantaneously, at cyber speed. That means that according to preset programs, cyber attack, if this bill is passed, will automatically--notification of it--go to the Department of Homeland Security or a civilian exchange, and at the same instant it will go to the Department of Defense, the FBI, and the intelligence community.
But when it first goes to the civilian exchange, there will be software in there to screen out--to prevent the possibility that any personal data--e-mails, private financial information--will not be sent to the law enforcement and defense branches of our government. That is another reason sharing will have to be instantaneous--that existing information-sharing relationships will continue undisturbed; that is, for instance, between the defense contractor and the Defense Department, and that there should be no stovepipes among government agencies. Agencies that need information should have access the instant it is provided to the government.
I know some colleagues want more assurance that while a lead civilian agency will serve as the hub for immediate distribution of cyber-threat information, it will do so without slowing down DOD's and NSA's abilities to access and act on that information. I have just told my colleagues that would be the case. Others want to add further privacy protections. I do want to say in this regard that we have already significantly strengthened the privacy protections, thanks to a lot of good negotiation with a group of Senators--Senators Franken, Durbin, Coons, Wyden, and others--and a broad range of privacy and civil liberties groups ranging, really quite remarkably, from the left to right and in between, who seem generally pleased with what we have done to protect privacy under our legislation.
Here is the good news: The people in charge of cyber security in our government say the privacy protections we have added in the underlying bill to the information-sharing section of this bill will not stop them for a millisecond from receiving the information they need and protecting our national security. So, to me, this is the Senate at its best.
We are not there. My dream--because this is--we are legislating here. We are not in the midst of some traditional sort of government regulation controversy. We are legislating actually in the midst of a war because we are already being attacked every day over cyber space. We have been lucky that it hasn't been a major attack that has actually knocked out part of our cyber infrastructure, but that vulnerability is there.
A few months ago there was a story in the Washington Post about a young man in a country far away that launched an attack against a small utility--I believe it was a water company--in Texas.
He got into their system and actually had the ability to totally disrupt the water supply in that area of Texas. What the hacker did instead--and he just had a computer and was smart--what he did instead was post proof that he had broken into the industrial control system in that small utility in Texas just to show the vulnerability. In a sense, he might have been bragging he could do it, but it also was a warning to us. What if the next time that happens it is a larger utility or a group of smaller utilities around the country--maybe water, maybe electricity, maybe gas--and this time they are not just warning us or showing us our vulnerability, but they are actually going to disrupt the flow of electricity or water to people who depend on that? That is the kind of crisis we face and why it is so urgent that we deal with this.
So let me come back to my dream. My goal here is that as we go on this week, we are able to submit a managers' amendment, but it is not just from the managers--Senators Collins, Rockefeller, Feinstein, and me--that we are joined by a much broader group and we form a broad bipartisan consensus to protect our country from a terrible danger that is real, urgent, and growing.
I always like to think back at these moments--and I was thinking about it again in this case, and since I do not see anybody else on the floor, I will indulge myself and go back--to a hot July day in Philadelphia, over 225 years ago, when the U.S. Senate was created as part of the--I am glad to say, proud to say--Connecticut Compromise offered to the Constitutional Convention by two of Connecticut's delegates to that convention, Roger Sherman and Oliver Ellsworth. It passed by just a single vote, but it helped keep the convention together and to enable our new government, including our Congress, to take shape because the Connecticut Compromise guaranteed the small States that their interests would be protected--small-population States--in the Senate because every State, no matter how big or small its population, would have two Senators, and it guaranteed the larger States that they would have a greater say in the House of Representatives, whose membership would be reflected, as it still is today, by population. Not everyone got everything they wanted that day, but they found a common ground that allowed them to go forward and finish writing our Constitution. That is the kind of position we are in today.
Shortly after the Connecticut Compromise was adopted at the Constitutional Convention, James Madison, as you know, Mr. President, often referred to as the father of the Constitution, wrote--and I am paraphrasing a little bit here--``the nature of the senatorial trust'' would allow it to proceed with ``coolness'' and ``wisdom.'' I think these negotiations on the Cybersecurity Act of 2012 show thus far that we have the ability to put ideological rigidity, partisanship, and politics aside when our security is at risk and move beyond gridlock and fulfill our Founders' vision of what this body can do when it comes to debating the great challenges of our time, with ``coolness'' and ``wisdom,'' as Madison said.
So over the next couple of days, let's debate all the relevant and germane amendments. Let's start voting as soon as we can on them. But then, for the good of the country, let's each compromise some, acknowledging that none of us can get everything we want and we cannot afford to insist on everything we want because if we do, nothing will happen and our country will remain vulnerable to cyber attack until the next opportunity Congress has--which I would guess will be sometime as next year goes on--to deal with this challenge. We cannot wait. We simply cannot wait. I know we can do this. I urge my colleagues, therefore, to come to the floor. I urge the leaders of both parties to agree that the amendments submitted should be germane and relevant and that we can and will finish our work on this legislation this week.
I thank the Presiding Officer.
I yield the floor and suggest the absence of a quorum.
BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Very briefly, Mr. President, I have just received a copy of a letter that has been sent this morning to the majority leader, Senator Reid, and the Republican leader, Senator McConnell, from GEN Keith Alexander of the United States Army, Director of the National Security Agency and Chief of Cyber Command at the Department of Defense. He is a distinguished and honored leader of our military, one of the people who has the greatest single responsibility for protecting our security, both in terms of the extraordinary capabilities the National Security Agency has but now increasingly for the defense of our cyber system.
This is a career military officer, not a politician. He is somebody who has a mission, and it is from that sense of responsibility that General Alexander has written to Senator Reid and Senator McConnell. He writes--and I will ask to have it printed in the RECORD--to express his ``strong support for passage of a comprehensive bipartisan cyber security bill by the Senate this week.'' Why? I continue to quote:
The cyber threat facing the Nation is real and demands immediate action. The time to act is now; we simply cannot afford further delay.
Moreover, to be most effective in protecting against this threat to our national security, cyber security legislation should address both information sharing and core critical infrastructure hardening.
Then he explains both of those in very compelling language. He also says:
Finally, any legislation needs to recognize that cyber security is a team sport. No single public or private entity has all of the required authorities, resources, and capabilities. Within the federal government, the Department of Defense and the Intelligence Community are now closely partnered with the Department of Homeland Security and the Federal Bureau of Investigation. The benefits of this partnership are perhaps best evidenced by the Managed Security Service (MSS) program, which affords protection to certain government components and defense companies. The legislation will help enable us to make these same protections available widely to the private sector.
I cannot thank General Alexander enough. He ends by saying this:
The President and the Congress have rightly made cyber security a national priority. We need to move forward on comprehensive legislation now.
He urged Senators REID and McConnell ``to work together to get it passed.''
I ask unanimous consent that this very compelling letter from GEN Keith Alexander be printed in the Record.
There being no objection, the material was ordered to be printed in the RECORD, as follows:
NATIONAL SECURITY AGENCY,
CENTRAL SECURITY SERVICE,
Fort George G. Meade, MD.
Hon. HARRY REID,
Majority Leader, U.S. Senate, The Capitol, Washington, DC.
DEAR SENATOR REID: I am writing to express my strong support for passage of a comprehensive bipartisan cyber security bill by the Senate this week. The cyber threat facing the Nation is real and demands immediate action. The time to act is now; we simply cannot afford further delay. Moreover, to be most effective in protecting against this threat to our national security, cyber security legislation should address both information sharing and core critical infrastructure hardening.
Both the government and the private sector have unique insights into the cyber threat facing our Nation today. Sharing these insights will enhance our mutual understanding of the threat and enable the operational collaboration that is needed to identify cyber threat indicators and mitigate them. It is important that any legislation establish a clear framework for such sharing, with robust safeguards for the privacy and civil liberties of our citizens. The American people must have confidence that threat information is being shared appropriately and in the most transparent way possible. This is why I support information to be shared through a civilian entity, with real-time, rule-based sharing of cyber security threat indicators with all relevant federal partners.
Information sharing alone, however, is insufficient to address the vulnerabilities to the Nation's core critical infrastructure. Comprehensive cyber security legislation also needs to ensure that this infrastructure is sufficiently hardened and resilient, as it is the storehouse of much of our economic prosperity. And, our national security depends on it. We face sophisticated, well-resourced adversaries who understand this. Key to addressing this peril is the adoption of minimum security requirements to harden these networks, dissuading adversaries and making it more difficult for them to conduct a successful cyber penetration. It is important that these requirements be collaboratively developed with industry and not be too burdensome. While I believe this can be done, I also believe that industry will require some form of incentives to make this happen.
Finally, any legislation needs to recognize that cyber security is a team sport. No single public or private entity has all of the required authorities, resources, and capabilities. Within the federal government, the Department of Defense and the Intelligence Community are now closely partnered with the Department of Homeland Security and the Federal Bureau of Investigation. The benefits of this partnership are perhaps best evidenced by the Managed Security Service (MSS) program, which affords protections to certain government components and defense companies. The legislation will help enable us to make these same protections available widely to the private sector.
The President and the Congress have rightly made cyber security a national priority. We need to move forward on comprehensive legislation now. I urge you to work together to get it passed.
KEITH B. ALEXANDER,
General, U.S. Army,
Mr. LIEBERMAN. Mr. President, I yield the floor.