WASHINGTON – Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Wednesday took to the Senate floor to urge the Senate to pass legislation to protect the nation’s most critical cyber networks from catastrophic attack. His speech follows:
Mr. President, I rise to urge my colleagues to vote yes on the motion to proceed to S. 3414, “The Cybersecurity Act of 2012,” so we can begin the crucial debate about how best to protect our national and economic security in this wired world where threats come not from land, sea or sky – but in invisible strings of ones and zeroes.
I want to thank Senators Collins, Rockefeller, Feinstein and Carper who have joined me in sponsoring this legislation. And I want to thank the Majority Leader for fulfilling his commitment to bring this bill to the floor – even though as always there are clearly other important issues vying for this body’s attention. But I dare say none are as important at this point in our history.
I want to make three points to my colleagues.
First: The threat of cyber attacks is a danger that is clear, present and growing, with enemies ranging from rival nations, to cyber-terrorists, to organized crime, to rogue hackers sitting at computers almost anywhere around the world.
Second: This bill is more than a decade in the making. I attended my first hearing on cybersecurity as a member of the former Senate Governmental Affairs Committee, under the leadership of Chairman Fred Thompson, back in 1998, and have been concerned about this growing threat ever since.
Along with my friend and colleague Sen. Collins, we have held multiple hearings on cybersecurity in the new Homeland Security and Governmental Affairs Committee. And we weren’t alone. There have been numerous hearings over the past several years and markups among multiple committees in both the Senate – many held by my colleagues Senators Rockefeller and Feinstein – as well as in the House.
And those discussions were informed by numerous government and private sector studies on the dangers that lurk in cyberspace.
The bill before us is not something hastily thrown together, but rather – as Isaac Newton once said – was produced by the sponsors who were – and I quote – “standing on the shoulders of giants.”
And my third and final point: The bill I hope we are about to begin debating is already the result of bipartisan compromise. My cosponsors and I didn’t get everything we wanted. In fact, we gave up some things we thought were vitally important to the bill. But given the threat, we thought it was important to move forward with a bill that will significantly strengthen our cyber security. We did not want to lose the chance to pass legislation this year that could help secure our nation for decades to come so we made big compromises.
We have incorporated ideas from Senators Whitehouse, Kyl and others who have been working diligently to help us find common ground. I want to thank them for their efforts. And we have listened to the concerns of Sen. McCain and others who sponsored the SECURE IT bill in the Senate. We have heard and responded to Senators Durbin, Franken, Wyden, and others who pressed for greater protections for privacy and civil liberties.
We have not reached a bill that everyone can support and perhaps we never will. But we have made substantial changes designed to address concerns from stakeholders and colleagues, and we are confident that we can work through more issues on the floor.
If we allow the perfect to become the enemy of the good, our real enemies become the benefactors of our parochial or partisan prides. We must act together for the good of the nation, so let’s get the debate started and bring amendments to the floor for an up or down vote – and then let’s pass this bill and send it to the President.
Let me start with the warnings from some of our nation’s most experienced Republican and Democratic national security leaders.
In a letter last month to the Majority and Minority Leaders, former DHS Secretary Michael Chertoff; former Director of National Intelligence Admiral Michael McConnell; former Deputy Defense Secretary Paul Wolfowitz; former NSA and CIA Director Michael Hayden, former vice chairman of the Joint Chiefs of Staff, Marine General James Cartwright, and former Deputy Defense Secretary William J. Lynn wrote:
“We write to urge you to bring cybersecurity legislation to the floor as soon as possible. Given the time left in this legislative session and the upcoming election this fall, we are concerned that the window of opportunity to pass legislation that is in our view critically necessary to protect our national and economic security is quickly disappearing.
“Infrastructure that controls our electricity, water and sewer, nuclear plants, communications backbone, energy pipelines and financial networks must be required to meet appropriate cybersecurity standards.”
“We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time. We do not want to be in the same position again when ‘cyber 9/11’ hits – it is not a question of whether this will happen; it is a question of ‘when.’”
Let me repeat that Mr. President. It is not a question of whether it will happen – but when!
And many other officials have issued similar warnings.
Secretary of Defense Leon Panetta has said that the next Pearl Harbor will occur in cyberspace.
Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey has warned – and I quote – “a cyber attack could stop society in its tracks.”
This month, National Security Agency Director Gen. Keith Alexander blamed cyber attacks for – I quote –“the greatest transfer of wealth in history,” estimating that U.S. companies lose about $250 billion a year through intellectual property theft, $114 billion to theft through cyber crime and another $224 billion in down time the thefts caused.
As General Alexander said, “this is our future disappearing before us.”
In a recent op-ed in “The Wall Street Journal,” President Obama wrote: “In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.”
If these warnings aren’t enough to motivate us to pass comprehensive cybersecurity legislation, consider a recent story in “The Washington Post” that detailed how a young man living an ocean away used his computer to hack into the control panel of a small-town water utility in Texas. It took him just 10 minutes and required no special tools or training. And the utility had no idea of what had happened until the hacker posted screen shots of his exploit online as a warning of how vulnerable we all are.
Imagine if terrorists decided to target strings of small utilities across the nation and either cut off fresh water or dump raw sewage into our lakes, rivers and streams. We would have an environmental and economic disaster on our hands.
This brings me to my second point, Mr. President: We need to act – and act now! The challenge of cybersecurity has been studied intensely. There is no need for more studies or hearings.
According to a report from the Congressional Research Service, in the 112th Congress alone there have been 38 hearings and four markups in the House and 33 hearings in the Senate on cybersecurity.
In the 112th Congress, the Judiciary Committee also held a markup on the Personal Data and Privacy Security Act and in previous Congresses the Senate held mark-ups of cybersecurity legislation in five separate committees under regular order.
Since 2005, the Homeland Security and Governmental Affairs Committee alone has held 10 hearings with 48 witnesses testifying and taking questions over a total of 18 hours. And, along with the bill’s co-sponsors – Senators Feinstein and Rockefeller – we’ve held numerous briefings, forums and cybersecurity demonstrations for members and staff.
All these hearings and briefings were further informed by, according to CRS, a total of 60 government reports, totaling 2,624 pages, produced by the Government Accountability Office, the Department of Defense, the Office of Management, and Budget, the Department of Energy and other federal agencies.
And this doesn’t count the many, many more reports from private sector computer security firms, like Symantec, and think tanks and academic institutes, like MIT and the Center for Strategic and International Studies.
In his 1936 book “When England Slept,” Winston Churchill asked his colleagues in Parliament, who refused to act decisively to counter the rise of German military power, despite its clear warlike intentions: “What will you know in a few weeks about this matter that you do not know now . . . and have not been told any time in the last six months?
Colleagues, we have been looking at this for a decade. Our enemies are only getting smarter. The attacks have already started! It’s time to act! What more do we need to know!
Finally, Mr. President, in the interest of moving forward, my cosponsors and I have made a major compromise in the bill we are bringing to the floor on how we deal with critical infrastructure – things like power plants, energy pipelines, and our water and sewer systems – that if sabotaged or commandeered in a cyber attack could lead to deaths and economic and environmental disasters.
Our original bill called for mandatory cyber-safety standards for all critical infrastructure that would be developed in consultation with the private sector.
We did not believe this was a unique or onerous requirement. Since antiquity, societies have chosen to adopt safety standards to protect the physical structures of everyday life – starting with the homes we live in, but also our offices, factories and critical infrastructure, like power plants and dams.
Today we call these building codes, but they are as old as the Bible.
Deuteronomy 22:8 says: “When you build a new house, you shall make a parapet for your roof, that you may not bring the guilt of blood upon your house if anyone should fall from it.”
The reason we do this in the physical world is obvious. If one of our homes catches fire because of wiring not up to code, not only is our family in danger, but the lives and homes of our neighbors are in danger as well.
Numerous bipartisian national security experts have been in solid agreement that mandatory requirements are needed to protect our national and economic security from the ever risking risk of cyber attacks.
But this provision drew the most criticism so we agreed to change it to a voluntary cybersecurity regime.
Under our revised bill, private industry, which owns 80 to 85 percent of the nation’s critical infrastructure, will develop a set of cybersecurity practices, which will then be reviewed by a new National Cybersecurity Council – or NCC – our bill creates. The NCC, which will be chaired by the Secretary of Homeland Security and made up of representatives from the Departments of Defense, Commerce, Justice and other agencies, will review these practices to ensure they provide an adequate level of security.
Owners of critical infrastructure will then have the option of joining a voluntary program in which if they would be entitled to certain benefits, such as certain liability protections in the event of a cyber attack, expedited security clearances, and prioritized technical assistance from the government.
Our bill also contains information sharing provisions that will allow the private sector and government to share threat information among themselves, yet has privacy protections that have won the approval of the ACLU and other privacy groups.
Mr. President, I again urge my colleagues to vote yes on this motion to proceed and get this debate started so we can enact this crucial piece of national and economic security legislation this year.
I yield the floor.
Become a fan of the Committee on Facebook