“…does it make sense that we require one case of the measles to be reported to the government, but not a cyber attack that could result in the death of more than 2,500 people?”
WASHINGTON, D.C.—U.S. Senator Susan Collins spoke from the Senate floor this afternoon to urge support for the Cybersecurity Information Sharing Act of 2015. This bipartisan legislation would make critical reforms to bolster our nation’s cyber security.
From the Senate floor, Senator Collins stated that, “Nearly three months ago, the Senate was unable to find a path forward to adopt this important legislation. Since that time when the Senate refused to proceed, our country has continued to endure a wave of damaging and expensive cyber attacks. These incidents include the first major hack of Apple’s popular AppStore, the compromise of 15 million T-Mobile users due to a breach at Experian; and the exposure of data of up to 8,000 Army families due to improper procedures followed by the General Services Administration. For the Army families that were affected, this sensitive information included medical histories, Social Security numbers, and child daycare details.”
Senator Collins continued, stating that, “Today, I renew my support for this bill in light of the continuing state of cyber insecurity that affects information in the public and private sectors…While this bill promotes appropriate information sharing between the government and private sector, a good first step, it does little to harden the protection of federal networks or to guard the critical infrastructure we rely upon every day.”
To address this discrepancy, Senator Collins introduced two amendments to this legislation in order to further strengthen our nation’s cybersecurity.
The first amendment would “improve the security of sensitive data that is stored on the networks of federal civilian agencies,” in response to the recent cyber hack at the Office of Personnel Management. This amendment is based on the bipartisan legislation that Senator Collins introduced this July.
The second amendment “is aimed at protecting our country’s most vital critical infrastructure from cyber attack…The livelihood of almost every American depends upon critical infrastructure… the bare minimum we ought to do is to ask DHS and the appropriate federal agencies to describe what more could be done to prevent a catastrophic cyber attack on our critical infrastructure.”
Senator Collins’ remarks as prepared for delivery:
Ms. COLLINS. Madam President, I rise to speak in favor of the Cybersecurity Information Sharing Act of 2015 and to urge my colleagues to support this bill. Nearly three months ago, the Senate was unable to find a path forward to adopt this important legislation. Since that time when the Senate refused to proceed, our country has continued to endure a wave of damaging and expensive cyber attacks.
These incidents include the first major hack of Apple’s popular AppStore, the compromise of 15 million T-Mobile users due to a breach at Experian; and the exposure of data of up to 8,000 Army families due to improper procedures followed by the General Services Administration. For the Army families that were affected, this sensitive information included medical histories, Social Security numbers, and child daycare details.
Today, I renew my support for this bill in light of the continuing state of cyber insecurity that affects information in the public and private sectors.
Passing the Cybersecurity Information Sharing Act would make it easier for public and private sector entities to share cyber threat information in order to lessen the theft of trade and national security secrets as well as the compromise of personal information. It would eliminate some of the legal and economic barriers impeding voluntary two-way information sharing between private industry and government. It is a modest but essential first step to protect networks and their information.
While this bill promotes appropriate information sharing between the government and private sector, a good first step, it does little to harden the protection of federal networks or to guard the critical infrastructure we rely upon every day. Thus, I have introduced two amendments to further strengthen our nation’s cyber security.
The first amendment is directed at improving the security of sensitive data that is stored on the networks of federal civilian agencies.
The insecurity of federal databases and networks has been evident for years and is underscored by recent breaches. In June, more than 20 million current, former, and retired federal employees learned that their personal data were stolen from the poorly secured databases at the Office of Personnel Management (OPM). Since that time, we have learned that the personal emails of the Director of Central Intelligence have been hacked. We have learned from the State Department’s Inspector General that the State Department is “among the worst agencies in the federal government at protecting its computer networks.”
This substandard performance continued even as an adversary nation breached the Department’s email system last year. According to the IG, compliance with the federal information security standards remains “substandard” at the State Department.
This appalling performance in so many agencies and departments led to my introducing bipartisan legislation with Senators Warner, Mikulski, Coats, Ayotte, and McCaskill to strengthen the security of the networks of federal civilian agencies.
This legislation has five elements, but the most important provision would grant the Department of Homeland Security the authority to issue binding operational directives to federal agencies to respond in the face of a substantial breach or to take action in the face of an imminent threat to federal networks. Although the Secretary of Homeland Security is tasked with a similar responsibility to protect federal civilian networks, he has far less authority to accomplish this task than the Director of the NSA does for dot-mil networks. We can no longer ignore the damaging consequences of failing to address these issues.
Our amendment would fortify federal computer networks from cyber threats in other ways, and the key elements of our bill were incorporated into an amendment filed by Senator Carper that Senator Johnson, Senator Warner, and I have cosponsored.
Our amendment has been included in the managers’ substitute amendment, and I thank Chairman Burr and Vice Chairman Feinstein for their willingness to include these important provisions.
I also filed amendment #2623 to the cyber bill that is aimed at protecting our country’s most vital critical infrastructure from cyber attack. This bipartisan amendment was cosponsored by Senators Hirono, Warner, and Coats.
The livelihood of almost every American depends upon critical infrastructure that includes the electricity that powers our communities, the national air transportation system that moves passengers and cargo safely from one location to another, and the elements of the financial sector that ensure the $14 trillion in payments made every day are securely routed through the banking system.
The amendment would have created a second tier of mandatory reporting to the government for the fewer than 65 entities identified by the Department of Homeland Security where damage caused by a single cyber attack could likely cause catastrophic harm in the form of more than $50 billion in economic damage, 2,500 fatalities, or a severe degradation of our national security. In other words, only cyber attacks that could cause catastrophic results would fall under this reporting requirement.
For 99 percent of businesses, the voluntary information sharing framework established in this cyber legislation will be enough, and the decision on whether or not to share cyber threat information should rightly be left up to them.
A second tier of reporting is necessary, however, to protect the critical infrastructure that is vital to the safety, health, and economic well-being of the American people.
Under our amendment, the owners and operators of the country’s most critical infrastructure would report significant cyber attacks just as incidents of communicable disease outbreaks must be reported to public health authorities and the Centers for Disease Control and Prevention (CDC).
Think about the situation we have here: does it make sense that we require one case of the measles to be reported to the government, but not a cyber attack that could result in the death of more than 2,500 people?
The threats to our critical infrastructure are not hypothetical – they are already occurring in increasing frequency and severity. At a recent Armed Services Committee hearing on cybersecurity, Senator Donnelly asked the Director of National Intelligence, Jim Clapper, what the one cyber challenge was that he was most concerned about.
Director Clapper testified that it was a large-scale cyber attack against the United States’ infrastructure.
In light of this number one threat, how protected is our country? I posed that question to the Director of the National Security Agency, Admiral Mike Rogers.
His answer, on a scale of 1-10, was that we are at a “5 or 6”. That is a failing grade in protecting critical infrastructure -- no matter what curve we are grading on.
Although I am disappointed that the Senate will not consider the original amendment I filed, I want to thank Chairman Burr and Vice Chairman Feinstein for working with me on compromise language to begin to address the issue of cybersecurity risks that present such significant security threats to our critical infrastructure.
This new amendment, which is Section 407 of the managers’ amendment, requires the DHS Secretary to conduct an assessment of the fewer than 65 critical infrastructure entities at greatest risk and develop a strategy to mitigate the risks of a catastrophic cyber attack.
Let me again describe what we mean by “catastrophic” attack. It means a single cyber attack that would likely result in $50 billion in economic damage, 2,500 Americans dead, or severe degradation of our national security.
There are plenty of cyber threats that cannot be talked about in public because they are classified. But in light of the cyber threat to critical infrastructure described by Admiral Rogers and DNI Clapper in open testimony before the Congress, the bare minimum we ought to do is to ask DHS and the appropriate federal agencies to describe what more could be done to prevent a catastrophic cyber attack on our critical infrastructure.
By including these two provisions into the managers’ substitute amendment, we are strengthening the cyber defenses of our federal agency networks and the country’s critical infrastructure.
I urge my colleagues to support the managers’ amendment and the underlying bill.
By passing this long overdue legislation, we will begin the work of securing our economic and national security for the next generation.
I yield the floor, Madam President.