Chairman Rockefeller Keynotes Cybersecurity Forum

Urges Public-Private Collaboration to Address Growing Cyber Threat

April 29, 2010

WASHINGTON, D.C. — Today, Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, spoke about our country’s vulnerability to a cyber attack and the need for increased security measures at the Business Software Alliance’s 2010 Cybersecurity Forum.

Senator Rockefeller has been a leader in the Senate on increased security for all Americans using the Internet and introduced comprehensive cybersecurity legislation – the Rockefeller-Snowe Cybersecurity Act – last year.

The Business Software Alliance’s mission is to promote conditions in which the information technology (IT) industry can thrive and contribute to the prosperity, security, and quality of life of all people.  It is the largest and most international IT industry group, with policy, legal and/or educational programs in 80 countries.

Below are Rockefeller’s remarks as prepared for delivery:

Good afternoon. I want to thank the Business Software Alliance for inviting me here today and making this event possible. I also want to start by noting that one of the major themes of your conference is “Shared Responsibility.” This is important because shared responsibility is one of the cornerstones of the Rockefeller-Snowe Cybersecurity Act. I sincerely appreciate the BSA’s engagement as Senator Snowe and I have drafted and refined our legislation. Your input has made a good bill even better. Not only do we have a shared responsibility, your participation and input are important to the process.

However, there is still much to do as we work with our colleagues on the Homeland Security Committee, and other committees, to complete a package that will pass the Senate and the House. So I ask you to continue giving us your best ideas and proposals in the weeks and months ahead.

As a member and former chairman of the Intelligence Committee, and now current chairman of the Commerce Committee, I work at the legislative crossroads between our national security and economic security. From that vantage point, I can tell you just how grave our situation is. The information networks that Americans and American businesses rely on every day are under attack. You know this very well.

For hundreds of years, the United States and other countries have protected their citizens with armies and security forces. Within the country’s geographic borders, sovereign governments have been solely responsible for keeping their citizens safe. Today, however, we're transitioning into a new era. National borders and traditional notions of security don't always apply to 21st century threats, such as terrorism or WMD proliferation networks. Particularly in the cyber realm, the idea that the government alone can protect our citizens' security within clear national borders is dangerously outdated.

To secure our country from cyber attacks, we must have shared responsibility between the government and the private sector. Sophisticated cyber actors and organizations can launch global attacks from laptops in remote provinces of foreign lands – and do it anonymously, leaving little or no trace. They can steal our business innovations, our intellectual property, our national security secrets, and they can disrupt and disable our critical infrastructure, like power grids, financial networks, and air traffic control systems.

These attacks threaten our government and our largest companies, but also countless small businesses and families in cities and towns across the country, just trying to stay ahead and protect themselves. As our economy continues to struggle, it has become more clear than ever that economic security is national security. The two are inseparable and we must confront them as one. 

I invited Former Director of National Intelligence Mike McConnell to testify at a hearing earlier this year. Here’s what he said: “If the nation went to war today in a cyberwar, we would lose. We're the most vulnerable. We're the most connected. We have the most to lose.”

These are the stakes. This is why I am so concerned. And this is why we must act now.

I know you share my concerns. Today, I ask you to act on those concerns – on behalf of your companies, and also on behalf of your country. We need you to step up and lead. Let me be very clear: when it comes to cybersecurity, the familiar “Regulation versus Leave-it-to-the-Market” debate that always dominates discussions between the government and the private sector is a dangerous false choice. The government cannot do this on its own and neither can the private sector. This has been demonstrated and proven.

We will only succeed together. But in order to do so, our efforts require an altogether new way of thinking about national security, where information and innovation are the key defenses.

We all recognize that traditional regulation will not work because a bureaucracy simply cannot keep up with the necessary pace of innovation. Likewise, it should be clear that leaving our security solely to the market is a failing strategy. Neither approach can combat the threats we face alone. Senator Snowe and I are trying to build a new 21st century model, and we want the private sector – that is you and your companies – to take a lead in securing our country and its businesses. 

Now there are some who point to the fact that the most catastrophic scenarios have yet to unfold. They view that as “evidence” that the cyber threat has been contained or isn’t as serious as we fear. They are wrong. Others claim that any organization serious about protecting itself will take the steps it needs on its own to protect its business and its customers. They are wrong. 

Indeed, we’ve heard the reassurances and seen the best efforts of many in the private sector working to secure their networks, but we’ve seen that even the largest and most sophisticated companies are not immune from these attacks. And so now is the time to give the private sector the tools it needs to collaborate with the government to address this monumental challenge.

Last year, we introduced the Rockefeller-Snowe Cybersecurity Act, comprehensive legislation to address our nation’s vulnerability to cyber crime, global cyber espionage, and cyber attacks. It laid out concrete steps we can take to modernize the relationship between the government and the private sector to successfully meet the challenges of cybersecurity. That was a first draft and a work in progress. I know some of you had concerns about some of the language included in the bill. We listened to those concerns. It was important to me that you were part of the process. So we reworked the bill.

This March, we introduced our latest draft and later marked it up in committee. It was the culmination of a year’s worth of consultation and input from experts in the private sector, government and the civil liberties community. I am proud of how far we have come, but we need to move forward. I am consulting with my leadership about where there might be an opening.

So what does the bill do?

The bill calls for developing a cybersecurity strategy and identifying the key roles and responsibilities of all the players, private and public, who will respond in a time of crisis. That starts with a Senate-confirmed National Cybersecurity Advisor who will answer directly to the President, coordinate the government’s cybersecurity efforts, and collaborate with the private sector. In particular, our bill provides for unprecedented information-sharing between the private sector and the government regarding threats and vulnerabilities, including access to classified threat information for cleared private sector executives. We also require detailed emergency response planning and rehearsals to clarify the roles, responsibilities and authorities in an emergency.

Early versions of this provision drew concerns of sweeping new powers for the government to take over the Internet. Nothing could be further from the truth. We have worked closely with you and other stakeholders to refine the language. In case there is any remaining confusion, let me be clear: this bill does not create any new emergency powers for the President or anyone else in government. It simply requires all key players to get together ahead of a crisis and prepare. If we have a cyber-Katrina or a cyber-9/11, we want quick effective action – not bureaucratic confusion.

The bill also creates a dynamic cycle of market-driven innovation in professional training and cybersecurity products and services. Companies that excel will be recognized for their excellence, and companies that fall short will implement a remediation plan driven by the market and facilitated by the government. I know some groups have had concerns about these proposals. But here’s the truth: the government will not be choosing winners and losers, nor will it be laying down arbitrary standards from on high. 

Instead, we want to empower the private sector, to develop the standards of excellence that best suit your business or sector. Once you set those standards, we will hold you to them. That’s not regulation; it’s a 21st century imperative – both for markets and for national security.

Some have criticized our proposed independent audit process as inflexible and burdensome. And yes, we do recognize that “compliance” is not always the same thing as security, and that audits can be costly and time-consuming. However, I think we can all agree that effective cybersecurity simply is not possible without a reliable mechanism to evaluate performance. We have yet to be presented with a viable alternative. So, we have built on the audit-based framework already used by many in the private sector. We expect that if the private sector takes the lead as laid out in our bill, the standards and certification will be flexible and dynamic, not bureaucratic and burdensome. 

For those who are still unhappy with our proposal, I welcome your ideas and alternatives. You must know genuine accountability is non-negotiable – and for the system to work, any standards must be credible. 

In closing, I want to say, there is just too much at stake for us to pretend that today’s outdated cybersecurity policies are up to the task of protecting our nation and our economy. Our system must improve. Our security, both national and economic, depends on it. We cannot wait for a crisis to occur. If we were to drag our feet and, God forbid, a terrible disaster took place, I fear the public’s impulse and the government’s response might be to impose tough, unbending solutions. We can do far better by acting now, and by acting together.

I know the American people and the American economy will be far safer and far more prepared if we all come together – public and private – to work in unison to build a new, strong cybersecurity partnership for the 21st century.

That is what shared responsibility is all about.