WASHINGTON – Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn. – a leader in the drive to enact comprehensive cybersecurity legislation to protect the nation’s most critical infrastructure – called for bipartisan leadership to address the threat to the nation’s cyber networks. As prepared for delivery, the Senator’s speech to the Advanced Persistent Threats Summit presented by RSA, The Security Division of EMC, and TechAmerica, follows:
Good afternoon. I want to thank Art for that introduction and thank RSA and TechAmerica for bringing together some of our nation’s leading information- and cyber-defense specialists for this summit on “Advanced Persistent Threats” – or APTs.
Today you’ll be sharing your ideas. We in government need to hear them as we look for ways to meet these potentially devastating threats to our national and economic security.
At his confirmation hearing last month, Secretary of Defense Leon Panetta warned – and I quote – “the next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.”
Panetta’s warning should serve as a call for swift Congressional action.
Given the already broad agreement among the Congressional committees considering cyber security legislation – coupled with the recent White House cyber proposal that shares many of those ideas – there is no reason we cannot come together and get this done this year.
That we need to move with a sense of urgency should be obvious to all.
Consider just a few of the successful computer intrusions of the past several months: Sony, Citigroup, the International Monetary Fund (IMF), and the Gmail accounts of high-ranking U.S. Government officials. On Monday we learned that a Booz Allen database containing 90,000 military email addresses and passwords was compromised.
But when I think of cybersecurity and cyber vulnerabilities, I think not of email scams or stolen credit card numbers. I think about critical infrastructure.
Take Stuxnet for example, which can commandeer certain Siemens industrial control systems. This is a known danger, but in a survey by McAfee and the Center for Strategic and International Studies of 200 critical infrastructure executives in 14 countries, only 57 percent had performed special security audits. Worse yet, only 32 percent of US respondents said that they had conducted an audit. This is alarming, given that 40 percent of those that did check found Stuxnet in their systems.
There are some who believe that Stuxnet was designed to attack the Iranian nuclear facilities and is therefore relatively harmless otherwise. The McAfee/CSIS report sums up this thinking thusly: “I don’t have Siemens, I’m not nuclear – I could care less.”
But we don’t know for sure what Stuxnet’s target really was. What we do know is that Stuxnet could be adapted to take command of many industrial control systems, including electric utilities, which is where 46 percent of the infections were found. Stuxnet also provides a roadmap for others to follow in creating other kinds of worms. We have to take it more seriously.
Another cyber vulnerability that should worry all of us is the potential for state-sponsored or criminal “actors” to poison the tech supply chain – both hardware and software – with malicious code, according to an FBI intelligence bulletin released last month.
To quote from the bulletin: “The FBI assesses with high confidence that the state-sponsored and criminal threat to supply chain integrity is a high cyber threat.”
The words in these documents were chosen carefully and for a specific reason. The FBI did not say “high confidence” lightly, and we should all take note that they did.
And the bulletin documents several incidents where malware was introduced during the manufacturing process, including a spybot hidden in the flash memory of a Dell Computer server motherboard and a popular Spanish smartphone shipped with the Conficker worm and a keylogger program.
The history of the Internet shows that security has too often been a secondary consideration. It was almost a quarter of a century ago that the first virus went wild on the web – the Morris Worm – knocking offline about 10 percent of the computers then tied to the web and slowing others to a crawl. The call went out at the time for greater security. But there were only about 60,000 computers tied to the web at the time and the Morris Worm did little real damage.
And we quickly slipped back into complacency.
Now the Internet has more than two billion users – one in every three people on the planet – and is an indispensable tool of modern life. We use it for communication, to conduct business, and for industrial and military design and planning work.
It follows that it has become an irresistible target for cyber-thieves, spies and terrorists.
As Willie Sutton would have said: “That’s where the money is.” Or as Mata Hari might have said: “That’s where the secrets are.”
Senators Susan Collins, Tom Carper, and I have proposed legislation that would help strengthen our digital infrastructure against many of these kinds of exploits by creating a new “gold standard” in cyber defenses – from the most sensitive of networks right down to the personal computer.
We would start by giving the Department of Homeland Security (DHS) statutory authority to work with industry to identify and evaluate the risks to the country’s most critical cyber-infrastructure. Once those risks have been identified, owners and operators would select security measures to safeguard their systems. These plans would be reviewed by DHS cyber-experts to ensure they improve security. Our legislation would also provide liability protection for owners and operators who are in compliance with their approved security plans.
This framework would also push the development of cybersecurity “best practices” that would then be available as a model for the private sector. While such use would be voluntary, the development of better security techniques and the creation of industry-wide standards of care would lead commercial networks to install them as a way to keep customers and draw in new ones.
Imagine the bank that has to explain to its customers – or to a court of law – that customer account information was stolen because it did not implement readily available security measures.
Some technology companies ship products with inadequate regard for security, figuring flaws can be plugged later. Our bill would encourage the federal government to do business only with companies that bake in security from the outset and avoid those that try to bolt it on later.
The federal government’s purchasing power would help prod the market to produce more secure products, which would also be available to non-government consumers.
On “supply chain poisoning,” our bill mandates no specific solutions but, instead, calls for the government and the private sector to work together to assess the risks and develop a strategy to mitigate them.
I know this proposal has been controversial to some because there is a fear that companies may lose some flexibility. But the “status quo” is – literally – not an option.
As we speak, the Federal Acquisition Regulation Council is considering how to amend the Federal Acquisition Regulation to address supply chain risk in federal purchases.
By mandating that industry be involved in identifying risks and developing a strategy before regulatory changes are made, our proposal would give the private sector more input into this process than it has today.
Our bill would also give DHS the statutory responsibility to ensure that the federal government is sharing threat, vulnerability and mitigation information with the private sector.
None of this is etched in stone. We are still reaching out to the technology and business communities for input that will improve the bill, and I look forward to hearing your thoughts this afternoon.
But, quite candidly, the major challenge to getting a bill passed this year may have less to do with the merits of the final legislation than with the present hyper-partisan environment in the Congress, which is making it more difficult to get anything done.
We need Congressional leaders on both sides of the aisle to join together to confront this threat as we always have in the past when our national security was endangered.
I’m reminded of a famous example of this in 1945, when a Republican Senator from Michigan, Arthur Vandenberg, went to the Senate floor and in what is now called “the speech heard round the world” abandoned his isolationist principles and gave his support to the internationalist foreign policies of President Roosevelt – and later President Truman.
Vandenberg helped pave the way for not only bipartisan solutions, but global solutions – and solutions that spanned generations – to the threats and challenges we faced in the post-World War II world. I would like to quote from one of his papers, and where you hear the phrase “foreign policy,” think “cybersecurity.”
“To me ‘bipartisan foreign policy’ means a mutual effort, under our indispensable two-Party system, to unite our official voice at the water’s edge so that America speaks with maximum authority against those who would divide and conquer us and the free world.
“It does not involve the remotest surrender of free debate in determining our position. On the contrary, frank cooperation and free debate are indispensable to ultimate unity.
“In a word, it simply seeks national security ahead of partisan advantage.”
Vandenberg never could have foreseen this new age. When he died in 1951, the first commercial computer, UNIVAC, had just been introduced. But his call for unity across party lines and national boundaries in the face of this new global challenge still rings true.
Our nation’s defense secrets, our financial security and our critical infrastructure are imperiled by attacks launched by keystrokes on computers far away – and by enemies difficult to trace.
There is no such thing as 100 percent security, on- or offline, but we must strive to strengthen our defenses against those who are hard at work trying to exploit any weakness they can find.
There are some in Congress who resist taking action on cyber threats this year, but we must put partisan politics aside, given the real and ominous danger of a massive cyber attack.
The alternative could be a digital Pearl Harbor – and another day of infamy.