[Congressional Record: February 17, 2011 (Senate)]
[Page S909-S912]


      By Mr. LIEBERMAN (for himself, Ms. Collins, and Mr. Carper):
  S. 413. A bill to amend the Homeland Security Act of 2002 and other 
laws to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; to the Committee on 
Homeland Security and Governmental Affairs.
  Ms. COLLINS. Mr. President, I rise today to join Senator Lieberman 
and Senator Carper in introducing the Cyber Security and Internet 
Freedom Act of 2011. This vital legislation would

[[Page S910]]

fortify the government's efforts to safeguard America's cyber networks 
from attack and ensure that access to the Internet is protected and its 
availability preserved for every American.
  The Internet is vital to almost every facet of Americans' daily 
lives--from the water we drink to the power we use to the ways we 
communicate. It is essential to the free flow of ideas and information. 
The Internet is a manifestation of the ideals that underlie the First 
Amendment of our Constitution and the core freedoms that all Americans 
hold dear. It is essential that the Internet and our access to it be 
protected to ensure both reliability of the critical services that rely 
upon it and the availability of the information that travels over it. 
While the United States must ensure the security of our nation and its 
critical infrastructure, it must do so in a manner that does not 
deprive Americans of the ability to lawfully read or express their 
views. Neither the President nor any other Federal official should have 
the authority to ``shut down'' the Internet.
  In June 2010, Senator Lieberman, Senator Carper, and I introduced 
legislation to strengthen the government's efforts to safeguard 
America's cyber networks from attack; build a public/private 
partnership to promote national cyber security priorities; and bolster 
the government's ability to set, monitor compliance with, and enforce 
standards and policies for securing Federal civilian systems and the 
sensitive information they contain. In late June, that bill was 
unanimously approved by the Senate Homeland Security and Governmental 
Affairs Committee.
  Today we are introducing for the 112th Congress the bill unanimously 
approved by our committee, but with explicit provisions preventing the 
President from shutting down the Internet and providing an opportunity 
for judicial review of designations of our most sensitive systems and 
assets as ``covered critical infrastructure.''
  President Mubarak's actions in January to shut down Internet 
communications in Egypt were, and are, totally inappropriate. Freedom 
of speech is a fundamental right that must be protected, and his ban 
was clearly designed to limit criticisms of his government. Our cyber 
security legislation is intended to protect the United States from 
external cyber attacks. Yet, some have suggested that the legislation 
the Committee reported during the last Congress would empower the 
President to deny U.S. citizens access to the Internet. Nothing could 
be further from the truth.
  I would never sign on to legislation that authorized the President, 
or anyone else, to shut down the Internet. Emergency or no, the 
exercise of such broad authority would be an affront to our 
  But our outmoded current laws do give us reason to be concerned. Most 
important, under current law, in the event of a cyber attack, the 
President's authorities are broad and ambiguous--a recipe for 
encroachments on privacy and civil liberties.

  For example, in the event of a war or threat of war, the 
Communications Act of 1934 authorizes the President to take over or 
shut down wire and radio communications providers. This law is a crude 
sledgehammer built for another time and technology. Our bill contains a 
number of protections to make sure that broad authority cannot be used 
to shut down the Internet.
  First, section 2 of the bill states explicitly:

       Notwithstanding any other provision of this Act, an 
     amendment made by this Act, or section 706 of the 
     Communications Act of 1934, neither the President, the 
     Director of the National Center for Cybersecurity and 
     Communications, or any officer or employee of the United 
     States Government shall have the authority to shut down the 

  Second, the emergency measures in our bill apply in a precise and 
targeted way only to our most critical infrastructure--vital components 
of the electric power grid, telecommunications networks, financial 
systems or other critical infrastructure systems that could cause a 
national or regional catastrophe if disrupted. This definition would 
not cover the entire Internet, the Internet backbone, or even entire 
  In defining covered critical infrastructure, our bill directs the 
Secretary to consider the consequences of a disruption of a particular 
system or asset. To constitute a ``national or regional catastrophe,'' 
the disruption would need to cause a mass casualty event which includes 
an extraordinary number of fatalities; severe economic consequences; 
mass evacuations with a prolonged absence; or severe degradation of 
national security capabilities, including intelligence and defense 
  When the Committee reported this bill last year, the report clarified 
what these four factors mean, specifically referencing the current DHS 
interpretation of ``national or severe economic consequences; mass 
evacuations with a prolonged absence; or regional catastrophe.'' Under 
DHS's interpretation, a ``national or regional catastrophe'' includes a 
combination of the following factors: more than 2,500 prompt 
fatalities; greater than $25 billion in first-year economic 
consequences; mass evacuations with a prolonged absence of greater than 
one month; or severe degradation of the nation's security capabilities.
  As our Committee's report noted, we expect the Department to apply 
this standard in determining which particular systems or assets 
constitute covered critical infrastructure.
  Third, our legislation restricts the President's ability to declare a 
national cyber emergency to those circumstances in which an ``actual or 
imminent'' cyber attack would disrupt covered critical infrastructure 
that would cause these catastrophic consequences.
  Fourth, any measures ordered by the President must be ``the least 
disruptive means feasible.''
  Fifth, the authority our bill would grant is time limited. The 
President could only declare a cyber emergency for 30-day period and 
only for up to 120 days. After that, Congress would be required to 
specifically authorize further measures. Any declaration would be 
subject to congressional oversight, as our bill requires the President 
to notify Congress regarding the specific threat to our nation's 
infrastructure, why existing protections are not sufficient, and what 
specific emergency measures are required to respond to the specific 
  Sixth, the legislation expressly forbids the designation of any 
system or asset as covered critical infrastructure ``based solely on 
activities protected by the first amendment to the United States 
  Seventh, the bill provides for a robust administrative process for an 
owner or operator to challenge the designation of a system or asset as 
covered critical infrastructure and expressly permits challenges of a 
final agency determination in federal court.
  Our bill contains protections to prevent the President from denying 
Americans access to the Internet--even as it provides clear and 
unambiguous direction to ensure that those most critical systems and 
assets that rely on the Internet are protected. And, even though 
experts question whether anyone can technically ``shut down'' the 
Internet in the United States, we included explicit language 
prohibiting the President from doing what President Mubarak did.
  I would like to stress that the need for Congress to pass a 
comprehensive cyber security bill is more urgent than ever.
  Cyber-based threats to U.S. information infrastructure are 
increasing, constantly evolving, and growing more dangerous.
  In March 2010 the Senate's Sergeant at Arms reported that the 
computer systems of Congress and the Executive Branch agencies are now 
under cyber attack an average of 1.8 billion times per month. The 
annual cost of cyber crime worldwide has climbed to more than $1 
  Coordinated cyber attacks have crippled Estonia, Georgia, and 
Kyrgyzstan and compromised critical infrastructure in countries around 
the world.
  Devastating cyber attacks could disrupt, damage, or even destroy some 
of our nation's critical infrastructure, such as the electric power 
grid, oil and gas pipelines, dams, or communications networks. These 
cyber threats could cause catastrophic damage in the physical world.
  Based on media reports, China and Russia already have penetrated the 
computer systems of America's electric power grid, leaving behind 

[[Page S911]]

hidden software that could be activated later to disrupt the grid 
during a war or other national crisis.
  In June 2010, cyber security experts discovered Stuxnet, one of the 
most sophisticated viruses ever found. Stuxnet was programmed 
specifically to infiltrate certain industrial control systems, allowing 
the virus to potentially overwrite commands and to sabotage infected 
systems. It had the potential to change instructions, commands, or 
alarm thresholds, which, in turn, could damage, disable, or disrupt 
equipment supporting the most critical infrastructure.
  The private sector is also under attack. In January 2010, Google 
announced that attacks originating in China had targeted its systems as 
well as the networks of more than 30 other companies. The attacks on 
Google sought to access the email accounts of Chinese human 
rights activists. For other companies, lucrative information such as 
critical corporate data and software source codes were targeted.

  According to a report released last week, coordinated and covert 
attacks hit more than five major oil, energy, and petrochemical 
companies. The focus of the intrusions was oil and gas field production 
systems, as well as financial documents related to field exploration 
and bidding for new oil and gas leases. The companies also lost 
information related to their industrial control systems.
  In the cyber domain, the advantage lies with our adversaries, for 
whom success could be achieved by exploiting a single vulnerability 
that could produce disruptive effects at network speed. Effectively 
preventing or containing major cyber attacks requires that response 
plans be in place and roles and authorities of Federal government 
agencies and entities be clearly delineated in advance.
  For too long, our approach to cyber security has been disjointed and 
uncoordinated. This cannot continue. The United States requires a 
comprehensive cyber security strategy backed by effective 
implementation of innovative security measures. There must be strong 
coordination among law enforcement, intelligence agencies, the 
military, and the private sector owners and operators of critical 
  This bill would establish the essential point of coordination across 
the Executive branch. The Office of Cyberspace Policy in the Executive 
Office of the President would be run by a Senate-confirmed Director who 
would advise the President on all cyber security matters. The Director 
would lead and harmonize Federal efforts to secure cyberspace and would 
develop a strategy that incorporates all elements of cyber security 
policy. The Director would oversee all Federal activities related to 
the strategy to ensure efficiency and coordination. The Director would 
report regularly to Congress to ensure transparency and oversight.
  To be clear, the White House official would not be another 
unaccountable czar. The Cyber Director would be a Senate-confirmed 
position and thus would testify before Congress. The important 
responsibilities given to the Director of the Office of Cyberspace 
Policy related to cyber security are similar to the responsibilities of 
the current Director of the Office of Science and Technology Policy.
  The Cyber Director would advise the President and coordinate efforts 
across the Executive branch to protect and improve our cyber security 
posture and communications networks. And, by working with a strong 
operational and tactical partner at the Department of Homeland 
Security, the Director would help improve the security of Federal and 
private sector networks.
  This strong DHS partner would be the National Center for 
Cybersecurity and Communications, or Cyber Center. It would be located 
within the Department of Homeland Security to elevate and strengthen 
the Department's cyber security capabilities and authorities. This 
Center also would be led by a Senate-confirmed Director.
  The Cyber Center, anchored at DHS, will close the coordination gaps 
that currently exist in our disjointed federal cyber security efforts. 
For day-to-day operations, the Center would use the resources of DHS, 
and the Center Director would report directly to the Secretary of 
Homeland Security. On interagency matters related to the security of 
Federal networks, the Director would regularly advise the President--a 
relationship similar to the Director of the NCTC on counterterrorism 
matters or the Chairman of the Joint Chiefs of Staff on military 
issues. These dual relationships would give the Center Director 
sufficient rank and stature to interact effectively with the heads of 
other departments and agencies, and with the private sector.

  Congress has dealt with complex challenges involving the need for 
interagency coordination in the past with a similar construct. We have 
established strong leaders with supporting organizational structures to 
coordinate and implement action across agencies, while recognizing and 
respecting disparate agency missions.
  The establishment of the National Counterterrorism Center within the 
Office of the Director of National Intelligence is a prime example of a 
successful reorganization that fused the missions of multiple agencies. 
The Director of NCTC is responsible for the strategic planning of joint 
counterterrorism operations, and in this role reports to the President. 
When implementing the information analysis, integration, and sharing 
mission of the Center, the Director reports to the Director of National 
Intelligence. These dual roles provide access to the President on 
strategic, interagency matters, yet provide NCTC with the structural 
support and resources of the office of the DNI to complete the day-to-
day work of the NCTC. The DHS Cyber Center would replicate this 
successful model for cyber security.
  This bill would establish a public/private partnership to improve 
cyber security. Working collaboratively with the private sector, the 
Center would produce and share useful warning, analysis, and threat 
information with the private sector, other Federal agencies, 
international partners, and state and local governments. By developing 
and promoting best practices and providing voluntary technical 
assistance to the private sector, the Center would improve cyber 
security across the nation. Best practices developed by the Center 
would be based on collaboration and information sharing with the 
private sector. Information shared with the Center by the private 
sector would be protected.
  With respect to the owners and operators of our most critical systems 
and assets, the bill would mandate compliance with certain risk-based 
performance metrics to close security gaps. These metrics would apply 
to vital components of the electric grid, telecommunications networks, 
financial systems, or other critical infrastructure systems that could 
cause a national or regional catastrophe if disrupted.
  This approach would be similar to the current model that DHS employs 
with the chemical industry. Rather than setting specific standards, DHS 
would employ a risk-based approach to evaluating cyber risk, and the 
owners and operators of covered critical infrastructure would develop a 
plan for protecting against those risks and mitigating the consequences 
of an attack.
  These owners and operators would be able to choose which security 
measures to implement to meet applicable risk-based performance 
metrics. The bill does not authorize any new surveillance authorities 
or permit the government to ``take over'' private networks. This model 
would allow for continued innovation and dynamism that are fundamental 
to the success of the IT sector.

  The bill would protect the owners and operators of covered critical 
infrastructure from punitive damages when they comply with the new 
risk-based performance measures. Covered critical infrastructure also 
would be required to report certain significant breaches affecting 
vital system functions to the Center. Collaboration with the private 
sector would help develop mitigations for these cyber risks.
  The Center also would share information, including threat analysis, 
with owners and operators of critical infrastructure regarding risks 
affecting the security of their sectors. The Center would work with 
sector-specific agencies and other Federal agencies with existing 
regulatory authority to avoid duplication of requirements, to use 
existing expertise, and to ensure government resources are employed in 
the most efficient and effective manner.

[[Page S912]]

  With regard to Federal networks, the Federal Information Security 
Management Act--known as FISMA--gives the Office of Management and 
Budget broad authority to oversee agency information security measures. 
In practice, however, FISMA is frequently criticized as a ``paperwork 
exercise'' that offers little real security and leads to a disjointed 
cyber security regime in which each Federal agency haphazardly 
implements its own security measures.
  The bill we introduce today would transform FISMA from paper based to 
real-time responses. It would codify and strengthen DHS authorities to 
establish complete situational awareness for Federal networks and 
develop tools to improve resilience of Federal Government systems and 
  The legislation also would ensure that Federal civilian agencies 
consider cyber risks in IT procurements instead of relying on the ad 
hoc approach that dominates civilian government cyber efforts. The bill 
would charge the Secretary of Homeland Security, working with the 
private sector and the heads of other affected departments and 
agencies, with developing a supply chain risk management strategy 
applicable to Federal procurements. This strategy would emphasize the 
security of information systems from development to acquisition and 
throughout their operational life cycle. The strategy would be based, 
to the maximum extent practicable, on standards developed by the 
private sector and would direct agencies to use commercial-off-the-
shelf solutions to the maximum extent consistent with agency needs.
  While the Cyber Center should not be responsible for micromanaging 
individual procurements or directing investments, we have seen far too 
often that security is not a primary concern when agencies procure 
their IT systems. Recommending security investments to OMB and 
providing strategic guidance on security enhancements early in the 
development and acquisition process will help ``bake in'' security. 
Cyber security can no longer be an afterthought in our government 
  These improvements in Federal acquisition policy should have 
beneficial ripple effects in the larger commercial market. As a large 
customer, the Federal Government can contract with companies to 
innovate and improve the security of their IT services and products. 
These innovations can establish new security baselines for services and 
products offered to the private sector and the general public without 
mandating specific market outcomes.

  Finally, the legislation would direct the Office of Personnel 
Management to reform the way cyber security personnel are recruited, 
hired, and trained to ensure that the Federal Government and the 
private sector have the talent necessary to lead this national effort 
and protect its own networks. The bill would also provide DHS with 
temporary hiring and pay flexibilities to assist in the establishment 
of the Center.
  We cannot afford to wait for a ``cyber 9/11'' before our government 
finally realizes the importance of protecting our digital resources, 
limiting our vulnerabilities, and mitigating the consequences of 
penetrations to our networks.
  We must be ready. It is vitally important that we build a strong 
public-private partnership to protect cyberspace. It is a vital engine 
of our economy, our government, our country and our future.
  I urge Congress to support this vitally important legislation.