Carper, Lieberman, Collins Unveil Major Cybersecurity Bill To Modernize, Strengthen, And Coordinate Cyber Defenses
WASHINGTON – Federal Financial Management Subcommittee Chairman Tom Carper, D-De., Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., on Thursday introduced comprehensive legislation to modernize, strengthen, and coordinate the security of federal civilian and select private sector critical infrastructure cyber networks.
The Protecting Cyberspace as a National Asset Act of 2010 would create an Office of Cyber Policy in the White House with a director accountable to the public who would lead all federal cyberspace efforts and devise national cyberspace strategy. A National Center for Cybersecurity and Communications within the Department of Homeland Security, also led by a director accountable to the public, would enforce cybersecurity policies throughout the government and the private sector. The bill would also establish a public/private partnership to set national cyber security priorities and improve national cyber security defenses.
The Committee will hold a hearing on the legislation June 15, 2010.
"Over the past few decades, our society has become increasingly dependent on the internet, including our military, government, and businesses of all kinds," said Carper. "While we have reaped enormous benefits from this powerful technology, unfortunately our enemies have identified cyber space as an ideal 21st century battlefield. We have to take steps now to modernize our approach to protecting this valuable, but vulnerable, resource. This legislation is a vital tool that America needs to better protect cyber space. It encourages the government and the private sector to work together to address this growing threat and provides the tools and resources for America to be successful in this critical effort."
"The Internet may have started out as a communications oddity some 40 years ago but it is now a necessity of modern life, and sadly one that is under constant attack," said Lieberman. "It must be secured, – and today, Senators Collins, Carper, and I have introduced a bill which we believe will do just that. The Protecting Cyberspace as a National Asset Act of 2010 is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions, and attacks across the federal government and the private sector. The bill would establish a clear organizational structure to lead federal efforts in safeguarding cyber networks. And it would build a public/private partnership to increase the preparedness and resiliency of those private critical infrastructure cyber networks upon which our way of life depends.
"For all of its ‘user-friendly’ allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets. Our economic security, national security and public safety are now all at risk from new kinds of enemies — cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.
"The need for this legislation is obvious and urgent."
"As our national and global economies become ever more intertwined, cyber terrorists have greater potential to attack high-value targets," said Collins. "From anywhere in the world, they could disrupt telecommunications systems, shut down electric power grids, and freeze financial markets. With sufficient know-how, they could cause billions of dollars in damage and put thousands of lives in jeopardy. We cannot afford to wait for a "cyber 9/11" before our government finally realizes the importance of protecting our digital resources, limiting our vulnerabilities, and mitigating the consequences of penetrations of our networks.
"Yet, for too long, our approach to cyber security has been disjointed and uncoordinated. Our vital legislation would fortify the government’s efforts to safeguard America’s cyber networks from attack. This bill would build a public/private partnership to promote national cyber security priorities and help prevent and respond to cyber attacks."
Key elements of the legislation include:
o Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic. The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.
o Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cyber security capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks. The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.
o Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies’ practices of protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.
o Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
o Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
o Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to "take over" private networks.
o Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
o Requiring the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.
Among the bill’s supporters are: anti-virus software companies McAfee and Symantec; Karen Evans, former Administrator for E-Government and IT, Office of Management and Budget; Stewart Baker, former Assistant Secretary for Policy at DHS; the Intelligence and National Security Alliance; the Professional Services Council; and the Coalition for Government Procurement.
A copy of Senator Carper’s remarks as prepared for delivery follows:
"I want to thank Chairman Lieberman and Ranking Member Collins for their leadership on this important issue.
"As we all know, the Internet has certainly grown over the years – both in its complexity and in its impact on our everyday lives.
"For some time now, our Committee has been looking at how to secure cyberspace and the Federal government from current and emerging threats. We found federal agencies and the private sector weren’t coordinating enough to secure sensitive networks.
"That’s why our bill establishes an office in the White House to harness technical skills within the military, intelligence, civilian agencies, and the private sector.
"The bill also leverages the government’s purchasing power to buy more secure products and services, like the military has done for years.
"Over the past two years I have chaired several subcommittee hearings looking into why hackers were able to steal some of our most sensitive secrets — despite agencies spending an estimated $15 billion on security per year.
"It turns out that agencies spent nearly $1.5 billion a year on paperwork talking about security, rather than doing what should be done to protect ourselves.
"For example, agencies can be compliant with the current cyber security law and yet not be adequately protected against threats that have been around for years; never mind the more-sophisticated and dangerous cyber-attacks.
"This needs to change. Our bill fixes this by compelling agencies to make their networks truly secure and focus their resources on actively monitoring, detecting, and responding to threats against their sensitive systems.
"Further, as I have called for in the past, our bill bolsters the Department of Homeland Security’s role within the Federal government to assist agencies against more sophisticated and persistent threats.
"Our bill also recognizes that investing in a well trained and qualified workforce is key to improving security.
"Lastly, I’m pleased that my colleagues accepted my proposal to create a nationwide network of ‘cyber challenges,’ contests that foster competition and innovation and that are aimed at teaching young Americans how to enhance our nation’s cyber defenses and also how to protect their own sensitive information online.
"We need these cyber challenges to close the gap between the number of so-called ‘cyber warriors’ being produced by China, Russia, and North Korea and the number of ‘cyber warriors’ being produced here at home.
"In fact, my home state of Delaware has pioneered these cyber challenges, and I look forward to seeing how we stack up against our national and international counterparts this summer when the first cyber challenge summer camps commence.
"Again, I want to thank Chairman Lieberman and Ranking Member Collins for bringing together a diverse group of stakeholders in both the public and private sector to produce a bipartisan and common sense bill that will enhance our nation’s defenses and ensure cyber space stays safe and secure."