[Congressional Record Volume 156, Number 96 (Thursday, June 24, 2010)]
[Senate]
[Pages S5445-S5447]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BOND (for himself and Mr. Hatch):
  S. 3538. A bill to improve the cyber security of the United States 
and for other purposes; to the Committee on Homeland Security and 
Government Affairs.
  Mr. BOND. Mr. President, over the past several months, our Homeland 
has experienced direct terrorist attacks against two military bases and 
attempted terrorist attacks on Christmas Day and in Times Square. These 
attacks quickly captured the attention of the American public and stand 
as stark reminders of the threats our Nation continues to face from 
terrorists across the globe.
  After these recent attacks, I have no doubt that every American is 
aware of the threat from a terrorist with a bomb, which could take out 
a city block or bring down an airplane. But I am afraid that right now, 
the American public is largely unaware of a silent threat that could 
devastate our entire Nation--cyber attacks.
  These cyber attacks happen every day, but have remained largely under 
the public radar. Our government, businesses, citizens, and even social 
networking sites all have been hit. Cyber attacks are on the rise and 
unless our private sector and Congress start down a better path to 
protect our information networks, serious damage to our economy and our 
national security will follow.
  In an ever-increasing cyber age, where our financial system conducts 
trades via the Internet, families pay bills online, and the government 
uses computers to calculate benefits and implement war strategies, 
successful cyber attacks can be devastating. The nightmare scenarios no 
longer exist just in Hollywood movies. Imagine if a terrorist disrupted 
our air traffic control on an average day with more than 28,000 
commercial aircraft in our skies; if a hacker took down Wall Street 
trading for just hours; or if an attack destroyed an electrical grid in 
a major city.
  Scenarios like these make it even more important that we listen to 
the recent comments by former Director of National Intelligence Mike 
McConnell who testified that ``[i]f we were in a cyber war today, the 
United States would lose.'' That is no insignificant statement coming 
from a military and intelligence veteran like Mike McConnell and it 
should cause all of us to pause and take a look at how we should 
neutralize this rising threat. Our networks and way of life could be 
taken down by an enemy state, a terrorist group, or a single hacker. 
That is why Senator Hatch and I are introducing the National Cyber 
Infrastructure Protection Act of 2010 today.
  Let me be blunt here: our enemies won't wait for us to do our 
homework, solve our turf battles, or modernize our laws before using 
our networks as a deadly weapon; in fact, the attacks have already 
started. We do not have another day to waste, and I believe our bill is 
the best solution to address this threat.
  This act is built on three principles: first, we must be clear about 
where Congress should, and, more importantly, should not legislate. 
Congress should set lanes in the road to protect our Nation's cyber 
security, but leave flexibility for the private sector and government 
to adapt to changing threats within those lanes.
  In 1978, when the Foreign Intelligence Surveillance Act was enacted, 
it put into law certain technologies. Those technologies changed and 
thus FISA was ineffective in enabling us to listen in on cell phone and 
e-mail traffic between terrorists in foreign countries.
  We have seen within the past few years the national security problems 
that can arise when laws are too rigid to keep pace with technology. We 
have also heard repeated concerns from industry, the private sector, 
and those operating critical infrastructure that overlegislating by 
Congress ultimately will make it harder to protect our networks as 
innovation and quick response get overrun by unnecessary regulatory 
schemes and mandates.
  Second, right now virtually every Federal department or agency has 
someone who is responsible for cyber security issues. But who makes 
sure that all those departments and agencies work together to protect 
all of our government networks? Who is the one person responsible, with 
authority to impact our cyber security strategies and activities? 
Unfortunately, right now, the answer is ``no one.''
  To solve this problem, our bill establishes a National Cyber Center 
and designates a single, Senate-confirmed individual, accountable to 
the Congress and the American people and reporting directly to the 
President, to serve as the Director. The Director has the statutory 
responsibility and authority to coordinate activities to protect 
government networks and develop policies and procedures to help Federal 
agencies do the job.
  In order to reduce the center's operating costs and to capitalize on 
the cyber expertise we all know resides in the Department of Defense, 
the National Cyber Center is administratively placed in DOD. But, out 
of deference to concerns that the military should not have too much 
control over government networks, the center is not run by the Defense 
Department and the Director does not report to the Secretary of 
Defense.
  Because a key part of the center is to make sure the right people are 
talking to each other, the act requires those parts of DOD, the 
Department of Homeland Security, the Office of the Director of National 
Intelligence, and the Federal Bureau of Investigation needed to carry 
out the center's missions to collocate and integrate within the center, 
much like the National Counterterrorism Center integrates elements of 
the intelligence community. Other Federal agencies may also participate 
in the center.
  As we put this bill together, former senior intelligence community 
officials told us that providing strong budget authority was essential 
for the Director to have the clout needed to do the job. And so, this 
act gives the Director clear input into cyber budgets across all 
Federal agencies, much like the Federal drug czar has in coordinating 
counterdrug budgets across different agencies. To hit this point home, 
the act also creates a National Cyber Security Program, similar to the 
National Intelligence Program. Such influence--influence that the 
current cyber czar simply does not have--is essential to creating a 
comprehensive, cost-effective approach to securing our government 
information networks.
  The third and final principle underlying this act is the idea that 
there must be a venue for the government and the private sector to 
collaborate and share information on cyber-related matters. The private 
sector is often on the front lines of cyber attacks, so any information 
it can provide to increase government awareness of the source and 
nature of cyber threats will make both government and the private 
sector stronger. The corollary to this is that the Government must 
share its own cyber threat information, including classified or 
declassified intelligence, with the private sector.
  Moreover, this collaboration, in order to be effective, must be 
voluntary. Once the private sector stands to gain technical advice and 
greater access to cyber threat information, there will be a clear 
incentive to join with the government in protecting our networks.
  Our bill codifies this collaboration, creating a public-private 
partnership known as the Cyber Defense Alliance to facilitate the flow 
of information about cyber threats and the latest technologies between 
the private sector and the government. The Alliance will be the 
clearinghouse for passing sensitive cyber threat information to the 
private and critical infrastructure entities on the front lines, but 
without compromising our intelligence sources and methods.
  We agree with intelligence experts and private sector representatives 
who have told us if the heavy hand of government drives this 
collaboration, it will not be effective. Therefore, the alliance will 
be managed by a board of directors consisting largely of private sector 
representatives and located in the Department of Energy, where the 
existing National Labs have great expertise to share. Because our 
private partners must know the information will not be compromised or 
other consequences will occur, the act gives solid protections from 
FOIA, antitrust restrictions, and other limitations.
  This bill is one of many cyber-bills introduced in Congress, so some 
may be asking why this approach is better.
  A key aspect of this bill is that it provides a practical public-
private cyber infrastructure designed to address effectively the cyber 
threat rather than preserve the jurisdictional turf of any one agency 
or congressional oversight committee. In other words--I don't have a 
dog in this fight--I just want to pass the best bill to protect our 
networks. The cyber threat will only be eliminated when we get all of 
the public and private players working together in harmony under a 
common vision toward common mission objectives.
  Our bill does not impose mandates on industry and the private 
sector--mandates and regulations that form the core of other bills, 
raising substantial concerns among our industry and private sector 
partners. Our economy is in turmoil as it is and the last thing we need 
are mandates imposed on U.S. businesses that will put them at a serious 
competitive disadvantage and jeopardize their proprietary information 
in the global marketplace. Many industry partners have told us that if 
we mandate this it would put them at a competitive disadvantage.
  Finally, our bill moves away from the notion that creating a 
statutory cyber coordinator in the Executive Office of the President 
will solve the cyber security problem. The current cyber security 
coordinator in the White House has neither the authority nor the staff 
to coordinate the government's wide range of cyber operations and 
strategies. Simply enshrining his position in statute will not overcome 
the claims of ``Executive Privilege'' that are bound to come when 
Congress asks for information and it will not guarantee the leadership 
necessary to address the cyber threat.
  Also, I think many of my colleagues would agree that now is not the 
time to give the Department of Homeland Security more responsibility, 
as some of the cyber bills out there want to do. I don't think many in 
this Chamber would disagree that DHS is already overburdened.
  The bill we are introducing today has already earned praise from the 
electric power sector because of the cooperative relationship that the 
Cyber Defense Alliance created in this bill fosters between the 
government and private sector. The entities that are part of the 
electric power sector recognize that this bill builds on what is 
already working and creates the infrastructure necessary to ensure a 
cooperative relationship between all of the relevant public and private 
cyber players to address the evolving cyber-security threat. I ask 
unanimous consent that this statement from the electric power sector be 
made a part of the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

        The National Cyber Infrastructure Protection Act of 2010

       Protecting the North American electric grid and ensuring a 
     reliable supply of power is the electric power industry's top 
     priority. Reliability is more than a buzzword for the 
     electric industry--it's a mandate. In fact, electric 
     companies can be assessed substantial penalties for failure 
     to comply with reliability standards.
       This focus on reliability, resiliency and recovery requires 
     the power sector to take an all-hazards approach, recognizing 
     risks from natural phenomena such as hurricanes or 
     geomagnetic disturbances to intentional cyber attacks. The 
     electric power sector works closely with the North American 
     Electric Reliability Corporation (NERC) and federal agencies 
     to enhance the cyber security of the bulk power system. This 
     includes coordination with the Federal Energy Regulatory 
     Commission (FERC), the Department of Homeland Security (DHS), 
     and the Department of Energy (DOE), as well as federal 
     intelligence and law enforcement agencies, and various 
     federal and provincial authorities in Canada.
       To complement its cyber security efforts and to address 
     rapidly changing intelligence on evolving threats, the 
     industry welcomes a cooperative relationship with federal 
     authorities to protect against situations that threaten 
     national security or public welfare, and to prioritize the 
     assets that need enhanced security. A well-practiced, public-
     private partnership utilizes all stakeholders' expertise, 
     including the government's ability to gather and share timely 
     and actionable threat information with critical 
     infrastructure asset owners and operators, upon which they 
     can formulate appropriate mitigation strategies to prevent 
     significant adverse consequences to utility operations or 
     assets.

     The comprehensive draft cyber security legislation under 
     development in the Senate Select Committee on Intelligence 
     attempts to create such a cooperative relationship by: * * *

  Mr. BOND. In addition, because I, the vice chairman of the Intelligence 
Committee, believe no legislation in this area should impede the 
intelligence community's ability to protect our nation from terrorist 
attacks and other threats, we asked the Office of the Director of 
National Intelligence for an informal assessment of our bill. They told 
us that, unlike other bills that have been introduced, this bill 
protects intelligence community equities, especially with respect to 
protecting classified intelligence sources and methods.
  The National Cyber Infrastructure Protection Act of 2010 provides 
broad lanes in the road, without micromanaging, to give all partners in 
cyber security, whether government or private, the flexibility to 
defend against threats from our enemies. The private sector already has 
a tremendous incentive to protect their own networks; all the Federal 
Government needs to do is support them with technology and information 
and get out of the way.
  Cyber attackers have been stealing intellectual property, threatening 
to take down our critical infrastructure, and gaining insight into our 
national security networks. The longer Congress waits to act, the more 
our vulnerability to these attacks increases. The National Cyber 
Infrastructure Protection Act will put the Government, our critical 
infrastructure companies, and the private sector on the right path to 
securing our networks. I urge my colleagues to join us in supporting 
this important legislation.
  Mr. HATCH. Mr. President, today I rise to express my support as a 
cosponsor of the National Cyber Infrastructure Protection Act. At long 
last, our Nation is finally recognizing the increasing danger posed by 
cyber threats and the devastating disruption that they can cause 
because of the interdependent nature of information systems that 
support our Nation's critical infrastructure.
  As a Nation, we must develop a strategy that provides a strategic 
framework to prevent cyber attacks against America's critical 
infrastructures. As a government, we must reduce national vulnerability 
to cyber attacks and minimize the damage and recovery time from cyber 
attacks should they occur. I believe that the legislation that my 
colleague from Missouri and I are introducing today will provide a sure 
foundation to put our Nation on a path to begin to address cyber 
vulnerabilities.
  The challenge to protect cyberspace is vast and complex and 
ultimately requires the efforts of the entire government. As a Nation, 
we must recognize that cyber threats are multi-faceted and global in 
nature. These threats operate in an environment that rapidly changes. 
The sharing of information between government and the private sector is 
crucial to our overall national and economic viability.
  Last January, McAfee issued a report that concluded that the use of 
cyber attacks as a strategic weapon by governments and political 
organizations is on the rise. The U.S. is the most targeted nation in 
the world--and our military, government, and private sector systems are 
often attacked with impunity. Our Nation has experienced large-scale 
malicious cyber intrusions from individuals, groups and nations. These 
attacks have dramatically increased in number and complexity.
  Just last year, Google and over 30 other companies linked to our 
energy, finance, defense, technology and media sectors fell prey to 
costly cyber attacks. Too many nations either directly sanction this 
activity or give it tacit approval by failing to investigate or 
prosecute the perpetrators. Many of the major incidents are presently 
coming out of Russia and China.
  The National Cyber Infrastructure Protection Act would establish a 
National Cyber Center, housed within the Department of Defense. The 
mission of the National Cyber Center would be to serve as the primary 
organization for coordinating Federal Government defensive operations, 
cyber intelligence collection and analysis, and activities to protect 
and defend Federal Government information networks. Critical in 
achieving this mission would be the sharing of information between the 
private sector and federal agencies regarding cyber threats. This 
center would be led by a Senate-confirmed director modeled after the 
Director of National Intelligence position. The director reports 
directly to the President and would coordinate cyber activities to 
protect and defend Federal Government information networks. The 
director would serve as the President's principal adviser on such 
matters and developing policies for securing Federal Government 
information networks.
  In our Nation today, over 3/4 of our Nation's critical infrastructure 
is under the control of the private sector. One such example is smart 
grid technology for power grids. The Smart Grid will use automated 
meters, two-way communications and advanced sensors to improve 
electricity efficiency and reliability. The nation's utilities have 
embraced the concept and are installing millions of automated meters on 
homes across the country. However, cyber security experts have 
determined that some types of meters can be hacked. As we rely on 
technology developed by private industry, we must ensure that we harden 
this technology against threats that could leave our citizens 
vulnerable.
  The opening salvos of future conflicts will be launched in 
cyberspace. In 2008, we saw this occur when Russian forces launched a 
cyber attack on Georgian defense and information networks. The Russians 
essentially blinded the Georgian military during the South Ossetia 
conflict. Our reliance on technology and integrated networks certainly 
makes our military and critical infrastructure more efficient. However, 
that efficiency can have its price in the form of cyber vulnerability.
  As Americans, we must be prepared to fight back should we be 
attacked. We must also harden our networks against the tools that 
criminals use to steal a person's identity and a company's trade 
secrets. These are the same tools that today can and will be used by 
terrorists in the future to attack and erode our infrastructure and 
defense systems. The stakes are too high and the risks are too grave to 
delay. If we don't move now to protect our national cyber 
infrastructure, the consequences to our economy, security and citizens 
could be dire. This is a fight we must win. The only way to win is to 
be prepared.
