b"<html>\n<title> - SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012</title>\n<body><pre>[Senate Hearing 112-524]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n                                                        S. Hrg. 112-524\n\n        SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n\n                             SECOND SESSION\n\n                               __________\n\n                           FEBRUARY 16, 2012\n\n                               __________\n\n         Available via the World Wide Web: http://www.fdsys.gov\n\n                       Printed for the use of the\n        Committee on Homeland Security and Governmental Affairs\n\n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n\n73-673 PDF                WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine\nDANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma\nTHOMAS R. CARPER, Delaware           SCOTT P. BROWN, Massachusetts\nMARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona\nMARY L. 
LANDRIEU, Louisiana          RON JOHNSON, Wisconsin\nCLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio\nJON TESTER, Montana                  RAND PAUL, Kentucky\nMARK BEGICH, Alaska                  JERRY MORAN, Kansas\n\n                  Michael L. Alexander, Staff Director\n     Mary Beth Schultz, Associate Staff Director and Chief Counsel\n            for Homeland Security Preparedness and Response\n                   Jeffrey E. Greene, Senior Counsel\n                       Jeffrey D. Ratner, Counsel\n              Matthew R. Grote, Professional Staff Member\n               Nicholas A. Rossi, Minority Staff Director\n   Brendan P. Shields, Minority Director of Homeland Security Policy\n             Denise F. Zheng, Minority Professional Member\n                  Trina Driessnack Tyrer, Chief Clerk\n                 Patricia R. Hogan, Publications Clerk\n                    Laura W. Kilbride, Hearing Clerk\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Lieberman............................................     1\n    Senator Collins..............................................     4\n    Senator McCain...............................................    19\n    Senator Moran................................................    22\n    Senator Pryor................................................    24\n    Senator Carper...............................................    26\n    Senator Levin................................................    28\n    Senator Johnson..............................................    30\n    Senator Akaka................................................    45\nPrepared statements:\n    Senator Lieberman............................................    49\n    Senator Collins..............................................    
52\n    Senator Akaka................................................    54\n    Senator Carper...............................................    55\n    Senator McCain with an attached letter.......................    57\n\n                               WITNESSES\n                      Thursday, February 16, 2012\n\nHon. John D. Rockefeller IV, a U.S. Senator from the State of \n  West Virginia..................................................     6\nHon. Dianne Feinstein, a U.S. Senator from the State of \n  California.....................................................     9\nHon. Janet A. Napolitano, Secretary, U.S. Department of Homeland \n  Security.......................................................    12\nHon. Thomas J. Ridge, Chairman, National Security Task Force, \n  U.S. Chamber of Commerce.......................................    33\nHon. Stewart A. Baker, Partner, Steptoe and Johnson LLP..........    38\nJames A. Lewis, Ph.D., Director and Senior Fellow, Technology and \n  Public Policy Program, Center for Strategic and International \n  Studies........................................................    40\nScott Charney, Corporate Vice President, Trustworthy Computing \n  Group, Microsoft Corporation...................................    41\n\n                     Alphabetical List of Witnesses\n\nBaker, Hon. Stewart A.:\n    Testimony....................................................    38\n    Prepared statement with an attachment........................    83\nCharney, Scott:\n    Testimony....................................................    41\n    Prepared statement...........................................    99\nFeinstein, Hon. Dianne:\n    Testimony....................................................     9\n    Prepared statement...........................................    67\nLewis, Ph.D., James A.:\n    Testimony....................................................    
40\n    Prepared statement...........................................    92\nNapolitano, Hon. Janet A.:\n    Testimony....................................................    12\n    Prepared statement...........................................    71\nRidge, Hon. Thomas J.:\n    Testimony....................................................    33\n    Prepared statement...........................................    78\nRockefeller IV, Hon. John D.:\n    Testimony....................................................     6\n    Prepared statement...........................................    63\n\n                                APPENDIX\n\nHon. Michael Chertoff, Co-Founder and Managing Principal of the \n  Chertoff Group; Former Secretary of the U.S. Department of \n  Homeland Security, prepared statement..........................   108\nResponses to post-hearing questions for the Record from:\n    Secretary Napolitano with attachments........................   113\n    Mr. Ridge....................................................   274\n    Mr. Baker....................................................   276\n    Mr. Lewis....................................................   278\n    Mr. Charney..................................................   280\n\n \n        SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012\n\n                              ----------                              \n\n\n                      THURSDAY, FEBRUARY 16, 2012\n\n                                     U.S. Senate,  \n                       Committee on Homeland Security and  \n                                      Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 2:32 p.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
\nLieberman, Chairman of the Committee, presiding.\n    Present: Senators Lieberman, Levin, Akaka, Carper, Pryor, \nLandrieu, Collins, Brown, McCain, Johnson, and Moran.\n\n            OPENING STATEMENT OF CHAIRMAN LIEBERMAN\n\n    Chairman Lieberman. The hearing will come to order. Senator \nCollins is on her way. I just saw Senator McCain and Governor \nJanet Napolitano together, and it seems to me, with the two of \nyou here, I cannot hesitate to offer my congratulations on the \ncentennial celebration of the great State of Arizona. Hear, \nhear.\n    Senator McCain. I was there at the time. [Laughter.]\n    Chairman Lieberman. You look very well for your age.\n    This is, in fact, the 10th hearing our Committee has held \non cybersecurity, and I hope it is the last before the \ncomprehensive cybersecurity bill before us today is enacted \ninto law.\n    The fact is that time is not on our side.\n    To me it feels like September 10, 2001, and the question is \nwhether we will act to prevent a cyber 9/11 before it happens \ninstead of reacting after it happens.\n    The reason for this legislation is based on fact. 
Every \nday, rival nations, terrorist groups, criminal syndicates, and \nindividual hackers probe the weaknesses in our most critical \ncomputer networks, seeking to steal government and industrial \nsecrets or to plant cyber agents in the cyber systems that \ncontrol our most critical infrastructure and would enable an \nenemy, for example, to seize control of a city's electric grid, \nwater supply system, our Nation's financial system, or mass \ntransit networks with the touch of a key from a world away.\n    The current ongoing and growing cyber threat not only \nthreatens our security here at home, but it is right now having \na very damaging impact on our economic prosperity because \nextremely valuable intellectual property is being stolen \nregularly through cyber exploitation by individuals, groups, \nand countries abroad and is then being replicated without the \ninitial cost of research done by American companies, meaning \nthat jobs are being created abroad that would otherwise be \ncreated here.\n    So when we talk about cybersecurity, there is a natural way \nin which people focus on the very real danger that an enemy \nwill attack us through cyberspace, but as we think about how to \ngrow our economy again and create jobs again, I have come to \nthe conclusion this is actually one of the most important \nthings we can do to protect the treasures of America's \nintellectual innovation from being stolen by competitors \nabroad.\n    Last year, a very distinguished group of security experts, \nled by former Department of Homeland Security (DHS) Secretary \nMichael Chertoff and former Defense Secretary William Perry, \ngoing across both parties, issued a stark warning:\n    ``The constant assault of cyber assaults has inflicted \nsevere damage to our national and economic security, as well as \nto the property of individual citizens. The threat is only \ngoing to get worse. 
Inaction is not an acceptable action.'' I \nagree.\n    The bill before us today is the product of hard work across \nboth party lines and Committee jurisdictional lines. I \nparticularly want to thank my colleagues Senator Collins and \nCommerce Chairman Jay Rockefeller and Intelligence Committee \nChairman Dianne Feinstein for all their hard and cooperative \nwork in getting us to this point. We are going to be privileged \nto hear from all three of them shortly.\n    I also want to thank Senator Carper, who is not here yet, \nfor his significant leadership contributions to this effort.\n    And I want to thank the witnesses who are here. We have \nchosen the witnesses deliberately because they hold differing \npoints of view on the problem and on the legislation we have \ncrafted and the challenges we face, and we look forward to \ntheir testimony.\n    So the Cybersecurity Act of 2012 does several important \nthings to beef up our defenses in the new battleground of \ncyberspace.\n    First, it ensures that the cyber systems that control our \nmost critical, privately owned and operated infrastructure are \nsecure, and that is the key here. Privately owned and operated \ncyber infrastructure can well be--probably someday will be--the \ntarget of an enemy attack. Today it is the target of economic \nexploitation, and we have to work together with the private \nsector to better secure those systems, both for their own \ndefense and for our national defense.\n    In this bill, the systems that will be asked to meet \nstandards are defined as those that, if brought down or \ncommandeered, would lead to mass casualties, evacuations of \nmajor population centers, the collapse of financial markets, or \nsignificant degradation of our national security. So this is a \ntight and high standard. 
After identifying the systems that \nmeet those standards, the Secretary of the Department of \nHomeland Security under the legislation would then work with \nthe private sector operators of the systems to develop \ncybersecurity performance requirements.\n    Owners of the privately operated cyber systems covered \nwould have the flexibility to meet the performance requirements \nwith whatever hardware or software they choose, so long as it \nachieves the required level of security. The Department of \nHomeland Security will not be picking technological winners or \nlosers, and in my opinion, there is nothing in the bill that \nwould stifle innovation. In fact, a letter from Cisco Systems \nand Oracle, two of our most prominent information technology \n(IT) companies, concludes that this legislation, ``includes a \nnumber of tools that will enhance the Nation's cybersecurity \nwithout interfering with the innovation and development \nprocesses of the American IT industry.''\n    If a company can show under our legislation to the \nDepartment of Homeland Security that it already has high \ncybersecurity standards met, then it will be exempt from \nfurther requirements under this law. Failure to meet the \nstandards will result in civil penalties that will be proposed \nby the Department during a standard rulemaking and comment \nprocess.\n    The bill also creates a streamlined and efficient cyber \norganization within DHS that will work with existing Federal \nregulators and the private sector to ensure that no rules or \nregulations are put in place that either duplicate or are in \nconflict with existing requirements.\n    The bill, importantly, also establishes mechanisms for \ninformation sharing between the private sector and the Federal \nGovernment and among the private sector operators themselves. \nThis is important because computer security experts need to be \nable to compare notes in order to protect us from this threat. 
\nBut the bill also creates security measures and oversight to \nprotect privacy and preserve civil liberties. In fact, the \nAmerican Civil Liberties Union (ACLU) has reviewed our bill and \nsays that it offers the greatest privacy protections of any \ncybersecurity legislation that has yet been proposed.\n    I am going to skip over some of the other things the bill \ndoes and just go to mention that the process by which we \nreached this legislative proposal was very inclusive. We not \nonly worked across Committee lines, but reached out to people \nin business, academics, civil liberties and privacy and \nsecurity experts for advice on many of the difficult issues \nthat any meaningful piece of cybersecurity legislation would \nneed to address. I can tell you that literally hundreds of \nchanges have been made to this bill as a result of their input, \nand we think finally we have struck the right balance.\n    I do want to describe briefly or mention some things that \nare not in this bill. First and foremost, this bill does not \ncontain a so-called kill switch that would allow the President \nto seize or control part of or all of the Internet in a \nnational crisis. It is not there.\n    Senator Collins. It never was.\n    Chairman Lieberman. It never was. Thank you, Senator \nCollins. But we put an exclamation point by dropping a section, \nfrankly, that people thought included a kill switch. 
It just \nwas not worth it because of the urgent need for this bill.\n    There is also nothing in this bill that touches on the \nbalance between intellectual property and free speech that so \naroused public opinion over the proposed Stop Online Privacy \nAct (SOPA) and the Protect IP Act (PIPA) and has left many \nMembers of Congress with scars or at least a kind of post-\ntraumatic stress syndrome since that happened.\n    So, in fact, this is not the ultimate verification of my \nassertion that there is nothing here anywhere like what \nconcerned people in SOPA or PIPA, but I note with gratitude \nthat one of our witnesses, Stewart Baker, was a leading \nopponent of SOPA but is testifying today in favor of our bill.\n    After the Cybersecurity Act of 2012 becomes law, the \naverage Internet user will go about using the Internet just as \nthey do today. But hopefully as a result of the law and \noutreach pursuant to it, they will be far better equipped to \nprotect their own privacy and resources from cyber attack.\n    The bottom line, a lot of people have worked very hard to \ncome so far and in a very bipartisan way to face a real and \npresent danger to our country that we simply cannot allow this \nmoment to slip away from us. I feel very strongly that we need \nto act now to defend America's cyberspace as a matter of \nnational and economic security.\n    Senator Collins.\n\n              OPENING STATEMENT OF SENATOR COLLINS\n\n    Senator Collins. Thank you, Mr. Chairman.\n    Mr. Chairman, let me first applaud you for your leadership \nin this very important issue, as well as the leadership of our \ntwo lead-off witnesses, Senator Rockefeller and Senator \nFeinstein, who contributed so much to this issue and this bill. 
\nAnd I personally thank you for holding this important hearing \ntoday.\n    After the 9/11 attacks, we learned of many early warnings \nthat went unheeded, including a Federal Bureau of Investigation \n(FBI) agent, who warned that one day people would die because \nof the ``wall'' that kept law enforcement and intelligence \nagencies apart. When a major cyber attack occurs, the ignored \nwarnings will be even more glaring because our Nation's \nvulnerability has already been demonstrated by the daily \nattempts by nation states, terrorists groups, cyber criminals, \nand hackers to penetrate our systems.\n    The warnings of our vulnerability to a major cyber attack \ncome from all directions and countless experts, and they are \nunderscored by the intrusions that have already occurred. \nEarlier this month, the FBI Director warned that the cyber \nthreat will soon equal or surpass the threat from terrorism. He \nargued that we should be addressing the cyber threat with the \nsame intensity that we have applied to the terrorist threat.\n    Director of National Intelligence (DNI) James Clapper made \nthe point even more strongly, describing the cyber threat as a \n``profound threat to this country, to its future, its economy, \nits very well-being.''\n    In November, the Director of the Defense Advanced Research \nProjects Agency (DARPA) warned that malicious cyber attacks \nthreaten a growing number of the systems with which we interact \nevery day--the electric grid, water treatment plants, and key \nfinancial systems.\n    Similarly, General Keith Alexander, the Commander of U.S. 
\nCyber Command and the Director of the National Security Agency \n(NSA), has warned that our cyber vulnerabilities are \nextraordinary and characterized by ``a disturbing trend, from \nexploitation to disruption to destruction.''\n    These statements are just the latest in a chorus of \nwarnings from current and former officials, and the threat, as \nthe Chairman has pointed out, is not just to our national \nsecurity but also to our economic well-being. A Norton study \nlast year calculated the cost of global cyber crime at $114 \nbillion annually. When combined with the value of time victims \nlost due to cyber crime, this figure grows to $388 billion. \nNorton described this as ``significantly more'' than the global \nblack market in marijuana, cocaine, and heroin combined.\n    In an op-ed last month entitled, ``China's Cyber Thievery \nIs National Policy--And Must Be Challenged,'' former DNI Mitch \nMcConnell, former Homeland Security Secretary Michael Chertoff, \nand former Deputy Secretary of Defense William Lynn noted the \nability of cyber terrorists to ``cripple'' our critical \ninfrastructure. They sounded an even more urgent alarm about \nthe threat of economic cyber espionage.\n    Citing an October 2011 report by the Office of the National \nCounterintelligence Executive, these experts warned of the \ncatastrophic impact that cyber espionage--particularly that \npursued by China--could have on our economy and \ncompetitiveness. They estimated that the cost ``easily means \nbillions of dollars and millions of jobs.''\n    This threat is all the more menacing because it is being \npursued by a global competitor seeking to steal the research \nand development of American firms to undermine our economic \nleadership.\n    The evidence of our cybersecurity vulnerability is \noverwhelming. It compels us to act now. Some Members have \ncalled for yet more studies, even more hearings, and additional \nmarkups. In other words, more delay. 
The fact is, since 2005, \nour Committee alone has held 10 hearings on the cyber threat, \nincluding today's hearing. I know that the Commerce and the \nIntelligence Committees have held many more. In 2011, Chairman \nLieberman, Senator Carper, and I introduced our cybersecurity \nbill, which was reported out by this Committee later that same \nyear. Since last year, we have been working with Chairman \nRockefeller to merge our bill with legislation that he \nchampioned, which was reported by the Commerce Committee. \nSenator Feinstein has done ground-breaking work on information \nsharing, which she has been kind enough to share with this \nCommittee, as well.\n    After incorporating changes based on the feedback from the \nprivate sector, our colleagues, and the Administration, we have \nproduced a refined version, which is the subject of today's \nhearing. And it is significant that three Senate chairmen with \njurisdiction over cybersecurity have come together on these \nissues. And each day that we fail to act, the threat increases \nto our national and economic security.\n    Now, other colleagues of ours have urged us to focus \nnarrowly on the Federal Information Security Management Act \n(FISMA), as well as on Federal research and development (R&D) \nand improved information sharing. We do need to address these \nissues, and our bill does just that.\n    However, with 85 percent of our Nation's critical \ninfrastructure owned by the private sector, the government also \nhas a critical role to play in ensuring that the most vital \nparts of that infrastructure--those whose disruption could \nresult in truly catastrophic consequences--meet reasonable, \nrisk-based performance standards.\n    In an editorial this week, the Washington Post concurred, \nwriting that our ``critical systems have remained \nunprotected.''\n    Some of our colleagues are skeptical about the need for any \nnew regulations. 
I have opposed efforts to expand regulations \nthat would burden our economy. But regulations that are \nnecessary for our national security and that promote--rather \nthan hinder--our economic prosperity strengthen our country. \nThey are in an entirely different category.\n    The fact is the risk-based performance requirements in our \nbill are targeted carefully. They apply only to specific \nsystems and assets, not entire companies, which if damaged \ncould result reasonably in mass casualties, mass evacuations, \ncatastrophic economic damages, or a severe degradation of our \nnational security. In fact, some of the witnesses think that we \nhave gone too far in that direction.\n    Senator Lieberman has described much of what the bill \ncontains, so I will not repeat that in the interest of time. \nLet me just say that this bill is urgent. We cannot wait to \nact. We cannot wait until our country has a catastrophic cyber \nattack. And it would be irresponsible of Congress not to pass \nlegislation due to turf battles or due to claims by some \nbusinesses that we are somehow harming our economy. In fact, \nwhat we are doing is protecting our economy and our way of \nlife.\n    Thank you, Mr. Chairman.\n    Chairman Lieberman. Thank you, Senator Collins, for that \nvery strong statement. I agree with you. I would just correct \none part. You said how pleased you were that three committee \nchairs with jurisdiction have come together on the bill. Since \nI consider you the Co-Chairman of this Committee, I would say \nit was four.\n    Senator Collins. Thank you.\n    Chairman Lieberman. And I appreciate very much your \ncontribution to this effort.\n    We are really grateful to have Senator Rockefeller and \nSenator Feinstein here. Again, I cannot thank you enough for \nthe work that we have done together. 
I think it is a very \npowerful statement that we agreed on a consensus bill, and I \nhope it enables us to move it through the Senate.\n    I know the Majority Leader is really concerned about the \nthreat and is committed to giving this bill time on the floor \nas soon as possible.\n    Senator Rockefeller, we welcome your testimony now.\n\n  TESTIMONY OF HON. JOHN D. ROCKEFELLER IV,\\1\\ A U.S. SENATOR \n                FROM THE STATE OF WEST VIRGINIA\n\n    Senator Rockefeller. Thank you, Chairman Lieberman and \nSenator Collins. And you are quite right about that--I think \nSenator Harry Reid wants this on the floor as soon as possible. \nAnd, frankly, the thing that scares me more than anything is \nthe fact that we have had so many hearings, and yet that was \nnecessary to get to the agreements that we have all come to. \nAnd they are solid now, they are rock solid. But we still have \nto find the floor time for it. This is not going to be an easy \ntime to do that, so the pressure on this Congress, on both the \nHouse and the Senate, to come through on this in the face of \nall of this danger, this is huge, and not yet guaranteed.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator Rockefeller appears in the \nAppendix on page 63.\n---------------------------------------------------------------------------\n    I think our government needs a lead civilian agency to \ncoordinate our civilian cybersecurity efforts, and that agency \nshould, of course, be the Department of Homeland Security under \nthe superb leadership of Secretary Napolitano.\n    I want to emphasize that our bill represents the expertise \nand hard work, as both of you have said, of three Senate \ncommittees, and that is as it should be.\n    We have eagerly sought, as you mentioned, Senator \nLieberman--and have received--constructive criticism and input \nfrom a whole lot of places. 
I can remember giving a speech, I \nthink 2 years ago, to a business group, presenting ideas that \nOlympia Snowe and I had for this, and they were just surprised \nto hear that somebody was willing to listen to their \ncomplaints. And there were a lot of them.\n    Even when people refused to engage with us--and there have \nbeen those, even within the Senate, who refuse to have staff \ndiscussion, but that does not mean that we do not take some of \ntheir suggestions. We have done that because if they do not \nwant to engage, that is OK. If they have good suggestions, then \nput them in and make it a stronger bill.\n    Beyond this bill's principal authors--Senators Lieberman, \nCollins, Dianne Feinstein and myself--the bill reflects the \ninput, assistance, or requests of Senators on both sides of the \naisle, as it should be, which gives me hope for final passage.\n    Senator Olympia Snowe was my co-author of the bill that the \nCommerce Committee reported out last year, as you know. Senator \nCarper was a co-author of the Lieberman-Collins bill. Both have \nleft major imprints on this bill.\n    Senator Kay Bailey Hutchison and her staff worked with us \nfor a good part of the past 2 years. She is my ranking member \nand absolutely superb--I call her ``Co-Chair,'' too, \nincidentally--and we have tried hard to address all of her \nspecific concerns. And I think that we have, in fact, met most \nof her concerns.\n    We have sought to engage Senator Saxby Chambliss and before \nhim, Senator Kit Bond, in the same fashion. There was some \nreluctance at some point to discuss, or have staff discussions. \nIt did not make any difference. We were interested in what they \nhad, and if it was something good in what they had, we put it \nin the bill. We wanted it in the bill. And then it had to pass \nfuture tests as we combined all the efforts.\n    Senators Jon Kyl and Sheldon Whitehouse contributed an \nentire title regarding cybersecurity awareness. 
Senators John \nKerry, Dick Lugar, Kirsten Gillibrand, and Orrin Hatch did the \nsame on the title regarding diplomacy.\n    Because of Senator McCain's concerns, we omitted \nsignificant language pertaining to the White House Cyber \nOffice.\n    When colleagues had ongoing questions about a provision \nthat I personally believed to be extremely important, I agreed \nto drop it from the base bill. This provision that I am talking \nabout would clarify private sector companies' existing \nrequirements regarding what ``material risks'' pertaining to \ncyber have to be disclosed to investors in the Securities and \nExchange Commission (SEC) filings because, as you know, at one \npoint out of frustration I went to the SEC and Mary Schapiro \nagreed to claify that if you are hacked into as a company, it \nmust be disclosed on the Web site of that company at SEC, and \nthat has had a substantial impact, actually.\n    I believe this provision is absolutely crucial for the \nmarket to help solve our cyber vulnerabilities and will fight \nfor it as an amendment on the floor. And that is as it should \nbe. That is the way the system works. But in the interest of \nproviding more time to address colleagues' questions, I agreed \nto take it out of the bill that we introduced this week.\n    Any suggestion that this exhaustive process has been \nanything but open and transparent is patently false. This has \nbeen a really open process--and lengthy, as has been pointed \nout.\n    Why have we worked so tirelessly to include the views of \nall sides? Why have we tried so hard to get this right?\n    Because our country and our communities and our citizens \nare at grave risk. They simply are. I am not sure if they are \naware because there are so many things that are reported in a \nnews cycle that it almost diminishes the overall aggregated \nweight of the danger. So our citizens have to be aware of this. \nThis is not a Republican or Democrat issue. 
It is a life-or-\ndeath issue for the economy and for us as people.\n    I want to be clear: The cyber threat is very real fact. \nThis is not alarmism. Here is why. It is hard to talk about \nthis sometimes without seeming alarmist, and yet it simply \nreflects the truth.\n    Hackers supported by the governments of China and Russia, \nand also sophisticated criminal syndicates with potential \nconnections to terrorist groups, are now able to crack the \ncodes of our government agencies, including sensitive ones, and \nthe Fortune 500. They can do that, and they do that on a \nregular basis.\n    Senator Collins mentioned what Michael Mullen said, and she \npointed out that we are being looted of valuable possessions on \nan unfathomable scale. But that is not the end of the problem.\n    The reason that this cyber theft is a life-or-death issue \nis the same as the reason that a burglar in your house is a \nlife-or-death issue. If a criminal has broken into your home, \nhow do you know what he wants to do? Is it take your belongings \nor is it something more? You do not know. He is in the \nbuilding, in your home. That is where we are now in terms of \nour country.\n    So that is the situation we face. Cyber burglars have \nbroken in. Mike Mullen has said exactly what Senator Collins \nindicated, that the only other threat on the same level to \ncyber threat is Russia's stockpile of nuclear weapons.\n    I remember the first thing after 9/11 we had to pass, \nsadly, pathetically, was a law saying that the Central \nIntelligence Agency (CIA) and the FBI could talk to each other. \nI mean, how pathetic could that be? But that is where we were \nbecause of stovepipes and things of that sort. FBI Director \nRobert Mueller testified to Congress recently that the cyber \nthreat will soon overcome terrorism as his top national \nsecurity emphasis. 
So it is all very serious, and you cannot \nexaggerate it, and it could happen.\n    So then you think about how people could die if a cyber \nterrorist attacked our air traffic control system. And I was \ntalking with Secretary Napolitano just before this hearing. \nOften over big cities it gets very soupy. Pilots do not like to \nbe in soupy weather. They cannot see above, they cannot see \nbelow. Pilots do not like it. But they are protected because of \nthe air traffic control system. We are going to put in a more \nmodern one, but the same situation will prevail. Cyber hackers \ncan take that out of a city or a group of cities. They can take \nout that capacity so that planes are literally flying in the \ndark, and they will fly into each other and kill a lot of \npeople. And people have to understand that.\n    If rail switching networks are hacked, causing trains which \ncarry toxic materials, deadly materials through our major \ncities, to crash, there can be a massive explosion from \nthat.\n    So we are on the brink of very serious happenings. We have \nnot reached that, which is one of our problems in getting \nlegislation passed. But we can act now and try and prepare \nourselves.\n    Let me just close by saying that I was on the Intelligence \nCommittee during the time leading up to 2011, and the world was \nrife with reports of people coming in and going out of our \ncountry, dots here and there that appeared to be connected but \nwe were not quite sure. And what about this Moussaoui thing? \nAnd what about folks in that house in San Diego? And all of \nthat was up there. What about the closing down of the bin Laden \nunit or a message that never got to the bin Laden unit? I mean, \nall of that was there, and we knew all of that, and the \nnational security apparatus was working very hard on that. And \nthey took it seriously, but they did not get deep enough \nbecause it was a new phenomenon.\n    Well, here we are in a very similar situation. 
It is \nalready with us. It is much more obvious than the lead-up to \n2001 was. And so we now have to act. We do not have the luxury \nof waiting to see and develop. We have to act. At some point \nthe Congress has to assert itself. The Federal Government does \nhave roles where this is not a heavy-handed thing, as Senator \nCollins has pointed out. It is not. But the Federal Government \nis involved because it is a matter of national security. And so \nI just wait to work with everybody and anybody to get this \npassed through both Houses of the U.S. Congress.\n    Chairman Lieberman. Thanks very much, Senator Rockefeller. \nThat was great.\n    Chairman Feinstein, welcome, and thank you again. You \ncontributed immensely, particularly on the information-sharing \nsection of the bill, and you bring all the expertise and \nintelligence of the Senate Committee on Intelligence.\n\nTESTIMONY OF HON. DIANNE FEINSTEIN,\\1\\ A U.S. SENATOR FROM THE \n                      STATE OF CALIFORNIA\n\n    Senator Feinstein. Thank you very much. Thank you, Mr. \nChairman, Senator Collins, and Senator Landrieu.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator Feinstein appears in the \nAppendix on page 67.\n---------------------------------------------------------------------------\n    I look at this as quite a banner day because finally the \nSenate is coming together, and we are settling on one bill. \nThis is the bill, and if it needs improving, we will improve \nit. But we have a focus now, and with a focus we can hopefully \nmove forward.\n    To this Committee and to Senator Rockefeller's committee, I \nwant to thank you for your hard work, for the dozen hearings \nyou have held, and for all the offers for consultation that you \nhave placed out there to us.\n    Let me speak for a moment on behalf of what I do in the \nIntelligence Committee. 
We have examined cyber threats to our \nnational and economic security, and just last month, at the \nWorldwide Threats Hearing, which was an open hearing, we heard \nFBI Director Bob Mueller testify that ``the cyber threat, which \ncuts across all programs, will be the number one threat to the \ncountry.'' And already cyber threats are doing great damage to \nthe United States, and the trend is getting worse.\n    Let me give you just four examples, and what is interesting \nis many of us know about these when they happen, but they are \noften classified or kept private because the people that they \nhappen to do not want it released because their clients will \nthink badly of them. And, of course, it is not their fault, \nbut, nonetheless.\n    I think it is fair to say that the Pentagon's networks are \nbeing probed thousands of times daily, and its classified \nmilitary computer networks suffered a ``significant \ncompromise'' in 2008, and that is according to former Deputy \nDefense Secretary William Lynn.\n    In November 2009, the Department of Justice (DOJ) charged \nseven defendants from Estonia, Russia, and Moldova with hacking \ninto the Royal Bank of Scotland and stealing $9 million from \nmore than 2,100 ATMs in 280 cities worldwide in 12 hours.\n    In 2009, Federal officials indicted three men for stealing \ndata from more than 130 million credit cards by hacking into \nfive major companies' computer systems, including 7-Eleven, \nHeartland Payment Systems, and the Hannaford Brothers \nsupermarket chain.\n    Finally, an unclassified report by the intelligence \ncommunity in November 2011 said cyber intrusions against U.S. \ncompanies cost untold billions of dollars annually, and that \nreport named China and Russia as aggressive and persistent \ncyber thieves.\n    Modern warfare is already employing cyber attacks, as seen \nin Estonia and the Republic of Georgia. 
And, unfortunately, it \nmay only be a matter of time before we see cyber attacks that \ncan cause catastrophic loss of life in the United States, \nwhether by terrorists or state adversaries.\n    Our enemies are constantly on the offensive, and in the \ncyber domain, it is much harder for us to play defense than it \nis for them to attack. The hard question is: What do we do \nabout this dangerous and growing cyber threat?\n    I believe the comprehensive bill that has been introduced--\nthe Cybersecurity Act of 2012--is an essential part of the \nanswer.\n    Mr. Chairman, I would like to speak briefly on the \ncybersecurity information-sharing bill that I introduced on \nMonday and that you have included as Title VII in your \nlegislation.\n    The goal of this bill is to improve the ability of the \nprivate sector and the government to share information on cyber \nthreats that both need to improve their defenses.\n    However, a combination of existing law, the threat of \nlitigation, and standard business practices has prevented or \ndeterred private sector companies from sharing information \nabout the cyber threats they face and the losses of information \nand money they suffer. We need to change that through better \ninformation sharing, in a way that companies will use, that \nprotects privacy interests, and that takes advantage of \nclassified information without putting that information at \nrisk. So here is what we have tried to do in Title VII:\n    One, affirmatively provide private sector companies the \nauthority to monitor and protect the information on their own \ncomputer networks.\n    Two, encourage private companies to share information about \ncyber threats with each other by providing a good-faith defense \nagainst lawsuits for sharing or using that information to \nprotect themselves.\n    Three, require the Federal Government to designate a single \nfocal point for cybersecurity information sharing. 
We refer to \nthis as a ``Cybersecurity Exchange,'' to serve as a hub for \nappropriately distributing and exchanging cyber threat \ninformation between the private sector and the government. This \nis intended to reduce government bureaucracy and make the \ngovernment a more effective partner in the private sector, but \nwith protections to ensure that private information is not \nmisused. Also, this legislation provides no new authority for \ngovernment surveillance.\n    Four, we establish procedures for the government to share \nclassified cybersecurity threat information with private \ncompanies that can effectively use and protect that \ninformation. This, we believe, is a prudent way to take \nadvantage of the information that the intelligence community \nacquires, without putting our sources and methods at risk, or \nturning private cybersecurity over to our intelligence \nagencies.\n    I would like to raise just one issue of something that is \nnot yet included in this bill, and that is data breach \nnotification.\n    This is an issue I have worked on for over 8 years, since \nCalifornia had a huge data breach that we only inadvertently \nfound out about that had literally hundreds of thousands of \nvictims. It is an urgent need. I have a bill called the Data \nBreach Notification Act. It has been voted out of the Judiciary \nCommittee, and it accomplishes what in my view are the key \ngoals of any data breach notification legislation:\n    One, notice to individuals, who will be better able to \nprotect themselves from identity theft;\n    Two, notice to law enforcement, which can connect the dots \nbetween breaches and cyber attacks;\n    And, three--and this is important--preemption of the 47 \ndifferent State and territorial standards on this issue. This \nis a real problem. We have 47 different laws on this issue in \nthis country. It makes it very difficult for the private \nsector. 
Companies will not be subjected to conflicting \nregulation if there is one basic standard across the country.\n    I know that Senators Rockefeller and Pryor have a bill in \nthe Commerce Committee and that Senators Patrick Leahy and \nRichard Blumenthal have their own bills that also were reported \nout of the Judiciary Committee.\n    But the differences in our approaches are not so great that \nwe cannot work them out, and I am very prepared to sit down \nwith Members of this Committee, with Senator Rockefeller, and \nothers to find a common solution. But Mr. Chairman, I would \nreally implore you to add a data breach preemption across the \nUnited States so that there is one standard for notification to \nan individual of data breach, and communication with law \nenforcement that goes all across America. Until we have that, \nwe really will not have a sound data breach system.\n    Let me just thank you. I think we are on our way. I am \nreally so proud of both of you on this Committee for coming \ntogether, and I think it is a banner day. So thank you very \nmuch.\n    Chairman Lieberman. Thanks very much, Senator Feinstein. We \ncould not have done it without you. Thanks for your testimony, \nand I am personally very supportive of your aims with the data \nbreach proposal, and I look forward to working with you and, as \nyou say, the others who have bills to see if we cannot find a \nway to include that in this proposal when it comes to the \nfloor.\n    Senator Feinstein. Thank you very much.\n    Chairman Lieberman. Thank you very much.\n    And now, Madam Secretary, I hate to break up a conversation \nbetween the current Secretary and the first Secretary, but--we \nalmost had the trifecta of the three Secretaries of the \nDepartment of Homeland Security here today. 
Secretary Chertoff \nwanted to testify, but had a previous commitment, and has, I \nwill say, filed a statement for the record strongly in support \nof the legislation.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Secretary Chertoff appears in the \nAppendix on page 108.\n---------------------------------------------------------------------------\n    Secretary Napolitano, thanks very much for being here and \nfor all the work you and people in the Department have done to \nhelp us come to this point with this bill. We welcome your \ntestimony now.\n\n   TESTIMONY OF HON. JANET A. NAPOLITANO,\\2\\ SECRETARY, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Secretary Napolitano. Well, thank you, Chairman Lieberman, \nSenator Collins, and Members of the Committee. I am pleased to \nbe here today to discuss the issue of cybersecurity and, in \nparticular, the Department's strong support for the \nCybersecurity Act of 2012.\n---------------------------------------------------------------------------\n    \\2\\ The prepared statement of Secretary Napolitano appears in the \nAppendix on page 71.\n---------------------------------------------------------------------------\n    I appreciate this Committee's support of the Department's \ncybersecurity efforts, your sustained attention to this issue, \nand the leadership you have shown in bringing a bill forward to \nstrengthen and improve our cybersecurity authorities. I also \nappreciate and want to emphasize the urgency of the situation.\n    Indeed, the contrast between the urgent need to respond to \nthe threats we face in this area on the one hand and the \nprofessed desire for more deliberation and sensitivity to \nregulatory burdens on the other reminds me, as several of you \nhave suggested, of lessons we learned from the 9/11 attacks. 
As \nthe 9/11 Commission noted, those attacks resulted, in \nhindsight, from a failure of imagination because we failed to \nanticipate the vulnerabilities of our security infrastructure.\n    There is no failure of imagination when it comes to \ncybersecurity. We can see the vulnerabilities. We are \nexperiencing the attacks, and we know that this legislation \nwould materially improve our ability to address the threat.\n    No country, industry, community, or individual is immune to \ncyber risks. Our daily life, economic vitality, and national \nsecurity depend on cyberspace. A vast array of interdependent \nIT networks, systems, services, and resources are critical to \ncommunication, travel, powering our homes, running our economy, \nand obtaining government services.\n    Cyber incidents have increased dramatically over the last \ndecade. There have been instances of theft and compromise of \nsensitive information from both government and private sector \nnetworks, and all of this undermines confidence in these \nsystems and the integrity of the data they contain.\n    Combating evolving cyber threats is a shared responsibility \nthat requires the engagement of our entire society, from \ngovernment and law enforcement to the private sector and, most \nimportantly, with members of the public. DHS plays a key role \nin this effort, both in protecting Federal networks and working \nwith owners and operators of critical infrastructure to secure \ntheir networks through risk assessment, mitigation, and \nincident response capabilities.\n    In fiscal year 2011, our U.S. Computer Emergency Readiness \nTeam (US-CERT) teams at DHS received over 106,000 incident \nreports from Federal agencies, critical infrastructure, and our \nindustry partners. We issued over 5,200 actionable cyber alerts \nthat were used by private sector and government network \nadministrators to protect their systems. 
We conducted 78 \nassessments of control system entities and made recommendations \nto companies about how they can improve their own \ncybersecurity.\n    We distributed 1,150 copies of our cyber evaluation tool. \nWe conducted over 40 training sessions on them, all of which \nmakes owners and operators better equipped to protect their \nnetworks.\n    To protect Federal civilian agency networks, we are \ndeploying technology to detect and block intrusions of these \nnetworks in collaboration with the Department of Defense. We \nare providing guidance on what agencies need to do to protect \nthemselves and are measuring implementation of those efforts.\n    We are also responsible for coordinating the national \nresponse to significant cyber incidents and for creating and \nmaintaining a common operational picture for cyberspace across \nthe entire government.\n    With respect to critical infrastructure, we work with the \nprivate sector to help secure the key systems upon which \nAmericans, including the Federal Government, rely, such as the \nfinancial sector, the power grid, water systems, and \ntransportation networks.\n    We pay particular attention to industrial control systems \nwhich control processes at power plants and transportation \nsystems alike. Last year, we deployed seven response teams to \nsuch critical infrastructure organizations at their request in \nresponse to important cyber intrusions.\n    To combat cyber crime, we leverage the skills and resources \nof DHS components such as the Secret Service, Immigration and \nCustoms Enforcement (ICE), and Customs and Border Protection \n(CBP), and we work very closely with the FBI.\n    DHS serves as the focal point for the government's \ncybersecurity outreach and public awareness efforts. As we \nperform this work, we are mindful that one of our missions is \nto ensure that privacy, confidentiality, and civil liberties \nare not diminished by our efforts. 
The Department has \nimplemented strong privacy and civil rights and civil liberties \nstandards into all its cybersecurity programs and initiatives \nfrom the outset, and we are pleased to see these in the draft \nbill.\n    Now, Administration and private sector reports going back \ndecades have laid out cybersecurity strategies and highlighted \nthe need for legal authorities. In addition to other statutes, \nthe Homeland Security Act of 2002 specifically directed DHS to \nenhance the security of non-Federal networks by providing \nanalysis and warnings, crisis management support, and technical \nassistance to State and local governments, and the private \nsector. Policy initiatives have had to supplement the existing \nstatutes. These initiatives strike a common chord. Indeed, this \nAdministration's Cyberspace Policy Review in 2009 echoed in \nlarge part a similar review by the Bush Administration, and we \nhave had numerous contributions by private sector groups, \nincluding the Center for Strategic and International Studies \n(CSIS) study led by James Lewis, one of your witnesses today.\n    Still, DHS executes its portion of the Federal \ncybersecurity mission under an amalgam of authorities that have \nfailed to keep up with the responsibilities with which we are \ncharged.\n    To be sure, we have taken significant steps to protect \nagainst evolving cyber threats, but we must recognize that the \ncurrent threat outpaces our existing authorities. Our Nation \ncannot improve its ability to defend against cyber threats \nunless certain laws that govern cybersecurity activities are \nupdated.\n    We have had many interactions with this Committee and with \nthe Congress to provide our perspective on cybersecurity. \nIndeed, in the last 2 years, Department representatives have \ntestified in 16 Committee hearings and provided 161 staff \nbriefings. We have had much bipartisan agreement. 
In \nparticular, many would agree with the House Republican Cyber \nTask Force, which stated that, ``Congress should consider \ncarefully targeted directives for limited regulation of \nparticular critical infrastructures to advance the protection \nof cybersecurity.''\n    The recently introduced legislation contains great \ncommonality with the Administration's ideas and proposals, \nincluding two crucial concepts that are central to our efforts: \nFirst, addressing the urgent need to bring core critical \ninfrastructure to a baseline level of security; and, second, \nfostering information sharing, which is absolutely key to our \nsecurity efforts.\n    All sides agree that Federal and private networks must be \nbetter protected and that information should be shared more \neasily, yet still more securely. And both our proposal and the \nSenate legislation would provide DHS with clear statutory \nauthority commensurate with our cybersecurity responsibilities \nand remove legal barriers to the sharing of information.\n    S. 2105 would expedite the adoption of the best \ncybersecurity solutions by the owners and operators of critical \ninfrastructure and give businesses, States, and local \ngovernments the immunity they need to share information about \ncyber threats or incidents. There is broad support as well for \nincreasing the penalties for cyber crimes and for creating a \nuniform data breach reporting regime to protect consumers. 
This \nproposal would make it easier to prosecute cyber criminals and \nestablish national standards, requiring businesses and core \ninfrastructure that have suffered an intrusion to notify those \nof us who have the responsibility for mitigating and helping \nthem mitigate it.\n    I hope that the current legislative debate maintains the \nbipartisan tenor it has benefited from so far and builds from \nthe consensus that spans two Administrations and the \nCommittee's efforts of the last several years.\n    Let me close by saying that now is not the time for half \nmeasures. As the Administration has stressed repeatedly, \naddressing only a portion of the needs of our cybersecurity \nprofessionals will continue to expose our country to serious \nrisk.\n    For example, only providing incentives for the private \nsector to share more information will not in and of itself \nadequately address critical infrastructure vulnerabilities. And \nlet us not forget that innumerable small businesses rely on \nthis critical infrastructure for their own survival.\n    As the President noted in the State of the Union address, \n``The American people expect us to secure the country from the \ngrowing danger of cyber threats and to ensure the Nation's \ncritical infrastructure is protected.'' And as the Secretary of \nHomeland Security, I strongly support the proposed legislation \nbecause it addresses the need, the urgency, and the methodology \nfor protecting our Nation's critical infrastructure. I can \nthink of no more pressing legislative proposal in the current \nenvironment.\n    I want to thank you again for the important work you have \ndone, and I look forward to answering the Committee's \nquestions.\n    Chairman Lieberman. 
Thanks very much, Madam Secretary.\n    We will do 6-minute rounds of questions because we have a \nlarge number on the following panel, and I know some people \nhave to leave.\n    Madam Secretary, let me get right to one of the issues that \nhas been somewhat in contention, which is that there are some \npeople who have said that the expanded authority here, \nparticularly that related to cyber infrastructure owned and \noperated by the private sector, would better be handled by the \nDepartment of Defense (DOD) or the intelligence community. In \nother words, they should take the lead in protecting Federal \ncivilian networks.\n    I wonder if you would respond as to why you think the \nDepartment of Homeland Security, as obviously we do, is better \nprepared to take on this critical responsibility.\n    Secretary Napolitano. Well, several points. First, the \nDepartment of Homeland Security, as I stated, already is \nexercising authorities in the civilian area, working with the \nprivate sector, working with Federal civilian agencies. So that \nis a space we are already filling and continue to grow our \ncapacity to fill.\n    Second, military and civilian authorities and missions are \ndifferent, and there are significant differences, for example, \nin the privacy protections that we employ within the exercise \nof civil jurisdiction.\n    And then, finally, I would note that both DOD and DHS use \nthe technological expertise of the NSA. We are not proposing \nand have never proposed that two NSAs be created; rather, that \nthere be two different lines of authority that emanate using \nthe NSA, one, of course, for civilian, and one for military.\n    Chairman Lieberman. That is a very important factor. I want \nto come back to that in a minute. 
But one of the opinions \nexpressed to the Committee as we faced the challenge and \ndecided which part of our government should be responsible for \nresponding was that there would probably be very deep and \nwidespread concern among the public if we, for instance, asked \nthe National Security Agency or the Department of Defense to be \ndirectly in charge of working with the privately owned and \noperated cyber infrastructure. Particularly for NSA, there \nwould be a concern about privacy and civil liberties concerns. \nDoes that make sense to you?\n    Secretary Napolitano. I have heard the same concerns. They \ndo make sense. And, indeed, when Secretary Robert Gates and I, \nby a Memorandum of Understanding, figured out the division of \nresponsibilities and how we were each going to use the NSA, one \nof the things we were careful to elevate was a discussion of \nthe protections of privacy and civil liberties, and make sure \nthat, to the extent we have people over at the NSA, they are \naccompanied by people from our Office of Privacy, our Office of \nGeneral Counsel, to make sure those protections are abided by.\n    Chairman Lieberman. Right. I am glad you mentioned that \nMemorandum of Understanding between the Department of Homeland \nSecurity and DOD because I want to make this point--\nincidentally, Senator McCain and I codified that in law, that \nMemorandum of Understanding, in the National Defense \nAuthorization Act that was passed at the end of last year. But \nthat memorandum, if I can put it this way, does not preempt the \nneed for this legislation. In other words, that memorandum does \nnot allocate responsibility with regard to working with the \nprivate sector, having the authority to require the private \nsector to take steps to defend themselves and our country from \ncyber attack. Is that right?\n    Secretary Napolitano. That is right, Mr. Chairman. 
It is a \nmemorandum that describes the division of how we would each use \nthe resources of the NSA, but it does not deal with the \nprotection of core critical infrastructure the way the bill \ndoes. It does not deal with the private sector at all the way \nthe bill does. It does not deal with information exchange the \nway the bill does. So it really was designed to make sure that \nat least with respect to how we each use the NSA, we had some \nmeeting of the minds.\n    Chairman Lieberman. So there is nothing in your opinion \ninconsistent between the Memorandum of Understanding between \nDHS and NSA and the Cybersecurity Act of 2012?\n    Secretary Napolitano. Oh, not at all.\n    Chairman Lieberman. I am pleased to note for the record \nthat in testimony earlier this week, Secretary of Defense Leon \nPanetta and the Chairman of the Joint Chiefs of Staff General \nMartin Dempsey both endorsed this legislation, and then this \nmorning, before the Armed Services Committee, the Director of \nNational Intelligence Clapper and General Ronald Burgess, the \nhead of the Defense Intelligence Agency, also endorsed the \nlegislation. Both of those expressions of support were \nunexpected by Senator Collins and me and, therefore, all the \nmore appreciated.\n    DHS's Industrial Control Systems Cyber Emergency Response \nTeam (ICS-CERT) has played a critical role in providing support \nto the owners and operators of critical infrastructure. Can you \ndescribe some of their capabilities and the work that they have \ndone to assist private entities?\n    Secretary Napolitano. 
Well, what they have done is to help \nisolate and identify--when they have been notified of attacks \non industrial control systems, to help identify the source of \nthe attack, the methodology with which it was conducted, to \nwork with the infiltrated entity to prepare a patch, and then \nto make appropriate disclosures or sharing of information to \nother control systems that could be subject to a similar attack, \neither in that particular industry or in other industries.\n    Chairman Lieberman. So on a voluntary basis, if I can put \nit this way, DHS has developed the capability and relationships \nat working with the private sector that will be strengthened by \nthis legislation?\n    Secretary Napolitano. Yes. Since the passage of the \nNational Information Infrastructure Protection Act (NIIPA) in \n2006, we have been working with critical infrastructure through \ntheir Sector Coordinating Councils. There are a lot of names, \nbut what it basically means is we have a process in place for \ndealing with the private sector and for exchanging some \ninformation on a voluntary basis. But that does not mean we get \nall of the necessary information we get from core critical \ninfrastructure. That is one of the problems the bill addresses.\n    Chairman Lieberman. Thanks very much. My time is up. \nSenator Collins.\n    Senator Collins. Thank you, Mr. Chairman.\n    Madam Secretary, to follow up on a question that the \nChairman asked you, it is my understanding that DHS has unique \nexpertise in the area of industrial control systems that is not \nreplicated at any other government agency. Is that correct?\n    Secretary Napolitano. Yes.\n    Senator Collins. And that is important because industrial \ncontrol systems are a key part of critical infrastructure, like \nthe electric grid and water treatment plants. Is that also \ncorrect?\n    Secretary Napolitano. 
Yes, and when you think about it, if \nyou have the ability to interrupt the control system, you can \ntake down an entire protective network. You can interfere with \nall of the activities there. And the attacks on control systems \nare growing more and more sophisticated all of the time.\n    Senator Collins. And could you tell us about work that is \nbeing done by DHS with your ICS-CERT Team and a National Lab \nwith respect to the U.S. electric grid?\n    Secretary Napolitano. Yes, we are working in both of those \ncapacities with the National Labs, with the grids, in terms not \nonly of mitigating attacks that have occurred, but also \npreventive measures that they can employ.\n    Senator Collins. So you are doing training as well and \nhelping the critical infrastructure owners and operators \nidentify vulnerabilities?\n    Secretary Napolitano. That is correct.\n    Senator Collins. It is my understanding that in January the \nAdministration transferred the Defense Department's Defense \nIndustrial Base (DIB) cyber pilot program from DOD to DHS.\n    Secretary Napolitano. That is right, the DIB pilot.\n    Senator Collins. The DIB pilot program, as I understand it, \nshared classified cyber threat indicators with defense \ncontractors in an effort to better defend systems that \ncontained information critical to the Department's programs and \noperations. I understand that DHS is now the lead for \ncoordinating this program with the private sector and that it \nis being expanded to other critical infrastructure sectors.\n    Could you tell the Committee why the Administration decided \nto transfer this pilot program from DOD to the Department of \nHomeland Security?\n    Secretary Napolitano. Well, the DIB pilot really gets to \nthe division of responsibility between military and civilian, \nand what we are talking about here are private companies that \ndo important defense contracting work, but they are in essence \nprivate companies. 
And so the authorities and the laws that we \nuse are better situated in DHS, which deals in this context as \nopposed to DOD. So we have been working with DOD from the \noutset on the design of the DIB pilot, have been working with \nthem on the initial aspects of it, and now as the decision was \nmade to extend it and to grow it, the decision was also made \nthat it is more appropriately located within the DHS.\n    Senator Collins. The bill provides the authority to DHS to \nset risk-based performance standards for critical \ninfrastructure. Do you believe that we can achieve great \nprogress in improving our cybersecurity in this country absent \nthat authority?\n    Secretary Napolitano. I think it makes it tougher. We have, \nas I said in my testimony, the basic authority under the \nHomeland Security Act. We have authorities by various \nPresidential directives. But nowhere do we have explicit \nauthority to establish on a risk-based level, on a risk-based \nbasis, the protection necessary for critical infrastructure.\n    Senator Collins. Finally, I think that a lot of people are \nunfamiliar with a lot of the work that the Department has \nalready done in the area of cybersecurity, including the fact \nthat there is a 24-hour, 7-day-a-week National Cybersecurity \nand Communications Integration Center (NCCIC).\n    Secretary Napolitano. The NCCIC, yes.\n    Senator Collins. Could you explain to the Committee and \nthose watching this hearing how this center operates and what \nit does with respect to the private sector?\n    Secretary Napolitano. You know, the NCCIC is really an \nintegrated, 24/7 watch center for cyber, and it includes on its \nfloor not only DHS employees but representatives from other \nFederal agencies, from critical infrastructure sectors that \ncoordinate with us through the National Infrastructure \nProtection Plan (NIPP)--lots of acronyms in the cyber world and \nthe government world. 
And then, finally, it also has \nrepresentatives from State and local governments as well \nbecause a lot of the information sharing is applicable to them.\n    Senator Collins. Thank you. Thank you, Mr. Chairman.\n    Chairman Lieberman. Thanks very much, Senator Collins. \nSenator McCain.\n\n              OPENING STATEMENT OF SENATOR MCCAIN\n\n    Senator McCain. Mr. Chairman and Senator Collins, thank you \nfor holding this hearing on the long-awaited Cybersecurity Act \nof 2012. Obviously, I welcome all of our witnesses, including \nSecretary Napolitano and my old friend Governor Ridge, who will \nhave some different aspects and views on this bill, including \nin his testimony.\n    I would like to state from the outset my fondness and \nrespect for the Chairman and Senator Collins, especially when \nit comes to matters of national security, so the criticisms I \nmay have with the legislation should not be interpreted as \ncriticism of them but, rather on the process by which the bill \nis being debated and its policy implications.\n    All of us recognize the importance of cybersecurity in the \ndigital world. Time and again, we have heard from experts about \nthe importance of possessing the ability to effectively prevent \nand respond to cyber threats. We have listened to accounts of \ncyber espionage originating in countries like China; organized \ncyber criminals in Russia; and rogue outfits with a domestic \npresence like ``Anonymous,'' who unleash cyber attacks on those \nwho dare to politically disagree. Our own Government \nAccountability Office (GAO) has reported that over the last 5 \nyears, cyber attacks against the United States are up 650 \npercent. So all of us agree that the threat is real.\n    It is my opinion that Congress should be able to address \nthis issue with legislation a clear majority of us can support. 
\nHowever, we should begin with a transparent process which \nallows lawmakers and the American public to let their views be \nknown. Unfortunately, the bill introduced by the Chairman and \nSenator Collins has already been placed on the calendar by the \nMajority Leader, without a single markup or any executive \nbusiness meeting by any committee of relevant jurisdiction. My \nfriends, that is wrong.\n    To suggest that this bill should move directly to the \nSenate floor because it has ``been around'' since 2009 is \noutrageous. First, the bill was introduced 2 days ago. Second, \nwhere do Senate Rules state that a bill's progress in a \nprevious Congress can supplant the necessary work on that bill \nin the present one?\n    Additionally, in 2009, we were in the 111th Congress with a \ndifferent set of Senators. For example, the Minority of this \nCommittee has four Senators on it presently who were not even \nin the Senate, much less on this Committee, in 2009. How can we \nseriously call it a product of this Committee without their \nparticipation in Committee executive business?\n    Respectfully, to treat the last Congress as a legislative \nmulligan by bypassing the Committee process and bringing the \nlegislation directly to the floor is not the appropriate way to \nbegin consideration of an issue as complicated as \ncybersecurity.\n    In addition to these valid process concerns, I also have \npolicy issues with the bill.\n    A few months ago, as Senator Lieberman mentioned, he and I \nintroduced an amendment to the defense authorization bill \ncodifying an existing cybersecurity Memorandum of Agreement \n(MOA) between the Department of Defense and the Department of \nHomeland Security. The purpose of that amendment was to ensure \nthat this relationship endures and to highlight that the best \ngovernment-wide cybersecurity approach is one where DHS \nleverages not duplicates DOD efforts and expertise. 
This \nlegislation, unfortunately, backtracks on the principles of the \nMOA by expanding the size, scope, and reach of DHS and neglects \nto afford the authorities necessary to protect the homeland to \nthe only institutions currently capable of doing so, U.S. \nCybercommand and the National Security Agency.\n    At a recent FBI-sponsored symposium at Fordham University, \nGeneral Alexander, the Commander of U.S. Cybercommand and the \nDirector of the NSA, stated that if a significant cyber attack \nagainst this country were to take place, there may not be much \nthat he and his teams at either Cybercommand or NSA can legally \ndo to stop it in advance. According to General Alexander, ``in \norder to stop a cyber attack, you have to see it in real time, \nand you have to have those authorities. Those are the \nconditions we have put on the table. Now how and what the \nCongress chooses, that will be a policy decision.''\n    This legislation does nothing to address this significant \nconcern, and I question why we have yet to have a serious \ndiscussion about who is best suited, which agency--who is best \nsuited to protect our country from this threat we all agree is \nvery real and growing.\n    Additionally, if the legislation before us today were \nenacted into law, unelected bureaucrats at the DHS could \npromulgate prescriptive regulations on American businesses--\nwhich own roughly 90 percent of critical cyber infrastructure. \nThe regulations that would be created under this new authority \nwould stymie job creation, blur the definition of private \nproperty rights, and divert resources from actual cybersecurity \nto compliance with government mandates. A super-regulator, like \nDHS under this bill, would impact free market forces which \ncurrently allow our brightest minds to develop the most \neffective network security solutions.\n    I am also concerned about the cost of this bill to the \nAmerican taxpayer. 
The bill before us fails to include any \nauthorizations or attempt to pay for the real costs associated \nwith the creation of the new regulatory leviathan at DHS. This \nattempt to hide the cost is eclipsed by the reality that the \nassessment of critical infrastructure, the promulgation of \nregulations, and their enforcement will take a small army.\n    Finally, I would like to find out over the next few days \nwhat specific factors went into providing regulatory carve-outs \nfor the IT hardware and software manufacturers? My suspicion is \nthat this had more to do with garnering political support and \nlegislative bullying than sound policy considerations. However, \nI think the fact that such carve-outs are included only lends \ncredence to the notion that we should not be taking the \nregulatory approach in the first place.\n    Because of provisions like these and the threat of a \nhurried process, a total of seven of us--ranking minority \nmembers on seven committees--are left with no choice but to \nintroduce an alternative cybersecurity bill in the coming days. \nThe fundamental difference in our alternative approach is that \nwe aim to enter into a cooperative relationship with the entire \nprivate sector through information sharing rather than an \nadversarial one with prescriptive regulations. Our bill, which \nwill be introduced when we return after the Presidents Day \nrecess, will provide a common-sense path forward to improve our \nNation's cybersecurity defenses. We believe that by improving \ninformation sharing among the private sector and government, \nupdating our criminal code to reflect the threat cyber \ncriminals pose, reforming the Federal Information Security \nManagement Act, and focusing Federal investments in \ncybersecurity, our Nation will be better able to defend itself \nagainst cyber attacks. 
After all, we are all partners in this \nfight, and as we search for solutions, our first goal should be \nto move forward together.\n    I also would ask permission to enter in the record a letter \nsigned by Senator Chambliss, the Ranking Member on \nIntelligence; myself, Ranking Member on Armed Services; Senator \nJeff Sessions, Ranking Member on Budget; Senator Michael B. \nEnzi, Ranking Member on the HELP Committee; Senator Hutchison, \nRanking Member on the Commerce Committee; Senator Lisa \nMurkowski, Ranking Member on the Energy Committee; and Senator \nChuck Grassley, Ranking Member on the Judiciary Committee; \naddressed to Senator Reid and Senator McConnell, in which we have \nasked that the legislation go through the regular process \nwith the committees of jurisdiction having a say in this \nprocess.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The letter dated February 14, 2012, submitted by Senator McCain \nappears in the Appendix on page 61.\n---------------------------------------------------------------------------\n    So, Mr. Chairman, I thank you, and I yield the remaining \nbalance of my time.\n    Chairman Lieberman. No balance. [Laughter.]\n    Senator McCain. Oh, wow, that is the first time that has \never happened.\n    Chairman Lieberman. No, it is not. [Laughter.]\n    Look, with the same fondness and respect that you expressed \nfor Senator Collins and me when you started, I cannot conceal \nthe fact that I am disappointed by your statement. This bill is \nessentially the one that was marked up by the Committee. But \nthat is not the point. The point is that we have reached out \nnot only to everybody who was possibly interested in this bill \noutside of the Congress, but opened the process to every Member \nof the Senate who wanted to be involved. We pleaded for \ninvolvement. 
And a lot of people, including yourself, have not \ncome to the table.\n    The most encouraging part of your statement is that you and \nthose working with you are going to introduce some legislation, \nand we will be glad to consider it. The Senate should consider \nit. I think Senator Reid intends to hold an open amendment \nprocess on this bill. But you know, as you stated, that this is \na critical national security problem, and to respond to it with \nbusiness about regulation of business, this is national \nsecurity. As Senator Collins said, there is regulation of \nbusiness that is bad for business and bad for the American \neconomy. There is regulation such as we have worked very hard \nto include in this bill that, in fact, is not only not bad for \nAmerican business and not bad for the American economy but will \nprotect American business and American jobs and help to \nguarantee more American economic growth.\n    On the question of DOD and the intelligence community, I \nindicated for the record earlier that they have supported our \nbill this week. I hear what you said about General Alexander \nfrom NSA, but he has at no point, nor has the Department of \nDefense or the DNI, come before us and offered any suggestions \nfor additions to this bill that would give him more authority. \nI would welcome those suggestions, if he wishes.\n    So I had to be honest with you, as you have been honest \nwith us, and express my disappointment and that the only \nsatisfaction I have from your statement, which is that you are \ngoing to make a proposal that our colleagues in the Senate \nconsider it. Senator Collins and I and the others working on \nthis bill will consider it. And let us get something done on a \nclear and present danger to our country this year.\n    Senator McCain. Well, Mr. Chairman, could I just briefly \nrespond? I speak for seven ranking members of the major \ncommittees of jurisdiction. I do not speak just for myself. 
\nThere is a breakdown somewhere if seven ranking members of the \nrelevant committees are all joining in this opposition to this \nprocess and this legislation. So if you choose to neglect those \nmany years of legislative experience and time in the Senate, \nthat is fine. But there are seven of us that are deeply \nconcerned about this process and the legislation, and we do not \nthink it should go directly to the floor.\n    Chairman Lieberman. I will say for the record that we have \nreached out to all seven ranking members in various ways to try \nto engage their involvement in this bill. I would have much \nrather preferred to submit a bill--and Senator Collins would \nhave, too--that everybody had been involved in discussing. We \nwere very open to trying to find consensus, as we did with \nother chairs who are here. So nobody is neglecting the \nexpertise. I am saying I am sorry that they have not been \nengaged before, and I am glad they are going to be engaged now.\n    Senator Moran.\n\n               OPENING STATEMENT OF SENATOR MORAN\n\n    Senator Moran. Mr. Chairman, thank you.\n    Madam Secretary, this is my first opportunity to visit with \nyou since the announcement about the President's budget, and I \nwant to talk about a topic unrelated at least to cybersecurity, \nbut certainly related to security. And the Chairman just spoke \nabout clear and present danger. One that you and I have had a \nconversation about over a long period of time is related to our \nfood and animal safety and security in this country. And as you \ncan imagine and can expect the disappointment that I have, \nothers in our congressional delegation have in regard to the \nPresident's failure to include dollars related to construction \nof the National Bio and Agro-Defense Facility (NBAF) to replace \nthe aging Plum Island. 
You and I have had a number of \nconversations, and I will stay within my 6 minutes today to \ntalk about this non-germane topic but we will have a greater \nchance to visit in the Homeland Security Appropriations hearing \nin which you and I will be together in just a few days.\n    But I would not want this opportunity to pass without again \ndelivering the message to you and to the folks at the \nDepartment of Homeland Security who have throughout this \nprocess been our allies, and we consider that we have been your \nallies in an effort to see that a facility designed to make \ncertain that the food and animal safety of this country is \nprotected.\n    And you and I had a conversation in March of last year, \nless than a year ago, that was in a Homeland Security \nAppropriations Subcommittee, and you told me that NBAF is \nsomething that we are very supportive of. Plum Island does not \nmeet the Nation's needs in this area. There was a highly \ncontested, peer-reviewed competition, and we look forward to \ncontinued construction. We believe that NBAF needs to be built, \nand we need to get on with it.\n    Later, in September of that year, you talked about the \nfuture, we need to get prepared for the next generation, and, \nagain, we need to be confronting the things that we face today \nand the things that we will face 10 years from now. That series \nhas continued with your testimony and others from DHS, the U.S. \nDepartment of Agriculture, and I just would like for you to, I \nhope, reiterate the Department's, your position as Secretary, \ncontinued support and believe in the importance of building \nthis facility and to explain to me the idea of a reassessment, \nwhich, as I read in press reports, is a reassessment in scope \nonly, not in concerns about safety or concerns about location.\n    Secretary Napolitano. 
That is right, Senator, and you are \nright, the President does not request in the budget an \nappropriation for the NBAF, in part because last year we \nrequested $150 million. The House ultimately appropriated $75 \nmillion, the Senate appropriated zero, we ended up with $50 \nmillion, and a lot of extra requirements put on the project, as \nyou just have stated.\n    What we have done in this year's budget is allocate $10 \nmillion that will go to related animal research at Kansas State \nUniversity. I have talked this over with Governor Sam \nBrownback, among others. And in light of the Budget Control Act \n(BCA) and the other changed circumstances that we have to deal \nwith, and in light of the fact that we have not been able to \npersuade the Congress to really move forward in a substantial \nway on funding the NBAF, we have recommended that there be a \nreassessment in terms not of location, not in terms of need, \nboth of which I firmly stand by the position I have stated, but \nin terms of scoping and what needs to happen so that this \nproject can move forward with the right level of appropriation.\n    Senator Moran. Well, Madam Secretary, thank you. I would \ncomment that the solution to lack of funding by Congress is not \nfor the Administration to not request funding. The solution to \nthat problem is continued support and encouragement for \nCongress to act. As you say, the House appropriated $75 million \nlast year. In a conference committee with the Senate, it was \nagreed upon to $50 million. You also are requesting \nreprogramming for additional planning of money within this \nyear's budget. 
Again, the money that is there needs to be spent \nas quickly as possible.\n    I will be asking you by letter shortly to continue the \nfunding of the $40 million that is available, is appropriated, \nand now as a result of the report filed this week can be spent \nto complete the Federal share of the utility portion of this \nfacility.\n    Based upon what I have heard you say and what I have read \nthat you have said, it is not about location, it is not about \nthe site, and it may be about the scope of what will occur. But \nthe utility pad is still important and will be necessary, \nregardless of the scope of that project. So we are going to ask \nyou to continue the funding that you already have committed to \nand are authorized to now spend this $40 million on utilities. \nAnd I would add to that point, we have appropriated $200 \nmillion Federal dollars. The State of Kansas has put in nearly \n$150 million. This is a partnership. And we need the Federal \nGovernment to continue its partnership. In fact, on the utility \nportion, we are waiting on the share that you are now \nauthorized to spend to be spent.\n    I appreciate the answer to my question. I have considered \nyou an ally and continue to consider you an ally. And my plea \nis let us work together to see that this Congress moves forward \non an issue that is important, just as cybersecurity is, to the \neconomic security and future of our Nation.\n    Mr. Chairman, thank you.\n    Secretary Napolitano. Senator, I would be happy to work \ntogether with you on this.\n    Senator Moran. Thank you very much. We need your help.\n    Chairman Lieberman. Thanks very much, Senator Moran.\n    For the information of the Members, the order of arrival \ntoday now is Senators Landrieu, Pryor, Brown, Carper, Levin, \nand Johnson. Senator Landrieu is not here, so we will go to \nSenator Pryor.\n\n               OPENING STATEMENT OF SENATOR PRYOR\n\n    Senator Pryor. Thank you, Mr. Chairman. 
Thank you for this \nvery important meeting. Always good to see you, Madam \nSecretary.\n    Let me start, Madam Secretary, with a question about--I \nthink you have already pretty much said that you feel like we \nneed a statute, but I am curious about what specific authority \nyou think your agency or the Federal Government does not have \nin this area that you need. What specific authority do you feel \nlike you need to accomplish to achieve security in this area?\n    Secretary Napolitano. Well, I think of the specific \nauthorities that the statute contains, the most important is \nthe ability to bring all of the Nation's critical \ninfrastructure up to a certain base standard of security and to \noutline the process with which that will occur.\n    Senator Pryor. And let me ask you a question on a different \ntopic. I know that in reading some of the news stories, trade \npublications, etc., the private sector seems to have hesitation \nabout sharing too much information, and understandably so. They \nmay fear that a competitor will get information or it may \ncreate liability issues for them. But do we have an effective \nmechanism for the private sector stakeholders to share their \nbest practices and potential threats and those concerns without \nraising issues of their own security and liability and even \nantitrust concerns?\n    Secretary Napolitano. No. In fact, another major \nimprovement in the bill over the current situation is it \nclarifies the kind of information sharing that can occur \nwithout violating other Federal statutes--antitrust, the \nElectronic Communications Privacy Act. We have had situations \nwhere we have had delay in being able to get information and to \nrespond because the lawyers of a company or an entity had to \nfirst assess whether they would be violating other Federal law \nby alerting the Department of Homeland Security that an \nintrusion had occurred. 
And I think as you and I can both \nappreciate, when the lawyers get it, it can take awhile.\n    Senator Pryor. We understand.\n    Secretary Napolitano. So, again, the new bill would clarify \nthat should not be a problem.\n    Senator Pryor. And you are comfortable with how the new \nbill is structured in that area?\n    Secretary Napolitano. Yes, I am.\n    Senator Pryor. And let me ask about lessons learned. DHS \nhas recently discussed--and it has been discussed about DHS--\nthat some of the work being done under the Chemical Facility \nAnti-Terrorism Standards (CFATS) program has not been done as \nquickly or as thoroughly as maybe it should have been. And as \nyou know, this bill provides a requirement that DHS would do \nsimilar type assessments. Are there lessons learned in the \nCFATS experience that might indicate that we can put the \nproblem behind us and we can comply with what this law would \nask you to do?\n    Secretary Napolitano. Yes, Senator. First of all, with \nrespect to CFATS, no one is more displeased than I am with some \nof the problems that have occurred there, and there is an \naction plan in place, there are changes in personnel among \nother things. And that program is going to run smoothly, and \nnow the security plans are being evaluated, the tiering has \noccurred and the like.\n    Senator Pryor. And there are lessons learned there?\n    Secretary Napolitano. And there are lessons learned, as \nthere are in all things. And this bill is less prescriptive \nthan CFATS. First of all, this is a very regulation-like bill. \nThis is a security bill. This is not a regulatory bill per se. \nBut in terms just of management and organization, yes, there \nare some lessons learned from CFATS.\n    Senator Pryor. Great. And I know that a lot of times when \nwe read news media accounts about cybersecurity and even as we \ndiscuss it among ourselves, oftentimes we tend to focus on \nlarge companies and breaches that large companies experience. 
\nBut the truth is a lot of small and mid-sized companies carry a \nlot of sensitive information. Is DHS working with small to mid-\nsized companies in any way to reach out to them to talk about \nbest practices or anything like that?\n    Secretary Napolitano. We conduct a lot of outreach \nactivities with small and medium-size businesses on a whole \nhost of cyber-related areas, so the answer is yes.\n    Senator Pryor. Great. We always want to make sure that our \nsmall businesses are taken care of, and obviously if they are \nthe weak link in the chain, that is a real problem.\n    Secretary Napolitano. Well, Senator, as I continue to \nemphasize, when we are talking about the security of core \ncritical infrastructure, if that goes down, a lot of these \nsmall businesses are dependent on that, and they will fail.\n    Senator Pryor. Right. That is exactly right. Also, we often \ntalk about the Federal Government, but also State governments \nhave this same issue of cybersecurity, and obviously you are a \nformer governor, former State Attorney General, as is the \nChairman here, so you appreciate that State perspective. Are \nyou working with States to try to talk about their best \npractices and lessons that you have learned?\n    Secretary Napolitano. Yes, we are, and, indeed, we work \nwith a multistate information system, and they are actually \nlocated or provide input into the NCCIC, the center that we \ntalked about.\n    Senator Pryor. Great. Mr. Chairman, that is all I have. I \nyield back the balance of my time. [Laughter.]\n    Chairman Lieberman. Thank you, Senator Pryor. Next is \nSenator Carper.\n    Senator Carper. Could I have his 14 seconds? [Laughter.]\n    Chairman Lieberman. You got it.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Madam Secretary, good to see you. Good to \nsee a former Secretary out there, a former governor out there, \na former Congressman out there, Tom Ridge. 
Nice to see all of \nour witnesses. Thank you for being here.\n    One of the things, as my colleagues know, I like to do in \nhearings like this is to see if we cannot develop some \nconsensus. You can never have too much of that in the Senate or \nin the House, and my hope is that when we adjourn here today we \nwill have identified not just where we have differences, but we \nwill have identified where we can actually find some common \nground. So I will ask a couple of questions with that in mind.\n    I want to return to the comment of my colleague from \nArizona who mentioned regulation, and with sort of a cautionary \nnote, I just want to second what the Chairman said. Regulation \ncan be a problem. It can be problematic. If we do not use \ncommon sense, if we do not look at cost/benefit analysis, it \ncan be a bad thing.\n    Having said that, I always remember meeting with a bunch of \nutility chief executive officers (CEOs) 6 or 7 years ago, \nduring my first term in the Senate, and they were meeting with \nme about clean air issues--sulfur dioxide, nitrous oxide, \nmercury, and carbon dioxide. And we were trying to decide what \nour path forward should be.\n    Finally, at the end of this meeting, the CEO from someplace \ndown South, kind of curmudgeonly old guy, he said, ``Look, \nSenator, just do this. Tell us what the rules are going to be, \ngive us some flexibility, give us a reasonable amount of time, \nand get out of the way.'' That is what he said. And I have \nalways remembered those words, and I think they may apply here \ntoday.\n    I want to thank the Chairman and our Ranking Member, Susan \nCollins, for calling our hearing and for working with me. The \nChairman mentioned trying to open up, if you have an idea, \nbring it to us, and I think he has had an open door, and it is \ntoo bad that some have not taken full opportunity of that. 
But \nwe have a lot of distractions around here, so sometimes that \nhappens.\n    We all know we are being attacked by hackers from across \nthe world and closer to home, and it is likely to get worse, \nnot better. And while some of the hackers are just there to \ncause mischief, some of them are there to steal ideas, steal \nour defense secrets, steal intellectual property, blackmail \nbusinesses and nonprofits, and to do worse.\n    The challenges that I think we have here, I think they \nreally need a bold plan and we need a road map--I call it a \n``common sense road map''--to move forward. And I hope, again, \nthat we can move along that way today.\n    I am especially pleased that the legislation that is being \nintroduced includes a number of security measures that my staff \nand I have worked on with some of our colleagues for years to \nbetter protect our Federal information systems.\n    Having said that, I would like to begin, Madam Secretary, \nby asking you a couple of questions about the Department's \nefforts in this area, if I could.\n    As you know, I have been calling for some major changes to \nthe laws that control how Federal agencies protect their \ninformation, our information systems. 
And when the Federal \nFinancial Management, Government Information, Federal Services, \nand International Security Subcommittee that I chair first \nlooked at this issue several years ago, we found that Federal \nagencies were wasting millions of dollars on reports that \nnobody read and hardly anybody understood and they did not make \nus any safer.\n    The bill that is before us today includes many improvements \nto the so-called Federal Information Security Management Act, \naffectionately known as FISMA, and that will ensure, we hope, \nour Federal agencies are actively monitoring and responding to \nthreats, not just writing paper reports about them.\n    From what I understand, many agencies are already taking \nmany steps to improve their security networks, largely because \nof the action you have taken in your Department to make FISMA \nmore effective despite the outdated statute. I commend you for \nbeing proactive in this area and for putting forward a budget \nrequest that would ensure that your Department has the \nresources it needs to address this growing area of \nresponsibility.\n    Can you describe some of the current limitations of FISMA \nfor us and why this legislation and some of the new tools we \ngive you just might be needed?\n    Secretary Napolitano. Well, I think, just stepping back, \none of the key things that this bill would do is by clarifying \nand centralizing where the authorities lie within the \ngovernment and how those relate to the FISMA, among other \nthings, so that it really sets, as you say, the common-sense \nroad map for how we move forward.\n    You know, we have done a lot with the civilian networks of \nthe government. As you know, they have been repeatedly and they \nare increasingly attempted to be infiltrated and intruded upon \nall the time. We have almost completed the deployment of what \nis known as EINSTEIN 2. 
We are working on the next iteration.\n    We have also in the President's budget request asked for a \nbudget that would be held by the Department of Homeland \nSecurity but would be used to help improve or raise the level \nof IT protection within the civilian agencies.\n    Senator Carper. All right. Thank you.\n    Just very quickly, if I could follow up just to get more \nspecific, could you just talk a little bit more about what your \nDepartment will be able to achieve with what the President has \nrequested, I think $200-some million for Federal network \nsecurity, and how this legislation will impact those \nactivities. You talked to it a little bit, but could you just \ndrill down on that just a little for us?\n    Secretary Napolitano. Right. And I can give you more detail \non it, but basically what we will be able to do is have a fund \nout of which we can make sure that the civilian agencies of \ngovernment are deploying best practices, hiring qualified \npersonnel, in other ways strengthening their own cybersecurity \nwithin the Federal Government.\n    Senator Carper. All right. Thanks.\n    Mr. Chairman, if I could just say in conclusion, one of the \nthings that I hear a lot from businesses across the country and \ncertainly in Delaware is they want us to provide for them \ncertainty and predictability, and one of the things we are \ntrying to do with this legislation and the regulations that may \nflow from it is just that, predictability and certainty. And \nwith that in mind, I would say to our witnesses that are \nfollowing, again, it would be really helpful if you all could \nfigure out ways in your testimony not just to kind of divide us \nbut help bring us together. That would be enormously helpful, \nnot just to the Committee and to the Senate, but I think to our \ncountry. Thank you.\n    Chairman Lieberman. Thank you, Senator Carper. Senator \nLevin.\n\n               OPENING STATEMENT OF SENATOR LEVIN\n\n    Senator Levin. 
Thank you very much, Mr. Chairman and our \nRanking Member, for taking the initiative on this with other \ncolleagues. Thank you, Madam Secretary, for all the work that \nthe White House did on a similar bill which you had worked on, \nwhich I understand is basically part of now this pending bill \nwhich is on the calendar.\n    I am trying to understand what the objections are to the \nbill because it seems to me there is a whole bunch of \nprotections in here for the private sector. As I have read at \nleast a summary of the bill--and I have not read the bill yet--\nthere is a self-certification or a third-party assessment of \ncompliance with the performance requirements. I understand \nthere is an appeal of those requirements if there is objection \nto it. I understand and believe that the owners of covered \ncritical infrastructure that are in substantial compliance with \nthe performance requirements are not liable for punitive \ndamages which arise from an incident related to a cybersecurity \nrisk.\n    So you have here something unusual, I believe, actually, \nfor the private sector, which is a waiver of punitive damages. \nI do not know that it is unique, but I think it is fairly \nunique in legislation to waive the possibility of punitive \ndamages in case of a liability claim.\n    There are a number of other protections in the privacy \narea, as I read the summary of this bill, for the information \nwhich must be provided where there is a significant threat \nwhich is identified. I am trying to identify--and I am not \ngoing to be able to stay to hear from the next panel as to what \nthe objections are. I surely will read the letter from the \nopponents and will study the bill that Senator McCain referred \nto. But I am trying to the best of my ability as we go along to \nsee exactly what those objections are. There seems to be \nprivacy protection here. There seems to be self-certification \nhere which avoids part of a bureaucracy at least. 
There are \nlimits on liability where there is a good-faith defense for \ncybersecurity activities, as the bill's heading says. There are \na number of other protections.\n    I do not want you to argue for the people who have \nproblems, obviously, but I would like you, to the best of your \nability, to address what you understand are the key objections. \nWe will hear them directly. We will read about them. But I \nthink if you can, give us your response to them so we can have \nthat for the record as well.\n    Secretary Napolitano. Well, I think there are three kinds of \nclusters. The first is that the bill is a regulatory bill, and \nit will be burdensome to industry to comply. And the answer is \nit is a security bill, not a regulatory bill. It really is \ndesigned with making sure we have a basic level of security in \nthe cyber structures of our Nation's core critical \ninfrastructure and that we have a way to exchange information \nthat allows us to do that without private sector parties being \nafraid of violating other laws. And so this is not what one \nwould consider a regulatory bill at all, and as Senator Collins \nsaid, it really is designed to protect the American economy, \nnot to burden the American economy.\n    The second set of objections would, I think, revolve around \nthe whole privacy area, but as the ACLU itself acknowledged, \nthis bill really has done a very good job of incorporating \nthose protections right from the get-go. And realize one of the \nreasons why DHS has the role it does is because we have a \nprivacy office with a chief privacy officer who will be \ndirectly engaged in this. So the bill, I think, really \naddresses some of those privacy concerns.\n    And the third cluster would be--and I think Senator McCain \nkind of alluded to it--that it somehow duplicates the NSA. We \ndo not need another NSA, and we do not need to clarify the \nauthorities or the jurisdiction of the DHS. 
And I think there \nis a misconception there. The plain fact of the matter is, as \nthe Chairman of the Joint Chiefs and Secretary Panetta and \nothers have recognized, both the DOD and the DHS use the NSA, \nbut we use it in different ways. So we are not duplicating or \nmaking a redundant NSA. We are taking the NSA and using it to \nthe extent we can within the framework of the bill to protect \nour civilian cyber networks.\n    Senator Levin. And I understand that the Department of \nDefense basically supports this legislation. From what I can \nunderstand at least it does. Is that your understanding as \nwell?\n    Secretary Napolitano. I think not just basically. I think \nwholeheartedly.\n    Senator Levin. And in terms of the privacy concerns, those \nconcerns are met with the privacy officer. But in terms of the \ninformation which is supplied where there has been a threat, \nthat information when it is submitted to a government entity is \nprotected.\n    Secretary Napolitano. Right. The content is not shared. It \nis the fact of the intrusion----\n    Senator Levin. Tell us more about that protection.\n    Secretary Napolitano. Yes, content is not shared. The \ninformation shared requires minimization. It requires \nelimination of personally identifiable information, all the \nthings necessary to give the public confidence that their own \npersonal communications are not being shared. So it is the fact \nof the intrusion, the methodology, the tactic used, the early \nwarning indicators, all of those sorts of things are to be \nshared, but not the contents of the communication itself.\n    Senator Levin. Thank you. Thank you, Mr. Chairman.\n    Chairman Lieberman. Thanks very much, Senator Levin. That \nwas a really helpful exchange.\n    Senator Johnson.\n\n              OPENING STATEMENT OF SENATOR JOHNSON\n\n    Senator Johnson. Thank you, Mr. Chairman. 
Madam Secretary, \nnice to see you again.\n    First of all, I would like to say to Senator Lieberman and \nSenator Collins, I appreciate your work on this. This is, I \nthink, critically important. It is also incredibly complex.\n    Is it appropriate for me to ask you a question, Mr. \nChairman? I am new here. I do not want to be breaking protocol.\n    Chairman Lieberman. I may have to consult my counsel, but \ngo ahead.\n    Senator Johnson. You know, I share some of the concerns of \nSenator McCain, and because this is so important--it is \ncertainly not a good way to start out the process. I mean, sort \nof in light of his objection and those of the other ranking \nmembers, are we going to consider not taking this to the floor \ndirectly or, I mean, is that going to be reconsidered on that \nbasis?\n    Chairman Lieberman. I do not believe so. I mean, I suppose \nif people want to raise the question, but I think there has \nbeen a long process here. Bills have been reported out of this \nCommittee, out of Commerce, Intelligence, Foreign Relations had \nsome stuff, all done--not all done on a bipartisan basis, but \nmost of them were. Senator Reid got really agitated about this \nproblem last year and began to convene the chairs and then held \na joint meeting, which in these times is very unusual, a \nbipartisan meeting. Senator Reid and Senator McConnell urged \nthe chairs and ranking members of all the committees to begin \nto work together to reconcile the differences. Some came to the \ntable, as I said; some did not. We worked very hard to try to \nbring people in. I cannot speak for Senator Reid, but I think \nhis intention is to take the bill that is the consensus bill \nnow and bring it to the floor under his authority under Rule \nXIV, but to have a really open amendment process.\n    So I do not think anybody is going to rush this through, \nand there will be plenty of time for people to be involved. 
I \nam sure I speak for Senator Collins: We are open to any ideas \nanybody has.\n    Senator Johnson. I appreciate that. This is just really \nimportant to get right, so I would be concerned with that.\n    Chairman Lieberman. I could not agree more. To me, the most \nimportant thing is to get it right, but also as quickly as we \npossibly can get it right, we should get it enacted.\n    Senator Johnson. OK.\n    Chairman Lieberman. Because the crisis, the threat is out \nthere. Senator Collins.\n    Senator Collins. Mr. Chairman, if I could just add one \nthing, and that is, this legislation has gone through a lot of \niterations. It was reported first in 2010. I realize Senator \nJohnson was not part of the Committee at that point.\n    Senator Johnson. I am one of those new guys.\n    Senator Collins. But our staff has shared with the \nSenator's staff draft after draft after draft, invited them to \nbriefings. I know the Senator has come to some of the \nclassified briefings that we have had as well. So we have \ninvited input from the Senator's staff.\n    Senator Johnson. Again, I am sincere in my appreciation of \nthe work you are doing in this, and in a desire to get this \nright and move some legislation. So with that in mind, I know \nthe House has worked on a bipartisan bill, H.R. 3523, which is \njust a very slimmed down version, probably an important first \nstep, really trying to get information to be shared between the \ngovernment and the private sector. Is that something you can \nsupport in case this thing gets all snagged up, maybe move \ntoward something like that?\n    Secretary Napolitano. Well, I would have to go back and \nlook at that, but I think that there may be some parts of that \nwhich are included within this bill. But this bill is a much stronger \nand more comprehensive focus on what we actually need in the \ncybersecurity area given the threats that are out there.\n    Senator Johnson. 
In terms of the carve-outs, I was talking \nto somebody who is far more knowledgeable about this than I am, \nand that was one of the big questions this individual \nexpressed. If you are really trying to create cybersecurity, \nwhy would you carve out Internet Service Providers (ISPs), I \nmean, the people at the heart of it? It is kind of as if you \nare going to steal money, you go to the bank where it is. I \nmean, why would we carve out the service providers?\n    Secretary Napolitano. I think from our standpoint, if you \nfocus on the Nation's critical infrastructure and you really \nfocus on the standards they have to meet, and you want to avoid \nsome of the complexities that deal with like the ISPs and the \nlike and where they are located and international jurisdiction, \namong other things, the carve-out is appropriate. In fact, it \nhelps move the legislation along.\n    Senator Johnson. Have you done a cost assessment in terms \nof the cost of complying with these regulations?\n    Secretary Napolitano. Well, I think talking about cost is \nimportant here. It is not our intent to have an undue cost on \nthe core critical infrastructure of this country. It is, \nhowever, our belief that the costs of making sure you practice \na common base level of cybersecurity, it should be a core \ncompetency within the Nation's critical infrastructure. And so \nwhile we do not want an undue cost, we do want a recognition \nthat this is something that needs to be part of doing business.\n    Senator Johnson. Has there been an attempt to quantify that \nor will there be an attempt to quantify the cost of complying?\n    Secretary Napolitano. I do not know. I would imagine, just \nthinking about it, that there will be many entities that \nalready are at the right level. But, sadly, there are others \nthat are not. 
And given that we are only talking about \ninfrastructure that if intruded or attacked would have a really \nlarge impact on the economy, on life and limb, on the national \nsecurity, we are talking about a very narrow core part of the \ncritical infrastructure. The fact that they all have to reach a \nbase level is a fairly minimal requirement.\n    Senator Johnson. Just one last quick question. I am aware \nthat the Chamber of Commerce is not for this bill, and the \nAmerican Bankers Association. Do you have a list of private \nsector companies that have to comply with this that are in \nfavor of it?\n    Secretary Napolitano. Oh, there are a number of them, and I \nthink they have been in contact with the Committee, but we can \nget that for you.\n    Senator Johnson. I appreciate that. Thank you, Mr. \nChairman.\n    Chairman Lieberman. Thanks, Senator Johnson.\n    Secretary Napolitano, I appreciate your testimony very \nmuch. You made a really important point here, I think, first \noff that we define the group of owners and operators of private \ncyberspace in our country that are ultimately regulated here, \nthat can be forced to meet the standards very narrowly, to \ninclude only those sectors which, if they were attacked, cyber \nattacked, would have devastating consequences on our society. \nSo you are right. Obviously, it will cost some to enforce this, \nto carry it out, but it will be a fraction of what it would \ncost our society if there was a successful cyber attack. And I \ngo back to the initial question. After 9/11, we just could not \ndo enough to protect ourselves from another 9/11. And we have \nthe opportunity here to do something preemptively, \npreventively, methodically, and at much less cost to our \nsociety overall.\n    Secretary Napolitano. That is right, Mr. Chairman, and I \nthink as you and I both noted, and I think Senator Collins did, \nin our opening statements, it is our responsibility to be \nproactive and not just reactive. 
We know enough now to chart a \nway ahead, and the bill does that.\n    Chairman Lieberman. Yes, I agree. If we do not legislate, \nwe do not create a system of protection of American cyberspace, \nand God forbid there is an attack, we are all going to be \nrushing around frantically to sort of throw money at the \nproblem, and it is going to be after a lot of suffering that \noccurs as a result. So we have a real opportunity to work \ntogether. Nobody is saying this bill is perfect. I think it is \nvery good after all it has been through. But the process \ncontinues. You have been very helpful today. I thank you very \nmuch, and we look forward to working with you. Senator Collins.\n    Senator Collins. Thank you, Mr. Chairman. I, too, want to \nthank the Secretary for her excellent testimony and the \ntechnical assistance of the Department.\n    General Dempsey, Chairman of the Joint Chiefs of Staff, made \na very clear statement at a hearing before the Armed Services \nCommittee earlier this week. And General Dempsey said, ``I want \nto mention for the record that we strongly support the \nLieberman-Collins-Rockefeller legislation dealing with \ncybersecurity.'' So the Secretary's comment in response to the \nquestion of Senator Levin about where the Department \nstands, when she said ``wholeheartedly,'' is exactly right. And \nthe Department testified to that effect.\n    Chairman Lieberman. Thank you, Secretary Napolitano. Have a \ngood rest of the day.\n    Secretary Napolitano. Thank you.\n    Chairman Lieberman. We will call the final panel. Secretary \nRidge is first. I know you are under a time pressure. 
I \napologize for keeping you later than we had hoped, Secretary \nRidge, but we have you, then Stewart Baker, James Lewis, and \nScott Charney.\n    Gentlemen, thank you for your willingness to be here to \ntestify and for your patience, although it got pretty \ninteresting at times during the hearing, didn't it?\n    Secretary Ridge, in a comment that only you and I and two \nother people would appreciate, I do not think we will be going \nto the Common Man together tonight. That is another story.\n    Mr. Ridge. I do not think so. But I would welcome the \nopportunity anytime you are ready.\n    Chairman Lieberman. Thanks very much for being here. We \nwill hear your testimony, and then we will understand if you \nhave to go because I know you have another engagement and you \nare already late. Please proceed.\n\n   TESTIMONY OF HON. THOMAS J. RIDGE,\\1\\ CHAIRMAN, NATIONAL \n         SECURITY TASK FORCE, U.S. CHAMBER OF COMMERCE\n\n    Mr. Ridge. Thank you very much. First of all, let me tell \nyou what a pleasure it is to be back before the Committee. As I \nhave told you before, my 12 years in the Congress of the United \nStates I did enjoy being on that side of the table rather than \nthis, but every time I have appeared before this Committee, the \nengagement has been civil, constructive, and substantive, and I \nhope I have been able to contribute. And I hope the fact that \nwe agree in part and disagree in part today and there is \nsignificant agreement and disagreement does not preclude \nanother invitation at another time. So it is a great pleasure \nto be before you.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Ridge appears in the Appendix on \npage 78.\n---------------------------------------------------------------------------\n    I testify today on behalf of the U.S. 
Chamber of Commerce, \nwhich, as you well know, is the world's largest business \nfederation representing the interests of more than 3 million \nbusinesses and organizations of every size, every sector, \nthroughout every region in this country.\n    For the past year and a half, I have chaired the Chamber's \nNational Security Task Force, which is responsible for the \ndevelopment and implementation of the Chamber's homeland and \nnational security policies. And very much consistent with the \nPresident's concern, this Committee's concern, concerns on both \nsides of the aisle, you are probably not surprised that \ncybersecurity has been at the top of the list. When we have met \nwith dozens and dozens of private sector companies and their \nvice presidents for security, be it bricks and mortar or cyber, \nthis is very high, maybe at the top of their list right now.\n    So it is in my capacity as chairman but hopefully with a \nperspective also as the first Secretary of Homeland Security \nthat I thank you for this opportunity to appear before you \nregarding cybersecurity and ways in which we can secure \nAmerica's future.\n    At the very outset, Senator Lieberman and Senator Collins, \none of the perspectives that I do want to share with you is \nthat you need to add the Chamber of Commerce to the chorus of \npeople sounding the alarm. They get it. And why do they get it? \nBecause the infrastructure that we are worried about that \nprotects America's national interest and supports the Federal, \nState, and local governments is the infrastructure that they \noperate. 
And in addition to being concerned about the impact of \ncyber invasion and incursion on their ability to do their job \non behalf of the Federal Government, they also have 300 million \nconsumers one way or the other they have to deal with.\n    So they join you, they join that chorus, not only in terms \nof the urgency of dealing with the threat, but I would dare \nsay, and I say respectfully, they are probably better \npositioned to be able to calculate the consequences of systemic \nfailure vis-a-vis a cyber attack than even an agency in the \nFederal Government. And on top of that, they have their \ninterests to protect, fiduciary interests for shareholders if \nthey are publicly traded. They have their employees. They have \nthe communities they work in. They have the consumers. They \nhave the suppliers. So we are in this together, and I think it \nis very important for you to understand that the Chamber joins \nthe chorus that appreciates both the urgency of dealing with \nsomething, and I would say respectfully better understands from \na macro level the horrific consequences to them and to their \ncommunity and to their brand, their employees, and to this \ncountry from a significant cyber attack.\n    As you also know, the industry for years has been taking \nrobust and proactive steps to protect and make their \ninformation networks more resilient. There has been much \ndiscussion with regard to process here, and let me just talk \nvery briefly, and I am going to ask unanimous consent to get \nanother minute or minute and a half, and I apologize for that. \nBut as the first Secretary, I remember the national strategy \nthat we created in 2002 talked about securing America, but we \ndid not talk just about people, we did not just talk about \nbricks and mortar; we talked about cyber attacks as well.\n    In 2003, as has been referenced by Secretary Napolitano, \nthe enabling legislation talked about cyber attacks as well. 
\nYou move from the enabling legislation that creates the \nDepartment, and then you get Homeland Security Presidential \nDirective 7 (HSPD-7), and in anticipation of testifying I read \nwhat HSPD-7 says. It says, ``Establish a national policy for \nFederal departments and agencies to identify and prioritize \nUnited States critical infrastructure and key resources and to \nprotect them from terrorists.'' It goes on to talk about \nprotection from cyber attack as well.\n    In 2006, the National Infrastructure Protection Plan was \nestablished. The NIPP, updated in 2009, encompasses all that \nhad gone on before to protect critical infrastructure and is \nspecifically based on HSPD-7. The NIPP helped to create the \nSector-Specific Agencies and the Sector Coordinating Councils--\nthe point being that we do not need a piece of legislation, at \nleast from the Chamber's point of view, that would identify and \nregulate critical infrastructure. We have been working on that \nfor 10 years. It started with the enabling legislation, and you \nunderstand that process.\n    Where we tip the hat because compared to the first mark of \nthe President's bill to this markup, the information sharing, \nalthough we would probably like to tinker with it a little bit, \nis a vast improvement from the one that was initially placed \nand initially considered by the Administration. And, again, we \nare not ready to embrace it in its totality, but the concept, \nthe direction, and the focus of it being bilateral we believe \nis the way to go.\n    So at the end of the day, with regard to covered critical \ninfrastructure (CCI), there is really in our judgment no real \nneed for that. We already have the process in place. People \nhave been working together for 10 years, personal and \ninstitutional relationships to develop what that critical \ninfrastructure is. You have cybersecurity experts in these \nSector-Specific Agencies. 
So not only do you take a definition \nthat appears to have no walls, ceilings, or floors, but it \nappears to be redundant.\n    And, second, it does--somebody used the word \n``requirements.'' And one of the great concerns we have is that \nrequirements and prescriptions are mandates, mandates are \nregulations, and, frankly, the attackers and the technology \nmove a lot faster than any regulatory body or political body \nwill ever be able to move.\n    So, in my judgment--and, again, we need to talk--the \nChamber agrees. The sections in here with regard to the \ninternational component, the public awareness component, the \nFISMA component, and some of the others, we applaud and \ncelebrate. And hopefully if you tied those together, if you are \nlooking to really deal with this in an immediate way as quickly \nas possible with a more robust information-sharing proposal, \nmarry it with the House and then you will have that bipartisan \nagreement.\n    So I was hurried. I appreciate and respectfully request \nthat my full statement be included as part of the record, and \nthank you for the opportunity of appearing before you.\n    Chairman Lieberman. Thanks, Mr. Secretary, and we will \ndefinitely include your statement in full in the record.\n    Am I right that you have to leave?\n    Mr. Ridge. You were, but I think it is a little too late. I \nappreciate that.\n    Chairman Lieberman. Can you stay?\n    Mr. Ridge. I am prepared to stay to answer questions. I can \nleave at 6 o'clock instead of 5 o'clock. I have to be on a \nplane--but thank you for asking.\n    Chairman Lieberman. Do you want us to ask you a few \nquestions now and then have you go? Or with the sufferance of \nthe----\n    Mr. Ridge. I think that in deference, it is a little late \nto get there, so I appreciate that.\n    Chairman Lieberman. I am going to yield to Senator Collins, \nand if there is anything left to ask when she is done---- \n[Laughter.]\n    Senator Collins. Thank you, Mr. 
Chairman.\n    First, Secretary Ridge, as you know, I have the greatest \nrespect and affection for you personally and the greatest \nrespect for the Chamber of Commerce, which is why I am \ndisappointed that we do not see this issue exactly in the same \nway.\n    I would also note a certain irony since the Chamber itself \nwas under cyber attack by a group of sophisticated Chinese \nhackers for some 6 months at least, during which time the \nhackers had access to apparently everything in the Chamber's \nsystem, and the Chamber was not even aware of the attack until \nthe FBI alerted the Chamber in May 2010. So there is a little \nbit of irony, but I will assure you that under our bill the \nChamber is not considered critical infrastructure. [Laughter.]\n    Mr. Ridge. But Senator, you raise a very interesting point, \nand I guess the question I have, if it is not critical \ninfrastructure but a significant organization representing the \ncritical economic infrastructure of America, why in the world \ndid the FBI delay informing the organization that represents \nthe economic infrastructure of America? Somebody ought to ask \nthat question. Frankly, I have heard some cases where people in \nthe private sector have reported potential--this has not been \nverified--incidents to the Federal Government and they said, \n``We knew.'' What do you mean you knew?\n    Senator Collins. Well, that is one reason----\n    Mr. Ridge. You cure some of that problem.\n    Senator Collins. I was just going to point to that. 
We have \nvery robust information-sharing provisions in our bill that \nwill cure that very problem.\n    But the fact is, in drafting this latest version of our \nbill, we have taken to heart many of the concerns raised by the \nChamber, and, thus, just to clarify exactly where the Chamber \nis on these issues, I do want to ask your opinion on some of \nthe changes that we have made in direct response to the \nChamber's concerns.\n    For example, we now have a provision that says that \nentities that are already regulated by existing regulations \nwould be eligible for waivers and entities able to prove that \nthey are sufficiently secure would be exempted from most of the \nrequirements under this bill. The bill would require the use of \nexisting cybersecurity requirements and current regulators.\n    Does the Chamber support those changes that were \nincorporated in response to the Chamber's concerns?\n    Mr. Ridge. Well, I think you have incorporated several \nchanges, Senator Collins, and I cannot speak directly, but I \nbelieve that is one of them. And I think it also goes to the \npoint, however, that some of that oversight is being done \nwithin the existing process and protocol, and with the dramatic \npotential changes in information sharing, it is a system that \nwill work.\n    One of the questions I had when I listened to the chorus of \npeople who support the bill, I just wondered if the Secretary \nof Defense believes that the Defense Industrial Base likes the \ncyber model of information sharing that was announced by the \nDepartment of Defense in June 2011 or they would prefer to be \nregulated. I think there are some unanswered questions here.\n    But I think the point that I want to be very strong about, \nSenator Collins, is that you have heard some of the concerns, \nand we are grateful for that.\n    Senator Collins. 
Well, that is my point as we, frankly, \nhave bent over backwards to try to listen to legitimate \nconcerns without weakening the bill to the point where it can \nno longer accomplish the goal.\n    Another important provision of the bill is that the owners \nof critical infrastructure, not the government, not DHS, would \nselect and implement the cybersecurity measures that they \ndetermine are best suited to satisfy the risk-based performance \nrequirements. Does the Chamber support having the owners of the \ninfrastructure decide rather than government mandating specific \nmeasures?\n    Mr. Ridge. Well, I think, again, if I recall and interpret \nyour legislation correctly, the Chamber likes the notion and \nembraces the notion that the Sector-Specific Agencies, the \nrespective departments and agencies who have the Sector \nCoordinating Councils, have been working on identifying \ncritical infrastructure and sharing the kind of information \nthat we think is necessary to not immunize us completely \nbecause the technology and the hacking procedures are going to \nchange, but to dramatically reduce the risk. In fact, it is in \neverybody's interest, particularly the owners, to move as \nquickly as possible.\n    The logic that has been applied to relieving, I guess, \nCisco, Microsoft, and others so they can move adroitly and \nrespond to the risk seems to me would be pretty decent logic to \napply to everybody else in the economy as well who do not want \nto be burdened by a series of regulations or prescriptive \nrequirements.\n    Senator Collins. Well, since the private sector under our \nbill is specifically involved in creating the standards, I do \nnot see how that produces burdensome standards since the \nSecretary has to choose from the standards that the private \nsector develops. 
Again, another change that we strengthened in \nour bill.\n    Another question that I would have for you, I assume that \nthe Chamber supports the liability protections that are \nincluded in this bill, so that if a company abides by the \nperformance standards and there is an attack anyway, the \ncompany is immune from punitive damages.\n    Mr. Ridge. Well, they have not tapped me on the shoulder, \nbut I presume they do.\n    Senator Collins. Well, in back of you a young woman is \nnodding vigorously.\n    Mr. Ridge. I presume they do. If I were the Chamber, I \nwould certainly encourage them to embrace that wholeheartedly.\n    Senator Collins. Well, my time has expired, but my point is \nthat there are many provisions in this bill that we changed in \ndirect response to input from the Chamber, and I would like the \nChamber to acknowledge that.\n    There is one final point that I want to make. When you were \ntalking about how CEOs are invested in cybersecurity because \nof the impact on their customers and their clients, and so it \nis in their own self-interest, I cannot tell you how many chief \ninformation officers (CIOs) with whom I have talked who have \ntold me, ``If only I could get the attention of the CEO on \ncybersecurity. We are not investing enough, we are not \nprotecting our systems enough, and it is just not a priority \nfor the CEO.''\n    So I would suggest to you to talk to some CIOs because I \nthink you would get a totally different picture.\n    Mr. Ridge. Well, I appreciate that, Senator Collins. You \nknow, I am familiar with quite a few major companies in America \nand what they are doing with regard to cyber, and my experience \nis 180 from yours. I realize that there are probably some \npeople out there--I do not imagine too many organizations--and \nanybody in an organization would like a little bit more money \nto enhance their capability to safeguard or to manage the risk. 
\nBut I will take you at your word that there may be some CIOs \nwho feel very strongly and have reflected that in their \nstatements to you.\n    I think at the end of the day, though, I think you have \nmade a valuable contribution. You have listened to the Chamber. \nWe applaud those things we agree with, and we are just going to \nrespectfully disagree that you are going down the path very \nsimilar to what we are concerned about, a prescriptive regimen. \nI notice some of the literature talks about a light touch, but \na light touch can turn into a stranglehold if it goes too far \ndown the process. And if you take a look at the Chemical \nFacility Anti-Terrorism Standards, what was to be a light touch \nmay become very prescriptive, because once the legislation was \npassed, there were Members of Congress, your colleagues, who \nsaid, well, that is not enough and we may need very specific \ntechnology and we need very specific regulations.\n    So, again, it is that slippery slope that I think they are \nmost concerned about, and I very much appreciate you giving me \na chance to articulate it before the Committee.\n    Senator Collins. Thank you, Mr. Chairman.\n    Chairman Lieberman. Thanks, Senator Collins.\n    I have no further questions, Secretary. Thanks for being \nhere. We are glad to liberate you to catch the next plane.\n    Mr. Ridge. Well, you are very kind. I thank you. It has \nbeen my great pleasure, and as I said before, I look forward to \nfuture opportunities, in the ``what it is worth'' department, \nto share my thoughts with this Committee. I thank my friends.\n    Chairman Lieberman. We do, too.\n    Mr. Ridge. Senator Akaka, best wishes to you, sir. Thank \nyou.\n    Chairman Lieberman. 
Thank you.\n    Stewart Baker is our next witness, currently a partner in \nthe law firm of Steptoe and Johnson, former General Counsel for \nthe much mentioned today NSA from 1992 to 1994 and Assistant \nSecretary at DHS from 2005 to 2009 during which time we \nbenefited greatly from your counsel and service. Thanks for \nbeing here, and we would welcome your testimony now.\n\n  TESTIMONY OF HON. STEWART A. BAKER,\\1\\ PARTNER, STEPTOE AND \n                          JOHNSON LLP\n\n    Mr. Baker. It is a great pleasure. Thank you, Chairman \nLieberman, Senator Collins, and Senator Akaka. It is a \nnostalgic moment to come back here, and I want to congratulate \nyou on your achievement in moving this bill in a comprehensive \nform as far as it has gone. It is a very valuable contribution \nto our security.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Baker appears in the Appendix on \npage 83.\n---------------------------------------------------------------------------\n    I just have two points, but before I do that, I thought I \nwould address the Stop Online Piracy Act analogy, the idea that \nthis is like SOPA and the Internet will rise up to strike it \ndown.\n    I am proud to say, if I can channel Senator Lloyd Bentsen \nfor a minute, I knew SOPA, I fought SOPA, and, Mr. Chairman, \nthis bill is no SOPA. [Laughter.]\n    Chairman Lieberman. Hear, hear.\n    Mr. Baker. In fact, I opposed SOPA for the same reason that \nI support this bill. As a Nation, as a legislature, our first \nobligation is to protect the security of this country. SOPA \nwould have made us less secure, to serve the interests of \nHollywood. This bill will make us more secure, and that is why \nI support it.\n    Just two points on why I believe that. We know today the \nmost sophisticated security companies in the country have been \nunable to protect their most important secrets. 
This shows us \nhow deep the security problem runs. We also know from direct \nexperience, things that I saw when I was at DHS and that have \nemerged since, that once you penetrate a network, you can break \nit in ways that leave behind permanent damage. You can break \nindustrial control systems on which refineries, pipelines, the \npower grid, water, and sewage all depend. And we have had a lot \nof analogies today about how this is like September 10, 2001. \nIf you want to know what it would be like to live through an \nevent where someone launches an attack like this, the best \nanalogy is New Orleans, the day after Hurricane Katrina hit. \nYou would have no power; you would have no communications. But \nyou also would not have had the warning and the evacuation of \nmost of the city's population, and you would not have the \nNational Guard in some safe place, ready to relieve the \nsuffering. It could, indeed, be a real disaster, and we have to \ndo something to protect against that possibility. That is not \nsomething the private sector can do on its own. They are not \nbuilt to stand up to the militaries of half a dozen countries, \nand that is why it is important for there to be a government \nrole here.\n    I do think that with this bill--in contrast to the views of \nthe Chamber--you may have gone a little far in accommodating \nthem, and I will just address one point that I think is \nparticularly of concern.\n    I fully support the idea that there should be a set of \nperformance requirements driven by the private sector, \nimplemented by the private sector, and with private sector \nflexibility to meet them as they wish. But the process of \ngetting to that and then getting enforcement is time-consuming. \nIt could take 8 years; it could take 10 years if there is \nresistance from industry or a particular sector. 
And it may be \nworth it to take that time to get standards that really are \nsomething that the private sector buys into and is willing to \nlive with. But I think we have to recognize that in the next 8 \nto 10 years we could have an attack. We could have an incident. \nWe could have some very serious trouble or a threat that \nrequires that we move faster than that statutory framework \nwould suggest.\n    And so I would suggest that if there is one change that I \nwould make to this bill, it is to put in a provision that says \nthat in an emergency, where there really is an immediate threat \nto life and limb, the Secretary has the ability to compress all \nof the time frames and to move quickly from stage to stage so \nthat if we only have a week to get the grid protected, she is \nin a position to tell the power companies, ``You will be here \non Tuesday and bring your best practices because by Friday you \nare going to have to start implementing them because we know \nthere is an attack coming this week.'' That is something that \nwe need to be able to do and to have the flexibility to do. \nThank you.\n    Chairman Lieberman. Very helpful. Thank you very much. We \nwill talk more about that.\n    Dr. Jim Lewis, thanks for being here. He is Director and \nSenior Fellow of the Technology and Public Policy Program at \nthe Center for Strategic and International Studies. Dr. Lewis \nwas also the Director of the CSIS Commission on Cybersecurity, \nwhich began its work in 2008. Thanks so much. Please proceed.\n\n  TESTIMONY OF JAMES A. LEWIS, PH.D.,\\1\\ DIRECTOR AND SENIOR \n   FELLOW, TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR \n              STRATEGIC AND INTERNATIONAL STUDIES\n\n    Mr. Lewis. Thank you, Senators, for giving me the \nopportunity to testify. 
You know, when we hear that getting \nincentives right and letting the private sector lead or sharing \nmore information will secure the Nation, remember that we have \nspent the last 15 years repeatedly proving that this does not \nwork, and from an attacker's perspective, America is a big, \nslow target.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Lewis appears in the Appendix on \npage 92.\n---------------------------------------------------------------------------\n    Some people say the threat is exaggerated. This is really \nunfortunate. You have talked about the parallels with September \n11, 2001. But in some ways we are on a path to repeat the \nSeptember 11 error if we do not take action in the very near \nterm.\n    The threat is real and growing. Military and intelligence \nservices with advanced cyber capabilities can penetrate any \ncorporate network with ease. Cyber criminals and government-\nsponsored hackers routinely penetrate corporate networks. And \nnew attackers, ranging from Iran and North Korea to a host of \nanti-government groups, are steadily increasing their skills.\n    The intersection of greatest risk and weakest authority is \ncritical infrastructure. National security requires holding \ncritical infrastructure to a higher standard than the market \nwill produce.\n    This bill has many useful sections on education, research, \nsecuring government networks, and international cooperation, \nand they all deserve support. But the main event is regulating \ncritical infrastructure for better cybersecurity. Without this, \neverything else is an ornament, and America will remain \nvulnerable. Low-hanging fruit will not make us safer, and one \nway to think about this is if you took the section on critical \ninfrastructure regulation out of this bill, it would be like a \ncar without an engine. 
So I look forward to what we will see \nnext week.\n    There are all sorts of objections to moving ahead. We heard \nthat innovation could be damaged, but well-designed regulation \nwill actually increase innovation. Companies will innovate at \nmaking safer products. We have this with Federal regulation of \ncars, airplanes, even as far back as steamboats. Regulation can \nincentivize innovation.\n    Everyone agrees that we want to avoid burdensome regulation \nand focus new authorities on truly critical systems. The bill \nas drafted takes a minimalist and innovative approach to \nregulation based on commercial practices, so I appreciate the \neffort that has gone into that.\n    Many in Congress recognize the need for legislation, and \nthis Committee, the Senate, and others in the House deserve our \nthanks for taking up this task. But the battle has shifted. \nPeople will try to dilute legislation. They will try to put \nforward slogans instead of solutions, and they will write in \nloopholes. The goal should be to strengthen not to dilute, and \nso two problems need attention.\n    The first is the threshold for designating controlled \ncritical infrastructure. Cyber attacks in the next few years \nare most likely to be targeted and precise. They probably will \nnot cause mass casualties or catastrophic disruption. If we set \nthe threshold too high, it is simply telling our attackers what \nthey should hit. So we need to very carefully limit the scope \nof this regulation, but I fear that we may have gone a bit too \nfar.\n    The second is the carve-out for commercial information \ntechnology, and others have raised this. It makes sense that \nindustry does not want government telling them how to make \ntheir products. That is perfectly reasonable. But a blanket \nexemption on services, maintenance, installation, and repair \nwould, first, undo central work started by the Bush \nAdministration; and, second, leave America open for a Stuxnet-\nlike attack. 
So these parts of the bill should really be \nremoved, and in particular, I would call your attention to \nparagraph (A) and (B) of Section 104(b)(2).\n    In any important legislation, there is a delicate balance \nbetween protecting the Nation and minimizing the burdens on our \neconomy. This bill, with some strengthening, I think can \nachieve that balance and best serve the national interest. The \nalternative is to wait for the inevitable attack. My motto for \n2012 in cybersecurity is, ``Brace for impact.''\n    I thank the Committee and will be happy to take any \nquestions.\n    Chairman Lieberman. Thank you, Dr. Lewis. Your voice is an \nimportant one to listen to, and we will, we do.\n    Scott Charney is our last witness today. He is the \nCorporate Vice President of the Trustworthy Computing Group--\nthat is a good job--at Microsoft Corporation. Thanks for being \nhere.\n\n   TESTIMONY OF SCOTT CHARNEY,\\1\\ CORPORATE VICE PRESIDENT, \n       TRUSTWORTHY COMPUTING GROUP, MICROSOFT CORPORATION\n\n    Mr. Charney. Chairman Lieberman, Senator Akaka, thank you \nfor the opportunity to appear at this important hearing on \ncybersecurity. In addition to my role as Corporate Vice \nPresident for Trustworthy Computing, I serve on the President's \nNational Security Telecommunications Advisory Committee and was \nCo-chair of the CSIS Commission on Cybersecurity for the 44th \nPresidency.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Charney appears in the Appendix \non page 99.\n---------------------------------------------------------------------------\n    Microsoft has a long history of focusing on cybersecurity. \nIn 2002, Bill Gates launched our Trustworthy Computing \nInitiative. As we celebrate the 10th anniversary of that \neffort, we are proud of both our progress and conscious of how \nmuch work remains to be done. 
While IT companies are providing \nbetter cybersecurity, the world is increasingly reliant on \ncyber-based systems, and those attacking such systems have \nincreased in both number and sophistication. Cyber attacks \nrepresent one of the more significant and complex threats \nfacing our Nation.\n    With that in mind, I commend the Chairman, the Ranking \nMember, this Committee, and Members of the Senate for your \ncontinuing commitment to addressing cybersecurity. We \nappreciate your leadership in developing the legislation that \nwas introduced earlier this week. Over the past few years, you \nhave helped focus national attention on this urgent problem, \noffered constructive proposals, and conducted an open and \ntransparent process to solicit the views of interested private \nsector stakeholders.\n    Microsoft believes the current legislative proposal \nprovides an appropriate framework to improve the security of \ngovernment and critical infrastructure systems and establishes \nan appropriate security baseline to address current threats. \nFurthermore, the framework is flexible enough to permit future \nimprovements to security, an important point since security \nthreats evolve over time.\n    While the Internet has created unprecedented opportunities \nfor social and commercial interaction, it has also created \nunprecedented opportunities for those bent on attacking IT \nsystems. Securing IT systems remains challenging, and it is \nimportant that legislative efforts designed to improve computer \nsecurity meet three important requirements:\n    First, legislation must embrace sound risk management \nprinciples and recognize that the private sector is best \npositioned to protect private sector assets. Second, the \nlegislation must enable effective information sharing among \ngovernment and industry members. Third, any legislation must \ntake into account the realities of today's global IT \nenvironment. 
I will discuss each of these important issues in \nturn.\n    First, sound risk management principles require that \nsecurity efforts be directed where the risk is greatest and \nthat those responsible for protecting systems have the \nflexibility to respond to ever changing threats. To ensure that \nthis happens, it is important that the definition of critical \ninfrastructure be scoped appropriately and that the owner of an \nIT system ultimately be responsible for developing and \nimplementing security measures. We believe that the current \nlegislation, which allows the government to define outcomes but \nallows the private sector owner of a critical system or asset \nto select and implement particular measures, is the right \nframework.\n    Second, successful risk management depends on effective \ninformation sharing. For too long, people have cited \ninformation sharing as a ``goal'' when, in fact, it is a tool. \nThe goal should not be to share all information with all \nparties, but rather the right information with the right \nparties, that is, parties who are positioned to take meaningful \naction. We appreciate that this legislation attempts to remove \nbarriers to information sharing by specifically authorizing \ncertain disclosures and protecting the information shared.\n    Finally, as a global business, we are very cognizant of the \nfact that countries around the world are grappling with similar \ncybersecurity challenges and implementing their own \ncybersecurity strategies. We believe that actions taken by the \nU.S. Government may have ramifications beyond our borders, and \nit is important that the United States lead by example, \nadopting policies that are technology neutral and do not stifle \ninnovation. 
It must also promote cyber norms through \ninternational discussions with other governments.\n    Unlike some traditional international efforts where \ngovernment-to-government discussions may suffice to achieve \ndesired outcomes, it must be remembered that the private sector \nis designing, deploying, and maintaining most of our critical \ninfrastructures. As such, the United States needs to ensure \nthat the owners, operators, and vendors that make cyberspace \npossible are part of any international discussions.\n    I would note in closing that security remains a journey, \nnot a destination. In leading our Trustworthy Computing effort \nover the last 10 years, I have witnessed the continual \nevolution of Microsoft's own security strategies. Technologies \nadvance, threats change, hackers grow stronger, but defenders \ngrow wiser and more agile. The Committee's legislation, which \nfocuses on outcomes and ensures meaningful input by the private \nsector, represents an important step forward. Microsoft is \ncommitted to working with Congress and the Administration to \nhelp ensure this legislation meets these important objectives \nwhile minimizing unintended consequences.\n    Thank you for the leadership that you have shown in \ndeveloping this legislation under consideration today and for \nthe opportunity to testify. I look forward to your questions.\n    Chairman Lieberman. Thanks very much to you, too, Mr. \nCharney.\n    Let me ask all three of you a threshold question, no pun \nintended. As you can hear from some of the testimony and some \nof the questions from Committee Members, there is a question \nstill about whether regulation is necessary here--I am using a \npejorative term. Let me just say government involvement here is \nnecessary. And at its purest, this argument is that obviously \nthe private sector that owns and operates cyber infrastructure \nhas its own set of incentives to protect itself. Why do we need \nthe government to be involved? 
Mr. Baker, do you want to start?\n    Mr. Baker. Sure. It seems to me that, fundamentally, the \nprivate sector and each private company has an incentive to \nspend about as much on security as is necessary to protect \ntheir revenue streams, to prevent criminals from stealing \nthings from them and the like. It is much less likely that they \nare going to spend money to protect against disasters that \nmight fall on someone else, on their customers down the road, \nthat are unpredictable. And so there are certain kinds of \nharms, especially if you are in a business where it is hard for \npeople to steal money from you but it is easy for them to \nchange your code in a way that could later be disastrous for \nconsumers. That is a situation businesses will view as \nsomething that they are not ever going to get a higher payment \nfor addressing when they sell their products and, therefore, \nnot something that they would want to spend a lot of money on.\n    So it does seem to me that there are a lot of externalities \nhere that require the government to be involved in addition to \nthe problem that if you are the Baltimore Gas and Electric \ncompany, for example, you really do not know how to deal with \nan attack launched by Russian intelligence.\n    Chairman Lieberman. Right. Dr. Lewis.\n    Mr. Lewis. Thank you. Sometimes I call them ``mandatory \nstandards,'' and that is nicer than ``regulation,'' but I \nwanted to say ``regulation'' this time because we have to put \nit out on the table.\n    Chairman Lieberman. Right.\n    Mr. Lewis. We got the incentives wrong in 1998, the first \ntime we thought about protecting critical infrastructure. We \nthought that if you tell them about the threat, get them \ntogether, share a little information, and they will do the \nright thing. And as you have heard, the return on investment is \nsuch that companies will spend up to a certain level. 
It is not \neven clear that all of them do that, by the way, but they will \nnot spend enough to protect the Nation.\n    So we are stuck with a classic case of a public good, \nnational defense regulation is essential, and if we do not \nregulate, we will fail.\n    Chairman Lieberman. Let me just follow up. You made a \nstatement in your opening remarks--I am going to paraphrase \nit--which is that a hostile party, a nation state, or \nintelligence agency could penetrate any entity's cyberspace in \nthis country if they wanted. Did I hear you right?\n    Mr. Lewis. You did. The full answer is complicated, so I \nwill be happy to provide it to you in writing. But when you \nthink of the high-end opponents who can use a multitude of \ntactics, including tapping your phone line, including hiring \nagents or corrupting employees, these are very hard people to \nstop. And the assumption that is probably safest to make from a \ndefensive point of view is that all networks have been \ncompromised.\n    Chairman Lieberman. Mr. Charney.\n    Mr. Charney. I would say two things. First, I would echo \nwhat Mr. Baker said. I think market forces are actually doing a \nvery good job of providing security. The challenge is market \nforces are not designed to respond to national security \nthreats. You cannot make a market case for the Cold War. And so \nyou really have to think about what will the market give us? \nWhat does national security require? And how do you fill the \ndelta between those gaps?\n    The second thing I would say about looking at regulating \ncritical infrastructure, is in my 10 years at Microsoft, I have \nfound as we have struggled with cybersecurity strategies, we \nreally live in one of three states of play. Sometimes we do not \nknow what to do, and you have to figure out a strategy. \nSometimes you know what to do, but you are not executing very \nwell, in which case you need to go execute better. 
Sometimes we \nknow what to do and we execute well, but we do not execute at \nscale.\n    I think there are some companies that do a very good job of \nprotecting critical infrastructure today. Are we doing it at \nenough scale to really manage the risk that the country faces? \nAnd I do not think we are today, and that is why in our report \nof the CSIS Commission and in my testimony we are supportive of \nthe framework that has been articulated in the legislation.\n    Chairman Lieberman. I appreciate that. Assuming the \nstatistics are accurate or close to accurate about the \nfrequency of intrusion into cyberspace owned and operated in \nthe private sector, then that makes it self-evident that there \nis not enough being done to protect from that.\n    Dr. Lewis, let me ask you something. You offered a friendly \ncriticism of the bill just before, which is that our definition \nof ``covered critical infrastructure'' is too narrow, too high. \nWe are limiting it too much. Give me an idea about how you \nmight broaden it if you were drafting the legislation.\n    Mr. Lewis. I think we are talking about relatively simple \namendments to the language, Mr. Chairman. I would look at some \nof the thresholds you have put in: Mass casualties. What is a \nmass casualty event? For those of us coming out of the Cold \nWar, that was a very high threshold. Economic disruption on a \ncatastrophic scale--it is not clear to me that Hurricane \nKatrina, for example, would be caught by that definition. So I \nthink it is more an issue of clarifying, more an issue of \nmaking sure that the smaller attacks that we are more likely to \nsee in the near future are caught by this threshold and we are \nnot just looking for the big bang.\n    Chairman Lieberman. Thanks. My time is up. Senator Akaka, \nthank you for being here.\n\n               OPENING STATEMENT OF SENATOR AKAKA\n\n    Senator Akaka. Thank you very much, Mr. Chairman, for \nholding this hearing. 
I applaud your tenacity and that of \nSenators Collins, Rockefeller, and Feinstein in pursuing the \ncomprehensive cybersecurity legislation we are considering \ntoday. I also want to thank you and the Administration for \nincorporating my suggestions to the cyber workforce provisions \nof the bill. Employees of the Department of Homeland Security \nare on the front lines of countering the cyber threat, and we \nmust make sure the Department has the appropriate tools to \nattract and retain the workforce it needs to meet these complex \nchallenges.\n    Stakeholders have raised concerns about the privacy and \ncivil liberties implications of certain provisions of this \nbill. I want to commend the bill's authors for making progress \nin addressing these concerns. It is important for the final \nproduct to adequately protect Americans' reasonable expectation \nof privacy, and I will continue to closely monitor this issue.\n    FBI Director Robert Mueller's recent statement that the \ndanger of cyber attacks will equal or surpass the danger of \nterrorism in the foreseeable future is a stark reminder that \nstrengthening cybersecurity must be a key priority for this \nCongress. Cyber criminals and terrorists are targeting our \ncritical infrastructure, including our electricity grids, \nfinancial markets, and transportation networks, and these have \nbeen mentioned by the panelists. American businesses face \nconstant cyber attacks that seek to steal their intellectual \nproperty and trade secrets. However, cybersecurity policy has \nbeen slow to adjust to these ever increasing and sophisticated \ncyber threats.\n    The Cybersecurity Act of 2012 will give the Federal \nGovernment and the private sector the tools necessary to \nrespond to these troubling threats, I feel. 
Finalizing this \nimportant legislation is a pressing priority for this Congress, \nand I look forward to working with you on this.\n    As you know, the bill contains new hiring and pay \nauthorities to bolster the Federal civilian cybersecurity \nworkforce. It also has provisions to educate and train the next \ngeneration of Federal cybersecurity professionals. I would like \nto hear your views on the challenges of recruiting and \nretaining cybersecurity professionals, the provisions in this \nbill, and any other recommendations you may have to address \nthese growing workforce challenges. Mr. Baker.\n    Mr. Baker. If I might, I would like to just defer to Mr. \nCharney, who really has more expertise and experience in this \nfield, and if there is anything else, I will add to it after.\n    Senator Akaka. Fine. Mr. Charney.\n    Mr. Charney. It is very challenging to find well-trained \ncybersecurity professionals even in the private sector. This \ntechnology has just proliferated far faster than educational \ninstitutions could educate people to manage IT security and \nmanage the security.\n    As a result of that, Microsoft has actually committed \nconsiderable resources, supporting programs like science, \ntechnology, engineering, and mathematics (STEM) education, or \nElevate America where we provided over a million vouchers for \nentry-level and more advanced computer basic skills. But it is \na big challenge, and if it is a big challenge for the private \nsector, you can imagine that it would also be a large challenge \nfor the public sector as they do not have the same pay scale \nthat I have available to me.\n    So this is a big challenge. It is a challenge in both \neducation and in proficiency of the workforce. And, in fact, \nthe CSIS Commission issued a report on the challenges of \ngetting an educated, cyber-educated workforce.\n    Mr. Baker. 
And I would just add to that, indeed, that DHS \nhas had particular difficulty in attracting people and working \nthrough their personnel hiring procedures. Anything that makes \nthat smoother and more responsive to the market is useful.\n    But finally, and most importantly, for every student who is \nwatching this wondering what he is going to do when he \ngraduates from college, these jobs are waiting for you. You owe \nit to your country and you owe it to yourself to pursue these \nopportunities.\n    Senator Akaka. Thank you. Mr. Lewis.\n    Mr. Lewis. Senator, 2 years ago, at the end of July, CSIS \nhad an event here on the Hill, on education for cybersecurity, \nand I was kicking myself because I thought no one is going to \nbe here on July 29. It is just stupid. And so I told them, \n``Cut back on the food. We do not need it.'' And we had \nstanding room only. They had to put chairs in the hall. People \nlove this topic, but there are a couple of issues to think \nabout.\n    On the government side, we need to have a clearer career \npath for people to get promoted up.\n    On the private sector side, the education that we get now \nneeds to be refined and focused. A degree in computer science \nmay not give you the skills. In fact, it probably will not give \nyou the skills for cybersecurity. And so some of the provisions \nin the bill such as the cyber challenge, and other programs, \ntap into this real enthusiasm among teenagers and among college \nstudents to get into this new field. And I think this is one of \nthe stronger parts. Again, doing the education piece is \nimportant, but it will not protect us in the next few years, \nwhich is why we need the other parts of the bill as well.\n    Senator Akaka. Thank you very much, panel. My time has \nexpired, Mr. Chairman.\n    Chairman Lieberman. Thanks, Senator Akaka, and thanks very \nmuch for the contribution you made to the bill, as indicated by \nyour questioning, on the cyber workforce. 
That was very \nimportant.\n    Senator Collins.\n    Senator Collins. Thank you, Mr. Chairman. The hour is late, \nbut I just want to thank our witnesses for their excellent \ntestimony. Hearing some of our witnesses on this panel raise \nsome legitimate questions about whether we have gone too far in \ntrying to accommodate concerns raised by the Chamber and other \ngroups makes me think that maybe we have gotten it just right \nsince the Chamber is still not happy and you believe we have \ngone too far.\n    But in all seriousness, your expertise has been extremely \nhelpful, as has the input that we have had from Microsoft, from \nthe Chamber, from the tech industry, and from experts and \nacademics. We really have consulted very widely, and it has \nbeen very helpful to us as we try to strike the right balance.\n    This is an enormously important but complicated, complex \nissue for us to tackle, but tackle it we must. And that is \nsomething that I believe unites all of the witnesses from whom \nwe have heard today.\n    Whether we consider this to be a response to a 9/11-like \nattack or a Hurricane Katrina, I just do not want us to be here \nafter a major cyber incident saying, ``If only, and how could \nwe have ignored all these warnings, all these commissions, all \nof these studies, all of these experts?'' I cannot think of \nanother area in homeland security where the threat is greater \nand we have done less.\n    There is a huge gap. Whether we got it exactly right on \nchemical plant security, port security, or reform of the \nFederal Emergency Management Agency, at least we acted and we \nhave made a difference in each of those areas. They are not \nperfect, but we have acted and we have made a difference. And \nin intelligence reform, I think we have made a big difference.\n    But here we have a vulnerability, a threat that is not \ntheoretical. 
It is happening each and every day, and yet we \nhave seen today by the comments of some of our colleagues this \nis going to be a very difficult job to get this bill through. I \nam confident that we can do it, however, and that in the end we \nwill succeed.\n    And, finally, I do want to say to our colleagues, to those \nwho are listening, to those in the audience, that we need your \nhelp. If you have other good ideas for us, by all means bring \nthem forward. Help us get the best possible bill. But for \nanyone to stand in the way and cause us to fail to act at all \nto pass legislation this year I think would just be a travesty. \nIt would be a disaster waiting to happen for our country.\n    So, Mr. Chairman, I would just encourage you to press \nforward, and I will be at your side, your partner, all along \nthe way. We have done it before against great odds.\n    Chairman Lieberman. And we will do it again. Hear, hear. \nThank you. That meant a lot to me, and it is just expressive \nand characteristic of your independence of spirit and your \ncommitment to do what you think is right for our national \nsecurity.\n    We are going to press forward, and the Majority Leader, \nSenator Reid, I am confident is going to press forward, too. As \nI mentioned earlier, he had a couple of briefings on this \nproblem of cybersecurity last year, and it really troubled him. \nHe feels that there is a clear and present danger to our \nnational security and our economic prosperity from cyber \nattack. That is why he has devoted a lot of time to trying to \nget us to this point that we have reached this week to have at \nleast a foundational consensus bill and why I am confident he \nis going to bring this to the floor with the authority he has \nas Majority Leader. I am optimistic that may well be in the \nnext work period, which is when we come back at the end of \nFebruary and into March.\n    The three of you have added immensely to our work here. 
I \ndo want to continue to work--I do not want to ask a question \nbecause Senator Collins has brought this to such a wonderful \nending point, but I do want to, over time as we take the bill \nto the floor, invite you--particularly Mr. Baker and Dr. Lewis, \nwho have expressed concerns about the so-called carve-out. \nPeople in the Administration still think that with the \nauthority that we have left in there, the language will allow \nthe government to develop performance standards that will \nrequire owners of systems to protect those systems even if they \nmight include some commercial products. But we hear your \nconcerns, and we invite you to submit thoughts to us as to how \nto do this better, and we promise we will consider those \nconcerns.\n    Any last words from any of the three of you?\n    [No response.]\n    Chairman Lieberman. Thanks very much for all you have \ncontributed. I thank Senator Collins again. It is true, we get \nvery stubborn, the two of us, when we think something is really \nright and necessary. So we are going to plow forward.\n    The record of this hearing will be held open for 10 days \nfor any additional questions or statements for the record. I \nthank you again very much.\n    With that, the hearing is adjourned.\n    [Whereupon, at 5:20 p.m., the Committee was adjourned.]\n\n                            A P P E N D I X\n\n                              ----------                              \n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n</pre></body></html>\n"