BREAK IN TRANSCRIPT
Mr. LIEBERMAN. I thank my friend from Delaware for the question. This is now a voluntary system and there is a lot to be said about that.
I want to go back to that meeting yesterday. We had a broad bipartisan group of Senators who have been most active, but from different perspectives, on this question of cyber security legislation who met yesterday with the key cyber security officials in our government from the Department of Defense, Department of Homeland Security, FBI, and the National Security Agency.
I am going to explain why we went to the carrots and took out the sticks by saying, in general terms, these experts--not political people, these are pros who deal with cyber defense--were asked by one of the Senators: What will happen if we don't adopt this legislation or something like it this session?
The cyber security professionals said to us: Our Nation will be more vulnerable to cyber attack.
In other words, this legislation contains authority to share information between the government and the private sector, between two private sector companies, that can't be done now. That is critically necessary to improve our defenses. The requirement of standards being promulgated as a result of a--or resulting from a public-private collaborative operation and then offering the carrot of immunity from liability is something that doesn't exist now. All the experts say, though some of the private sector operators of critical cyber security infrastructure--we are talking, again, about the companies that run the electric grid or the telecommunications system or the entire financial system or dams that hold back water; we are not talking about ma-and-pa businesses back home--some of them are doing a pretty good job at defending that cyber infrastructure, but most of them are not doing enough. That is where the government has to come in and push them in that direction.
Why did we change it from mandatory to voluntary, from sticks to carrots? Because we didn't have the votes to adopt the mandatory, which I think is necessary. Because of the urgency of the threat, as I just reflected that we heard yesterday from the professionals in this area, we said--Senator Collins and I, Senator Rockefeller, Senator Feinstein, Senator Carper--OK, we are not going to get 100 percent of what we want around here, and we understand that, so let's settle for 80 percent. Perhaps the other side will feel they got 80 percent. But what is most important is that we will get something done to protect our security.
I must tell my colleagues we are at a point now in this debate, with the kind of never-ending questions about every detail, not withstanding all the compromises Senator Collins, Senator Carper and I have made and the filing of an amendment by Senator McConnell to repeal ObamaCare--we can have a position on ObamaCare, but to put it on this cyber security bill is not fair, not relevant, not constructive.
I think we are coming to a moment where we are going to have to face a tough decision. I have talked to the majority leader about filing for cloture soon so we can draw this to a choice: Do our colleagues want to act to protect our cyber systems in this session or do they not? That is a tough choice, particularly if a Senator votes no, to have to explain, in light of all the evidence of the constant cyber attacks going on now and the cyber thefts of hundreds of billions of dollars from our industries and tens of thousands of jobs lost as a result to foreign countries, if the Senate is going to say, no, we don't want to take that up now. I hope and pray that is not the case.
The way this is moving right now, this last week of the session before we break, I am afraid we are headed in the wrong direction, and we don't see the kind of willingness to compromise that ought to be there. We are tested again in this Chamber: Are we going to fix national problems? It is hard to do on some of the fiscal issues we have turned away from, but on this one, traditionally, when it came to our national security, we have put the special interests aside and together dealt with the national security interests. I fear at this moment, in response to my friend from Delaware, that is not the direction in which we are going. I hope I am wrong. I am, by nature, an optimist, but right now I am a pessimist.
I yield the floor.
BREAK IN TRANSCRIPT
Mr. LIEBERMAN. Mr. President, I rise to continue the discussion on the cyber security legislation, and particularly S. 3414, the pending business before the Senate, which is the Cybersecurity Act of 2012, the bipartisan piece of legislation to deal with an urgent national crisis.
I want first, again, to speak to our colleagues about the seriousness of the threat. I think sometimes that because most people haven't experienced the consequences of a cyber attack--and most are not aware of the constant cyber theft going on with moving money from bank accounts and stealing industrial secrets--frankly, a lot of the businesses that are victims of the theft don't want to acknowledge them or announce them for fear of exposing their own lack of adequate cyber defenses, but also a kind of general embarrassment. Yet we now know as a public matter--whether it has sunk into the consciousness among most of the American people--that some great companies that are very tech savvy, cyber savvy, have been the victims of cyber attacks.
Sony, RSA, Google, and others have come momentarily to public attention, but I think what this has meant has been unclear to people. It may, in fact, be unclear to many of the leaders of the private corporations that control so much of our critical cyber infrastructure.
In America, 80 to 85 percent of the critical infrastructure is privately owned. That is the American way. That is the way it ought to be. But it means when the private sector owns critical infrastructure which can, and will be, a target of hostile action, enemy attack in this new world of ours, then we have to create a partnership with the private owners of this critical infrastructure to raise our defenses because it is not just their businesses they are defending, it is the security of the United States.
A chief information officer at one of the businesses that owns part of our critical infrastructure said to me at one point that it is hard to get the attention of the CEO on this problem. The CEO is balancing a lot of considerations, looking at annual budgets and quarterly profits. For the average CEO, the threat of cyber attack is distant. For the average chief information officer, it is not so distant.
As the majority leader pointed out earlier, I think it may help to look at something very difficult to look at, which is what is happening in India today where the power system has collapsed for hundreds of millions of people. That is a breakdown, as far as we know--and I believe that is what is the fact--that is a breakdown in parts of the electric grid.
Let me give another example. Last year, in Connecticut, we had a very serious early winter storm where there were still a lot of leaves on the trees; the branches were heavy. A lot of trees fell and took out a lot of power lines in our State. A lot of people were without power for days and days and days. Public buildings were used as shelters for the homeless. Elderly people, particularly, were affected with food spoiling in the refrigerators, the lack of lights in their dwelling, et cetera.
Just imagine for a moment if that was not the result of a weather event but of a cyber attack. Cyber systems are controlling the electric power grid, and I believe they are vulnerable. I think the same of a lot of the other cyber systems that control critical infrastructure in our financial system. The computer systems we depend on for the movement of money from one account to the other, the direct deposits we do, the money in our accounts, the billions of dollars that move between financial institutions every day--what would happen to our country if those systems were knocked out or what would happen if Wall Street and the stock exchanges were knocked out?
Again, as I said earlier today, think about the real nightmare situation, which is that a dam controlled by a cyber system is penetrated by an enemy who opens the dam and unleashes water, and torrents of water knock out communities in the path of that water and kill a lot of people. That is all, unfortunately, the age that we live in and the vulnerability we have.
There was a story in the Washington Post--I believe I talked about it before in this debate, but I will repeat it--about a young man on the other side of the world sitting at his computer at home. He was nothing special, but he was smart and computer savvy. He broke into the computer-controlled system--the cyber system controlling a small water utility in Texas. He had the ability to disrupt the functioning of that entire utility. He didn't do it, thank God. He posted online what he had done--a warning at least, perhaps a bit of bragging that he was able to do it. But think about an enemy who had hostile intent against the United States who would launch similar attacks against several small utilities around the country--or large utilities, for that matter.
Mr. President, last week, the people who are the real experts on cyber space gathered in Las Vegas at the annual--and this is an interesting title--Black Hat Computer Security Conference. They issued yet more warnings.
The conference opened with a very strong warning from Shawn Henry who, until recently, was the Assistant Director of the FBI in charge of the FBI's considerable cyber program. Some people call Shawn Henry the Nation's top cyber cop. He said this at the Black Hat Conference:
The adversary knows that if you want to harm civilized society--take their water away, do away with their electricity. There are terrorist groups that are online now calling for the use of cyber as a weapon.
He went on:
People will not truly get this until they see the real implications of a cyber attack. For example, people knew about Osama bin Laden prior to 9/11, but that awareness had risen by several orders of magnitude after the attacks.
Mr. Henry, former director of cyber programs at the FBI, concluded:
I believe something like that will have to happen in the cyber world before people truly get it.
Obviously, we all hope and pray not, but at this moment in this debate, in the Senate's consideration of the Cybersecurity Act, there are a lot of inflexible positions that are being taken. People are not willing to come together across ideological and political divides to deal with a problem and a threat that faces us all. I fear that Mr. Henry may well have been right.
Mr. President, I urge my colleagues, don't run the risk that it will take a cyber 9/11 to bring us rushing back here to adopt cyber security legislation. It doesn't take much to imagine what will happen if we are the victims of a major cyber attack. Minor cyber attacks are happening every day. Major cyber thefts occur regularly in America every day. Let's heed the warning and come together over special interests to meet a national security interest and challenge.
I yield the floor and suggest the absence of a quorum.
BREAK IN TRANSCRIPT