[Congressional Record Volume 158, Number 33 (Thursday, March 1, 2012)]
[Senate]
[Pages S1201-S1205]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. 
        Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson 
        of Wisconsin):
  S. 2151. A bill to improve information security, and for other 
purposes; to the Committee on Commerce, Science, and Transportation.
  Mr. McCAIN. Mr. President, I come to the floor today to introduce the 
Strengthening and Enhancing Cybersecurity by Using Research, Education, 
Information and Technology Act, also known as the SECURE IT Act. I am 
joined today by Senator Hutchison, Senator Chambliss, Senator Grassley, 
Senator Murkowski, Senator Coats, Senator Burr, and Senator Johnson of 
Wisconsin. My colleagues and I believe that passage of this act would 
be a significant step towards improving our Nation's cyber defenses.
  It is clear to most policy makers that the Internet has transformed 
nearly all aspects of our lives by breaking down barriers and 
increasing information efficiencies. Whether you are a student 
searching for an article to complete a homework assignment or a fireman 
trying to remotely determine the landscape of a forest to safely 
extinguish a fire, the Internet has improved our lives because it has 
so greatly transformed how and when we are able to access information.
  While progress is clear, not a week goes by without fresh media 
reports of a major compromise of a cyber network in the United States. 
A recent report by the Government Accountability Office stated that 
cyber attacks against the United States are up 650 percent over the 
last 5 years, and according to one leading cybersecurity firm, the 
annual cost of cyber crime itself is nearly $388 billion. That cost is 
close to the sum of all of the profits of the top 75 Fortune 500 firms 
for 2011. My friends, if the top 75 American businesses lost all of 
their profits in one year, we would be working night and day to solve 
the problem.
  Most of us don't need an analogy like that to appreciate the need to 
improve the current state of cybersecurity in this country. But the 
reality is that advancing much needed legislation has been extremely 
difficult. I will be the first to admit there are honest differences 
within the cybersecurity debate. However, over the course of the last 
few years, several cybersecurity solutions have been brought forth that 
I believe can be advanced and offer insight as to where progress can be 
achieved. These solutions are not insignificant and their passage would 
do plenty to improve our country's cybersecurity defenses. I believe 
that inaction is no longer an option. The stakes are too high and the 
threat is too real.
  The SECURE IT Act is a serious response to the growing cyber threat 
facing our country. Our bill seeks to utilize the world-class engineers 
employed by our private sector, not compliance attorneys in billable by 
the hour law firms. This is why a primary objective of our bill is to 
enter into a cooperative information sharing relationship with the 
private sector, rather than an adversarial one rooted in prescriptive 
Federal regulations used to dictate technological solutions to 
industry.

  The centerpiece of the SECURE IT Act is a legal framework to provide 
for voluntary information sharing. Our bill provides specific 
authorities relating to the voluntary sharing of cyber threat 
information among private entities, between a private entity and a non-
federal government agency such as a local government, and between any 
entity and a pre-existing Federal cybersecurity center. In setting 
forth our information sharing framework, we do not create any new 
bureaucracy.
  Further, the SECURE IT Act includes no government monitoring, no 
government take-overs of the Internet, and no government intrusions. 
There are plenty of laws that deal with those issues--this bill is not 
one of them. The goal of the information sharing title is to remove the 
legal hurdles which prevent critical information from being shared with 
those who need it most.
  In drafting the information sharing title of our bill, my colleagues 
and I were very sensitive to the issue of privacy and we worked very 
hard to put forth understandable privacy protections. First, we limit 
the type of information involved in information sharing

[[Page S1202]]

to ``cyber threat information'' as it is narrowly defined in the bill. 
There are no legal protections for entities using, receiving, or 
sharing information that falls outside that narrow ``cyber threat 
information'' definition. Second, we include techniques like 
information anonymizing and specifically state that entities can 
restrict the further dissemination of shared information. Additionally, 
after the first year, and then every other year, we will receive 
reports from the Privacy and Civil Liberties Oversight Board which will 
tell us how these authorities are being implemented. We take the issue 
of privacy very seriously.
  In addition to information sharing, the SECURE IT Act requires the 
Federal Government to improve its own cybersecurity by reforming the 
Federal Information Security Management Act--the law that governs 
federal networks. These updates are meant to ensure that the Federal 
Government transitions from paper-based reporting on network security 
to real-time monitoring--a huge step in federal cybersecurity which 
will go a long way to improve how the government addresses its own 
cyber threats. This transition from a checklist approach to continuous 
monitoring will not happen without an associated cost. However, we 
believe our approach to this necessary improvement is the most fiscally 
responsible because we require agencies to meet these requirements by 
using existing budgets, rather than by authorizing new federal 
spending.
  We are all aware that the federal government also plays a critical role 
in cybersecurity research. The Defense Advanced Research Projects 
Agency, the Department of Energy laboratories and the National Science 
Foundation are all world-class leaders in research that is essential to 
understanding how to best protect our country's cyber infrastructure. 
This work serves an important purpose and should be a Federal priority 
even in a time of significant budget constraints. However, the 
significance of these programs does not provide us with an excuse to 
authorize new spending or establish new programs. The SECURE IT Act 
ignores this temptation and does not authorize new spending or 
programs.
  Finally, our cybersecurity bill updates our nation's criminal laws to 
account for new cyber crimes and assists the Department of Justice to 
prosecute cyber criminals.
  In sum, it is our belief that the provisions included in the SECURE 
IT Act will dramatically improve cybersecurity in this country. More 
importantly, the approach taken in the SECURE IT Act has a real chance 
of being enacted into law this year. This is real progress that will 
impact nearly all Americans. After all, we are all in this fight 
together, and as we search for solutions, our first goal should be to 
move forward together.
  Mrs. HUTCHISON. Mr. President, I rise to talk about a bill that was 
introduced this morning. The bill is the Strengthening and Enhancing 
Cybersecurity by Using Research, Education, Information, and Technology 
Act, which we refer to as the SECURE IT Act.
  This is a very important piece of legislation because we know that 
cyber attacks are a threat to our country and we need to strengthen our 
laws to ensure we are protecting our assets, our communication systems, 
and all of the infrastructure that is run by communications systems.
  We are working as a group. Senators McCain, Chambliss, Grassley, 
Murkowski, Coats, Burr, and Johnson are original cosponsors. All of us 
are the ranking members on the relevant committees that must deal with 
cybersecurity.
  Senator McCain, the lead sponsor, is, of course, the Armed Services 
ranking member. I am the ranking member of Commerce, Senator Chambliss 
of Intelligence, Senator Grassley certainly of Judiciary, and Senator 
Murkowski of Energy.
  It is very important that our relevant committees have come together 
with our ranking members, and we hope very much to gain support from 
the Democratic side as well on a bill that we think can get through all 
of Congress and be signed by the President because the parts of our 
bill that will strengthen our cybersecurity in this country are, I 
think, accepted by those who have expertise in this area. For instance, 
our bill will help prevent the spread of cyber attacks from network to 
network and across the Internet by removing barriers to sharing 
information about threats, attacks, and strategies for improvement of 
defenses. We remove these barriers through addressing the antitrust 
laws that would allow companies that are sharing information not to be 
threatened with antitrust suits, because this is a security issue, it 
is not a competitive issue. Secondly, we want to have liability 
protection for those who disclose cyber threat information with their 
peers.
  These are things that would be in everyone's interest for us to do, 
and we do need to address them in legislation. The liability and 
antitrust protections are available to all companies that would share 
information, not just those that share with the government but when 
they can talk to each other, to understand each other's systems.
  Further, the SECURE IT Act would require that Federal contractors 
providing electronic communication or cybersecurity services to Federal 
agencies share cyber threat information related to those contracts. Of 
course, when they have contracts with the government, that information 
is going to be very important so we would require the sharing of 
information about threats that might jeopardize the system's security.
  In addition, the government will develop procedures for the timely 
sharing of classified, declassified, and unclassified information to 
ensure that information needed to secure networks is fully accessible 
to trusted parties.
  We are concerned that there are other bills out there that will add 
another new bureaucracy, another layer of regulation that is not 
necessary and brings in another agency that would overlay the security 
agencies that already have systems in place. It would also allow the 
regulatory bodies for certain areas of interest to handle the 
cybersecurity rather than another overlay of a new department.
  I think so many people in our country who are in business feel they 
are overwhelmed with duplicative regulations and different agencies 
they have to report to. We want to streamline whom they have to report 
to and try to use existing structures and existing regulatory 
authorities to deal with each individual company or industry so that we 
don't have to give them yet another new bureaucracy that would then 
have regulations, if they are deemed to be critical infrastructure. 
That is when it becomes the regulatory threat.
  We believe the private sector is more aware of individual security 
needs and better equipped than the Department of Homeland Security to 
secure its own networks, working with its own regulators. According to 
the Office of Management and Budget, the government itself has had 
great difficulty in preventing attacks on Federal systems. So we do 
require that the reporting of Federal contractors go to the Federal 
security agencies, but we don't think the Federal agencies being in 
charge of everything is necessarily an improvement.
  We want to make sure the Federal Information Security Management Act, 
which is the law, is actually updated so that the new forms of cyber 
threats are accommodated in FISMA, the Federal Information Security 
Management Act, and to strengthen that with the updates.
  The legislation also updates the Criminal Code to address cyber 
crimes, strengthening penalties, improving the Department of Justice's 
ability to prosecute this kind of criminal who would take down whole 
systems of our government.
  Our bill will prioritize cybersecurity research and development so we 
can harness innovation to protect our country and our private 
industries from cyber attacks.
  I am very pleased that we have been able to introduce this 
legislation as an alternative to some of the other bills that have come 
out. I believe that if we can go forward with negotiating, perhaps we 
can come to an accommodation with the bills that have been introduced 
with other sponsors. But we don't think the bills that have been 
introduced address our concerns and we want to ensure that we do not 
have another big Federal bureaucracy, that we do not overlay the 
regulators who already have expertise in this area with new regulators 
whom we have to train

[[Page S1203]]

and deal with. We think the defense agencies--the National Security 
Agency, the Defense Intelligence Agency, the CIA, DHS--all of those 
with their cybersecurity assets already in place are the better place 
to put the strength, not reinventing the wheel but better utilizing the 
systems we already have.
  I think it is time for our Senate to address cybersecurity. I think 
we have good proposals out there; perhaps we can take the best of 
those. I think this is the right approach, and Senators McCain, 
Chambliss, Grassley, and Murkowski were key to drafting this 
legislation that I think will get the support of all of the 
stakeholders, as well as the House of Representatives, to actually pass 
a bill to improve our systems and take it to the President for 
signature.
  Mr. CHAMBLISS. Mr. President, I rise today to speak in support of the 
Strengthening and Enhancing Cybersecurity by Using Research, 
Information, and Technology Act of 2012, otherwise known as the SECURE 
IT Act. This bill provides a strong foundation for Congress to enact 
what I hope can be a truly bipartisan approach for improving the 
ability of all Americans to protect themselves against the ever-
increasing cybersecurity threat.
  This bill was dropped today under the leadership of Senator McCain, 
Senator Hutchison, Senator Grassley, Senator Murkowski, and myself, and 
I am very pleased to be a part of that group who has worked very hard 
on this bill for a number of months.
  There are a few who dispute the significance of the problem posed by 
the threat of cyber attacks. The financial harm inflicted by these 
attacks is now costing Americans billions of dollars each year. Denial-
of-service attacks have been shutting down the Internet presence of 
businesses and organizations for years. Beyond the economic costs, 
malicious cyber activity is damaging our national security. Every day, 
cyber criminals and foreign adversaries steal large amounts of 
sensitive information from the networks of government and private 
sector entities. These trends need to be reversed before these 
malicious activities are measured in terms of lives lost rather than in 
terms of dollars as we are seeing today.
  For years the Senate Intelligence Committee has been following the 
growing cybersecurity threats. Early on, one of the most common 
questions asked in the cybersecurity context was, Who is in charge? 
While this seems like the natural place to start, it is important to 
understand why this is really not the right question.
  First, there is no consensus on who should be in charge. Some have 
argued it should be the Department of Defense. Some say it should be 
the Department of Homeland Security. Others think it might be best to 
start from scratch. All of these options have very obvious drawbacks.
  Second, and more important, we have been looking through the wrong 
end of the telescope in trying to answer this question. Rather than 
trying to find a governmental entity that should be in charge of 
cybersecurity, it turns out that the answer is actually much simpler: 
each and every one of us is in charge of our own cybersecurity. I know 
some people will scoff at this answer because it is too simplistic for 
such a complicated problem or they just don't trust us to act in our 
own best interests. I think they are wrong on both counts.
  So, if we--and by ``we,'' I mean all of us who use and rely on 
computer networks, whether individuals, groups, organizations, 
corporations, or government agencies--are in charge of our own 
cybersecurity, the real question then is, What should be done to reduce 
the threat of malicious cyber activity? I believe the answer to that 
question is contained in the bill called the SECURE IT Act that we have 
filed today.
  The SECURE IT Act consists of four key areas of common ground 
identified in various legislative efforts: first, information sharing; 
second, Federal Information Security Management Act reform; third, 
enhanced criminal penalties; and fourth, cybersecurity research and 
development.
  We have seen firsthand the positive impact better information sharing 
can have on our national security. Since the 9/11 terrorist attack, 
improved information sharing throughout the government and especially 
within the intelligence community has greatly enhanced our national 
security. I believe a similar improvement to information sharing in the 
cyber context will pay huge, long-term dividends in terms of our safety 
and national security.
  Once there is an understanding that information sharing will work 
best if it empowers the individual rather than a discrete government 
entity, the move from a regulatory approach to one that encourages 
voluntary sharing of cyber threat information by removing unintended 
barriers quickly follows. The information-sharing title of the SECURE 
IT Act is based on this voluntary approach and on the principle that 
government cannot and should not solve every problem.
  The cosponsors of this bill relied upon a number of principles and 
practical considerations to develop the information-sharing provisions 
in this bill.
  First, private sector innovation is the engine that drives our 
economy. Private sector entities have a vested interest in protecting 
their assets, businesses, and investments. What they often lack is 
information to help them better protect themselves. Therefore, our 
information-sharing provision authorizes private sector entities and 
non-Federal Government agencies to voluntarily disclose cyber threat 
information to government and private sector entities. The only time 
cyber threat information must be shared with the government is when it 
is directly related to a contract between a communications service 
provider and the government, which ordinarily is a term included in 
that contract anyway. The only new requirement is that such information 
will ultimately need to be shared with a cybersecurity center.
  Information sharing is and must be a two-way street, but there are no 
quid pro quos here. Because the government often sees different threat 
pictures than the private sector, our bill also encourages the 
government to immediately share more classified, declassified, and 
unclassified cyber threat information. As one example, consider how 
improved information sharing might safeguard transportation industry 
systems. Suppose a commercial airline company detects a virus in their 
reservation system. The virus is stealing information, including 
customers' credit card numbers, and sending it to a hacker's server 
overseas. The airline, after investigating internally, determines where 
the stolen data is being sent. Under our bill, the airline may share 
the Internet address that is receiving the stolen credit card 
information with any other companies, such as other airlines, as well 
as with the government. With this warning from the first airline, other 
transportation companies can check their systems to see if any of their 
data is being sent to the hacker's server. Moreover, using the hacker's 
Internet address, law enforcement is able to begin an investigation to 
identify other victims of the same hacker.
  The cybersecurity centers will also be able to notify private 
entities of the nature of this particular threat. In this example, it 
is unlikely that the airline will ever need to share or release any 
customer's personally identifiable information.
  Second, my cosponsors and I intentionally omitted a critical 
infrastructure title because we believe a top-down regulatory approach 
will stifle the voluntary sharing of cyber threat information by the 
private sector. Consistent with this principle, our information-sharing 
title does not provide any additional authority to any government 
entity to impose new regulations on the private sector. In fact, the 
bill prohibits government agencies from using any shared cyber threat 
information to regulate the lawful activities of an entity. In short, 
the bill leaves the existing regulatory regime unchanged.
  The real difficulty with trying to regulate in this area is that 
malicious cyber activities occur in real time and are constantly 
changing. The bureaucracy-driven regulatory process is simply not 
nimble enough to keep up with the leading cybersecurity practices. 
Another disadvantage to a regulatory approach is that it gives hackers 
insight into existing cybersecurity performance requirements and, as a 
result, potential vulnerabilities. As industry representatives have 
told us, this could actually make us less safe, not more safe.

[[Page S1204]]

  Thirdly, our bill does not create any new bureaucracy to facilitate 
the sharing of cyber threat information. Rather, it relies upon the 
existing cybersecurity centers and gives private entities the 
flexibility to share their cyber threat information with any cyber 
center. To ensure thorough dissemination within the government, each 
cybersecurity center is required to pass on to other centers any cyber 
threat information it receives from an entity. Ultimately, we expect 
that our current decentralized cybersecurity center structure will be 
energized by an increase in shared cyber threat information. We also 
think these centers, with their ongoing relationships with many private 
entities, provide a more robust and secure environment for information 
sharing than creating new cybersecurity exchanges or a new national 
center.
  Another advantage of our ``no new regulatory authorities'' and ``no 
new bureaucracy'' approach is it is also a ``no new spending'' 
approach. Our bill does not authorize any new spending, which is 
particularly important given our current economic situation.
  Fourth, our bill contains clear and unconditional protection from 
civil and criminal liability for entities that rely upon the 
authorities in the information-sharing title. Specifically, a private 
entity cannot be sued or prosecuted for using lawful countermeasures 
and cybersecurity systems to defend its networks and identify threats. 
In addition, neither a private entity nor a Federal Government entity 
can be sued or prosecuted for using, disclosing, or receiving cyber 
threat information or for the subsequent action or inaction by an 
entity to which they gave cyber threat information.
  These clear liability protections are necessary to encourage robust 
information sharing. If they are watered down or made conditional on 
sharing with the government, private sector lawyers will likely 
discourage their clients from sharing cyber threat information and, at 
a minimum, sharing will be delayed while lawyers have to be consulted.
  The final practical consideration that governed the drafting of our 
information-sharing title was to provide sensible safeguards for the 
protection of personal privacy. We accomplished this in a number of 
ways.
  This information-sharing title is focused on the sharing of only 
``cyber threat information.'' It is a key definition in the bill. If 
you study it carefully, you will see it is limited primarily to 
information related to malicious cyber activities. There is no 
authorization or liability protection for using, sharing, or receiving 
information that falls outside of this definition. Nor can private 
entities use their cybersecurity systems to get information that falls 
outside this definition. Moreover, it helps to remember that people 
engaged in malicious cyber activities are essentially trespassers who 
have no standing to assert privacy interests.
  Besides this relatively narrow definition of ``cyber threat 
information,'' there is an additional privacy mechanism that limits the 
collection and disclosure of cyber threat information for the purpose 
of preventing, investigating, or mitigating threats to information 
security. In other words, if what you are doing is not for these 
purposes, then you cannot do it under this bill.
  Another way this bill protects privacy is by requiring the government 
to handle all cyber threat information in a reasonable manner that 
considers the need to protect privacy and allows the use of anonymizing 
information.
  Since information sharing is voluntary under our bill, private sector 
entities can take any steps to protect their own privacy interests and 
the privacy of their customers. Moreover, our bill allows private 
sector entities to require the recipients of their cyber threat 
information to seek their consent before further disseminating the 
information.
  Finally, Congress will be able to conduct its oversight since our 
bill requires an implementation report to Congress within 1 year of 
enactment, with follow-on reports every 2 years thereafter. These 
reports will give Congress detailed insight into a number of areas, 
including the degree to which privacy may be impacted by the provisions 
in this title.
  Now that I have identified the key components and advantages of our 
approach to information sharing, let me explain why we were compelled 
to draft this separate bill.
  All of the cosponsors of the SECURE IT Act agree with Senators 
Lieberman and Collins and the White House that Congress needs to 
address the cybersecurity threat. When we attempted to participate in 
the cyber working groups, it became clear pretty early on that it was 
going to be difficult to come up with a consensus product.
  My experience with working on bipartisan bills such as the 
Intelligence Authorization Act is that we generally start from scratch 
and only put in those provisions that are agreed to by both sides. If a 
provision receives an objection, it is not included, but it is 
understood it may be an amendment during markup or on the floor. This 
approach always gives us a great starting point that enjoys the 
overwhelming support of both sides.
  Since the working group process had essentially reached an impasse on 
the issue of critical infrastructure regulation and how best to promote 
information sharing, the cosponsors of the SECURE IT Act joined 
together to develop a bill that would cover ``common ground'' and could 
serve as a better starting point for negotiations. We have listened to 
all sides in putting this bill together--government, industry, private 
groups, cybersecurity experts, and our colleagues on both sides of the 
aisle in both the Senate and the House. There should be nothing 
surprising in our bill. Our ranking member group has been telegraphing 
our priorities for months now.
  If we are serious about passing cybersecurity legislation in this 
Congress--and I hope we are--we should be working together to pass a 
bill with the support of a large group of Senators far in excess of the 
60 we need, as we have done in the past on many major pieces of 
legislation. I believe the ``common ground'' approach of the SECURE IT 
Act puts us on a clear path to reaching this goal.
  This is important national security legislation. Fortunately, Leaders 
Reid and McConnell have an outstanding record of garnering overwhelming 
bipartisan support for national security legislation, and I am 
confident they will seek to do so again. I look forward to continuing 
these discussions and getting a strong bipartisan bill signed into law.
  Ms. MURKOWSKI. Mr. President, I come to the floor today to speak 
about cybersecurity legislation--legislation we hope will soon be 
before the Senate.
  There is no question--no question at all--that this is a critical 
issue that should be addressed by this Congress, and I am certain that 
every Member of this body is concerned that our Nation may be 
vulnerable to cyber-attacks that could truly have very severe economic 
and security ramifications. We see stories about cyber-attacks daily--
whether they are attacks on individuals, on companies, on government--
and I believe it is time for us to take steps to protect ourselves 
against this emerging threat.
  In the coming weeks, the Senate is expected to take up legislation to 
address this very real problem, and I am hopeful this effort will 
result in legislation we can all agree is worthy of sending to the 
President. But right now it appears we are on track to follow an all-
or-nothing approach. The problem I see with the bill that is expected 
to come to the floor--featuring text that was recently released by the 
Homeland Security and Governmental Affairs Committee--is that it has 
not gone through regular order and, I fear, amounts to regulatory 
overreach. If that is our only option here, it will ultimately prevent 
us from making progress on cybersecurity here in Congress, which I 
think would be an unfortunate outcome.
  Because that outcome is unacceptable, I have introduced an 
alternative bill this morning, along with a number of ranking member 
colleagues. I know Senator Chambliss from Georgia was here on the floor 
earlier, and many of us spoke to it earlier in the day. We call our 
bill the Strengthening and Enhancing Cybersecurity by Using Research, 
Education, Information, and Technology Act of 2012. It has an acronym, 
of course. It is called SECURE IT for short. The bill follows a 
commonsense approach to address our ever-increasing cyber threats.
  Our bill focuses on four different areas we believe can draw 
bipartisan

[[Page S1205]]

support and result in good public law. Those four areas are: 
information sharing, FISMA reform--which is intelligence-sharing 
reform--criminal penalties, as well as additional research.
  What the SECURE IT bill does not do is equally important, because it 
does not simply add new layers of bureaucracy and regulation that will 
serve little purpose and achieve meager results. The Homeland Security 
and Governmental Affairs Committee bill would arm the Department of 
Homeland Security with expansive new authorities to review all sectors 
of our economy and designate what is termed ``covered critical 
infrastructure'' for further regulation. What we hear out there from 
industry is that this amounts to regulation almost for regulation's 
sake. In the electricity industry's case, this is resulting in 
duplicative regulation that I am afraid will lead to a ``compliance 
first'' mentality. Companies will focus on meeting their new Federal 
requirements and passing a seemingly endless stream of audits, but 
these heavyhanded statistic requirements from yet one more Federal 
regulator will not necessarily address the very real threats we face. 
So again, the concern is we will have industry focused on how do we 
comply, how do we avoid a bad audit, instead of using their ingenuity 
and their resources to ensure we stay ahead of any future cyber-attack. 
We need to be more nimble. We have to have a more nimble approach to 
dealing with cyber-related threats that are constantly growing and 
constantly changing. The threat we see today is not necessarily the 
threat we might anticipate tomorrow, so we have to stay ahead of the 
game. This is important, and this is where our SECURE IT bill comes in. 
I think we have simply taken a more pragmatic approach by focusing on 
the areas where we know we can find some bipartisan support.
  One area I think we can all agree on is that the Federal Government 
needs to form a partnership with the private sector. We share the same 
goals, that is clear. The goals are to keep our computer systems and 
our Nation safe from cyber intrusions. We need the private companies to 
be talking with each other and with the government about the cyber 
problems they face as well as the potential strategies and the 
solutions to combat them. To achieve this goal, our legislation 
encourages the voluntary sharing of much needed information by removing 
legal barriers to its use and its disclosure. At the same time, we are 
very careful to safeguard the privacy and prohibit information from 
being used for competitive advantage.
  Our bill also provides necessary updates to the Federal Information 
Security Management Act. This is the FISMA I spoke to a minute ago. 
These FISMA reforms require real-time monitoring of Federal systems. It 
will modernize the way the government manages and mitigates its own 
cyber risks. And unlike other legislation on this subject, the cyber 
bill we have introduced today will update criminal statutes to account 
for cyber activities. Finally, we support advanced cybersecurity 
research by leveraging existing resources without necessarily spending 
new Federal dollars. That is very important for us.
  This straightforward approach to cybersecurity, I think, can go a 
long way in tackling the problem. Clearly, our own government agencies 
here need to be communicating a little bit better with one another. An 
example of this is that the White House and Department of Homeland 
Security are staging an exercise next week. All Members have been 
invited to attend and go through this exercise. It is a mock scenario 
that will feature a cyber-attack on the Nation's grid. And while I 
absolutely think this is a useful exercise, and something that is well 
worthwhile, I do find it quite surprising--quite surprising--that DHS 
would set up a grid attack scenario and fail to include the grid's 
primary regulators. These would be the electric reliability 
organization--what we call NERC--and the Federal Energy Regulatory 
Commission, or FERC. These are the two regulatory agencies currently in 
place that provide for that cyber regulation. It is mandated within our 
grid that these agencies tend to just this issue. So it does make me 
question if DHS is even aware the electric industry is the only 
industry already subject to mandatory cyber standards, or that the NERC 
has the ability to issue time-sensitive alerts to electric utilities in 
the event of emergency situations. It is kind of hard for me to 
understand why DHS would proceed with a grid attack simulation and not 
include the existing governmental entities that already have these 
safeguards in place. It also begs the question as to whether Congress 
should provide DHS with such significant and expansive new authorities 
in the cyber arena.
  Before I close, I wish to take a moment to talk about the process 
behind cybersecurity legislation. While my colleagues and I have 
highlighted the substantive and procedural problems that are associated 
with the Homeland Security and Governmental Affairs Committee bill, the 
majority, and even the press, have attempted to dismiss our arguments 
as nothing more than partisan stall tactics.
  I stand before you to tell you that is simply not true. I want to 
take action on cyber. I know all of the ranking members who have joined 
together on this issue want to take action on cyber. We need to do it. 
I have been calling for action and for legislation since last Congress. 
We have been working on it in the Energy Committee and have moved out 
that cyber energy piece. But I do think it is important around this 
body that there is some meaning to the process; that process really 
does matter. That is how strong, bipartisan pieces of legislation are 
enacted. When we forego that process and refuse to do the hard work in 
the committee--and it is hard. But if we don't do that, we put 
ourselves on a path to failure with that legislation.
  So when we have seven ranking members taking issue with how a bill 
has been put together, I think we had better pay attention. I think we 
need to look at whether our process is working.
  The SECURE IT bill we introduced today is a strong starting point for 
us. Some may argue we need to go a little further. But additional 
layers of bureaucracy and regulations are not the answer at this time. 
Legislating in the four areas we have highlighted--in the information 
sharing, the FISMA reform, criminal penalties, and research--these are 
necessary first steps that will make a tremendous amount of difference. 
If we need to do more in the future, we in Congress can certainly make 
that determination. But let's not take an all-or-nothing approach to 
cyber legislation and ultimately end up empty-handed.
  I ask my colleagues to take a look at what we have presented today 
and consider supporting the SECURE IT Act so we can continue to ensure 
our citizens, our companies, and our country are protected.

                          ____________________