Floor Updates

Collins, Carper, Lieberman

Cybersecurity bill (S. 3414)

Jul 31 2012

05:04 PM

Senator Collins: (4:26 PM)
  • Spoke on the Cybersecurity bill.
    • SUMMARY "We've gone from having a mandatory framework to a voluntary approach to enhance the security of our most critical infrastructure. The underlying concept of this approach, which was suggested in a very constructive way by our colleagues, Senator Kyl and Senator Whitehouse, is to encourage owners of our most critical infrastructure to enhance their cybersecurity by providing them with various incentives, the most important of which is liability protections. We've also made changes to improve the privacy protections in the information sharing title of our bill. The bill establishes the multiagency council, the National Cybersecurity Council to respond to concerns that too much power was being given to the Department of Homeland Security. So now we have an interagency body that includes the Department of Defense, the Department of Justice, represented by the FBI, the Department of Commerce, the intelligence community, undoubtedly it would be the Director of National Intelligence's office. And appropriate sector-specific federal agencies such as FERC, if we're talking about how best to protect our electric grid. The council would work in partnership with the private sector, would conduct risk assessments to identify our nation's most critical cyber infrastructure. Now, what do we mean about that? We hear that term. What exactly is critical cyber infrastructure? It is that which, if damaged, could result in mass casualties, mass evacuations, catastrophic economic damage to our country, or severe harm to our national security. Don't we want to safeguard critical national assets that if damaged would cause numerous deaths, people to flee their homes, their communities, a disaster for our economy, or severe blow to our national security? I can't believe there's even any discussion about the need for us to have robust systems to protect us against mass casualties, a devastating blow to our economy, and catastrophic consequences. That's a high bar in our bill for defining what is critical cyber infrastructure. It isn't every business in this country, and those that are implying that it is and this is sweeping are not accurately reading the bill. We would be irresponsible if we did not act when the warnings are so loud and are coming from so many respected sources."

Senator Carper: (4:40 PM)
  • Spoke on the Cybersecurity bill.
    • SUMMARY "In recent years when we heard opposition to doing something on cybersecurity, the concern we had it's going to be a top down. This is going to be Homeland Security, which frankly back in its early days didn't have a very good reputation. The idea that somehow Homeland Security is going to be running this, top down, without a whole lot of input from industry, basically we've taken even â€" second most recent version of our bill and changed that. What we said it's not going to be top down, it's not going to be homeland security saying these are the best practices and standards to protect against cybersecurity, but industry, why don't you tell us, us being Homeland Security, us being Department of Defense, us being National Security Agency, us being the FBI, what you think those best practices and standards should be. And give us a chance to work on those together, and at the end of the day, correct me if I'm wrong, but if don't think the deal is for homeland security to come back and say no, got to throw those away. We'll do it our way. That's not what's going to happen here. In our meeting yesterday with folks from FBI, National Security Agency, that's not the way it's going to work. Not the way it works today, not the way it's going to work in the future. What do you think?"

Senator Collins: (4:42 PM)
  • Responded.
    • SUMMARY "He is absolutely correct. This is a collaborative partnership with the private sector, and indeed it has to be. 85% of critical infrastructure is owned by the private sector. So it makes sense to have their involvement. We've restructured the bill to require that and there is another safeguard. Since this is a voluntary system that we have now devised, adopting the Kyl-Whitehouse approach, if the private sector decided not to participate, it essentially invalidates the standards that are developed. So why would this interagency council, which has developed the standards based on the recommendations of the private sector, not adopt reasonable standards? They want industry to participate. That's the ultimate safeguard."

Senator Carper: (4:43 PM)
  • Responded.
    • SUMMARY "One of the criticisms of our bill was not only was it top down, oriented, directed by Homeland Security but also there were just sticks involved. We were not going to incentivize anybody to comply with the standards that might be developed, but we would just hammer somebody. That's not the way it's turned out. And if commend the chairman for doing that but would you just lay out for us in a minute or two here how it would work?"

Senator Lieberman: (4:44 PM)
  • Responded.
    • SUMMARY "This is now a voluntary system This legislation contains authority to share information between the government and the private sector, between two private sector companies that can't be done now. That's critically necessary to improve our defenses. The requirement of standards being promulgated as resulting from a public-private collaborative operation and then offering the carrot of immunity from liability is something that doesn't exist now, and all the experts say though some of the private sector operators of critical cybersecurity infrastructure and we're talking again about the companies that run the electric grid or the telecommunications system or the entire financial system, or dams that hold back water, we're not talking about mom-and-pop businesses back home, some of them are doing a pretty good job of defending that cyber infrastructure, but most of them are not doing enough. And that's where the government has to come in and push them in that direction. So why did we change it from mandatory to voluntary, from sticks to carrots? Because we didn't have the votes to adopt the mandatory, which I think is necessary. We're at a point now in this debate with the kind of never-ending questions about every detail, notwithstanding all the compromises Senator Collins, Carper and I and others have made, that it feels to me - and the filing of an amendment by Senator McConnell to repeal Obamacare - you can have a position on Obamacare, but to put it on this Cybersecurity bill? Not fair, not relevant, not constructive. I think we're coming to a moment where we're going to have to face a tough decision. And I've talked to the majority leader about filing for cloture soon so we can draw this to a choice. Do our colleagues want to act to protect our cyber systems in this session or do they not? And that's a tough choice, particularly if you vote "no" to explain in the light of all the evidence of the constant cyber attacks going on in and the of hundreds of billions of dollars from our industries and tens of thousands of jobs lost as a result to foreign countries. Whether you're going to say, no, we don't want to take that up now. I hope and pray that that's not the case. But the way this is moving right now, in this last week of the session before we break, I'm afraid that we're headed in the wrong direction."

Senator Carper: (4:50 PM)
  • Responded.
    • SUMMARY "First, we've elected not to direct the Department of Homeland Security to mandate new cybersecurity regulations for private owners of critical infrastructure. We said we're not going to do that. Instead, we've endorsed an approach that relies on a public-private partnership and a voluntary cybersecurity program to strengthen the electronic backbone of our most sensitive systems. Instead of government penalties, our bill calls for using incentives like liability protection to encourage critical infrastructure owners to adopt voluntary practices developed by industry. Second, our revised bill provides a framework for the sharing of cyber threat information between the federal government and the private sector. While offering liability protection and better privacy protections for all Americans. And, third, to ensure that federal agencies are better equipped to stop cyber attacks on them, the bill includes a number of security measures that I've worked on for years with Senator Collins and others to better protect our federal information systems. In particular, this bill will help replace our outdated paper-based security practices with real-time security systems that can actively monitor, detect and respond to threats. For example, agencies will be required to continuously monitor their systems like a security guard would watch a building through a video camera, rather than just taking a snapshot, developing the film and reporting on the results once a year ... Finally, our bill makes a number of important investments in developing the next generation of cybersecurity professionals. This is work force development. For example, the bill provides stronger cybersecurity training and establishes better cybersecurity programs in our schools and in our universities. This legislation also makes research and development for cybersecurity a priority so we can develop cutting-edge technologies here at home and bring jobs to our country. Doing so will not only make us safer as a nation, it will help ensure that America's work force is better prepared for tomorrow's job market."

Senator Lieberman: (4:58 PM)
  • Unanimous Consent --
    • The Senate will resume consideration of S. 3414, the Cybersecurity bill, with the time until 6:30 PM for debate only.
    • At 6:30 PM, Majority Leader Reid will be recognized (without objection).