THE URGENT NEED TO PASS CYBERSECURITY LEGISLATION

Prepared Floor Statement – Senator John D. (Jay) Rockefeller IV, Chairman 

WASHINGTON, D.C.—Mr. President.  For those of us living long enough, we have seen a historic transition happen before our very eyes.  Over the course of the past two decades, we entered a new age.  The information superhighway that we dreamed of twenty years ago is here.  And it has changed the world.  Today, as we debate, over 200 billion e-mails will be sent around the world to every continent.  Google—a company that was created just over a decade ago—will process over a billion searches and stream more than two billion videos today.  And in the next minute, about 36,000 tweets will be posted on Twitter.  We are now connected in ways that only a few short years ago was considered science fiction.  The breadth and impact of the Internet cannot be overstated.

Here in the United States, we have been a leader in both its development and adoption.  The initial structure that created the Internet stems from investments and advancements made by our own government.  And the open nature of the Internet can be traced back to our initial decision to relinquish control of it.  To this day, our nation remains a leader in using the Internet for innovation and growth.  In just over a decade, we have digitized and networked our entire economy and our way of life.

The opportunities brought about by this process are well-known.  We are now more efficient than ever.  Almost anything we need—from information and entertainment to banking and social media—is only a keystroke away.  And every one of our most critical systems now rely upon interconnected networks, whether it is our electric grid, our various transportation systems, the gas pipelines that crisscross our country, or the telecommunications systems that we use to communicate with one another.  They all rely upon networks to function.

Yet, the ramifications of this new era remain poorly understood by many, if not most.  History teaches us that disruptive technological advancements bring about both opportunities and dangers.  We cannot let our exuberance blind us from this simple truth.  We cannot ignore the part of the equation that is unpleasant.  And this is it: These technological advancements can compromise our national security.  

The connectivity brought about by the Internet and the new ability to access anything, combined with our decision as a country to put everything we hold dear on the Internet, means that we are now vulnerable in ways that were unfathomable just a few short years ago.  In our rush to digitize and connect every aspect of the American economy and way of life, we have spent little time focusing on what this means to our security.  And we have left ourselves extraordinarily vulnerable.  The consequences could be devastating.

Our intellectual property, perhaps our greatest asset as a nation, is currently being pilfered and stolen because it is connected to the Internet and is unsecure.  Experts have called this thievery the greatest transfer of wealth in the history of the world. Our most important personal information, including our credit card numbers and our financial data, is now accessible via the Internet and is stolen through data breaches that occur all too often.  And most importantly, our critical infrastructure, from water facilities and gas pipelines to our electric grid and communications networks, are now vulnerable to cyber attacks.  Many of these systems were designed before the Internet and were never intended to be connected to a network.  Yet, many are now accessible and unsecure.

If these systems are exploited via cyber vulnerabilities, lives could be lost.  And our country could suffer crippling economic damage.  The stakes cannot be overstated.  The threat is real.  In recent months, we learned that hackers penetrated the networks of companies that control our nation’s pipelines.  There have been attempts to penetrate the networks of companies that run nuclear power plants.  And last year, a foreign computer hacker showed that he could access the control systems of a water facility in Texas with ease.  He accomplished the task in minutes at a computer thousands of miles away.  Our critical infrastructure is being targeted and it is vulnerable.  

James Hoyer, the Adjutant General of the West Virginia National Guard, recently shared a frightening story with me.  He’s been working on cybersecurity.  Through this work, he learned that a critical infrastructure facility was allowing its engineers to operate control systems from their home computers.  This practice was entirely unsecure and it was dangerous.  Twenty years ago, it was a problem that did not exist because it was impossible.  But the opportunities of connectivity brought about the Internet have also brought dangers like these.  And this is just one example.

The Internet and what it has done for our country is unparalleled.  But everything we have accomplished in this Internet Age is now vulnerable.  We have built a castle in the sand.  And the tide is approaching.  Our systems are too fragile, too critical, and too vulnerable.  It’s a recipe for disaster and it’s time to do something about it, before it is too late.  

We have known about the seriousness of cyber threats for years.  Our national security experts know it.  Our law enforcement experts know it.  And there is bipartisan agreement that something needs to be done.  Former generals and officials in both Republican and Democratic administrations, including three of the last four directors of NSA, have urged the Senate to pass cybersecurity legislation.  FBI Director Robert Mueller has told Congress that the cyber threat will soon overcome terrorism as the top national security focus of the FBI.  

In my capacity both as the current Chairman of the Senate Commerce Committee and the former Chairman of the Senate Intelligence Committee, I have become very familiar with this threat.  And I have been working with my colleagues to address it.  For the past three years, we have been working with both Republican and Democratic senators to find common ground on these issues.  We have held hearings.  We have held mark ups.  We have held countless meetings with the private sector and interest groups.  And during this time, the cyber threat to our nation has only grown, more and more data breaches have occurred, and we have lost our intellectual property to thieves.  We have been patient in working to find a compromise.  And now is the time to make that compromise happen.  We know what we need to do.  

Here’s what we know right now about the state of our nation’s cybersecurity:  

• • The Federal government needs to do a better job protecting its own networks.  It has become all too common for breaches to occur in the government.  
• • Companies control most of our nation’s critical infrastructure and need to do a better job eliminating cyber vulnerabilities from their systems.  
• • There are no clear lines of authority and responsibility in the federal government for cybersecurity, which will cause confusion in the event of a cyber catastrophe.  
• • And the private sector and the federal government need to be able to share information about cyber threats.   

Over the last year, the Committees of jurisdiction in the Senate have worked together to finalize legislation that addresses each of these concerns.  Senator Lieberman, Senator Feinstein, Senator Collins, and I have made it our priority to finish this work together.  We believe every member of this body will be able to support this legislation.  With the revised version of the Cybersecurity Act that we introduced last week, we believe we have addressed the concerns that our colleagues have raised.  This is a compromise approach and it will work. 

This legislation will increase our nation’s cybersecurity.  And it will do it without harming our economy or the private sector’s ability to innovate or our civil liberties. 

Our bill will create a National Cybersecurity Council that will include representatives from across the government to find the critical infrastructure that is the most vulnerable to cyber attack and then develop cybersecurity practices for those systems, in cooperation with the private sector.  The Council will establish a program that encourages companies with critical infrastructure to adopt practices to protect their systems through an incentives-based, voluntary approach.

The bill will also:

• • Allow the government and the private sector to share threat and vulnerability information, while protecting privacy and civil liberties.  
• • Improve the security of the Federal government’s networks by taking away a “checklist” based approach that does not make the systems more secure.
• • Clarify the roles and responsibilities of Federal agencies when it comes to cybersecurity.
• • Coordinate cybersecurity research and development so that the federal government has a plan that is kept up to date.
• • And promote public awareness of cyber vulnerabilities to ensure a better informed and more alert citizenry.  Many cyber attacks have been successful because the people using the systems do not understand the consequences of their actions, whether it is clicking on a link to an untrustworthy website or using a USB drive that is unsecure.       

This bill is bipartisan and incorporates the good ideas and suggestions that have been made by many of our colleagues, both Republican and Democrat.  We have settled on a plan that creates no new bureaucracies or heavy handed regulation.  It’s premised on companies taking responsibility for securing their own networks, with government assistance where necessary.  This bill represents a compromise and it’s time move forward with it.  

In February, when we first introduced this bipartisan legislation, I finished my statement with a few thoughts on the gravity of our present course.  I would be remiss if I didn’t do it now, for it is how I view our current debate over cybersecurity.  In working on this issue over the past three years, I have often found myself thinking back to 2000 and 2001: when we saw signs of people moving in and out of our country, when we saw dots appear to connect, when we knew something new and different and dangerous might be upon us.  

Our intelligence and national security leadership took these matters seriously, but not seriously enough.  Then it was too late.  9/11 happened.  Today, with a new set of warnings flashing before us, and a wide range of new challenges to our security and safety, we again face a choice.  Act now, and put in place safeguards to protect this country and our people.  Or act later, when it is too late.  We must act now.  

I yield the floor.   

###