WASHINGTON – Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Friday outlined five basic principles that he hopes will be included in cyber security legislation he expects to introduce later this year with the Committee’s Ranking Member Susan Collins, R-Me.
“I am convinced that if the federal government and the business community work together, we can make the Internet a secure and reliable communications medium that not only protects our national and economic security, but allows us to expand into new kinds of services and products that will help our economy grow and create the new wave of jobs we need,” Lieberman said in a speech before the Chamber of Commerce Cyber Security Task Force.
The five principles are:
· A Senate-confirmed cyber security coordinator in the Executive Office of the President
· Sufficient authority and personnel for the Department of Homeland Security (DHS) to monitor the federal civilian networks and defend against malicious traffic
· A mandatory risk-based approach, established by DHS, to securing the nation’s most critical infrastructure, including financial systems, electric power, and mass transit, and voluntary guidance for less critical companies.
· New government acquisition policies and practices to tighten the security of government systems, which will drive similar security innovations for products available to the public.
· Address the challenges in hiring, retaining, and training cyber security personnel in the federal government
Text of the Senator’s speech, as it was prepared for delivery, follows:
Good morning. I want to thank Michael Hickey for that introduction and thank the U.S. Chamber of Commerce for inviting me to speak with you on one of the most important topics of our time for the future of both our business community and our national security: “Securing Cyberspace.”
The need for action is obvious. Indeed, the President has correctly described our cyber networks and systems as “strategic national assets” that are keys to our prosperity in the 21st Century. Protecting these assets must be one of our most urgent national priorities.
However, we are well behind the curve.
Consider just these two numbers. Last year, intrusions into U.S. government computers rose 40 percent, while at the World Economic Forum in Davos, Switzerland, researchers released estimates that the global economy has already lost about $1 trillion through computer theft of financial records and intellectual property.
Clearly we need to address these and other threats and, in fact, this morning the Department of Homeland Security will be taking another step forward as it opens its new National Cybersecurity & Communications Integration Center that will bring together the Department’s cyber and telecommunications security efforts into one consolidated watch floor.
This step, along with the new flexibility that the Department was granted by the Office of Personnel Management to hire 1,000 new cyber security professionals, and with the leadership exhibited by Secretary Napolitano and Deputy Undersecretary Philip Reitinger will help transform the DHS into the robust cyber security organization it needs to become.
But securing the Internet isn’t just about playing defense against cyber criminals, terrorists, hackers, nation states and spies. It’s is also about creating a trustworthy communications platform that will allow us to achieve greater efficiencies throughout our economy that will be good for business and make our daily lives safer and easier.
I am thinking of digital signatures so secure you could safely negotiate, sign and store contracts on line and finally move to a completely paperless workplace.
Imagine an Internet so secure that if you ever had a medical emergency – maybe out of town as many of you are today – that medical professionals from the ambulance to the emergency room could know your precise health conditions and treat you accordingly when seconds count – but otherwise your privacy would be protected.
And what about an Internet so open yet so secure that you would never have to stand in line at the Department of Motor Vehicles after your initial driving test?
You all know how much more potential the Internet holds to transform our economy, the way you conduct business, and the way we all live. But, of course, that cannot happen if we don’t protect our cyber assets from those who would do us harm.
I am now drafting legislation to move us in that direction – so I’m delighted to be with you today to offer an outline of my thoughts and to hear your ideas on what such legislation should contain.
The situation we find ourselves in now was somewhat predictable. There’s a saying that: “No good deed goes unpunished” and that pretty much sums up every great communications advance of the past 170 years because every invention – from the telegraph right through to the Internet – spurred revolutions in commerce, culture and convenience, but also opened up new avenues for crime and war.
For instance, in 1844 Samuel Morse gave us the telegraph. Soon the term wire fraud found its way into the English language. President Lincoln was such a fan of the telegraph, he would wire junior officers in the field for battle updates.
But he soon found he also had to dedicate resources to keep these new lines of communication both open and secure from another new phrase that had entered the language – wire tappers, the original hackers.
In a hearing last April of the Senate Homeland Security and Governmental Affairs Committee , we examined in detail the threats to national security brought on by modern hackers, cyber criminals, terrorists and nation states.
We heard, for example, that computers containing information on the joint-strike fighter and our electrical grid have been infiltrated, potentially giving our enemies information that could make our fighters vulnerable and plunge our cities into darkness.
A recent report by the U.S.-China Economic and Security Review Commission said that China is ratcheting up its cyberspying efforts against the U.S. and its attacks are – I quote – “straining the U.S. capacity to respond.”
We also learned that some of these Internet schemes are used by terrorist groups to fund attacks, like the 2002 suicide bombings in Bali that killed more than 200 people and wounded 240.
Former CIA Director James Woolsey, has been warning us for years about the vulnerability of our computer networks to attacks not only from abroad, but tech-savvy teens. Jim calls many of our present security measures ODAV, for “Ostrich Designed, Awesomely Vulnerable.”
And if they are vulnerable to teenage hackers, Jim asks, how do we intend to keep out graduate students in China who are given better grades if they can prove they made a difficult hack into what was thought to be a secure American industrial or government computer?
Jim has especially focused on the vulnerability of our electric grid to physical and cyber attacks. A Defense Science Board Task Force found that our electric grid is seriously vulnerable to cyber attack, which could take it down for months or even years.
The task force warned such power outages have cascading and devastating repercussions because everything depends on electricity: Water treatment systems begin to fail, gas becomes scarce because the pumps won’t work, factories close and economy grinds to a halt.
I have introduced legislation, along with House Homeland Security Chairman Thompson, to improve DHS and FERC’s ability to improve security in this critical sector.
But our broader national security interests’ aside, American businesses are getting hit hard too, especially small- to medium-sized businesses that can’t afford to have large IT staffs on the job 24/7 and often have to eat their cyber theft losses.
We heard that cyber criminals operating out of Eastern Europe have stolen millions of dollars from businesses and local governments by electronically stealing passwords to corporate bank accounts and patiently siphoning off amounts less than the $10,000 that would trigger a bank report under federal anti-money laundering requirements.
Earlier this week, the FBI reported that since 2004 criminals have stolen at least $40 million using these methods and have attempted to steal another $85 million.
And these are just the incidents we know about – the vast majority of cyber attacks go unreported, and are often undetected by the victim.
These attacks on our national and economic security just can’t be allowed to continue. The bill our Committee is working on will build on the December report of the Commission on Cybersecurity for the 44th Presidency and President Obama’s own cyber security assessment, commonly known as the 60-Day Review.
In many ways, the 60-Day Review sums up our present challenges. I quote: “The federal government is not organized to address this growing [cyber security] problem effectively now or in the future.
“Responsibilities for cyber security are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way.”
I hope our legislation will contain several key components to help us start plugging these holes.
One: I believe we need to establish a cyber security coordinator within the Executive Office of the President.
This would be a Senate confirmed official, accountable to Congress who would coordinate cyber security activities across all federal agencies, provide strategic leadership, and guidance to the President and have necessary authority and resources to make change as needed.
This individual would develop a true national cyber security strategy and ensure that each agency’s operational activities are in line with that vision.
We need this kind of position in the White House specifically to ensure that the classified work conducted by Department of Defense and intelligence agencies is informing the defensive actions taken by our domestic agencies. Only the Office of the President has the authority to ensure that everyone is working off the same playbook.
Two: We need to give the Department of Homeland Security the necessary authority and personnel to monitor the federal civilian networks and defend against malicious traffic.
Currently DHS has this responsibility by executive order, but it lacks both the people and the cooperation from the other federal agencies to succeed.
Under my proposal, DHS will develop a robust operational capability to monitor and defend the federal networks and will become a source of expertise and a force multiplier for agencies with cyber security problems.
In order to make this work, the Federal Information Security Management Act (FISMA) must be reformed to hold each agency accountable for good internal security practices.
We will push agencies to move to a real-time evaluation process that is more reflective of the ever changing cyber environment. And we will empower the Chief Information Security Officers within the agencies to give them the authority and resources to do their jobs.
Three: I also want DHS to do more to help the private sector protect itself from cyber attack.
First and foremost, DHS should focus on ensuring the security of the nation’s critical infrastructure, upon which our way of life depends.
The federal government has an inherent responsibility to its citizens to protect its own networks, but also to work with the private sector and ensure a reliable supply of electricity and water and the continued, orderly functioning of financial, communication and transportation systems.
To that end, I think we should require DHS to identify the most critical cyber infrastructure and ask its operators to perform risk assessments to identify existing vulnerabilities. If problems are found, DHS will work with the companies to decide the best way to mitigate the vulnerabilities but will not mandate a one-size-fits-all strategy to bolster security.
As a part of this process, DHS will be required to develop a two-way information sharing system where the Department not only receives vulnerability and breach information from the private sector but also provides up-to-date threat information and analysis on the state of our nation’s networks.
I also believe DHS should provide guidance for small and medium sized businesses that also must protect themselves from cyber attack.
Under my plan, DHS would establish a voluntary cyber security standards program and encourage members of the private sector to implement those standards through a certification program.
The idea is for the Department to be a resource not a regulator and companies implementing strong security measures might even be awarded a seal to display on their site, much like the “Good Housekeeping” or “Energy Star” seals consumers often use when making purchasing decisions.
Four: We should require new government acquisition policy and practices to tighten the security of government systems, which in turn will drive similar security innovations for products available to the public.
The Federal government alone spends over $75 billion annually on information technology – a number that will only grow, and one that gives the government enormous market influence.
We must ensure that federal agencies address security as they procure IT products and services, instead of after-the-fact through costly patches or additional purchases. In doing so, we believe we can incentivize the industry to offer more secure products and services to all of their clients.
Five, Legislation should address challenges in hiring, retaining, and training cyber security personnel in the federal government. Agencies are competing not only with each other to hire these individuals, but also with the private sector. We must give federal agencies the necessary hiring and pay flexibilities to allow them to compete.
Additionally, we need to develop a cyber security career path in the federal government coupled with the necessary training programs to retain these experts.
These are ideas to be included in the legislation and I welcome the business community’s input before formally drafting the legislation.
Forty years ago the Internet started out as a tiny island of interconnected university computers that was just an interesting – but isolated – academic experiment.
Now it is a global asset – a new critically strategic ground that must be secured just as any military commander would seize and control the critical ground of a battlefield.
But securing cyberspace is much more complicated to do since the Internet is, by nature, a limitless place and security cannot be achieved by the government or private sector alone or even by both easily.
But I am convinced that if the federal government and the business community work together, we can make the Internet a secure and reliable communications medium that not only protects our national and economic security, but allows us to expand into new kinds of services and products that will help our economy grow and create the new wave of jobs we need.