To guard against the nation’s increasing vulnerability to cyber attack, a group of Senate Committee leaders introduced bipartisan legislation Tuesday to secure the cyber systems of the essential services that keep our nation running.
The Senators were Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Ranking Member Susan Collins, R-Maine, Commerce Committee Chairman Jay Rockefeller, D-W.Va., Homeland Security and Select Intelligence Committee Chairman Dianne Feinstein, D-Ca.
The Cybersecurity Act of 2012, S. 2105, and the product of three years worth of hearings, consultations, and negotiations, envisions a public-private partnership to secure those systems which if commandeered or destroyed by a cyber attack could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.
The text of Senator Collins’ remarks on the Senate floor follow.
Mr. President, I rise today to introduce with Senator Lieberman, Senator Rockefeller, and Senator Feinstein the Cybersecurity Act of 2012. I am delighted that three Senate chairmen with significant jurisdiction over cybersecurity have come together in this effort. This vital legislation would provide the federal government and the private sector with the tools necessary to protect our most critical infrastructure from growing cyber threats.
Earlier this month, FBI Director Robert Mueller warned that the cyber threat will soon equal or surpass the threat from terrorism. He argued that we should be addressing the cyber threat with the same intensity we have applied to the terrorist threat.
Director of National Intelligence James Clapper made the point even more strongly, describing the cyber threat as a “profound threat to this country, to its future, its economy and its very being.”
These warnings are just the latest in a chorus of warnings from current and former officials. Last November, the director of the Defense Advanced Research Projects Agency or DARPA warned that malicious cyber attacks threaten a growing number of the systems we interact with daily – like the power grid, water treatment plants, and key financial systems.
Similarly, General Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency, warned that the cyber vulnerabilities we face are extraordinary and characterized by “a disturbing trend, from exploitation to disruption to destruction.”
The threat is not just to our national security, but also to our economic well-being. A Norton study last year calculated the cost of global cybercrime at $114 billion annually. When combined with the value of time victims lost due to cybercrime, this figure grows to $388 billion globally, which Norton described as “significantly more” than the global black market in marijuana, cocaine, and heroin combined.
In an op-ed last month titled, “China’s Cyber Thievery Is National Policy-And Must Be Challenged,” former DNI Mike McConnell, former Homeland Security Secretary Michael Chertoff and former Deputy Secretary of Defense William Lynn, noted the ability of cyber terrorists to “cripple” our critical infrastructure, and they sounded an even more urgent alarm about the threat of economic cyber espionage.
Citing an October 2011 report to Congress by the Office of the National Counterintelligence Executive, they warned of the catastrophic impact cyber espionage – particularly espionage pursued by China – could have on our economy and competitiveness. They estimated that the cost “easily means billions of dollars and millions of jobs.” This threat is all the more menacing because it is being pursued by a global competitor seeking to steal the research and development of American firms to undermine our economic leadership.
The evidence of our cybersecurity vulnerability is overwhelming and compels us to act. Since 2005, the Homeland Security Committee has held nine hearings on the cyber threat. In 2010, Chairman Lieberman, Senator Carper, and I introduced our cyber security bill, which was reported by the Committee later the same year. Since last year, we have been working with Chairman Rockefeller to merge our bill with legislation he has championed, which was reported by the Commerce Committee. After incorporating changes based on the feedback of the private sector, our colleagues, and the Administration, we have produced a new version, which we are introducing today.
Some of our colleagues have urged us to focus narrowly on the Federal Information Security Management Act, as well as on federal research and development and improved information sharing. We do need to address these issues – and our bill does.
However, with 85 percent of our nation’s critical infrastructure owned by the private sector, government also has a critical role in ensuring that the most vital parts of our infrastructure – those whose disruption could result in truly catastrophic consequences, such as mass casualties and mass evacuations – meet reasonable, risk-based performance standards.
In an editorial this week, the Washington Post concurred, writing that our “critical systems have remained unprotected. To accept the status quo would be an unacceptable risk to U.S. national security.”
Some of our colleagues are skeptical about the need for any new regulations. I have opposed efforts to expand regulations that would burden our economy. But regulations that are necessary for our national security and that promote – rather than hinder – our economic prosperity strengthen our country.
The risk-based performance requirements in the bill are targeted carefully. They only apply to specific systems or assets – not entire companies – that, if damaged, could reasonably result in mass casualties; mass evacuations; catastrophic economic damage; or a severe degradation of national security. Moreover, the owners of critical infrastructure – not the government – would select and implement the cybersecurity measures the owners determine to be best suited to satisfy the risk-based cybersecurity performance requirements.
The new bill would also:
- Require the Secretary of Homeland Security to select from among existing industry practices and standards, or choose performance requirements proposed by the private sector, unless none of these mitigates the risks identified through public-private collaboration;
- Prohibit the regulation of commercial IT products;
- Use existing requirements and current regulators wherever possible; and
- Allow federal officials to waive the bill’s requirements when existing regulations or security measures are sufficiently robust.
As with our earlier bills, companies in substantial compliance with the performance requirements at the time of a cyber incident would receive liability protection from any punitive damages associated with an incident.
Cybersecurity is vital to our way of life. We cannot afford to wait for a “cyber 9/11” before our taking action on this legislation.