Floor Updates

Kyl, McCain, Lieberman, Collins

Executive Session (Jordan nomination, post-cloture)

Feb 14 2012

03:30 PM

Senator Kyl: (2:22 PM)
  • Paid tribute to Arizona becoming the 48th member of the United States on February 14, 1912.

Senator McCain: (2:35 PM)
  • Paid tribute to Arizona becoming the 48th member of the United States on February 14, 1912.

Senator Lieberman: (2:55 PM)
  • Spoke on the CyberSecurity Act of 2012.
    • SUMMARY "Now, let me just briefly describe some of the important things this bill does. First, it ensures that the computer systems, private systems that control our most critical infrastructure that are currently not secure are made secure. Our bill defines critical infrastructure narrowly to include those systems that if brought down or commandeered in a cyber attack would lead to mass casualties, evacuations of major financial centers, the collapse of financial markets, the degradation of our national security. This is really critical infrastructure. After identifying the precise systems that meet the definition, that definition of high risk, the Secretary of Homeland Security would under our legislation then work with the private sector operators of those systems to develop cybersecurity performance requirements based on risk assessments of those sectors. The private sector owners would then have some flexibility to meet those performance requirements with hardware or software they choose so long as it achieves the required level of security. The Department of Homeland Security will not be picking technological winners and losers, so there is nothing in this bill that would stifle innovation. In fact, I think quite the contrary. If a company can show that it already has met high security standards, it will be exempt from these requirements. The bill focuses on securing that which is not secure today, not on putting new requirements on industries that are doing everything they should be doing to protect themselves and our national security. Once these improved security systems come online, I think that many companies will want to apply them to noncritical systems that are not covered by this bill as a way to protect the privacy of their employees and customers as well as giving these companies the chance to offer secure e-commerce services, but that will be up to each company. 
This bill also seeks to make compliance easier, more rational for covered critical infrastructure operators by creating a more streamlined and efficient cyber organization within the Department of Homeland Security, and at each step in the process created by our bill, the Department of Homeland Security must work with existing federal regulators and the private sector that they regulate to ensure that no rules or regulations are put in place that duplicate or conflict with existing requirements and if a company feels that the designation of its networks as critical surface is somehow wrong, it's got the right to appeal that decision, for the law that the - system that the law requires DHS to set up or they can go to federal district court. This bill also establishes mechanisms for information sharing between the private sector and the federal government and among the private sector operators themselves, Senator Feinstein and her committee made a significant contribution to this part of our bill. This is important because computer security experts in the private and public sectors need to be able to share information, compare notes in order to protect us against evolving cyber threat. Our proposal also creates appropriate security measures and oversight to protect privacy and preserve civil liberties."

Senator Collins: (3:12 PM)
  • Spoke on the CyberSecurity Act of 2012.
    • SUMMARY "Some of our colleagues have urged us to focus very narrowly on the Federal Information Security Management Act as well as on federal research and development and improved information sharing. We do need to address those issues, and our bill does address those important issues. With 85% of our nation's critical infrastructure owned by the private sector, government also has a critical role in ensuring that the most vital parts of that critical infrastructure, those whose disruption could result in truly catastrophic consequences, such as mass casualties or mass evacuations, meet reasonable risk-based performance standards. Some of our colleagues are skeptical about the need for any new regulations. There's no one who has worked harder than I have to oppose regulations that would unnecessarily burden our economy and cost us jobs. But we need to distinguish between regulations that hurt our economy and are not necessary and hinder our international competitiveness versus regulations that are necessary for our national security and that promote rather than hinder our economic prosperity. Those strengthen our economy and our nation. The fact is that the risk-based performance requirements in our bill are targeted carefully. They only apply to specific systems and assets, not entire companies. That if damage could reasonably be expected to result in mass casualties, huge evacuations, catastrophic economic damages, or a severe degradation of our national security. In other words, we are talking about truly catastrophic impacts. Moreover, the owners of critical infrastructure, not the government, would select and implement the cybersecurity measures the owners determine to be best suited to satisfy the risk-based cybersecurity performance requirements. Our new bill would also require the Secretary of Homeland Security to select among existing industry practices and standards or choose performance requirements proposed by the private sector. 
Lots of collaboration and consultation. Only if none of these mitigates the risk identified through this public-private collaboration could the secretary propose something different. That is extremely unlikely to happen. The bill prohibits the regulation of the design and development of commercial IT products. It would require that existing requirements and current regulators be used wherever possible. The bill would allow federal officials to waive the bill's requirements when existing regulations or security measures are already sufficiently robust. As with our earlier versions of this bill, companies in substantial compliance with the performance requirements at the time of a cyber incident would receive liability protection from any punitive damages associated with an incident, giving them an incentive to comply. The fact remains that improving cybersecurity is absolutely essential. We cannot afford to wait for a cyber 9/11 before taking action. The warnings could not be clearer about the vulnerabilities and the threat to our systems."