Sen. Hutchison: We are working towards a solution on cybersecurity
July 26, 2012
Washington, DC – U.S. Senator Kay Bailey Hutchison, Ranking Member of the Senate Commerce, Science, and Transportation Committee, today made the following statement on the floor of the Senate regarding her cybersecurity bill, SECURE IT:
Click here for video of speech.
“Mr. President, I have listened to the Senator from Connecticut and the presentation on the bill that I assume will be voted on today and I appreciate very much that we have had the meetings because there are really two bills that have been introduced, the Lieberman-Collins and that group's bills, and then I have legislation called the SECURE IT Act along with Senators McCain, Chambliss, Grassley, Coats, Johnson, and Burr. These are eight ranking members of the subcommittees and committees that have jurisdiction over cybersecurity, and we differ in a major way from the bill that is before us that is cosponsored by the Ranking Member of the Homeland Security Committee, but all of the other committees of jurisdiction ranking members are in disagreement.
“Now, the good news is we have been meeting to try to begin to work out the differences and see if we can move forward. Our bill, the SECURE I.T. bill, will be introduced as an amendment in the nature of a substitute if in fact we take up the bill today.
“And I would agree with what Senator Lieberman said right off the bat in that I believe as long as we have an open amendment process that we will vote to move to the bill. I don't think anyone in our group or anyone with whom I've talked wants to hold up dealing with cybersecurity.
“We know that America's systems could be under threat and some have been hacked into already. There are terrorists that seek to sabotage networks. There are just people who want access to proprietary information and intellectual property, and we need to protect our systems and our country against those attacks, which is why as long as we have an amendment process and we're not shut out from discussing this, we will vote to move forward to the bill.
“This bill was not marked up in committee. It did have a lot of hearings in the committee, but it wasn't marked up so amendments were not able to be introduced and discussed and voted on. Which makes it harder, as we all know, when you come to the floor with a bill where there are major disagreements and not have had the capability for the committee to take up the amendments and vote on them. So that's why I think we need to have the open amendment process and why we do want to move forward on the good faith that it will be open.
“Now, our bill, the SECURE IT Act, is centered on consensus items. It sets aside the controversial provisions that are of questionable need and it also is one that we believe we could work with the House to pass and send to the President. The bill that we have would greatly improve information sharing to and from and with government, with other private-sector industries in the same field, and we think that is the most important step that we could all take on a fairly quick basis and start the process of getting more security throughout our systems. But we must ensure also that the entities and government -- in government and industry share back and forth. It has to be a two-way street. Obviously, if an industry is going to share information about potential threats, it must get information from the governments that are doing the intelligence gathering on a quick basis if they see risks or they see problems in a system.
“Our bill also dramatically improves cybersecurity for federal agencies themselves. It does update the rules that govern cybersecurity, and it requires any government contractor to inform their agency clients if their clients' systems are under any kind of risk or attack. We think that is reasonable as a part of a government contracting requirement.
“Today, antitrust laws and liability concerns inhibit private companies from exchanging the information that is necessary to defend against and respond to cyber threats. If a company knows that it is going to be required or asked or encouraged to share with a competitor information about cyber threats, they've got to know that they're not going to be then hit with an antitrust lawsuit. I think that's pretty -- pretty clear. So our bill does address that.
“We make it very clear that there are antitrust immunities as well as most certainly immunity from a lawsuit if you meet the volunteer standards on a voluntary basis and you are audited to show that you have done what the standards have put forward as the best practices, then you would have a liability attack.
“So those are the things that we do that I think will open up the information sharing, which is the way that we believe it is important to move the next step. It -- it is also I think very important that we have the safeguards for privacy. I do believe the bill, the underlying bill, certainly protects privacy. So does our substitute. We have safeguards that protect the privacy and civil liberties of all Americans while we preserve the right to assure that we try to protect America in general from attack from the outside.
“We also in our bill improve the security of federal information systems and facilities to prosecute cyber crime. We want to beef up the criminals who are hacking in and potential terrorists that might to be able to prosecute against cyber crime as a disincentive to break the law.
“Our legislation finally, Mr. President, has broad industry support. The businesses in the private sector who know their systems best and who fight every day to protect their systems and networks believe that SECURE I.T. is the best way to go. We believe that without the cooperation of the business community, without a big regulatory morass, that is the way that we are going to get the most cooperation from the people who are running the networks and systems. I have letters of endorsement from the U.S. Chamber of Commerce, the National Association of Manufacturers, the American Fuel and Petrochemical Manufacturers, the American Petroleum Institute, the U.S. Telecom National Retail Federation, the Internet Security Alliance, and ask for consent to enter these letters into the record.
“Our bill also allows for the true collaborative effort. Now, the reason we're not supporting the bill that is on the floor today is because we believe that it does not do the priorities that we can pass and it does increase the mandates and the regulatory overkill in our opinion that will keep our companies from being able to move forward on an expedited basis to start protecting our systems.
“A priority of mine has been throughout this process that we help the private sector combat cyber attacks by breaking down the barriers to sharing information. If we could take that one step, we would be a long way toward assuring that we are increasing the security of all Americans. But the bill before us will actually undermine current information sharing between the government and the private sector. That bill's information sharing step -- title is a step backwards because it slows the transfer of critical information to our intelligence agencies and there's not sufficient protection from
antitrust.
“In addition, there is no consensus in the United States Senate to grant the Department of Homeland Security with broad new authority to impose burdensome regulations on the private sector. While I am pleased that our colleagues who are cosponsoring the bill that is before us have made an effort to move away from direct regulation of our nation's systems, it has a long way to go. While their bill allows the private sector to propose standards that are described as voluntary, the bill actually empowers federal agencies to make these voluntary standards mandatory. If an agency does not make the standards mandatory, it would have to report to congress why it had failed to do so. Well, that's a pretty big incentive for mandates to start being put on with regulations that will be required.
“I believe that there is a way forward. If the senate takes the well-reasoned and broadly supported provisions of the SECURE IT bill and puts them with a voluntary and industry-driven critical infrastructure protection title, we could pass a senate bill with overwhelming support.
“The key to reaching consensus has five parts. The cybersecurity standards must be developed by the private sector and must be truly voluntary. The relationship between government and the private sector in this area must be cooperative, not adversarial and not regulatory.
“The National Institute for Standards and Technology should be the convening authority for the private-sector standard setting process. The government can have a role in ensuring the standards are sufficient and it should, but it can't establish a regulatory regime that will lengthen and hamper the efforts to open information sharing. Companies -- and here's the incentive for the companies to do exactly what we're asking them to do -- companies that adopt the voluntary standards must receive robust and straightforward protections from liability as well as necessary antitrust and freedom of information act exemptions. If a company is going to turn over proprietary information to the government, they must be protected from Freedom of Information Act requests from the government that would then take their private proprietary information public.
“As in the SECURE I.T. Act, the information sharing title must be strong and encourage the private sector to share information and it must encourage the government to share with the private sector. It cannot cut those out with the most expertise in the area, meaning the national security agencies should not have to be subservient to the Department of Homeland Security.
“In addition, a five-year sunset would allow Congress to revisit the act and make needed changes. FISA has certainly shown that with a sunset, it allows the flexibility to adapt to new issues that arise and stay current in its processes to deal with cybersecurity. We believe a five-year sunset would be the right time to get this going, set things in place, see what works and see what needs to be adjusted.
“I'm hopeful that my colleagues and I can come to a compromise on this critical issue. We want a strong cybersecurity bill. We want one that can pass both Houses. The five points that I have laid out could get us to a bill that will significantly take the steps to improve our nation's cybersecurity.
“Mr. President, I would just like to read a couple of excerpts from a Heritage -- the Heritage Foundation's views of the bill that is before us today:
‘Cybersecurity legislation will likely be taken up by the Senate tomorrow" -- this was written yesterday. ‘regrettably, the idea that we just need to do something about cybersecurity seems to be trumping the view that we need to do it right.
‘The Cybersecurity Act of 2012, authored by Senators Lieberman and Collins, seeks to solve our cybersecurity ills but only threatens to make the situation worse. The voluntary nature the act before us, the standards within the act before us, is also questionable. Any voluntary standard is one step away from mandatory in the bill.
‘Senator Lieberman has already indicated that if the standards aren't voluntarily used, he would make -- he would push to make them mandatory. Even more concerning, Section 103-g of the act before us gives current regulators the power to make these voluntary standards mandatory. It specifically authorizes that action. If a regulator doesn't mandate the standards, the regulatory agency will have to report to congress why it didn't do so. Again, strong encouragement to just make the standards mandatory and avoid a congressional inquisition.’ finally, the Heritage Foundation goes to say, ‘The sharing and analysis of cybersecurity threat information was weakened by confining cybersecurity information exchanges to civilian organizations. Though in an ideal world the Department of Homeland Security would have the capability to lead our cybersecurity efforts, it currently lacks those capabilities and needs to lean on more capable organizations, such as the National Security Agency. The recent changes, however, give D.H.S. more responsibility than it is likely able to handle -- to handle.’
“So, Mr. President, we will certainly move forward with the understanding that we will have the ability to offer amendments and try to make this a workable bill. It is certain that because the committee was not able to mark up the bill, that you have to have the amendments to try to perfect it. I would very much like to take the first step forward in cybersecurity, which is why, assuming we have the right to amend, I will support going to the legislation so that we can start the amendment process next week.
“I think that the people who are cosponsors of my legislation, along with Senator McCain, Senator Chambliss, Senator Burr, Senator Murkowski, Senator Coats, Senator Johnson, we want to make sure that we do this right. As the heritage foundation has so aptly said, we don't want a big, new regulatory scheme that is not going to be successful in our efforts to improve the cybersecurity safeguards in our system. We are the ranking members of all but one of the relevant committees. We know this area. We deal with the agencies that deal with cybersecurity and all the national security in our country and we know what can work and we know what we have a chance to pass and we know how to take the first step forward without another big regulatory overreach that we have seen happen in the last 3 1/2 years in this Administration.
“We hope to work with the majority, with the Lieberman-Collins bill and come up with something that everyone will feel is the right step forward. We'd like to have a bill that would get a large number of votes rather than a very lopsided vote against it. So, Mr. President, I appreciate very much that we are now beginning to discuss this.
“I'm appreciative that we have had several meetings with all the sides that had been put forward with having concerns with the bill that's on the floor as well as its sponsors. And I hope we can keep working towards a solution that will protect America and do it in the right way. Thank you, Mr. President, and I yield the floor.”