[Congressional Record (Bound Edition), Volume 156 (2010), Part 10]
[Senate]
[Pages 14011-14012]
[From the U.S. Government Publishing Office, www.gpo.gov]




                             CYBERSECURITY

  Mr. WHITEHOUSE. Madam President, I will speak about a topic that is 
central to our national security and economic prosperity and which gets 
far too little notice and attention; that is, the vulnerability of 
America's network information systems, and the economic danger and 
national security risks we face from cyber-theft, cyber-piracy, and 
cyber-attack.
  We live in a wired society. If we sever those wires and the social, 
economic, and communications linkages that make our way of life 
possible, we will cease to function. I am gravely concerned that we are 
not taking the necessary steps to guard against this threat, which I 
believe is the greatest unmet national security need facing the United 
States.
  Earlier this month, the Intelligence Committee Cyber Task Force 
submitted a classified final report to the chair and vice chair of the 
Intelligence Committee. It was an honor to chair this bipartisan 
initiative and to serve with my distinguished colleagues, Senator 
Mikulski and Senator Snowe. I thank them for their diligence, their 
leadership, and their important contributions to this effort. They were 
excellent and we made a good team.
  We spent 6 months investigating cybersecurity threats and our current 
posture for countering those threats, with a particular focus on the 
intelligence community. It was a very sobering experience.
  There is a concerted and systematic effort underway by nation states 
to steal our cutting edge technologies. At the same time, criminal 
hacker communities are conspiring to penetrate financial industry 
networks, rob consumers of their personal data, and transform our 
personal computers into botnet zombies that can spread malware and 
chaos.
  It is difficult to put a precise dollar figure on the damage and loss 
these malicious activities are causing, but it is safe to say it 
numbers in the many tens of billions of dollars--perhaps as high as $1 
trillion.
  I believe we are suffering what is probably the biggest transfer of 
wealth through theft and piracy in the history of mankind.
  In addition, we face the risk of attacks--attacks designed to disable 
critical infrastructure, with grave potential harm to our national 
security and to our financial, communications, utility, and 
transportation sectors.
  The intelligence community is keenly aware of the threat and is doing 
all it can within existing laws and authorities to counter it. The bad 
news is the rest of our country--including the rest of the Federal 
Government--is not keeping pace with the threat.
  I am encouraged by the growing interest in Congress, where there are 
now more than 40 bills pertaining to cyber. I want to commend Senator 
Rockefeller and Senator Snowe, in particular, for being at the leading 
edge of the Senate's efforts. They have spent more than a year fine-
tuning their legislation, which speaks of their commitment to 
protecting the country and their recognition that we cannot reduce our 
vulnerabilities without careful study and thoughtful engagement.
  Much of the current debate on cybersecurity in the Congress focuses 
on executive branch organization dealing with this threat. This is 
obviously an important issue, and it is one that we must resolve sooner 
rather than later. But the question of how this all gets organized 
within the executive branch is merely one of the many problem areas we 
saw during the course of the work of the task force.
  What are these other areas? Well, first of all, an overarching issue, 
we must raise the public's awareness about cyber-threats; otherwise, we 
face an uphill battle trying to legislate in this challenging and 
sensitive policy sphere.
  What is the problem? Well, threat information affecting the dot.gov 
and dot.mil domains is largely classified--often very highly 
classified--and entities in the dot.com, dot.net, and dot.org domains 
often consider threat information to be proprietary and disclosing it 
could be a risk to their business. So the result overall is that the 
public knows very little about the size and scope of the threat their 
Nation faces.
  If the public knew the stakes--knew the cyber-criminals, for example, 
have pulled off bank heists that would make Willie Sutton, Bonnie and 
Clyde, and the James Gang look like a bunch of petty thieves, they 
would demand swift action. If they knew the extent of the cyber-piracy 
against our intellectual property, and the economic loss that has 
resulted, the public would demand swift action. If they knew how 
vulnerable America's critical infrastructure is and the national 
security risk that has resulted, they would demand action. It is hard 
to legislate in a democracy when the public has been denied so much of 
the relevant information.
  The first key point is public awareness. We have to share more 
information with the public about what is going on out there.
  Second, we need to establish basic rules of the road. One of the 
signal features of our cybersecurity risk profile is that the 
overwhelming majority of malicious cyber-activity could be prevented if 
some computer users installed simple antivirus protections and allowed 
automatic updates of their software.
  If we followed basic rules of the road, there would be a national 
security advantage: The Federal Government could focus its 
cybersecurity efforts on that narrower subset of threats that can evade 
commercial, off-the-shelf technology. There would be economic advantage 
from the potentially massive reduction in cyber-crimes, such as 
identity theft and credit card fraud.
  Third, we need to empower the private sector to adopt a more 
proactive stance against cyber-threats. I am from Rhode Island. My 
State was founded as a sea trading State. When our traders were 
attacked by pirates, they got out their guns and fought back. Under 
current law, companies under cyber-attack can do little more than 
batten down the hatches. We need to look for more ways to help American 
companies better defend themselves.
  Our courts provide one option. Creative technical experts and smart 
lawyers at Microsoft were able to mount a very impressive counterattack 
against the Waledac botnet by obtaining a Federal court order requiring 
that VeriSign, the domain name registrar, cut off domains associated 
with the botnet. This disrupted the botnet's command-and-control 
function, and it highlights an important possible role for our judicial 
branch.
  Additionally, we need to establish lawful and effective means for 
industry sectors to band together with one another and engage with each 
other in common defense strategies and information sharing where 
appropriate with the government. There are some early examples, such as 
the defense industrial base, that merit commendation, which we should 
encourage. But it is still pretty primitive.
  Fourth, we must ensure that the Federal Government has the 
authorities and capabilities necessary to protect our American critical 
infrastructure against cyber-attack. If a bank, for instance, runs into 
a solvency problem, there is an established and widely accepted 
procedure for Federal intervention to protect the bank depositors, 
stand the bank back up, get it back on its feet, and move back out 
again.
  There is no similar procedure if that bank or American critical 
infrastructure, such as an electric utility, is failing due to an 
ongoing cyber-attack. There needs to be clear, lawful processes for the 
private sector to request technical assistance and clear authority for 
the government to act when a cyber-incident raises significant risk to 
American lives and property.
  It gets a little bit more complicated than that because you cannot 
just call 911, such as when there is a fire, and have the government 
come and put out the fire when it is a cyber-attack. Cyber-attacks 
happen literally at the speed of light.

[[Page 14012]]

  The best defense against cyber-threats, particularly the most 
dangerous cyber-threats, requires speed-of-light awareness and 
response. For this reason, it is worth considering whether some 
defensive capabilities should be prepositioned in order to better 
protect the Nation's most critical private infrastructure.
  During medieval times, critical infrastructure, such as water wells 
and graineries, were inside the castle walls, protected as a precaution 
against enemy raiders. Can certain critical private infrastructure 
networks be protected now within virtual castle walls in secure domains 
where those prepositioned offenses could be both lawful and effective?
  This would, obviously, have to be done in a transparent manner, 
subject to very strict oversight. But with the risks as grave as they 
are, this question cannot be overlooked.
  Fifth, we need to put more cyber-criminals behind bars. Law 
enforcement engagement against cyber-crime needs to be considerably 
enhanced at multiple levels, reporting, resources, prosecution 
strategies, and priority. A lot more folks need to go to jail.
  Finally, we must more clearly define the rules of engagement for 
covert action by our country against cyber-threats. This is an 
especially sensitive subject and highly classified. But for here, let 
me simply say that the intelligence community and the Department of 
Defense must be in a position to provide the President with as many 
lawful options as possible to counter cyber-threats, and the executive 
branch must have the appropriate authorities, policies, and procedures 
for covert cyber-activities, including how to react in real time when 
the attack comes at the speed of light. This all, of course, must be 
subject to very vigilant congressional oversight.
  Uniquely in the world and uniquely in our own history, America's 
economy and government now depend on networked information technologies 
for Americans to communicate with each other, keep the trains running 
on time and the planes flying safely, keep our lights on, and power our 
daily lives.
  The expansion of this powerful new technology across our great 
country also makes us uniquely vulnerable to cyber-threats. We have to 
do a lot better as a nation on cybersecurity. I believe we can do 
better. I know we must do better. Frankly, we cannot afford not to do 
better.
  I hope these remarks and the structure they have provided helps 
provide assistance to my colleagues as we begin debating and resolving 
these important issues.
  I yield the floor. I see my distinguished colleague from Minnesota 
prepared to speak.
  The ACTING PRESIDENT pro tempore. The Senator from Minnesota.

                          ____________________