Feinstein Speaks on Cybersecurity Legislation
Jul 26 2012
Washington—Senator Dianne Feinstein (D-Calif.) today spoke on the Senate floor about the Cybersecurity Act of 2012. Her remarks, as prepared for delivery, follow:
“Cyber attacks and cyber intrusions against U.S networks pose the largest national security threat we face. These security breaches have become far more numerous, more sophisticated, and more insidious in recent years.
Consider the following examples of cyber attacks in the last few years:
- The Pentagon’s classified military computer networks suffered a “significant compromise” in 2008, according to a statement by former Deputy Defense Secretary Bill Lynn in 2010. Former Deputy Secretary Lynn also detailed that foreign hackers stole 24,000 U.S. military files in a single attack on a defense contractor in March 2011.
- In the five months from October 2011 through February 2012, over 50,000 cyber attacks were reported on private and government networks, with 86 of those attacks taking place on critical infrastructure networks, according to a report issued July 19, 2012 by the Bipartisan Policy Center’s Cyber Security Task Force. (Keep in mind that these 50,000 incidents were the ones reported to the Department of Homeland Security, so they represent only a small fraction of cyber attacks carried out against the United States.)
- In December 2011 press reports revealed that networks of the U.S. Chamber of Commerce were completely penetrated for possibly more than a year by hackers. The hackers apparently had access to everything in Chamber computers, including member company communications and industry positions on U.S. trade policy.
- In March 2011, NASA’s Inspector General reported that cyber attacks successfully compromised NASA computers. In one attack, intruders stole 150 user credentials that could be used to gain unauthorized access to NASA systems. Another attack at the Joint Propulsion Laboratory (JPL) – involving China-based Internet protocol (IP) addresses – let the intruders gain full access to key JPL systems and sensitive user accounts.
- 48 companies in the chemical, defense, and other industries were penetrated during 2011 for at least six months by a hacker looking for intellectual property. The cybersecurity company Symantec attributes some of the attacks to computers in Hebei, China.
- It became worldwide news when Google alleged in April 2011 that China had compromised hundreds of Gmail passwords for email accounts of prominent people, including senior U.S. officials.
- On March 17, 2011, RSA publicly disclosed that it had detected a very sophisticated cyber attack on its systems in an attempt to obtain data that would compromise RSA’s authenticated log-in technology. The data acquired was then used in an attempt to penetrate Lockheed Martin’s networks.
- Between March 2010 and April 2011, the FBI identified twenty incidents in which the online banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies. As of April 2011, the total attempted fraud amounts to approximately $20 million; the actual victim losses are $11 million.
- In October 2010, hackers penetrated the systems of NASDAQ, which sparked concerns about the severity of the cyber threat facing the financial industry.
- In January 2011, a hacker extracted $6.7 million from South Africa’s Postbank over the New Year's Holiday.
- In January 2011, hackers penetrated the European Union's carbon trading market, which allows organizations to buy and sell their carbon emissions quotas, and steal more than $7 million in credits, forcing the market to shut down temporarily.
- An international computer-crime ring broken up in October 2010 siphoned about $70 million in a hacking operation targeting bank accounts of small businesses, municipalities and churches, according to the FBI.
- In November 2008, hackers breached networks at Royal Bank of Scotland’s WorldPay, allowing them to clone 100 ATM cards and withdraw over $9 million dollars from machines in 49 cities.
- In December 2008, retail giant TJX was hacked. The one hacker captured and convicted named, Maksym Yastremskiy, is said to have made $11 million from the hack.
- In August 2008, computer networks in Georgia were hacked by unknown foreign intruders, most likely at the behest of the Russian government because they were coordinated with Russian military actions against Georgia.
- In May 2007, Estonian government networks were harassed by a denial of service attack by unknown foreign intruders, most likely at the behest of the Russian government because they were part of a the worst dispute between the two countries since the collapse of the Soviet Union
So as you can see from some of the examples above, for years now, the United States has been at the receiving end of multiple, concerted efforts by nation-states and non-state actors to hack into our networks. These bad actors are infiltrating our communications, accessing our secrets, and sapping our economic health by stealing intellectual property.
They may also be building a capability – if needed in the future – to wage cyber war. We may not even know until the attack has been launched.
These attacks are sophisticated and they involve hacking techniques that we unfortunately see quite often. Cyber attacks can come in the form of viruses and worms, malicious “backdoors,” “logic bombs” and denial-of-service attacks, just to name a few.
A groundbreaking, unclassified report from November of last year published by the Intelligence Community said cyber intrusions against U.S. companies cost billions of dollars annually and the report named China and Russia as aggressive cyber thieves.
On China, the report said, “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.” We know that sophisticated attacks from China against financial and technology companies, such as Google, resulted in property theft on a massive scale. Billions of dollars of trade secrets, technology and intellectual property are being siphoned each year from the U.S. to benefit the economies of China and other countries.
On Russia, the report said, “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”
I can assure you that the classified assessments are far more descriptive, and far more devastating.
The examples above are bad enough. But cyber threats are evolving, and I am very concerned that the next wave of cyber attacks will come in the form of crippling intrusions against the computers that control power plants, dams, transportation hubs, and financial networks in the United States.
We have already seen the use of cyber attacks in warfare, when hackers inside Russia reportedly took down the command and control systems in Estonia in 2007. That was five years ago, or roughly a lifetime ago in the realm of cyber attack capability.
Senior national security experts from across the political spectrum have sounded the alarm about this threat. For example:
At his confirmation hearing to be Secretary of Defense Leon Panetta said, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.”
Earlier this year, at the annual worldwide-threat hearing before the Senate Intelligence Committee, FBI Director Robert Mueller testified that “the cyber threat, which cuts across all programs, will be the number one threat to the country.”
It is time for the Senate to listen to these experts and pass comprehensive cybersecurity legislation.
I am pleased to be an original co-sponsor of the Cybersecurity Act of 2012, with Senator Lieberman, Senator Collins, Senator Rockefeller, and Senator Carper. I would like to commend their tireless work on this cybersecurity legislation over the past several years.
The Cybersecurity Act has seven titles, each of them addressing a key gap in our nation’s cyber laws. I would like to take a moment to describe the critical infrastructure protection provisions in Title I, but I will focus most of my remarks on the information sharing portion of the bill, which make up Title VII.
Title I covers Critical Infrastructure Protection, which means protecting the public and private infrastructure that underpin our economy and our way of life. A cyber attack against these networks could open a dam, crash our financial system, or disable the electric grid.
Although some critical infrastructure companies have taken action to protect their networks, too many of them have not. It appears that market forces are insufficient for many critical infrastructure companies to adopt adequate cybersecurity practices. Thus, Title I of this bill would create strong incentives for companies to work with the federal government to establish standards for critical infrastructure protection.
Even though the bill makes cybersecurity standards voluntary, I know many Senators still resist this idea. I do not. I would have preferred that this bill include its original critical infrastructure provisions, which would have mandated baseline standards for cybersecurity. But I recognize that this legislation is a necessary first step to provide some security, and that compromise to the voluntary measures in this bill was necessary. I hope that if and when we see a major cyber attack against the power grid, or Wall Street, or a major dam, we won’t see this compromise as being a mistake.
Other Senators have spoken at length about critical infrastructure and other parts of this bill, so let me move now to Title VII of the bill, regarding information sharing.
This title, essentially the last 40 pages of the bill, covers authorities and protections for sharing information about threats to cybersecurity.
The information sharing title addresses one of the main problems I have heard from both the private sector and the government about existing laws and business practices when it comes to cyber: that private sector companies and the government each know a lot about the cyber attacks against their networks, but that this information is stovepiped so that no one is as well protected as they could be if information were shared.
As the Bipartisan Policy Center’s “Cyber Security Task Force” recently found, “Despite general agreement that we need to do it, cyber information sharing is not meeting our needs today.”
Title VII addresses this problem by reducing those legal barriers which hamper a private entity's ability to work with others and the federal government to share cybersecurity threat information.
Now, how do we do this?
First, Title VII explicitly authorizes companies to monitor and defend their own networks.
Many companies monitor and defend their own networks today, in order to protect themselves and their customers.
But we have heard from numerous companies that the law in this area is unclear, and that sometimes it is less risky, from a liability perspective, for them to allow attacks to happen than to take additional steps to defend themselves.
So we make the law clear by giving companies explicit authority to monitor and defend their own networks.
Second, the bill authorizes the sharing of cyber threat information among private companies. There have been concerns that anti-trust laws prevent companies from cooperating on cyber defense. This bill, in section 702, clearly says “notwithstanding any other provision of law, any private entity may disclose lawfully obtained cybersecurity threat indicators to any other private entity in accordance with this section.”
Third, the bill authorizes the government – which will largely mean (in practice) the Intelligence Community – to share classified information about cyber threats with appropriately cleared organizations outside of the government.
Traditionally, only government employees and contractors have been eligible to receive security clearances, and therefore gain access to national secrets. To put it another way, those with a valid “need to know” most national security secrets are within the government.
That isn’t true for cyber security. In this case, we can’t restrict classified information tightly within government – the companies that underpin our nation’s economy and way of life have a “need to know” about the nature of cyber attacks so they can better secure their systems.
It is not sufficient for the government to be able to defend itself against an attack. It is also necessary for companies like Google or an institution like the NASDAQ to be able to protect themselves, and to use all possible defenses that we can help provide.
So under this bill, companies are able to qualify to receive classified information, will be certified, and then able to obtain classified information about what cyber threats to look out for.
Fourth, the bill establishes a system through which any private sector entity – whether a power utility, a defense contractor, a telecom company, or others – can share cyber threat information with the government.
When it comes to cyber, information sharing must be a two-way street. Often times, the private sector has important information about cyber intrusions that the government does not possess. After all, the private sector is on the front lines of the incoming cyber assault, so companies are often best able to understand the attack.
The private sector should be able to share that information with the government so that the government can protect itself, and fulfill its responsibility to warn others about threats. So let me describe how this bill allows for and encourages that information sharing, and the liability protections that companies receive for doing so.
Here’s how the private sector can share information with the government under this bill:
The Secretary of Homeland Security, in consultation with the Attorney General, the Secretary of Defense, and the Director of National Intelligence, would designate one or more federal cybersecurity exchanges. We envision that these exchanges would be an existing entity, such as one of the existing Federal cybersecurity centers.
Private companies would share cyber threat information with these exchanges directly. These exchanges must be civilian entities, and they will have procedures in place to share that information as quickly as possible with other parts of the government. The information is protected from disclosure under the Freedom of Information Act (FOIA), and cannot be used in a regulatory enforcement action.
This exchange would serve as a focal point for information sharing with the government. Having a single focal point would establish a single point of contact for the private sector, which has complained to us about not always knowing who to go to in the government to report cyber attacks. This approach solves the problem.
Having a single focal point is also more efficient for the government. It would help eliminate stovepipes because right now there are dozens of different parts of the government receiving information from the private sector about the cyber threats they are encountering.
It would also make privacy and civil liberties oversight easier, as I will describe in a moment. Finally, it should save tax payers money, because it is more efficient to manage and oversee the operation of one entity versus many entities.
Now let me describe the liability protections, because that is a critical part of this.
Section 706 of bill provides liability protection for the voluntary sharing of cyber threat information with the federal exchange.
The bill reads: “no civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity [that means a company] acting as authorized by this title, and any such action shall be dismissed promptly for … the voluntary disclosure of a lawfully obtained cybersecurity threat indicator to a cybersecurity exchange.” (section 706(a))
In other words, a company is immune from lawsuit over sharing cyber threat information with a federal exchange.
The same immunity applies to:
Companies who monitor their own networks;
Cybersecurity companies who share threat information with their customers;
Companies that share information with a critical infrastructure owner or operator; or
Companies who share threat information with other companies, as long as they also share that information with the federal exchange within a reasonable time. This “reasonable good faith” defense is also available for the use of defensive countermeasures.
If a company shared information in a way other than the five ways I just mentioned, it still receives a legal defense under this bill from suit if the company can make a reasonable good faith showing that the information sharing provisions permitted that sharing.
Further, no civil or criminal cause of action can be brought against a company or an officer, employee, or agency of a company for the reasonable failure to act on information received through the information sharing mechanisms set up by this bill.
Basically, the only way that anyone participating in the information sharing system can be held liable is if they are found to have knowingly violated a provision of the bill or acted in gross negligence.
So there are very strong liability protections for anyone that shares information about cyber threats – which is completely voluntarily – under this bill.
What information will be shared with the Exchange?
Information that should be shared includes – but is not limited to – malware threat signatures, known malicious Internet Protocol (IP) addresses, and immediate cyber attack incident details.
The exchanges would be able to share this information in as close to real time as possible over networks. That is the only way for the private sector and the government to stay a step ahead of our cyber adversaries.
What kind of information can they share? We define this information in our bill as “cybersecurity threat indicators.” We define this term to include only information that is “reasonably necessary” to describe the technical attributes of cyber attacks. This is not a license for the government to take in and distribute private citizens’ information. Rather, it is narrowly tailored to cover information that relates specifically to a cyber attack.
In addition to narrowly defining what information can be shared with an exchange, our bill also requires the Federal government to adopt a very robust privacy and civil liberties oversight regime for information shared under this title. There are multiple layers of oversight from different parts of the Executive Branch, including the Department of Justice and the independent Privacy and Civil Liberties Oversight Board, as well as the Congress. I direct Members to the privacy and civil liberty protections on pages 185 through 192 of this bill for the litany of procedures, reviews, and reports that are required.
We have worked closely with several Senators, including Senators Durbin, Franken, Coons, Akaka, Blumenthal, and Sanders on these protections, and I thank them for their efforts.
I would also be remiss if I didn’t note my great appreciation of the work and leadership of the Majority Leader for his focus on getting this bill to the Floor and for making time to have this debate.
It is infinitely better having this debate now rather than after a major cyber attack. I know there are many other things competing for the Senate’s attention, but this is a critically important issue, and the Leader is to be commended for bringing it up.
As I said in the beginning of my remarks, Mr. President, the cyber threat we face is real, it is serious, and it is growing. This bill will not stop the threat, but it is an important first step in improving our government’s and our nation’s cyber security. I urge my colleagues to support the motion to proceed and to support the bill.”