[Congressional Record Volume 158, Number 103 (Wednesday, July 11, 2012)]
[Senate]
[Pages S4846-S4848]

Cybersecurity

Mr. WHITEHOUSE. Madam President, I rise to speak about cybersecurity, but specifically about the cyber threat to our Nation's critical infrastructure. By critical infrastructure I mean the power grid that supplies electricity to our homes that keeps us warm in the winter and cool in the summer. I mean the financial services' processing systems that connect our ATMs to our accounts and move money around in our complex financial system. I mean the communications networks by which we talk and e-mail and text and message one another. The men and women we have charged with our Nation's defense and we have confirmed in these roles in the Senate have repeatedly and consistently warned us about the danger of cyber attacks on this critical infrastructure. It provides power and light and heat, tracks and records financial transactions, allows communication and data transfer, keeps airlines safe in the air, controls our dams, and enables our commerce. The consequences of failure in these areas could be catastrophic. We must pay heed to these warnings about America's critical infrastructure as we consider cybersecurity legislation. The administration has described this cyber threat in no uncertain terms. The Director of National Intelligence, James Clapper, has stated: [I]t's clear from all that we've said [that] we all recognize we need to do something. . . . We all recognize this as a profound threat to this country, to its future, to its economy, to its very being. Secretary of Defense Leon Panetta has warned: The next Pearl Harbor we confront could very well be a cyber attack. Secretary of Homeland Security Janet Napolitano has compared this threat to the September 11 attacks. Prior to 9/11, there were all kinds of information out there that a catastrophic attack was looming. . . .
The information on a cyberattack is at that same frequency and intensity and is bubbling at the same level, and we should not wait for an attack in order to do something. Attorney General Holder stressed the urgency of responding to this threat in a recent Senate Judiciary Committee hearing. He said: This is a problem that we must address, our nation is otherwise at risk and to ignore this problem, to think it is going to go away runs headlong into all of the intelligence we have gathered, the facts we have been able to accrue which show that the problem is getting worse instead of getting better. There are more countries that are becoming more adept at the use of these tools, there are groups that are becoming more adept at the use of these tools, and the harm that they want to do to the United States and to our infrastructure through these means is extremely real. Chairman of the Joint Chiefs of Staff Martin Dempsey has warned that ``a cyber attack could stop society in its tracks.'' NSA Director and U.S. Cyber Commander GEN Keith Alexander, a four-star general, has stated: We see this as something absolutely vital to the future of our country. Cybersecurity for government and critical infrastructure is key to the security of this Nation. A recent report from the Department of Homeland Security found that companies which operate critical infrastructure have reported a sharp rise in cybersecurity incidents over the past 3 years. Companies reported 198 cyber incidents in 2011, up from 41 incidents in 2010, and just 9 in 2009. This may reflect that the private sector is just now beginning to catch on. It is unfortunate but true that the private sector cannot be counted on to respond to this growing challenge on its own. As Deputy Secretary of Defense Ashton Carter has explained, and I quote again: There is a market failure at work here. . . .
Companies just aren't willing to admit vulnerability to themselves, or publicly to shareholders, in such a way as to support the necessary investments or lead their peers down a certain path of investment and all that would follow. These were administration warnings, but the concerns are bipartisan. A wide range of national security experts from previous Republican administrations have echoed this alarm. Former Director of National Intelligence and NSA Director ADM Mike McConnell has said, and I quote: The United States is fighting a cyber-war today, and we are losing. It's that simple. He explained: As the most wired nation on Earth, we offer the most targets of significance, yet our cyber defenses are woefully lacking. . . . The stakes are enormous. To the extent that the sprawling U.S. economy inhabits a common physical space, it is in our communications networks. If an enemy disrupted our financial and accounting transactions, our equities and bond markets or our retail commerce--or created confusion about the legitimacy of those transactions--chaos would result. Our power grids, air and ground transportation, telecommunications and water filtration systems are in jeopardy as well. That ends the quote from Admiral McConnell. Admiral McConnell also made a comparison to threats from the past. The cyber-war mirrors the nuclear challenge in terms of the potential economic and psychological effects. . . . We prevailed in the Cold War through strong leadership, clear policies, solid alliances and close integration of our diplomatic, economic, and military efforts. We backed all of this up with robust investments--security never comes cheap. It worked, because we had to make it work. Let's do the same with cybersecurity. The time to start was yesterday. Former Deputy Secretary of Defense Paul Wolfowitz has also echoed the administration's warning that a cyber attack has the potential of causing devastation on the scale of another September 11. 
He stated: I hope we do not have to wait for the cyber-equivalent of 9/11 before people realize that we are vulnerable. Former Assistant Secretary for Policy at the Department of Homeland Security Stewart Baker has compared the threat to the catastrophic effects of Hurricane Katrina. We must begin now to protect our critical infrastructure from attack. And so far, we have done little. We are all living in a digital New Orleans. No one really wants to spend the money reinforcing the levees. But the alternative is worse. . . . And it is bearing down on us at speed. Former NSA Director and CIA Director Michael Hayden has said: We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction, and in this case, physical destruction in someone else's critical infrastructure. Former Republican officials have also noted the cybersecurity gap in the private sector due to this market failure. Former Secretary of Homeland Security Chertoff said: The marketplace is likely to fail in allocating the correct amount of investment to manage risk across the breadth of the network on which our society relies. The following examples are emblematic of the market failure that both Democratic and Republican national security officials have identified in this cybersecurity area for critical infrastructure. When the FBI-led National Cyber Investigative Joint Task Force informs an American corporation that it has been hacked, 9 times out of 10 that American corporation had no idea. Kevin Mandia of the leading security firm Mandiant has said, and I quote: In over 90 [percent] of the cases we have responded to, Government notification was required to alert the company that a security breach was underway. In our last 50 incidents, 48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense, or some other third party. 
In operation Aurora, the cyber attack which targeted numerous companies, most prominently Google, only 3 out of the approximately 300 companies [[Page S4847]] attacked were aware that they had been attacked before they were contacted by the government. We cannot count on the private sector to defend itself against a threat about which it is so unaware. An advanced persistent intrusion of the U.S. Chamber of Commerce's systems also went undetected until the chamber received help from the government. The Wall Street Journal reported that a group of hackers in China breached the computer defenses of the U.S. Chamber, gained access to everything stored in its systems, including information about its 3 million members, and remained on the network for at least 6 months and possibly more than a year. The chamber only learned of the break-in, according to the article, when the FBI told the group that servers in China were stealing its information. The special expertise of our national security agencies is a consistent theme through these examples. As former Assistant Attorney General, OLC Director, and Harvard Law School Professor Jack Goldsmith has explained: The government is the only institution with the resources and the incentives to ensure that the [critical infrastructure] on which we all depend is secure, and we must find a way for it to meet its responsibilities. By the way, that was Goldsmith at the Department of Justice in the Bush administration. This is a Republican appointee speaking. These warnings have been repeatedly communicated to us in the Senate. We cannot plead ignorance of them. I ask unanimous consent to have printed in the Record a letter to Senate Majority Leader Reid and Minority Leader McConnell dated January 19, 2012. There being no objection, the material was ordered to be printed in the Record, as follows: January 19, 2012. Hon. Harry Reid, Majority Leader, U.S. Senate, Washington, DC. Hon. Mitch McConnell, Minority Leader, U.S. 
Senate, Washington, DC. Dear Majority Leader Reid and Minority Leader McConnell, We write to urge the Senate to take up, debate, and pass legislation to strengthen our nation's cybersecurity. As former executive branch officials who shared the responsibility for our nation's security, we are deeply concerned by the severity and sophistication of the cyber threats facing our nation. These threats demand a response. Congress must act to ensure that appropriate tools, authorities, and resources are available to the executive branch agencies, as well as private sector entities, that are responsible for our nation's cybersecurity. The Senate is well-prepared to take up legislation in this important national security field, and to do so in a bipartisan manner in the best traditions of the Senate. Every week brings new reports of cyber intrusions into American companies or government agencies, new disclosures of the breach of Americans' private information, or new revelations of incidents of cyber disruption or sabotage. The present cyber risk is shocking and unacceptable. Control system vulnerabilities threaten power plants and the critical infrastructure they support, from dams to hospitals. Reported intrusions into defense contractors and military systems reveal the direct national security cost of cyber attacks. Evaluations of the Night Dragon and Aurora attacks reveal the vulnerability of our most advanced and essential industries to sophisticated hackers. The recent report by the Office of the National Counterintelligence Executive makes clear that foreign states are waging sustained campaigns to gather American intellectual property--the core assets of our innovation economy--through cyber-enabled espionage. The growing threat of terrorist organizations acquiring cyber capabilities and using them against American interests opens another battlefront in cyberspace. 
And every day, Americans' identities are compromised by international criminals who have built online marketplaces for buying and selling Americans' bank account numbers and passwords. This constant barrage of cyber assaults has inflicted severe damage to our national and economic security, as well as to the privacy of individual citizens. The threat is only going to get worse. Inaction is not an acceptable option. Senate committees of jurisdiction have done important, bipartisan work developing legislation to strengthen our nation's cybersecurity. The Administration likewise has weighed in with a set of legislative proposals. The stage thus is set for the Senate to take up cybersecurity legislation. We believe that it can and should undertake this work in keeping with its best, bipartisan traditions, addressing this pressing national security need with the seriousness that it deserves. We urge the Senate to do so in short order: the rewards of increased security for our country, particularly our private sector critical infrastructure, will be rapid and profound. Sincerely, Michael Chertoff. William J. Lynn III. J. Michael McConnell. Richard Clarke. Dr. William J. Perry. Paul Wolfowitz. Jamie Gorelick. Gen. (ret.) James Cartwright, USMC. Mr. WHITEHOUSE. This explains that the threat is only going to get worse; inaction is not an acceptable option. This letter was signed by former Secretary of Homeland Security Michael Chertoff, former Deputy Secretary of Defense Paul Wolfowitz, former Director of National Intelligence and NSA Director ADM Mike McConnell, former Vice Chairman of the Joint Chiefs of Staff General James Cartwright, former Defense Secretary Dr. William Perry, former Deputy Attorney General Jamie Gorelick, former Deputy Secretary of Defense William J. Lynn, III, and former Special Advisor to the President for Cyber Security, Richard Clarke.
I also have a letter written to Majority Leader Reid and Minority Leader McConnell, dated June 6, 2012, which I ask unanimous consent to have printed in the Record. There being no objection, the material was ordered to be printed in the Record, as follows: June 6, 2012. Dear Senators Reid and McConnell, We write to urge you to bring cyber security legislation to the floor as soon as possible. Given the time left in this legislative session and the upcoming election this fall, we are concerned that the window of opportunity to pass legislation that is in our view critically necessary to protect our national and economic security is quickly disappearing. We have spoken a number of times in recent months on the cyber threat--that it is imminent, and that it represents one of the most serious challenges to our national security since the onset of the nuclear age sixty years ago. It appears that this message has been received by many in Congress--and yet we still await conclusive legislative action. We support the areas that have been addressed so far, most recently in the House: the importance of strengthening the security of the federal government's computer networks, investing in cyber research and development, and fostering information sharing about cyber threats and vulnerabilities across government agencies and with the private sector. We urge the Senate to now keep the ball moving forward in these areas by bringing legislation to the floor as soon as possible. In addition, we also feel that protection of our critical infrastructure is essential in order to effectively protect our national and economic security from the growing cyber threat. Infrastructure that controls our electricity, water and sewer, nuclear plants, communications backbone, energy pipelines and financial networks must be required to meet appropriate cyber security standards. 
Where market forces and existing regulations have failed to drive appropriate security, we believe that our government must do what it can to ensure the protection of our critical infrastructure. Performance standards in some cases will be necessary--these standards should be technology neutral, and risk and outcome based. We do not believe that this requires the imposition of detailed security regimes in every instance, but some standards must be minimally required or promoted through the offer of positive incentives such as liability protection and availability of clearances. Various drafts of legislation have attempted to address this important area--the Lieberman/Collins bill having received the most traction until recently. We will not advocate one approach over another--however, we do feel strongly that critical infrastructure protection needs to be addressed in any cyber security legislation. The risk is simply too great considering the reality of our interconnected and interdependent world, and the impact that can result from the failure of even one part of the network across a wide range of physical, economic and social systems. Finally, we have commented previously about the important role that the National Security Agency (NSA) can and does play in the protection of our country against cyber threats. A piece of malware sent from Asia to the United States could take as little as 30 milliseconds to traverse such distance. Preventing and defending against such attacks requires the ability to respond to them in real-time. NSA is the only agency dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies, even before they hit ``send.'' Any legislation passed by Congress should allow the public and private sectors to harness the capabilities of the NSA to protect our critical infrastructure from malicious actors. 
We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time. We do not want to be in the same position again when `cyber 9/11' hits--it is not a question of `whether' this will happen; it is a question of `when.' [[Page S4848]] Therefore we urge you to bring cyber security legislation to the floor as soon as possible. Sincerely, Hon. Michael Chertoff, Hon. J. Mike McConnell, Hon. Paul Wolfowitz, Gen. Michael Hayden, Gen. James Cartwright (RET), Hon. William Lynn III. Mr. WHITEHOUSE. Secretary Chertoff, Admiral McConnell, Deputy Secretary Wolfowitz, General Hayden, and General Cartwright urged us to: . . . bring cyber security legislation to the floor as soon as possible. Given the time left in this legislative session and upcoming election this fall, we are concerned that the window of opportunity to pass legislation that is in our view critically necessary to protect our national and economic security is quickly disappearing. They specifically focused on the threat to critical infrastructure, stating that ``protection of our critical infrastructure is essential in order to effectively protect our national and economic security from the growing cyber threat.'' We must not ignore this chorus of warnings issued by those who are the most informed and most alert about the danger to our critical infrastructure. We must pass cybersecurity legislation, and we must ensure that the cybersecurity legislation we pass addresses our Nation's critical infrastructure. No bill that fails to address critical infrastructure can be said to have done the job of protecting our country. Our Nation will be vulnerable if critical infrastructure companies fail to meet basic security standards, as they do right now. Legislation must include a mechanism to end this continuing vulnerability. 
If operators object to a particular approach to cybersecurity for our critical infrastructure on the basis that it is too burdensome or too unwieldy, they will find many Members of the Senate on both sides--myself and Senator Blumenthal included--who are ready and eager to work with them. But if the purpose of the exercise is to come to an end point in which the operators of our critical infrastructure do not have to reach adequate levels of cybersecurity, then we need to move on and we need to vote and go beyond that. The question of how we get to cybersecurity is one we should engage in the Senate. The question of whether we protect our privately held critical infrastructure in a responsible way is one we should not allow to deter us from getting this job done to protect our national and economic security. Whatever the ultimate solution, we simply must find a way to improve the cybersecurity of our critical infrastructure. I yield the floor to Senator Blumenthal, who has been engaged in efforts with me to try to find a way through to a bipartisan bill that will protect our critical infrastructure. He has expertise in this area as a superbly trained lawyer, a multiply elected Attorney General of his home State, a former marine dedicated to our national security, and as a person who brings the highest level of legal talent to this discussion, having argued, I think, five separate cases before the U.S. Supreme Court. He has been an enormous asset, and I appreciate his participation. I yield the floor. The ACTING PRESIDENT pro tempore. The Senator from Connecticut. Mr. BLUMENTHAL. Madam President, I thank the Senator from Rhode Island, my distinguished colleague, for those very generous remarks. Actually, I had four arguments in the Supreme Court. The rest was similarly exaggerated as to my qualifications. But I thank the Senator from Rhode Island. 
Most importantly, I thank him for his extraordinary work on this issue and for his leadership and vision as well as his courage. I wish to emphasize a number of the points he made so powerfully in his remarks earlier. First and most significantly, the United States is under cyber attack. The question is, How do we respond? It is our national interests that are at stake. Every day this Nation suffers attempted intrusions, attempted interference, and attempted theft of our intellectual property as a result of the ongoing attacks we need to stop, deter, and answer. National security is indistinguishable from cybersecurity. In fact, cybersecurity is a matter of national security and not only so far as our defense capabilities; our actual weapons systems are potentially under attack and interference, but also, as my colleague from Rhode Island said so well, because our critical infrastructure is every day at risk--our facilities in transportation, our financial systems, our utilities that power our great cities and our rural areas and our intellectual property, which is so valuable and which every day is at risk and, in fact, is taken from us wrongfully, at great cost to our Nation. The number and sophistication of cyber attacks has increased dramatically over the past 5 years. All the warnings--bipartisan warnings--say those attacks will continue and will be mounted with increasing intensity. In fact, experts say that with enough time, motivation, and funding, a determined adversary can penetrate nearly any system that is accessible directly from the Internet. The United States today is vulnerable. To take the Pearl Harbor analysis that our Secretary of Defense has drawn so well, we have our ``ships'' sitting unprotected today, as they were at the time of the Pearl Harbor attack. 
Our ships today are not just our vessels in the sea but our institutions sitting in this country and around the world, our critical infrastructure, which is equally vulnerable to sophisticated and unsophisticated hackers. In fact, the threat ranges from the hackers in developing countries--unsophisticated hackers--to foreign agents who want to steal our Nation's secrets, to terrorists who seek ways to disrupt that critical infrastructure. It is not a matter simply of convenience. We are not talking about temporary dislocations, such as the loss of electricity that the Capital area suffered recently or that our States in New England suffered as a result of the recent storms last fall; we are talking about permanent, severe, lasting disruptions and dislocations of our financial and power systems that may be caused by this interference. One international group, for example, accessed a financial company's internal computer network and stole millions of dollars in just 24 hours. Another such criminal group accessed online commercial bank accounts and spread malicious computer viruses that cost our financial institutions nearly $70 million. One company that was recently a victim of intrusion determined it lost 10 years' worth of research and development--valued at $1 billion--virtually overnight. These losses are not just for the shareholders of these companies, they are to all of us who live in the United States because the losses, in many instances, are losses of information to defense companies that produce our weapons, losses of property that has been developed at great cost to them and to our taxpayers. We should all be concerned about such losses.
As Shawn Henry, the Executive Assistant Director of the FBI, has said: ``The cyber threat is an existential one, meaning that a major cyber attack could potentially wipe out whole companies.'' Those threats to our critical infrastructure, as we have heard so powerfully from my colleague from Rhode Island, are widespread and spreading. Industrial control systems, which help control our pipelines, railroads, water treatment facilities, and powerplants, are at an elevated risk of cyber exploitation today--not at some point in the future but today. The FBI warns that a successful cyber attack against an electrical grid ``could cause serious damage to parts of our cities, and ultimately even kill people.'' The Department of Homeland Security said that last year they had received nearly 200 reports of suspected cyber incidents, more than 4 times the number of incidents reported in 2010. In one such incident, more than 100 computers at a nuclear energy firm were infected with a virus that could have been used to take complete control of that company's system. These reports, these warnings, go on. In summary, the Director of the FBI said it best: ``We are losing data, we are losing money, we are losing ideas, and we are losing innovation.'' Those threats are existential to our Nation, and we must address them now--not simply as a luxury, not as a possibility but as a need now. [[Page S4849]] I thank the Senator from Rhode Island, as well as my distinguished fellow Senator from Connecticut, Joseph Lieberman, and others on the other side, such as Senators McCain, Collins, Graham, and Chambliss, as well as other colleagues on this side, for their leadership in this area. They have started this effort with great dedication. There has been substantial work done already. No one here has ignored this threat. We must move forward for the sake of our Nation's security. Our cybersecurity must be addressed as soon as possible.
Cybersecurity is not an issue we can wait to address until we see the results of failure. The consequences of a debilitating attack would be catastrophic to our Nation. I hope we can continue to fill the consensus, which the Senator from Rhode Island has been working to do, with other colleagues, so we can come together, as he said--not whether but how--and do it in a bipartisan way. This issue has elicited, very commendably and impressively, colleagues from both sides who have been working on this issue with dedication and diligence. I hope the body as a whole will match the vigor that is appropriate. Again, I thank the Senator from Rhode Island. Part of our challenge will be to elicit better agency coordination. If the Senator from Rhode Island wishes to comment further, I hope perhaps he can respond to the question of how soon we should come together and work on this issue. Is it a problem we can delay until the next session or should we try to address it during the coming months of this session before we close? The ACTING PRESIDENT pro tempore. The Senator from Rhode Island. Mr. WHITEHOUSE. Madam President, I am delighted to respond to the Senator in two ways. First, as the Senator so well pointed out, this is not a future threat or a prospective threat that we need to prepare ourselves against; this is an ongoing, current threat. There is a campaign of attacks into our national security infrastructure, into our intellectual property, and into our critical infrastructure, such as the power grids and the communications networks we count on in our daily lives for what we consider the American standard of living here at home. So time is not our friend. As one of the individuals I quoted said--I think Admiral McConnell--the day to get this done was yesterday. So the sooner the better.
We do need to form a consensus in this body, enough to move through the parliamentary obstacles that exist in this body, which allows us to go forward and will allow us to go forward in a way that does something serious about forcing the operators of our critical infrastructure to put in adequate cybersecurity protections. If they have to do it because they have incentives to do it, that is one way of getting there. If they have to do it because there are regulations that demand it, that is another way of getting there. There are different ways of getting there. And as the Senator from Connecticut and I have discussed--and we are actually working together on this--we are open to different ways to get there, but it should be agreed amongst us in the Senate that getting there, getting to the point where America's critical infrastructure is protected from cyber attack as reasonably well as we can should be the nonnegotiable goal. Anything short of that should be seen as failure. There is another thing I wanted to add. The Senator was very generous in his remarks and credentialing of a great number of Senators who have been working very hard. I would also like to single out Senator Coons, who has been very helpful in our efforts. I will stay on our side of the aisle at this point and add in particular Senator Mikulski. Barbara Mikulski serves on the Intelligence Committee. She is keenly aware of the cyber threat. She has taken deep dives into this issue in her role as a cardinal on the Appropriations Committee. She does the appropriations for many of the national security agencies and law enforcement agencies that are deeply involved in this. So when she speaks, she speaks with real authority and she speaks with real impact. Her participation in this effort is extraordinarily helpful, in addition to the efforts of the many Senators whom my colleague singled out as well. With that, I yield the floor. 
I see the Senator from Louisiana is here, and I thank the Senator from Connecticut. Mr. BLUMENTHAL. I thank the Senator and the Chair. The PRESIDING OFFICER (Mr. Franken). The Senator from Louisiana.