BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Madam President, I rise to speak about the Cybersecurity Act of 2012, which is numbered S. 3414.
Last night, the majority leader, Senator Reid, filed a cloture motion which would ripen for a vote on tomorrow. Senator Reid said he was saddened to have to file that motion. He also used a word we don't hear much when he said he was ``flummoxed'' by the need to file a cloture motion on bipartisan legislation that responds to what all of the experts in security in our country from the last administration and this one say is a critical threat to our security, which is the lack of defenses in the cyber infrastructure that is owned by the private sector.
Senator Reid was saddened, as I was, that he had to file for cloture because, of course, there can be disagreements about how to respond to this threat to our security and our prosperity. Hundreds of billions of dollars of American ingenuity and money have already been stolen by cyber thieves operating not only from within our country but, more often, from outside. So you can have differences of opinion about how to deal with the problem. But the fact that people started to introduce totally irrelevant amendments, such as the one to repeal ObamaCare--well, that is a debatable issue. We have debated it many times, as the House has, but not on this bill, which we urgently need to pass and send to the House and then go into conference and then, hopefully, pass something and send it to the President.
I was at a briefing with more than a dozen Members of the Senate, representing a wide bipartisan group and ideological group, with leaders of our security agencies--cyber security agencies, including the Department of Defense, Department of Homeland Security, FBI, NSA, and they could not have been clearer about the fact that this cyber threat is not a speculative threat. The fact is we are under attack over cyber space right now. In terms of economics, we have already lost an enormous amount of money. GEN Keith Alexander, Chief of U.S. Cyber Command, described the loss of industrial information and intellectual property, and just plain money, through cyber theft as ``the greatest transfer of wealth in history.'' That is going on.
We are also under cyber attack by enemies who are probing the control systems, the cyber control systems that control not the mom-and-pop businesses at home, not the Internet systems over which so many of us shop these days, but the cyber systems that control the electric supply, that control all of our financial transactions, large and small, that control our transportation system, our telecommunication system--all the things we depend on to sustain our society and our individual lives. That is who we are talking about here.
It is the greatest transfer of wealth in history. But our enemies are already probing those private companies' cyber systems that control that kind of critical infrastructure I have described. There is some reason to believe that because of the vulnerability of those systems and lack of adequate defenses, they have already placed in them malware, bugs--whatever we want to call it. In the old days, we used to call it a sleeper cell of spies and, more recently, in terms of terrorism, a sleeper cell of terrorists.
Let me put it personally, without stating it definitively on the floor. I worry that enemies of the United States have already placed what I call cyber sleeper cells in critical cyber control systems that control critical infrastructure in our country.
Everybody will say that some companies that own critical infrastructure are doing a pretty good job of defending it and us, but some are not. That is one of the reasons this bill has occurred--to try to create a collaborative process where the private sector and the public sector can act together in the national interest.
The businesses themselves that control cyber infrastructure--God forbid there is a major cyber attack on the United States--are going to be enormous losers. They are going to be subject, under the current state of the law, to the kind of liability in court that may bring some of them down. It may end their corporate existence.
BREAK IN TRANSCRIPT
Mr. LIEBERMAN. I thank the Senator from Delaware very much. I think he crystallized the moment we are in.
I mentioned that Senator Reid filed a cloture motion that will ripen tomorrow. Again, he did it in sadness, and I was sad he had to do it. This is an issue on which I had hoped we would overcome gridlock--special interest driven, ideologically driven, politically driven--but we couldn't do it, so the majority leader did exactly what he had to do, in my opinion, in the national security interest.
This does two things. One, as my colleagues know and I repeat just to remind them, we have a 1 p.m. deadline when any Member of the Senate can file a first-degree amendment to this bill. That is important to do. And I want to say that the managers of the bill--Senator Collins' staff, the Republican cloakroom, my staff, the Democratic cloakroom--are going to be working on these amendments to see if we can begin to move toward a finite list so we can give some sense of certainty.
Senator Reid has been very clear. He has not wanted to, to use an idiom of the Senate, fill the tree, which is to say limit amendments. He has wanted to have an open amendment process, which really ought to happen on a bill of this kind, but open for germane and relevant amendments, not amendments on repealing ObamaCare or, I say respectfully, on enacting more gun control. Those are both significant and substantial issues, but they are going to block this bill from passing if people insist on bringing them up here.
So the first and positive consequence of Senator Reid's cloture motion--one we all signed--is to require that amendments people have been talking about filing have to come forward by 1 p.m., and bipartisan staffs will be working to winnow that down to a finite list.
Second, if we don't have an agreement on a finite list and we cannot vitiate the cloture vote for tomorrow, then Members of the Senate--every one, in their own heart and head--will have to make the decision as to whether to vote against taking up this bill while all the nonpolitical experts on our security--GEN Keith Alexander, Director of Cyber Command within the Pentagon, head of the National Security Agency, and one of the jewels and treasures of our government protecting our security, appealed to Senators Reid and McConnell in a letter yesterday stating that this legislation is critically necessary now.
This legislation will give our government and the private sector operators of critical cyber infrastructure powers they do not have now, authorities they do not have now to collaborate, to take action, to share information, to adopt what General Alexander in a wonderful phrase said is the best computer hygiene, the best cyber hygiene to protect our country.
So that is the question facing Members of the Senate in the face of that kind of statement of the urgency of some form of cyber security legislation in this session from the Director of Cyber Command, an honored, distinguished veteran of our uniformed military--U.S. Army in this case.
Are we going to find it hard to get 60 Members of the Senate to vote to take up this bill and debate it? I hope not. For me, it would be hard to explain--I will put it that way--why I would vote against it no matter what the controversy is.
I would say to my friend from Delaware, who has been involved, that I will yield to him if he wants to make a statement, but we have been working really hard with three groups: the group who sponsored S. 3414, the Cybersecurity Act of 2012; the group who sponsored SECURE IT, Senators Hutchison, Chambliss, McCain, et al.; and the third group, the bipartisan group that sprung up because of the urgency of this clear-and-present danger to America, led by Senator Kyl and Senator Whitehouse, who is also on the floor and really has played an important role in bringing the two sides--if I can put it that way--closer together. Frankly, there was a chasm that separated us at the outset. We have changed our bill. We have made it much more voluntary--carrots instead of sticks, as the Senator and I have said. But still there are differences, and I would just say shame on us if we can't bridge those differences on national security, of all topics.
So this is an important day to see if we can come together. Senator Collins and I are ready and willing to meet with the sponsors of the other bills--Senator Kyl, Senator Whitehouse--to see if we can come to some kind of agreement on critical parts of this legislation and to come up with a finite list we can support.
Just a final word. I wish to thank the majority leader, Senator Reid. Senator Reid has a tough job, and it is obviously battered by the political moment we are in, whenever we are in it. And of course this is a particularly political moment--partisan--because of the election season and the campaign we are in. But I have known Harry Reid for quite a while, and I have the greatest confidence and trust in him and an awful lot of affection. He is a personal friend. He got briefed about the cyber security threat more than a year ago, and he called me in and we talked about it. He said he was really worried, that we had to do something in this session of Congress to protect our security, and he has been steadfast in that belief and has refused to give up.
Senator Reid filed the cloture motion to bring this to a head and hopefully to get to that finite list of amendments. And I think he is going to stretch, within the process and time, the great authority and power the majority leader has--some people say it may be the only power these days, but I think he has more because of his skills--in controlling the schedule. I think if there is a hope that we can bring a bill together and pass a cyber security bill, Senator Reid is going to give us every opportunity to do that. So I wanted to put on the record my thanks to him for his own commitment to improving the cyber security of our country because he has listened to the experts and they have convinced him. This is rising to be a greater threat to America than any other threat we face today, and that is saying a lot, but I believe it.
I thank the Chair, and I yield the floor for my friend from Delaware.
BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Again, I thank our friend from Rhode Island for the extraordinarily constructive role he has played--unusual here, unfortunately--in bringing the group of eight Members, four Democrats and four Republicans, together. Senator Whitehouse, along with Senator Kyl of Arizona, created a bridge that really invited Senators Collins, Feinstein, Rockefeller, Carper, and me to come halfway across to change our bill from mandatory to voluntary.
So my answers to the Senator's two questions are yes and yes. We are a lot closer than we were really just a month ago--a matter of weeks ago. There is a remaining difference, and it is real. But considering where we have come from, if we show a willingness to compromise--and again, as I have said over and over, not a compromise of principle--that acknowledges that if everybody in the Senate insists on getting 100 percent of what they want on a bill, nobody is going to get anything because nothing is going to pass. So we have come back from our 100 percent quite a lot, and we are still open to ideas that will enable us to achieve what we need to achieve here in improving our cyber security, which means changing where we are now.
That is why, as my friend from Rhode Island knows, we are going to keep meeting today with the other leading sponsors of the bill and with the peacemakers in between to see if we can find common ground and avoid what I think could be a very disappointing cloture vote--a very divisive, very destructive cloture vote--tomorrow.
The second point is a very important one; that is, the House has acted, but it has only acted with regard to information sharing. This is important, but it is only half the job. The information sharing, in brief, says that private companies that operate critical infrastructure can share with other private companies if they are attacked or as they begin to defend themselves so they mutually can strengthen each other. They can also share with the government, and the government, particularly through the Department of Homeland Security and the National Security Agency, can help the private sector strengthen itself. Those kinds of communications, which are critical and would seem natural, don't happen now in too many cases because the private sector is anxious about liability that it might incur. Even the public sector is limited in how much it can reach out or help. So it is important that the House has addressed that part of it.
I will say--and not just parenthetically--that there has been very significant concern of a lot of Americans and a quite remarkable coalition of groups--remarkable in the sense that it is right to left, along the ideological spectrum--about the personal privacy rights of the American people, that they not be compromised as a result of this information sharing.
Those privacy advocacy groups are not happy with the House information-sharing bill. I am pleased they have praised what we have tried to do as a result of negotiations with colleagues in this Chamber who are concerned about privacy. The point Senator Whitehouse makes is so true, but that is only half the job. Everybody who cares about cyber security has said it.
There was, I must say, an encouraging, inspiring, for us, editorial in the New York Times today, supporting essentially S. 3414, the underlying bill, and crying out to us to take action and not get dragged down into gridlock by special interest thinking. But here is a statistic that jumped out at me. I saw it once before, but we have not heard it in this debate. In a Times editorial today entitled ``Cybersecurity at Risk,'' this sentence: ``Last year, a survey of more than 9,000 executives in more than 130 countries by the PricewaterhouseCoopers consulting firm found that only 13 percent of those polled had taken adequate defensive action against cyberthreats.''
That is worldwide. But I can tell you from what I know, the number in our country is not much better. That is why we need this set of standards, best practices, computer hygiene--no longer mandatory but we create an incentive. It is as if a company chooses to go into what my friend from Rhode Island has quite vividly described as Fort Cyber Security. We are going to build Fort Cyber Security of the best practices to defend cyber security, and we are going to leave it to the companies that operate critical infrastructure totally on their own whether they want to go into Fort Cyber Security. If they do, they will have some significant immunity from liability in the case of a major attack.
My answers to the Senator's questions are yes and yes. I just want to come back to something the Senator said at the outset of his remarks. I never know how much this argument weighs on Senators' minds, but once again it is being made here, which is this bill has received no hearings; it is not ready for action.
Good God. I went back and looked at the Record. I attended my first hearing on cyber security held in what was then the Governmental Affairs Committee--it is now the Homeland Security and Governmental Affairs Committee--chaired then by Senator Fred Thompson in 1998, 14 years ago. I can tell my colleague that in recent years, Senator Collins and I have held 10 hearings on the subject of cyber security. That is only in our committee. That is not counting judiciary, intelligence, commerce--I think foreign relations may have held some hearings on it too. In fact, we held a hearing just earlier this year, I believe it was March, on cyber security and the legislation that we knew we were going to bring forward. This has been heard.
I wish to say this too. I mentioned Senator Reid's commitment to doing something about cyber security. Last year--I am trying to think, but I cannot remember a time on another bill where I saw this happen--Senator Reid asked the Republican leader, Senator McConnell, to join him in calling in the Democratic chairs and the ranking Republican members of all the relevant committees, relevant to cyber security that we just talked about, and made an appeal that we work together to bring one bill which he would then, as he has done before when a subject covers more than one committee, blend into a single bill and bring to the floor under majority leader's authority pursuant to rule XIV of the Senate rules, which he has done today.
So there has not been a specific hearing on this bill, but Lord knows there have been a lot of hearings and this bill has been vetted and negotiated not only with many Members of the Senate but by our committee and all the other committees--by stakeholders, private stakeholders, by some of the very businesses and business organizations that now seem to be the main block to moving forward on the bill.
I probably responded to my friend at greater length than I might have or perhaps more than he expected, but his questions were right on target, and I thank him for giving me the opportunity.
BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Basically, I would say I agree. There is not much I could add to that. This is not legislation that is a solution in search of a problem. This is a real problem. Again, we are hearing it from all the cyber security experts.
If the private sector owners of critical cyber infrastructure--electric power grids, telecommunications, finance, water dams, et cetera--if they were taking enough defensive action, we wouldn't want to act, but they are not. And we understand why. We have talked about this. A lot of the CIOs--chief information officers--in companies get frustrated that their CEOs don't want to devote enough time and resources to beefing up their cyber defenses.
The Senator said something very important, which is cyber theft and cyber attack is so insidious that a lot of people and companies who are victims of cyber attack don't even know it. My great fear is that there is a lot of malware or bugs--I called it cyber cells earlier--planted in some of our critical cyber control systems in our country waiting for the moment when an enemy wants to attack us.
Senator Reid yesterday pointed to the terrible tragedy in India where the power system has gone out. There is no evidence there was a cyber attack, but I saw today that 600 million people are without electricity. It has had a terrible effect on quality of life, on the economy, et cetera. Unfortunately, this is what an enemy who is capable today could do to us, and they are out there.
BREAK IN TRANSCRIPT