Majority Statement

• Chairman John Thune
  Read statement

  Majority Statement

  Chairman John Thune

  "Good morning and welcome. We are here today to examine the private sector’s experience working with the National Institute of Standards and Technology (NIST) to develop and utilize the “Framework for Improving Critical Infrastructure Cybersecurity,” and also to look forward to additional steps that can be taken to help improve our nation’s cybersecurity.
  
  "No country, company, or consumer is immune to cybersecurity threats. The United States faces a growing array of threats from hackers, criminals, terrorists, and nation-states who seek to gain access to sensitive or classified information. This also includes efforts to steal intellectual property or consumers’ personal information, deny the availability of normally accessible online services, or potentially sabotage the networks and control systems of critical infrastructure.
  
  "While cyber threats are not new, we saw a number of notable cyber events last year. In 2014, security flaws such as Sandworm, Shellshock, POODLE, and Heartbleed compromised millions of servers and systems. Attacks on point of sale systems sent ripples through the retail industry, not to mention the significant cyber hack on Sony Pictures.
  
  "In 2014, after a decade without passage of major cybersecurity legislation, Congress passed five cybersecurity bills that were signed into law. I am especially pleased that our Committee’s work on the Cybersecurity Enhancement Act of 2014, which I worked on with former Chairman Rockefeller was one of those bills the President signed into law.
  
  "Our Committee’s bill ensures the continuation of a voluntary and industry-led process for identifying cybersecurity standards and best practices for critical infrastructure – codifying elements of the successful process that NIST undertook to create its Cybersecurity Framework, and ensuring NIST’s continued involvement in this public-private collaboration.
  
  "The law also included important provisions for research and development, workforce development, and increased public awareness. It will help to protect the public and private sectors against the growing number of cyber threats from around the world by, among other things, strengthening and directing better cooperation across Federal agencies in research and development, improving our test beds and cloud computing security, and authorizing the National Science Foundation’s successful Cybercorps scholarships.
  
  "I am proud to note that Dakota State University in my home state is a leading institution of higher education in the area of cybersecurity. I appreciate that Dr. Josh Pauli, an Associate Professor of Cyber Security at DSU, has provided written remarks discussing that work, and I will submit that as part of the record.
  
  "I called today’s hearing primarily to hear from stakeholders about their experience with the NIST Framework. Released almost one year ago, the Framework provides a common language regarding security issues to facilitate discussions within a company between the technical IT security managers and senior management. While the Framework targets organizations that own or operate critical infrastructure, businesses across all sectors may find use of the Framework beneficial.
  
  "The success of the Framework thus far is due in large part to NIST’s collaborative relationship and engagement with the private sector. As a non-regulatory agency dedicated to promoting U.S. innovation and industrial competiveness in ways that enhance economic security, NIST has been a genuine partner and has successfully combined its technical expertise in standards with the know-how of the private sector to help advance the nation’s technology infrastructure.
  
  "Congress is now tasked with important questions about what actions the federal government should take next, including:
  
  o How do we assess the effectiveness of the Framework going forward?

  o What incentives do businesses and consumers need to improve their cyber defenses?

  o What type of cyber threat information sharing legislation is needed to help industry defend against more sophisticated cyber attacks?

  o What should we do to better secure our supply chain?

  o And what more can be done in related areas?
  
  "These questions are relevant to both the private and public sectors. According to the U.S. Government Accountability Office, “Federal agencies have significant weaknesses in information security controls…” Last year, I along with Senator Rockefeller sent letters to every agency under our committee’s jurisdiction asking targeted questions about the measures being taken to protect systems using unsupported operating systems, as well as compliance with the Federal Information Security Management Act. As Chairman, I will be continuing to conduct such oversight of agencies’ information security management.
  
  "While I am pleased that Congress took a positive step to improving our cybersecurity posture by passing a number of bills in December, I believe an absolutely necessary missing piece for this Congress is finally passing legislation to spur greater cyber threat information sharing. It is my hope that the Senate can find a path forward in this area soon. The hearing being held today underscores the seriousness of the threat and our commitment to passing information sharing legislation that did not get done last Congress."

Minority Statement

• Ranking Member Bill Nelson
  Read statement

  Minority Statement

  Ranking Member Bill Nelson

  Thank you, Chairman Thune, for holding this hearing today on where we stand as a nation on cybersecurity.

  The high-profile hack and release of internal emails within Sony Pictures, as well as recent high-profile breaches at large retailers, such as Target and Home Depot, should serve as a wake-up call for Americans.

  While these incidents have received the most attention, the reality is that they represent only a fraction of the cyberattacks our country faces every day.

  More troubling is the fact that these companies did not have adequate protections in place to prevent these attacks.

  Cyber attacks and data breaches have real consequences for American consumers and businesses.

  They’re painful for the American who has to juggle family responsibilities while trying to replace a credit card, get back the money that was taken from a compromised bank account, or reclaim his or her identity when it gets stolen.

  And, they’re costly for the businesses that have been hacked. Some studies estimate that cyber attacks cost businesses around the world as much as $400 billion a year.

  These cyber attacks also threaten our national security. Our electricity, drinking water, telecommunications systems, and other critical infrastructure are all vulnerable to cyber threats.

  Last February, National Institute of Standards and Technology (NIST) released a framework to help companies assess cyber risks and has since been working with the private sector to promote awareness and encourage its adoption.

  And I greatly appreciate the fact the NIST recently held its 6th Cybersecurity Framework Workshop in my home state last October at the University of South Florida.

  The work completed so far by NIST is undoubtedly a good first step.

  I’m sure we’re going to hear a lot of positive stories today and be assured that we’re making great progress.

  In addition, we will probably hear that we shouldn’t place any obligations of any kind on businesses to adopt strong cybersecurity standards.

  But as President Ronald Reagan used to say, “trust but verify.”

  And the problem right now is simple: As strong as the framework is, and as much as I trust that companies and industry sectors are working towards adopting it, there is no way to actually verify that progress.

  We really have no way to determine how rapidly and effectively companies are using the framework to strengthen their cybersecurity or whether companies are even implementing the framework at all.

  I want to know that American businesses are doing all that is reasonable and necessary to protect the American public and our national security from cyber attacks against our critical infrastructure.

  Unfortunately, we just don’t have enough information to make that assessment right now.

  And until then, the framework will never fulfill its potential.

  Let me close on this somber note.

  The next cyber attack is coming.

  It’s not a matter of “if” – it’s a matter of “when.”

  And when that attack comes, we can look back on today’s hearing and pinpoint whether or not we are seriously tackling the issue of cybersecurity.

  Until everyone – government and businesses – is on board and is collectively addressing cybersecurity with the urgency it deserves, we as a committee and as a Congress have not done our job.

  I hope today that we can begin a robust discussion of how we can do a better job of protecting our critical infrastructure and safeguarding consumers from cyber security threats.

  Thank you, Mr. Chairman.

Testimony

• Dr. Charles Romine

  Director of the Information Technology Laboratory

  National Institute of Standards and Technology, U.S. Department of Commerce
  Download Testimony (75.24 KB)

• Ms. Ann M. Beauchesne

  Vice President

  National Security and Emergency Preparedness Department, U.S. Chamber of Commerce
  Download Testimony (323.56 KB)

• Mr. Paul N. Smocer

  President of BITS

  Financial Services Roundtable
  Download Testimony (261.01 KB)

• Mr. Jefferson H. England

  Chief Financial Officer

  Silver Star Communications
  Download Testimony (143.44 KB)

• Dr. James Lewis

  Director and Senior Fellow, Strategic Technologies Program

  Center for Strategic & International Studies
  Download Testimony (109.83 KB)