Text: S.Hrg. 112-524 — SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012
(PDF provides a complete and accurate display of this text.)
[Senate Hearing 112-524]
[From the U.S. Government Publishing Office]
S. Hrg. 112-524
SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FEBRUARY 16, 2012
Available via the World Wide Web: http://www.fdsys.gov
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
73-673 PDF WASHINGTON : 2012
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
MARK BEGICH, Alaska JERRY MORAN, Kansas
Michael L. Alexander, Staff Director
Mary Beth Schultz, Associate Staff Director and Chief Counsel
for Homeland Security Preparedness and Response
Jeffrey E. Greene, Senior Counsel
Jeffrey D. Ratner, Counsel
Matthew R. Grote, Professional Staff Member
Nicholas A. Rossi, Minority Staff Director
Brendan P. Shields, Minority Director of Homeland Security Policy
Denise F. Zheng, Minority Professional Member
Trina Driessnack Tyrer, Chief Clerk
Patricia R. Hogan, Publications Clerk
Laura W. Kilbride, Hearing Clerk
C O N T E N T S
Senator Lieberman............................................ 1
Senator Collins.............................................. 4
Senator McCain............................................... 19
Senator Moran................................................ 22
Senator Pryor................................................ 24
Senator Carper............................................... 26
Senator Levin................................................ 28
Senator Johnson.............................................. 30
Senator Akaka................................................ 45
Senator Lieberman............................................ 49
Senator Collins.............................................. 52
Senator Akaka................................................ 54
Senator Carper............................................... 55
Senator McCain with an attached letter....................... 57
Thursday, February 16, 2012
Hon. John D. Rockefeller IV, a U.S. Senator from the State of
West Virginia.................................................. 6
Hon. Dianne Feinstein, a U.S. Senator from the State of
Hon. Janet A. Napolitano, Secretary, U.S. Department of Homeland
Hon. Thomas J. Ridge, Chairman, National Security Task Force,
U.S. Chamber of Commerce....................................... 33
Hon. Stewart A. Baker, Partner, Steptoe and Johnson LLP.......... 38
James A. Lewis, Ph.D., Director and Senior Fellow, Technology and
Public Policy Program, Center for Strategic and International
Scott Charney, Corporate Vice President, Trustworthy Computing
Group, Microsoft Corporation................................... 41
Alphabetical List of Witnesses
Baker, Hon. Stewart A.:
Prepared statement with an attachment........................ 83
Prepared statement........................................... 99
Feinstein, Hon. Dianne:
Prepared statement........................................... 67
Lewis, Ph.D., James A.:
Prepared statement........................................... 92
Napolitano, Hon. Janet A.:
Prepared statement........................................... 71
Ridge, Hon. Thomas J.:
Prepared statement........................................... 78
Rockefeller IV, Hon. John D.:
Prepared statement........................................... 63
Hon. Michael Chertoff, Co-Founder and Managing Principal of the
Chertoff Group; Former Secretary of the U.S. Department of
Homeland Security, prepared statement.......................... 108
Responses to post-hearing questions for the Record from:
Secretary Napolitano with attachments........................ 113
Mr. Ridge.................................................... 274
Mr. Baker.................................................... 276
Mr. Lewis.................................................... 278
Mr. Charney.................................................. 280
SECURING AMERICA'S FUTURE: THE CYBERSECURITY ACT OF 2012
THURSDAY, FEBRUARY 16, 2012
Committee on Homeland Security and
The Committee met, pursuant to notice, at 2:32 p.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman, Levin, Akaka, Carper, Pryor,
Landrieu, Collins, Brown, McCain, Johnson, and Moran.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. The hearing will come to order. Senator
Collins is on her way. I just saw Senator McCain and Governor
Janet Napolitano together, and it seems to me, with the two of
you here, I cannot hesitate to offer my congratulations on the
centennial celebration of the great State of Arizona. Hear,
Senator McCain. I was there at the time. [Laughter.]
Chairman Lieberman. You look very well for your age.
This is, in fact, the 10th hearing our Committee has held
on cybersecurity, and I hope it is the last before the
comprehensive cybersecurity bill before us today is enacted
The fact is that time is not on our side.
To me it feels like September 10, 2001, and the question is
whether we will act to prevent a cyber 9/11 before it happens
instead of reacting after it happens.
The reason for this legislation is based on fact. Every
day, rival nations, terrorist groups, criminal syndicates, and
individual hackers probe the weaknesses in our most critical
computer networks, seeking to steal government and industrial
secrets or to plant cyber agents in the cyber systems that
control our most critical infrastructure and would enable an
enemy, for example, to seize control of a city's electric grid,
water supply system, our Nation's financial system, or mass
transit networks with the touch of a key from a world away.
The current ongoing and growing cyber threat not only
threatens our security here at home, but it is right now having
a very damaging impact on our economic prosperity because
extremely valuable intellectual property is being stolen
regularly through cyber exploitation by individuals, groups,
and countries abroad and is then being replicated without the
initial cost of research done by American companies, meaning
that jobs are being created abroad that would otherwise be
So when we talk about cybersecurity, there is a natural way
in which people focus on the very real danger that an enemy
will attack us through cyberspace, but as we think about how to
grow our economy again and create jobs again, I have come to
the conclusion this is actually one of the most important
things we can do to protect the treasures of America's
intellectual innovation from being stolen by competitors
Last year, a very distinguished group of security experts,
led by former Department of Homeland Security (DHS) Secretary
Michael Chertoff and former Defense Secretary William Perry,
going across both parties, issued a stark warning:
``The constant assault of cyber assaults has inflicted
severe damage to our national and economic security, as well as
to the property of individual citizens. The threat is only
going to get worse. Inaction is not an acceptable action.'' I
The bill before us today is the product of hard work across
both party lines and Committee jurisdictional lines. I
particularly want to thank my colleagues Senator Collins and
Commerce Chairman Jay Rockefeller and Intelligence Committee
Chairman Dianne Feinstein for all their hard and cooperative
work in getting us to this point. We are going to be privileged
to hear from all three of them shortly.
I also want to thank Senator Carper, who is not here yet,
for his significant leadership contributions to this effort.
And I want to thank the witnesses who are here. We have
chosen the witnesses deliberately because they hold differing
points of view on the problem and on the legislation we have
crafted and the challenges we face, and we look forward to
So the Cybersecurity Act of 2012 does several important
things to beef up our defenses in the new battleground of
First, it ensures that the cyber systems that control our
most critical, privately owned and operated infrastructure are
secure, and that is the key here. Privately owned and operated
cyber infrastructure can well be--probably someday will be--the
target of an enemy attack. Today it is the target of economic
exploitation, and we have to work together with the private
sector to better secure those systems, both for their own
defense and for our national defense.
In this bill, the systems that will be asked to meet
standards are defined as those that, if brought down or
commandeered, would lead to mass casualties, evacuations of
major population centers, the collapse of financial markets, or
significant degradation of our national security. So this is a
tight and high standard. After identifying the systems that
meet those standards, the Secretary of the Department of
Homeland Security under the legislation would then work with
the private sector operators of the systems to develop
cybersecurity performance requirements.
Owners of the privately operated cyber systems covered
would have the flexibility to meet the performance requirements
with whatever hardware or software they choose, so long as it
achieves the required level of security. The Department of
Homeland Security will not be picking technological winners or
losers, and in my opinion, there is nothing in the bill that
would stifle innovation. In fact, a letter from Cisco Systems
and Oracle, two of our most prominent information technology
(IT) companies, concludes that this legislation, ``includes a
number of tools that will enhance the Nation's cybersecurity
without interfering with the innovation and development
processes of the American IT industry.''
If a company can show under our legislation to the
Department of Homeland Security that it already has high
cybersecurity standards met, then it will be exempt from
further requirements under this law. Failure to meet the
standards will result in civil penalties that will be proposed
by the Department during a standard rulemaking and comment
The bill also creates a streamlined and efficient cyber
organization within DHS that will work with existing Federal
regulators and the private sector to ensure that no rules or
regulations are put in place that either duplicate or are in
conflict with existing requirements.
The bill, importantly, also establishes mechanisms for
information sharing between the private sector and the Federal
Government and among the private sector operators themselves.
This is important because computer security experts need to be
able to compare notes in order to protect us from this threat.
But the bill also creates security measures and oversight to
protect privacy and preserve civil liberties. In fact, the
American Civil Liberties Union (ACLU) has reviewed our bill and
says that it offers the greatest privacy protections of any
cybersecurity legislation that has yet been proposed.
I am going to skip over some of the other things the bill
does and just go to mention that the process by which we
reached this legislative proposal was very inclusive. We not
only worked across Committee lines, but reached out to people
in business, academics, civil liberties and privacy and
security experts for advice on many of the difficult issues
that any meaningful piece of cybersecurity legislation would
need to address. I can tell you that literally hundreds of
changes have been made to this bill as a result of their input,
and we think finally we have struck the right balance.
I do want to describe briefly or mention some things that
are not in this bill. First and foremost, this bill does not
contain a so-called kill switch that would allow the President
to seize or control part of or all of the Internet in a
national crisis. It is not there.
Senator Collins. It never was.
Chairman Lieberman. It never was. Thank you, Senator
Collins. But we put an exclamation point by dropping a section,
frankly, that people thought included a kill switch. It just
was not worth it because of the urgent need for this bill.
There is also nothing in this bill that touches on the
balance between intellectual property and free speech that so
aroused public opinion over the proposed Stop Online Privacy
Act (SOPA) and the Protect IP Act (PIPA) and has left many
Members of Congress with scars or at least a kind of post-
traumatic stress syndrome since that happened.
So, in fact, this is not the ultimate verification of my
assertion that there is nothing here anywhere like what
concerned people in SOPA or PIPA, but I note with gratitude
that one of our witnesses, Stewart Baker, was a leading
opponent of SOPA but is testifying today in favor of our bill.
After the Cybersecurity Act of 2012 becomes law, the
average Internet user will go about using the Internet just as
they do today. But hopefully as a result of the law and
outreach pursuant to it, they will be far better equipped to
protect their own privacy and resources from cyber attack.
The bottom line, a lot of people have worked very hard to
come so far and in a very bipartisan way to face a real and
present danger to our country that we simply cannot allow this
moment to slip away from us. I feel very strongly that we need
to act now to defend America's cyberspace as a matter of
national and economic security.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you, Mr. Chairman.
Mr. Chairman, let me first applaud you for your leadership
in this very important issue, as well as the leadership of our
two lead-off witnesses, Senator Rockefeller and Senator
Feinstein, who contributed so much to this issue and this bill.
And I personally thank you for holding this important hearing
After the 9/11 attacks, we learned of many early warnings
that went unheeded, including a Federal Bureau of Investigation
(FBI) agent, who warned that one day people would die because
of the ``wall'' that kept law enforcement and intelligence
agencies apart. When a major cyber attack occurs, the ignored
warnings will be even more glaring because our Nation's
vulnerability has already been demonstrated by the daily
attempts by nation states, terrorists groups, cyber criminals,
and hackers to penetrate our systems.
The warnings of our vulnerability to a major cyber attack
come from all directions and countless experts, and they are
underscored by the intrusions that have already occurred.
Earlier this month, the FBI Director warned that the cyber
threat will soon equal or surpass the threat from terrorism. He
argued that we should be addressing the cyber threat with the
same intensity that we have applied to the terrorist threat.
Director of National Intelligence (DNI) James Clapper made
the point even more strongly, describing the cyber threat as a
``profound threat to this country, to its future, its economy,
its very well-being.''
In November, the Director of the Defense Advanced Research
Projects Agency (DARPA) warned that malicious cyber attacks
threaten a growing number of the systems with which we interact
every day--the electric grid, water treatment plants, and key
Similarly, General Keith Alexander, the Commander of U.S.
Cyber Command and the Director of the National Security Agency
(NSA), has warned that our cyber vulnerabilities are
extraordinary and characterized by ``a disturbing trend, from
exploitation to disruption to destruction.''
These statements are just the latest in a chorus of
warnings from current and former officials, and the threat, as
the Chairman has pointed out, is not just to our national
security but also to our economic well-being. A Norton study
last year calculated the cost of global cyber crime at $114
billion annually. When combined with the value of time victims
lost due to cyber crime, this figure grows to $388 billion.
Norton described this as ``significantly more'' than the global
black market in marijuana, cocaine, and heroin combined.
In an op-ed last month entitled, ``China's Cyber Thievery
Is National Policy--And Must Be Challenged,'' former DNI Mitch
McConnell, former Homeland Security Secretary Michael Chertoff,
and former Deputy Secretary of Defense William Lynn noted the
ability of cyber terrorists to ``cripple'' our critical
infrastructure. They sounded an even more urgent alarm about
the threat of economic cyber espionage.
Citing an October 2011 report by the Office of the National
Counterintelligence Executive, these experts warned of the
catastrophic impact that cyber espionage--particularly that
pursued by China--could have on our economy and
competitiveness. They estimated that the cost ``easily means
billions of dollars and millions of jobs.''
This threat is all the more menacing because it is being
pursued by a global competitor seeking to steal the research
and development of American firms to undermine our economic
The evidence of our cybersecurity vulnerability is
overwhelming. It compels us to act now. Some Members have
called for yet more studies, even more hearings, and additional
markups. In other words, more delay. The fact is, since 2005,
our Committee alone has held 10 hearings on the cyber threat,
including today's hearing. I know that the Commerce and the
Intelligence Committees have held many more. In 2011, Chairman
Lieberman, Senator Carper, and I introduced our cybersecurity
bill, which was reported out by this Committee later that same
year. Since last year, we have been working with Chairman
Rockefeller to merge our bill with legislation that he
championed, which was reported by the Commerce Committee.
Senator Feinstein has done ground-breaking work on information
sharing, which she has been kind enough to share with this
Committee, as well.
After incorporating changes based on the feedback from the
private sector, our colleagues, and the Administration, we have
produced a refined version, which is the subject of today's
hearing. And it is significant that three Senate chairmen with
jurisdiction over cybersecurity have come together on these
issues. And each day that we fail to act, the threat increases
to our national and economic security.
Now, other colleagues of ours have urged us to focus
narrowly on the Federal Information Security Management Act
(FISMA), as well as on Federal research and development (R&D)
and improved information sharing. We do need to address these
issues, and our bill does just that.
However, with 85 percent of our Nation's critical
infrastructure owned by the private sector, the government also
has a critical role to play in ensuring that the most vital
parts of that infrastructure--those whose disruption could
result in truly catastrophic consequences--meet reasonable,
risk-based performance standards.
In an editorial this week, the Washington Post concurred,
writing that our ``critical systems have remained
Some of our colleagues are skeptical about the need for any
new regulations. I have opposed efforts to expand regulations
that would burden our economy. But regulations that are
necessary for our national security and that promote--rather
than hinder--our economic prosperity strengthen our country.
They are in an entirely different category.
The fact is the risk-based performance requirements in our
bill are targeted carefully. They apply only to specific
systems and assets, not entire companies, which if damaged
could result reasonably in mass casualties, mass evacuations,
catastrophic economic damages, or a severe degradation of our
national security. In fact, some of the witnesses think that we
have gone too far in that direction.
Senator Lieberman has described much of what the bill
contains, so I will not repeat that in the interest of time.
Let me just say that this bill is urgent. We cannot wait to
act. We cannot wait until our country has a catastrophic cyber
attack. And it would be irresponsible of Congress not to pass
legislation due to turf battles or due to claims by some
businesses that we are somehow harming our economy. In fact,
what we are doing is protecting our economy and our way of
Thank you, Mr. Chairman.
Chairman Lieberman. Thank you, Senator Collins, for that
very strong statement. I agree with you. I would just correct
one part. You said how pleased you were that three committee
chairs with jurisdiction have come together on the bill. Since
I consider you the Co-Chairman of this Committee, I would say
it was four.
Senator Collins. Thank you.
Chairman Lieberman. And I appreciate very much your
contribution to this effort.
We are really grateful to have Senator Rockefeller and
Senator Feinstein here. Again, I cannot thank you enough for
the work that we have done together. I think it is a very
powerful statement that we agreed on a consensus bill, and I
hope it enables us to move it through the Senate.
I know the Majority Leader is really concerned about the
threat and is committed to giving this bill time on the floor
as soon as possible.
Senator Rockefeller, we welcome your testimony now.
TESTIMONY OF HON. JOHN D. ROCKEFELLER IV,\1\ A U.S. SENATOR
FROM THE STATE OF WEST VIRGINIA
Senator Rockefeller. Thank you, Chairman Lieberman and
Senator Collins. And you are quite right about that--I think
Senator Harry Reid wants this on the floor as soon as possible.
And, frankly, the thing that scares me more than anything is
the fact that we have had so many hearings, and yet that was
necessary to get to the agreements that we have all come to.
And they are solid now, they are rock solid. But we still have
to find the floor time for it. This is not going to be an easy
time to do that, so the pressure on this Congress, on both the
House and the Senate, to come through on this in the face of
all of this danger, this is huge, and not yet guaranteed.
\1\ The prepared statement of Senator Rockefeller appears in the
Appendix on page 63.
I think our government needs a lead civilian agency to
coordinate our civilian cybersecurity efforts, and that agency
should, of course, be the Department of Homeland Security under
the superb leadership of Secretary Napolitano.
I want to emphasize that our bill represents the expertise
and hard work, as both of you have said, of three Senate
committees, and that is as it should be.
We have eagerly sought, as you mentioned, Senator
Lieberman--and have received--constructive criticism and input
from a whole lot of places. I can remember giving a speech, I
think 2 years ago, to a business group, presenting ideas that
Olympia Snowe and I had for this, and they were just surprised
to hear that somebody was willing to listen to their
complaints. And there were a lot of them.
Even when people refused to engage with us--and there have
been those, even within the Senate, who refuse to have staff
discussion, but that does not mean that we do not take some of
their suggestions. We have done that because if they do not
want to engage, that is OK. If they have good suggestions, then
put them in and make it a stronger bill.
Beyond this bill's principal authors--Senators Lieberman,
Collins, Dianne Feinstein and myself--the bill reflects the
input, assistance, or requests of Senators on both sides of the
aisle, as it should be, which gives me hope for final passage.
Senator Olympia Snowe was my co-author of the bill that the
Commerce Committee reported out last year, as you know. Senator
Carper was a co-author of the Lieberman-Collins bill. Both have
left major imprints on this bill.
Senator Kay Bailey Hutchison and her staff worked with us
for a good part of the past 2 years. She is my ranking member
and absolutely superb--I call her ``Co-Chair,'' too,
incidentally--and we have tried hard to address all of her
specific concerns. And I think that we have, in fact, met most
of her concerns.
We have sought to engage Senator Saxby Chambliss and before
him, Senator Kit Bond, in the same fashion. There was some
reluctance at some point to discuss, or have staff discussions.
It did not make any difference. We were interested in what they
had, and if it was something good in what they had, we put it
in the bill. We wanted it in the bill. And then it had to pass
future tests as we combined all the efforts.
Senators Jon Kyl and Sheldon Whitehouse contributed an
entire title regarding cybersecurity awareness. Senators John
Kerry, Dick Lugar, Kirsten Gillibrand, and Orrin Hatch did the
same on the title regarding diplomacy.
Because of Senator McCain's concerns, we omitted
significant language pertaining to the White House Cyber
When colleagues had ongoing questions about a provision
that I personally believed to be extremely important, I agreed
to drop it from the base bill. This provision that I am talking
about would clarify private sector companies' existing
requirements regarding what ``material risks'' pertaining to
cyber have to be disclosed to investors in the Securities and
Exchange Commission (SEC) filings because, as you know, at one
point out of frustration I went to the SEC and Mary Schapiro
agreed to claify that if you are hacked into as a company, it
must be disclosed on the Web site of that company at SEC, and
that has had a substantial impact, actually.
I believe this provision is absolutely crucial for the
market to help solve our cyber vulnerabilities and will fight
for it as an amendment on the floor. And that is as it should
be. That is the way the system works. But in the interest of
providing more time to address colleagues' questions, I agreed
to take it out of the bill that we introduced this week.
Any suggestion that this exhaustive process has been
anything but open and transparent is patently false. This has
been a really open process--and lengthy, as has been pointed
Why have we worked so tirelessly to include the views of
all sides? Why have we tried so hard to get this right?
Because our country and our communities and our citizens
are at grave risk. They simply are. I am not sure if they are
aware because there are so many things that are reported in a
news cycle that it almost diminishes the overall aggregated
weight of the danger. So our citizens have to be aware of this.
This is not a Republican or Democrat issue. It is a life-or-
death issue for the economy and for us as people.
I want to be clear: The cyber threat is very real fact.
This is not alarmism. Here is why. It is hard to talk about
this sometimes without seeming alarmist, and yet it simply
reflects the truth.
Hackers supported by the governments of China and Russia,
and also sophisticated criminal syndicates with potential
connections to terrorist groups, are now able to crack the
codes of our government agencies, including sensitive ones, and
the Fortune 500. They can do that, and they do that on a
Senator Collins mentioned what Michael Mullen said, and she
pointed out that we are being looted of valuable possessions on
an unfathomable scale. But that is not the end of the problem.
The reason that this cyber theft is a life-or-death issue
is the same as the reason that a burglar in your house is a
life-or-death issue. If a criminal has broken into your home,
how do you know what he wants to do? Is it take your belongings
or is it something more? You do not know. He is in the
building, in your home. That is where we are now in terms of
So that is the situation we face. Cyber burglars have
broken in. Mike Mullen has said exactly what Senator Collins
indicated, that the only other threat on the same level to
cyber threat is Russia's stockpile of nuclear weapons.
I remember the first thing after 9/11 we had to pass,
sadly, pathetically, was a law saying that the Central
Intelligence Agency (CIA) and the FBI could talk to each other.
I mean, how pathetic could that be? But that is where we were
because of stovepipes and things of that sort. FBI Director
Robert Mueller testified to Congress recently that the cyber
threat will soon overcome terrorism as his top national
security emphasis. So it is all very serious, and you cannot
exaggerate it, and it could happen.
So then you think about how people could die if a cyber
terrorist attacked our air traffic control system. And I was
talking with Secretary Napolitano just before this hearing.
Often over big cities it gets very soupy. Pilots do not like to
be in soupy weather. They cannot see above, they cannot see
below. Pilots do not like it. But they are protected because of
the air traffic control system. We are going to put in a more
modern one, but the same situation will prevail. Cyber hackers
can take that out of a city or a group of cities. They can take
out that capacity so that planes are literally flying in the
dark, and they will fly into each other and kill a lot of
people. And people have to understand that.
If rail switching networks are hacked, causing trains which
carry toxic materials, deadly materials through our major
cities, to crash, and there can be a massive explosion from
So we are on the brink of very serious happenings. We have
not reached that, which is one of our problems in getting
legislation passed. But we can act now and try and prepare
Let me just close by saying that I was on the Intelligence
Committee during the time leading up to 2011, and the world was
rife with reports of people coming in and going out of our
country, dots here and there that appeared to be connected but
we were not quite sure. And what about this Moussaoui thing?
And what about folks in that house in San Diego? And all of
that was up there. What about the closing down of the bin Laden
unit or a message that never got to the bin Laden unit? I mean,
all of that was there, and we knew all of that, and the
national security apparatus was working very hard on that. And
they took it seriously, but they did not get deep enough
because it was a new phenomenon.
Well, here we are in a very similar situation. It is
already with us. It is much more obvious than the lead-up to
2001 was. And so we now have to act. We do not have the luxury
of waiting to see and develop. We have to act. At some point
the Congress has to assert itself. The Federal Government does
have roles where this is not a heavy-handed thing, as Senator
Collins has pointed out. It is not. But the Federal Government
is involved because it is a matter of national security. And so
I just wait to work with everybody and anybody to get this
passed through both Houses of the U.S. Congress.
Chairman Lieberman. Thanks very much, Senator Rockefeller.
That was great.
Chairman Feinstein, welcome, and thank you again. You
contributed immensely, particularly on the information-sharing
section of the bill, and you bring all the expertise and
intelligence of the Senate Committee on Intelligence.
TESTIMONY OF HON. DIANNE FEINSTEIN,\1\ A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Senator Feinstein. Thank you very much. Thank you, Mr.
Chairman, Senator Collins, and Senator Landrieu.
\1\ The prepared statement of Senator Feinstein appears in the
Appendix on page 67.
I look at this as quite a banner day because finally the
Senate is coming together, and we are settling on one bill.
This is the bill, and if it needs improving, we will improve
it. But we have a focus now, and with a focus we can hopefully
To this Committee and to Senator Rockefeller's committee, I
want to thank you for your hard work, for the dozen hearings
you have held, and for all the offers for consultation that you
have placed out there to us.
Let me speak for a moment on behalf of what I do in the
Intelligence Committee. We have examined cyber threats to our
national and economic security, and just last month, at the
Worldwide Threats Hearing, which was an open hearing, we heard
FBI Director Bob Mueller testify that ``the cyber threat, which
cuts across all programs, will be the number one threat to the
country.'' And already cyber threats are doing great damage to
the United States, and the trend is getting worse.
Let me give you just four examples, and what is interesting
is many of us know about these when they happen, but they are
often classified or kept private because the people that they
happen to do not want it released because their clients will
think badly of them. And, of course, it is not their fault,
I think it is fair to say that the Pentagon's networks are
being probed thousands of times daily, and its classified
military computer networks suffered a ``significant
compromise'' in 2008, and that is according to former Deputy
Defense Secretary William Lynn.
In November 2009, the Department of Justice (DOJ) charged
seven defendants from Estonia, Russia, and Moldova with hacking
into the Royal Bank of Scotland and stealing $9 million from
more than 2,100 ATMs in 280 cities worldwide in 12 hours.
In 2009, Federal officials indicted three men for stealing
data from more than 130 million credit cards by hacking into
five major companies' computer systems, including 7-Eleven,
Heartland Payment Systems, and the Hannaford Brothers
Finally, an unclassified report by the intelligence
community in November 2011 said cyber intrusions against U.S.
companies cost untold billions of dollars annually, and that
report named China and Russia as aggressive and persistent
Modern warfare is already employing cyber attacks, as seen
in Estonia and the Republic of Georgia. And, unfortunately, it
may only be a matter of time before we see cyber attacks that
can cause catastrophic loss of life in the United States,
whether by terrorists or state adversaries.
Our enemies are constantly on the offensive, and in the
cyber domain, it is much harder for us to play defense than it
is for them to attack. The hard question is: What do we do
about this dangerous and growing cyber threat?
I believe the comprehensive bill that has been introduced--
the Cybersecurity Act of 2012--is an essential part of the
Mr. Chairman, I would like to speak briefly on the
cybersecurity information-sharing bill that I introduced on
Monday and that you have included as Title VII in your
The goal of this bill is to improve the ability of the
private sector and the government to share information on cyber
threats that both need to improve their defenses.
However, a combination of existing law, the threat of
litigation, and standard business practices has prevented or
deterred private sector companies from sharing information
about the cyber threats they face and the losses of information
and money they suffer. We need to change that through better
information sharing, in a way that companies will use, that
protects privacy interests, and that takes advantage of
classified information without putting that information at
risk. So here is what we have tried to do in Title VII:
One, affirmatively provide private sector companies the
authority to monitor and protect the information on their own
Two, encourage private companies to share information about
cyber threats with each other by providing a good-faith defense
against lawsuits for sharing or using that information to
Three, require the Federal Government to designate a single
focal point for cybersecurity information sharing. We refer to
this as a ``Cybersecurity Exchange,'' to serve as a hub for
appropriately distributing and exchanging cyber threat
information between the private sector and the government. This
is intended to reduce government bureaucracy and make the
government a more effective partner in the private sector, but
with protections to ensure that private information is not
misused. Also, this legislation provides no new authority for
Four, we establish procedures for the government to share
classified cybersecurity threat information with private
companies that can effectively use and protect that
information. This, we believe, is a prudent way to take
advantage of the information that the intelligence community
acquires, without putting our sources and methods at risk, or
turning private cybersecurity over to our intelligence
I would like to raise just one issue of something that is
not yet included in this bill, and that is data breach
This is an issue I have worked on for over 8 years, since
California had a huge data breach that we only inadvertently
found out about that had literally hundreds of thousands of
victims. It is an urgent need. I have a bill called the Data
Breach Notification Act. It has been voted out of the Judiciary
Committee, and it accomplishes what in my view are the key
goals of any data breach notification legislation:
One, notice to individuals, who will be better able to
protect themselves from identity theft;
Two, notice to law enforcement, which can connect the dots
between breaches and cyber attacks;
And, three--and this is important--preemption of the 47
different State and territorial standards on this issue. This
is a real problem. We have 47 different laws on this issue in
this country. It makes it very difficult for the private
sector. Companies will not be subjected to conflicting
regulation if there is one basic standard across the country.
I know that Senators Rockefeller and Pryor have a bill in
the Commerce Committee and that Senators Patrick Leahy and
Richard Blumenthal have their own bills that also were reported
out of the Judiciary Committee.
But the differences in our approaches are not so great that
we cannot work them out, and I am very prepared to sit down
with Members of this Committee, with Senator Rockefeller, and
others to find a common solution. But Mr. Chairman, I would
really implore you to add a data breach preemption across the
United States so that there is one standard for notification to
an individual of data breach, and communication with law
enforcement that goes all across America. Until we have that,
we really will not have a sound data breach system.
Let me just thank you. I think we are on our way. I am
really so proud of both of you on this Committee for coming
together, and I think it is a banner day. So thank you very
Chairman Lieberman. Thanks very much, Senator Feinstein. We
could not have done it without you. Thanks for your testimony,
and I am personally very supportive of your aims with the data
breach proposal, and I look forward to working with you and, as
you say, the others who have bills to see if we cannot find a
way to include that in this proposal when it comes to the
Senator Feinstein. Thank you very much.
Chairman Lieberman. Thank you very much.
And now, Madam Secretary, I hate to break up a conversation
between the current Secretary and the first Secretary, but--we
almost had the trifecta of the three Secretaries of the
Department of Homeland Security here today. Secretary Chertoff
wanted to testify, but had a previous commitment, and has, I
will say, filed a statement for the record strongly in support
of the legislation.\1\
\1\ The prepared statement of Secretary Chertoff appears in the
Appendix on page 108.
Secretary Napolitano, thanks very much for being here and
for all the work you and people in the Department have done to
help us come to this point with this bill. We welcome your
TESTIMONY OF HON. JANET A. NAPOLITANO,\2\ SECRETARY, U.S.
DEPARTMENT OF HOMELAND SECURITY
Secretary Napolitano. Well, thank you, Chairman Lieberman,
Senator Collins, and Members of the Committee. I am pleased to
be here today to discuss the issue of cybersecurity and, in
particular, the Department's strong support for the
Cybersecurity Act of 2012.
\2\ The prepared statement of Secretary Napolitano appears in the
Appendix on page 71.
I appreciate this Committee's support of the Department's
cybersecurity efforts. Your sustained attention to this issue
and the leadership you have shown in bringing a bill forward to
strengthen and improve our cybersecurity authorities. I also
appreciate and want to emphasize the urgency of the situation.
Indeed, the contrast between the urgent need to respond to
the threats we face in this area on the one hand and the
professed desire for more deliberation and sensitivity to
regulatory burdens on the other reminds me, as several of you
have suggested, of lessons we learned from the 9/11 attacks. As
the 9/11 Commission noted, those attacks resulted, in
hindsight, from a failure of imagination because we failed to
anticipate the vulnerabilities of our security infrastructure.
There is no failure of imagination when it comes to
cybersecurity. We can see the vulnerabilities. We are
experiencing the attacks, and we know that this legislation
would materially improve our ability to address the threat.
No country, industry, community, or individual is immune to
cyber risks. Our daily life, economic vitality, and national
security depend on cyberspace. A vast array of interdependent
IT networks, systems, services, and resources are critical to
communication, travel, powering our homes, running our economy,
and obtaining government services.
Cyber incidents have increased dramatically over the last
decade. There have been instances of theft and compromise of
sensitive information from both government and private sector
networks, and all of this undermines confidence in these
systems and the integrity of the data they contain.
Combating evolving cyber threats is a shared responsibility
that requires the engagement of our entire society, from
government and law enforcement to the private sector and, most
importantly, with members of the public. DHS plays a key role
in this effort, both in protecting Federal networks and working
with owners and operators of critical infrastructure to secure
their networks through risk assessment, mitigation, and
incident response capabilities.
In fiscal year 2011, our U.S. Computer Emergency Readiness
Team (US-CERT) teams at DHS received over 106,000 incident
reports from Federal agencies, critical infrastructure, and our
industry partners. We issued over 5,200 actionable cyber alerts
that were used by private sector and government network
administrators to protect their systems. We conducted 78
assessments of control system entities and made recommendations
to companies about how they can improve their own
We distributed 1,150 copies of our cyber evaluation tool.
We conducted over 40 training sessions on them, all of which
makes owners and operators better equipped to protect their
To protect Federal civilian agency networks, we are
deploying technology to detect and block intrusions of these
networks in collaboration with the Department of Defense. We
are providing guidance on what agencies need to do to protect
themselves and are measuring implementation of those efforts.
We are also responsible for coordinating the national
response to significant cyber incidents and for creating and
maintaining a common operational picture for cyberspace across
the entire government.
With respect to critical infrastructure, we work with the
private sector to help secure the key systems upon which
Americans, including the Federal Government, rely, such as the
financial sector, the power grid, water systems, and
We pay particular attention to industrial control systems
which control processes at power plants and transportation
systems alike. Last year, we deployed seven response teams to
such critical infrastructure organizations at their request in
response to important cyber intrusions.
To combat cyber crime, we leverage the skills and resources
of DHS components such as the Secret Service, Immigration and
Customs Enforcement (ICE), and Customs and Border Protection
(CBP), and we work very closely with the FBI.
DHS serves as the focal point for the government's
cybersecurity outreach and public awareness efforts. As we
perform this work, we are mindful that one of our missions is
to ensure that privacy, confidentiality, and civil liberties
are not diminished by our efforts. The Department has
implemented strong privacy and civil rights and civil liberties
standards into all its cybersecurity programs and initiatives
from the outset, and we are pleased to see these in the draft
Now, Administration and private sector reports going back
decades have laid out cybersecurity strategies and highlighted
the need for legal authorities. In addition to other statutes,
the Homeland Security Act of 2002 specifically directed DHS to
enhance the security of non-Federal networks by providing
analysis and warnings, crisis management support, and technical
assistance to State and local governments, and the private
sector. Policy initiatives have had to supplement the existing
statutes. These initiatives strike a common chord. Indeed, this
Administration's Cyberspace Policy Review in 2009 echoed in
large part a similar review by the Bush Administration, and we
have had numerous contributions by private sector groups,
including the Center for Strategic and International Studies
(CSIS) study led by James Lewis, one of your witnesses today.
Still, DHS executes its portion of the Federal
cybersecurity mission under an amalgam of authorities that have
failed to keep up with the responsibilities with which we are
To be sure, we have taken significant steps to protect
against evolving cyber threats, but we must recognize that the
current threat outpaces our existing authorities. Our Nation
cannot improve its ability to defend against cyber threats
unless certain laws that govern cybersecurity activities are
We have had many interactions with this Committee and with
the Congress to provide our perspective on cybersecurity.
Indeed, in the last 2 years, Department representatives have
testified in 16 Committee hearings and provided 161 staff
briefings. We have had much bipartisan agreement. In
particular, many would agree with the House Republican Cyber
Task Force, which stated that, ``Congress should consider
carefully targeted directives for limited regulation of
particular critical infrastructures to advance the protection
The recently introduced legislation contains great
commonality with the Administration's ideas and proposals,
including two crucial concepts that are central to our efforts:
First, addressing the urgent need to bring core critical
infrastructure to a baseline level of security; and, second,
fostering information sharing, which is absolutely key to our
All sides agree that Federal and private networks must be
better protected and that information should be shared more
easily, yet still more securely. And both our proposal and the
Senate legislation would provide DHS with clear statutory
authority commensurate with our cybersecurity responsibilities
and remove legal barriers to the sharing of information.
S. 2105 would expedite the adoption of the best
cybersecurity solutions by the owners and operators of critical
infrastructure and give businesses, States, and local
governments the immunity they need to share information about
cyber threats or incidents. There is broad support as well for
increasing the penalties for cyber crimes and for creating a
uniform data breach reporting regime to protect consumers. This
proposal would make it easier to prosecute cyber criminals and
establish national standards, requiring businesses and core
infrastructure that have suffered an intrusion to notify those
of us who have the responsibility for mitigating and helping
them mitigating it.
I hope that the current legislative debate maintains the
bipartisan tenor it has benefited from so far and builds from
the consensus that spans two Administrations and the
Committee's efforts of the last several years.
Let me close by saying that now is not the time for half
measures. As the Administration has stressed repeatedly,
addressing only a portion of the needs of our cybersecurity
professionals will continue to expose our country to serious
For example, only providing incentives for the private
sector to share more information will not in and of itself
adequately address critical infrastructure vulnerabilities. And
let us not forget that innumerable small businesses rely on
this critical infrastructure for their own survival.
As the President noted in the State of the Union address,
``The American people expect us to secure the country from the
growing danger of cyber threats and to ensure the Nation's
critical infrastructure is protected.'' And as the Secretary of
Homeland Security, I strongly support the proposed legislation
because it addresses the need, the urgency, and the methodology
for protecting our Nation's critical infrastructure. I can
think of no more pressing legislative proposal in the current
I want to thank you again for the important work you have
done, and I look forward to answering the Committee's
Chairman Lieberman. Thanks very much, Madam Secretary.
We will do 6-minute rounds of questions because we have a
large number on the following panel, and I know some people
have to leave.
Madam Secretary, let me get right to one of the issues that
has been somewhat in contention, which is that there are some
people who have said that the expanded authority here,
particularly that related to cyber infrastructure owned and
operated by the private sector, would better be handled by the
Department of Defense (DOD) or the intelligence community. In
other words, they should take the lead in protecting Federal
I wonder if you would respond as to why you think the
Department of Homeland Security, as obviously we do, is better
prepared to take on this critical responsibility.
Secretary Napolitano. Well, several points. First, the
Department of Homeland Security, as I stated, already is
exercising authorities in the civilian area, working with the
private sector, working with Federal civilian agencies. So that
is a space we are already filling and continue to grow our
capacity to fill.
Second, military and civilian authorities and missions are
different, and there are significant differences, for example,
in the privacy protections that we employ within the exercise
of civil jurisdiction.
And then, finally, I would note that both DOD and DHS use
the technological expertise of the NSA. We are not proposing
and have never proposed that two NSAs be created; rather, that
there be two different lines of authority that emanate using
the NSA, one, of course, for civilian, and one for military.
Chairman Lieberman. That is a very important factor. I want
to come back to that in a minute. But one of the opinions
expressed to the Committee as we faced the challenge and
decided which part of our government should be responsible for
responding was that there would probably be very deep and
widespread concern among the public if we, for instance, asked
the National Security Agency or the Department of Defense to be
directly in charge of working with the privately owned and
operated cyber infrastructure. Particularly for NSA, there
would be a concern about privacy and civil liberties concerns.
Does that make sense to you?
Secretary Napolitano. I have heard the same concerns. They
do make sense. And, indeed, when Secretary Robert Gates and I,
by a Memorandum of Understanding, figured out the division of
responsibilities and how we were each going to use the NSA, one
of the things we were careful to elevate was a discussion of
the protections of privacy and civil liberties, and make sure
that, to the extent we have people over at the NSA, they are
accompanied by people from our Office of Privacy, our Office of
General Counsel, to make sure those protections are abided by.
Chairman Lieberman. Right. I am glad you mentioned that
Memorandum of Understanding between the Department of Homeland
Security and DOD because I want to make this point--
incidentally, Senator McCain and I codified that in law, that
Memorandum of Understanding, in the National Defense
Authorization Act that was passed at the end of last year. But
that memorandum, if I can put it this way, does not preempt the
need for this legislation. In other words, that memorandum does
not allocate responsibility with regard to working with the
private sector, having the authority to require the private
sector to take steps to defend themselves and our country from
cyber attack. Is that right?
Secretary Napolitano. That is right, Mr. Chairman. It is a
memorandum that describes the division of how we would each use
the resources of the NSA, but it does not deal with the
protection of core critical infrastructure the way the bill
does. It does not deal with the private sector at all the way
the bill does. It does not deal with information exchange the
way the bill does. So it really was designed to make sure that
at least with respect to how we each use the NSA, we had some
meeting of the minds.
Chairman Lieberman. So there is nothing in your opinion
inconsistent between the Memorandum of Understanding between
DHS and NSA and the Cybersecurity Act of 2012?
Secretary Napolitano. Oh, not at all.
Chairman Lieberman. I am pleased to note for the record
that in testimony earlier this week, Secretary of Defense Leon
Panetta and the Chairman of the Joint Chiefs of Staff General
Martin Dempsey both endorsed this legislation, and then this
morning, before the Armed Services Committee, the Director of
National Intelligence Clapper and General Ronald Burgess, the
head of the Defense Intelligence Agency, also endorsed the
legislation. Both of those expressions of support were
unexpected by Senator Collins and me and, therefore, all the
DHS's Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT) has played a critical role in providing support
to the owners and operators of critical infrastructure. Can you
describe some of their capabilities and the work that they have
done to assist private entities?
Secretary Napolitano. Well, what they have done is to help
isolate and identify--when they have been notified of attacks
on industrial control systems, to help identify the source of
the attack, the methodology with which it was conducted, to
work with the infiltrated entity to prepare a patch, and then
to make appropriate disclosures or sharing of information to
other control systems that could be subject to a similar tack,
either in that particular industry or in other industries.
Chairman Lieberman. So on a voluntary basis, if I can put
it this way, DHS has developed the capability and relationships
at working with the private sector that will be strengthened by
Secretary Napolitano. Yes. Since the passage of the
National Information Infrastructure Protection Act (NIIPA) in
2006, we have been working with critical infrastructure through
their Sector Coordinating Councils. There are a lot of names,
but what it basically means is we have a process in place for
dealing with the private sector and for exchanging some
information on a voluntary basis. But that does not mean we get
all of the necessary information we get from core critical
infrastructure. That is one of the problems the bill address.
Chairman Lieberman. Thanks very much. My time is up.
Senator Collins. Thank you, Mr. Chairman.
Madam Secretary, to follow up on a question that the
Chairman asked you, it is my understanding that DHS has unique
expertise in the area of industrial control systems that is not
replicated at any other government agency. Is that correct?
Secretary Napolitano. Yes.
Senator Collins. And that is important because industrial
control systems are a key part of critical infrastructure, like
the electric grid and water treatment plants. Is that also
Secretary Napolitano. Yes, and when you think about it, if
you have the ability to interrupt the control system, you can
take down an entire protective network. You can interfere with
all of the activities there. And the attacks on control systems
are growing more and more sophisticated all of the time.
Senator Collins. And could you tell us about work that is
being done by DHS with your ICS-CERT Team and a National Lab
with respect to the U.S. electric grid?
Secretary Napolitano. Yes, we are working in both of those
capacities with the National Labs, with the grids, in terms not
only of mitigating attacks that have occurred, but also
preventive measures that they can employ.
Senator Collins. So you are doing training as well and
helping the critical infrastructure owners and operators
Secretary Napolitano. That is correct.
Senator Collins. It is my understanding that in January the
Administration transferred the Defense Department's Defense
Industrial Base (DIB) cyber pilot program from DOD to DHS.
Secretary Napolitano. That is right, the DIB pilot.
Senator Collins. The DIB pilot program, as I understand it,
shared classified cyber threat indicators with defense
contractors in an effort to better defend systems that
contained information critical to the Department's programs and
operations. I understand that DHS is now the lead for
coordinating this program with the private sector and that it
is being expanded to other critical infrastructure sectors.
Could you tell the Committee why the Administration decided
to transfer this pilot program from DOD to the Department of
Secretary Napolitano. Well, the DIB pilot really gets to
the division of responsibility between military and civilian,
and what we are talking about here are private companies that
do important defense contracting work, but they are in essence
private companies. And so the authorities and the laws that we
use are better situated in DHS, which deals in this context as
opposed to DOD. So we have been working with DOD from the
outset on the design of the DIB pilot, have been working with
them on the initial aspects of it, and now as the decision was
made to extend it and to grow it, the decision was also made
that it is more appropriately located within the DHS.
Senator Collins. The bill provides the authority to DHS to
set risk-based performance standards for critical
infrastructure. Do you believe that we can achieve great
progress in improving our cybersecurity in this country absent
Secretary Napolitano. I think it makes it tougher. We have,
as I said in my testimony, the basic authority under the
Homeland Security Act. We have authorities by various
Presidential directives. But nowhere do we have explicit
authority to establish on a risk-based level, on a risk-based
basis, the protection necessary for critical infrastructure.
Senator Collins. Finally, I think that a lot of people are
unfamiliar with a lot of the work that the Department has
already done in the area of cybersecurity, including the fact
that there is a 24-hour, 7-day-a-week National Cybersecurity
and Communications Integration Center (NCCIC).
Secretary Napolitano. The NCCIC, yes.
Senator Collins. Could you explain to the Committee and
those watching this hearing how this center operates and what
it does with respect to the private sector?
Secretary Napolitano. You know, the NCCIC is really an
integrated, 24/7 watch center for cyber, and it includes on its
floor not only DHS employees but representatives from other
Federal agencies, from critical infrastructure sectors that
coordinate with us through the National Infrastructure
Protection Plan (NIPP)--lots of acronyms in the cyber world and
the government world. And then, finally, it also has
representatives from State and local governments as well
because a lot of the information sharing is applicable to them.
Senator Collins. Thank you. Thank you, Mr. Chairman.
Chairman Lieberman. Thanks very much, Senator Collins.
OPENING STATEMENT OF SENATOR MCCAIN
Senator McCain. Mr. Chairman and Senator Collins, thank you
for holding this hearing on the long-awaited Cybersecurity Act
of 2012. Obviously, I welcome all of our witnesses, including
Secretary Napolitano and my old friend Governor Ridge, who will
have some different aspects and views on this bill, including
in his testimony.
I would like to state from the outset my fondness and
respect for the Chairman and Senator Collins, especially when
it comes to matters of national security, so the criticisms I
may have with the legislation should not be interpreted as
criticism of them but, rather on the process by which the bill
is being debated and its policy implications.
All of us recognize the importance of cybersecurity in the
digital world. Time and again, we have heard from experts about
the importance of possessing the ability to effectively prevent
and respond to cyber threats. We have listened to accounts of
cyber espionage originating in countries like China; organized
cyber criminals in Russia; and rogue outfits with a domestic
presence like ``Anonymous,'' who unleash cyber attacks on those
who dare to politically disagree. Our own Government
Accountability Office (GAO) has reported that over the last 5
years, cyber attacks against the United States are up 650
percent. So all of us agree that the threat is real.
It is my opinion that Congress should be able to address
this issue with legislation a clear majority of us can support.
However, we should begin with a transparent process which
allows lawmakers and the American public to let their views be
known. Unfortunately, the bill introduced by the Chairman and
Senator Collins has already been placed on the calendar by the
Majority Leader, without a single markup or any executive
business meeting by any committee of relevant jurisdiction. My
friends, that is wrong.
To suggest that this bill should move directly to the
Senate floor because it has ``been around'' since 2009 is
outrageous. First, the bill was introduced 2 days ago. Second,
where do Senate Rules state that a bill's progress in a
previous Congress can supplant the necessary work on that bill
in the present one?
Additionally, in 2009, we were in the 111th Congress with a
different set of Senators. For example, the Minority of this
Committee has four Senators on it presently who were not even
in the Senate, much less on this Committee, in 2009. How can we
seriously call it a product of this Committee without their
participation in Committee executive business?
Respectfully, to treat the last Congress as a legislative
mulligan by bypassing the Committee process and bringing the
legislation directly to the floor is not the appropriate way to
begin consideration of an issue as complicated as
In addition to these valid process concerns, I also have
policy issues with the bill.
A few months ago, as Senator Lieberman mentioned, he and I
introduced an amendment to the defense authorization bill
codifying an existing cybersecurity Memorandum of Agreement
(MOA) between the Department of Defense and the Department of
Homeland Security. The purpose of that amendment was to ensure
that this relationship endures and to highlight that the best
government-wide cybersecurity approach is one where DHS
leverages not duplicates DOD efforts and expertise. This
legislation, unfortunately, backtracks on the principles of the
MOA by expanding the size, scope, and reach of DHS and neglects
to afford the authorities necessary to protect the homeland to
the only institutions currently capable of doing so, U.S.
Cybercommand and the National Security Agency.
At a recent FBI-sponsored symposium at Fordham University,
General Alexander, the Commander of U.S. Cybercommand and the
Director of the NSA, stated that if a significant cyber attack
against this country were to take place, there may not be much
that he and his teams at either Cybercommand or NSA can legally
do to stop it in advance. According to General Alexander, ``in
order to stop a cyber attack, you have to see it in real time,
and you have to have those authorities. Those are the
conditions we have put on the table. Now how and what the
Congress chooses, that will be a policy decision.''
This legislation does nothing to address this significant
concern, and I question why we have yet to have a serious
discussion about who is best suited, which agency--who is best
suited to protect our country from this threat we all agree is
very real and growing.
Additionally, if the legislation before us today were
enacted into law, unelected bureaucrats at the DHS could
promulgate prescriptive regulations on American businesses--
which own roughly 90 percent of critical cyber infrastructure.
The regulations that would be created under this new authority
would stymie job creation, blur the definition of private
property rights, and divert resources from actual cybersecurity
to compliance with government mandates. A super-regulator, like
DHS under this bill, would impact free market forces which
currently allow our brightest minds to develop the most
effective network security solutions.
I am also concerned about the cost of this bill to the
American taxpayer. The bill before us fails to include any
authorizations or attempt to pay for the real costs associated
with the creation of the new regulatory leviathan at DHS. This
attempt to hide the cost is eclipsed by the reality that the
assessment of critical infrastructure, the promulgation of
regulations, and their enforcement will take a small army.
Finally, I would like to find out over the next few days
what specific factors went into providing regulatory carve-outs
for the IT hardware and software manufacturers? My suspicion is
that this had more to do with garnering political support and
legislative bullying than sound policy considerations. However,
I think the fact that such carve-outs are included only lends
credence to the notion that we should not be taking the
regulatory approach in the first place.
Because of provisions like these and the threat of a
hurried process, a total of seven of us--ranking minority
members on seven committees--are left with no choice but to
introduce an alternative cybersecurity bill in the coming days.
The fundamental difference in our alternative approach is that
we aim to enter into a cooperative relationship with the entire
private sector through information sharing rather than an
adversarial one with prescriptive regulations. Our bill, which
will be introduced when we return after the Presidents Day
recess, will provide a common-sense path forward to improve our
Nation's cybersecurity defenses. We believe that by improving
information sharing among the private sector and government,
updating our criminal code to reflect the threat cyber
criminals pose, reforming the Federal Information Security
Management Act, and focusing Federal investments in
cybersecurity, our Nation will be better able to defend itself
against cyber attacks. After all, we are all partners in this
fight, and as we search for solutions, our first goal should be
to move forward together.
I also would ask permission to enter in the record a letter
signed by Senator Chambliss, the Ranking Member on
Intelligence; myself, Ranking Member on Armed Services; Senator
Jeff Sessions, Ranking Member on Budget; Senator Michael B.
Enzi, Ranking Member on the HELP Committee; Senator Hutchison,
Ranking Member on the Commerce Committee; Senator Lisa
Murkowski, Ranking Member on the Energy Committee; and Senator
Chuck Grassley, Ranking Member on the Judiciary Committee;
addressed to Senator Reid and Senator McConnell, which we have
asked that with the legislation go through the regular process
with the committees of jurisdiction having a say in this
\1\ The letter dated February 14, 2012, submitted by Senator McCain
appears in the Appendix on page 61.
So, Mr. Chairman, I thank you, and I yield the remaining
balance of my time.
Chairman Lieberman. No balance. [Laughter.]
Senator McCain. Oh, wow, that is the first time that has
Chairman Lieberman. No, it is not. [Laughter.]
Look, with the same fondness and respect that you expressed
for Senator Collins and me when you started, I cannot conceal
the fact that I am disappointed by your statement. This bill is
essentially the one that was marked up by the Committee. But
that is not the point. The point is that we have reached out
not only to everybody who was possibly interested in this bill
outside of the Congress, but opened the process to every Member
of the Senate who wanted to be involved. We pleaded for
involvement. And a lot of people, including yourself, have not
come to the table.
The most encouraging part of your statement is that you and
those working with you are going to introduce some legislation,
and we will be glad to consider it. The Senate should consider
it. I think Senator Reid intends to hold an open amendment
process on this bill. But you know, as you stated, that this is
a critical national security problem, and to respond to it with
business about regulation of business, this is national
security. As Senator Collins said, there is regulation of
business that is bad for business and bad for the American
economy. There is regulation such as we have worked very hard
to include in this bill that, in fact, is not only not bad for
American business and not bad for the American economy but will
protect American business and American jobs and help to
guarantee more American economic growth.
On the question of DOD and the intelligence community, I
indicated for the record earlier that they have supported our
bill this week. I hear what you said about General Alexander
from NSA, but he has at no point, nor has the Department of
Defense or the DNI, come before us and offered any suggestions
for additions to this bill that would give him more authority.
I would welcome those suggestions, if he wishes.
So I had to be honest with you, as you have been honest
with us, and express my disappointment and that the only
satisfaction I have from your statement, which is that you are
going to make a proposal that our colleagues in the Senate
consider it. Senator Collins and I and the others working on
this bill will consider it. And let us get something done on a
clear and present danger to our country this year.
Senator McCain. Well, Mr. Chairman, could I just briefly
respond? I speak for seven ranking members of the major
committees of jurisdiction. I do not speak just for myself.
There is a breakdown somewhere if seven ranking members of the
relevant committees are all joining in this opposition to this
process and this legislation. So if you choose to neglect those
many years of legislative experience and time in the Senate,
that is fine. But there are seven of us that are deeply
concerned about this process and the legislation, and we do not
think it should go directly to the floor.
Chairman Lieberman. I will say for the record that we have
reached out to all seven ranking members in various ways to try
to engage their involvement in this bill. I would have much
rather preferred to submit a bill--and Senator Collins would
have, too--that everybody had been involved in discussing. We
were very open to trying to find consensus, as we did with
other chairs who are here. So nobody is neglecting the
expertise. I am saying I am sorry that they have not been
engaged before, and I am glad they are going to be engaged now.
OPENING STATEMENT OF SENATOR MORAN
Senator Moran. Mr. Chairman, thank you.
Madam Secretary, this is my first opportunity to visit with
you since the announcement about the President's budget, and I
want to talk about a topic unrelated at least to cybersecurity,
but certainly related to security. And the Chairman just spoke
about clear and present danger. One that you and I have had a
conversation about over a long period of time is related to our
food and animal safety and security in this country. And as you
can imagine and can expect the disappointment that I have,
others in our congressional delegation have in regard to the
President's failure to include dollars related to construction
of the National Bio and Agro-Defense Facility (NBAF) to replace
the aging Plum Island. You and I have had a number of
conversations, and I will stay within my 6 minutes today to
talk about this non-germane topic but we will have a greater
chance to visit in the Homeland Security Appropriations hearing
in which you and I will be together in just a few days.
But I would not want this opportunity to pass without again
delivering the message to you and to the folks at the
Department of Homeland Security who have throughout this
process been our allies, and we consider that we have been your
allies in an effort to see that a facility designed to make
certain that the food and animal safety of this country is
And you and I had a conversation in March of last year,
less than a year ago, that was in a Homeland Security
Appropriations Subcommittee, and you told me that NBAF is
something that we are very supportive of. Plum Island does not
meet the Nation's needs in this area. There was a highly
contested, peer-reviewed competition, and we look forward to
continued construction. We believe that NBAF needs to be built,
and we need to get on with it.
Later, in September of that year, you talked about the
future, we need to get prepared for the next generation, and,
again, we need to be confronting the things that we face today
and the things that we will face 10 years from now. That series
has continued with your testimony and others from DHS, the U.S.
Department of Agriculture, and I just would like for you to, I
hope, reiterate the Department's, your position as Secretary,
continued support and believe in the importance of building
this facility and to explain to me the idea of a reassessment,
which, as I read in press reports, is a reassessment in scope
only, not in concerns about safety or concerns about location.
Secretary Napolitano. That is right, Senator, and you are
right, the President does not request in the budget an
appropriation for the NBAF, in part because last year we
requested $150 million. The House ultimately appropriated $75
million, the Senate appropriated zero, we ended up with $50
million, and a lot of extra requirements put on the project, as
you just have stated.
What we have done in this year's budget is allocate $10
million that will go to related animal research at Kansas State
University. I have talked this over with Governor Sam
Brownback, among others. And in light of the Budget Control Act
(BCA) and the other changed circumstances that we have to deal
with, and in light of the fact that we have not been able to
persuade the Congress to really move forward in a substantial
way on funding the NBAF, we have recommended that there be a
reassessment in terms not of location, not in terms of need,
both of which I firmly stand by the position I have stated, but
in terms of scoping and what needs to happen so that this
project can move forward with the right level of appropriation.
Senator Moran. Well, Madam Secretary, thank you. I would
comment that the solution to lack of funding by Congress is not
for the Administration to not request funding. The solution to
that problem is continued support and encouragement for
Congress to act. As you say, the House appropriated $75 million
last year. In a conference committee with the Senate, it was
agreed upon to $50 million. You also are requesting
reprogramming for additional planning of money within this
year's budget. Again, the money that is there needs to be spent
as quickly as possible.
I will be asking you by letter shortly to continue the
funding of the $40 million that is available, is appropriated,
and now as a result of the report filed this week can be spent
to complete the Federal share of the utility portion of this
Based upon what I have heard you say and what I have read
that you have said, it is not about location, it is not about
the site, and it may be about the scope of what will occur. But
the utility pad is still important and will be necessary,
regardless of the scope of that project. So we are going to ask
you to continue the funding that you already have committed to
and are authorized to now spend this $40 million on utilities.
And I would add to that point, we have appropriated $200
million Federal dollars. The State of Kansas has put in nearly
$150 million. This is a partnership. And we need the Federal
Government to continue its partnership. In fact, on the utility
portion, we are waiting on the share that you are now
authorized to spend to be spent.
I appreciate the answer to my question. I have considered
you an ally and continue to consider you an ally. And my plea
is let us work together to see that this Congress moves forward
on an issue that is important, just as cybersecurity is, to the
economic security and future of our Nation.
Mr. Chairman, thank you.
Secretary Napolitano. Senator, I would be happy to work
together with you on this.
Senator Moran. Thank you very much. We need your help.
Chairman Lieberman. Thanks very much, Senator Moran.
For the information of the Members, the order of arrival
today now is Senators Landrieu, Pryor, Brown, Carper, Levin,
and Johnson. Senator Landrieu is not here, so we will go to
OPENING STATEMENT OF SENATOR PRYOR
Senator Pryor. Thank you, Mr. Chairman. Thank you for this
very important meeting. Always good to see you, Madam
Let me start, Madam Secretary, with a question about--I
think you have already pretty much said that you feel like we
need a statute, but I am curious about what specific authority
you think your agency or the Federal Government does not have
in this area that you need. What specific authority do you feel
like you need to accomplish to achieve security in this area?
Secretary Napolitano. Well, I think of the specific
authorities that the statute contains, the most important is
the ability to bring all of the Nation's critical
infrastructure up to a certain base standard of security and to
outline the process with which that will occur.
Senator Pryor. And let me ask you a question on a different
topic, I know that in reading some of the news stories, trade
publications, etc., the private sector seems to have hesitation
about sharing too much information, and understandably so. They
may fear that a competitor will get information or it may
create liability issues for them. But we do have an effective
mechanism for the private sector stakeholders to share their
best practices and potential threats and those concerns without
raising issues of their own security and liability and even
Secretary Napolitano. No. In fact, another major
improvement in the bill over the current situation is it
clarifies the kind of information sharing that can occur
without violating other Federal statutes--antitrust, the
Electronic Communications Privacy Act. We have had situations
where we have had delay in being able to get information and to
respond because the lawyers of a company or an entity had to
first assess whether they would be violating other Federal law
by alerting the Department of Homeland Security that an
intrusion had occurred. And I think as you and I can both
appreciate, when the lawyers get it, it can take awhile.
Senator Pryor. We understand.
Secretary Napolitano. So, again, the new bill would clarify
that should not be a problem.
Senator Pryor. And you are comfortable with how the new
bill is structured in that area?
Secretary Napolitano. Yes, I am.
Senator Pryor. And let me ask about lessons learned. DHS
has recently discussed--and it has been discussed about DHS--
that some of the work being done under the Chemical Facility
Anti-Terrorism Standards (CFATS) program has not been done as
quickly or as thoroughly as maybe it should have been. And as
you know, this bill provides a requirement that DHS would do
similar type assessments. Are there lessons learned in the
CFATS experience that might indicate that we can put the
problem behind us and we can comply with what this law would
ask you to do?
Secretary Napolitano. Yes, Senator. First of all, with
respect to CFATS, no one is more displeased than I am with some
of the problems that have occurred there, and there is an
action plan in place, there are changes in personnel among
other things. And that program is going to run smoothly, and
now the security plans are being evaluated, the tiering has
occurred and the like.
Senator Pryor. And there are lessons learned there?
Secretary Napolitano. And there are lessons learned, as
there are in all things. And this bill is less prescriptive
than CFATS. First of all, this is a very regulation-like bill.
This is a security bill. This is not a regulatory bill per se.
But in terms just of management and organization, yes, there
are some lessons learned from CFATS.
Senator Pryor. Great. And I know that a lot of times when
we read news media accounts about cybersecurity and even as we
discuss it among ourselves, oftentimes we tend to focus on
large companies and breaches that large companies experience.
But the truth is a lot of small and mid-sized companies carry a
lot of sensitive information. Is DHS working with small to mid-
sized companies in any way to reach out to them to talk about
best practices or anything like that?
Secretary Napolitano. We conduct a lot of outreach
activities with small and medium-size businesses on a whole
host of cyber-related areas, so the answer is yes.
Senator Pryor. Great. We always want to make sure that our
small businesses are taken care of, and obviously if they are
the weak link in the chain, that is a real problem.
Secretary Napolitano. Well, Senator, as I continue to
emphasize, when we are talking about the security of core
critical infrastructure, if that goes down, a lot of these
small businesses are dependent on that, and they will fail.
Senator Pryor. Right. That is exactly right. Also, we often
talk about the Federal Government, but also State governments
have this same issue of cybersecurity, and obviously you are a
former governor, former State Attorney General, as is the
Chairman here, so you appreciate that State perspective. Are
you working with States to try to talk about their best
practices and lessons that you have learned?
Secretary Napolitano. Yes, we are, and, indeed, we work
with a multistate information system, and they are actually
located or provide input into the NCCIC, the center that we
Senator Pryor. Great. Mr. Chairman, that is all I have. I
yield back the balance of my time. [Laughter.]
Chairman Lieberman. Thank you, Senator Pryor. Next is
Senator Carper. Could I have his 14 seconds? [Laughter.]
Chairman Lieberman. You got it.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Madam Secretary, good to see you. Good to
see a former Secretary out there, a former governor out there,
a former Congressman out there, Tom Ridge. Nice to see all of
our witnesses. Thank you for being here.
One of the things, as my colleagues know, I like to do in
hearings like this is to see if we cannot develop some
consensus. You can never have too much of that in the Senate or
in the House, and my hope is that when we adjourn here today we
will have identified not just where we have differences, but we
will have identified where we can actually find some common
ground. So I will ask a couple of questions with that in mind.
I want to return to the comment of my colleague from
Arizona who mentioned regulation, and with sort of a cautionary
note, I just want to second what the Chairman said. Regulation
can be a problem. It can be problematic. If we do not use
common sense, if we do not look at cost/benefit analysis, it
can be a bad thing.
Having said that, I always remember meeting with a bunch of
utility chief executive officers (CEOs) 6 or 7 years ago,
during my first term in the Senate, and they were meeting with
me about clean air issues--sulfur dioxide, nitrous oxide,
mercury, and carbon dioxide. And we were trying to decide what
our path forward should be.
Finally, at the end of this meeting, the CEO from someplace
down South, kind of curmudgeonly old guy, he said, ``Look,
Senator, just do this. Tell us what the rules are going to be,
give us some flexibility, give us a reasonable amount of time,
and get out of the way.'' That is what he said. And I have
always remembered those words, and I think they may apply here
I want to thank the Chairman and our Ranking Member, Susan
Collins, for calling our hearing and for working with me. The
Chairman mentioned trying to open up, if you have an idea,
bring it to us, and I think he has had an open door, and it is
too bad that some have not taken full opportunity of that. But
we have a lot of distractions around here, so sometimes that
We all know we are being attacked by hackers from across
the world and closer to home, and it is likely to get worse,
not better. And while some of the hackers are just there to
cause mischief, some of them are there to steal ideas, steal
our defense secrets, steal intellectual property, blackmail
businesses and nonprofits, and to do worse.
The challenges that I think we have here, I think they
really need a bold plan and we need a road map--I call it a
``common sense road map''--to move forward. And I hope, again,
that we can move along that way today.
I am especially pleased that the legislation that is being
introduced includes a number of security measures that my staff
and I have worked on with some of our colleagues for years to
better protect our Federal information systems.
Having said that, I would like to begin, Madam Secretary,
by asking you a couple of questions about the Department's
efforts in this area, if I could.
As you know, I have been calling for some major changes to
the laws that control how Federal agencies protect their
information, our information systems. And when the Federal
Financial Management, Government Information, Federal Services,
and International Security Subcommittee that I chair first
looked at this issue several years ago, we found that Federal
agencies were wasting millions of dollars on reports that
nobody read and hardly anybody understood and they did not make
us any safer.
The bill that is before us today includes many improvements
to the so-called Federal Information Security Management Act,
affectionately known as FISMA, and that will ensure, we hope,
our Federal agencies are actively monitoring and responding to
threats, not just writing paper reports about them.
From what I understand, many agencies are already taking
many steps to improve their security networks, largely because
of the action you have taken in your Department to make FISMA
more effective despite the outdated statute. I commend you for
being proactive in this area and for putting forward a budget
request that would ensure that your Department has the
resources it needs to address this growing area of
Can you describe some of the current limitations of FISMA
for us and why this legislation and some of the new tools we
give you just might be needed?
Secretary Napolitano. Well, I think, just stepping back,
one of the key things that this bill would do is by clarifying
and centralizing where the authorities lie within the
government and how those relate to the FISMA, among other
things, so that it really sets, as you say, the common-sense
road map for how we move forward.
You know, we have done a lot with the civilian networks of
the government. As you know, they have been repeatedly and they
are increasingly attempted to be infiltrated and intruded upon
all the time. We have almost completed the deployment of what
is known as EINSTEIN 2. We are working on the next iteration.
We have also in the President's budget request asked for a
budget that would be held by the Department of Homeland
Security but would be used to help improve or raise the level
of IT protection within the civilian agencies.
Senator Carper. All right. Thank you.
Just very quickly, if I could follow up just to get more
specific, could you just talk a little bit more about what your
Department will be able to achieve with what the President has
requested, I think $200-some million for Federal network
security, and how this legislation will impact those
activities. You talked to it a little bit, but could you just
drill down on that just a little for us?
Secretary Napolitano. Right. And I can give you more detail
on it, but basically what we will be able to do is have a fund
out of which we can make sure that the civilian agencies of
government are deploying best practices, hiring qualified
personnel, in other ways strengthening their own cybersecurity
within the Federal Government.
Senator Carper. All right. Thanks.
Mr. Chairman, if I could just say in conclusion, one of the
things that I hear a lot from businesses across the country and
certainly in Delaware is they want us to provide for them
certainty and predictability, and one of the things we are
trying to do with this legislation and the regulations that may
flow from it is just that, predictability and certainty. And
with that in mind, I would say to our witnesses that are
following, again, it would be really helpful if you all could
figure out ways in your testimony not just to kind of divide us
but help bring us together. That would be enormously helpful,
not just to the Committee and to the Senate, but I think to our
country. Thank you.
Chairman Lieberman. Thank you, Senator Carper. Senator
OPENING STATEMENT OF SENATOR LEVIN
Senator Levin. Thank you very much, Mr. Chairman and our
Ranking Member, for taking the initiative on this with other
colleagues. Thank you, Madam Secretary, for all the work that
the White House did on a similar bill which you had worked on,
which I understand is basically part of now this pending bill
which is on the calendar.
I am trying to understand what the objections are to the
bill because it seems to me there is a whole bunch of
protections in here for the private sector. As I have read at
least a summary of the bill--and I have not read the bill yet--
there is a self-certification or a third-party assessment of
compliance with the performance requirements. I understand
there is an appeal of those requirements if there is objection
to it. I understand and believe that the owners of covered
critical infrastructure that are in substantial compliance with
the performance requirements are not liable for punitive
damages which arise from an incident related to a cybersecurity
So you have here something unusual, I believe, actually,
for the private sector, which is a waiver of punitive damages.
I do not know that it is unique, but I think it is fairly
unique in legislation to waive the possibility of punitive
damages in case of a liability claim.
There are a number of other protections in the privacy
area, as I read the summary of this bill, for the information
which must be provided where there is a significant threat
which is identified. I am trying to identify--and I am not
going to be able to stay to hear from the next panel as to what
the objections are. I surely will read the letter from the
opponents and will study the bill that Senator McCain referred
to. But I am trying to the best of my ability as we go along to
see exactly what those objections are. There seems to be
privacy protection here. There seems to be self-certification
here which avoids part of a bureaucracy at least. There are
limits on liability where there is a good-faith defense for
cybersecurity activities, as the bill's heading says. There are
a number of other protections.
I do not want you to argue for the people who have
problems, obviously, but I would like you, to the best of your
ability, to address what you understand are the key objections.
We will hear them directly. We will read about them. But I
think if you can, give us your response to them so we can have
that for the record as well.
Secretary Napolitano. Well, I think there are three kind of
clusters. The first is that the bill is a regulatory bill, and
it will be burdensome to industry to comply. And the answer is
it is a security bill, not a regulatory bill. It really is
designed with making sure we have a basic level of security in
the cyber structures of our Nation's core critical
infrastructure and that we have a way to exchange information
that allows us to do that without private sector parties being
afraid of violating other laws. And so this is not what one
would consider a regulatory bill at all, and as Senator Collins
said, it really is designed to protect the American economy,
not to burden the American economy.
The second set of objections would, I think, revolve around
the whole privacy area, but as the ACLU itself acknowledged,
this bill really has done a very good job of incorporating
those protections right from the get-go. And realize one of the
reasons what DHS has the role it does is because we have a
privacy office with a chief privacy officer who will be
directly engaged in this. So the bill, I think, really
addresses some of those privacy concerns.
And the third cluster would be--and I think Senator McCain
kind of alluded to it--that it somehow duplicates the NSA. We
do not need another NSA, and we do not need to clarify the
authorities or the jurisdiction of the DHS. And I think there
is a misconception there. The plain fact of the matter is, as
the Chairman of the Joint Chiefs and Secretary Panetta and
others have recognized, both the DOD and the DHS use the NSA,
but we use it in different ways. So we are not duplicating or
making a redundant NSA. We are taking the NSA and using it to
the extent we can within the framework of the bill to protect
our civilian cyber networks.
Senator Levin. And I understand that the Department of
Defense basically supports this legislation. From what I can
understand at least it does. Is that your understanding as
Secretary Napolitano. I think not just basically. I think
Senator Levin. And in terms of the privacy concerns, those
concerns are met with the privacy officer. But in terms of the
information which is supplied where there has been a threat,
that information when it is submitted to a government entity is
Secretary Napolitano. Right. The content is not shared. It
is the fact of the intrusion----
Senator Levin. Tell us more about that protection.
Secretary Napolitano. Yes, content is not shared. The
information shared requires minimization. It requires
elimination of personally identifiable information, all the
things necessary to give the public confidence that their own
personal communications are not being shared. So it is the fact
of the intrusion, the methodology, the tactic used, the early
warning indicators, all of those sorts of things are to be
shared, but not the contents of the communication itself.
Senator Levin. Thank you. Thank you, Mr. Chairman.
Chairman Lieberman. Thanks very much, Senator Levin. That
was a really helpful exchange.
OPENING STATEMENT OF SENATOR JOHNSON
Senator Johnson. Thank you, Mr. Chairman. Madam Secretary,
nice to see you again.
First of all, I would like to say to Senator Lieberman and
Senator Collins, I appreciate your work on this. This is, I
think, critically important. It is also incredibly complex.
Is it appropriate for me to ask you a question, Mr.
Chairman? I am new here. I do not want to be breaking protocol.
Chairman Lieberman. I may have to consult my counsel, but
Senator Johnson. You know, I share some of the concerns of
Senator McCain, and because this is so important--it is
certainly not a good way to start out the process. I mean, sort
of in light of his objection and those of the other ranking
members, are we going to consider not taking this to the floor
directly or, I mean, is that going to be reconsidered on that
Chairman Lieberman. I do not believe so. I mean, I suppose
if people want to raise the question, but I think there has
been a long process here. Bills have been reported out of this
Committee, out of Commerce, Intelligence, Foreign Relations had
some stuff, all done--not all done on a bipartisan basis, but
most of them were. Senator Reid got really agitated about this
problem last year and began to convene the chairs and then held
a joint meeting, which in these times is very unusual, a
bipartisan meeting. Senator Reid and Senator McConnell urged
the chairs and ranking members of all the committees to begin
to work together to reconcile the differences. Some came to the
table, as I said; some did not. We worked very hard to try to
bring people in. I cannot speak for Senator Reid, but I think
his intention is to take the bill that is the consensus bill
now and bring it to the floor under his authority under Rule
XIV, but to have a really open amendment process.
So I do not think anybody is going to rush this through,
and there will be plenty of time for people to be involved. I
am sure I speak for Senator Collins: We are open to any ideas
Senator Johnson. I appreciate that. This is just really
important to get right, so I would be concerned with that.
Chairman Lieberman. I could not agree more. To me, the most
important thing is to get it right, but also as quickly as we
possibly can get it right, we should get it enacted.
Senator Johnson. OK.
Chairman Lieberman. Because the crisis, the threat is out
there. Senator Collins.
Senator Collins. Mr. Chairman, if I could just add one
thing, and that is, this legislation has gone through a lot of
iterations. It was reported first in 2010. I realize Senator
Johnson was not part of the Committee at that point.
Senator Johnson. I am one of those new guys.
Senator Collins. But our staff has shared with the
Senator's staff draft after draft after draft, invited them to
briefings. I know the Senator has come to some of the
classified briefings that we have had as well. So we have
invited input from the Senator's staff.
Senator Johnson. Again, I am sincere in my appreciation of
the work you are doing in this, and in a desire to get this
right and move some legislation. So with that in mind, I know
the House has worked on a bipartisan bill, H.R. 3523, which is
just a very slimmed down version, probably an important first
step, really trying to get information to be shared between the
government and the private sector. Is that something you can
support in case this thing gets all snagged up, maybe move
toward something like that?
Secretary Napolitano. Well, I would have to go back and
look at that, but I think that there may be some parts of that
are included within this bill. But this bill is a much stronger
and more comprehensive focus on what we actually need in the
cybersecurity area given the threats that are out there.
Senator Johnson. In terms of the carve-outs, I was talking
to somebody who is far more knowledgeable about this than I am,
and that was one of the big questions this individual
expressed. If you are really trying to create cybersecurity,
why would you carve out Internet Service Providers (ISPs), I
mean, the people at the heart of it? It is kind of as if you
are going to steal money, you go to the bank where it is. I
mean, why would we carve out the service providers?
Secretary Napolitano. I think from our standpoint, if you
focus on the Nation's critical infrastructure and you really
focus on the standards they have to meet, and you want to avoid
some of the complexities that deal with like the ISPs and the
like and where they are located and international jurisdiction,
among other things, the carve-out is appropriate. In fact, it
helps move the legislation along.
Senator Johnson. Have you done a cost assessment in terms
of the cost of complying with these regulations?
Secretary Napolitano. Well, I think talking about cost is
important here. It is not our intent to have an undue cost on
the core critical infrastructure of this country. It is,
however, our belief that the costs of making sure you practice
a common base level of cybersecurity, it should be a core
competency within the Nation's critical infrastructure. And so
while we do not want an undue cost, we do want a recognition
that this is something that needs to be part of doing business.
Senator Johnson. Has there been an attempt to quantify that
or will there be an attempt to quantify the cost of complying?
Secretary Napolitano. I do not know. I would imagine, just
thinking about it, that there will be many entities that
already are at the right level. But, sadly, there are others
that are not. And given that we are only talking about
infrastructure that if intruded or attacked would have a really
large impact on the economy, on life and limb, on the national
security, we are talking about a very narrow core part of the
critical infrastructure. The fact that they all have to reach a
base level is a fairly minimal requirement.
Senator Johnson. Just one last quick question. I am aware
that the Chamber of Commerce is not for this bill, and the
American Bankers Association. Do you have a list of private
sector companies that have to comply with this that are in
favor of it?
Secretary Napolitano. Oh, there are a number of them, and I
think they have been in contact with the Committee, but we can
get that for you.
Senator Johnson. I appreciate that. Thank you, Mr.
Chairman Lieberman. Thanks, Senator Johnson.
Secretary Napolitano, I appreciate your testimony very
much. You made a really important point here, I think, first
off that we define the group of owners and operators of private
cyberspace in our country that are ultimately regulated here,
that can be forced to meet the standards very narrowly, to
include only those sectors which, if they were attacked, cyber
attacked, would have devastating consequences on our society.
So you are right. Obviously, it will cost some to enforce this,
to carry it out, but it will be a fraction of what it would
cost our society if there was a successful cyber attack. And I
go back to the initial question. After 9/11, we just could not
do enough to protect ourselves from another 9/11. And we have
the opportunity here to do something preemptively,
preventively, methodically, and at much less cost to our
Secretary Napolitano. That is right, Mr. Chairman, and I
think as you and I both noted, and I think Senator Collins did,
in our opening statements, it is our responsibility to be
proactive and not just reactive. We know enough now to chart a
way ahead, and the bill does that.
Chairman Lieberman. Yes, I agree. If we do not legislate,
we do not create a system of protection of American cyberspace,
and God forbid there is an attack, we are all going to be
rushing around frantically to sort of throw money at the
problem, and it is going to be after a lot of suffering that
occurs as a result. So we have a real opportunity to work
together. Nobody is saying this bill is perfect. I think it is
very good after all it has been through. But the process
continues. You have been very helpful today. I thank you very
much, and we look forward to working with you. Senator Collins.
Senator Collins. Thank you, Mr. Chairman. I, too, want to
thank the Secretary for her excellent testimony and the
technical assistance of the Department.
General Dempsey, Chairman of the Joint Chief of Staff, made
a very clear statement at a hearing before the Armed Services
Committee earlier this week. And General Dempsey said, ``I want
to mention for the record that we strongly support the
Lieberman-Collins-Rockefeller legislation dealing with
cybersecurity.'' So the Secretary's comment in response to the
question of Senator Levin about where does the Department
stands, when she said ``wholeheartedly,'' is exactly right. And
the Department testified to that effect.
Chairman Lieberman. Thank you, Secretary Napolitano. Have a
good rest of the day.
Senator Napolitano. Thank you.
Chairman Lieberman. We will call the final panel. Secretary
Ridge is first. I know you are under a time pressure. I
apologize for keeping you later than we had hoped, Secretary
Ridge, but we have you, then Stewart Baker, James Lewis, and
Gentlemen, thank you for your willingness to be here to
testify and for your patience, although it got pretty
interesting at times during the hearing, didn't it?
Secretary Ridge, in a comment that only you and I and two
other people would appreciate, I do not think we will be going
to the Common Man together tonight. That is another story.
Mr. Ridge. I do not think so. But I would welcome the
opportunity anytime you are ready.
Chairman Lieberman. Thanks very much for being here. We
will hear your testimony, and then we will understand if you
have to go because I know you have another engagement and you
are already late. Please proceed.
TESTIMONY OF HON. THOMAS J. RIDGE,\1\ CHAIRMAN, NATIONAL
SECURITY TASK FORCE, U.S. CHAMBER OF COMMERCE
Mr. Ridge. Thank you very much. First of all, let me tell
you what a pleasure it is to be back before the Committee. As I
have told you before, my 12 years in the Congress of the United
States I did enjoy being on that side of the table rather than
this, but every time I have appeared before this Committee, the
engagement has been civil, constructive, and substantive, and I
hope I have been able to contribute. And I hope the fact that
we agree in part and disagree in part today and there is
significant agreement and disagreement does not preclude
another invitation at another time. So it is a great pleasure
to be before you.
\1\ The prepared statement of Mr. Ridge appears in the Appendix on
I testify today on behalf of the U.S. Chamber of Commerce,
which, as you well know, is the world's largest business
federation representing the interests of more than 3 million
businesses and organizations of every size, every sector,
throughout every region in this country.
For the past year and a half, I have chaired the Chamber's
National Security Task Force, which is responsible for the
development and implementation of the Chamber's homeland and
national security policies. And very much consistent with the
President's concern, this Committee's concern, concerns on both
sides of the aisle, you are probably not surprised that
cybersecurity has been at the top of the list. When we have met
with dozens and dozens of private sector companies and their
vice presidents for security, be it bricks and mortar or cyber,
this is very high, maybe at the top of their list right now.
So it is in my capacity as chairman but hopefully with a
perspective also as the first Secretary of Homeland Security
that I thank you for this opportunity to appear before you
regarding cybersecurity and ways in which we can secure
At the very outset, Senator Lieberman and Senator Collins,
one of the perspectives that I do want to share with you is
that you need to add the Chamber of Commerce to the chorus of
people sounding the alarm. They get it. And why do they get it?
Because the infrastructure that we are worried about that
protects America's national interest and supports the Federal,
State, and local governments is the infrastructure that they
operate. And in addition to being concerned about the impact of
cyber invasion and incursion on their ability to do their job
on behalf of the Federal Government, they also have 300 million
consumers one way or the other they have to deal with.
So they join you, they join that chorus, not only in terms
of the urgency of dealing with the threat, but I would dare
say, and I say respectfully, they are probably better
positioned to be able to calculate the consequences of systemic
failure vis-a-vis a cyber attack than even an agency in the
Federal Government. And on top of that, they have their
interests to protect, fiduciary interests for shareholders if
they are publicly traded. They have their employees. They have
the communities they work in. They have the consumers. They
have the suppliers. So we are in this together, and I think it
is very important for you to understand that the Chamber joins
the chorus that appreciates both the urgency of dealing with
something, and I would say respectfully better understands from
a macro level the horrific consequences to them and to their
community and to their brand, their employees, and to this
country from a significant cyber attack.
As you also know, the industry for years has been taking
robust and proactive steps to protect and make their
information networks more resilient. There has been much
discussion with regard to process here, and let me just talk
very briefly, and I am going to ask unanimous consent to get
another minute or minute and a half, and I apologize for that.
But as the first Secretary, I remember the national strategy
that we created in 2002 talked about securing America, but we
did not talk just about people, we did not just talk about
bricks and mortar; we talked about cyber attacks as well.
In 2003, as has been referenced by Secretary Napolitano,
the enabling legislation talked about cyber attacks as well.
You move from the enabling legislation that creates the
Department, and then you get Homeland Security Presidential
Directive 7 (HSPD-7), and in anticipation of testifying I read
what HSPD-7 says. It says, ``Establish a national policy for
Federal departments and agencies to identify and prioritize
United States critical infrastructure and key resources and to
protect them from terrorists.'' It goes on to talk about
protection from cyber attack as well.
In 2006, the National Infrastructure Protection Plan was
established. The NIPP, updated in 2009, encompasses all that
had gone on before to protect critical infrastructure and is
specifically based on HSPD-7. The NIPP helped to create the
Sector-Specific Agencies and the Sector Coordinating Councils--
the point being that we do not need a piece of legislature, at
least from the Chamber's point of view, that would identify and
regulate critical infrastructure. We have been working on that
for 10 years. It started with the enabling legislation, and you
understand that process.
Where we tip the hat because compared to the first mark of
the President's bill to this market, the information sharing,
although we would probably like to tinker with it a little bit,
is a vast improvement from the one that was initially placed
and initially considered by the Administration. And, again, we
are not ready to embrace it in its totality, but the concept,
the direction, and the focus of it being bilateral we believe
is the way to go.
So at the end of the day, with regard to covered critical
infrastructure (CCI), there is really in our judgment no real
need for that. We already have the process in place. People
have been working together for 10 years, personal and
institutional relationships to develop what that critical
infrastructure is. You have cybersecurity experts in these
Sector-Specific Agencies. So not only do you take a definition
that appears to have no walls, ceilings, or floors, but it
appears to be redundant.
And, second, it does--somebody used the word
``requirements.'' And one of the great concerns we have is that
requirements and prescriptions are mandates, mandates are
regulations, and, frankly, the attackers and the technology
moves a lot faster than any regulatory body or political body
will ever be able to move.
So, in my judgment--and, again, we need to talk--the
Chamber agrees. The sections in here with regard to the
international component, the public awareness component, the
FISMA component, and some of the others, we applaud and
celebrate. And hopefully if you tied those together, if you are
looking to really deal with this in an immediate way as quickly
as possible with a more robust information-sharing proposal,
marry it with the House and then you will have that bipartisan
So I was hurried. I appreciate and respectfully request
that my full statement be included as part of the record, and
thank you for the opportunity of appearing before you.
Chairman Lieberman. Thanks, Mr. Secretary, and we will
definitely include your statement in full in the record.
Am I right that you have to leave?
Mr. Ridge. You were, but I think it is a little too late. I
Chairman Lieberman. Can you stay?
Mr. Ridge. I am prepared to stay to answer questions. I can
leave at 6 o'clock instead of 5 o'clock. I have to be on a
plane--but thank you for asking.
Chairman Lieberman. Do you want us to ask you a few
questions now and then have you go? Or with the sufferance of
Mr. Ridge. I think that in deference, it is a little late
to get there, so I appreciate that.
Chairman Lieberman. I am going to yield to Senator Collins,
and if there is anything left to ask when she is done----
Senator Collins. Thank you, Mr. Chairman.
First, Secretary Ridge, as you know, I have the greatest
respect and affection for you personally and the greatest
respect for the Chamber of Commerce, which is why I am
disappointed that we do not see this issue exactly in the same
I would also note a certain irony since the Chamber itself
was under cyber attack by a group of sophisticated Chinese
hackers for some 6 months at least, during which time the
hackers had access to apparently everything in the Chamber's
system, and the Chamber was not even aware of the attack until
the FBI alerted the Chamber in May 2010. So there is a little
bit of irony, but I will assure you that under our bill the
Chamber is not considered critical infrastructure. [Laughter.]
Mr. Ridge. But Senator, you raise a very interesting point,
and I guess the question I have, if it is not critical
infrastructure but a significant organization representing the
critical economic infrastructure of America, why in the world
did the FBI delay informing the organization that represents
the economic infrastructure of America? Somebody ought to ask
that question. Frankly, I have heard some cases where people in
the private sector have reported potential--this has not been
verified--incidents to the Federal Government and they said,
``We knew.'' What do you mean you knew?
Senator Collins. Well, that is one reason----
Mr. Ridge. You cure some of that problem.
Senator Collins. I was just going to point to that. We have
very robust information-sharing provisions in our bill that
will cure that very problem.
But the fact is, in drafting this latest version of our
bill, we have taken to heart many of the concerns raised by the
Chamber, and, thus, just to clarify exactly where the Chamber
is on these issues, I do want to ask your opinion on some of
the changes that we have made in direct response to the
For example, we now have a provision that says that
entities that are already regulated by existing regulations
would be eligible for waivers and entities able to prove that
they are sufficiently secure would be exempted from most of the
requirements under this bill. The bill would require the use of
existing cybersecurity requirements and current regulators.
Does the Chamber support those changes that were
incorporated in response to the Chamber's concerns?
Mr. Ridge. Well, I think you have incorporated several
changes, Senator Collins, and I cannot speak directly, but I
believe that is one of them. And I think it also goes to the
point, however, that some of that oversight is being done
within the existing process and protocol, and with the dramatic
potential changes in information sharing, it is a system that
One of the questions I had when I listened to the chorus of
people who support the bill, I just wondered if the Secretary
of Defense believes that the Defense Industrial Base likes the
cyber model of information sharing that was announced by the
Department of Defense in June 2011 or they would prefer to be
regulated. I think there are some unanswered questions here.
But I think the point that I want to be very strong about,
Senator Collins, is that you have heard some of the concerns,
and we are grateful for that.
Senator Collins. Well, that is my point as we, frankly,
have bent over backwards to try to listen to legitimate
concerns without weakening the bill to the point where it can
no longer accomplish the goal.
Another important provision of the bill is that the owners
of critical infrastructure, not the government, not DHS, would
select and implement the cybersecurity measures that they
determine are best suited to satisfy the risk-based performance
requirements. Does the Chamber support having the owners of the
infrastructure decide rather than government mandating specific
Mr. Ridge. Well, I think, again, if I recall and interpret
your legislation correctly, the Chamber likes the notion and
embraces the notion that the Sector-Specific Agencies, the
respective departments and agencies who have the Sector
Coordinating Councils, have been working on identifying
critical infrastructure and sharing the kind of information
that we think is necessary to not immunize us completely
because the technology and the hacking procedures are going to
change, but to dramatically reduce the risk. In fact, it is in
everybody's interest, particularly the owners, to move as
quickly as possible.
The logic that has been applied to relieving, I guess,
Cisco, Microsoft, and others so they can move adroitly and
respond to the risk seems to me would be pretty decent logic to
apply to everybody else in the economy as well who do not want
to be burdened by a series of regulations or prescriptive
Senator Collins. Well, since the private sector under our
bill is specifically involved in creating the standards, I do
not see how that produces burdensome standards since the
Secretary has to choose from the standards that the private
sector develops. Again, another change that we strengthened in
Another question that I would have for you, I assume that
the Chamber supports the liability protections that are
included in this bill, so that if a company abides by the
performance standards and there is an attack anyway, the
company is immune from punitive damages.
Mr. Ridge. Well, they have not tapped me on the shoulder,
but I presume they do.
Senator Collins. Well, in back of you a young woman is
Mr. Ridge. I presume they do. If I were the Chamber, I
would certainly encourage them to embrace that wholeheartedly.
Senator Collins. Well, my time has expired, but my point is
that there are many provisions in this bill that we changed in
direct response to input from the Chamber, and I would like the
Chamber to acknowledge that.
There is one final point that I want to make. When you were
talking about that CEOs are invested in cybersecurity because
of the impact on their customers and their clients, and so it
is in their own self-interest, I cannot tell you how many chief
information officers (CIOs) with whom I have talked who have
told me, ``If only I could get the attention of the CEO on
cybersecurity. We are not investing enough, we are not
protecting our systems enough, and it is just not a priority
for the CEO.''
So I would suggest to you to talk to some CIOs because I
think you would get a totally different picture.
Mr. Ridge. Well, I appreciate that, Senator Collins. You
know, I am familiar with quite a few major companies in America
and what they are doing with regard to cyber, and my experience
is 180 from yours. I realize that there are probably some
people out there--I do not imagine too many organizations--and
anybody in an organization would like a little bit more money
to enhance their capability to safeguard or to manage the risk.
But I will take you at your word that there may be some CIOs
who feel very strongly and have reflected that in their
statements to you.
I think at the end of the day, though, I think you have
made a valuable contribution. You have listened to the Chamber.
We applaud those things we agree with, and we are just going to
respectfully disagree that you are going down the path very
similar to what we are concerned about, a prescriptive regimen.
I notice some of the literature talks about a light touch, but
a light touch can turn into a stranglehold if it goes too far
down the process. And if you take a look at the Chemical
Facility Anti-Terrorism Standards, what was to be a light touch
may become very prescriptive, because once the legislation was
passed, there were Members of Congress, your colleagues, who
said, well, that is not enough and we may need very specific
technology and we need very specific regulations.
So, again, it is that slippery slope that I think they are
most concerned about, and I very much appreciate you giving me
a chance to articulate it before the Committee.
Senator Collins. Thank you, Mr. Chairman.
Chairman Lieberman. Thanks, Senator Collins.
I have no further questions, Secretary. Thanks for being
here. We are glad to liberate you to catch the next plane.
Mr. Ridge. Well, you are very kind. I thank you. It has
been my great pleasure, and as I said before, I look forward to
future opportunities, in the ``what it is worth'' department,
to share my thoughts with this Committee. I thank my friends.
Chairman Lieberman. We do, too.
Mr. Ridge. Senator Akaka, best wishes to you, sir. Thank
Chairman Lieberman. Thank you.
Stewart Baker is our next witness, currently a partner in
the law firm of Steptoe and Johnson, former General Counsel for
the much mentioned today NSA from 1992 to 1994 and Assistant
Secretary at DHS from 2005 to 2009 during which time we
benefited greatly from your counsel and service. Thanks for
being here, and we would welcome your testimony now.
TESTIMONY OF HON. STEWART A. BAKER,\1\ PARTNER, STEPTOE AND
Mr. Baker. It is a great pleasure. Thank you, Chairman
Lieberman, Senator Collins, and Senator Akaka. It is a
nostalgic moment to come back here, and I want to congratulate
you on your achievement in moving this bill in a comprehensive
form as far as it has gone. It is a very valuable contribution
to our security.
\1\ The prepared statement of Mr. Baker appears in the Appendix on
I just have two points, but before I do that, I thought I
would address the Stop Online Piracy Act analogy, the idea that
this is like SOPA and the Internet will rise up to strike it
I am proud to say, if I can channel Senator Lloyd Bentsen
for a minute, I knew SOPA, I fought SOPA, and, Mr. Chairman,
this bill is no SOPA. [Laughter.]
Chairman Lieberman. Hear, hear.
Mr. Baker. In fact, I opposed SOPA for the same reason that
I support this bill. As a Nation, as a legislature, our first
obligation is to protect the security of this country. SOPA
would have made us less secure, to serve the interests of
Hollywood. This bill will make us more secure, and that is why
I support it.
Just two points on why I believe that. We know today the
most sophisticated security companies in the country have been
unable to protect their most important secrets. This shows us
how deep the security problem runs. We also know from direct
experience, things that I saw when I was at DHS and that have
emerged since, that once you penetrate a network, you can break
it in ways that leave behind permanent damage. You can break
industrial control systems on which refineries, pipelines, the
power grid, water, and sewage all depend. And we have had a lot
of analogies today about how this is like September 10, 2001.
If you want to know what it would be like to live through an
event where someone launches an attack like this, the best
analogy is New Orleans, the day after Hurricane Katrina hit.
You would have no power; you would have no communications. But
you also would not have had the warning and the evacuation of
most of the city's population, and you would not have the
National Guard in some safe place, ready to relieve the
suffering. It could, indeed, be a real disaster, and we have to
do something to protect against that possibility. That is not
something the private sector can do on its own. They are not
built to stand up to the militaries of half a dozen countries,
and that is why it is important for there to be a government
I do think that with this bill--in contrast to the views of
the Chamber--you may have gone a little far in accommodating
them, and I will just address one point that I think is
particularly of concern.
I fully support the idea that there should be a set of
performance requirements driven by the private sector,
implemented by the private sector, and with private sector
flexibility to meet them as they wish. But the process of
getting to that and then getting enforcement is time-consuming.
It could take 8 years; it could take 10 years if there is
resistance from industry or a particular sector. And it may be
worth it to take that time to get standards that really are
something that the private sector buys into and is willing to
live with. But I think we have to recognize that in the next 8
to 10 years we could have an attack. We could have an incident.
We could have some very serious trouble or a threat that
requires that we move faster than that statutory framework
And so I would suggest that if there is one change that I
would make to this bill, it is to put in a provision that says
that in an emergency, where there really is an immediate threat
to life and limb, the Secretary has the ability to compress all
of the time frames and to move quickly from stage to stage so
that if we only have a week to get the grid protected, she is
in a position to tell the power companies, ``You will be here
on Tuesday and bring your best practices because by Friday you
are going to have to start implementing them because we know
there is an attack coming this week.'' That is something that
we need to be able to do and to have the flexibility to do.
Chairman Lieberman. Very helpful. Thank you very much. We
will talk more about that.
Dr. Jim Lewis, thanks for being here. He is Director and
Senior Fellow of the Technology and Public Policy Program at
the Center for Strategic and International Studies. Dr. Lewis
was also the Director of the CSIS Commission on Cybersecurity,
which began its work in 2008. Thanks so much. Please proceed.
TESTIMONY OF JAMES A. LEWIS, PH.D.,\1\ DIRECTOR AND SENIOR
FELLOW, TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR
STRATEGIC AND INTERNATIONAL STUDIES
Mr. Lewis. Thank you, Senators, for giving me the
opportunity to testify. You know, when we hear that getting
incentives right and letting the private sector lead or sharing
more information will secure the Nation, remember that we have
spent the last 15 years repeatedly proving that this does not
work, and from an attacker's perspective, America is a big,
\1\ The prepared statement of Mr. Lewis appears in the Appendix on
Some people say the threat is exaggerated. This is really
unfortunate. You have talked about the parallels with September
11, 2001. But in some ways we are on a path to repeat the
September 11 error if we do not take action in the very near
The threat is real and growing. Military and intelligence
services with advanced cyber capabilities can penetrate any
corporate network with ease. Cyber criminals and government-
sponsored hackers routinely penetrate corporate networks. And
new attackers, ranging from Iran and North Korea to a host of
anti-government groups, are steadily increasing their skills.
The intersection of greatest risk and weakest authority is
critical infrastructure. National security requires holding
critical infrastructure to a higher standard than the market
This bill has many useful sections on education, research,
securing government networks, and international cooperation,
and they all deserve support. But the main event is regulating
critical infrastructure for better cybersecurity. Without this,
everything else is an ornament, and America will remain
vulnerable. Low-hanging fruit will not make us safer, and one
way to think about this is if you took the section on critical
infrastructure regulation out of this bill, it would be like a
car without an engine. So I look forward to what we will see
There are all sorts of objections to moving ahead. We heard
that innovation could be damaged, but well-designed regulation
will actually increase innovation. Companies will innovate at
making safer products. We have this with Federal regulation of
cars, airplanes, even as far back as steamboats. Regulation can
Everyone agrees that we want to avoid burdensome regulation
and focus new authorities on truly critical systems. The bill
as drafted takes a minimalist and innovative approach to
regulation based on commercial practices, so I appreciate the
effort that has gone into that.
Many in Congress recognize the need for legislation, and
this Committee, the Senate, and others in the House deserve our
thanks for taking up this task. But the battle has shifted.
People will try to dilute legislation. They will try to put
forward slogans instead of solutions, and they will write in
loopholes. The goal should be to strengthen not to dilute, and
so two problems need attention.
The first is the threshold for designating controlled
critical infrastructure. Cyber attacks in the next few years
are most likely to be targeted and precise. They probably will
not cause mass casualties or catastrophic disruption. If we set
the threshold too high, it is simply telling our attackers what
they should hit. So we need to very carefully limit the scope
of this regulation, but I fear that we may have gone a bit too
The second is the carve-out for commercial information
technology, and others have raised this. It makes sense that
industry does not want government telling them how to make
their products. That is perfectly reasonable. But a blanket
exemption on services, maintenance, installation, and repair
would, first, undo central work started by the Bush
Administration; and, second, leave America open for a Stuxnet-
like attack. So these parts of the bill should really be
removed, and in particular, I would call your attention to
paragraph (A) and (B) of Section 104(b)(2).
In any important legislation, there is a delicate balance
between protecting the Nation and minimizing the burdens on our
economy. This bill, with some strengthening, I think can
achieve that balance and best serve the national interest. The
alternative is to wait for the inevitable attack. My motto for
2012 in cybersecurity is, ``Brace for impact.''
I thank the Committee and will be happy to take any
Chairman Lieberman. Thank you, Dr. Lewis. Your voice is an
important one to listen to, and we will, we do.
Scott Charney is our last witness today. He is the
Corporate Vice President of the Trustworthy Computing Group--
that is a good job--at Microsoft Corporation. Thanks for being
TESTIMONY OF SCOTT CHARNEY,\1\ CORPORATE VICE PRESIDENT,
TRUSTWORTHY COMPUTING GROUP, MICROSOFT CORPORATION
Mr. Charney. Chairman Lieberman, Senator Akaka, thank you
for the opportunity to appear at this important hearing on
cybersecurity. In addition to my role as Corporate Vice
President for Trustworthy Computing, I serve on the President's
National Security Telecommunications Advisory Committee and was
Co-chair of the CSIS Commission on Cybersecurity for the 44th
\1\ The prepared statement of Mr. Charney appears in the Appendix
on page 99.
Microsoft has a long history of focusing on cybersecurity.
In 2002, Bill Gates launched our Trustworthy Computing
Initiative. As we celebrate the 10th anniversary of that
effort, we are proud of both our progress and conscious of how
much work remains to be done. While IT companies are providing
better cybersecurity, the world is increasingly reliant on
cyber-based systems, and those attacking such systems have
increased in both number and sophistication. Cyber attacks
represent one of the more significant and complex threats
facing our Nation.
With that in mind, I commend the Chairman, the Ranking
Member, this Committee, and Members of the Senate for your
continuing commitment to addressing cybersecurity. We
appreciate your leadership in developing the legislation that
was introduced earlier this week. Over the past few years, you
have helped focus national attention on this urgent problem,
offered constructive proposals, and conducted an open and
transparent process to solicit the views of interested private
Microsoft believes the current legislative proposal
provides an appropriate framework to improve the security of
government and critical infrastructure systems and establishes
an appropriate security baseline to address current threats.
Furthermore, the framework is flexible enough to permit future
improvements to security, an important point since security
threats evolve over time.
While the Internet has created unprecedented opportunities
for social and commercial interaction, it has also created
unprecedented opportunities for those bent on attacking IT
systems. Securing IT systems remains challenging, and it is
important that legislative efforts designed to improve computer
security meet three important requirements:
First, legislation must embrace sound risk management
principles and recognize that the private sector is best
positioned to protect private sector assets. Second, the
legislation must enable effective information sharing among
government and industry members. Third, any legislation must
take into account the realities of today's global IT
environment. I will discuss each of these important issues in
First, sound risk management principles require that
security efforts be directed where the risk is greatest and
that those responsible for protecting systems have the
flexibility to respond to ever changing threats. To ensure that
this happens, it is important that the definition of critical
infrastructure be scoped appropriately and that the owner of an
IT system ultimately be responsible for developing and
implementing security measures. We believe that the current
legislation, which allows the government to define outcomes but
allows the private sector owner of a critical system or asset
to select and implement particular measures, is the right
Second, successful risk management depends on effective
information sharing. For too long, people have cited
information sharing as a ``goal'' when, in fact, it is a tool.
The goal should not be to share all information with all
parties, but rather the right information with the right
parties, that is, parties who are positioned to take meaningful
action. We appreciate that this legislation attempts to remove
barriers to information sharing by specifically authorizing
certain disclosures and protecting the information shared.
Finally, as a global business, we are very cognizant of the
fact that countries around the world are grappling with similar
cybersecurity challenges and implementing their own
cybersecurity strategies. We believe that actions taken by the
U.S. Government may have ramifications beyond our borders, and
it is important that the United States lead by example,
adopting policies that are technology neutral and do not stifle
innovation. It must also promote cyber norms through
international discussions with other governments.
Unlike some traditional international efforts where
government-to-government discussions may suffice to achieve
desired outcomes, it must be remembered that the private sector
is designing, deploying, and maintaining most of our critical
infrastructures. As such, the United States needs to ensure
that the owners, operators, and vendors that make cyberspace
possible are part of any international discussions.
I would note in closing that security remains a journey,
not a destination. In leading our Trustworthy Computing effort
over the last 10 years, I have witnessed the continual
evolution of Microsoft's own security strategies. Technologies
advance, threats change, hackers grow stronger, but defenders
grow wiser and more agile. The Committee's legislation, which
focuses on outcomes and ensures meaningful input by the private
sector, represents an important step forward. Microsoft is
committed to working with Congress and the Administration to
help ensure this legislation meets these important objectives
while minimizing unintended consequences.
Thank you for the leadership that you have shown in
developing this legislation under consideration today and for
the opportunity to testify. I look forward to your questions.
Chairman Lieberman. Thanks very much to you, too, Mr.
Let me ask all three of you a threshold question, no pun
intended. As you can hear from some of the testimony and some
of the questions from Committee Members, there is a question
still about whether regulation is necessary here--I am using a
pejorative term. Let me just say government involvement here is
necessary. And at its purest, this argument is that obviously
the private sector that owns and operates cyber infrastructure
has its own set of incentives to protect itself. Why do we need
the government to be involved? Mr. Baker, do you want to start?
Mr. Baker. Sure. It seems to me that, fundamentally, the
private sector and each private company has an incentive to
spend about as much on security as is necessary to protect
their revenue streams, to prevent criminals from stealing
things from them and the like. It is much less likely that they
are going to spend money to protect against disasters that
might fall on someone else, on their customers down the road,
that are unpredictable. And so there are certain kinds of
harms, especially if you are in a business where it is hard for
people to steal money from you but it is easy for them to
change your code in a way that could later be disastrous for
consumers. That is a situation businesses will view as
something that they are not ever going to get a higher payment
for addressing when they sell their products and, therefore,
not something that they would want to spend a lot of money on.
So it does seem to me that there are a lot of externalities
here that require the government to be involved in addition to
the problem that if you are the Baltimore Gas and Electric
company, for example, you really do not know how to deal with
an attack launched by Russian intelligence.
Chairman Lieberman. Right. Dr. Lewis.
Mr. Lewis. Thank you. Sometimes I call them ``mandatory
standards,'' and that is nicer than ``regulation,'' but I
wanted to say ``regulation'' this time because we have to put
it out on the table.
Chairman Lieberman. Right.
Mr. Lewis. We got the incentives wrong in 1998, the first
time we thought about protecting critical infrastructure. We
thought that if you tell them about the threat, get them
together, share a little information, and they will do the
right thing. And as you have heard, the return on investment is
such that companies will spend up to a certain level. It is not
even clear that all of them do that, by the way, but they will
not spend enough to protect the Nation.
So we are stuck with a classic case of a public good,
national defense regulation is essential, and if we do not
regulate, we will fail.
Chairman Lieberman. Let me just follow up. You made a
statement in your opening remarks--I am going to paraphrase
it--which is that a hostile party, a nation state, or
intelligence agency could penetrate any entity's cyberspace in
this country if they wanted. Did I hear you right?
Mr. Lewis. You did. The full answer is complicated, so I
will be happy to provide it to you in writing. But when you
think of the high-end opponents who can use a multitude of
tactics, including tapping your phone line, including hiring
agents or corrupting employees, these are very hard people to
stop. And the assumption that is probably safest to make from a
defensive point of view is that all networks have been
Chairman Lieberman. Mr. Charney.
Mr. Charney. I would say two things. First, I would echo
what Mr. Baker said. I think market forces are actually doing a
very good job of providing security. The challenge is market
forces are not designed to respond to national security
threats. You cannot make a market case for the Cold War. And so
you really have to think about what will the market give us?
What does national security require? And how do you fill the
delta between those gaps?
The second thing I would say about looking at regulating
critical infrastructure, is in my 10 years at Microsoft, I have
found as we have struggled with cybersecurity strategies, we
really live in one of three states of play. Sometimes we do not
know what to do, and you have to figure out a strategy.
Sometimes you know what to do, but you are not executing very
well, in which case you need to go execute better. Sometimes we
know what to do and we execute well, but we do not execute at
I think there are some companies that do a very good job of
protecting critical infrastructure today. Are we doing it at
enough scale to really manage the risk that the country faces?
And I do not think we are today, and that is why in our report
of the CSIS Commission and in my testimony we are supportive of
the framework that has been articulated in the legislation.
Chairman Lieberman. I appreciate that. Assuming the
statistics are accurate or close to accurate about the
frequency of intrusion into cyberspace owned and operated in
the private sector, then that makes it self-evident that there
is not enough being done to protect from that.
Dr. Lewis, let me ask you something. You offered a friendly
criticism of the bill just before, which is that our definition
of ``covered critical infrastructure'' is too narrow, too high.
We are limiting it too much. Give me an idea about how you
might broaden it if you were drafting the legislation.
Mr. Lewis. I think we are talking about relatively simple
amendments to the language, Mr. Chairman. I would look at some
of the thresholds you have put in: Mass casualties. What is a
mass casualty event? For those of us coming out of the Cold
War, that was a very high threshold. Economic disruption on a
catastrophic scale--it is not clear to me that Hurricane
Katrina, for example, would be caught by that definition. So I
think it is more an issue of clarifying, more an issue of
making sure that the smaller attacks that we are more likely to
see in the near future are caught by this threshold and we are
not just looking for the big bang.
Chairman Lieberman. Thanks. My time is up. Senator Akaka,
thank you for being here.
OPENING STATEMENT OF SENATOR AKAKA
Senator Akaka. Thank you very much, Mr. Chairman, for
holding this hearing. I applaud your tenacity and that of
Senators Collins, Rockefeller, and Feinstein in pursuing the
comprehensive cybersecurity legislation we are considering
today. I also want to thank you and the Administration for
incorporating my suggestions to the cyber workforce provisions
of the bill. Employees of the Department of Homeland Security
are on the front lines of countering the cyber threat, and we
must make sure the Department has the appropriate tools to
attract and retain the workforce it needs to meet these complex
Stakeholders have raised concerns about the privacy and
civil liberties implications of certain provisions of this
bill. I want to commend the bill's authors for making progress
in addressing these concerns. It is important for the final
product to adequately protect Americans' reasonable expectation
of privacy, and I will continue to closely monitor this issue.
FBI Director Robert Mueller's recent statement that the
danger of cyber attacks will equal or surpass the danger of
terrorism in the foreseeable future is a stark reminder that
strengthening cybersecurity must be a key priority for this
Congress. Cyber criminals and terrorists are targeting our
critical infrastructure, including our electricity grids,
financial markets, and transportation networks, and these have
been mentioned by the panelists. American businesses face
constant cyber attacks that seek to steal their intellectual
property and trade secrets. However, cybersecurity policy has
been slow to adjust to these ever increasing and sophisticated
The Cybersecurity Act of 2012 will give the Federal
Government and the private sector the tools necessary to
respond to these troubling threats, I feel. Finalizing this
important legislation is a pressing priority for this Congress,
and I look forward to working with you on this.
As you know, the bill contains new hiring and pay
authorities to bolster the Federal civilian cybersecurity
workforce. It also has provisions to educate and train the next
generation of Federal cybersecurity professionals. I would like
to hear your views on the challenges of recruiting and
retaining cybersecurity professionals, the provisions in this
bill, and any other recommendations you may have to address
these growing workforce challenges. Mr. Baker.
Mr. Baker. If I might, I would like to just defer to Mr.
Charney, who really has more expertise and experience in this
field, and if there is anything else, I will add to it after.
Senator Akaka. Fine. Mr. Charney.
Mr. Charney. It is very challenging to find well-trained
cybersecurity professionals even in the private sector. This
technology has just proliferated far faster than educational
institutions could educate people to manage IT security and
manage the security.
As a result of that, Microsoft has actually committed
considerable resources, supporting programs like science,
technology, engineering, and mathematics (STEM) education, or
Elevate America where we provided over a million vouchers for
entry-level and more advanced computer basic skills. But it is
a big challenge, and if it is a big challenge for the private
sector, you can imagine that it would also be a large challenge
for the public sector as they do not have the same pay scale
that I have available to me.
So this is a big challenge. It is a challenge in both
education and in proficiency of the workforce. And, in fact,
the CSIS Commission issued a report on the challenges of
getting an educated, cyber-educated workforce.
Mr. Baker. And I would just add to that, indeed, that DHS
has had particular difficulty in attracting people and working
through their personnel hiring procedures. Anything that makes
that smoother and more responsive to the market is useful.
But finally, and most importantly, for every student who is
watching this wondering what he is going to do when he
graduates from college, these jobs are waiting for you. You owe
it to your country and you owe it to yourself to pursue these
Senator Akaka. Thank you. Mr. Lewis.
Mr. Lewis. Senator, 2 years ago, at the end of July, CSIS
had an event here on the Hill, on education for cybersecurity,
and I was kicking myself because I thought no one is going to
be here on July 29. It is just stupid. And so I told them,
``Cut back on the food. We do not need it.'' And we had
standing room only. They had to put chairs in the hall. People
love this topic, but there are a couple of issues to think
On the government side, we need to have a clearer career
path for people to get promoted up.
On the private sector side, the education that we get now
needs to be refined and focused. A degree in computer science
may not give you the skills. In fact, it probably will not give
you the skills for cybersecurity. And so some of the provisions
in the bill such as the cyber challenge, and other programs,
tap into this real enthusiasm among teenagers and among college
students to get into this new field. And I think this is one of
the stronger parts. Again, doing the education piece is
important, but it will not protect us in the next few years,
which is why we need the other parts of the bill as well.
Senator Akaka. Thank you very much, panel. My time has
expired, Mr. Chairman.
Chairman Lieberman. Thanks, Senator Akaka, and thanks very
much for the contribution you made to the bill, as indicated by
your questioning, on the cyber workforce. That was very
Senator Collins. Thank you, Mr. Chairman. The hour is late,
but I just want to thank our witnesses for their excellent
testimony. Hearing some of our witnesses on this panel raise
some legitimate questions about whether we have gone too far in
trying to accommodate concerns raised by the Chamber and other
groups makes me think that maybe we have gotten it just right
since the Chamber is still not happy and you believe we have
gone too far.
But in all seriousness, your expertise has been extremely
helpful, as has the input that we have had from Microsoft, from
the Chamber, from the tech industry, and from experts and
academics. We really have consulted very widely, and it has
been very helpful to us as we try to strike the right balance.
This is an enormously important but complicated, complex
issue for us to tackle, but tackle it we must. And that is
something that I believe unites all of the witnesses from whom
we have heard today.
Whether we consider this to be a response to a 9/11-like
attack or a Hurricane Katrina, I just do not want us to be here
after a major cyber incident saying, ``If only, and how could
we have ignored all these warnings, all these commissions, all
of these studies, all of these experts?'' I cannot think of
another area in homeland security where the threat is greater
and we have done less.
There is a huge gap. Whether we got it exactly right on
chemical plant security, port security, or reform of the
Federal Emergency Management Agency, at least we acted and we
have made a difference in each of those areas. They are not
perfect, but we have acted and we have made a difference. And
in intelligence reform, I think we have made a big difference.
But here we have a vulnerability, a threat that is not
theoretical. It is happening each and every day, and yet we
have seen today by the comments of some of our colleagues this
is going to be a very difficult job to get this bill through. I
am confident that we can do it, however, and that in the end we
And, finally, I do want to say to our colleagues, to those
who are listening, to those in the audience, that we need your
help. If you have other good ideas for us, by all means bring
them forward. Help us get the best possible bill. But for
anyone to stand in the way and cause us to fail to act at all
to pass legislation this year I think would just be a travesty.
It would be a disaster waiting to happen for our country.
So, Mr. Chairman, I would just encourage you to press
forward, and I will be at your side, your partner, all along
the way. We have done it before against great odds.
Chairman Lieberman. And we will do it again. Hear, hear.
Thank you. That meant a lot to me, and it is just expressive
and characteristic of your independence of spirit and your
commitment to do what you think is right for our national
We are going to press forward, and the Majority Leader,
Senator Reid, I am confident is going to press forward, too. As
I mentioned earlier, he had a couple of briefings on this
problem of cybersecurity last year, and it really troubled him.
He feels that there is a clear and present danger to our
national security and our economic prosperity from cyber
attack. That is why he has devoted a lot of time to trying to
get us to this point that we have reached this week to have at
least a foundational consensus bill and why I am confident he
is going to bring this to the floor with the authority he has
as Majority Leader. I am optimistic that may well be in the
next work period, which is when we come back at the end of
February and into March.
The three of you have added immensely to our work here. I
do want to continue to work--I do not want to ask a question
because Senator Collins has brought this to such a wonderful
ending point, but I do want to, over time as we take the bill
to the floor, invite you--particularly Mr. Baker and Dr. Lewis,
who have expressed concerns about the so-called carve-out.
People in the Administration still think that with the
authority that we have left in there, the language will allow
the government to develop performance standards that will
require owners of systems to protect those systems even if they
might include some commercial products. But we hear your
concerns, and we invite you to submit thoughts to us as to how
to do this better, and we promise we will consider those
Any last words from any of the three of you?
Chairman Lieberman. Thanks very much for all you have
contributed. I thank Senator Collins again. It is true, we get
very stubborn, the two of us, when we think something is really
right and necessary. So we are going to plow forward.
The record of this hearing will be held open for 10 days
for any additional questions or statements for the record. I
thank you again very much.
With that, the hearing is adjourned.
[Whereupon, at 5:20 p.m., the Committee was adjourned.]
A P P E N D I X