[Congressional Record Volume 161, Number 157 (Monday, October 26, 2015)]
[Senate]
[Pages S7481-S7483]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
CYBERSECURITY INFORMATION SHARING BILL
Ms. COLLINS. Madam President, I rise to speak in favor of the
Cybersecurity Information Sharing Act of 2015, and I urge my colleagues
to support this much needed legislation. Nearly 3 months ago, the
Senate was unable to find a path forward to adopt this important bill.
Let's look at what has happened since the time that the Senate refused
to proceed.
The fact is that our country has continued to endure a wave of
damaging and expensive cyber attacks. These incidents include the first
major hack of Apple's popular App Store, the compromise of 15 million
T-Mobile users due to a breach at Experian, and the exposure of data of
up to 8,000 Army families due to improper procedures followed by the
General Services Administration. For the Army families who were
affected, this sensitive information included medical histories, Social
Security numbers, and child day care details.
Today, I renew my support for this bill in light of the continuing
state of cyber insecurity that affects information held in the public
and private sectors.
Passing the Cybersecurity Information Sharing Act would make it
easier for public and private sector entities to share cyber threat
information and vulnerabilities in order to lessen the theft of trade
secrets, intellectual property, and national security information, as
well as the compromise of sensitive personal information. It would
eliminate some of the legal and
economic barriers impeding voluntary two-way information sharing
between private industry and government. It is a modest but essential
first step to protect networks and their information.
This bill would not in any way compromise our personal information.
Its purpose is to help safeguard our personal information that breach
after breach, cyber attack after cyber attack has proven to be
vulnerable.
While this bill promotes appropriate information sharing between the
government and the private sector--a good first step, as I have
indicated--it unfortunately does little in its original form to harden
the protection of Federal networks or to guard the critical
infrastructure we rely upon every day. Thus, I have filed two
amendments to further strengthen our Nation's cyber security.
The first amendment is directed at improving the security of
sensitive personal data that is stored on networks of Federal civilian
agencies. The insecurity of Federal databases and networks has been
evident for years. Inspectors general reports have warned of it. Yet,
by and large, those calls for action have not been heeded by Federal
agencies, and certainly the weaknesses in our Federal agencies'
security systems are underscored by recent breaches and intrusions.
In June, more than 20 million--20 million--current, former, and
retired Federal employees learned that their personal data was stolen
from the poorly secured databases of the Office of Personnel
Management. Since that time, we have learned that the personal emails
of the Director of the CIA have been hacked. We have learned from the
State Department's inspector general that the State Department is
``among the worst agencies in the Federal Government at protecting its
computer networks.'' This substandard performance at the Department of
State continued even as an adversary nation breached the Department's
email system last year. According to the IG, compliance with Federal
information security standards remains ``substandard'' at the State
Department.
I know from my many years of service on the Committee on Homeland
Security, where we worked on cyber security issues for literally a
decade, producing legislation in 2010 and 2011 that unfortunately was
not approved by this body, that this problem is longstanding and it is
only growing worse. We ignore it at our peril.
This appalling performance in so many agencies and departments led to
my introducing bipartisan legislation with my colleague from Virginia,
Senator Warner, as well as Senator Mikulski, Senator Coats, Senator
Ayotte, and Senator McCaskill, to strengthen the security of the
networks of Federal civilian agencies.
Our bill has five elements, but the most important provision would
grant the Department of Homeland Security the authority to issue
binding operational directives to Federal agencies to respond in the
face of substantial breaches or to take action in the face of an
imminent threat to a Federal network. Although the Secretary of
Homeland Security is tasked with a very similar responsibility to
protect Federal civilian networks, he has far less authority to
accomplish this responsibility than does the Director of the National
Security Agency for the dot-mil networks. We can no longer ignore the
damaging consequences of failing to address these issues.
Our amendment would fortify Federal computer networks from cyber
threats in many ways. The key elements, I am pleased to say, in our
bill were incorporated into an amendment that has been filed by Senator
Carper, along with the chairman of the Homeland Security and
Governmental Affairs Committee, Senator Johnson, and Senator Warner, my
chief cosponsor of the bill we introduced, and, of course, myself.
Our amendment has been included in the managers' substitute
amendment, and I wish to thank Chairman Burr and Vice Chairman
Feinstein for their willingness to include these much needed provisions
to boost the security of the networks at Federal civilian agencies.
Just think of the kind of data that civilian agencies have in the
Federal Government. Whether we are talking about the Social Security
Administration, the Medicare agency, the IRS, the VA or the Department
of Defense, it is evident that millions of Americans--indeed, most
Americans--have personal data, sensitive data, such as Social Security
numbers, that are stored in these networks of Federal civilian
agencies, and we have an obligation to protect as best we can that
data.
I have also filed another amendment to the cyber bill, amendment No.
2623, that is aimed at protecting our country's most vital critical
infrastructure from cyber attack. This bipartisan amendment was
cosponsored by Senator Coats, Senator Warner, and Senator Hirono.
The livelihood and well-being of almost every American depend upon
critical infrastructure that includes the electricity that powers our
communities, the national air transportation system that moves
passengers and cargo safely from one location to another, and the
elements of the financial sector that ensure the $14 trillion of
payments made every day are securely routed through the banking system.
Those are just some examples of critical infrastructure. There are
obviously many more.
Our amendment would have created a second tier of mandatory reporting
to the government for the fewer than 65 entities identified by the
Department of Homeland Security where damage caused by a single cyber
attack would likely result in catastrophic harm in the form of more
than $50 billion in economic damage, 2,500 fatalities or a severe
degradation of our national security. In other words, only cyber
attacks that could cause catastrophic results would fall under this
reporting requirement.
For 99 percent of businesses, the voluntary information sharing
framework established in the bill before us would be enough, and the
decision on whether or not to share cyber threat information should
rightfully be left up to them. A second tier of reporting is necessary,
however, to protect the critical infrastructure that is vital to the
safety, health, and economic well-being of the American people.
Under our amendment, the owners and operators of the country's most
critical infrastructure would report significant cyber attacks just as
incidents of communicable disease outbreaks must be reported to public
health authorities and to the Centers for Disease Control and
Prevention.
Think about the situations we have here. Does it make sense that we
require one case of measles to be reported to a Federal Government
agency but not a cyber attack that could result in the death of more
than 2,500 people? How does that make sense?
The threats to our critical infrastructure are not hypothetical. They
are already occurring and increasing in frequency and severity. At a
recent Armed Services Committee hearing on cyber security, Senator
Donnelly asked the Director of National Intelligence, Jim Clapper, what
the No. 1 cyber challenge was that he was most concerned about.
Director Clapper testified that, obviously, it was a large-scale cyber
attack against the United States infrastructure.
In light of this No. 1 threat, how protected is our country? Well, I
have posed that very question to the Director of the NSA, Admiral Mike
Rogers. His answer, on a scale of 1 to 10, was that we are at about a 5
or 6. That is a failing grade when it comes to protecting critical
infrastructure, no matter what curve we are grading on.
Although I am very disappointed that the Senate will not consider the
original amendment I filed, I do want to acknowledge that Chairman Burr
and Vice Chairman Feinstein have worked closely with me on a compromise
to begin to address the issue of cyber security risks that present such
significant security threats to our critical infrastructure, and I am
grateful for their acknowledging that this is a problem that deserves
our attention.
This new amendment, which is section 407 of the managers' amendment,
requires the DHS Secretary to conduct an assessment of the fewer than
65 critical infrastructure entities at greatest risk and develop a
strategy to mitigate the risks of a catastrophic cyber attack. Let me
stress two things. We are only talking about fewer than 65 entities
that have already been designated by the Department of Homeland
Security as critical infrastructure where a catastrophic cyber attack
would cause terrible consequences.
Second, let me again describe what we mean by a catastrophic
attack. It means a single cyber attack that would likely result in $50
billion in economic damage, 2,500 Americans dying or a severe
degradation of our national security. We are talking about significant
consequences that would be catastrophic for this country--consequences
we cannot and should not ignore.
There are plenty of cyber threats that cannot be discussed in public
because they are classified--I know that as a member of the Senate
Intelligence Committee--but in light of the cyber threat to critical
infrastructure described by Admiral Rogers and Director of National
Intelligence Clapper in open testimony before the Congress, the bare
minimum we ought to do is to require DHS and the appropriate Federal
agencies to describe to us what more could be done to prevent a
catastrophic cyber attack on our critical infrastructure.
One or two years from now, I don't want us to be standing here after
a cyber 9/11 chastising ourselves, saying: Why didn't we do more to
confront an obvious and serious threat to our critical infrastructure?
By including these two provisions in the managers' substitute
amendment, we are strengthening the protections for Federal civilian
agencies and beginning--not going nearly as far as I would like but
beginning the vital task of protecting our critical infrastructure. We
will be strengthening the cyber defenses of our Nation.
I urge my colleagues to support the managers' amendment and the
underlying bill. By passing this long-overdue legislation, we will
begin the long-overdue work of securing our economic and national
security and our personal information for generations to come.
Thank you, Madam President.
I yield the floor.
Madam President, I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The legislative clerk proceeded to call the roll.
Mr. NELSON. Madam President, I ask unanimous consent that the order
for the quorum call be rescinded.
The PRESIDING OFFICER. Without objection, it is so ordered.
____________________