[Congressional Record Volume 158, Number 56 (Wednesday, April 18, 2012)]
[Senate]
[Pages S2458-S2459]

[...]


                             Cybersecurity

  Mr. WHITEHOUSE. Madam President, our Nation's inadequate 
cybersecurity poses an ever-growing threat to our safety, our 
prosperity, and our privacy. Attackers go after our intellectual 
property, our national security, and our critical infrastructure. The 
McAfee Night Dragon Report, for example, concluded that foreign 
intruders had access to major oil, energy, and petrochemical companies' 
computer networks for at least 2 years and likely as many as 4 years. 
Government reports are equally sobering, though usually classified.
  One that is not classified is the recent Department of Homeland 
Security report that attacks on computer systems that control critical 
infrastructure, factories, and databases increased almost eightfold in 
just the last 12 months. Secretary of Defense Leon Panetta has warned 
that ``the next Pearl Harbor we confront could very well be a cyber 
attack.''
  Majority Leader Reid has recognized the severity of this national and 
economic security threat and intends to bring cybersecurity legislation 
to the Senate floor soon. We recognize too the hard work of Chairman 
Lieberman and Ranking Member Collins of the Homeland Security 
Committee, as well as Chairman Feinstein of the Intelligence Committee, 
and Senator Rockefeller of the Commerce Committee. The Cybersecurity 
Act of 2012, which they introduced--and I am proud to cosponsor--is a 
good start toward addressing the many cybersecurity threats that face 
this Nation.
  The SECURE IT Act, introduced by Senator McCain and seven colleagues, 
seeks to improve the sharing of cybersecurity threat information; the 
Federal Information Security Management Act, or FISMA, which governs 
cybersecurity at Federal agencies; and our cyber research and 
development. There is considerable overlap between these bills, which 
signals that the Senate could legislate on cybersecurity in a 
bipartisan and serious manner.
  Support for cybersecurity legislation is also bicameral. The 
Cybersecurity Task Force constituted by House Republicans produced 
recommendations that share key points with our Cybersecurity Act of 
2012. Numerous bills are working their way through the House on a 
bipartisan basis. Central to that work in the House are the 
contributions of Rhode Island Congressman Jim Langevin. His leadership 
is a major reason the House has come to recognize the dangerous 
vulnerabilities within our critical infrastructure and that we now 
stand on the verge of a breakthrough in improving the security of those 
networks.
  When a test at the Idaho National Labs showed hackers could blow up a 
power generator from thousands of miles away, Congressman Langevin 
brought the owners and operators of our electric grid before Congress 
and investigated their promise the issue was being addressed. When he 
found out that wasn't true, he called them out. His subsequent work as 
a cochair of the Center for Strategic and International Studies 
Commission on Cybersecurity, along with other experts from within and 
outside of government, resulted in many of the recommendations 
reflected in our legislation. Then, in 2010, Congressman Langevin 
passed a landmark cybersecurity amendment in the House that provided a 
legislative template for setting standards for critical infrastructure. 
I thank Jim Langevin, my colleague from Rhode Island, for his 
relentless commitment to keeping America safe in cyberspace.
  I am here this morning to stress four points I believe we must keep 
in mind as we take up cybersecurity legislation. The first is that 
cybersecurity legislation should improve the public's limited awareness 
of current cybersecurity threats and the harm those threats present to 
our national security, economy, and privacy. The public, for years, has 
been kept in the dark, and that is wrong.
  The corporate sector systematically underreports cyber attacks for 
fear of scaring customers, for fear of encouraging competitors or for 
fear of triggering regulatory review. I was pleased the Securities and 
Exchange Commission, after prompting by Senator Rockefeller and myself 
and others, issued guidance for when registered companies must disclose 
breach information.
  The government itself systematically underreports cyber attacks 
because it overclassifies information about cyber attacks on government 
systems. Jim Lewis of the Center for Strategic and International 
Studies, for example, recently explained that cybersecurity has a 
unique problem in that some of the most reliable data is classified. It 
was a rare exception when a November 2011 report by the Office of the 
National Counterintelligence Executive identified China and Russia as 
responsible for the systematic theft of American intellectual property 
through cyber espionage. The legislation that we pass must shed light 
on the scale and severity of the cyber threat to the American public.
  In that vein, I am pleased the Cybersecurity Act of 2012 includes 
provisions from the Cybersecurity Public Awareness Act, S. 813, which I 
introduced with Senator Kyl. These provisions will at least begin to 
improve the public's awareness of the current cyber threat environment 
we face.
  Second, we must recognize that inadequate awareness and inadequate 
protection against cyber risks is endemic among our largest 
corporations. Part of the problem is a gulf in cybersecurity awareness 
between corporate chief information officers and corporate CEOs. 
Carnegie Mellon's CyLab recently reported:

       Boards and senior management still are not exercising 
     appropriate governance over the privacy and security of their 
     digital assets . . . These findings are consistent with the 
     complaints by CISO/CSOs that they cannot get the attention of 
     their senior management and boards and their budgets are 
     inadequate . . . There is still an apparent disconnect.

  Nor is this an area in which the market can be trusted to work. As 
former Bush Secretary of Homeland Security Michael Chertoff has 
explained:

       The marketplace is likely to fail in allocating the correct 
     amount of investment to manage risk across the breadth of the 
     networks on which our society relies.

  This is not an area where corporations manage adequately on their 
own. FBI Director Robert Mueller recently explained:

       There are only two types of companies: those that have been 
     hacked and those that will be.

  Even more trenchant, the McAfee report on the ``Shady RAT'' attacks 
similarly stated it is possible to divide ``the entire set of Fortune 
Global 2,000 firms into two categories: those that know they've been 
compromised and those that don't yet know.''
  Kevin Mandia of the leading security firm Mandiant has explained:

       [I]n over 90 percent of the cases we have responded to, 
     government notification was required to alert the company 
     that a security breach was underway. In our last 50 
     incidents, 48 of the victim companies learned they were 
     breached from the Federal Bureau of Investigation, the 
     Department of Defense or some other third party.

  The National Cybersecurity Investigation Joint Task Force, led by the 
FBI, told me the same thing: more than 90 percent of the time the 
corporate victim had no idea.
  What we can conclude from this is that improved sharing of 
cybersecurity threat information is necessary but is not sufficient to 
protect our Nation's cybersecurity. Even a perfect information-sharing 
process will not prevent cyber attacks if the information being shared 
is incomplete. The blindness of most corporations to this threat limits 
the effectiveness of corporate-to-corporate information sharing. The 
NSA's Defense Industrial Base pilot--the so-called ``DIB'' pilot--
proved the government can share classified information
with trusted corporations, but it revealed significant risks and 
limitations, particularly if the government were to share its most 
sensitive intelligence information with a broad set of private 
companies.
  The third point I want to make this morning, and perhaps the most 
important, is that this legislation on cybersecurity will have failed 
if it does not ensure that our American critical infrastructure has 
adequate cybersecurity. There must be a process for identifying 
critical infrastructure, establishing appropriate security standards, 
and ensuring that critical infrastructure companies meet the standard.
  If an attack comes, we must be sure that America's most capable 
defenses and countermeasures are pre-positioned to defend critical 
American infrastructure. We simply cannot wait until an attack is 
underway on basic needs and services on which we depend, such as our 
electric grid, our communications networks, and the servers that 
process our financial transactions. So there are two measures here: One 
is that we must have a way to define critical infrastructure so we know 
what it is and, just as important from a civil liberties perspective, 
we know what it isn't. When we identify critical infrastructure on 
which our safety and economic and national security depend, we are also 
defining what does not qualify and where privacy concerns can be much 
more important than national security concerns. Nobody wants government 
in our chat rooms, e-mails, or social media; everyone gets why 
government should protect the electric grids that bring power to our 
homes.
  The second is that once we identify our critical infrastructure, we 
need to find a way for our national security assets to protect that 
critical infrastructure. Our government has unique capabilities to 
protect those basics, such as our electric grid.
  As Kevin Mandia has explained:

     [t]he majority of threat intelligence is currently in the 
     hands of the government.

  Some of this information can be disclosed, but some cannot be, in 
order to protect sensitive sources and methods. This requires us to 
find other ways for our most sophisticated government capabilities to 
protect our critical infrastructure. For example, we should think 
seriously about the concept of secure domains and how they can be 
deployed effectively while protecting civil liberties. I am glad 
section 804 of the Cybersecurity Act of 2012 takes on that task by 
requiring expert study of the advantages and disadvantages of 
establishing secure domains for critical infrastructure.
  If the business community can identify a workable alternative 
approach, such as a voluntary or opt-in regulatory system, I am willing 
to get to work, but we must not balk at taking on the hard question of 
how to secure our critical American infrastructure.
  The last point I want to make today is that Congress, in this bill, 
should consider the appropriate structure and resources for the 
cybersecurity and cyber crime mission of the Department of Justice, the 
Federal Bureau of Investigation, and law enforcement components of the 
Department of Homeland Security. We do not do enough to investigate, 
prosecute, and take other appropriate legal action against cyber crime, 
cyber espionage and other cyber threats. Last year's takedown by the 
Department of Justice of the Coreflood botnet should be a regular 
occurrence, not a special occurrence. But it will not be--it cannot 
be--with our current cyber crime resources. The technical, 
international, and legal aspects of these investigations are too 
complex.
  I spent 4 years as a United States attorney; I spent 4 years as our 
State's attorney general. These are astonishingly complicated and 
difficult cases. They are massively resource intensive. So it is time 
for a fundamental rethinking of cyber law enforcement resources: both 
the level of resources and the manner in which they are structured. We 
should be discussing whether cyber crime should have a dedicated 
investigatory agency akin to the DEA or ATF or whether existing task 
force models should be used. These are important questions the 
legislation has not addressed. Accordingly, I plan to offer a floor 
amendment that will require an expert study of our current cyber law 
enforcement resources that can recommend a proper level of funding and 
structure of forces going forward.
  Once again, I thank my colleagues for their hard work to date on 
cybersecurity issues. I urge that all of us join together to pass 
cybersecurity legislation into law as soon as possible. Two years ago, 
I said that because of cyber we in the United States are on the losing 
end of the largest transfer of wealth through theft and piracy in the 
history of the world. GEN Keith Alexander, who leads the National 
Security Agency and U.S. Cyber Command, has reached the same conclusion 
when saying recently that cyber theft is ``the greatest transfer of 
wealth in history.'' McAfee likewise has recently evaluated the theft 
of national secrets, source code, designs, and other documents, and 
concluded that what ``we have witnessed over the past 5 to 6 years has 
been nothing short of a historically unprecedented transfer of 
wealth.''
  We are the losers in that transfer of wealth. We cannot afford to 
wait to address this enormous and ever-growing threat.
  I thank the Chair, and I yield the floor.
  The ACTING PRESIDENT pro tempore. The Senator from Oregon.

[...]