[Congressional Record Volume 156, Number 87 (Thursday, June 10, 2010)]
[Senate]
[Pages S4851-S4855]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LIEBERMAN (for himself, Ms. Collins, and Mr. Carper):
  S. 3480. A bill to amend the Homeland Seeurity Act of 2002 And other 
laws to enhance the security and resiliency of the cyber and 
communications infrastructure of the United States; to the Committee on 
Homeland Security and Governmental Affairs.
  Mr. LIEBERMAN. Mr. President, I rise today to introduce the 
Protecting Cyberspace as a National Asset Act of 2010, which I believe 
would help secure the Nation's cyber networks against attack.
  The Internet may have started out as a communications oddity some 40 
years ago but it is now a necessity of modern life and, sadly, one that 
is under constant attack. Today, Senators Collins, Carper, and I are 
introducing legislation which we believe would help secure the most 
critical cyber networks and therefore all Americans.
  For all of its ``user-friendly'' allure, the Internet can also be a 
dangerous place with electronic pipelines that run directly into 
everything from our personal bank accounts to key infrastructure to 
government and industrial secrets. Our economic security, national 
security and public safety are now all at risk from new kinds of 
enemies--cyber-warriors, cyber-spies, cyberterrorists and cyber-
criminals. That risk may be as serious to our homeland security as 
anything we face today.
  Computer networks at the Departments of Defense are being probed 
hundreds of thousands of times a day, and networks at the Departments 
of State, Homeland Security and Commerce, as well as NASA and the 
National Defense University, have all suffered ``major intrusions by 
unknown foreign entities,'' according to reports.
  Key networks that control vital infrastructure, like the electric 
grid, have been probed, possibly giving our enemies information that 
could be used to plunge us into darkness at the press of a button from 
across an ocean. Banks have had millions and millions of dollars stolen 
from accounts by cyber-bandits who have never been anywhere near the 
banks themselves.
  In a report by McAfee--a computer security company, about 54 percent 
of the executives of critical infrastructure companies surveyed said 
their companies had been the victims of denial of service attacks or 
network infiltration by organized crime groups, terrorists, and other 
nation-states. The downtime to recover from these attacks can cost $6 
million to $8 million a day.
  Our present efforts at securing these vital but sprawling government 
and private sector networks have been disjointed, understaffed and 
underfinanced. We have not operated with the sense of urgency that is 
necessary to protect Americans' cyberspace, which the President has 
correctly described as a ``strategic national asset.''
  Our bill would bring these disjointed efforts together so that the 
federal government and the private sector can coordinate their 
activities and work off the same playbook.
  While President Obama's creation of a cyber-security coordinator 
inside the White House was a step in the right direction, we need to 
make that position permanent, transparent and accountable to Congress 
and the American people.
  So, our proposal would create a Senate-confirmed White House cyber-
security coordinator whose job would be to lead all federal cyber-
security efforts; develop a national strategy--that incorporates all 
elements of cyberspace policy, including military, law enforcement, 
intelligence, and diplomatic; give policy advice to the President; and 
resolve interagency disputes.

  The Director of the Office of Cyberspace Policy would oversee all 
related federal cyberspace activities to ensure efficiency and 
coordination and would report regularly to Congress to ensure 
transparency and oversight.
  Our legislation also would create a National Center for Cybersecurity 
an Communications, NCCC, within the Department of Homeland Security, 
DHS, to elevate and strengthen the Department's cyber security 
capabilities and authorities. The NCCC would be run by a Senate-
confirmed Director who would have the authority and resources to work 
with the rest of the Federal Government to protect public and private 
sector cyber networks.
  DHS has shown that vulnerabilities in key private sector networks--
like utilities and communications systems--could bring our economy to 
its knees if attacked or commandeered by a foreign power or cyber-
terrorists. But other than pointing out a vulnerability, DHS has lacked 
the power to do anything about it. Our legislation would give DHS the 
authority to ensure that our nation's most critical infrastructure is 
protected from cyber attack.
  Defense of our cyber networks will only be successful if industry and 
government work together, so this legislation sets up a collaborative 
process where the best ideas of the private sector and the government 
can be used to meet a baseline set of security requirements that DHS 
would oversee.
  Specifically, the NCCC would work with the private sector to 
establish risk-based security requirements that strengthen the cyber 
security for the nation's most critical infrastructure, such as vital 
components of the electric grid, telecommunications networks, and 
financial sector that, if disrupted, would result in a national or 
regional catastrophe. Owners and operators of critical infrastructure 
covered under the act could choose which security measures to implement 
to meet these risk-based performance requirements. The act would 
provide some liability protections to owners/operators who demonstrate 
compliance with the new risk-based security requirements.
  Covered critical infrastructure must also report significant breaches 
to the NCCC to ensure the federal government has a complete picture of 
the security of these networks. In return, the NCCC would share 
information, including threat analysis, with owners and operators 
regarding risks to their networks. The NCCC would also produce and

[[Page S4853]]

share useful warning, analysis, and threat information with other 
Federal agencies, State and local governments, and international 
partners.
  To increase security across the private sector more broadly, the NCCC 
would collaborate with the private sector to develop best practices for 
cyber security. By promoting best practices and providing voluntary 
technical assistance as resources permit, the NCCC would help improve 
cyber security across the Nation. Information the private sector shares 
with the NCCC would be protected from public disclosure, and private 
sector owners and operators may obtain security clearances to access 
information necessary to protect the IT networks the American people 
depend upon.
  Thanks to great work by Senator Carper, our legislation would update 
the Federal Information Security Management Act--or FISMA--to require 
continuous monitoring and protection of our federal networks and do 
away with the paper-based reporting system that currently exists. The 
act also would codify and strengthen DHS authorities to establish 
0 complete situational awareness for Federal networks and develop tools 
to improve resilience of Federal Government systems and networks.

  In the event of an attack--or threat of an attack--that could have 
catastrophic consequences to our economy, national security or public 
safety, our bill would give the President the authority to impose 
emergency measures on a select group of the most critical 
infrastructure to preserve their cyber networks and assets and protect 
our country and the American people. These emergency measures would 
automatically expire within 30 days unless the President ordered an 
extension.
  These measures would be developed in consultation with the private 
sector and would apply if the President has credible evidence a cyber 
vulnerability is being exploited or is about to be exploited. If 
possible, the President must notify Congress in advance about the 
threat and the emergency measures that would be taken to mitigate it. 
Any emergency measures imposed must be the least disruptive necessary 
to respond to the threat. The bill does not authorize any new 
surveillance authorities, or permit the government to ``take over'' 
private networks.
  Of course, DHS would need a lot of talented people to accomplish 
these missions, and our bill gives it the flexibility to recruit, hire, 
and retain the experts it would need to be successful. Our bill would 
require the Office of Personal Management to reform the way cyber 
security personnel are recruited, hired, and trained and would provide 
DHS with temporary hiring and pay flexibilities to assist in the quick 
establishment of the NCCC.
  Finally, our legislation would require the Federal Government to 
develop and implement a strategy to ensure that almost $80 billion of 
the information technology products and services it purchases each year 
are secure and do not provide our adversaries with a backdoor into our 
networks.
  More specifically, the act would require development of a 
comprehensive supply chain risk management strategy to address risks 
and threats to the information technology products and services the 
federal government relies upon. This strategy would allow agencies to 
make informed decisions when purchasing IT products and services. This 
provision would be implemented through the Federal Acquisition 
Regulation, requiring contracting officers to consider the security 
risks inherent in agency IT procurements. The value of this approach is 
that once security features are developed to protect federal networks, 
private sector customers may be able to purchase that same level of 
security in the products they buy.
  The need for this legislation is both obvious and urgent.
  A report by the bipartisan Center for Strategic and International 
Studies, CSIS, concluded that ``we face a long-term challenge in 
cyberspace from foreign intelligence agencies and militaries, criminals 
and others, and losing this struggle would wreak serious damage on the 
economic health and national security of the United States.''
  Given these stakes, Senators Collins, Carper, and I are confident our 
colleagues will join with us and pass the ``Protecting Cyberspace as a 
National Asset Act'' in the 110th Congress.
  Ms. COLLINS. Mr. President, I rise to join Senators Lieberman and 
Carper in introducing the Protecting Cyberspace as a National Asset Act 
of 2010. This vital legislation would fortify the government's efforts 
to safeguard America's cyber networks from attack. It would build a 
public/private partnership to promote national cyber security 
priorities. It would strengthen the government's ability to set, 
monitor compliance with, and enforce standards and policies for 
securing Federal civilian systems and the sensitive information they 
contain.
  The marriage of increasingly robust computer technology to expanding 
and nearly instantaneous global telecommunications networks is a truly 
seismic event in human history. This information revolution touches 
everything, from personal relationships and entertainment to commerce, 
scientific research, and the most sensitive national security 
information. Cyberspace is a place of great, even unparalleled, power.
  But, to tweak the familiar saying, with great power comes great 
vulnerability. Cyberspace is under increasing assault on all fronts: 
cyber vandalism, cyber crime, cyber sabotage, and cyber espionage. 
Across the world at this moment, computer networks are being hacked, 
probed, and infiltrated relentlessly. The purpose of these cyber 
exploits ranges from simple mischief and massive theft to societal 
mayhem and geopolitical advantage.
  In February, Dennis Blair, the former Director of National 
Intelligence, gave this chilling assessment before the Senate Select 
Committee on Intelligence:
  ``Malicious cyber activity is occurring on an unprecedented scale 
with extraordinary sophistication. While both the threats and 
technologies associated with cyberspace are dynamic, the existing 
balance in network technology favors malicious actors, and is likely to 
continue to do so for the foreseeable future.''
  Consider these sobering facts:
  Cyber crime costs our national economy nearly $8 billion annually.
  Hackers can operate in relative safety and anonymity from a laptop or 
desktop anywhere in the world. The expanding capabilities of wireless 
hand-held devices strengthen this cloak of cyber invisibility.
  As our national and global economies become ever more intertwined, 
cyber terrorists have greater potential to attack high-value targets. 
From anywhere in the world, they could disrupt telecommunications 
systems, shut down electric power grids, or freeze financial markets. 
With sufficient know-how and a few keystrokes, they could cause 
billions of dollars in damage and put thousands of lives in jeopardy.
  As the hackers' techniques advance, the number of hacking attempts is 
exploding. Just this March, the Senate's Sergeant at Arms reported that 
the computer systems of Congress and Executive Branch agencies now are 
under cyber attack an average of 1.8 billion times per month.
  Recent examples of cyber attacks are myriad and disturbing:
  Press reports a year ago stated that China and Russia had penetrated 
the computer systems of America's electrical grid. The hackers 
allegedly left behind malicious hidden software that could be activated 
later to disrupt the grid during a war or other national crisis.
  At about the same time, we learned that, beginning in 2007 and 
continuing well into 2008, hackers repeatedly broke into the computer 
systems of the Pentagon's $300-billion Joint Strike Fighter project. 
They stole crucial information about the Defense Department's costliest 
weapons program ever.
  In 2007, the country of Estonia was attacked in cyberspace. A 3-week 
onslaught of botnets overwhelmed the computer systems of the nation's 
parliament, government ministries, banks, telecommunications networks, 
and news organizations. This attack on Estonia is a wake-up call that 
has yet to be sufficiently heeded.
  The private sector is also under attack. In January, Google announced 
that attacks originating in China had targeted its systems as well as 
the networks of more than 30 other companies. The attacks on Google 
sought to access the email accounts of Chinese

[[Page S4854]]

human rights activists. For the other companies, lucrative information, 
such as critical corporate data and software source codes, were 
targeted.
  Last year, cyber thieves secretly implanted circuitry into keypads 
sold to British supermarkets, which were then used to steal account 
information and PIN numbers. This same tactic was used against a large 
supermarket chain in Maine, compromising more than 4 million credit 
cards.
  Nor are small businesses immune. Last summer, a small Maine 
construction firm found that cyber crooks had stolen nearly $600,000 
through an elaborate scheme involving dozens of coconspirators 
throughout the United States.
  These attacks, and the hundreds like them that are occurring at any 
given time whether on our government or private sector systems, have 
ushered us into a new age of cyber crime and, indeed, cyber warfare. 
They underscore the high priority we must give to the security of our 
information technology systems.
  The terrorist attacks of September 11, 2001, exposed the 
vulnerability of our nation to catastrophic attacks. Since that 
terrible day, we have done much to protect potential targets such as 
ports, chemical facilities, transportation systems, water supplies, 
government buildings, and other vital assets. We cannot afford to wait 
for a ``cyber 9/11'' before our government finally realizes the 
importance of protecting our digital resources, limiting our 
vulnerabilities, and mitigating the consequences of penetrations of our 
networks.
  Chairman Lieberman and I have held a number of hearings on cyber 
security in the Senate Homeland Security and Governmental Affairs 
Committee. Senator Carper has been similarly active, particularly on 
exploring modifications to the Federal Information Security Management 
Act that are designed to enhance protections of Federal networks and 
information.
  From our examinations of this issue, we know that there are threats 
to and vulnerabilities in our cyber networks. We also know that the 
tactics used to exploit these vulnerabilities are constantly evolving 
and growing increasingly dangerous. Now, it is time to take action. A 
strong and sustained Federal effort to promote cyber security is a key 
component of effective deterrence.
  For too long, our approach to cyber security has been disjointed and 
uncoordinated. This cannot continue. The United States requires a 
comprehensive cyber security strategy backed by aggressive 
implementation of effective security measures. There must be strong 
coordination among law enforcement, intelligence agencies, the 
military, and the private owners and operators of critical 
infrastructure.
  This bill would establish the essential point of coordination. The 
Office of Cyberspace Policy in the Executive Office of the President 
would be run by a Senate-confirmed Director who would advise the 
President on all cyber security matters. The Director would lead and 
harmonize Federal efforts to secure cyberspace and would develop a 
national strategy that incorporates all elements of cyber security 
policy, including military, law enforcement, intelligence, and 
diplomacy. The Director would oversee all Federal activities related to 
the national strategy to ensure efficiency and coordination. The 
Director would report regularly to Congress to ensure transparency and 
oversight.
  To be clear, the White House official would not be another 
unaccountable czar. The Cyber Director would be a Senate-confirmed 
position and thus would testify before Congress. The important 
responsibilities given to the Director of the Office of Cyberspace 
Policy related to cybersecurity are similar to the responsibilities of 
the current Director of the Office of Science and Technology Policy.
  The Cyber Director would advise the President and coordinate efforts 
across the Executive Branch to protect and improve our cybersecurity 
posture and communications networks. By working with a strong 
operational and tactical partner at the Department of Homeland 
Security, the Director would help improve the security of Federal and 
private sector networks.
  This strong DHS partner would be the National Center for 
Cybersecurity and Communications, or Cyber Center. It would be located 
within the Department of Homeland Security to elevate and strengthen 
the Department's cyber security capabilities and authorities. This 
Center also would be led by a Senate-confirmed Director.
  The Cyber Center, anchored at DHS, with a strong and empowered 
leader, will close the coordination gaps that currently exist in our 
disjointed federal cyber security efforts. For day-to-day operations, 
the Center would use the resources of DHS, and the Center Director 
would report directly to the Secretary of Homeland Security. On 
interagency matters related to the security of federal networks, the 
Director would regularly advise the President--a relationship similar 
to the Director of the NCTC on counterterrorism matters or the Chairman 
of the Joint Chiefs of Staff on military issues. These dual 
relationships would give the Center Director sufficient rank and 
stature to interact effectively with the heads of other departments and 
agencies, and with the private sector.
  Congress has dealt with complex challenges involving the need for 
interagency coordination in the past with a similar construct. We have 
established strong leaders with supporting organizational structures to 
coordinate and implement action across agencies, while recognizing and 
respecting disparate agency missions.
  The establishment of the National Counterterrorism Center within the 
Office of the Director of National Intelligence is a prime example of a 
successful reorganization that fused the missions of multiple agencies. 
The Director of NCTC is responsible for the strategic planning of joint 
counterterrorism operations, and in this role reports to the President. 
When implementing the information analysis, integration, and sharing 
mission of the Center, the Director reports to the Director of National 
Intelligence. These dual roles provide access to the President on 
strategic, interagency matters, yet provide NCTC with the structural 
support and resources of the office of the DNI to complete the day-to-
day work of the NCTC. The DHS Cyber Center would replicate this 
successful model for cyber security.
  As we have seen repeatedly, from the financial crisis to the 
environmental catastrophe in the Gulf of Mexico, what happens in the 
private sector does not always affect just the private sector. The 
ramifications for government and for the taxpayers often are enormous.
  This bill would establish a public/private partnership to improve 
cyber security. Working collaboratively with the private sector, the 
Center would produce and share useful warning, analysis, and threat 
information with the private sector, other Federal agencies, 
international partners, and state and local governments. By developing 
and promoting best practices and providing voluntary technical 
assistance to the private sector, the Center would improve cyber 
security across the nation. Best practices developed by the Center 
would be based on collaboration and information sharing with the 
private sector. Information shared with the Center by the private 
sector would be protected.
  With respect to the owners and operators of our most critical systems 
and assets, the bill would mandate compliance with certain risk-based 
performance requirements to close security gaps. These requirements 
would apply to vital components of the electric grid, 
telecommunications networks, financial systems, or other critical 
infrastructure systems that could cause a national or regional 
catastrophe if disrupted.
  This approach would be similar to the current model that DHS employs 
with the chemical industry. Rather than setting specific standards, DHS 
would employ a risk-based approach to evaluating cyber vulnerabilities, 
and the owners and operators of covered critical infrastructure would 
develop a plan for protecting those vulnerabilities and mitigating the 
consequences of an attack.
  These owners and operators would be able to choose which security 
measures to implement to meet applicable risk-based performance 
requirements. The bill does not authorize any new surveillance 
authorities or permit the government to ``take over'' private networks. 
This model would allow for continued

[[Page S4855]]

innovation and dynamism that are fundamental to the success of the IT 
sector.
  The bill would provide limited liability protections to the owners 
and operators of covered critical infrastructure that comply with the 
new risk-based performance requirements. Covered critical 
infrastructure also would be required to report certain significant 
breaches affecting vital system functions to the center. These reports 
would help ensure that the Federal Government has comprehensive 
awareness of the security risks facing these critical networks.
  If a cyber attack is imminent or occurring, the bill would provide a 
responsible framework, developed in coordination with the private 
sector, for the President to authorize emergency measures to protect 
the Nation's most critical infrastructure. The President would be 
required to notify Congress in advance of the declaration of a national 
cyber emergency, or as soon thereafter as possible. This notice would 
include the nature of the threat, the reason existing protective 
measures are insufficient to respond to the threat, and the emergency 
actions necessary to mitigate the threat. The emergency measures would 
be limited in duration and scope.
  Any emergency actions directed by the President during the 30-day 
period covered by the declaration must be the least disruptive means 
feasible to respond to the threat. Liability protections would apply to 
owners and operators required to implement these measures, and if other 
mitigation options were available, owners and operators could propose 
those alternative measures to the Director and, once approved, 
implement those in lieu of the mandatory emergency measures.
  The center also would share information, including threat analysis, 
with owners and operators of critical infrastructure regarding risks 
affecting the security of their sectors. The center would work with 
sector-specific agencies and other Federal agencies with existing 
regulatory authority to avoid duplication of requirements, to use 
existing expertise, and to ensure government resources are employed in 
the most efficient and effective manner.
  With regard to Federal networks, the Federal Information Security 
Management Act--known as FISMA--gives the Office of Management and 
Budget broad authority to oversee agency information security measures. 
In practice, however, FISMA is frequently criticized as a ``paperwork 
exercise'' that offers little real security and leads to a disjointed 
cyber security regime in which each Federal agency haphazardly 
implements its own security measures.
  The bill we introduce today would transform FISMA from paper-based to 
real-time responses. It would codify and strengthen DHS authorities to 
establish complete situational awareness for Federal networks and 
develop tools to improve resilience of Federal Government systems and 
networks.
  The legislation also would take advantage of the Federal Government's 
massive purchasing power to help bring heightened cyber security 
standards to the marketplace. Specifically, the Director of the Center 
would be charged with developing a supply chain risk management 
strategy applicable to Federal procurements. This strategy would 
emphasize the security of information systems from development to 
acquisition and throughout their operational life cycle.
  While the Director should not be responsible for micromanaging 
individual procurements or directing investments, we have seen far too 
often that security is not a primary concern when agencies procure 
their IT systems. Recommending security investments to OMB and 
providing strategic guidance on security enhancements early in the 
development and acquisition process will help ``bake in'' security. 
Cyber security can no longer be an afterthought in our government 
agencies.
  These improvements in Federal acquisition policy should have 
beneficial ripple effects in the larger commercial market. As a large 
customer, the Federal Government can contract with companies to 
innovate and improve the security of their IT services and products. 
With the Government's vast purchasing power, these innovations can 
establish new security baselines for services and products offered to 
the private sector and the general public.
  Finally, the legislation would direct the Office of Personnel 
Management to reform the way cyber security personnel are recruited, 
hired, and trained to ensure that the Federal Government and the 
private sector have the talent necessary to lead this national effort 
and protect its own networks. The bill would also provide DHS with 
temporary hiring and pay flexibilities to assist in the establishment 
of the center.
  Some have suggested that this effort can be led from the White House 
alone--why create a new center at DHS and two Senate-confirmed Director 
positions? One of the great lessons of 9/11 is that true security 
demands aggressive oversight, expert evaluation, and thorough testing 
of systems. There must be constant, real-time monitoring of security 
and analysis of threats. This task requires much more than a cyber 
czar. It requires strong civilian counterparts to the Secretary of 
Defense and the Director of National Intelligence. These Directors, at 
the White House and at DHS, would serve as those counterparts.
  The National Security Agency and other intelligence agencies possess 
enormous skills and resources, but privacy and civil liberties demands 
preclude these agencies from shouldering a leadership role in the 
security of our civilian information technology systems. The 
intelligence community must play a critical part in providing threat 
information, but it cannot lead the cyber security effort.
  We are all acutely aware that there are those who seek to do harm to 
this country and to our people. If hackers can nearly bring Estonia to 
its knees through cyber attacks, infiltrate our military's most 
closely-guarded project, and, in the case of Google, hack the computers 
owned and operated by some of the world's most successful computer 
experts, we must assume even more spectacular and potentially 
devastating attacks lie ahead.
  We must be ready. It is vitally important that we build a strong 
public-private partnership to protect cyberspace. It is a vital engine 
of our economy, our government, our country and our future. I urge my 
colleagues to support this crucial legislation.
                                 ______