BREAK IN TRANSCRIPT
Mr. WHITEHOUSE. Mr. President, I am here this afternoon to speak about the Cybersecurity Act of 2012, the measure that is on the Senate floor right now. This important bill addresses a serious and immediate threat to our Nation's security. I served 4 years on the Intelligence Committee during which I worked hard to understand the cyber security threat. I helped Senator Mikulski and Senator Snowe write the Senate Intelligence Committee Cyber Security Report. I am the chairman of the Judiciary Subcommittee on Crime and Terrorism that has jurisdiction over cyber security. As I have explained before on the floor of the Senate, the cyber threat against our Nation--against our intellectual property, against our privacy, and against our safety--is vast and it is upon us. It is a national security threat. It is a national economic threat. We cannot afford to wait to pass legislation to respond to this threat. The leading national security experts in each party agree: Now is the time to pass comprehensive cyber security legislation.
The Cybersecurity Act of 2012 is a strong, comprehensive bill that will make our Nation safer. It will provide for the sharing of threat information between the government and private sector, and it will provide for the hardening, for the protection of the networks of the private companies that operate America's critical infrastructure--that run our electric grid, that run our financial networks, that run our communications systems and the other infrastructure that is essential to conducting the day-to-day way of life Americans enjoy, that is essential to our national security and to our economic well-being.
The Senate voted to proceed to this bill in a very broad, bipartisan manner--84 votes, as I recall. It has been disappointing in the wake of that that some elements within the business community are failing to cooperate, are failing to, for instance, provide constructive suggestions in areas where they have disagreement with this important legislation. Indeed, some appear intent on just preventing the Senate from passing legislation that would make us all safer.
In some cases these interests are not negotiating to get a bill that protects their interests. They are blockading to stop a bill that will protect all of our interests. To put this blockade into context, consider the views of GEN Keith Alexander, the Director of the National Security Agency and of United States Cyber Command. General Alexander is the most senior and respected cyber security expert in our Nation's military. He runs our two most technically sophisticated and skilled cyber operations. Today he wrote:
The cyber threat facing the Nation is real and demands immediate action. The time to act is now; we simply cannot afford further delay. Moreover, to be most effective in protecting against this threat to our national security, cyber security legislation should address both information sharing and core critical infrastructure hardening.
The Cybersecurity Act addresses both of those issues, information sharing and core critical infrastructure hardening. It does what our military's leading cyber security expert says is necessary to be done to protect the Nation.
That, then, is the view of the leader of our military cyber warriors and cyber defenders based on both deep experience and access to the most deeply classified information held by the U.S. Government.
In contrast, industry arguments against cyber security legislation appear to have been developed with little or no awareness of the threat facing our Nation. Kevin Mandia of the leading security firm Mandiant has explained, for example, that ``in over 90 percent of the cases we have responded to, government notification was required to alert the company that a security breach was underway. In our last 50 incidents, `` he said, ``48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense, or some other third party.''
The FBI's experience was similar. When the FBI-led National Cyber Investigative Joint Task Force informs the corporation it has been hacked, 9 times out of 10, the FBI reports, the corporation had no idea.
In Operation Aurora, the cyber attack which targeted numerous companies, only 3 out of the approximately 300 companies attacked were aware that they had been attacked before they were contacted by the government.
These are not unique incidents. Globally, I have said, General Alexander has said, and others have said that America is right now on the losing end of the largest illicit transfer of wealth in human history through cyber attack and through the theft through cyber attack of our intellectual property. So this is an industrywide problem.
Even the U.S. Chamber of Commerce has been the completely unwitting victim of a long-term and extensive cyber intrusion. Just last year the Wall Street Journal reported that a group of hackers in China breached the computer defenses of the U.S. Chamber, gained access to everything stored on its systems, including information about its 3 million members, and remained on the U.S. Chamber of Commerce's network for at least 6 months and possibly more than a year. The chamber only learned of the break-in when the FBI told the group that servers in China were stealing its information.
Even after the chamber was notified and increased its cyber security, the article stated that the chamber continued to experience suspicious activity, including a ``thermostat at a townhouse the Chamber owns on Capitol Hill ..... communicating with an Internet address in China ..... and ..... a printer used by Chamber executives spontaneously ..... printing pages with Chinese characters.'' These are the people we are supposed to listen to about cyber security.
A recent Bloomberg News article makes it clear that this was not an isolated incident. It describes how hackers linked to China's army have been seen on the networks of a vast array of American businesses. The article describes how what started as assaults on military and defense contractors have widened into a rash of attacks from which no corporate entity is safe. Among other cyber attacks, Bloomberg News reported, the networks of major oil companies have been harvested for seismic maps charting oil reserves--it saves work if you can steal that information rather than find it yourself-- patent law firms have been hacked for their clients' trade secrets--again, free access to valuable information--and investment banks have been hacked into for market analysis that might impact the global ventures of certain state-owned--nation-state-owned, foreign-country-owned operations.
After having been victimized repeatedly by cyber attacks and having learned about them only when the government arrived to help them fix the problem, one would think critical infrastructure operators or their representatives would be keenly aware of the urgent need for cyber security legislation.
One would think they might come to this issue with some sense of humility based on the patent inadequacy of their defenses. One would think that elected officials sworn to the protection of this country might view with some caution and some skepticism claims by folks who are hacked and penetrated virtually at will, usually without even knowing about it, that they can handle this just fine on their own. Yet industry opposition remains, even after the bill has been revised to include a very business-friendly, voluntary, incentive-based approach to hardening up critical infrastructure that we all depend on. Unfortunately, some colleagues can only hear the siren song of the industry lobbyists, even with plain and ominous national security threats staring them in the face.
Some in industry claim that a bill with only information sharing between the government and business would be sufficient and that protection of critical infrastructure is not necessary. This premise is wrong. Statements to the contrary are simply false. Such assertions have been repudiated by the people who lead the charge with our Nation's defense, and who have been confirmed in these roles by the Senate who have repeatedly, and as recently as today, emphasized the need to protect critical infrastructure. These officials include Secretary of Defense Panetta, Director of National Intelligence Clapper, Attorney General Holder, Secretary of Homeland Security Napolitano, and others.
Indeed, it is not just this administration that holds this view. A wide range of national security experts from previous Republican administrations have emphasized the vulnerability of our critical infrastructure, including former Director of National Intelligence and NSA Director ADM Mike McConnell, former Secretary of Homeland Security Michael Chertoff, and former assistant attorney general OLC, and now Harvard Law School professor Jack Goldsmith. These people know what they are talking about, they are not kidding around, and they deserve to be listened to.
Secretary Chertoff has explained that the existing status quo is not generating adequate cyber security for our critical infrastructure. The marketplace, former Homeland Security Secretary Chertoff has explained, is likely to fail in allocating the correct amount of investment to manage risk across the breadth of the networks on which our society relies. One example of this type of market failure is the decision of gas, electric power, and water utility industries to forgo implementation of a powerful new encryption system to shield substations, pipeline compressors, and other key infrastructure from cyber attack because of cost concerns. It should be noted the costs in this case would be approximately $500 per vulnerable device, and they still would not do it.
The unwillingness of industry to adopt necessary security standards is particularly troubling when we consider the scope and scale of the risks associated with a failure of critical infrastructure. The current electricity grid knocked down in India--leaving 600 million people without power--shows how bad things can get when critical infrastructure fails. The cause of this massive failure is not clear, and there is not yet any evidence that it was caused by a cyber attack, but it vividly illustrates the vulnerability of humankind when the critical infrastructure we depend on is knocked down and of the terrible possible consequences of the failure of that critical infrastructure.
The scale of the threat we face, the plain inadequacy of current safeguards in the corporate sector, and the consequences of failure in this area of critical infrastructure all join together to demand passage of comprehensive cyber security legislation. This is a matter of national security. It is our responsibility here in this building to do what we can to make the Nation safer regardless of any parochial interests. Now is the time for us all to come together to get this important job done.
I will conclude by saying we are tantalizingly close to having an agreement. If people will take one last step forward to get that agreement, I think we can do it. If people back away because of the urging of parochial interests, we will fail at this opportunity.
I want to conclude by expressing my congratulations to the chairman of the committee on Homeland Security and his ranking member who have worked hard and who have given an enormous amount. We began with a traditional government-run regulatory procedure, which is one that everybody is familiar with and has lots of checks and balances in it, but it is also a fairly mandatory and top-controlled procedure. As a result of considerable bipartisan discussions, a new model emerged that allows the industry immense independence and control in this area.
The regime it has been moved to is a huge step by the chairman and the ranking member and begins with the rule that originates in the private sector, has it vetted by experts from the private sector, has a national institute for science and technology review as well, ends up with an array of government agencies approving or disapproving that, and whatever standard is ultimately approved by the government council of agencies, the industry companies are free to opt in or opt out. If they think the regulation is unreasonable, they are at liberty to opt out entirely. A comprehensive liability protection structure has been created as an inducement for companies to participate, but it is a strong and powerful check on the standard-setting apparatus that ultimately the industry can choose to opt out if it is unreasonable. An enormous step has been taken by the authors of the current bill toward a compromise. We need a step coming back the other way in order to get this done.
I see my distinguished colleague from Tennessee is here. Let me take one moment as I yield to express my appreciation to Nick Patterson of the Department of Justice who has been on my staff on assignment from the national security division for months and months working on this issue. Today is his last day. I want to thank him for his work on this effort. I want to thank the Department of Justice for loaning him to me and having them lose this valuable member of their national security division to help us develop this legislation. He has been a valuable part of an immensely capable team in my office, led by Stephen Lilley, that has gotten us to at least where I am today on this legislation.
I thank the Presiding Officer, and I thank the Senator from Tennessee for his courtesy.
I yield the floor.
BREAK IN TRANSCRIPT
Mr. WHITEHOUSE. Mr. President, I rise to discuss three amendments to the Cybersecurity Act of 2012 that I am introducing today with Senator Mikulski. This important piece of legislation, which was introduced by Senators LIEBERMAN, COLLINS, FEINSTEIN, ROCKEFELLER, and CARPER, responds to the serious and growing cyber security threat facing our Nation. It will strengthen our national security, our economic well-being, the safety of our families, and our privacy. The three amendments Senator Mikulski and I are introducing today would ensure that the bill also harnesses law enforcement agencies' cyber authorities and capabilities as effectively as possible.
I am very honored that Senator Mikulski is introducing these amendments with me today. She has a long record of continued leadership on law enforcement and national security issues. It has been a privilege to work with her on the challenge of protecting Americans against cyber security threats, first on the Intelligence Committee and more recently in a series of discussion and working groups. As the chairman for the Commerce, Justice, Science, and Related Agencies Subcommittee of the Appropriations Committee, her assessment of the right approach to law enforcement issues in cyberspace draws from a wealth of experience and expertise. I am very grateful to her for her leadership on these issues.
The first amendment we have introduced addresses the scale and structure of law enforcement's cyber resources. Law enforcement agencies have vital roles to play against cyber crime, cyber espionage, and other emerging and growing cyber threats. Congress must ensure that law enforcement agencies are organized and resourced in a manner that allows them to fulfill these important responsibilities. To date, investigatory responsibilities for cyber crime have been assigned within existing agencies, with some held by the FBI and others by the Secret Service or other agencies. Prosecutorial responsibilities have been distributed among the National Security Division, the Computer Crime and Intellectual Property Section, and U.S. attorneys' offices across the country. Law enforcement has had some important successes with this model, such as the FBI's takedown of the Coreflood botnet, but these successes need to be achieved with much greater frequency.
FBI Director Mueller stated that a ``substantial reorientation of the Bureau'' will be necessary to achieve that goal. It is Congress's responsibility to ensure that any reorientation of law enforcement maximizes law enforcement's effectiveness against the cyber threat and uses Federal resources as efficiently as possible. This will require Congress to consider important issues such as whether cyber crime should have a dedicated investigatory agency akin to the DEA or ATF, whether existing task force or strike force models are well suited for addressing the cyber threat, and how cyber resources should be scaled given the future threat.
To address these questions, our amendment would require an expert study of our current cyber law enforcement resources. This study will evaluate the scale and structure of these resources, identifying strengths and weaknesses in the current approach and providing recommendations for the future. This amendment thus will provide Congress a necessary expert assessment to guide our work in the years ahead.
The second amendment we have introduced would ensure that existing and effective cyber law enforcements efforts are not unintentionally disrupted by changes made in title II of the bill, which covers ``Federal Information Security Management and Consolidating Resources.'' This title makes a number of valuable changes and reforms to current law, including the creation of a center within the Department of Homeland Security that will lead efforts to protect Federal Government networks. The creation of this center is an important step forward in protecting Federal networks, but we must ensure that its operations do not disrupt law enforcement relationships and activities that currently are making our country safer. For example, the FBI-led National Cyber Investigative Joint Task Force, NCIJTF, must be allowed to continue its much needed and effective work on cyber law enforcement and intelligence.
Our amendment would clarify that the new center is focused on the protection of Federal networks and that its responsibilities do not extend to law enforcement. Specifically, the amendment would add a savings clause indicating that the title does not pertain to law enforcement or intelligence activities. It also would add definitions that help provide a clearer picture of the new center's role in protecting Federal Government networks and responding to cyber threats, vulnerabilities, or incidents.
The final amendment we are introducing today is to title VI, which covers international cooperation. This title, which incorporates legislation first introduced by Senator Gillibrand and Senator Hatch, will help clarify and strengthen the ability of the Federal Government and particularly the Department of State to develop international cyber security policy. Language in the title, however, could be read to disrupt existing and effective working relationships between American and foreign law enforcement agencies, interfere with the exercise of prosecutorial discretion, and to limit the Department of Justice's accountability to Congress for the law enforcement decisions it makes. Our amendment would ensure that the Department of Justice works collaboratively with the Department of State as it exercises its prosecutorial discretion and that it is accountable to Congress for cyber crime issues for which it is responsible and regarding which it has particular expertise.
I look forward to working with the managers of S. 3414 and any interested colleagues on these important issues. I thank Senator Mikulski for her cosponsorship.
I yield the floor, and I note the absence of a quorum.
BREAK IN TRANSCRIPT