[Senate Hearing 112-524]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 112-524

        SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS


                             SECOND SESSION

                               __________

                           FEBRUARY 16, 2012

                               __________

         Available via the World Wide Web: http://www.fdsys.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs

                  U.S. GOVERNMENT PRINTING OFFICE

73-673 PDF                WASHINGTON : 2012

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
MARK BEGICH, Alaska                  JERRY MORAN, Kansas

                  Michael L. Alexander, Staff Director
     Mary Beth Schultz, Associate Staff Director and Chief Counsel
            for Homeland Security Preparedness and Response
                   Jeffrey E. Greene, Senior Counsel
                       Jeffrey D. Ratner, Counsel
              Matthew R. Grote, Professional Staff Member
               Nicholas A. Rossi, Minority Staff Director
   Brendan P. Shields, Minority Director of Homeland Security Policy
             Denise F. Zheng, Minority Professional Member
                  Trina Driessnack Tyrer, Chief Clerk
                 Patricia R. Hogan, Publications Clerk
                     Laura W. Kilbride, Hearing Clerk

                            C O N T E N T S


                                 ------                                
Opening statements:
                                                                   Page
    Senator Lieberman............................................     1
    Senator Collins..............................................     4
    Senator McCain...............................................    19
    Senator Moran................................................    22
    Senator Pryor................................................    24
    Senator Carper...............................................    26
    Senator Levin................................................    28
    Senator Johnson..............................................    30
    Senator Akaka................................................    45
Prepared statements:
    Senator Lieberman............................................    49
    Senator Collins..............................................    52
    Senator Akaka................................................    54
    Senator Carper...............................................    55
    Senator McCain with an attached letter.......................    57

                               WITNESSES
                      Thursday, February 16, 2012

Hon. John D. Rockefeller IV, a U.S. Senator from the State of 
  West Virginia..................................................     6
Hon. Dianne Feinstein, a U.S. Senator from the State of 
  California.....................................................     9
Hon. Janet A. Napolitano, Secretary, U.S. Department of Homeland 
  Security.......................................................    12
Hon. Thomas J. Ridge, Chairman, National Security Task Force, 
  U.S. Chamber of Commerce.......................................    33
Hon. Stewart A. Baker, Partner, Steptoe and Johnson LLP..........    38
James A. Lewis, Ph.D., Director and Senior Fellow, Technology and 
  Public Policy Program, Center for Strategic and International 
  Studies........................................................    40
Scott Charney, Corporate Vice President, Trustworthy Computing 
  Group, Microsoft Corporation...................................    41

                     Alphabetical List of Witnesses

Baker, Hon. Stewart A.:
    Testimony....................................................    38
    Prepared statement with an attachment........................    83
Charney, Scott:
    Testimony....................................................    41
    Prepared statement...........................................    99
Feinstein, Hon. Dianne:
    Testimony....................................................     9
    Prepared statement...........................................    67
Lewis, Ph.D., James A.:
    Testimony....................................................    40
    Prepared statement...........................................    92
Napolitano, Hon. Janet A.:
    Testimony....................................................    12
    Prepared statement...........................................    71
Ridge, Hon. Thomas J.:
    Testimony....................................................    33
    Prepared statement...........................................    78
Rockefeller IV, Hon. John D.:
    Testimony....................................................     6
    Prepared statement...........................................    63

                                APPENDIX

Hon. Michael Chertoff, Co-Founder and Managing Principal of the 
  Chertoff Group; Former Secretary of the U.S. Department of 
  Homeland Security, prepared statement..........................   108
Responses to post-hearing questions for the Record from:
    Secretary Napolitano with attachments........................   113
    Mr. Ridge....................................................   274
    Mr. Baker....................................................   276
    Mr. Lewis....................................................   278
    Mr. Charney..................................................   280

 
        SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012

                              ----------                              


                      THURSDAY, FEBRUARY 16, 2012

                                     U.S. Senate,  
                       Committee on Homeland Security and  
                                      Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:32 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Levin, Akaka, Carper, Pryor, 
Landrieu, Collins, Brown, McCain, Johnson, and Moran.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. The hearing will come to order. Senator 
Collins is on her way. I just saw Senator McCain and Governor 
Janet Napolitano together, and it seems to me, with the two of 
you here, I cannot hesitate to offer my congratulations on the 
centennial celebration of the great State of Arizona. Hear, 
hear.
    Senator McCain. I was there at the time. [Laughter.]
    Chairman Lieberman. You look very well for your age.
    This is, in fact, the 10th hearing our Committee has held 
on cybersecurity, and I hope it is the last before the 
comprehensive cybersecurity bill before us today is enacted 
into law.
    The fact is that time is not on our side.
    To me it feels like September 10, 2001, and the question is 
whether we will act to prevent a cyber 9/11 before it happens 
instead of reacting after it happens.
    The reason for this legislation is based on fact. Every 
day, rival nations, terrorist groups, criminal syndicates, and 
individual hackers probe the weaknesses in our most critical 
computer networks, seeking to steal government and industrial 
secrets or to plant cyber agents in the cyber systems that 
control our most critical infrastructure and would enable an 
enemy, for example, to seize control of a city's electric grid, 
water supply system, our Nation's financial system, or mass 
transit networks with the touch of a key from a world away.
    The current ongoing and growing cyber threat not only 
threatens our security here at home, but it is right now having 
a very damaging impact on our economic prosperity because 
extremely valuable intellectual property is being stolen 
regularly through cyber exploitation by individuals, groups, 
and countries abroad and is then being replicated without the 
initial cost of research done by American companies, meaning 
that jobs are being created abroad that would otherwise be 
created here.
    So when we talk about cybersecurity, there is a natural way 
in which people focus on the very real danger that an enemy 
will attack us through cyberspace, but as we think about how to 
grow our economy again and create jobs again, I have come to 
the conclusion this is actually one of the most important 
things we can do to protect the treasures of America's 
intellectual innovation from being stolen by competitors 
abroad.
    Last year, a very distinguished group of security experts, 
led by former Department of Homeland Security (DHS) Secretary 
Michael Chertoff and former Defense Secretary William Perry, 
going across both parties, issued a stark warning:
    ``The constant assault of cyber assaults has inflicted 
severe damage to our national and economic security, as well as 
to the property of individual citizens. The threat is only 
going to get worse. Inaction is not an acceptable action.'' I 
agree.
    The bill before us today is the product of hard work across 
both party lines and Committee jurisdictional lines. I 
particularly want to thank my colleagues Senator Collins and 
Commerce Chairman Jay Rockefeller and Intelligence Committee 
Chairman Dianne Feinstein for all their hard and cooperative 
work in getting us to this point. We are going to be privileged 
to hear from all three of them shortly.
    I also want to thank Senator Carper, who is not here yet, 
for his significant leadership contributions to this effort.
    And I want to thank the witnesses who are here. We have 
chosen the witnesses deliberately because they hold differing 
points of view on the problem and on the legislation we have 
crafted and the challenges we face, and we look forward to 
their testimony.
    So the Cybersecurity Act of 2012 does several important 
things to beef up our defenses in the new battleground of 
cyberspace.
    First, it ensures that the cyber systems that control our 
most critical, privately owned and operated infrastructure are 
secure, and that is the key here. Privately owned and operated 
cyber infrastructure can well be--probably someday will be--the 
target of an enemy attack. Today it is the target of economic 
exploitation, and we have to work together with the private 
sector to better secure those systems, both for their own 
defense and for our national defense.
    In this bill, the systems that will be asked to meet 
standards are defined as those that, if brought down or 
commandeered, would lead to mass casualties, evacuations of 
major population centers, the collapse of financial markets, or 
significant degradation of our national security. So this is a 
tight and high standard. After identifying the systems that 
meet those standards, the Secretary of the Department of 
Homeland Security under the legislation would then work with 
the private sector operators of the systems to develop 
cybersecurity performance requirements.
    Owners of the privately operated cyber systems covered 
would have the flexibility to meet the performance requirements 
with whatever hardware or software they choose, so long as it 
achieves the required level of security. The Department of 
Homeland Security will not be picking technological winners or 
losers, and in my opinion, there is nothing in the bill that 
would stifle innovation. In fact, a letter from Cisco Systems 
and Oracle, two of our most prominent information technology 
(IT) companies, concludes that this legislation, ``includes a 
number of tools that will enhance the Nation's cybersecurity 
without interfering with the innovation and development 
processes of the American IT industry.''
    If a company can show under our legislation to the 
Department of Homeland Security that it already has high 
cybersecurity standards met, then it will be exempt from 
further requirements under this law. Failure to meet the 
standards will result in civil penalties that will be proposed 
by the Department during a standard rulemaking and comment 
process.
    The bill also creates a streamlined and efficient cyber 
organization within DHS that will work with existing Federal 
regulators and the private sector to ensure that no rules or 
regulations are put in place that either duplicate or are in 
conflict with existing requirements.
    The bill, importantly, also establishes mechanisms for 
information sharing between the private sector and the Federal 
Government and among the private sector operators themselves. 
This is important because computer security experts need to be 
able to compare notes in order to protect us from this threat. 
But the bill also creates security measures and oversight to 
protect privacy and preserve civil liberties. In fact, the 
American Civil Liberties Union (ACLU) has reviewed our bill and 
says that it offers the greatest privacy protections of any 
cybersecurity legislation that has yet been proposed.
    I am going to skip over some of the other things the bill 
does and just go to mention that the process by which we 
reached this legislative proposal was very inclusive. We not 
only worked across Committee lines, but reached out to people 
in business, academics, civil liberties and privacy and 
security experts for advice on many of the difficult issues 
that any meaningful piece of cybersecurity legislation would 
need to address. I can tell you that literally hundreds of 
changes have been made to this bill as a result of their input, 
and we think finally we have struck the right balance.
    I do want to describe briefly or mention some things that 
are not in this bill. First and foremost, this bill does not 
contain a so-called kill switch that would allow the President 
to seize or control part of or all of the Internet in a 
national crisis. It is not there.
    Senator Collins. It never was.
    Chairman Lieberman. It never was. Thank you, Senator 
Collins. But we put an exclamation point by dropping a section, 
frankly, that people thought included a kill switch. It just 
was not worth it because of the urgent need for this bill.
    There is also nothing in this bill that touches on the 
balance between intellectual property and free speech that so 
aroused public opinion over the proposed Stop Online Privacy 
Act (SOPA) and the Protect IP Act (PIPA) and has left many 
Members of Congress with scars or at least a kind of post-
traumatic stress syndrome since that happened.
    So, in fact, this is not the ultimate verification of my 
assertion that there is nothing here anywhere like what 
concerned people in SOPA or PIPA, but I note with gratitude 
that one of our witnesses, Stewart Baker, was a leading 
opponent of SOPA but is testifying today in favor of our bill.
    After the Cybersecurity Act of 2012 becomes law, the 
average Internet user will go about using the Internet just as 
they do today. But hopefully as a result of the law and 
outreach pursuant to it, they will be far better equipped to 
protect their own privacy and resources from cyber attack.
    The bottom line, a lot of people have worked very hard to 
come so far and in a very bipartisan way to face a real and 
present danger to our country that we simply cannot allow this 
moment to slip away from us. I feel very strongly that we need 
to act now to defend America's cyberspace as a matter of 
national and economic security.
    Senator Collins.

              OPENING STATEMENT OF SENATOR COLLINS

    Senator Collins. Thank you, Mr. Chairman.
    Mr. Chairman, let me first applaud you for your leadership 
in this very important issue, as well as the leadership of our 
two lead-off witnesses, Senator Rockefeller and Senator 
Feinstein, who contributed so much to this issue and this bill. 
And I personally thank you for holding this important hearing 
today.
    After the 9/11 attacks, we learned of many early warnings 
that went unheeded, including a Federal Bureau of Investigation 
(FBI) agent, who warned that one day people would die because 
of the ``wall'' that kept law enforcement and intelligence 
agencies apart. When a major cyber attack occurs, the ignored 
warnings will be even more glaring because our Nation's 
vulnerability has already been demonstrated by the daily 
attempts by nation states, terrorist groups, cyber criminals, 
and hackers to penetrate our systems.
    The warnings of our vulnerability to a major cyber attack 
come from all directions and countless experts, and they are 
underscored by the intrusions that have already occurred. 
Earlier this month, the FBI Director warned that the cyber 
threat will soon equal or surpass the threat from terrorism. He 
argued that we should be addressing the cyber threat with the 
same intensity that we have applied to the terrorist threat.
    Director of National Intelligence (DNI) James Clapper made 
the point even more strongly, describing the cyber threat as a 
``profound threat to this country, to its future, its economy, 
its very well-being.''
    In November, the Director of the Defense Advanced Research 
Projects Agency (DARPA) warned that malicious cyber attacks 
threaten a growing number of the systems with which we interact 
every day--the electric grid, water treatment plants, and key 
financial systems.
    Similarly, General Keith Alexander, the Commander of U.S. 
Cyber Command and the Director of the National Security Agency 
(NSA), has warned that our cyber vulnerabilities are 
extraordinary and characterized by ``a disturbing trend, from 
exploitation to disruption to destruction.''
    These statements are just the latest in a chorus of 
warnings from current and former officials, and the threat, as 
the Chairman has pointed out, is not just to our national 
security but also to our economic well-being. A Norton study 
last year calculated the cost of global cyber crime at $114 
billion annually. When combined with the value of time victims 
lost due to cyber crime, this figure grows to $388 billion. 
Norton described this as ``significantly more'' than the global 
black market in marijuana, cocaine, and heroin combined.
    In an op-ed last month entitled, ``China's Cyber Thievery 
Is National Policy--And Must Be Challenged,'' former DNI Mitch 
McConnell, former Homeland Security Secretary Michael Chertoff, 
and former Deputy Secretary of Defense William Lynn noted the 
ability of cyber terrorists to ``cripple'' our critical 
infrastructure. They sounded an even more urgent alarm about 
the threat of economic cyber espionage.
    Citing an October 2011 report by the Office of the National 
Counterintelligence Executive, these experts warned of the 
catastrophic impact that cyber espionage--particularly that 
pursued by China--could have on our economy and 
competitiveness. They estimated that the cost ``easily means 
billions of dollars and millions of jobs.''
    This threat is all the more menacing because it is being 
pursued by a global competitor seeking to steal the research 
and development of American firms to undermine our economic 
leadership.
    The evidence of our cybersecurity vulnerability is 
overwhelming. It compels us to act now. Some Members have 
called for yet more studies, even more hearings, and additional 
markups. In other words, more delay. The fact is, since 2005, 
our Committee alone has held 10 hearings on the cyber threat, 
including today's hearing. I know that the Commerce and the 
Intelligence Committees have held many more. In 2011, Chairman 
Lieberman, Senator Carper, and I introduced our cybersecurity 
bill, which was reported out by this Committee later that same 
year. Since last year, we have been working with Chairman 
Rockefeller to merge our bill with legislation that he 
championed, which was reported by the Commerce Committee. 
Senator Feinstein has done ground-breaking work on information 
sharing, which she has been kind enough to share with this 
Committee, as well.
    After incorporating changes based on the feedback from the 
private sector, our colleagues, and the Administration, we have 
produced a refined version, which is the subject of today's 
hearing. And it is significant that three Senate chairmen with 
jurisdiction over cybersecurity have come together on these 
issues. And each day that we fail to act, the threat increases 
to our national and economic security.
    Now, other colleagues of ours have urged us to focus 
narrowly on the Federal Information Security Management Act 
(FISMA), as well as on Federal research and development (R&D) 
and improved information sharing. We do need to address these 
issues, and our bill does just that.
    However, with 85 percent of our Nation's critical 
infrastructure owned by the private sector, the government also 
has a critical role to play in ensuring that the most vital 
parts of that infrastructure--those whose disruption could 
result in truly catastrophic consequences--meet reasonable, 
risk-based performance standards.
    In an editorial this week, the Washington Post concurred, 
writing that our ``critical systems have remained 
unprotected.''
    Some of our colleagues are skeptical about the need for any 
new regulations. I have opposed efforts to expand regulations 
that would burden our economy. But regulations that are 
necessary for our national security and that promote--rather 
than hinder--our economic prosperity strengthen our country. 
They are in an entirely different category.
    The fact is the risk-based performance requirements in our 
bill are targeted carefully. They apply only to specific 
systems and assets, not entire companies, which if damaged 
could result reasonably in mass casualties, mass evacuations, 
catastrophic economic damages, or a severe degradation of our 
national security. In fact, some of the witnesses think that we 
have gone too far in that direction.
    Senator Lieberman has described much of what the bill 
contains, so I will not repeat that in the interest of time. 
Let me just say that this bill is urgent. We cannot wait to 
act. We cannot wait until our country has a catastrophic cyber 
attack. And it would be irresponsible of Congress not to pass 
legislation due to turf battles or due to claims by some 
businesses that we are somehow harming our economy. In fact, 
what we are doing is protecting our economy and our way of 
life.
    Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Collins, for that 
very strong statement. I agree with you. I would just correct 
one part. You said how pleased you were that three committee 
chairs with jurisdiction have come together on the bill. Since 
I consider you the Co-Chairman of this Committee, I would say 
it was four.
    Senator Collins. Thank you.
    Chairman Lieberman. And I appreciate very much your 
contribution to this effort.
    We are really grateful to have Senator Rockefeller and 
Senator Feinstein here. Again, I cannot thank you enough for 
the work that we have done together. I think it is a very 
powerful statement that we agreed on a consensus bill, and I 
hope it enables us to move it through the Senate.
    I know the Majority Leader is really concerned about the 
threat and is committed to giving this bill time on the floor 
as soon as possible.
    Senator Rockefeller, we welcome your testimony now.

  TESTIMONY OF HON. JOHN D. ROCKEFELLER IV,\1\ A U.S. SENATOR 
                FROM THE STATE OF WEST VIRGINIA

    Senator Rockefeller. Thank you, Chairman Lieberman and 
Senator Collins. And you are quite right about that--I think 
Senator Harry Reid wants this on the floor as soon as possible. 
And, frankly, the thing that scares me more than anything is 
the fact that we have had so many hearings, and yet that was 
necessary to get to the agreements that we have all come to. 
And they are solid now, they are rock solid. But we still have 
to find the floor time for it. This is not going to be an easy 
time to do that, so the pressure on this Congress, on both the 
House and the Senate, to come through on this in the face of 
all of this danger, this is huge, and not yet guaranteed.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Rockefeller appears in the 
Appendix on page 63.
---------------------------------------------------------------------------
    I think our government needs a lead civilian agency to 
coordinate our civilian cybersecurity efforts, and that agency 
should, of course, be the Department of Homeland Security under 
the superb leadership of Secretary Napolitano.
    I want to emphasize that our bill represents the expertise 
and hard work, as both of you have said, of three Senate 
committees, and that is as it should be.
    We have eagerly sought, as you mentioned, Senator 
Lieberman--and have received--constructive criticism and input 
from a whole lot of places. I can remember giving a speech, I 
think 2 years ago, to a business group, presenting ideas that 
Olympia Snowe and I had for this, and they were just surprised 
to hear that somebody was willing to listen to their 
complaints. And there were a lot of them.
    Even when people refused to engage with us--and there have 
been those, even within the Senate, who refuse to have staff 
discussion, but that does not mean that we do not take some of 
their suggestions. We have done that because if they do not 
want to engage, that is OK. If they have good suggestions, then 
put them in and make it a stronger bill.
    Beyond this bill's principal authors--Senators Lieberman, 
Collins, Dianne Feinstein and myself--the bill reflects the 
input, assistance, or requests of Senators on both sides of the 
aisle, as it should be, which gives me hope for final passage.
    Senator Olympia Snowe was my co-author of the bill that the 
Commerce Committee reported out last year, as you know. Senator 
Carper was a co-author of the Lieberman-Collins bill. Both have 
left major imprints on this bill.
    Senator Kay Bailey Hutchison and her staff worked with us 
for a good part of the past 2 years. She is my ranking member 
and absolutely superb--I call her ``Co-Chair,'' too, 
incidentally--and we have tried hard to address all of her 
specific concerns. And I think that we have, in fact, met most 
of her concerns.
    We have sought to engage Senator Saxby Chambliss and before 
him, Senator Kit Bond, in the same fashion. There was some 
reluctance at some point to discuss, or have staff discussions. 
It did not make any difference. We were interested in what they 
had, and if it was something good in what they had, we put it 
in the bill. We wanted it in the bill. And then it had to pass 
future tests as we combined all the efforts.
    Senators Jon Kyl and Sheldon Whitehouse contributed an 
entire title regarding cybersecurity awareness. Senators John 
Kerry, Dick Lugar, Kirsten Gillibrand, and Orrin Hatch did the 
same on the title regarding diplomacy.
    Because of Senator McCain's concerns, we omitted 
significant language pertaining to the White House Cyber 
Office.
    When colleagues had ongoing questions about a provision 
that I personally believed to be extremely important, I agreed 
to drop it from the base bill. This provision that I am talking 
about would clarify private sector companies' existing 
requirements regarding what ``material risks'' pertaining to 
cyber have to be disclosed to investors in the Securities and 
Exchange Commission (SEC) filings because, as you know, at one 
point out of frustration I went to the SEC and Mary Schapiro 
agreed to clarify that if you are hacked into as a company, it 
must be disclosed on the Web site of that company at SEC, and 
that has had a substantial impact, actually.
    I believe this provision is absolutely crucial for the 
market to help solve our cyber vulnerabilities and will fight 
for it as an amendment on the floor. And that is as it should 
be. That is the way the system works. But in the interest of 
providing more time to address colleagues' questions, I agreed 
to take it out of the bill that we introduced this week.
    Any suggestion that this exhaustive process has been 
anything but open and transparent is patently false. This has 
been a really open process--and lengthy, as has been pointed 
out.
    Why have we worked so tirelessly to include the views of 
all sides? Why have we tried so hard to get this right?
    Because our country and our communities and our citizens 
are at grave risk. They simply are. I am not sure if they are 
aware because there are so many things that are reported in a 
news cycle that it almost diminishes the overall aggregated 
weight of the danger. So our citizens have to be aware of this. 
This is not a Republican or Democrat issue. It is a life-or-
death issue for the economy and for us as people.
    I want to be clear: The cyber threat is a very real fact. 
This is not alarmism. Here is why. It is hard to talk about 
this sometimes without seeming alarmist, and yet it simply 
reflects the truth.
    Hackers supported by the governments of China and Russia, 
and also sophisticated criminal syndicates with potential 
connections to terrorist groups, are now able to crack the 
codes of our government agencies, including sensitive ones, and 
the Fortune 500. They can do that, and they do that on a 
regular basis.
    Senator Collins mentioned what Michael Mullen said, and she 
pointed out that we are being looted of valuable possessions on 
an unfathomable scale. But that is not the end of the problem.
    The reason that this cyber theft is a life-or-death issue 
is the same as the reason that a burglar in your house is a 
life-or-death issue. If a criminal has broken into your home, 
how do you know what he wants to do? Is it take your belongings 
or is it something more? You do not know. He is in the 
building, in your home. That is where we are now in terms of 
our country.
    So that is the situation we face. Cyber burglars have 
broken in. Mike Mullen has said exactly what Senator Collins 
indicated, that the only other threat on the same level to 
cyber threat is Russia's stockpile of nuclear weapons.
    I remember the first thing after 9/11 we had to pass, 
sadly, pathetically, was a law saying that the Central 
Intelligence Agency (CIA) and the FBI could talk to each other. 
I mean, how pathetic could that be? But that is where we were 
because of stovepipes and things of that sort. FBI Director 
Robert Mueller testified to Congress recently that the cyber 
threat will soon overcome terrorism as his top national 
security emphasis. So it is all very serious, and you cannot 
exaggerate it, and it could happen.
    So then you think about how people could die if a cyber 
terrorist attacked our air traffic control system. And I was 
talking with Secretary Napolitano just before this hearing. 
Often over big cities it gets very soupy. Pilots do not like to 
be in soupy weather. They cannot see above, they cannot see 
below. Pilots do not like it. But they are protected because of 
the air traffic control system. We are going to put in a more 
modern one, but the same situation will prevail. Cyber hackers 
can take that out of a city or a group of cities. They can take 
out that capacity so that planes are literally flying in the 
dark, and they will fly into each other and kill a lot of 
people. And people have to understand that.
    If rail switching networks are hacked, causing trains which 
carry toxic materials, deadly materials through our major 
cities, to crash, there can be a massive explosion from 
that.
    So we are on the brink of very serious happenings. We have 
not reached that, which is one of our problems in getting 
legislation passed. But we can act now and try and prepare 
ourselves.
    Let me just close by saying that I was on the Intelligence 
Committee during the time leading up to 2011, and the world was 
rife with reports of people coming in and going out of our 
country, dots here and there that appeared to be connected but 
we were not quite sure. And what about this Moussaoui thing? 
And what about folks in that house in San Diego? And all of 
that was up there. What about the closing down of the bin Laden 
unit or a message that never got to the bin Laden unit? I mean, 
all of that was there, and we knew all of that, and the 
national security apparatus was working very hard on that. And 
they took it seriously, but they did not get deep enough 
because it was a new phenomenon.
    Well, here we are in a very similar situation. It is 
already with us. It is much more obvious than the lead-up to 
2001 was. And so we now have to act. We do not have the luxury 
of waiting to see and develop. We have to act. At some point 
the Congress has to assert itself. The Federal Government does 
have roles where this is not a heavy-handed thing, as Senator 
Collins has pointed out. It is not. But the Federal Government 
is involved because it is a matter of national security. And so 
I just wait to work with everybody and anybody to get this 
passed through both Houses of the U.S. Congress.
    Chairman Lieberman. Thanks very much, Senator Rockefeller. 
That was great.
    Chairman Feinstein, welcome, and thank you again. You 
contributed immensely, particularly on the information-sharing 
section of the bill, and you bring all the expertise and 
intelligence of the Senate Committee on Intelligence.

TESTIMONY OF HON. DIANNE FEINSTEIN,\1\ A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. Thank you very much. Thank you, Mr. 
Chairman, Senator Collins, and Senator Landrieu.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Feinstein appears in the 
Appendix on page 67.
---------------------------------------------------------------------------
    I look at this as quite a banner day because finally the 
Senate is coming together, and we are settling on one bill. 
This is the bill, and if it needs improving, we will improve 
it. But we have a focus now, and with a focus we can hopefully 
move forward.
    To this Committee and to Senator Rockefeller's committee, I 
want to thank you for your hard work, for the dozen hearings 
you have held, and for all the offers for consultation that you 
have placed out there to us.
    Let me speak for a moment on behalf of what I do in the 
Intelligence Committee. We have examined cyber threats to our 
national and economic security, and just last month, at the 
Worldwide Threats Hearing, which was an open hearing, we heard 
FBI Director Bob Mueller testify that ``the cyber threat, which 
cuts across all programs, will be the number one threat to the 
country.'' And already cyber threats are doing great damage to 
the United States, and the trend is getting worse.
    Let me give you just four examples, and what is interesting 
is many of us know about these when they happen, but they are 
often classified or kept private because the people that they 
happen to do not want it released because their clients will 
think badly of them. And, of course, it is not their fault, 
but, nonetheless.
    I think it is fair to say that the Pentagon's networks are 
being probed thousands of times daily, and its classified 
military computer networks suffered a ``significant 
compromise'' in 2008, and that is according to former Deputy 
Defense Secretary William Lynn.
    In November 2009, the Department of Justice (DOJ) charged 
seven defendants from Estonia, Russia, and Moldova with hacking 
into the Royal Bank of Scotland and stealing $9 million from 
more than 2,100 ATMs in 280 cities worldwide in 12 hours.
    In 2009, Federal officials indicted three men for stealing 
data from more than 130 million credit cards by hacking into 
five major companies' computer systems, including 7-Eleven, 
Heartland Payment Systems, and the Hannaford Brothers 
supermarket chain.
    Finally, an unclassified report by the intelligence 
community in November 2011 said cyber intrusions against U.S. 
companies cost untold billions of dollars annually, and that 
report named China and Russia as aggressive and persistent 
cyber thieves.
    Modern warfare is already employing cyber attacks, as seen 
in Estonia and the Republic of Georgia. And, unfortunately, it 
may only be a matter of time before we see cyber attacks that 
can cause catastrophic loss of life in the United States, 
whether by terrorists or state adversaries.
    Our enemies are constantly on the offensive, and in the 
cyber domain, it is much harder for us to play defense than it 
is for them to attack. The hard question is: What do we do 
about this dangerous and growing cyber threat?
    I believe the comprehensive bill that has been introduced--
the Cybersecurity Act of 2012--is an essential part of the 
answer.
    Mr. Chairman, I would like to speak briefly on the 
cybersecurity information-sharing bill that I introduced on 
Monday and that you have included as Title VII in your 
legislation.
    The goal of this bill is to improve the ability of the 
private sector and the government to share information on cyber 
threats that both need to improve their defenses.
    However, a combination of existing law, the threat of 
litigation, and standard business practices has prevented or 
deterred private sector companies from sharing information 
about the cyber threats they face and the losses of information 
and money they suffer. We need to change that through better 
information sharing, in a way that companies will use, that 
protects privacy interests, and that takes advantage of 
classified information without putting that information at 
risk. So here is what we have tried to do in Title VII:
    One, affirmatively provide private sector companies the 
authority to monitor and protect the information on their own 
computer networks.
    Two, encourage private companies to share information about 
cyber threats with each other by providing a good-faith defense 
against lawsuits for sharing or using that information to 
protect themselves.
    Three, require the Federal Government to designate a single 
focal point for cybersecurity information sharing. We refer to 
this as a ``Cybersecurity Exchange,'' to serve as a hub for 
appropriately distributing and exchanging cyber threat 
information between the private sector and the government. This 
is intended to reduce government bureaucracy and make the 
government a more effective partner in the private sector, but 
with protections to ensure that private information is not 
misused. Also, this legislation provides no new authority for 
government surveillance.
    Four, we establish procedures for the government to share 
classified cybersecurity threat information with private 
companies that can effectively use and protect that 
information. This, we believe, is a prudent way to take 
advantage of the information that the intelligence community 
acquires, without putting our sources and methods at risk, or 
turning private cybersecurity over to our intelligence 
agencies.
    I would like to raise just one issue of something that is 
not yet included in this bill, and that is data breach 
notification.
    This is an issue I have worked on for over 8 years, since 
California had a huge data breach that we only inadvertently 
found out about that had literally hundreds of thousands of 
victims. It is an urgent need. I have a bill called the Data 
Breach Notification Act. It has been voted out of the Judiciary 
Committee, and it accomplishes what in my view are the key 
goals of any data breach notification legislation:
    One, notice to individuals, who will be better able to 
protect themselves from identity theft;
    Two, notice to law enforcement, which can connect the dots 
between breaches and cyber attacks;
    And, three--and this is important--preemption of the 47 
different State and territorial standards on this issue. This 
is a real problem. We have 47 different laws on this issue in 
this country. It makes it very difficult for the private 
sector. Companies will not be subjected to conflicting 
regulation if there is one basic standard across the country.
    I know that Senators Rockefeller and Pryor have a bill in 
the Commerce Committee and that Senators Patrick Leahy and 
Richard Blumenthal have their own bills that also were reported 
out of the Judiciary Committee.
    But the differences in our approaches are not so great that 
we cannot work them out, and I am very prepared to sit down 
with Members of this Committee, with Senator Rockefeller, and 
others to find a common solution. But Mr. Chairman, I would 
really implore you to add a data breach preemption across the 
United States so that there is one standard for notification to 
an individual of data breach, and communication with law 
enforcement that goes all across America. Until we have that, 
we really will not have a sound data breach system.
    Let me just thank you. I think we are on our way. I am 
really so proud of both of you on this Committee for coming 
together, and I think it is a banner day. So thank you very 
much.
    Chairman Lieberman. Thanks very much, Senator Feinstein. We 
could not have done it without you. Thanks for your testimony, 
and I am personally very supportive of your aims with the data 
breach proposal, and I look forward to working with you and, as 
you say, the others who have bills to see if we cannot find a 
way to include that in this proposal when it comes to the 
floor.
    Senator Feinstein. Thank you very much.
    Chairman Lieberman. Thank you very much.
    And now, Madam Secretary, I hate to break up a conversation 
between the current Secretary and the first Secretary, but--we 
almost had the trifecta of the three Secretaries of the 
Department of Homeland Security here today. Secretary Chertoff 
wanted to testify, but had a previous commitment, and has, I 
will say, filed a statement for the record strongly in support 
of the legislation.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Secretary Chertoff appears in the 
Appendix on page 108.
---------------------------------------------------------------------------
    Secretary Napolitano, thanks very much for being here and 
for all the work you and people in the Department have done to 
help us come to this point with this bill. We welcome your 
testimony now.

   TESTIMONY OF HON. JANET A. NAPOLITANO,\2\ SECRETARY, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Secretary Napolitano. Well, thank you, Chairman Lieberman, 
Senator Collins, and Members of the Committee. I am pleased to 
be here today to discuss the issue of cybersecurity and, in 
particular, the Department's strong support for the 
Cybersecurity Act of 2012.
---------------------------------------------------------------------------
    \2\ The prepared statement of Secretary Napolitano appears in the 
Appendix on page 71.
---------------------------------------------------------------------------
    I appreciate this Committee's support of the Department's 
cybersecurity efforts, your sustained attention to this issue, 
and the leadership you have shown in bringing a bill forward to 
strengthen and improve our cybersecurity authorities. I also 
appreciate and want to emphasize the urgency of the situation.
    Indeed, the contrast between the urgent need to respond to 
the threats we face in this area on the one hand and the 
professed desire for more deliberation and sensitivity to 
regulatory burdens on the other reminds me, as several of you 
have suggested, of lessons we learned from the 9/11 attacks. As 
the 9/11 Commission noted, those attacks resulted, in 
hindsight, from a failure of imagination because we failed to 
anticipate the vulnerabilities of our security infrastructure.
    There is no failure of imagination when it comes to 
cybersecurity. We can see the vulnerabilities. We are 
experiencing the attacks, and we know that this legislation 
would materially improve our ability to address the threat.
    No country, industry, community, or individual is immune to 
cyber risks. Our daily life, economic vitality, and national 
security depend on cyberspace. A vast array of interdependent 
IT networks, systems, services, and resources are critical to 
communication, travel, powering our homes, running our economy, 
and obtaining government services.
    Cyber incidents have increased dramatically over the last 
decade. There have been instances of theft and compromise of 
sensitive information from both government and private sector 
networks, and all of this undermines confidence in these 
systems and the integrity of the data they contain.
    Combating evolving cyber threats is a shared responsibility 
that requires the engagement of our entire society, from 
government and law enforcement to the private sector and, most 
importantly, with members of the public. DHS plays a key role 
in this effort, both in protecting Federal networks and working 
with owners and operators of critical infrastructure to secure 
their networks through risk assessment, mitigation, and 
incident response capabilities.
    In fiscal year 2011, our U.S. Computer Emergency Readiness 
Team (US-CERT) teams at DHS received over 106,000 incident 
reports from Federal agencies, critical infrastructure, and our 
industry partners. We issued over 5,200 actionable cyber alerts 
that were used by private sector and government network 
administrators to protect their systems. We conducted 78 
assessments of control system entities and made recommendations 
to companies about how they can improve their own 
cybersecurity.
    We distributed 1,150 copies of our cyber evaluation tool. 
We conducted over 40 training sessions on them, all of which 
makes owners and operators better equipped to protect their 
networks.
    To protect Federal civilian agency networks, we are 
deploying technology to detect and block intrusions of these 
networks in collaboration with the Department of Defense. We 
are providing guidance on what agencies need to do to protect 
themselves and are measuring implementation of those efforts.
    We are also responsible for coordinating the national 
response to significant cyber incidents and for creating and 
maintaining a common operational picture for cyberspace across 
the entire government.
    With respect to critical infrastructure, we work with the 
private sector to help secure the key systems upon which 
Americans, including the Federal Government, rely, such as the 
financial sector, the power grid, water systems, and 
transportation networks.
    We pay particular attention to industrial control systems 
which control processes at power plants and transportation 
systems alike. Last year, we deployed seven response teams to 
such critical infrastructure organizations at their request in 
response to important cyber intrusions.
    To combat cyber crime, we leverage the skills and resources 
of DHS components such as the Secret Service, Immigration and 
Customs Enforcement (ICE), and Customs and Border Protection 
(CBP), and we work very closely with the FBI.
    DHS serves as the focal point for the government's 
cybersecurity outreach and public awareness efforts. As we 
perform this work, we are mindful that one of our missions is 
to ensure that privacy, confidentiality, and civil liberties 
are not diminished by our efforts. The Department has 
implemented strong privacy and civil rights and civil liberties 
standards into all its cybersecurity programs and initiatives 
from the outset, and we are pleased to see these in the draft 
bill.
    Now, Administration and private sector reports going back 
decades have laid out cybersecurity strategies and highlighted 
the need for legal authorities. In addition to other statutes, 
the Homeland Security Act of 2002 specifically directed DHS to 
enhance the security of non-Federal networks by providing 
analysis and warnings, crisis management support, and technical 
assistance to State and local governments, and the private 
sector. Policy initiatives have had to supplement the existing 
statutes. These initiatives strike a common chord. Indeed, this 
Administration's Cyberspace Policy Review in 2009 echoed in 
large part a similar review by the Bush Administration, and we 
have had numerous contributions by private sector groups, 
including the Center for Strategic and International Studies 
(CSIS) study led by James Lewis, one of your witnesses today.
    Still, DHS executes its portion of the Federal 
cybersecurity mission under an amalgam of authorities that have 
failed to keep up with the responsibilities with which we are 
charged.
    To be sure, we have taken significant steps to protect 
against evolving cyber threats, but we must recognize that the 
current threat outpaces our existing authorities. Our Nation 
cannot improve its ability to defend against cyber threats 
unless certain laws that govern cybersecurity activities are 
updated.
    We have had many interactions with this Committee and with 
the Congress to provide our perspective on cybersecurity. 
Indeed, in the last 2 years, Department representatives have 
testified in 16 Committee hearings and provided 161 staff 
briefings. We have had much bipartisan agreement. In 
particular, many would agree with the House Republican Cyber 
Task Force, which stated that, ``Congress should consider 
carefully targeted directives for limited regulation of 
particular critical infrastructures to advance the protection 
of cybersecurity.''
    The recently introduced legislation contains great 
commonality with the Administration's ideas and proposals, 
including two crucial concepts that are central to our efforts: 
First, addressing the urgent need to bring core critical 
infrastructure to a baseline level of security; and, second, 
fostering information sharing, which is absolutely key to our 
security efforts.
    All sides agree that Federal and private networks must be 
better protected and that information should be shared more 
easily, yet still more securely. And both our proposal and the 
Senate legislation would provide DHS with clear statutory 
authority commensurate with our cybersecurity responsibilities 
and remove legal barriers to the sharing of information.
    S. 2105 would expedite the adoption of the best 
cybersecurity solutions by the owners and operators of critical 
infrastructure and give businesses, States, and local 
governments the immunity they need to share information about 
cyber threats or incidents. There is broad support as well for 
increasing the penalties for cyber crimes and for creating a 
uniform data breach reporting regime to protect consumers. This 
proposal would make it easier to prosecute cyber criminals and 
establish national standards, requiring businesses and core 
infrastructure that have suffered an intrusion to notify those 
of us who have the responsibility for mitigating and helping 
them mitigate it.
    I hope that the current legislative debate maintains the 
bipartisan tenor it has benefited from so far and builds from 
the consensus that spans two Administrations and the 
Committee's efforts of the last several years.
    Let me close by saying that now is not the time for half 
measures. As the Administration has stressed repeatedly, 
addressing only a portion of the needs of our cybersecurity 
professionals will continue to expose our country to serious 
risk.
    For example, only providing incentives for the private 
sector to share more information will not in and of itself 
adequately address critical infrastructure vulnerabilities. And 
let us not forget that innumerable small businesses rely on 
this critical infrastructure for their own survival.
    As the President noted in the State of the Union address, 
``The American people expect us to secure the country from the 
growing danger of cyber threats and to ensure the Nation's 
critical infrastructure is protected.'' And as the Secretary of 
Homeland Security, I strongly support the proposed legislation 
because it addresses the need, the urgency, and the methodology 
for protecting our Nation's critical infrastructure. I can 
think of no more pressing legislative proposal in the current 
environment.
    I want to thank you again for the important work you have 
done, and I look forward to answering the Committee's 
questions.
    Chairman Lieberman. Thanks very much, Madam Secretary.
    We will do 6-minute rounds of questions because we have a 
large number on the following panel, and I know some people 
have to leave.
    Madam Secretary, let me get right to one of the issues that 
has been somewhat in contention, which is that there are some 
people who have said that the expanded authority here, 
particularly that related to cyber infrastructure owned and 
operated by the private sector, would better be handled by the 
Department of Defense (DOD) or the intelligence community. In 
other words, they should take the lead in protecting Federal 
civilian networks.
    I wonder if you would respond as to why you think the 
Department of Homeland Security, as obviously we do, is better 
prepared to take on this critical responsibility.
    Secretary Napolitano. Well, several points. First, the 
Department of Homeland Security, as I stated, already is 
exercising authorities in the civilian area, working with the 
private sector, working with Federal civilian agencies. So that 
is a space we are already filling and continue to grow our 
capacity to fill.
    Second, military and civilian authorities and missions are 
different, and there are significant differences, for example, 
in the privacy protections that we employ within the exercise 
of civil jurisdiction.
    And then, finally, I would note that both DOD and DHS use 
the technological expertise of the NSA. We are not proposing 
and have never proposed that two NSAs be created; rather, that 
there be two different lines of authority that emanate using 
the NSA, one, of course, for civilian, and one for military.
    Chairman Lieberman. That is a very important factor. I want 
to come back to that in a minute. But one of the opinions 
expressed to the Committee as we faced the challenge and 
decided which part of our government should be responsible for 
responding was that there would probably be very deep and 
widespread concern among the public if we, for instance, asked 
the National Security Agency or the Department of Defense to be 
directly in charge of working with the privately owned and 
operated cyber infrastructure. Particularly for NSA, there 
would be a concern about privacy and civil liberties concerns. 
Does that make sense to you?
    Secretary Napolitano. I have heard the same concerns. They 
do make sense. And, indeed, when Secretary Robert Gates and I, 
by a Memorandum of Understanding, figured out the division of 
responsibilities and how we were each going to use the NSA, one 
of the things we were careful to elevate was a discussion of 
the protections of privacy and civil liberties, and make sure 
that, to the extent we have people over at the NSA, they are 
accompanied by people from our Office of Privacy, our Office of 
General Counsel, to make sure those protections are abided by.
    Chairman Lieberman. Right. I am glad you mentioned that 
Memorandum of Understanding between the Department of Homeland 
Security and DOD because I want to make this point--
incidentally, Senator McCain and I codified that in law, that 
Memorandum of Understanding, in the National Defense 
Authorization Act that was passed at the end of last year. But 
that memorandum, if I can put it this way, does not preempt the 
need for this legislation. In other words, that memorandum does 
not allocate responsibility with regard to working with the 
private sector, having the authority to require the private 
sector to take steps to defend themselves and our country from 
cyber attack. Is that right?
    Secretary Napolitano. That is right, Mr. Chairman. It is a 
memorandum that describes the division of how we would each use 
the resources of the NSA, but it does not deal with the 
protection of core critical infrastructure the way the bill 
does. It does not deal with the private sector at all the way 
the bill does. It does not deal with information exchange the 
way the bill does. So it really was designed to make sure that 
at least with respect to how we each use the NSA, we had some 
meeting of the minds.
    Chairman Lieberman. So there is nothing in your opinion 
inconsistent between the Memorandum of Understanding between 
DHS and NSA and the Cybersecurity Act of 2012?
    Secretary Napolitano. Oh, not at all.
    Chairman Lieberman. I am pleased to note for the record 
that in testimony earlier this week, Secretary of Defense Leon 
Panetta and the Chairman of the Joint Chiefs of Staff General 
Martin Dempsey both endorsed this legislation, and then this 
morning, before the Armed Services Committee, the Director of 
National Intelligence Clapper and General Ronald Burgess, the 
head of the Defense Intelligence Agency, also endorsed the 
legislation. Both of those expressions of support were 
unexpected by Senator Collins and me and, therefore, all the 
more appreciated.
    DHS's Industrial Control Systems Cyber Emergency Response 
Team (ICS-CERT) has played a critical role in providing support 
to the owners and operators of critical infrastructure. Can you 
describe some of their capabilities and the work that they have 
done to assist private entities?
    Secretary Napolitano. Well, what they have done is to help 
isolate and identify--when they have been notified of attacks 
on industrial control systems, to help identify the source of 
the attack, the methodology with which it was conducted, to 
work with the infiltrated entity to prepare a patch, and then 
to make appropriate disclosures or sharing of information to 
other control systems that could be subject to a similar attack, 
either in that particular industry or in other industries.
    Chairman Lieberman. So on a voluntary basis, if I can put 
it this way, DHS has developed the capability and relationships 
in working with the private sector that will be strengthened by 
this legislation?
    Secretary Napolitano. Yes. Since the passage of the 
National Information Infrastructure Protection Act (NIIPA) in 
2006, we have been working with critical infrastructure through 
their Sector Coordinating Councils. There are a lot of names, 
but what it basically means is we have a process in place for 
dealing with the private sector and for exchanging some 
information on a voluntary basis. But that does not mean we get 
all of the necessary information we get from core critical 
infrastructure. That is one of the problems the bill addresses.
    Chairman Lieberman. Thanks very much. My time is up. 
Senator Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Madam Secretary, to follow up on a question that the 
Chairman asked you, it is my understanding that DHS has unique 
expertise in the area of industrial control systems that is not 
replicated at any other government agency. Is that correct?
    Secretary Napolitano. Yes.
    Senator Collins. And that is important because industrial 
control systems are a key part of critical infrastructure, like 
the electric grid and water treatment plants. Is that also 
correct?
    Secretary Napolitano. Yes, and when you think about it, if 
you have the ability to interrupt the control system, you can 
take down an entire protective network. You can interfere with 
all of the activities there. And the attacks on control systems 
are growing more and more sophisticated all of the time.
    Senator Collins. And could you tell us about work that is 
being done by DHS with your ICS-CERT Team and a National Lab 
with respect to the U.S. electric grid?
    Secretary Napolitano. Yes, we are working in both of those 
capacities with the National Labs, with the grids, in terms not 
only of mitigating attacks that have occurred, but also 
preventive measures that they can employ.
    Senator Collins. So you are doing training as well and 
helping the critical infrastructure owners and operators 
identify vulnerabilities?
    Secretary Napolitano. That is correct.
    Senator Collins. It is my understanding that in January the 
Administration transferred the Defense Department's Defense 
Industrial Base (DIB) cyber pilot program from DOD to DHS.
    Secretary Napolitano. That is right, the DIB pilot.
    Senator Collins. The DIB pilot program, as I understand it, 
shared classified cyber threat indicators with defense 
contractors in an effort to better defend systems that 
contained information critical to the Department's programs and 
operations. I understand that DHS is now the lead for 
coordinating this program with the private sector and that it 
is being expanded to other critical infrastructure sectors.
    Could you tell the Committee why the Administration decided 
to transfer this pilot program from DOD to the Department of 
Homeland Security?
    Secretary Napolitano. Well, the DIB pilot really gets to 
the division of responsibility between military and civilian, 
and what we are talking about here are private companies that 
do important defense contracting work, but they are in essence 
private companies. And so the authorities and the laws that we 
use are better situated in DHS, which deals in this context as 
opposed to DOD. So we have been working with DOD from the 
outset on the design of the DIB pilot, have been working with 
them on the initial aspects of it, and now as the decision was 
made to extend it and to grow it, the decision was also made 
that it is more appropriately located within the DHS.
    Senator Collins. The bill provides the authority to DHS to 
set risk-based performance standards for critical 
infrastructure. Do you believe that we can achieve great 
progress in improving our cybersecurity in this country absent 
that authority?
    Secretary Napolitano. I think it makes it tougher. We have, 
as I said in my testimony, the basic authority under the 
Homeland Security Act. We have authorities by various 
Presidential directives. But nowhere do we have explicit 
authority to establish on a risk-based level, on a risk-based 
basis, the protection necessary for critical infrastructure.
    Senator Collins. Finally, I think that a lot of people are 
unfamiliar with a lot of the work that the Department has 
already done in the area of cybersecurity, including the fact 
that there is a 24-hour, 7-day-a-week National Cybersecurity 
and Communications Integration Center (NCCIC).
    Secretary Napolitano. The NCCIC, yes.
    Senator Collins. Could you explain to the Committee and 
those watching this hearing how this center operates and what 
it does with respect to the private sector?
    Secretary Napolitano. You know, the NCCIC is really an 
integrated, 24/7 watch center for cyber, and it includes on its 
floor not only DHS employees but representatives from other 
Federal agencies, from critical infrastructure sectors that 
coordinate with us through the National Infrastructure 
Protection Plan (NIPP)--lots of acronyms in the cyber world and 
the government world. And then, finally, it also has 
representatives from State and local governments as well 
because a lot of the information sharing is applicable to them.
    Senator Collins. Thank you. Thank you, Mr. Chairman.
    Chairman Lieberman. Thanks very much, Senator Collins. 
Senator McCain.

              OPENING STATEMENT OF SENATOR MCCAIN

    Senator McCain. Mr. Chairman and Senator Collins, thank you 
for holding this hearing on the long-awaited Cybersecurity Act 
of 2012. Obviously, I welcome all of our witnesses, including 
Secretary Napolitano and my old friend Governor Ridge, who will 
have some different aspects and views on this bill, including 
in his testimony.
    I would like to state from the outset my fondness and 
respect for the Chairman and Senator Collins, especially when 
it comes to matters of national security, so the criticisms I 
may have with the legislation should not be interpreted as 
criticism of them but, rather on the process by which the bill 
is being debated and its policy implications.
    All of us recognize the importance of cybersecurity in the 
digital world. Time and again, we have heard from experts about 
the importance of possessing the ability to effectively prevent 
and respond to cyber threats. We have listened to accounts of 
cyber espionage originating in countries like China; organized 
cyber criminals in Russia; and rogue outfits with a domestic 
presence like ``Anonymous,'' who unleash cyber attacks on those 
who dare to politically disagree. Our own Government 
Accountability Office (GAO) has reported that over the last 5 
years, cyber attacks against the United States are up 650 
percent. So all of us agree that the threat is real.
    It is my opinion that Congress should be able to address 
this issue with legislation a clear majority of us can support. 
However, we should begin with a transparent process which 
allows lawmakers and the American public to let their views be 
known. Unfortunately, the bill introduced by the Chairman and 
Senator Collins has already been placed on the calendar by the 
Majority Leader, without a single markup or any executive 
business meeting by any committee of relevant jurisdiction. My 
friends, that is wrong.
    To suggest that this bill should move directly to the 
Senate floor because it has ``been around'' since 2009 is 
outrageous. First, the bill was introduced 2 days ago. Second, 
where do Senate Rules state that a bill's progress in a 
previous Congress can supplant the necessary work on that bill 
in the present one?
    Additionally, in 2009, we were in the 111th Congress with a 
different set of Senators. For example, the Minority of this 
Committee has four Senators on it presently who were not even 
in the Senate, much less on this Committee, in 2009. How can we 
seriously call it a product of this Committee without their 
participation in Committee executive business?
    Respectfully, to treat the last Congress as a legislative 
mulligan by bypassing the Committee process and bringing the 
legislation directly to the floor is not the appropriate way to 
begin consideration of an issue as complicated as 
cybersecurity.
    In addition to these valid process concerns, I also have 
policy issues with the bill.
    A few months ago, as Senator Lieberman mentioned, he and I 
introduced an amendment to the defense authorization bill 
codifying an existing cybersecurity Memorandum of Agreement 
(MOA) between the Department of Defense and the Department of 
Homeland Security. The purpose of that amendment was to ensure 
that this relationship endures and to highlight that the best 
government-wide cybersecurity approach is one where DHS 
leverages not duplicates DOD efforts and expertise. This 
legislation, unfortunately, backtracks on the principles of the 
MOA by expanding the size, scope, and reach of DHS and neglects 
to afford the authorities necessary to protect the homeland to 
the only institutions currently capable of doing so, U.S. 
Cybercommand and the National Security Agency.
    At a recent FBI-sponsored symposium at Fordham University, 
General Alexander, the Commander of U.S. Cybercommand and the 
Director of the NSA, stated that if a significant cyber attack 
against this country were to take place, there may not be much 
that he and his teams at either Cybercommand or NSA can legally 
do to stop it in advance. According to General Alexander, ``in 
order to stop a cyber attack, you have to see it in real time, 
and you have to have those authorities. Those are the 
conditions we have put on the table. Now how and what the 
Congress chooses, that will be a policy decision.''
    This legislation does nothing to address this significant 
concern, and I question why we have yet to have a serious 
discussion about who is best suited, which agency--who is best 
suited to protect our country from this threat we all agree is 
very real and growing.
    Additionally, if the legislation before us today were 
enacted into law, unelected bureaucrats at the DHS could 
promulgate prescriptive regulations on American businesses--
which own roughly 90 percent of critical cyber infrastructure. 
The regulations that would be created under this new authority 
would stymie job creation, blur the definition of private 
property rights, and divert resources from actual cybersecurity 
to compliance with government mandates. A super-regulator, like 
DHS under this bill, would impact free market forces which 
currently allow our brightest minds to develop the most 
effective network security solutions.
    I am also concerned about the cost of this bill to the 
American taxpayer. The bill before us fails to include any 
authorizations or attempt to pay for the real costs associated 
with the creation of the new regulatory leviathan at DHS. This 
attempt to hide the cost is eclipsed by the reality that the 
assessment of critical infrastructure, the promulgation of 
regulations, and their enforcement will take a small army.
    Finally, I would like to find out over the next few days 
what specific factors went into providing regulatory carve-outs 
for the IT hardware and software manufacturers? My suspicion is 
that this had more to do with garnering political support and 
legislative bullying than sound policy considerations. However, 
I think the fact that such carve-outs are included only lends 
credence to the notion that we should not be taking the 
regulatory approach in the first place.
    Because of provisions like these and the threat of a 
hurried process, a total of seven of us--ranking minority 
members on seven committees--are left with no choice but to 
introduce an alternative cybersecurity bill in the coming days. 
The fundamental difference in our alternative approach is that 
we aim to enter into a cooperative relationship with the entire 
private sector through information sharing rather than an 
adversarial one with prescriptive regulations. Our bill, which 
will be introduced when we return after the Presidents Day 
recess, will provide a common-sense path forward to improve our 
Nation's cybersecurity defenses. We believe that by improving 
information sharing among the private sector and government, 
updating our criminal code to reflect the threat cyber 
criminals pose, reforming the Federal Information Security 
Management Act, and focusing Federal investments in 
cybersecurity, our Nation will be better able to defend itself 
against cyber attacks. After all, we are all partners in this 
fight, and as we search for solutions, our first goal should be 
to move forward together.
    I also would ask permission to enter in the record a letter 
signed by Senator Chambliss, the Ranking Member on 
Intelligence; myself, Ranking Member on Armed Services; Senator 
Jeff Sessions, Ranking Member on Budget; Senator Michael B. 
Enzi, Ranking Member on the HELP Committee; Senator Hutchison, 
Ranking Member on the Commerce Committee; Senator Lisa 
Murkowski, Ranking Member on the Energy Committee; and Senator 
Chuck Grassley, Ranking Member on the Judiciary Committee; 
addressed to Senator Reid and Senator McConnell, in which we have 
asked that the legislation go through the regular process 
with the committees of jurisdiction having a say in this 
process.\1\
---------------------------------------------------------------------------
    \1\ The letter dated February 14, 2012, submitted by Senator McCain 
appears in the Appendix on page 61.
---------------------------------------------------------------------------
    So, Mr. Chairman, I thank you, and I yield the remaining 
balance of my time.
    Chairman Lieberman. No balance. [Laughter.]
    Senator McCain. Oh, wow, that is the first time that has 
ever happened.
    Chairman Lieberman. No, it is not. [Laughter.]
    Look, with the same fondness and respect that you expressed 
for Senator Collins and me when you started, I cannot conceal 
the fact that I am disappointed by your statement. This bill is 
essentially the one that was marked up by the Committee. But 
that is not the point. The point is that we have reached out 
not only to everybody who was possibly interested in this bill 
outside of the Congress, but opened the process to every Member 
of the Senate who wanted to be involved. We pleaded for 
involvement. And a lot of people, including yourself, have not 
come to the table.
    The most encouraging part of your statement is that you and 
those working with you are going to introduce some legislation, 
and we will be glad to consider it. The Senate should consider 
it. I think Senator Reid intends to hold an open amendment 
process on this bill. But you know, as you stated, that this is 
a critical national security problem, and to respond to it with 
business about regulation of business, this is national 
security. As Senator Collins said, there is regulation of 
business that is bad for business and bad for the American 
economy. There is regulation such as we have worked very hard 
to include in this bill that, in fact, is not only not bad for 
American business and not bad for the American economy but will 
protect American business and American jobs and help to 
guarantee more American economic growth.
    On the question of DOD and the intelligence community, I 
indicated for the record earlier that they have supported our 
bill this week. I hear what you said about General Alexander 
from NSA, but he has at no point, nor has the Department of 
Defense or the DNI, come before us and offered any suggestions 
for additions to this bill that would give him more authority. 
I would welcome those suggestions, if he wishes.
    So I had to be honest with you, as you have been honest 
with us, and express my disappointment and that the only 
satisfaction I have from your statement, which is that you are 
going to make a proposal that our colleagues in the Senate 
consider it. Senator Collins and I and the others working on 
this bill will consider it. And let us get something done on a 
clear and present danger to our country this year.
    Senator McCain. Well, Mr. Chairman, could I just briefly 
respond? I speak for seven ranking members of the major 
committees of jurisdiction. I do not speak just for myself. 
There is a breakdown somewhere if seven ranking members of the 
relevant committees are all joining in this opposition to this 
process and this legislation. So if you choose to neglect those 
many years of legislative experience and time in the Senate, 
that is fine. But there are seven of us that are deeply 
concerned about this process and the legislation, and we do not 
think it should go directly to the floor.
    Chairman Lieberman. I will say for the record that we have 
reached out to all seven ranking members in various ways to try 
to engage their involvement in this bill. I would have much 
rather preferred to submit a bill--and Senator Collins would 
have, too--that everybody had been involved in discussing. We 
were very open to trying to find consensus, as we did with 
other chairs who are here. So nobody is neglecting the 
expertise. I am saying I am sorry that they have not been 
engaged before, and I am glad they are going to be engaged now.
    Senator Moran.

               OPENING STATEMENT OF SENATOR MORAN

    Senator Moran. Mr. Chairman, thank you.
    Madam Secretary, this is my first opportunity to visit with 
you since the announcement about the President's budget, and I 
want to talk about a topic unrelated at least to cybersecurity, 
but certainly related to security. And the Chairman just spoke 
about clear and present danger. One that you and I have had a 
conversation about over a long period of time is related to our 
food and animal safety and security in this country. And as you 
can imagine and can expect the disappointment that I have, 
others in our congressional delegation have in regard to the 
President's failure to include dollars related to construction 
of the National Bio and Agro-Defense Facility (NBAF) to replace 
the aging Plum Island. You and I have had a number of 
conversations, and I will stay within my 6 minutes today to 
talk about this non-germane topic, but we will have a greater 
chance to visit in the Homeland Security Appropriations hearing 
in which you and I will be together in just a few days.
    But I would not want this opportunity to pass without again 
delivering the message to you and to the folks at the 
Department of Homeland Security who have throughout this 
process been our allies, and we consider that we have been your 
allies in an effort to see that a facility designed to make 
certain that the food and animal safety of this country is 
protected.
    And you and I had a conversation in March of last year, 
less than a year ago, that was in a Homeland Security 
Appropriations Subcommittee, and you told me that NBAF is 
something that we are very supportive of. Plum Island does not 
meet the Nation's needs in this area. There was a highly 
contested, peer-reviewed competition, and we look forward to 
continued construction. We believe that NBAF needs to be built, 
and we need to get on with it.
    Later, in September of that year, you talked about the 
future, we need to get prepared for the next generation, and, 
again, we need to be confronting the things that we face today 
and the things that we will face 10 years from now. That series 
has continued with your testimony and others from DHS, the U.S. 
Department of Agriculture, and I just would like for you to, I 
hope, reiterate the Department's, your position as Secretary, 
continued support and belief in the importance of building 
this facility and to explain to me the idea of a reassessment, 
which, as I read in press reports, is a reassessment in scope 
only, not in concerns about safety or concerns about location.
    Secretary Napolitano. That is right, Senator, and you are 
right, the President does not request in the budget an 
appropriation for the NBAF, in part because last year we 
requested $150 million. The House ultimately appropriated $75 
million, the Senate appropriated zero, we ended up with $50 
million, and a lot of extra requirements put on the project, as 
you just have stated.
    What we have done in this year's budget is allocate $10 
million that will go to related animal research at Kansas State 
University. I have talked this over with Governor Sam 
Brownback, among others. And in light of the Budget Control Act 
(BCA) and the other changed circumstances that we have to deal 
with, and in light of the fact that we have not been able to 
persuade the Congress to really move forward in a substantial 
way on funding the NBAF, we have recommended that there be a 
reassessment in terms not of location, not in terms of need, 
both of which I firmly stand by the position I have stated, but 
in terms of scoping and what needs to happen so that this 
project can move forward with the right level of appropriation.
    Senator Moran. Well, Madam Secretary, thank you. I would 
comment that the solution to lack of funding by Congress is not 
for the Administration to not request funding. The solution to 
that problem is continued support and encouragement for 
Congress to act. As you say, the House appropriated $75 million 
last year. In a conference committee with the Senate, it was 
agreed upon to $50 million. You also are requesting 
reprogramming for additional planning of money within this 
year's budget. Again, the money that is there needs to be spent 
as quickly as possible.
    I will be asking you by letter shortly to continue the 
funding of the $40 million that is available, is appropriated, 
and now as a result of the report filed this week can be spent 
to complete the Federal share of the utility portion of this 
facility.
    Based upon what I have heard you say and what I have read 
that you have said, it is not about location, it is not about 
the site, and it may be about the scope of what will occur. But 
the utility pad is still important and will be necessary, 
regardless of the scope of that project. So we are going to ask 
you to continue the funding that you already have committed to 
and are authorized to now spend this $40 million on utilities. 
And I would add to that point, we have appropriated $200 
million Federal dollars. The State of Kansas has put in nearly 
$150 million. This is a partnership. And we need the Federal 
Government to continue its partnership. In fact, on the utility 
portion, we are waiting on the share that you are now 
authorized to spend to be spent.
    I appreciate the answer to my question. I have considered 
you an ally and continue to consider you an ally. And my plea 
is let us work together to see that this Congress moves forward 
on an issue that is important, just as cybersecurity is, to the 
economic security and future of our Nation.
    Mr. Chairman, thank you.
    Secretary Napolitano. Senator, I would be happy to work 
together with you on this.
    Senator Moran. Thank you very much. We need your help.
    Chairman Lieberman. Thanks very much, Senator Moran.
    For the information of the Members, the order of arrival 
today now is Senators Landrieu, Pryor, Brown, Carper, Levin, 
and Johnson. Senator Landrieu is not here, so we will go to 
Senator Pryor.

               OPENING STATEMENT OF SENATOR PRYOR

    Senator Pryor. Thank you, Mr. Chairman. Thank you for this 
very important meeting. Always good to see you, Madam 
Secretary.
    Let me start, Madam Secretary, with a question about--I 
think you have already pretty much said that you feel like we 
need a statute, but I am curious about what specific authority 
you think your agency or the Federal Government does not have 
in this area that you need. What specific authority do you feel 
like you need to accomplish to achieve security in this area?
    Secretary Napolitano. Well, I think of the specific 
authorities that the statute contains, the most important is 
the ability to bring all of the Nation's critical 
infrastructure up to a certain base standard of security and to 
outline the process with which that will occur.
    Senator Pryor. And let me ask you a question on a different 
topic, I know that in reading some of the news stories, trade 
publications, etc., the private sector seems to have hesitation 
about sharing too much information, and understandably so. They 
may fear that a competitor will get information or it may 
create liability issues for them. But do we have an effective 
mechanism for the private sector stakeholders to share their 
best practices and potential threats and those concerns without 
raising issues of their own security and liability and even 
antitrust concerns?
    Secretary Napolitano. No. In fact, another major 
improvement in the bill over the current situation is it 
clarifies the kind of information sharing that can occur 
without violating other Federal statutes--antitrust, the 
Electronic Communications Privacy Act. We have had situations 
where we have had delay in being able to get information and to 
respond because the lawyers of a company or an entity had to 
first assess whether they would be violating other Federal law 
by alerting the Department of Homeland Security that an 
intrusion had occurred. And I think as you and I can both 
appreciate, when the lawyers get it, it can take awhile.
    Senator Pryor. We understand.
    Secretary Napolitano. So, again, the new bill would clarify 
that should not be a problem.
    Senator Pryor. And you are comfortable with how the new 
bill is structured in that area?
    Secretary Napolitano. Yes, I am.
    Senator Pryor. And let me ask about lessons learned. DHS 
has recently discussed--and it has been discussed about DHS--
that some of the work being done under the Chemical Facility 
Anti-Terrorism Standards (CFATS) program has not been done as 
quickly or as thoroughly as maybe it should have been. And as 
you know, this bill provides a requirement that DHS would do 
similar type assessments. Are there lessons learned in the 
CFATS experience that might indicate that we can put the 
problem behind us and we can comply with what this law would 
ask you to do?
    Secretary Napolitano. Yes, Senator. First of all, with 
respect to CFATS, no one is more displeased than I am with some 
of the problems that have occurred there, and there is an 
action plan in place, there are changes in personnel among 
other things. And that program is going to run smoothly, and 
now the security plans are being evaluated, the tiering has 
occurred and the like.
    Senator Pryor. And there are lessons learned there?
    Secretary Napolitano. And there are lessons learned, as 
there are in all things. And this bill is less prescriptive 
than CFATS. First of all, this is a very regulation-like bill. 
This is a security bill. This is not a regulatory bill per se. 
But in terms just of management and organization, yes, there 
are some lessons learned from CFATS.
    Senator Pryor. Great. And I know that a lot of times when 
we read news media accounts about cybersecurity and even as we 
discuss it among ourselves, oftentimes we tend to focus on 
large companies and breaches that large companies experience. 
But the truth is a lot of small and mid-sized companies carry a 
lot of sensitive information. Is DHS working with small to mid-
sized companies in any way to reach out to them to talk about 
best practices or anything like that?
    Secretary Napolitano. We conduct a lot of outreach 
activities with small and medium-size businesses on a whole 
host of cyber-related areas, so the answer is yes.
    Senator Pryor. Great. We always want to make sure that our 
small businesses are taken care of, and obviously if they are 
the weak link in the chain, that is a real problem.
    Secretary Napolitano. Well, Senator, as I continue to 
emphasize, when we are talking about the security of core 
critical infrastructure, if that goes down, a lot of these 
small businesses are dependent on that, and they will fail.
    Senator Pryor. Right. That is exactly right. Also, we often 
talk about the Federal Government, but also State governments 
have this same issue of cybersecurity, and obviously you are a 
former governor, former State Attorney General, as is the 
Chairman here, so you appreciate that State perspective. Are 
you working with States to try to talk about their best 
practices and lessons that you have learned?
    Secretary Napolitano. Yes, we are, and, indeed, we work 
with a multistate information system, and they are actually 
located or provide input into the NCCIC, the center that we 
talked about.
    Senator Pryor. Great. Mr. Chairman, that is all I have. I 
yield back the balance of my time. [Laughter.]
    Chairman Lieberman. Thank you, Senator Pryor. Next is 
Senator Carper.
    Senator Carper. Could I have his 14 seconds? [Laughter.]
    Chairman Lieberman. You got it.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Madam Secretary, good to see you. Good to 
see a former Secretary out there, a former governor out there, 
a former Congressman out there, Tom Ridge. Nice to see all of 
our witnesses. Thank you for being here.
    One of the things, as my colleagues know, I like to do in 
hearings like this is to see if we cannot develop some 
consensus. You can never have too much of that in the Senate or 
in the House, and my hope is that when we adjourn here today we 
will have identified not just where we have differences, but we 
will have identified where we can actually find some common 
ground. So I will ask a couple of questions with that in mind.
    I want to return to the comment of my colleague from 
Arizona who mentioned regulation, and with sort of a cautionary 
note, I just want to second what the Chairman said. Regulation 
can be a problem. It can be problematic. If we do not use 
common sense, if we do not look at cost/benefit analysis, it 
can be a bad thing.
    Having said that, I always remember meeting with a bunch of 
utility chief executive officers (CEOs) 6 or 7 years ago, 
during my first term in the Senate, and they were meeting with 
me about clean air issues--sulfur dioxide, nitrous oxide, 
mercury, and carbon dioxide. And we were trying to decide what 
our path forward should be.
    Finally, at the end of this meeting, the CEO from someplace 
down South, kind of curmudgeonly old guy, he said, ``Look, 
Senator, just do this. Tell us what the rules are going to be, 
give us some flexibility, give us a reasonable amount of time, 
and get out of the way.'' That is what he said. And I have 
always remembered those words, and I think they may apply here 
today.
    I want to thank the Chairman and our Ranking Member, Susan 
Collins, for calling our hearing and for working with me. The 
Chairman mentioned trying to open up, if you have an idea, 
bring it to us, and I think he has had an open door, and it is 
too bad that some have not taken full opportunity of that. But 
we have a lot of distractions around here, so sometimes that 
happens.
    We all know we are being attacked by hackers from across 
the world and closer to home, and it is likely to get worse, 
not better. And while some of the hackers are just there to 
cause mischief, some of them are there to steal ideas, steal 
our defense secrets, steal intellectual property, blackmail 
businesses and nonprofits, and to do worse.
    The challenges that I think we have here, I think they 
really need a bold plan and we need a road map--I call it a 
``common sense road map''--to move forward. And I hope, again, 
that we can move along that way today.
    I am especially pleased that the legislation that is being 
introduced includes a number of security measures that my staff 
and I have worked on with some of our colleagues for years to 
better protect our Federal information systems.
    Having said that, I would like to begin, Madam Secretary, 
by asking you a couple of questions about the Department's 
efforts in this area, if I could.
    As you know, I have been calling for some major changes to 
the laws that control how Federal agencies protect their 
information, our information systems. And when the Federal 
Financial Management, Government Information, Federal Services, 
and International Security Subcommittee that I chair first 
looked at this issue several years ago, we found that Federal 
agencies were wasting millions of dollars on reports that 
nobody read and hardly anybody understood and they did not make 
us any safer.
    The bill that is before us today includes many improvements 
to the so-called Federal Information Security Management Act, 
affectionately known as FISMA, and that will ensure, we hope, 
our Federal agencies are actively monitoring and responding to 
threats, not just writing paper reports about them.
    From what I understand, many agencies are already taking 
many steps to improve their security networks, largely because 
of the action you have taken in your Department to make FISMA 
more effective despite the outdated statute. I commend you for 
being proactive in this area and for putting forward a budget 
request that would ensure that your Department has the 
resources it needs to address this growing area of 
responsibility.
    Can you describe some of the current limitations of FISMA 
for us and why this legislation and some of the new tools we 
give you just might be needed?
    Secretary Napolitano. Well, I think, just stepping back, 
one of the key things that this bill would do is by clarifying 
and centralizing where the authorities lie within the 
government and how those relate to the FISMA, among other 
things, so that it really sets, as you say, the common-sense 
road map for how we move forward.
    You know, we have done a lot with the civilian networks of 
the government. As you know, they have been repeatedly and they 
are increasingly attempted to be infiltrated and intruded upon 
all the time. We have almost completed the deployment of what 
is known as EINSTEIN 2. We are working on the next iteration.
    We have also in the President's budget request asked for a 
budget that would be held by the Department of Homeland 
Security but would be used to help improve or raise the level 
of IT protection within the civilian agencies.
    Senator Carper. All right. Thank you.
    Just very quickly, if I could follow up just to get more 
specific, could you just talk a little bit more about what your 
Department will be able to achieve with what the President has 
requested, I think $200-some million for Federal network 
security, and how this legislation will impact those 
activities. You talked to it a little bit, but could you just 
drill down on that just a little for us?
    Secretary Napolitano. Right. And I can give you more detail 
on it, but basically what we will be able to do is have a fund 
out of which we can make sure that the civilian agencies of 
government are deploying best practices, hiring qualified 
personnel, in other ways strengthening their own cybersecurity 
within the Federal Government.
    Senator Carper. All right. Thanks.
    Mr. Chairman, if I could just say in conclusion, one of the 
things that I hear a lot from businesses across the country and 
certainly in Delaware is they want us to provide for them 
certainty and predictability, and one of the things we are 
trying to do with this legislation and the regulations that may 
flow from it is just that, predictability and certainty. And 
with that in mind, I would say to our witnesses that are 
following, again, it would be really helpful if you all could 
figure out ways in your testimony not just to kind of divide us 
but help bring us together. That would be enormously helpful, 
not just to the Committee and to the Senate, but I think to our 
country. Thank you.
    Chairman Lieberman. Thank you, Senator Carper. Senator 
Levin.

               OPENING STATEMENT OF SENATOR LEVIN

    Senator Levin. Thank you very much, Mr. Chairman and our 
Ranking Member, for taking the initiative on this with other 
colleagues. Thank you, Madam Secretary, for all the work that 
the White House did on a similar bill which you had worked on, 
which I understand is basically part of now this pending bill 
which is on the calendar.
    I am trying to understand what the objections are to the 
bill because it seems to me there is a whole bunch of 
protections in here for the private sector. As I have read at 
least a summary of the bill--and I have not read the bill yet--
there is a self-certification or a third-party assessment of 
compliance with the performance requirements. I understand 
there is an appeal of those requirements if there is objection 
to it. I understand and believe that the owners of covered 
critical infrastructure that are in substantial compliance with 
the performance requirements are not liable for punitive 
damages which arise from an incident related to a cybersecurity 
risk.
    So you have here something unusual, I believe, actually, 
for the private sector, which is a waiver of punitive damages. 
I do not know that it is unique, but I think it is fairly 
unique in legislation to waive the possibility of punitive 
damages in case of a liability claim.
    There are a number of other protections in the privacy 
area, as I read the summary of this bill, for the information 
which must be provided where there is a significant threat 
which is identified. I am trying to identify--and I am not 
going to be able to stay to hear from the next panel as to what 
the objections are. I surely will read the letter from the 
opponents and will study the bill that Senator McCain referred 
to. But I am trying to the best of my ability as we go along to 
see exactly what those objections are. There seems to be 
privacy protection here. There seems to be self-certification 
here which avoids part of a bureaucracy at least. There are 
limits on liability where there is a good-faith defense for 
cybersecurity activities, as the bill's heading says. There are 
a number of other protections.
    I do not want you to argue for the people who have 
problems, obviously, but I would like you, to the best of your 
ability, to address what you understand are the key objections. 
We will hear them directly. We will read about them. But I 
think if you can, give us your response to them so we can have 
that for the record as well.
    Secretary Napolitano. Well, I think there are three kind of 
clusters. The first is that the bill is a regulatory bill, and 
it will be burdensome to industry to comply. And the answer is 
it is a security bill, not a regulatory bill. It really is 
designed with making sure we have a basic level of security in 
the cyber structures of our Nation's core critical 
infrastructure and that we have a way to exchange information 
that allows us to do that without private sector parties being 
afraid of violating other laws. And so this is not what one 
would consider a regulatory bill at all, and as Senator Collins 
said, it really is designed to protect the American economy, 
not to burden the American economy.
    The second set of objections would, I think, revolve around 
the whole privacy area, but as the ACLU itself acknowledged, 
this bill really has done a very good job of incorporating 
those protections right from the get-go. And realize one of the 
reasons why DHS has the role it does is because we have a 
privacy office with a chief privacy officer who will be 
directly engaged in this. So the bill, I think, really 
addresses some of those privacy concerns.
    And the third cluster would be--and I think Senator McCain 
kind of alluded to it--that it somehow duplicates the NSA. We 
do not need another NSA, and we do not need to clarify the 
authorities or the jurisdiction of the DHS. And I think there 
is a misconception there. The plain fact of the matter is, as 
the Chairman of the Joint Chiefs and Secretary Panetta and 
others have recognized, both the DOD and the DHS use the NSA, 
but we use it in different ways. So we are not duplicating or 
making a redundant NSA. We are taking the NSA and using it to 
the extent we can within the framework of the bill to protect 
our civilian cyber networks.
    Senator Levin. And I understand that the Department of 
Defense basically supports this legislation. From what I can 
understand at least it does. Is that your understanding as 
well?
    Secretary Napolitano. I think not just basically. I think 
wholeheartedly.
    Senator Levin. And in terms of the privacy concerns, those 
concerns are met with the privacy officer. But in terms of the 
information which is supplied where there has been a threat, 
that information when it is submitted to a government entity is 
protected.
    Secretary Napolitano. Right. The content is not shared. It 
is the fact of the intrusion----
    Senator Levin. Tell us more about that protection.
    Secretary Napolitano. Yes, content is not shared. The 
information shared requires minimization. It requires 
elimination of personally identifiable information, all the 
things necessary to give the public confidence that their own 
personal communications are not being shared. So it is the fact 
of the intrusion, the methodology, the tactic used, the early 
warning indicators, all of those sorts of things are to be 
shared, but not the contents of the communication itself.
    Senator Levin. Thank you. Thank you, Mr. Chairman.
    Chairman Lieberman. Thanks very much, Senator Levin. That 
was a really helpful exchange.
    Senator Johnson.

              OPENING STATEMENT OF SENATOR JOHNSON

    Senator Johnson. Thank you, Mr. Chairman. Madam Secretary, 
nice to see you again.
    First of all, I would like to say to Senator Lieberman and 
Senator Collins, I appreciate your work on this. This is, I 
think, critically important. It is also incredibly complex.
    Is it appropriate for me to ask you a question, Mr. 
Chairman? I am new here. I do not want to be breaking protocol.
    Chairman Lieberman. I may have to consult my counsel, but 
go ahead.
    Senator Johnson. You know, I share some of the concerns of 
Senator McCain, and because this is so important--it is 
certainly not a good way to start out the process. I mean, sort 
of in light of his objection and those of the other ranking 
members, are we going to consider not taking this to the floor 
directly or, I mean, is that going to be reconsidered on that 
basis?
    Chairman Lieberman. I do not believe so. I mean, I suppose 
if people want to raise the question, but I think there has 
been a long process here. Bills have been reported out of this 
Committee, out of Commerce, Intelligence, Foreign Relations had 
some stuff, all done--not all done on a bipartisan basis, but 
most of them were. Senator Reid got really agitated about this 
problem last year and began to convene the chairs and then held 
a joint meeting, which in these times is very unusual, a 
bipartisan meeting. Senator Reid and Senator McConnell urged 
the chairs and ranking members of all the committees to begin 
to work together to reconcile the differences. Some came to the 
table, as I said; some did not. We worked very hard to try to 
bring people in. I cannot speak for Senator Reid, but I think 
his intention is to take the bill that is the consensus bill 
now and bring it to the floor under his authority under Rule 
XIV, but to have a really open amendment process.
    So I do not think anybody is going to rush this through, 
and there will be plenty of time for people to be involved. I 
am sure I speak for Senator Collins: We are open to any ideas 
anybody has.
    Senator Johnson. I appreciate that. This is just really 
important to get right, so I would be concerned with that.
    Chairman Lieberman. I could not agree more. To me, the most 
important thing is to get it right, but also as quickly as we 
possibly can get it right, we should get it enacted.
    Senator Johnson. OK.
    Chairman Lieberman. Because the crisis, the threat is out 
there. Senator Collins.
    Senator Collins. Mr. Chairman, if I could just add one 
thing, and that is, this legislation has gone through a lot of 
iterations. It was reported first in 2010. I realize Senator 
Johnson was not part of the Committee at that point.
    Senator Johnson. I am one of those new guys.
    Senator Collins. But our staff has shared with the 
Senator's staff draft after draft after draft, invited them to 
briefings. I know the Senator has come to some of the 
classified briefings that we have had as well. So we have 
invited input from the Senator's staff.
    Senator Johnson. Again, I am sincere in my appreciation of 
the work you are doing in this, and in a desire to get this 
right and move some legislation. So with that in mind, I know 
the House has worked on a bipartisan bill, H.R. 3523, which is 
just a very slimmed down version, probably an important first 
step, really trying to get information to be shared between the 
government and the private sector. Is that something you can 
support in case this thing gets all snagged up, maybe move 
toward something like that?
    Secretary Napolitano. Well, I would have to go back and 
look at that, but I think that there may be some parts of that 
are included within this bill. But this bill is a much stronger 
and more comprehensive focus on what we actually need in the 
cybersecurity area given the threats that are out there.
    Senator Johnson. In terms of the carve-outs, I was talking 
to somebody who is far more knowledgeable about this than I am, 
and that was one of the big questions this individual 
expressed. If you are really trying to create cybersecurity, 
why would you carve out Internet Service Providers (ISPs), I 
mean, the people at the heart of it? It is kind of as if you 
are going to steal money, you go to the bank where it is. I 
mean, why would we carve out the service providers?
    Secretary Napolitano. I think from our standpoint, if you 
focus on the Nation's critical infrastructure and you really 
focus on the standards they have to meet, and you want to avoid 
some of the complexities that deal with like the ISPs and the 
like and where they are located and international jurisdiction, 
among other things, the carve-out is appropriate. In fact, it 
helps move the legislation along.
    Senator Johnson. Have you done a cost assessment in terms 
of the cost of complying with these regulations?
    Secretary Napolitano. Well, I think talking about cost is 
important here. It is not our intent to have an undue cost on 
the core critical infrastructure of this country. It is, 
however, our belief that the costs of making sure you practice 
a common base level of cybersecurity, it should be a core 
competency within the Nation's critical infrastructure. And so 
while we do not want an undue cost, we do want a recognition 
that this is something that needs to be part of doing business.
    Senator Johnson. Has there been an attempt to quantify that 
or will there be an attempt to quantify the cost of complying?
    Secretary Napolitano. I do not know. I would imagine, just 
thinking about it, that there will be many entities that 
already are at the right level. But, sadly, there are others 
that are not. And given that we are only talking about 
infrastructure that if intruded or attacked would have a really 
large impact on the economy, on life and limb, on the national 
security, we are talking about a very narrow core part of the 
critical infrastructure. The fact that they all have to reach a 
base level is a fairly minimal requirement.
    Senator Johnson. Just one last quick question. I am aware 
that the Chamber of Commerce is not for this bill, and the 
American Bankers Association. Do you have a list of private 
sector companies that have to comply with this that are in 
favor of it?
    Secretary Napolitano. Oh, there are a number of them, and I 
think they have been in contact with the Committee, but we can 
get that for you.
    Senator Johnson. I appreciate that. Thank you, Mr. 
Chairman.
    Chairman Lieberman. Thanks, Senator Johnson.
    Secretary Napolitano, I appreciate your testimony very 
much. You made a really important point here, I think, first 
off that we define the group of owners and operators of private 
cyberspace in our country that are ultimately regulated here, 
that can be forced to meet the standards very narrowly, to 
include only those sectors which, if they were attacked, cyber 
attacked, would have devastating consequences on our society. 
So you are right. Obviously, it will cost some to enforce this, 
to carry it out, but it will be a fraction of what it would 
cost our society if there was a successful cyber attack. And I 
go back to the initial question. After 9/11, we just could not 
do enough to protect ourselves from another 9/11. And we have 
the opportunity here to do something preemptively, 
preventively, methodically, and at much less cost to our 
society overall.
    Secretary Napolitano. That is right, Mr. Chairman, and I 
think as you and I both noted, and I think Senator Collins did, 
in our opening statements, it is our responsibility to be 
proactive and not just reactive. We know enough now to chart a 
way ahead, and the bill does that.
    Chairman Lieberman. Yes, I agree. If we do not legislate, 
we do not create a system of protection of American cyberspace, 
and God forbid there is an attack, we are all going to be 
rushing around frantically to sort of throw money at the 
problem, and it is going to be after a lot of suffering that 
occurs as a result. So we have a real opportunity to work 
together. Nobody is saying this bill is perfect. I think it is 
very good after all it has been through. But the process 
continues. You have been very helpful today. I thank you very 
much, and we look forward to working with you. Senator Collins.
    Senator Collins. Thank you, Mr. Chairman. I, too, want to 
thank the Secretary for her excellent testimony and the 
technical assistance of the Department.
    General Dempsey, Chairman of the Joint Chiefs of Staff, made 
a very clear statement at a hearing before the Armed Services 
Committee earlier this week. And General Dempsey said, ``I want 
to mention for the record that we strongly support the 
Lieberman-Collins-Rockefeller legislation dealing with 
cybersecurity.'' So the Secretary's comment in response to the 
question of Senator Levin about where does the Department 
stands, when she said ``wholeheartedly,'' is exactly right. And 
the Department testified to that effect.
    Chairman Lieberman. Thank you, Secretary Napolitano. Have a 
good rest of the day.
    Secretary Napolitano. Thank you.
    Chairman Lieberman. We will call the final panel. Secretary 
Ridge is first. I know you are under a time pressure. I 
apologize for keeping you later than we had hoped, Secretary 
Ridge, but we have you, then Stewart Baker, James Lewis, and 
Scott Charney.
    Gentlemen, thank you for your willingness to be here to 
testify and for your patience, although it got pretty 
interesting at times during the hearing, didn't it?
    Secretary Ridge, in a comment that only you and I and two 
other people would appreciate, I do not think we will be going 
to the Common Man together tonight. That is another story.
    Mr. Ridge. I do not think so. But I would welcome the 
opportunity anytime you are ready.
    Chairman Lieberman. Thanks very much for being here. We 
will hear your testimony, and then we will understand if you 
have to go because I know you have another engagement and you 
are already late. Please proceed.

   TESTIMONY OF HON. THOMAS J. RIDGE,\1\ CHAIRMAN, NATIONAL 
         SECURITY TASK FORCE, U.S. CHAMBER OF COMMERCE

    Mr. Ridge. Thank you very much. First of all, let me tell 
you what a pleasure it is to be back before the Committee. As I 
have told you before, my 12 years in the Congress of the United 
States I did enjoy being on that side of the table rather than 
this, but every time I have appeared before this Committee, the 
engagement has been civil, constructive, and substantive, and I 
hope I have been able to contribute. And I hope the fact that 
we agree in part and disagree in part today and there is 
significant agreement and disagreement does not preclude 
another invitation at another time. So it is a great pleasure 
to be before you.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Ridge appears in the Appendix on 
page 78.
---------------------------------------------------------------------------
    I testify today on behalf of the U.S. Chamber of Commerce, 
which, as you well know, is the world's largest business 
federation representing the interests of more than 3 million 
businesses and organizations of every size, every sector, 
throughout every region in this country.
    For the past year and a half, I have chaired the Chamber's 
National Security Task Force, which is responsible for the 
development and implementation of the Chamber's homeland and 
national security policies. And very much consistent with the 
President's concern, this Committee's concern, concerns on both 
sides of the aisle, you are probably not surprised that 
cybersecurity has been at the top of the list. When we have met 
with dozens and dozens of private sector companies and their 
vice presidents for security, be it bricks and mortar or cyber, 
this is very high, maybe at the top of their list right now.
    So it is in my capacity as chairman but hopefully with a 
perspective also as the first Secretary of Homeland Security 
that I thank you for this opportunity to appear before you 
regarding cybersecurity and ways in which we can secure 
America's future.
    At the very outset, Senator Lieberman and Senator Collins, 
one of the perspectives that I do want to share with you is 
that you need to add the Chamber of Commerce to the chorus of 
people sounding the alarm. They get it. And why do they get it? 
Because the infrastructure that we are worried about that 
protects America's national interest and supports the Federal, 
State, and local governments is the infrastructure that they 
operate. And in addition to being concerned about the impact of 
cyber invasion and incursion on their ability to do their job 
on behalf of the Federal Government, they also have 300 million 
consumers one way or the other they have to deal with.
    So they join you, they join that chorus, not only in terms 
of the urgency of dealing with the threat, but I would dare 
say, and I say respectfully, they are probably better 
positioned to be able to calculate the consequences of systemic 
failure vis-a-vis a cyber attack than even an agency in the 
Federal Government. And on top of that, they have their 
interests to protect, fiduciary interests for shareholders if 
they are publicly traded. They have their employees. They have 
the communities they work in. They have the consumers. They 
have the suppliers. So we are in this together, and I think it 
is very important for you to understand that the Chamber joins 
the chorus that appreciates both the urgency of dealing with 
something, and I would say respectfully better understands from 
a macro level the horrific consequences to them and to their 
community and to their brand, their employees, and to this 
country from a significant cyber attack.
    As you also know, the industry for years has been taking 
robust and proactive steps to protect and make their 
information networks more resilient. There has been much 
discussion with regard to process here, and let me just talk 
very briefly, and I am going to ask unanimous consent to get 
another minute or minute and a half, and I apologize for that. 
But as the first Secretary, I remember the national strategy 
that we created in 2002 talked about securing America, but we 
did not talk just about people, we did not just talk about 
bricks and mortar; we talked about cyber attacks as well.
    In 2003, as has been referenced by Secretary Napolitano, 
the enabling legislation talked about cyber attacks as well. 
You move from the enabling legislation that creates the 
Department, and then you get Homeland Security Presidential 
Directive 7 (HSPD-7), and in anticipation of testifying I read 
what HSPD-7 says. It says, ``Establish a national policy for 
Federal departments and agencies to identify and prioritize 
United States critical infrastructure and key resources and to 
protect them from terrorists.'' It goes on to talk about 
protection from cyber attack as well.
    In 2006, the National Infrastructure Protection Plan was 
established. The NIPP, updated in 2009, encompasses all that 
had gone on before to protect critical infrastructure and is 
specifically based on HSPD-7. The NIPP helped to create the 
Sector-Specific Agencies and the Sector Coordinating Councils--
the point being that we do not need a piece of legislature, at 
least from the Chamber's point of view, that would identify and 
regulate critical infrastructure. We have been working on that 
for 10 years. It started with the enabling legislation, and you 
understand that process.
    Where we tip the hat because compared to the first mark of 
the President's bill to this market, the information sharing, 
although we would probably like to tinker with it a little bit, 
is a vast improvement from the one that was initially placed 
and initially considered by the Administration. And, again, we 
are not ready to embrace it in its totality, but the concept, 
the direction, and the focus of it being bilateral we believe 
is the way to go.
    So at the end of the day, with regard to covered critical 
infrastructure (CCI), there is really in our judgment no real 
need for that. We already have the process in place. People 
have been working together for 10 years, personal and 
institutional relationships to develop what that critical 
infrastructure is. You have cybersecurity experts in these 
Sector-Specific Agencies. So not only do you take a definition 
that appears to have no walls, ceilings, or floors, but it 
appears to be redundant.
    And, second, it does--somebody used the word 
``requirements.'' And one of the great concerns we have is that 
requirements and prescriptions are mandates, mandates are 
regulations, and, frankly, the attackers and the technology 
moves a lot faster than any regulatory body or political body 
will ever be able to move.
    So, in my judgment--and, again, we need to talk--the 
Chamber agrees. The sections in here with regard to the 
international component, the public awareness component, the 
FISMA component, and some of the others, we applaud and 
celebrate. And hopefully if you tied those together, if you are 
looking to really deal with this in an immediate way as quickly 
as possible with a more robust information-sharing proposal, 
marry it with the House and then you will have that bipartisan 
agreement.
    So I was hurried. I appreciate and respectfully request 
that my full statement be included as part of the record, and 
thank you for the opportunity of appearing before you.
    Chairman Lieberman. Thanks, Mr. Secretary, and we will 
definitely include your statement in full in the record.
    Am I right that you have to leave?
    Mr. Ridge. You were, but I think it is a little too late. I 
appreciate that.
    Chairman Lieberman. Can you stay?
    Mr. Ridge. I am prepared to stay to answer questions. I can 
leave at 6 o'clock instead of 5 o'clock. I have to be on a 
plane--but thank you for asking.
    Chairman Lieberman. Do you want us to ask you a few 
questions now and then have you go? Or with the sufferance of 
the----
    Mr. Ridge. I think that in deference, it is a little late 
to get there, so I appreciate that.
    Chairman Lieberman. I am going to yield to Senator Collins, 
and if there is anything left to ask when she is done---- 
[Laughter.]
    Senator Collins. Thank you, Mr. Chairman.
    First, Secretary Ridge, as you know, I have the greatest 
respect and affection for you personally and the greatest 
respect for the Chamber of Commerce, which is why I am 
disappointed that we do not see this issue exactly in the same 
way.
    I would also note a certain irony since the Chamber itself 
was under cyber attack by a group of sophisticated Chinese 
hackers for some 6 months at least, during which time the 
hackers had access to apparently everything in the Chamber's 
system, and the Chamber was not even aware of the attack until 
the FBI alerted the Chamber in May 2010. So there is a little 
bit of irony, but I will assure you that under our bill the 
Chamber is not considered critical infrastructure. [Laughter.]
    Mr. Ridge. But Senator, you raise a very interesting point, 
and I guess the question I have, if it is not critical 
infrastructure but a significant organization representing the 
critical economic infrastructure of America, why in the world 
did the FBI delay informing the organization that represents 
the economic infrastructure of America? Somebody ought to ask 
that question. Frankly, I have heard some cases where people in 
the private sector have reported potential--this has not been 
verified--incidents to the Federal Government and they said, 
``We knew.'' What do you mean you knew?
    Senator Collins. Well, that is one reason----
    Mr. Ridge. You cure some of that problem.
    Senator Collins. I was just going to point to that. We have 
very robust information-sharing provisions in our bill that 
will cure that very problem.
    But the fact is, in drafting this latest version of our 
bill, we have taken to heart many of the concerns raised by the 
Chamber, and, thus, just to clarify exactly where the Chamber 
is on these issues, I do want to ask your opinion on some of 
the changes that we have made in direct response to the 
Chamber's concerns.
    For example, we now have a provision that says that 
entities that are already regulated by existing regulations 
would be eligible for waivers and entities able to prove that 
they are sufficiently secure would be exempted from most of the 
requirements under this bill. The bill would require the use of 
existing cybersecurity requirements and current regulators.
    Does the Chamber support those changes that were 
incorporated in response to the Chamber's concerns?
    Mr. Ridge. Well, I think you have incorporated several 
changes, Senator Collins, and I cannot speak directly, but I 
believe that is one of them. And I think it also goes to the 
point, however, that some of that oversight is being done 
within the existing process and protocol, and with the dramatic 
potential changes in information sharing, it is a system that 
will work.
    One of the questions I had when I listened to the chorus of 
people who support the bill, I just wondered if the Secretary 
of Defense believes that the Defense Industrial Base likes the 
cyber model of information sharing that was announced by the 
Department of Defense in June 2011 or they would prefer to be 
regulated. I think there are some unanswered questions here.
    But I think the point that I want to be very strong about, 
Senator Collins, is that you have heard some of the concerns, 
and we are grateful for that.
    Senator Collins. Well, that is my point as we, frankly, 
have bent over backwards to try to listen to legitimate 
concerns without weakening the bill to the point where it can 
no longer accomplish the goal.
    Another important provision of the bill is that the owners 
of critical infrastructure, not the government, not DHS, would 
select and implement the cybersecurity measures that they 
determine are best suited to satisfy the risk-based performance 
requirements. Does the Chamber support having the owners of the 
infrastructure decide rather than government mandating specific 
measures?
    Mr. Ridge. Well, I think, again, if I recall and interpret 
your legislation correctly, the Chamber likes the notion and 
embraces the notion that the Sector-Specific Agencies, the 
respective departments and agencies who have the Sector 
Coordinating Councils, have been working on identifying 
critical infrastructure and sharing the kind of information 
that we think is necessary to not immunize us completely 
because the technology and the hacking procedures are going to 
change, but to dramatically reduce the risk. In fact, it is in 
everybody's interest, particularly the owners, to move as 
quickly as possible.
    The logic that has been applied to relieving, I guess, 
Cisco, Microsoft, and others so they can move adroitly and 
respond to the risk seems to me would be pretty decent logic to 
apply to everybody else in the economy as well who do not want 
to be burdened by a series of regulations or prescriptive 
requirements.
    Senator Collins. Well, since the private sector under our 
bill is specifically involved in creating the standards, I do 
not see how that produces burdensome standards since the 
Secretary has to choose from the standards that the private 
sector develops. Again, another change that we strengthened in 
our bill.
    Another question that I would have for you, I assume that 
the Chamber supports the liability protections that are 
included in this bill, so that if a company abides by the 
performance standards and there is an attack anyway, the 
company is immune from punitive damages.
    Mr. Ridge. Well, they have not tapped me on the shoulder, 
but I presume they do.
    Senator Collins. Well, in back of you a young woman is 
nodding vigorously.
    Mr. Ridge. I presume they do. If I were the Chamber, I 
would certainly encourage them to embrace that wholeheartedly.
    Senator Collins. Well, my time has expired, but my point is 
that there are many provisions in this bill that we changed in 
direct response to input from the Chamber, and I would like the 
Chamber to acknowledge that.
    There is one final point that I want to make. When you were 
talking about that CEOs are invested in cybersecurity because 
of the impact on their customers and their clients, and so it 
is in their own self-interest, I cannot tell you how many chief 
information officers (CIOs) with whom I have talked who have 
told me, ``If only I could get the attention of the CEO on 
cybersecurity. We are not investing enough, we are not 
protecting our systems enough, and it is just not a priority 
for the CEO.''
    So I would suggest to you to talk to some CIOs because I 
think you would get a totally different picture.
    Mr. Ridge. Well, I appreciate that, Senator Collins. You 
know, I am familiar with quite a few major companies in America 
and what they are doing with regard to cyber, and my experience 
is 180 from yours. I realize that there are probably some 
people out there--I do not imagine too many organizations--and 
anybody in an organization would like a little bit more money 
to enhance their capability to safeguard or to manage the risk. 
But I will take you at your word that there may be some CIOs 
who feel very strongly and have reflected that in their 
statements to you.
    I think at the end of the day, though, I think you have 
made a valuable contribution. You have listened to the Chamber. 
We applaud those things we agree with, and we are just going to 
respectfully disagree that you are going down the path very 
similar to what we are concerned about, a prescriptive regimen. 
I notice some of the literature talks about a light touch, but 
a light touch can turn into a stranglehold if it goes too far 
down the process. And if you take a look at the Chemical 
Facility Anti-Terrorism Standards, what was to be a light touch 
may become very prescriptive, because once the legislation was 
passed, there were Members of Congress, your colleagues, who 
said, well, that is not enough and we may need very specific 
technology and we need very specific regulations.
    So, again, it is that slippery slope that I think they are 
most concerned about, and I very much appreciate you giving me 
a chance to articulate it before the Committee.
    Senator Collins. Thank you, Mr. Chairman.
    Chairman Lieberman. Thanks, Senator Collins.
    I have no further questions, Secretary. Thanks for being 
here. We are glad to liberate you to catch the next plane.
    Mr. Ridge. Well, you are very kind. I thank you. It has 
been my great pleasure, and as I said before, I look forward to 
future opportunities, in the ``what it is worth'' department, 
to share my thoughts with this Committee. I thank my friends.
    Chairman Lieberman. We do, too.
    Mr. Ridge. Senator Akaka, best wishes to you, sir. Thank 
you.
    Chairman Lieberman. Thank you.
    Stewart Baker is our next witness, currently a partner in 
the law firm of Steptoe and Johnson, former General Counsel for 
the much mentioned today NSA from 1992 to 1994 and Assistant 
Secretary at DHS from 2005 to 2009 during which time we 
benefited greatly from your counsel and service. Thanks for 
being here, and we would welcome your testimony now.

  TESTIMONY OF HON. STEWART A. BAKER,\1\ PARTNER, STEPTOE AND 
                          JOHNSON LLP

    Mr. Baker. It is a great pleasure. Thank you, Chairman 
Lieberman, Senator Collins, and Senator Akaka. It is a 
nostalgic moment to come back here, and I want to congratulate 
you on your achievement in moving this bill in a comprehensive 
form as far as it has gone. It is a very valuable contribution 
to our security.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Baker appears in the Appendix on 
page 83.
---------------------------------------------------------------------------
    I just have two points, but before I do that, I thought I 
would address the Stop Online Piracy Act analogy, the idea that 
this is like SOPA and the Internet will rise up to strike it 
down.
    I am proud to say, if I can channel Senator Lloyd Bentsen 
for a minute, I knew SOPA, I fought SOPA, and, Mr. Chairman, 
this bill is no SOPA. [Laughter.]
    Chairman Lieberman. Hear, hear.
    Mr. Baker. In fact, I opposed SOPA for the same reason that 
I support this bill. As a Nation, as a legislature, our first 
obligation is to protect the security of this country. SOPA 
would have made us less secure, to serve the interests of 
Hollywood. This bill will make us more secure, and that is why 
I support it.
    Just two points on why I believe that. We know today the 
most sophisticated security companies in the country have been 
unable to protect their most important secrets. This shows us 
how deep the security problem runs. We also know from direct 
experience, things that I saw when I was at DHS and that have 
emerged since, that once you penetrate a network, you can break 
it in ways that leave behind permanent damage. You can break 
industrial control systems on which refineries, pipelines, the 
power grid, water, and sewage all depend. And we have had a lot 
of analogies today about how this is like September 10, 2001. 
If you want to know what it would be like to live through an 
event where someone launches an attack like this, the best 
analogy is New Orleans, the day after Hurricane Katrina hit. 
You would have no power; you would have no communications. But 
you also would not have had the warning and the evacuation of 
most of the city's population, and you would not have the 
National Guard in some safe place, ready to relieve the 
suffering. It could, indeed, be a real disaster, and we have to 
do something to protect against that possibility. That is not 
something the private sector can do on its own. They are not 
built to stand up to the militaries of half a dozen countries, 
and that is why it is important for there to be a government 
role here.
    I do think that with this bill--in contrast to the views of 
the Chamber--you may have gone a little far in accommodating 
them, and I will just address one point that I think is 
particularly of concern.
    I fully support the idea that there should be a set of 
performance requirements driven by the private sector, 
implemented by the private sector, and with private sector 
flexibility to meet them as they wish. But the process of 
getting to that and then getting enforcement is time-consuming. 
It could take 8 years; it could take 10 years if there is 
resistance from industry or a particular sector. And it may be 
worth it to take that time to get standards that really are 
something that the private sector buys into and is willing to 
live with. But I think we have to recognize that in the next 8 
to 10 years we could have an attack. We could have an incident. 
We could have some very serious trouble or a threat that 
requires that we move faster than that statutory framework 
would suggest.
    And so I would suggest that if there is one change that I 
would make to this bill, it is to put in a provision that says 
that in an emergency, where there really is an immediate threat 
to life and limb, the Secretary has the ability to compress all 
of the time frames and to move quickly from stage to stage so 
that if we only have a week to get the grid protected, she is 
in a position to tell the power companies, ``You will be here 
on Tuesday and bring your best practices because by Friday you 
are going to have to start implementing them because we know 
there is an attack coming this week.'' That is something that 
we need to be able to do and to have the flexibility to do. 
Thank you.
    Chairman Lieberman. Very helpful. Thank you very much. We 
will talk more about that.
    Dr. Jim Lewis, thanks for being here. He is Director and 
Senior Fellow of the Technology and Public Policy Program at 
the Center for Strategic and International Studies. Dr. Lewis 
was also the Director of the CSIS Commission on Cybersecurity, 
which began its work in 2008. Thanks so much. Please proceed.

  TESTIMONY OF JAMES A. LEWIS, PH.D.,\1\ DIRECTOR AND SENIOR 
   FELLOW, TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR 
              STRATEGIC AND INTERNATIONAL STUDIES

    Mr. Lewis. Thank you, Senators, for giving me the 
opportunity to testify. You know, when we hear that getting 
incentives right and letting the private sector lead or sharing 
more information will secure the Nation, remember that we have 
spent the last 15 years repeatedly proving that this does not 
work, and from an attacker's perspective, America is a big, 
slow target.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Lewis appears in the Appendix on 
page 92.
---------------------------------------------------------------------------
    Some people say the threat is exaggerated. This is really 
unfortunate. You have talked about the parallels with September 
11, 2001. But in some ways we are on a path to repeat the 
September 11 error if we do not take action in the very near 
term.
    The threat is real and growing. Military and intelligence 
services with advanced cyber capabilities can penetrate any 
corporate network with ease. Cyber criminals and government-
sponsored hackers routinely penetrate corporate networks. And 
new attackers, ranging from Iran and North Korea to a host of 
anti-government groups, are steadily increasing their skills.
    The intersection of greatest risk and weakest authority is 
critical infrastructure. National security requires holding 
critical infrastructure to a higher standard than the market 
will produce.
    This bill has many useful sections on education, research, 
securing government networks, and international cooperation, 
and they all deserve support. But the main event is regulating 
critical infrastructure for better cybersecurity. Without this, 
everything else is an ornament, and America will remain 
vulnerable. Low-hanging fruit will not make us safer, and one 
way to think about this is if you took the section on critical 
infrastructure regulation out of this bill, it would be like a 
car without an engine. So I look forward to what we will see 
next week.
    There are all sorts of objections to moving ahead. We heard 
that innovation could be damaged, but well-designed regulation 
will actually increase innovation. Companies will innovate at 
making safer products. We have this with Federal regulation of 
cars, airplanes, even as far back as steamboats. Regulation can 
incentivize innovation.
    Everyone agrees that we want to avoid burdensome regulation 
and focus new authorities on truly critical systems. The bill 
as drafted takes a minimalist and innovative approach to 
regulation based on commercial practices, so I appreciate the 
effort that has gone into that.
    Many in Congress recognize the need for legislation, and 
this Committee, the Senate, and others in the House deserve our 
thanks for taking up this task. But the battle has shifted. 
People will try to dilute legislation. They will try to put 
forward slogans instead of solutions, and they will write in 
loopholes. The goal should be to strengthen not to dilute, and 
so two problems need attention.
    The first is the threshold for designating controlled 
critical infrastructure. Cyber attacks in the next few years 
are most likely to be targeted and precise. They probably will 
not cause mass casualties or catastrophic disruption. If we set 
the threshold too high, it is simply telling our attackers what 
they should hit. So we need to very carefully limit the scope 
of this regulation, but I fear that we may have gone a bit too 
far.
    The second is the carve-out for commercial information 
technology, and others have raised this. It makes sense that 
industry does not want government telling them how to make 
their products. That is perfectly reasonable. But a blanket 
exemption on services, maintenance, installation, and repair 
would, first, undo central work started by the Bush 
Administration; and, second, leave America open for a Stuxnet-
like attack. So these parts of the bill should really be 
removed, and in particular, I would call your attention to 
paragraph (A) and (B) of Section 104(b)(2).
    In any important legislation, there is a delicate balance 
between protecting the Nation and minimizing the burdens on our 
economy. This bill, with some strengthening, I think can 
achieve that balance and best serve the national interest. The 
alternative is to wait for the inevitable attack. My motto for 
2012 in cybersecurity is, ``Brace for impact.''
    I thank the Committee and will be happy to take any 
questions.
    Chairman Lieberman. Thank you, Dr. Lewis. Your voice is an 
important one to listen to, and we will, we do.
    Scott Charney is our last witness today. He is the 
Corporate Vice President of the Trustworthy Computing Group--
that is a good job--at Microsoft Corporation. Thanks for being 
here.

   TESTIMONY OF SCOTT CHARNEY,\1\ CORPORATE VICE PRESIDENT, 
       TRUSTWORTHY COMPUTING GROUP, MICROSOFT CORPORATION

    Mr. Charney. Chairman Lieberman, Senator Akaka, thank you 
for the opportunity to appear at this important hearing on 
cybersecurity. In addition to my role as Corporate Vice 
President for Trustworthy Computing, I serve on the President's 
National Security Telecommunications Advisory Committee and was 
Co-chair of the CSIS Commission on Cybersecurity for the 44th 
Presidency.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Charney appears in the Appendix 
on page 99.
---------------------------------------------------------------------------
    Microsoft has a long history of focusing on cybersecurity. 
In 2002, Bill Gates launched our Trustworthy Computing 
Initiative. As we celebrate the 10th anniversary of that 
effort, we are proud of both our progress and conscious of how 
much work remains to be done. While IT companies are providing 
better cybersecurity, the world is increasingly reliant on 
cyber-based systems, and those attacking such systems have 
increased in both number and sophistication. Cyber attacks 
represent one of the more significant and complex threats 
facing our Nation.
    With that in mind, I commend the Chairman, the Ranking 
Member, this Committee, and Members of the Senate for your 
continuing commitment to addressing cybersecurity. We 
appreciate your leadership in developing the legislation that 
was introduced earlier this week. Over the past few years, you 
have helped focus national attention on this urgent problem, 
offered constructive proposals, and conducted an open and 
transparent process to solicit the views of interested private 
sector stakeholders.
    Microsoft believes the current legislative proposal 
provides an appropriate framework to improve the security of 
government and critical infrastructure systems and establishes 
an appropriate security baseline to address current threats. 
Furthermore, the framework is flexible enough to permit future 
improvements to security, an important point since security 
threats evolve over time.
    While the Internet has created unprecedented opportunities 
for social and commercial interaction, it has also created 
unprecedented opportunities for those bent on attacking IT 
systems. Securing IT systems remains challenging, and it is 
important that legislative efforts designed to improve computer 
security meet three important requirements:
    First, legislation must embrace sound risk management 
principles and recognize that the private sector is best 
positioned to protect private sector assets. Second, the 
legislation must enable effective information sharing among 
government and industry members. Third, any legislation must 
take into account the realities of today's global IT 
environment. I will discuss each of these important issues in 
turn.
    First, sound risk management principles require that 
security efforts be directed where the risk is greatest and 
that those responsible for protecting systems have the 
flexibility to respond to ever changing threats. To ensure that 
this happens, it is important that the definition of critical 
infrastructure be scoped appropriately and that the owner of an 
IT system ultimately be responsible for developing and 
implementing security measures. We believe that the current 
legislation, which allows the government to define outcomes but 
allows the private sector owner of a critical system or asset 
to select and implement particular measures, is the right 
framework.
    Second, successful risk management depends on effective 
information sharing. For too long, people have cited 
information sharing as a ``goal'' when, in fact, it is a tool. 
The goal should not be to share all information with all 
parties, but rather the right information with the right 
parties, that is, parties who are positioned to take meaningful 
action. We appreciate that this legislation attempts to remove 
barriers to information sharing by specifically authorizing 
certain disclosures and protecting the information shared.
    Finally, as a global business, we are very cognizant of the 
fact that countries around the world are grappling with similar 
cybersecurity challenges and implementing their own 
cybersecurity strategies. We believe that actions taken by the 
U.S. Government may have ramifications beyond our borders, and 
it is important that the United States lead by example, 
adopting policies that are technology neutral and do not stifle 
innovation. It must also promote cyber norms through 
international discussions with other governments.
    Unlike some traditional international efforts where 
government-to-government discussions may suffice to achieve 
desired outcomes, it must be remembered that the private sector 
is designing, deploying, and maintaining most of our critical 
infrastructures. As such, the United States needs to ensure 
that the owners, operators, and vendors that make cyberspace 
possible are part of any international discussions.
    I would note in closing that security remains a journey, 
not a destination. In leading our Trustworthy Computing effort 
over the last 10 years, I have witnessed the continual 
evolution of Microsoft's own security strategies. Technologies 
advance, threats change, hackers grow stronger, but defenders 
grow wiser and more agile. The Committee's legislation, which 
focuses on outcomes and ensures meaningful input by the private 
sector, represents an important step forward. Microsoft is 
committed to working with Congress and the Administration to 
help ensure this legislation meets these important objectives 
while minimizing unintended consequences.
    Thank you for the leadership that you have shown in 
developing this legislation under consideration today and for 
the opportunity to testify. I look forward to your questions.
    Chairman Lieberman. Thanks very much to you, too, Mr. 
Charney.
    Let me ask all three of you a threshold question, no pun 
intended. As you can hear from some of the testimony and some 
of the questions from Committee Members, there is a question 
still about whether regulation is necessary here--I am using a 
pejorative term. Let me just say government involvement here is 
necessary. And at its purest, this argument is that obviously 
the private sector that owns and operates cyber infrastructure 
has its own set of incentives to protect itself. Why do we need 
the government to be involved? Mr. Baker, do you want to start?
    Mr. Baker. Sure. It seems to me that, fundamentally, the 
private sector and each private company has an incentive to 
spend about as much on security as is necessary to protect 
their revenue streams, to prevent criminals from stealing 
things from them and the like. It is much less likely that they 
are going to spend money to protect against disasters that 
might fall on someone else, on their customers down the road, 
that are unpredictable. And so there are certain kinds of 
harms, especially if you are in a business where it is hard for 
people to steal money from you but it is easy for them to 
change your code in a way that could later be disastrous for 
consumers. That is a situation businesses will view as 
something that they are not ever going to get a higher payment 
for addressing when they sell their products and, therefore, 
not something that they would want to spend a lot of money on.
    So it does seem to me that there are a lot of externalities 
here that require the government to be involved in addition to 
the problem that if you are the Baltimore Gas and Electric 
company, for example, you really do not know how to deal with 
an attack launched by Russian intelligence.
    Chairman Lieberman. Right. Dr. Lewis.
    Mr. Lewis. Thank you. Sometimes I call them ``mandatory 
standards,'' and that is nicer than ``regulation,'' but I 
wanted to say ``regulation'' this time because we have to put 
it out on the table.
    Chairman Lieberman. Right.
    Mr. Lewis. We got the incentives wrong in 1998, the first 
time we thought about protecting critical infrastructure. We 
thought that if you tell them about the threat, get them 
together, share a little information, and they will do the 
right thing. And as you have heard, the return on investment is 
such that companies will spend up to a certain level. It is not 
even clear that all of them do that, by the way, but they will 
not spend enough to protect the Nation.
    So we are stuck with a classic case of a public good, 
national defense. Regulation is essential, and if we do not 
regulate, we will fail.
    Chairman Lieberman. Let me just follow up. You made a 
statement in your opening remarks--I am going to paraphrase 
it--which is that a hostile party, a nation state, or 
intelligence agency could penetrate any entity's cyberspace in 
this country if they wanted. Did I hear you right?
    Mr. Lewis. You did. The full answer is complicated, so I 
will be happy to provide it to you in writing. But when you 
think of the high-end opponents who can use a multitude of 
tactics, including tapping your phone line, including hiring 
agents or corrupting employees, these are very hard people to 
stop. And the assumption that is probably safest to make from a 
defensive point of view is that all networks have been 
compromised.
    Chairman Lieberman. Mr. Charney.
    Mr. Charney. I would say two things. First, I would echo 
what Mr. Baker said. I think market forces are actually doing a 
very good job of providing security. The challenge is market 
forces are not designed to respond to national security 
threats. You cannot make a market case for the Cold War. And so 
you really have to think about what will the market give us? 
What does national security require? And how do you fill the 
delta between those gaps?
    The second thing I would say about looking at regulating 
critical infrastructure, is in my 10 years at Microsoft, I have 
found as we have struggled with cybersecurity strategies, we 
really live in one of three states of play. Sometimes we do not 
know what to do, and you have to figure out a strategy. 
Sometimes you know what to do, but you are not executing very 
well, in which case you need to go execute better. Sometimes we 
know what to do and we execute well, but we do not execute at 
scale.
    I think there are some companies that do a very good job of 
protecting critical infrastructure today. Are we doing it at 
enough scale to really manage the risk that the country faces? 
And I do not think we are today, and that is why in our report 
of the CSIS Commission and in my testimony we are supportive of 
the framework that has been articulated in the legislation.
    Chairman Lieberman. I appreciate that. Assuming the 
statistics are accurate or close to accurate about the 
frequency of intrusion into cyberspace owned and operated in 
the private sector, then that makes it self-evident that there 
is not enough being done to protect from that.
    Dr. Lewis, let me ask you something. You offered a friendly 
criticism of the bill just before, which is that our definition 
of ``covered critical infrastructure'' is too narrow, too high. 
We are limiting it too much. Give me an idea about how you 
might broaden it if you were drafting the legislation.
    Mr. Lewis. I think we are talking about relatively simple 
amendments to the language, Mr. Chairman. I would look at some 
of the thresholds you have put in: Mass casualties. What is a 
mass casualty event? For those of us coming out of the Cold 
War, that was a very high threshold. Economic disruption on a 
catastrophic scale--it is not clear to me that Hurricane 
Katrina, for example, would be caught by that definition. So I 
think it is more an issue of clarifying, more an issue of 
making sure that the smaller attacks that we are more likely to 
see in the near future are caught by this threshold and we are 
not just looking for the big bang.
    Chairman Lieberman. Thanks. My time is up. Senator Akaka, 
thank you for being here.

               OPENING STATEMENT OF SENATOR AKAKA

    Senator Akaka. Thank you very much, Mr. Chairman, for 
holding this hearing. I applaud your tenacity and that of 
Senators Collins, Rockefeller, and Feinstein in pursuing the 
comprehensive cybersecurity legislation we are considering 
today. I also want to thank you and the Administration for 
incorporating my suggestions to the cyber workforce provisions 
of the bill. Employees of the Department of Homeland Security 
are on the front lines of countering the cyber threat, and we 
must make sure the Department has the appropriate tools to 
attract and retain the workforce it needs to meet these complex 
challenges.
    Stakeholders have raised concerns about the privacy and 
civil liberties implications of certain provisions of this 
bill. I want to commend the bill's authors for making progress 
in addressing these concerns. It is important for the final 
product to adequately protect Americans' reasonable expectation 
of privacy, and I will continue to closely monitor this issue.
    FBI Director Robert Mueller's recent statement that the 
danger of cyber attacks will equal or surpass the danger of 
terrorism in the foreseeable future is a stark reminder that 
strengthening cybersecurity must be a key priority for this 
Congress. Cyber criminals and terrorists are targeting our 
critical infrastructure, including our electricity grids, 
financial markets, and transportation networks, and these have 
been mentioned by the panelists. American businesses face 
constant cyber attacks that seek to steal their intellectual 
property and trade secrets. However, cybersecurity policy has 
been slow to adjust to these ever increasing and sophisticated 
cyber threats.
    The Cybersecurity Act of 2012 will give the Federal 
Government and the private sector the tools necessary to 
respond to these troubling threats, I feel. Finalizing this 
important legislation is a pressing priority for this Congress, 
and I look forward to working with you on this.
    As you know, the bill contains new hiring and pay 
authorities to bolster the Federal civilian cybersecurity 
workforce. It also has provisions to educate and train the next 
generation of Federal cybersecurity professionals. I would like 
to hear your views on the challenges of recruiting and 
retaining cybersecurity professionals, the provisions in this 
bill, and any other recommendations you may have to address 
these growing workforce challenges. Mr. Baker.
    Mr. Baker. If I might, I would like to just defer to Mr. 
Charney, who really has more expertise and experience in this 
field, and if there is anything else, I will add to it after.
    Senator Akaka. Fine. Mr. Charney.
    Mr. Charney. It is very challenging to find well-trained 
cybersecurity professionals even in the private sector. This 
technology has just proliferated far faster than educational 
institutions could educate people to manage IT security and 
manage the security.
    As a result of that, Microsoft has actually committed 
considerable resources, supporting programs like science, 
technology, engineering, and mathematics (STEM) education, or 
Elevate America where we provided over a million vouchers for 
entry-level and more advanced computer basic skills. But it is 
a big challenge, and if it is a big challenge for the private 
sector, you can imagine that it would also be a large challenge 
for the public sector as they do not have the same pay scale 
that I have available to me.
    So this is a big challenge. It is a challenge in both 
education and in proficiency of the workforce. And, in fact, 
the CSIS Commission issued a report on the challenges of 
getting an educated, cyber-educated workforce.
    Mr. Baker. And I would just add to that, indeed, that DHS 
has had particular difficulty in attracting people and working 
through their personnel hiring procedures. Anything that makes 
that smoother and more responsive to the market is useful.
    But finally, and most importantly, for every student who is 
watching this wondering what he is going to do when he 
graduates from college, these jobs are waiting for you. You owe 
it to your country and you owe it to yourself to pursue these 
opportunities.
    Senator Akaka. Thank you. Mr. Lewis.
    Mr. Lewis. Senator, 2 years ago, at the end of July, CSIS 
had an event here on the Hill, on education for cybersecurity, 
and I was kicking myself because I thought no one is going to 
be here on July 29. It is just stupid. And so I told them, 
``Cut back on the food. We do not need it.'' And we had 
standing room only. They had to put chairs in the hall. People 
love this topic, but there are a couple of issues to think 
about.
    On the government side, we need to have a clearer career 
path for people to get promoted up.
    On the private sector side, the education that we get now 
needs to be refined and focused. A degree in computer science 
may not give you the skills. In fact, it probably will not give 
you the skills for cybersecurity. And so some of the provisions 
in the bill such as the cyber challenge, and other programs, 
tap into this real enthusiasm among teenagers and among college 
students to get into this new field. And I think this is one of 
the stronger parts. Again, doing the education piece is 
important, but it will not protect us in the next few years, 
which is why we need the other parts of the bill as well.
    Senator Akaka. Thank you very much, panel. My time has 
expired, Mr. Chairman.
    Chairman Lieberman. Thanks, Senator Akaka, and thanks very 
much for the contribution you made to the bill, as indicated by 
your questioning, on the cyber workforce. That was very 
important.
    Senator Collins.
    Senator Collins. Thank you, Mr. Chairman. The hour is late, 
but I just want to thank our witnesses for their excellent 
testimony. Hearing some of our witnesses on this panel raise 
some legitimate questions about whether we have gone too far in 
trying to accommodate concerns raised by the Chamber and other 
groups makes me think that maybe we have gotten it just right 
since the Chamber is still not happy and you believe we have 
gone too far.
    But in all seriousness, your expertise has been extremely 
helpful, as has the input that we have had from Microsoft, from 
the Chamber, from the tech industry, and from experts and 
academics. We really have consulted very widely, and it has 
been very helpful to us as we try to strike the right balance.
    This is an enormously important but complicated, complex 
issue for us to tackle, but tackle it we must. And that is 
something that I believe unites all of the witnesses from whom 
we have heard today.
    Whether we consider this to be a response to a 9/11-like 
attack or a Hurricane Katrina, I just do not want us to be here 
after a major cyber incident saying, ``If only, and how could 
we have ignored all these warnings, all these commissions, all 
of these studies, all of these experts?'' I cannot think of 
another area in homeland security where the threat is greater 
and we have done less.
    There is a huge gap. Whether we got it exactly right on 
chemical plant security, port security, or reform of the 
Federal Emergency Management Agency, at least we acted and we 
have made a difference in each of those areas. They are not 
perfect, but we have acted and we have made a difference. And 
in intelligence reform, I think we have made a big difference.
    But here we have a vulnerability, a threat that is not 
theoretical. It is happening each and every day, and yet we 
have seen today by the comments of some of our colleagues this 
is going to be a very difficult job to get this bill through. I 
am confident that we can do it, however, and that in the end we 
will succeed.
    And, finally, I do want to say to our colleagues, to those 
who are listening, to those in the audience, that we need your 
help. If you have other good ideas for us, by all means bring 
them forward. Help us get the best possible bill. But for 
anyone to stand in the way and cause us to fail to act at all 
to pass legislation this year I think would just be a travesty. 
It would be a disaster waiting to happen for our country.
    So, Mr. Chairman, I would just encourage you to press 
forward, and I will be at your side, your partner, all along 
the way. We have done it before against great odds.
    Chairman Lieberman. And we will do it again. Hear, hear. 
Thank you. That meant a lot to me, and it is just expressive 
and characteristic of your independence of spirit and your 
commitment to do what you think is right for our national 
security.
    We are going to press forward, and the Majority Leader, 
Senator Reid, I am confident is going to press forward, too. As 
I mentioned earlier, he had a couple of briefings on this 
problem of cybersecurity last year, and it really troubled him. 
He feels that there is a clear and present danger to our 
national security and our economic prosperity from cyber 
attack. That is why he has devoted a lot of time to trying to 
get us to this point that we have reached this week to have at 
least a foundational consensus bill and why I am confident he 
is going to bring this to the floor with the authority he has 
as Majority Leader. I am optimistic that may well be in the 
next work period, which is when we come back at the end of 
February and into March.
    The three of you have added immensely to our work here. I 
do want to continue to work--I do not want to ask a question 
because Senator Collins has brought this to such a wonderful 
ending point, but I do want to, over time as we take the bill 
to the floor, invite you--particularly Mr. Baker and Dr. Lewis, 
who have expressed concerns about the so-called carve-out. 
People in the Administration still think that with the 
authority that we have left in there, the language will allow 
the government to develop performance standards that will 
require owners of systems to protect those systems even if they 
might include some commercial products. But we hear your 
concerns, and we invite you to submit thoughts to us as to how 
to do this better, and we promise we will consider those 
concerns.
    Any last words from any of the three of you?
    [No response.]
    Chairman Lieberman. Thanks very much for all you have 
contributed. I thank Senator Collins again. It is true, we get 
very stubborn, the two of us, when we think something is really 
right and necessary. So we are going to plow forward.
    The record of this hearing will be held open for 10 days 
for any additional questions or statements for the record. I 
thank you again very much.
    With that, the hearing is adjourned.
    [Whereupon, at 5:20 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              
