National Defense Authorization Act for Fiscal Year 2016
Floor Speech
Mr. McCAIN. Madam President, I want to say a few words about the Burr
amendment, No. 1921, which has now been made pending. I am thankful for
the leadership of Chairman Burr and Vice Chairman Feinstein.
The language of this amendment, of which I am an original cosponsor,
was overwhelmingly approved by a 14-to-1 vote in the Senate Select
Committee on Intelligence in March.
Implementing legislation to address a long list of cyber threats that
have become all too common is among my highest priorities. Earlier this
month, it was the Office of Personnel Management and the Army. A few
weeks before that, it was the Pentagon network, the White House, and
the State Department. Before that, it was Anthem and Sony. That is just
to name a few.
I am pleased we are able to consider this amendment on the National
Defense Authorization Act. This voluntary information sharing is
critical to addressing these threats and ensuring that mechanisms are
in place to identify those responsible for costly and crippling cyber
attacks and ultimately deterring future attacks.
Our current defenses are inadequate, and our overall cyber strategy
has failed to deter cyber adversaries from continued attacks of
intellectual property theft and cyber espionage against the U.S.
Government and American companies. This failure to develop a meaningful
cyber deterrent strategy has increased the resolve of our adversaries
and will continue to do so at a growing risk to our national security
until we demonstrate that the consequences of exploiting the United
States through cyber greatly outweigh any perceived benefit.
This amendment is a crucial piece of that overall deterrent strategy,
and it is long past time that Congress move forward on information-
sharing legislation. This legislation--again, 14 to 1 from the Select
Committee on Intelligence--complements a number of critical cyber
provisions which are already in the bill which will ensure that the
Department of Defense has the capabilities it needs to deter
aggression, defend our national security interests, and, when called
upon, defeat our adversaries in cyber space.
The bill authorizes the Secretary of Defense to develop, prepare,
coordinate, and, when authorized by the President, conduct a military
cyber operation in response to malicious cyber activity carried out
against the United States or a U.S. person by a foreign power.
The bill includes a provision requiring the Secretary of Defense to
conduct biennial exercises on responding to cyber attacks against
critical infrastructure. It limits $10 million in funds available to
the Department of Defense to provide support services to the Executive
Office of the President until the President submits the integrated
policy to deter adversaries in cyber space, which was required by the
National Defense Authorization Act for Fiscal Year 2014.
It authorizes $200 million for a directed evaluation by the Secretary
of Defense of the cyber vulnerabilities of every major DOD weapons
system by not later than December 31, 2019.
It requires an independent panel on DOD war games to assess the
ability of the national mission forces of the U.S. Cyber Command to
reliably prevent or block large-scale attacks on the United States by
foreign powers with capabilities comparable to those expected of China,
Iran, North Korea, and Russia in years 2020 and 2025.
It establishes a $75 million cyber operations procurement fund for
the commander of U.S. Cyber Command to exercise limited acquisition
authorities.
It directs the Secretary of Defense to designate Department of
Defense entities to be responsible for the acquisition of critical
cyber capabilities.
The cyber security bill was passed through the Select Committee on
Intelligence because that is clearly, in many respects, among the
responsibilities of the Select Committee on Intelligence. But I think
it is obvious to anyone that the Department of Defense is a major
player. I just outlined a number of the provisions of the bill which
are directly overseen and related to the Department of Defense.
So my friends on the other side of the aisle seem to be all torqued-
up about the fact that this cyber bill should be divorced from the
Department of Defense. I know that my colleagues on the other side of
the aisle are very aware that just in the last few days, 4 million
Americans--4 million Americans--had their privacy compromised by a
cyber attack. The Chairman of the Joint Chiefs of Staff has stated that
we are ahead in every aspect of a potential adversary except for one,
and that is cyber. There are great threats that are now literally to
America's supremacy in space and to many other aspects of technology
that have been developed throughout the world and are now part of our
daily lives.
So I am not quite sure why my friends on the other side of the aisle
should take such exception to legislation that addresses our national
security and the threats to it, which literally every expert in America
has agreed is a major threat to our ability to defend the Nation.
So I think there are colleagues who are not on the Intelligence
Committee and are not familiar with the provisions of this bill. It
clearly is not only Department of Defense-related, but it is Department
of Defense-centric, with funds available to DOD to provide services to
the Executive Office of the President, $200 million, cyber
vulnerabilities of major DOD weapons system, an independent panel on
DOD war games, and on and on. It is Department of Defense-related, and
it is the whole purpose of the Defense authorization bill, which is to
defend the Nation. To leave cyber security out of that--yes, there are
some provisions in the underlying bill, but this hones and refines the
requirements that we are badly in need of and gives the President of
the United States and Secretary of Defense tools to try to limit the
damage that is occurring as we speak.
I want to repeat--and to my colleague from Indiana who is a member of
that committee, I would ask him--4 million Americans recently were
compromised by cyber attack.
BREAK IN TRANSCRIPT
Mr. McCAIN. And isn't it true, I would ask my colleague from Indiana,
that the Chairman of the Joint Chiefs of Staff recently stated that in
the potential of our adversaries to threaten our security, we have a
definite superiority in all areas except for one, which is in the issue
of cyber security; is that correct?
BREAK IN TRANSCRIPT
Mr. McCAIN. Could I ask my colleague again: The 4 million people
whose privacy was just breached--4 million Americans--what potential
damage is that to those individual Americans?
BREAK IN TRANSCRIPT
Mr. McCAIN. So it seems to me that to those 4 million Americans, we
owe them and it is our responsibility--in fact, our urgent
responsibility--to try to prevent that same kind of breach from being
perpetrated on 4 million or 8 million or 10 million more Americans. If
they are capable of doing it once to 4 million Americans, what is to
keep them from doing the same thing to millions of Americans more, if
we sit here idly by and do nothing on the grounds that the objection is
that it is not part of the Department of Defense
bill, which seems to me almost ludicrous?
BREAK IN TRANSCRIPT
Source