THE FLOOR.
THE PRESIDING OFFICER: THE
SENIOR SENATOR FROM TEXAS IS
RECOGNIZED.
MRS. HUTCHISON: I HAVE LISTENED
TO THE SENATOR FROM CONNECTICUT
AND THE PRESENTATION ON THE BILL
THAT I ASSUME WILL BE VOTED ON
TODAY AND I APPRECIATE VERY MUCH
THAT WE HAVE HAD THE MEETINGS
BECAUSE THERE ARE REALLY TWO
BILLS THAT HAVE BEEN
INTRODUCED, THE
LIEBERMAN-COLLINS AND THAT
GROUP'S BILLS, AND THEN I HAVE
LEGISLATION CALLED THE SECURE
I.T. ACT ALONG WITH SENATORS
McCAIN, CHAMBLISS, GRASSLEY,
COATS, JOHNSON, AND BURR.
THESE ARE EIGHT RANKING MEMBERS
OF THE SUBCOMMITTEES AND
COMMITTEES THAT HAVE
JURISDICTION OVER
CYBERSECURITY, AND WE DIFFER IN
A MAJOR WAY FROM THE BILL THAT
IS BEFORE US THAT IS COSPONSORED
BY THE RANKING MEMBER OF THE
HOMELAND SECURITY COMMITTEE,
BUT ALL OF THE OTHER COMMITTEES
OF JURISDICTION RANKING MEMBERS
ARE IN DISAGREEMENT.
NOW, THE GOOD NEWS IS WE HAVE
BEEN MEETING TO TRY TO BEGIN TO
WORK OUT THE DIFFERENCES AND SEE
IF WE CAN MOVE FORWARD.
OUR BILL, THE SECURE I.T.
BILL, WILL BE INTRODUCED AS AN
AMENDMENT IN THE NATURE OF A
SUBSTITUTE IF IN FACT WE TAKE UP
THE BILL TODAY.
AND I WOULD AGREE WITH WHAT
SENATOR LIEBERMAN SAID RIGHT OFF
THE BAT IN THAT I BELIEVE AS
LONG AS WE HAVE AN OPEN
AMENDMENT PROCESS THAT WE WILL
VOTE TO MOVE TO THE BILL.
I DON'T THINK ANYONE IN OUR
GROUP OR ANYONE WITH WHOM I'VE
TALKED WANTS TO HOLD UP DEALING
WITH CYBERSECURITY.
WE KNOW THAT AMERICA'S SYSTEMS
COULD BE UNDER THREAT AND SOME
HAVE BEEN HACKED INTO ALREADY.
THERE ARE TERRORISTS THAT SEEK
TO SABOTAGE NETWORKS.
THERE ARE JUST PEOPLE WHO WANT
ACCESS TO PROPRIETARY
INFORMATION AND INTELLECTUAL
PROPERTY, AND WE NEED TO
PROTECT OUR SYSTEMS AND OUR
COUNTRY AGAINST THOSE ATTACKS,
WHICH IS WHY AS LONG AS WE HAVE
AN AMENDMENT PROCESS AND WE'RE
NOT SHUT OUT FROM DISCUSSING
THIS, WE WILL VOTE TO MOVE
FORWARD TO THE BILL.
THIS BILL WAS NOT MARKED UP IN
COMMITTEE.
IT DID HAVE A LOT OF HEARINGS IN
THE COMMITTEE, BUT IT WASN'T
MARKED UP SO AMENDMENTS WERE NOT
ABLE TO BE INTRODUCED AND
DISCUSSED AND VOTED ON.
WHICH MAKES IT HARDER, AS WE
ALL KNOW, WHEN YOU COME TO THE
FLOOR WITH A BILL WHERE THERE
ARE MAJOR DISAGREEMENTS AND NOT
HAVE HAD THE CAPABILITY FOR THE
COMMITTEE TO TAKE UP THE
AMENDMENTS AND VOTE ON THEM.
SO THAT'S WHY I THINK WE NEED TO
HAVE THE OPEN AMENDMENT PROCESS
AND WHY WE DO WANT TO MOVE
FORWARD ON THE GOOD FAITH THAT
IT WILL BE OPEN.
NOW, OUR BILL, THE SECURE I.T.
ACT, IS CENTERED ON CONSENSUS
ITEMS.
IT SETS ASIDE THE CONTROVERSIAL
PROVISIONS THAT ARE OF
QUESTIONABLE NEED AND IT ALSO IS
ONE THAT WE BELIEVE WE COULD
WORK WITH THE HOUSE TO PASS AND
SEND TO THE PRESIDENT.
THE BILL THAT WE HAVE WOULD
GREATLY IMPROVE INFORMATION
SHARING TO AND FROM AND WITH
GOVERNMENT, WITH OTHER
PRIVATE-SECTOR INDUSTRIES IN THE
SAME FIELD, AND WE THINK THAT
IS THE MOST IMPORTANT STEP THAT
WE COULD ALL TAKE ON A FAIRLY
QUICK BASIS AND START THE
PROCESS OF GETTING MORE SECURITY
THROUGHOUT OUR SYSTEMS.
BUT WE MUST ENSURE ALSO THAT THE
ENTITIES AND GOVERNMENT -- IN
GOVERNMENT AND INDUSTRY SHARE
BACK AND FORTH.
IT HAS TO BE A TWO-WAY STREET.
OBVIOUSLY, IF AN INDUSTRY IS
GOING TO SHARE INFORMATION ABOUT
POTENTIAL THREATS, IT MUST GET
INFORMATION FROM THE GOVERNMENTS
THAT ARE DOING THE INTELLIGENCE
GATHERING ON A QUICK BASIS IF
THEY SEE RISKS OR THEY SEE
PROBLEMS IN A SYSTEM.
OUR BILL ALSO DRAMATICALLY
IMPROVES CYBERSECURITY FOR
FEDERAL AGENCIES THEMSELVES.
IT DOES UPDATE THE RULES THAT
GOVERN CYBERSECURITY, AND IT
REQUIRES ANY GOVERNMENT
CONTRACTOR TO INFORM THEIR
AGENCY CLIENTS IF THEIR CLIENTS'
SYSTEMS ARE UNDER ANY KIND OF
RISK OR ATTACK.
WE THINK THAT IS REASONABLE AS A
PART OF A GOVERNMENT CONTRACTING
REQUIREMENT.
TODAY, ANTITRUST LAWS AND
LIABILITY CONCERNS INHIBIT
PRIVATE COMPANIES FROM
EXCHANGING THE INFORMATION THAT
IS NECESSARY TO DEFEND AGAINST
AND RESPOND TO CYBER THREATS.
IF A COMPANY KNOWS THAT IT IS
GOING TO BE REQUIRED OR ASKED OR
ENCOURAGED TO SHARE WITH A
COMPETITOR INFORMATION ABOUT
CYBER THREATS, THEY'VE GOT TO
KNOW THAT THEY'RE NOT GOING TO
BE THEN HIT WITH AN ANTITRUST
LAWSUIT.
I THINK THAT'S PRETTY -- PRETTY
CLEAR.
SO OUR BILL DOES ADDRESS THAT.
WE MAKE IT VERY CLEAR THAT THERE
ARE ANTITRUST IMMUNITIES AS WELL
AS MOST CERTAINLY IMMUNITY FROM
A LAWSUIT IF YOU MEET THE
VOLUNTEER STANDARDS ON A
VOLUNTARY BASIS AND YOU ARE
AUDITED TO SHOW THAT YOU HAVE
DONE WHAT THE STANDARDS HAVE PUT
FORWARD AS THE BEST PRACTICES,
THEN YOU WOULD HAVE A LIABILITY
AGAINST LAWSUIT ON A
CYBERSECURITY ATTACK.
SO THOSE ARE THE THINGS THAT WE
DO THAT I THINK WILL OPEN UP THE
INFORMATION SHARING, WHICH IS
THE WAY THAT WE BELIEVE IT IS
IMPORTANT TO MOVE THE NEXT STEP.
IT -- IT IS ALSO I THINK VERY
IMPORTANT THAT WE HAVE THE
SAFEGUARDS FOR PRIVACY.
I DO BELIEVE THE BILL, THE
UNDERLYING BILL, CERTAINLY
PROTECTS PRIVACY.
SO DOES OUR SUBSTITUTE.
WE HAVE SAFEGUARDS THAT PROTECT
THE PRIVACY AND CIVIL LIBERTIES
OF ALL AMERICANS WHILE WE
PRESERVE THE RIGHT TO ASSURE
THAT WE TRY TO PROTECT AMERICA
IN GENERAL FROM ATTACK FROM THE
OUTSIDE.
WE ALSO IN OUR BILL IMPROVE THE
SECURITY OF FEDERAL INFORMATION
SYSTEMS AND FACILITIES TO
PROSECUTE CYBER CRIME.
WE WANT TO BEEF UP THE CRIMINALS
WHO ARE HACKING IN AND POTENTIAL
TERRORISTS THAT MIGHT TO BE ABLE
TO PROSECUTE AGAINST CYBER CRIME
AS A DISINCENTIVE TO BREAK THE
LAW.
OUR LEGISLATION FINALLY,
MR. PRESIDENT, HAS BROAD
INDUSTRY SUPPORT.
THE BUSINESSES IN THE PRIVATE
SECTOR WHO KNOW THEIR SYSTEMS
BEST AND WHO FIGHT EVERY DAY TO
PROTECT THEIR SYSTEMS AND
NETWORKS BELIEVE THAT SECURE
I.T. IS THE BEST WAY TO GO.
WE BELIEVE THAT WITHOUT THE
COOPERATION OF THE BUSINESS
COMMUNITY, WITHOUT A BIG
REGULATORY MORASS, THAT IS THE
WAY THAT WE ARE GOING TO GET THE
MOST COOPERATION FROM THE PEOPLE
WHO ARE RUNNING THE NETWORKS AND
SYSTEMS.
I HAVE LETTERS OF ENDORSEMENT
FROM THE U.S. CHAMBER OF
COMMERCE, THE NATIONAL
ASSOCIATION OF MANUFACTURERS,
THE AMERICAN FUEL AND
PETROCHEMICAL MANUFACTURERS, THE
AMERICAN PETROLEUM INSTITUTE,
THE U.S. TELECOM NATIONAL RETAIL
FEDERATION, THE INTERNET
SECURITY ALLIANCE, AND ASK FOR
CONSENT TO ENTER THESE LETTERS
INTO THE RECORD.
THE PRESIDING OFFICER: WITHOUT
OBJECTION, SO ORDERED.
MRS. HUTCHISON: THANK YOU.
THANK YOU, MR. CHAIRMAN -- OR
MR. PRESIDENT.
OUR BILL ALSO ALLOWS FOR THE
TRUE COLLABORATIVE EFFORT.
NOW,
THE REASON WE'RE NOT SUPPORTING
THE BILL THAT IS ON THE FLOOR
TODAY IS BECAUSE WE BELIEVE THAT
IT DOES NOT DO THE PRIORITIES
THAT WE CAN PASS AND IT DOES
INCREASE THE MANDATES AND THE
REGULATORY OVERKILL IN OUR
OPINION THAT WILL KEEP OUR
COMPANIES FROM BEING ABLE TO
MOVE FORWARD ON AN EXPEDITED
BASIS TO START PROTECTING OUR
SYSTEMS.
A PRIORITY OF MINE HAS BEEN
THROUGHOUT THIS PROCESS THAT WE
HELP THE PRIVATE SECTOR COMBAT
CYBER ATTACKS BY BREAKING DOWN
THE BARRIERS TO SHARING
INFORMATION.
IF WE COULD TAKE THAT ONE STEP,
WE WOULD BE A LONG WAY TOWARD
ASSURING THAT WE ARE INCREASING
THE SECURITY OF ALL AMERICANS.
BUT THE BILL BEFORE US WILL
ACTUALLY UNDERMINE CURRENT
INFORMATION SHARING BETWEEN THE
GOVERNMENT AND THE PRIVATE
SECTOR.
THAT BILL'S INFORMATION SHARING
STEP -- TITLE IS A STEP
BACKWARDS BECAUSE IT SLOWS THE
TRANSFER OF CRITICAL INFORMATION
TO OUR INTELLIGENCE AGENCIES AND
THERE'S NOT SUFFICIENT
PROTECTION FROM ANTITRUST.
IN ADDITION, THERE IS NO
CONSENSUS IN THE UNITED STATES
SENATE TO GRANT THE DEPARTMENT
OF HOMELAND SECURITY WITH BROAD
NEW AUTHORITY TO IMPOSE
BURDENSOME REGULATIONS ON THE
PRIVATE SECTOR.
WHILE I AM PLEASED THAT OUR
COLLEAGUES WHO ARE COSPONSORING
THE BILL THAT IS BEFORE US HAVE
MADE AN EFFORT TO MOVE AWAY FROM
DIRECT REGULATION OF OUR
NATION'S SYSTEMS, IT HAS A LONG
WAY TO GO.
WHILE THEIR BILL ALLOWS THE
PRIVATE SECTOR TO PROPOSE
STANDARDS THAT ARE DESCRIBED AS
VOLUNTARY, THE BILL ACTUALLY
EMPOWERS FEDERAL AGENCIES TO
MAKE THESE VOLUNTARY STANDARDS
MANDATORY.
IF AN AGENCY DOES NOT MAKE THE
STANDARDS MANDATORY, IT WOULD
HAVE TO REPORT TO CONGRESS WHY
IT HAD FAILED TO DO SO.
WELL, THAT'S A PRETTY BIG
INCENTIVE FOR MANDATES TO START
BEING PUT ON WITH REGULATIONS
THAT WILL BE REQUIRED.
I BELIEVE THAT THERE IS A WAY
FORWARD.
IF THE SENATE TAKES THE
WELL-REASONED AND BROADLY
SUPPORTED PROVISIONS OF THE
SECURE I.T. BILL AND PUTS THEM
WITH A VOLUNTARY AND
INDUSTRY-DRIVEN CRITICAL
INFRASTRUCTURE PROTECTION TITLE,
WE COULD PASS A SENATE BILL WITH
OVERWHELMING SUPPORT.
THE KEY TO REACHING CONSENSUS
HAS FIVE PARTS.
THE CYBERSECURITY STANDARDS MUST
BE DEVELOPED BY THE PRIVATE
SECTOR AND MUST BE TRULY
VOLUNTARY.
THE RELATIONSHIP BETWEEN
GOVERNMENT AND THE PRIVATE
SECTOR IN THIS AREA MUST BE
COOPERATIVE, NOT ADVERSARIAL AND
NOT REGULATORY.
THE NATIONAL INSTITUTE FOR
STANDARDS AND TECHNOLOGY SHOULD
BE THE CONVENING AUTHORITY FOR
THE PRIVATE-SECTOR STANDARD
SETTING PROCESS.
THE GOVERNMENT CAN HAVE A ROLE
IN ENSURING THE STANDARDS ARE
SUFFICIENT AND IT SHOULD, BUT IT
CAN'T ESTABLISH A REGULATORY
REGIME THAT WILL LENGTHEN AND
HAMPER THE EFFORTS TO OPEN
INFORMATION SHARING.
COMPANIES -- AND HERE'S THE
INCENTIVE FOR THE COMPANIES TO
DO EXACTLY WHAT WE'RE ASKING
THEM TO DO -- COMPANIES THAT
ADOPT THE VOLUNTARY STANDARDS
MUST RECEIVE ROBUST AND
STRAIGHTFORWARD PROTECTIONS FROM
LIABILITY AS WELL AS NECESSARY
ANTITRUST AND FREEDOM OF
INFORMATION ACT EXEMPTIONS.
IF A COMPANY IS GOING TO TURN
OVER PROPRIETARY INFORMATION TO
THE GOVERNMENT, THEY MUST BE
PROTECTED FROM FREEDOM OF
INFORMATION ACT REQUESTS FROM
THE GOVERNMENT THAT WOULD THEN
TAKE THEIR PRIVATE PROPRIETARY
INFORMATION PUBLIC.
AS IN THE SECURE I.T. ACT, THE
INFORMATION SHARING TITLE MUST
BE STRONG AND ENCOURAGE THE
PRIVATE SECTOR TO SHARE
INFORMATION AND IT MUST
ENCOURAGE THE GOVERNMENT TO
SHARE WITH THE PRIVATE SECTOR.
IT CANNOT CUT THOSE OUT WITH THE
MOST EXPERTISE IN THE AREA,
MEANING THE NATIONAL SECURITY
AGENCIES SHOULD NOT HAVE TO BE
SUBSERVIENT TO THE DEPARTMENT OF
HOMELAND SECURITY.
IN ADDITION, A FIVE-YEAR SUNSET
WOULD ALLOW CONGRESS TO REVISIT
THE ACT AND MAKE NEEDED CHANGES.
FISA HAS CERTAINLY SHOWN THAT
WITH A SUNSET, IT ALLOWS THE
FLEXIBILITY TO ADAPT TO NEW
ISSUES THAT ARISE AND STAY
CURRENT IN ITS PROCESSES TO DEAL
WITH CYBERSECURITY.
WE BELIEVE A FIVE-YEAR SUNSET
WOULD BE THE RIGHT TIME TO GET
THIS GOING, SET THINGS IN PLACE,
SEE WHAT WORKS AND SEE WHAT
NEEDS TO BE ADJUSTED.
I'M HOPEFUL THAT MY COLLEAGUES
AND I CAN COME TO A COMPROMISE
ON THIS CRITICAL ISSUE.
WE WANT A STRONG CYBERSECURITY
BILL.
WE WANT ONE THAT CAN PASS BOTH
HOUSES.
THE FIVE POINTS THAT I HAVE LAID
OUT COULD GET US TO A BILL THAT
WILL SIGNIFICANTLY TAKE THE
STEPS TO IMPROVE OUR NATION'S
CYBERSECURITY.
MR. PRESIDENT, I WOULD JUST LIKE
TO READ A COUPLE OF EXCERPTS
FROM A HERITAGE -- THE HERITAGE
FOUNDATION'S VIEWS OF THE BILL
THAT IS BEFORE US TODAY.
"CYBERSECURITY LEGISLATION WILL
LIKELY BE TAKEN UP BY THE SENATE
TOMORROW" -- THIS WAS WRITTEN
YESTERDAY.
"REGRETTABLY, THE IDEA THAT WE
JUST NEED TO DO SOMETHING ABOUT
CYBERSECURITY SEEMS TO BE
TRUMPING THE VIEW THAT WE NEED
TO DO IT RIGHT.
THE CYBERSECURITY ACT OF 2012,
AUTHORED BY SENATORS LIEBERMAN
AND COLLINS, SEEKS TO SOLVE OUR
CYBERSECURITY ILLS BUT ONLY
THREATENS TO MAKE THE SITUATION
WORSE.
THE VOLUNTARY NATURE OF THE ACT
BEFORE US, THE STANDARDS WITHIN
THE ACT BEFORE US, IS ALSO
QUESTIONABLE.
ANY VOLUNTARY STANDARD IS ONE
STEP AWAY FROM MANDATORY IN THE
BILL.
SENATOR LIEBERMAN HAS ALREADY
INDICATED THAT IF THE STANDARDS
AREN'T VOLUNTARILY USED, HE
WOULD MAKE -- HE WOULD PUSH TO
MAKE THEM MANDATORY.
EVEN MORE CONCERNING, SECTION
103-G OF THE ACT BEFORE US GIVES
CURRENT REGULATORS THE POWER TO
MAKE THESE VOLUNTARY STANDARDS
MANDATORY.
IT SPECIFICALLY AUTHORIZES THAT
ACTION.
IF A REGULATOR DOESN'T MANDATE
THE STANDARDS, THE REGULATORY
AGENCY WILL HAVE TO REPORT TO
CONGRESS WHY IT DIDN'T DO SO.
AGAIN, STRONG ENCOURAGEMENT TO
JUST MAKE THE STANDARDS
MANDATORY AND AVOID A
CONGRESSIONAL INQUISITION."
FINALLY, THE HERITAGE FOUNDATION
GOES ON TO SAY, "THE SHARING AND
ANALYSIS OF CYBERSECURITY THREAT
INFORMATION WAS WEAKENED BY
CONFINING CYBERSECURITY
INFORMATION EXCHANGES TO
CIVILIAN ORGANIZATIONS.
THOUGH IN AN IDEAL WORLD THE
DEPARTMENT OF HOMELAND SECURITY
WOULD HAVE THE CAPABILITY TO
LEAD OUR CYBERSECURITY EFFORTS,
IT CURRENTLY LACKS THOSE
CAPABILITIES AND NEEDS TO LEAN
ON MORE CAPABLE ORGANIZATIONS,
SUCH AS THE NATIONAL SECURITY
AGENCY.
THE RECENT CHANGES, HOWEVER,
GIVE D.H.S. MORE RESPONSIBILITY
THAN IT IS LIKELY ABLE TO
HANDLE -- TO HANDLE."
SO, MR. PRESIDENT, WE WILL
CERTAINLY MOVE FORWARD WITH THE
UNDERSTANDING THAT WE WILL HAVE
THE ABILITY TO OFFER AMENDMENTS
AND TRY TO MAKE THIS A WORKABLE
BILL.
IT IS CERTAIN THAT BECAUSE THE
COMMITTEE WAS NOT ABLE TO MARK
UP THE BILL, THAT YOU HAVE TO
HAVE THE AMENDMENTS TO TRY TO
PERFECT IT.
I WOULD VERY MUCH LIKE TO TAKE
THE FIRST STEP FORWARD IN
CYBERSECURITY, WHICH IS WHY,
ASSUMING WE HAVE THE RIGHT TO
AMEND, I WILL SUPPORT GOING TO
THE LEGISLATION SO THAT WE CAN
START THE AMENDMENT PROCESS NEXT
WEEK.
I THINK THAT THE PEOPLE WHO ARE
COSPONSORS OF MY LEGISLATION,
ALONG WITH SENATOR McCAIN,
SENATOR CHAMBLISS, SENATOR BURR,
SENATOR MURKOWSKI, SENATOR
COATS, SENATOR JOHNSON, WE WANT
TO MAKE SURE THAT WE DO THIS
RIGHT.
AS THE HERITAGE FOUNDATION HAS
SO APTLY SAID, WE DON'T WANT A
BIG, NEW REGULATORY SCHEME THAT
IS NOT GOING TO BE SUCCESSFUL IN
OUR EFFORTS TO IMPROVE THE
CYBERSECURITY SAFEGUARDS IN OUR
SYSTEM.
WE ARE THE RANKING MEMBERS OF
ALL BUT ONE OF THE RELEVANT
COMMITTEES.
WE KNOW THIS AREA.
WE DEAL WITH THE AGENCIES THAT
DEAL WITH CYBERSECURITY AND ALL
THE NATIONAL SECURITY IN OUR
COUNTRY AND WE KNOW WHAT CAN
WORK AND WE KNOW WHAT WE HAVE A
CHANCE TO PASS AND WE KNOW HOW
TO TAKE THE FIRST STEP FORWARD
WITHOUT ANOTHER BIG REGULATORY
OVERREACH THAT WE HAVE SEEN
HAPPEN IN THE LAST 3 1/2 YEARS
IN THIS ADMINISTRATION.
WE HOPE TO WORK WITH THE
MAJORITY, WITH THE
LIEBERMAN-COLLINS BILL AND COME
UP WITH SOMETHING THAT EVERYONE
WILL FEEL IS THE RIGHT STEP
FORWARD.
WE'D LIKE TO HAVE A BILL THAT
WOULD GET A LARGE NUMBER OF
VOTES RATHER THAN A VERY
LOPSIDED VOTE AGAINST IT.
SO, MR. PRESIDENT, I APPRECIATE
VERY MUCH THAT WE ARE NOW
BEGINNING TO DISCUSS THIS.
I'M APPRECIATIVE THAT WE HAVE
HAD SEVERAL MEETINGS WITH ALL
THE SIDES THAT HAD BEEN PUT
FORWARD WITH HAVING CONCERNS
WITH THE BILL THAT'S ON THE
FLOOR AS WELL AS ITS SPONSORS.
AND I HOPE WE CAN KEEP WORKING
TOWARDS A SOLUTION THAT WILL
PROTECT AMERICA AND DO IT IN THE