WASHINGTON – The U.S. Senate Wednesday rejected a second chance to move forward with critical cybersecurity legislation supported by top-ranking members of the nation’s intelligence, national, and homeland security communities.
By a vote of 51-47, the Senate failed to approve a procedural motion to end debate on the bill, S. 3414, and move to a final vote.
Full text of the Senator’s floor statement, as prepared for delivery before the vote , follows:
Mr. President, I want to thank the Majority Leader for giving the Senate this second chance to do something crucial for our nation’s economic and national security – something we should have done before the August recess – and that is pass S. 3414, “The Cybersecurity Act of 2012.”
Colleagues, if you look at what has happened since the cloture vote on the Cybersecurity Act failed back in August, you will see we need to seize this opportunity. We are being given a second chance to raise our defenses against the rival nations, industrial spies, organized crime and cyber-terrorists who are constantly probing our computer networks for weaknesses they can use to steal our secrets or sabotage critical infrastructure, like water and power plants.
Consider this: On August 15th – just two weeks after the cloture vote – a computer virus called Shamoon erased the hard drives of 30,000 computers owned and operated by Saudi Aramco – one of the world’s largest energy company – replacing those data files with images of burning American flags. The computers were rendered useless and had to be replaced.
Experts say it was the most destructive cyber attack against a private company in history.
A similar attack was later carried out on the Qatari natural gas firm, RasGas. And Iran is suspected as the attacker in both instances.
Thanks to quick work by Aramco and many of the world’s leading cybersecurity technologists and experts, the damage was contained. But this could have thrown global oil markets into chaos if orders couldn’t be filled or shipments made.
Then in September, the consumer web banking sites of some great American financial institutions - Bank of America, JPMorgan Chase, Wells Fargo, PNC Bank and others - came under the largest sustained denial of service attack in history. The attacks went on for weeks, knocking many of these sites that are very important to commercial life in our country off line or slowing them to a crawl.
Look at how much commerce is now conducted over the Internet and you see the danger here. These kinds of attacks could bring the banking system, and the economy, to its knees.
And again, some intelligence officials that I respect suspect Iran or its agents launched these attacks against American banks.
Defense Secretary Panetta warned in a recent speech that these and other kinds of attacks show we may be approaching a “cyber-Pearl Harbor” where – and I quote: “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” That’s not science fiction. That is not an alarmist. It is the Secretary of Defense, Leon Panetta.
Time is not on our side. We have to act.
Mr. President, the elections are over. The time for political posturing has passed. The American people, through their votes, have told us in a clear and certain voice that they want us to work together to solve the many challenges our nation confronts.
I know we are focused on going over the so-called “fiscal cliff.” But we have time to deal with cybersecurity as well before this Congress expires.
This week, President Obama is bringing together legislative, business and labor leaders to begin hammering out a compromise package that hopefully will allow us to avert the economic catastrophe that would befall us if the Bush and Obama tax cuts were allowed to expire at the same time the mandated across-the-board defense and domestic spending cuts we call “sequestration” kick in.
It is estimated that combined these would drain at least $630 billion from our already anemic economy next year alone and plunge us back into recession.
But we won’t be getting that package this week. We can use this time to continue debating cybersecurity with an open amendment process that will allow Senators to make their case on how they would improve the bill and then have an up or down vote on those ideas.
I, along with the Majority Leader, have repeatedly urged our colleagues to come forward with a list of relevant amendments that they want votes on. I call on them again today – come forward with amendments, let the legislative process proceed and let the Senate work its will.
Mr. President, the reality is that legislation is desperately needed to make our country more secure. But if Congress fails to act again, the President will in all likelihood issue an executive order to move us forward.
Under existing law, the President has the authority to issue an executive order that will establish cybersecurity standards for all eighteen critical infrastructure sectors and requires that those standards be implemented in certain already-regulated areas. A draft of just such an executive order is already being circulated.
But the President will not have the power under existing law to offer the benefits our bill gives private sector owners of critical infrastructure.
For one thing, the President will not be able to offer the private-sector owners the liability protection our bill offers for voluntarily adopting cybersecurity practices developed jointly by the private sector and the government. Without such protections, the private sector will be exposed to substantial liability once the Executive Branch begins to promulgate industry-wide standards.
In addition, needed changes to law that permit private companies to share cybersecurity threat information amongst themselves and with the government will go unmade. Both sides in this debate have acknowledged that this is a critical piece of any bill – but cannot be implemented by executive action.
Mr. President, an executive order leaves much to be desired. But it is far preferable to inaction, and it is what we will be left with if Congress doesn’t pass this reasonable, bipartisan cybersecurity bill.
I want to sum up by reiterating the three points I made last summer when we first began debating this bill.
First: The threat is real and some of our greatest minds in national security in both parties have urged us to act.
In a letter to the Majority and Minority Leaders, former DHS Secretary Michael Chertoff; former Director of National Intelligence Admiral Michael McConnell; former Deputy Defense Secretary Paul Wolfowitz; former NSA and CIA Director Michael Hayden, former vice chairman of the Joint Chiefs of Staff, Marine General James Cartwright, and former Deputy Defense Secretary William J. Lynn wrote:
“We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time. We do not want to be in the same position again when ‘cyber 9/11’ hits – it is not a question of whether this will happen; it is a question of ‘when.’”
Let me repeat that Mr. President. It is not a question of whether it will happen – but when!
National Security Agency Director Gen. Keith Alexander has blamed cyber attacks for – I quote –“the greatest transfer of wealth in history,” estimating that U.S. companies lose about $250 billion a year through intellectual property theft, $114 billion to theft through cyber crime and another $224 billion in down time the attacks caused.
As General Alexander said, “this is our future disappearing before us.”
And we just have to look at what’s happening in New York, in New Jersey where, three weeks after Sandy, tens of thousands are still without power. A cyber attack could cripple our electric grid, just as surely as a hurricane – and the suffering would be immense.
Second: This bill is not something that was hastily thrown together. It has been more than a decade in the making. I attended my first hearing on cybersecurity back in 1998 as a member of the former Senate Governmental Affairs Committee, under the leadership of Chairman Fred Thompson, and have been concerned about this growing threat ever since.
According to a report from the Congressional Research Service, in the 112th Congress alone there have been 38 hearings and four markups in the House and 33 hearings in the Senate on cybersecurity.
Since 2005, the Homeland Security and Governmental Affairs Committee has held 10 hearings with 48 witnesses testifying and taking questions over a total of 18 hours. And, along with the bill’s co-sponsors – Senators Feinstein and Rockefeller – we’ve held numerous briefings, forums and cybersecurity demonstrations for members and staff.
These hearings and briefings were further informed by, according to CRS, a total of 60 government reports, totaling 2,624 pages, produced by the Government Accountability Office, the Department of Defense, the Office of Management, and Budget, the Department of Energy and other federal agencies.
And this doesn’t count the many additional reports from private sector computer security firms, like Symantec, and think tanks and academic institutes, like MIT and the Center for Strategic and International Studies.
My third and final point: This bill – as I mentioned earlier – is already the result of bipartisan compromise.
We have incorporated ideas from Senators Whitehouse, Kyl and others who have worked diligently to help us find common ground. I want to thank them for their efforts.
We have taken to heart the concerns of Senators Durbin, Franken, Wyden, and others who pressed for greater protections for privacy and civil liberties and have made changes.
And we have listened to the concerns of Sen. McCain and others who sponsored the SECURE IT bill and in the spirit of compromise, agreed to a major change when we moved from mandatory to voluntary cybersecurity compliance.
We did this reluctantly. Many bipartisan national security experts are in solid agreement that mandatory requirements are needed to protect our national and economic security from the ever-rising risk of cyber attacks.
If critical infrastructure firms were allowed to opt out, we feared a race to the bottom as some companies sought a competitive advantage by not investing in strong cybersecurity and saving money – or others who didn’t participate just didn’t realize how vulnerable they were.
But this provision drew the most criticism so we agreed to change it to a voluntary cybersecurity regime.
Under our revised bill, private industry, which owns 80 to 85 percent of the nation’s critical infrastructure, will develop a set of cybersecurity practices, which will then be reviewed by a new National Cybersecurity Council our bill creates. The Council, which will be chaired by the Secretary of Homeland Security and made up of representatives from the Departments of Defense, Commerce, Justice and other agencies, will review these practices to ensure they provide an adequate level of security.
Owners of critical infrastructure will then have the option of joining a voluntary program in which they would be entitled to certain benefits, which I mentioned earlier, such as certain liability protections in the event of a cyber attack, expedited security clearances and prioritized technical assistance from the government.
Even if my colleagues have remaining concerns with provisions in the bill – there is no reason not to vote for cloture. Any legislation passed must be conferenced with the House where we will have ample opportunity to continue negotiating and I am committed to working with my colleagues to address their concerns.
I urge my colleagues to vote for cloture on “The Cybersecurity Act of 2012.”
Again, Mr. President, the Senate is being offered a second chance. The chance to put politics aside and enact legislation to protect the American people from high-tech assaults that could be as lethal and destructive as any conventional attack by air, sea or land.
Partisan differences did not prevent the Senate from passing legislation in 1947 to address the challenges of the Cold War or deter the Senate from passing anti-terrorist legislation in the years following 9/11. It should not prevent us now from passing cybersecurity legislation.
Let’s embrace this second chance to make America safe – and to make some history.
I yield the floor.
Become a fan of the Committee on Facebook