
tv   U.S. Senate  CSPAN  February 22, 2012 2:28pm-5:00pm EST

2:28 pm
that otherwise would be created here. so when we talk about cybersecurity, there's a natural way in which people focus on the very real danger that an enemy will attack us from cyberspace. but as we think about how to grow our economy again, and create jobs again, i've come to the conclusion that this is actually one of the most important things we can do, to protect the treasures of america's intellectual innovation from being stolen by competitors abroad. last year, a very distinguished group of security experts, led by former department of homeland security secretary michael chertoff, and former defense secretary, bill perry, voting across both parties issued a stark warning, and i quote, the constant barrage of cyber assaults has inflicted severe damage to our national economic
2:29 pm
security as well as to the privacy of individual citizens. the threat is only going to get worse. inaction is not an acceptable option, end quote. i agree. the bill before us today is the product of hard work across both party lines and community jurisdiction allies. i want to thank my colleague, senator collins, commerce chairman, senator jay rockefeller, senator dianne feinstein, for all their hard and cooperative work in getting us to this point. we will be privileged to hear from all three of them shortly. i also want to thank senator carper was not here yet for a significant leadership, contributions, to this effort. and want to thank the witnesses who are here. we have chosen the witnesses deliberately because they hold different points of view on the problem and on the legislation, with crafted and the challenges we face and we look forward to their testimony.
2:30 pm
the sector to better secure those systems for their own defense and for national defense. in this bill assistance that will be asked to meet standards for defined as those who brought
2:31 pm
down or commandeered or lead to mass casualties or major population centers, the cause of financial markets significant degradation of national security. this is a tight high standard. identifying the systems that meet those standards the secretary of the department of homeland security under the legislation will work with the private sector, operators of the system to develop cybersecurity performance requirements. owners of privately operated -- owners discover they meet the requirements for whatever hardware or software they choose as long as it achieves the required level of security. department of homeland security will not be picking technological winners or losers. in my opinion there's nothing in the bills that would stifle innovation. the letter from cisco systems and two of the most prominent i.t. companies concludes, quote,
2:32 pm
a number of tools will enhance the nation's cybersecurity without interfering with the innovation and development processes of the american i.t. industry. if a company can show under our legislation to the department of homeland security that it already has high cybersecurity standards met then it will be exempt from -- failure to meet the standards will result in civil penalties that will be proposed by the department during the standard rulemaking common process. the bill also creates a streamlined and efficient cyberorganization which will work with existing federal regulators and the private sector to ensure that no rules or regulations are put in place that duplicate or are in
2:33 pm
conflict with existing requirements. the bill also important reestablished mechanisms between the private sector and federal government and among the private sector route raiders themselves. this is important because computer security experts need to be able to compare notes to protect us from this threat but the bill creates security measures and oversight to protect privacy and preserve civil liberties. the american civil liberties union says it offers the greatest privacy protection of any cybersecurity legislation that has yet to be proposed. i am going to skip over some of the other things the bill does and just go mention the process by which we reached this
2:34 pm
legislative proposal was very inclusive. we worked across committee lines and reached out to academics and civil liberty private and security experts for advice on many difficult issues that meaningful piece of cybersecurity legislation will need to address. literally hundreds of changes have been made to this bill as a result of their input. we think we struck the right balance. we want to mention briefly some things that are not in this bill. the so-called kill switch would allow the president to seize control of all or part of the internet in a national crisis. never was. we put exclamation point that
2:35 pm
people thought to include just wasn't worth it because of the urgent need for this bill. there's nothing in this bill that touches on the balance between intellectual property and free speech that so aroused public opinion over the proposed online privacy act. any members of congress, the posttraumatic stress syndrome since that happened. this is not the ultimate verification, and what concerned people -- mr. stewart baker, and
2:36 pm
testifying today in favor. they about using the internet as they do today. as a result, in outreach pursuant to it they will be better equipped to protect their own privacy and resources from cyberattack. a lot of people worked very hard in a very bipartisan way to face a real and present danger to our country that we cannot allow this moment to slip away. i feel strongly we need to act now to defend america cyberspace as a matter of national and economic security. >> let me first applaud you for your leadership -- as well as the leadership of two lead offs as senator rockefeller and
2:37 pm
senator feinstein who contributed so much to this issue and this bill. i personally thank him for holding this important hearing today. after the 9/11 attacks we learned of many early warnings that went unheeded including an fbi agent who warns that one day people would die because of the wall that law enforcement and intelligence agencies -- when a major cyberattack occurs the ignored warning would be even more glaring because our nation's vulnerability has been demonstrated by the daily attempts by nation states, terrorist groups, cybercriminals
2:38 pm
and hackers to penetrate our system. warning of our vulnerability to a major cyberattack comes from all directions and countless experts and they are underscored by the intrusions that already occurred. earlier this month the fbi director warned the cyberattack will surpass the threat from terrorism. he argued we should be addressing the cyberthreat with the same intensity we apply to the terrorist threat. director of national intelligence james clapper made a point even more strongly describing the cyberthreat as the profound threat to the future and the economy, it's very well being. in november the director forms
2:39 pm
malicious cyberattacks -- growing number of the systems with which we interact everyday. the electric grid. water treatment and plants. key financials and similarly keith alexander, commander of u.s. cybercommand and director of nsa says our cybervulnerabilities are extraordinary and characterized by a disturbing trend from the exploitation to destruction. these statements are the latest in a series of warnings from current and former officials and the threat as the chairman pointed out is not just to national security but our economic well-being. a norton's the recalculated the
2:40 pm
cost of global cybercrimes at $114 billion annually. when combined with the value of times victims' lawsuits, this figure grows to $388 billion. significantly more than the last market and cocaine and heroin combined. last month entitled china cybertheory, must be challenged and former dni mike mcconnell, former homeland security secretary michael chertoff and deputy secretary of defense william lynn noted the ability of cyberterrorists to cripple our critical infrastructure. and even more urgent alarm of
2:41 pm
economic espionage citing october of 2011 report by the office of counterintelligence these factors warned of a catastrophic impact cyberespionage, particularly bad pursued by china, could have on our economy and competitiveness. they estimated the cost means billions of dollars and millions of jobs. this rest is all the more menacing because it is being pursued by a global competitor seeking to steal the research and development of american firms to undermine our economic leadership. the evidence of cybersecurity vulnerability is overwhelming. it tells us to act now.
2:42 pm
some members have called for yet more studies. even more hearings. additional markups. more delay. the fact is. 2005 alone. ten hearings on cyberthreat including today's hearing is. commerce and the intelligence committee have helped many more. in 2011 chairman lieberman and reduce our cybersecurity bill which was recorded by this committee later that same year. since last year we have been working with chairman rockefeller and legislation that he champions which was reported by the commerce committee.
2:43 pm
senator feinstein -- groundbreaking work in information sharing which she has been kind enough to share with this committee as well. after incorporating changes based on the private sector, our colleagues and the administration we have produced a refined version which is the subject of today's hearing. and it is significant that three senate chairmen with jurisdiction over cybersecurity have come together on these issues and each day we fail to act the threat increases to our national and economic security. to focus narrowly on the federal information security management act as well as federal r&d and improved information sharing.
2:44 pm
we do need to address those issues and our bill sets up just that. with 85% of our nation's critical infrastructure owned by the private sector the government also has a critical role to play in the most valuable part, truly catastrophic consequences meet reasonable risk based performance standards. writings that are critical systems have remained and protected. some of our colleagues are skeptical about the need for any new regulations. i have opposed efforts to expand regulations that would burden our economy. but regulations that are
2:45 pm
necessary for our national security and that promote rather than hinder our economic prosperity. they're in an entirely different category. the risk-based performance requirements in our bill are targeted carefully. they apply only to specific systems and assets. not entire companies. if damage could result reasonably in mass casualties and the evacuations and catastrophic economic damages or severe degradation of our national security. some of the witnesses think we went too far in that direction. senator lieberman has described what the
2:46 pm
bill has described so i will not repeat that in the interest of time. let me just say this bill is urgent. we cannot wait to act. we cannot wait until the country has a catastrophic cyberattack and it would be irresponsible of congress not to pass legislation. to turf battles or claims by some businesses that we are somehow harming our economy. in fact what we're doing is protecting our economy and our way of life. thank you, mr. chairman. >> a very strong statement. three committee chairs with
2:47 pm
jurisdiction have come together, consider you as the co-chair of this committee. i was for and appreciate very much your contribution and we have senator rockefeller and senator feinstein here. i thank you for the work we have done together. it is a powerful statement that we agree on a consensus bill. i hope it enables us to move through the center. the majority leader is concerned about the threat and committed to giving this bill time on the floor as soon as possible. senator rockefeller, mr. chairman. we welcome your testimony. >> thank you. you are quite right about that. the thing that scares me more than anything is the fact the we had so many hearings and yet that was necessary to get to the agreements we come to and they are solid now. rock-solid.
2:48 pm
we still have to find the fourth time. this is not going to be an easy time to do that. pressure is on this congress and the house and the senate to come through on this in the face of all this danger, is huge and not yet guaranteed. our government needs a civilian agency to coordinate our civilian cybersecurity efforts and that agency should be the department of homeland security. under the leadership of secretary napolitano. artwork that both of you have said, three senate committees, that is as it should be. we have eagerly sought as you mentioned and received constructive criticism and input. i can remember giving a speech two years ago, a business group preventing ideas that we had for
2:49 pm
this. even when people refuse to engage with us, there has been that even within the senate. refused to discuss with our staff doesn't mean we don't take their suggestions. we have done that. we don't want to engage that is okay. that put them in and make a stronger bill. beyond this, a bill reflects the input assistance for request of senators on both sides of the aisle as it should be which gives me hope for final passage. my co-author, the conference reported last year, the lieberman column, both with major imprints on this bill. senator hutchison and her staff worked with us in the past three
2:50 pm
years. i call her co-chair too incidentally and we tried hard to adjust her specific concerns. we have in fact met most of her concerns. we stopped to engage with senator bond in the same fashion. at some point, staff had some discussion and did make a difference. we were interested in what they have and something good with what they had we put in the bill. we wanted in the bill for past and future tests combined -- senator whitehouse contributed to the entire title of cybersecurity awareness. they did the same on the title regarding diplomacy. because of senator mccain's concerns we amid -- cyberoffice.
2:51 pm
when colleagues and ongoing questions that we believed extremely important to be extremely important i agreed to drop it from the bill. this would clarify private sector companies existing requirements. pertaining to cyber have to be disclosed to sec filings. as you know charney point out of frustration i went to the sec and mary schapiro greeted your hacked into a company it goes on the web site and that had a substantial impact. i believe this provision is crucial to the markets to help solve our cybervulnerability is and wait for an amendment on the floor as it should be. that is the way the system works. dominion trust of providing more time to address questions i agree to take out of the bill that we introduced this week. any suggestion that this process
2:52 pm
has been anything but open and transparent is false. this has been an open process. why do we worked so tirelessly to include views from all sides? why do we try to get this right? our country and communities and citizens are at grave risk. they simply are. i am not sure if they are aware because so many things are reported in the news cycle that diminish the overall aggregated weight of the danger. our citizens have to be aware it is not a republican or democrat issue. it is a life or death issue for the economy and for us as people. i want to be clear the cyberthreat is very real. this is not alarmist. it is hard to talk about this without seeming alarmist and yet it simply reflects the truth. hackers supported by governments
2:53 pm
of china and russia and sophisticated criminal syndicates and connections to terrorism are now able to crack government agencies including defensive ones and the fortune 500. they can do that and they do that on a regular basis. senator collins mentioned what mike mullins said. voluble positions. that is not the end of the problem. the reason this cyberthreat is a life or death issue is the same reason a burglar in your house is a life-and-death issue. if a criminal has broken into your home how the know what you want us to do? is it something more? he is in the building, in your home. that is where we are now in terms of the country. that is the situation we face.
2:54 pm
cyberburglars have thrown in what senator collins indicated. the only other threat on the same level, the stockpile of nuclear weapons. fbi director -- the first thing after 9/11 we had to pass sadly, bill haas saying of the cia and fbi could talk to each other. how pathetic could that be? that is where we were because of stovepipes and things of that sort. director mueller testified to congress recently the cyberthreat will overcome terrorism as his top national security emphasis. it is very serious. you can't exaggerate it. it could happen. so that you think about how people could die. a terror attack on air traffic control, just before this
2:55 pm
hearing. people love soupy weather. they can see above or below. pilots don't like it. they're protected because of the air-traffic control system. the situation will prevail. hackers can take that out. a city or group of cities and take out that capacity so the planes are flying in the dark and it will fly into each other and kill a lot of people and people have to understand that. rail switching and networks are hacked causing trains which carry toxic materials through major cities. could be a massive explosion from that. we are on the brink of similar happening is. that is one of our problems. in getting legislation passed.
2:56 pm
let me just close by saying i was on the intelligence committee during time leading up to 2001 and the world was rife with reports of people coming in and going out of our country. dots here and there that appeared to be connected but were not quite sure. all of that was up there? what about the closing of the osama bin laden unit? all of that was there and the national security apparatus, working very hard on that. they took us seriously but didn't get deep enough because it was a new phenomenon. we're in a similar situation. it is already with us. more obvious than the lead up to 2001 was. we have to act.
2:57 pm
we do not have the luxury of waiting to see and develop. we have to act. congress has to assert itself. the federal government has roles. this is not a heavy-handed thing. the federal government is involved because it is a matter of national security and i wait to work with anybody and everybody to get this passed through both houses of the senate. >> thank you, senator rockefeller. that was great. welcome and thank you again. you have contributed immensely on the information sharing section of the bill and bringing all the expertise and intelligence of the senate committee on intelligence. >> thank you, mr. chairman and senator collins and senator landrieu. i look at this as a banner case. the senate is coming to the. we were selling one bill.
2:58 pm
this is the bill. if it needs improving we will improve it but we have a focus now and with a focus we can hopefully move forward. i want to thank you for your hard work for the dozen hearings you have held and all the offers for consultations that you have placed to us. let me speak for a moment on behalf of what i do in the intelligence committee. we have examined cyberthreats to our national and economic security. just last month that the worldwide threat hearing which is an open hearing we heard fbi director bob mueller testified the cyber threat that cuts across all programs will be the number-1 threat to the country and already cyberthreats are doing great damage to the united states and the trend is getting worse. let me give you four examples. we know about these when they
2:59 pm
happen but they are often classified because the people they happened to don't want it released because their clients will think badly of them and of course it is not their fault. but nonetheless i think it is fair to say that the pentagon networks are being probed thousands of times daily and classified military computer networks have suffered a significant compromise in 2008 and that is according to former deputy defense secretary bill lynn.
3:00 pm
>> finally, an unclassified report by the intelligence community in november 2011 said cyber intrusions against united states companies cost untold billions of dollars annually. and that report named china and russia, as aggressive and persistent cyberthieves. modern warfare is already employing cyberattacks. as seen in estonia and georgia and, unfortunately, it may only be a matter of time before we see cyber attacks that can cause catastrophic loss of life, whether by terrorists or state
3:01 pm
adversaries. our enemies are constantly on the offensive. and in the cyber domain it is much harder for us to play defense than it is for them to attack. the hard question is, what do we do about this dangerous and growing cyberthreat? i believe the comprehensive bill that has been introduced, the cybersecurity act of 2012, is an essential part of this answer. i'd like to speak briefly on the cybersecurity information sharing bill that i introduced on monday and that you have included in title vii in your legislation. the goal of this bill is to improve the ability of the private sector and the government to share information on cyber threats that both sides need to improve their defenses. however a combination of
3:02 pm
existing law, the threat of litigation, and standard business practices, has prevented or deterred private sector companies from sharing information about the cyber threats they face and the losses of information and money they suffer. we need to change that through better information sharing, and in a way that companies, protect privacy interests and that takes advantage of classified information without putting that information at risk. so here's what we have tried to do in title vii. one, affirmatively provide private sector companies that authority to monitor and protect the information on their own computer networks. two, encourage private companies to share information about cyber threats, with each other, by providing a good faith defense
3:03 pm
against lawsuits for sharing or using that information to protect themselves. three, require the federal government to designate a single focal point for cybersecurity information sharing. we refer to this as a cybersecurity exchange, to serve as a hub for appropriately distributing and exchanging cyberthreat information between the private sector and the government. this is intended to reduce government bureaucracy, and make the government a more effective partner in the private sector. but with protections to ensure that private information is not misused. this legislation provides no new authority for government surveillance. fourth, we establish procedures for the government to share classified cybersecurity threat information with private companies that can effectively
3:04 pm
use and protect that information. this, we believe, is a prudent way to take advantage of information that the intelligence community acquires without putting our sources and methods at risk, or turning private cybersecurity over to our intelligence apparatus. i'd like to raise just one issue of something that is not yet included in this bill, and that's data breach notification. this is an issue i worked on for over eight years since california has a huge data breach, that we own and certainly found out about that had literally hundreds of thousands of data breaches. it's an urgent need. i have a bill called the data breach notification act, it's come out of the judiciary committee, and it acknowledges what in my view are the key goals of any data breach
3:05 pm
notification legislation. one, notice to individuals who will better be able to protect themselves from identity theft. two, notice to law enforcement which can connect the dots between breaches and cyber attacks, and three, and this is important, preemption of the 47 different state and territorial standards on this issue. this is a real problem. we have 47 different laws in this country. it makes it very difficult for the private sector. companies will not use these objectives to conflicting regulation if there is one basic standard across the country. i know that senators rockefeller and pryor have a bill in the commerce committee, and that senators leahy and blumenthal have their own bill that also will -- were recorded out of the judiciary committee. but the differences in our
3:06 pm
approaches are not so great that we can't work them out, and i'm very prepared to sit down with members of this committee, with senator rockefeller and others to find a common solution. but i would really implore you to add a data breach prevention across the united states so that there is one standard for notification, to an individual, a data breach, of communication with law enforcement that goes all across america. until we have that we really won't have a sound data breach system. let me just thank you. i think we are on our way. i'm really so proud of both of you and this committee for coming together, and i think it's a banner day. so thank you very much. >> thanks very much, senator feinstein. we could have done it without you. thanks for your testimony. i'm personally very supportive
3:07 pm
of your aims with the data breach proposal, and i look forward to working with you, as you say, the others have bills, to see if we can find a way to include that in this proposal when it comes to the floor. >> thank you very much. >> thank you very much. >> thank you. >> have a good rest of the day. and now, madam secretary i hate to break up a conversation between the current secretary and the first secretary, but -- we almost had the trifecta of the three secretaries of the department of homeland security here today. secretary chertoff wanted to testify, had a previous commitment, and has i will say filed his statement for the record, stronger in support of the legislation. secretary napolitano, thanks very much for being here, for all the work and you and people in department have done to help
3:08 pm
us come to this point with this bill. we welcome your testimony now. >> well, thank you chairman lieberman, ranking member collins, members of the committee. pleased to be here today to discuss the issue of cybersecurity and in particular the department's strong support for the cybersecurity act of 2012. i appreciate this committee's support of the cybersecurity efforts. your sustained attention to this issue and the leadership you have shown in bringing a bill forward to strengthen and improve our cybersecurity authorities. i also appreciate and want to emphasize the urgency of this situation. indeed, the contrast between the urgent need to respond to the threats we face in this area on the one hand, and the repressed desire for more deliberation and sensitivity to regulatory burdens on the other, reminds me as several of you have suggested of lessons we learned from the 9/11 attacks. as the 9/11 commission noted,
3:09 pm
those attacks resulted in hindsight from a failure of imagination. because we failed to anticipate the vulnerabilities of our security infrastructure. there is no failure of imagination when it comes to cybersecurity. we can see the vulnerabilities. we are experiencing the attacks and we know that this legislation would materially improve our ability to address the threat. no country, industry, community or individual is immune to cyber risk. our daily lives, economic vitality and national security depend on cyberspace. a vast array of independent i.t. network systems services and resources are critical to communication, travel, powering our homes, running our economy, and obtaining government services. cyber incidents have increased dramatically over the past decade. there have been instances of theft, compromise of sensitive
3:10 pm
information from both the government and private-sector networks, and all of this undermines confidence in these systems and the integrity of the data they contain. combating evolving cyber threats is a shared responsibility that requires the engagement of our entire society. from government and law enforcement to the private sector, and most importantly, with members of the public. dhs plays a key role in this effort, both in protecting federal networks and working with owners and operators of critical infrastructure to secure their networks through risk assessment, mitigation, and incident response capability. in fy 2011, our u.s. teams at dhs received over 106,000 incident reports from federal agencies, critical infrastructure, and our industry partners. we issued over 5200 actual cyber alerts that were used by private
3:11 pm
sector and government network administrators to protect their systems. we conducted 70 assessments of control assisted into the and made recommendations to companies about how they can improve their own cybersecurity. we distributed 1150 copies of our cyber if i wished tool your conduct in over 40 training sessions, all of which makes owners and operators better equipped to protect their networks. to protect federal civilian agency networks went up on technology to detect and block intrusions of these networks, in collaboration with the department of defense. we are providing guidance on what agencies need to do to protect themselves and are measuring implementation of those efforts. we are also responsible for coordinating the national response to significant cyber incidents, and for creating and maintaining a common operational picture for cyberspace across the entire government.
3:12 pm
with respect to critical infrastructure, we work with the private sector to help secure the key systems upon which americans, including the federal government, rely, such as the financial sector, the power grid, water systems and transportation networks. we pay particular attention to industrial control systems, which control processes out our plans and transportation systems alike. last year we deployed seven response teams in such critical infrastructure organizations at the request in response to the important cyberintrusion. to combat cyber crime we leveraged the skills and resources at dhs components such as the secret service, ice and cbp. we work very closely with the fbi. dhs serves as the focal point for the government cybersecurity outreach and public awareness efforts. as we perform this work where mindful that one of our missions
3:13 pm
is to ensure that privacy, confidentiality and civil liberties are not diminished by our efforts. the department has implemented strong privacy and civil rights and civil liberties standards in all its cybersecurity programs and initiatives from the outset, and we are pleased to see these in the draft bill. now, administration of private-sector reports, going back decades and laid outsiders agree strategies and highlighted the need for legal authorities. in addition to other statute, the homeland security act of 2002 specifically directed dhs to enhance the security of nonfederal networks by providing analysis and warnings, crisis management support, and technical assistance to state and local governments, and the private sector. policy initiatives have had to supplement the existing statutes. these initiatives strike a common chord. indeed, this administration cyberspace policy review in 2009
3:14 pm
at code in large part a similar review by the bush administration. and we've had numerous contributions by private sector groups, including that csis study led by jim lewis, one of the witnesses today. still, dhs executes its portion of the federal cybersecurity mission under an amalgam of authorities that have failed to keep up with the responsibilities with which we are charged. to be sure, we have taken significant steps to protect against evolving cyber threats, but we must recognize that the current threat outpaces our existing authorities. our nation cannot improve its ability to defend against cyber threats unless certain laws that govern cybersecurity activities are updated. we've had many interactions with this committee, with the congress, to provide our perspective on cybersecurity. indeed, in the last two years,
3:15 pm
department representatives have testified in 16 committee hearings, and provided 161 staff briefings. we have had -- we have had much bipartisan disagreement. in particular many would agree with the house republican cyber task force, which stated that quote, congress should consider carefully targeted directives for limited regulation of particular critical infrastructures to advance protection of cybersecurity. the recently introduced legislation contains great commonality with the administration's ideas and proposals, including two crucial concepts that are essential to our efforts. first, addressing the urgent need to bring core critical infrastructure to a baseline level of security, and second, fostering information sharing which is absolutely key to our security efforts. all sides agree the federal and private networks must be better protected, and that information
3:16 pm
should be shared more easily, yet still more securely. both our proposal and the senate legislation would provide dhs with clear statutory authority commensurate with our cybersecurity responsibilities, and remove legal barriers to the sharing of information. senate bill 2105 would expedite the adoption of cybersecurity solutions by the owners and operators of critical infrastructure and give businesses, states and local governments the immunity they need to share information about cyber threats or incidents. there's broad support as well for increasing the penalties for cybercrime, and for creating a uniform data breach reporting regime to protect consumers. this proposal would make it easier to prosecute cybercriminals and establish national standards requiring businesses and core infrastructure that have suffered an intrusion to notify those of us who have the
3:17 pm
responsibility for mitigating and helping them mitigate it. i hope that the current legislative debate maintains the bipartisan tenor it has benefited from so far, and builds from the consensus that spans two administrations and the committee's efforts of the last several years. let me close by saying that now is not the time for half measures. as the administration has stressed repeatedly, addressing only a portion of the needs of our cybersecurity professionals will continue to expose our country to serious risk. for example, only providing incentives for the private sector to share more information will not in and of itself adequately address critical infrastructure vulnerabilities. and let us not forget that innumerable small businesses rely on this critical infrastructure for their own survival. as the president noted in the state of the union address, the american people expect us to
3:18 pm
secure the country from the growing danger of cyber threats and to ensure the nation's critical infrastructure is protected. and as the secretary for homeland security, i strongly support the proposed legislation because it addresses the need, the urgency and the methodology of protecting our nation's critical infrastructure. i can think of no more pressing legislative proposal in the current environment. i want to thank you again for the important work you have done, and i look forward to answering the committee's questions.
>> thanks very much, madam secretary. we'll do a six-minute round of questions because we have a large number on the following panel. i know some people have to leave. madam secretary, let me get right to one of the issues that has been somewhat in contention, which is that there's some people who have said that the expanded authority here, particularly that related to cyber infrastructure owned and
3:19 pm
operated by the private sector, would be better handled by the department of defense, or the intelligence community. in other words, they should take the lead in protecting federal civilian networks. i wonder if you would respond as to why you think the department of homeland security, with the authority we give them, is better prepared to take on this critical responsibility?
>> well, several points. first, the department of homeland security, as i stated, already is exercising authorities in the civilian area, working with the private sector, working with federal civilian agencies. so that's a space we are already filling and continue to grow our capacity to fill. second, military and civilian authorities and missions are different, and there are significant differences. for example, in the privacy protections that we employ
3:20 pm
within the exercise of civil jurisdiction. and then finally, i would note that both dod and dhs use the technological expertise of the nsa. we are not proposing and have never proposed that two nsa's be created, rather that there be two different lines of authority that emanate using the nsa, one of course for civilian, one for military.
>> that's a very important factor. i want to come back to that in a minute, but one of the opinions expressed to the committee as we face the challenge and decide which part of our government should be responsible for responding was that there would probably be very deep and widespread concern among the public if we, for instance, asked
3:21 pm
the national security agency or the department of defense to be directly in charge of working with the privately owned and operated cyber infrastructure. and particularly within nsa there would be a concern about privacy and civil liberties concerns. does that make sense to you?
>> i've heard the same concerns. they do make sense, and, indeed, when secretary gates and i, by memorandum of understanding, kind of figured a division of responsibility and that we are each going to use the nsa, one of the things we were careful to elevate was a discussion of the protections of privacy, civil liberties, and make sure that to the extent we have people over at the nsa, that they are accompanied by people from our office of privacy, office of general counsel, to make sure those protections are abided by.
>> right.
3:22 pm
i'm glad you mentioned that memorandum of understanding between the department of homeland security and the nsa, because i want to make this point. i -- senator mccain and i codified that in law, the memorandum of understanding, in the national defense authorization act that was passed at the end of last year. but that memorandum doesn't, let me put it this way, doesn't preempt the need for this legislation. in other words, that memorandum doesn't allocate responsibility with regard to working with the private sector, having the authority to require the private sector to take steps to defend themselves and our country from cyber attack, is that right?
>> that's right, mr. chairman. it's a memorandum that describes the kind of division of how we would each use the resources of the nsa. but it doesn't deal with the protection of core critical infrastructure, the way that the bill does.
3:23 pm
it doesn't deal with the private sector at all the way that the bill does. it doesn't deal with information exchange the way the bill does. so it really was designed to make sure that at least with respect to how we each use the nsa, we had some meeting of the minds.
>> so there's nothing in your opinion inconsistent between the memorandum of understanding between dhs and nsa, and the cybersecurity act of 2012?
>> oh, not at all.
>> i'm pleased to note for the record that in testimony earlier this week, secretary of defense panetta and chairman of the joint chiefs of staff general dempsey both endorsed this legislation. and then this morning before the armed services committee, the director of national intelligence clapper, and general burgess, the head of the defense intelligence agency, also endorsed the legislation. both of those expressions of support were unexpected by
3:24 pm
senator collins and me, and, therefore, all the more appreciated. i wanted to ask you this question. dhs's industrial control systems cyber emergency response team has played a critical role in providing support to the owners and operators of critical infrastructure. can you describe some of their capabilities and the work that they've done to assist private entities?
>> well, what they have done is to help isolate and identify, when they have been notified of attacks on industrial control systems, to help identify the source of the attack and the methodology with which it was conducted, to work with the infiltrated entity to prepare a patch, and to make appropriate disclosure, or sharing of information, to other control systems that could be subject to a similar attack, either in a particular industry or in other
3:25 pm
industries.
>> so on a voluntary basis, if we can put it this way, dhs has developed the capability and relationships in working with the private sector that would be strengthened by this legislation?
>> yes. we have, since the passage of the national institution protection act, infrastructure protection act, in 2006, we have been working with critical infrastructure through their sector coordinating councils -- a lot of names, what it basically means is we have a process in place for dealing with the private sector, and for exchanging some information on a voluntary basis. but that doesn't mean we get all of the necessary information we need from core critical infrastructure. that's one of the problems the bill addresses.
>> thanks very much. my time is up. senator collins?
>> thank you, mr. chairman. madam secretary, to follow up on the question that the chairman
3:26 pm
asked you, it's my understanding that dhs has unique expertise in the area of industrial control systems that is not replicated in any other government agency, is that correct?
>> yes.
>> and that's important because industrial controls -- control systems are a key part of critical infrastructure, like the electric grid, water treatment plants. is that also correct?
>> yes, and when you think about it, if you have the ability to interrupt the control system, you can take down an entire protected network. you can interfere with all of the activities there. and the attacks on control systems are growing more and more sophisticated all of the time.
>> and could you tell us about work that is being done by dhs
3:27 pm
with your ics-cert team and national lab with respect to the u.s. electric grid?
>> yes. we are working in both of those capacities with the national lab, with the grid, in terms not only of mitigating attacks that occurred, but also preventive measures that they can employ.
>> so you are doing training as well, and helping the critical infrastructure owners and operators identify vulnerabilities?
>> that's correct.
>> it's my understanding that in january, the administration transferred the defense department's defense industrial base cyber pilot program from dod to dhs. this is the program that is known as the dib pilot.
>> that's correct.
3:28 pm
>> it shared classified cyber threat indicators with defense contractors in an effort to better defend systems that contain information critical to the department's programs and operations. i understand that dhs is now the lead for coordinating this program with the private sector, and that it is being expanded to other critical infrastructure sectors. could you tell the committee why the administration decided to transfer this pilot program from dod to the department of homeland security?
>> well, the d.i.b. pilot really gets to the division of responsibility between military and civilian, and what we are talking about here are basically private companies that do important defense contracting work. but they are innocent private
3:29 pm
companies. and so the authorities and the laws that we use are better situated in dhs, which deals in this context as opposed to dod. so we've been working with dod from the outset on the design of the d.i.b. pilot, have been working with them on the initial, the initial aspects of it, and now the decision was made to extend it and to grow it, and also that it's more appropriately located within dhs.
>> the bill provides the authority to dhs to set risk-based performance standards for critical infrastructures. do you believe that we can achieve great progress in improving our cybersecurity in this country?
>> i think it makes it, it makes
3:30 pm
it tougher. we have, as i said in my testimony, you know, the basic authority under the homeland security act, we have authorities by various presidential directives, but nowhere do we have explicit authority to establish on a risk-based level, on a risk-based basis, the protection necessary for critical infrastructure.
>> finally, i think that a lot of people are unfamiliar with a lot of the work that the department has already done in the area of cybersecurity, including the fact that there is a 24-hour, seven-day-a-week national cybersecurity and communications integration center. i believe it is called --
3:31 pm
>> could you explain to the committee and those watching this hearing how the center operates and what it does with respect to the private sector?
>> yes, it is really an integrated 24/7 watch center for cyber. and it includes on its floor not only dhs employees but representatives from other federal agencies, from critical infrastructure sectors that coordinate with us through the net -- a lot of acronyms in the cyber world, and a government worker in -- and finally it also has representatives from state and local governments as well, because a lot of the information sharing is applicable to them.
>> thank you. thanks, mr. chairman.
>> thanks very much, senator collins. senator mccain.
>> mr. chairman, and madame co-chairman, thank you for holding this hearing on the long-awaited cybersecurity act of 2012.
3:32 pm
obviously i welcome all of our witnesses, including secretary napolitano and my old friend governor ridge, who will have some different aspects and views on this bill, including in his testimony. i'd like to state from the outset my fondness and respect for the chairman and ranking member, especially when it comes to matters of national security. so the criticisms i may have with the legislation should not be interpreted as criticism of them, but rather of the process by which the bill is being debated, and its policy implications. all of us recognize the importance of cybersecurity in the digital world. time and again you've heard from experts about the importance of possessing the ability to effectively prevent and respond to cyber threats. we've listened to accounts of cyber espionage originating in countries like china, organized cybercriminals in russia, and rogue outfits with domestic presence like anonymous.
3:33 pm
and our own government accountability office has reported that over the last five years cyber attacks against the united states are up 650%. so all of us agree that the threat is real. it's my opinion that congress should be able to address this issue with legislation a clear majority of us can support. however, we should begin with a transparent process which allows lawmakers and the american public to let their views be known. unfortunately, the bill introduced by the chairman and ranking member has already been placed on the calendar by the majority leader without a single markup or any executive business meeting by any committee of relevant jurisdiction. my friends, that's wrong. to suggest this bill should go directly to the senate floor because it, quote, has been around since 2009 is outrageous. first, the bill was introduced two days ago. secondly, where do the senate rules state that progress
3:34 pm
in a previous congress can supplant the necessary work on that bill in the present? in addition, in 2009 we were in the 111th congress with a different set of senators. for example, the minority of this committee has four senators who were not even in the senate, much less this committee, in 2009. how can we seriously call it a product of this committee without their participation in committee executive business, respectively? to treat the last congress as a legislative mulligan by bypassing the committee process, and bringing the legislation directly to the floor, is not the appropriate way to begin consideration of an issue as complicated as cybersecurity. in addition to these concerns i have policy issues with the bill. a few months ago, as senator lieberman mentioned, he and i introduced an amendment to the defense authorization bill codifying an existing cybersecurity memorandum of
3:35 pm
agreement between the department of defense and the department of homeland security. the purpose of the amendment was to ensure that this relationship endures and highlight that the best governmentwide cybersecurity approach is one where dhs leverages, not duplicates, dod's efforts and expertise. this bill unfortunately, this legislation unfortunately backtracks on the principles of that amendment by expanding the size, scope, and reach of dhs and neglects to afford the authorities necessary to protect the homeland to the only institutions currently capable of doing so, u.s. cyber command and the national security agency. at a recent fbi-sponsored symposium, general alexander, the commander of u.s. cyber command and the director of the nsa, stated that if a significant cyber attack against this country were to take place, there may not be much that he and his team in either
3:36 pm
cyber command or nsa can legally do to stop it in advance. according to general alexander, quote, in order to stop a cyber attack you have to see it in real time, you have to have those authorities. these are the conditions we put on the table. now, how and when the congress chooses that will be a policy decision. this legislation does nothing to address this significant concern. and i question why we have yet to have a serious discussion about who is best suited, which agency, who is best suited to protect our country from this threat. we all agree it's very real and growing. additionally, if the legislation before us today were enacted into law, unelected bureaucrats in dhs would promulgate prescriptive regulations on american businesses which own roughly 90% of critical cyber infrastructure. the regulations that would be created under this new authority would stymie job creation, blur the definition of
3:37 pm
private property rights, and divert resources from actual cybersecurity to compliance with government mandates. a super regulator like dhs under this bill would impact free market forces which currently allow our brightest minds to develop the most effective network security solutions. i'm also concerned about the cost of this bill to the american taxpayer. the bill before us fails to include any authorizations or attempt to pay for the real cost associated with the creation of a new regulatory regime at dhs. this attempt to hide the cost is a glimpse by gravity assessment of critical infrastructure, the promulgation of regulations and their enforcement will take a small army. finally, i'd like to find out over the next few days what specific factors went into providing regulatory carveouts for the i.t. hardware and software manufacturers. my suspicion is that this had more to do with garnering
3:38 pm
political support and legislative bowling than sound policy considerations. however, i think the fact that such carveouts are included only lends credence to the notion we should be taking the regulatory approach in the first place. because of provisions like these and the flawed process, myself, seven of us, ranking minority members of seven committees, will be introducing and are left with no choice but to introduce an alternative cybersecurity bill in the coming days. the fundamental difference in our alternative approach is we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations. our bill, which will be introduced when we return after the presidents' day recess, will provide a commonsense path forward to improve our nation's cybersecurity defenses. we believe that by improving information sharing among the
3:39 pm
private sector and government, updating our criminal code to reflect the threat cybercriminals pose, reforming the federal information security management act, and focusing federal investments in cybersecurity, our nation will be better able to defend itself against cyberattacks. after all, we're all partners in this fight as we search for solutions. our first goal should be to move forward together. and i also would ask to enter into the record a letter signed by senator chambliss, and myself, ranking member on armed services, jeff sessions, ranking member on finance, congressman enzi, ranking member on health, kay bailey hutchison, ranking member on the commerce committee, lisa murkowski, ranking member on the energy committee, and chuck grassley, ranking member of the finance committee, which is to senator reid, in which we have asked that
3:40 pm
the legislation go through the regular process with the committees of jurisdiction having a say in this process. so, i thank you and i yield the balance of my time.
>> no balance. [laughter] senator mccain, i returned -- [inaudible] i return -- no, it's not. [laughter]
>> look, with the same fondness and respect you expressed to senator collins and even a starter, i cannot conceal the fact that i'm disappointed by your statement. we have conducted, this bill is essentially the windows market by the committee, but that's not the point. the point is that we've reached out, not only to everybody who was possibly interested in this bill outside of the congress, but opened the process to every member of the senate who wanted to be involved. we pleaded for involvement.
3:41 pm
and a lot of people, including yourself, have not come to the table. the encouraging part of your statement is that you and those working with you will introduce some legislation. and i will be glad to consider it. senator reid intends to hold an open amendment process on this bill, but, you know, as you stated, this is a critical national security problem. and to respond to it with business about regulation business, this is national security. as senator collins said, there is regulation of business that is bad for business and bad for the american economy. there is regulation such as we worked very hard to include in this bill that impact is not only not bad for american business and bad for the american economy, but will protect american business and american jobs and help to guarantee more american economic growth. on the question of dod and
3:42 pm
intelligence community, as i indicated for the record earlier, they have supported our bill this week. i hear what you said about general alexander from nsa, but he has at no point, nor has the department of defense or the dni, come before us and offered any suggestions for additions to this bill that would give him more authority. i would welcome those suggestions if he wishes. so i can't, i have to be honest with you as you've been honest with us, express my disappointment and express the only satisfaction i have from your statement, which is you're going to make a proposal, let our colleagues in the senate consider it, and senator collins and i, working on this bill, will consider it. and let's get something done on a clear and present danger to our country this year.
>> mr. chairman, can i just -- i speak for seven, seven ranking members of major committees of
3:43 pm
jurisdiction. i don't speak for myself. there's a breakdown somewhere if seven ranking members of the relevant committees are all joining in this opposition to this process and this legislation. so, if you choose to neglect how many years of legislative experience and time in the senate, that's fine, but there's seven of us that are deeply concerned about this process and the legislation, and we don't think it should go directly to the floor.
>> i will say for the record that we have reached out to all seven in various ways to try to engage their involvement in this bill. i would have much rather preferred to submit a bill, and senator collins would have, too, that everybody had been involved in discussing. we were very open to trying to find consensus, as we did with other chairs. so nobody is neglecting the expertise. i'm saying i'm sorry that they have been engaged before, and
3:44 pm
i'm glad to be engaged now.
>> mr. chairman, thank you. madam secretary, this is my first opportunity to visit with you since the announcement of the president's budget. and i want to talk about a topic unrelated at least to cybersecurity, but certainly related to security. the chairman just spoke about clear and present danger. one that you and i have had a conversation about over a long period of time is related to our food and animal safety and security in this country. and as you can imagine, can expect, the disappointment that i have, and others in our congressional delegation have, in regard to the president's failure to include dollars related to construction of the agro and bioscience security facility, to replace it. you and i have had a number of conversations, and i will use my six minutes today to talk about this non-germane topic.
3:45 pm
but i will have a greater chance to visit in the homeland security appropriations hearing in which you and i will be together in just a few days. but i would not want this opportunity to pass without again delivering the message to you and to the folks at homeland security who have, throughout this process, been our allies. we consider that we have in you allies in an effort to see that a facility designed to make certain that the food and animal safety of this country is protected. you and i had a conversation in march of last year, less than a year ago. that was in appropriations, the homeland security appropriations subcommittee. you told me that it is something you're supportive of. plum island does not meet the nation's needs and is a. there contested to refute competition, and we look forward to continued construction. we believe that nbaf needs to
3:46 pm
be dealt and we need to get on with it. later in september of that year, you talked about the future. we need to get prepared for the next generation. and begin we need to be confronted the things that we face today and think we will face 10 years from now. that series has continued with your testimony and others' from homeland security, the u.s. department of agriculture. and i would like for you, i hope, to reiterate the department's, your position as secretary, continued support and belief in the importance of building this facility, and to explain to me the idea of a reassessment which, as a recent press report reports, is an assessment in scope only, not in concerns about safety or in concerns about location.
>> that's right. and you are right, the president does not request in the budget
3:47 pm
and appropriations for the -- in part because last year we requested $150 million. the house appropriated 75. the senate appropriated zero. we ended up with 50, and a lot of extra requirements put on the project, as you just stated. what we have done in this year's budget is allocate $10 million that will go to related animal research at a state university. i've talked to -- with governor brownback, among others. and in light of the budget control act, other changed circumstances that we have to deal with, and in light of the fact that we have not been able to persuade the congress to really move forward in a substantial way, on funding, we have recommended that there be a reassessment in light of the
3:48 pm
budget control act, in terms not of location, not in terms, those of which i firmly stand by that position i stated. but in terms of scoping and what needs to happen so that this project can move forward with the right level of appropriations.
>> madam secretary, thank you. i would comment that the solution to lack of funding by congress is not for the administration to not request funding. the solution to that problem is continued support, and encouragement from congress to act. as you say, the house appropriated 75 million last year. the senate, in the conference, was agreed upon the 50 million. you also are requesting reprogrammings for additional planning money within this year's budget. again, the money that is there needs to be spent as quickly as possible. i will be asking you by letter shortly to continue the funding
3:49 pm
of the $40 million that is available, is appropriated, and now as a result of the report filed this week can be spent to complete the federal share on the utility portion of this facility. based upon what i've heard you say and what i've read that you have said, it's not about location. it's not about the site, and it may be about the scope of what will occur. but the utility pad is still important and will be necessary regardless of the scope of that project. so we are going to ask you to continue the funding as you already have committed to and are authorized to now spend this $40 million on utilities. and i would add to that point, we have appropriated $200 million, federal dollars, the state of kansas has put in nearly $150 million. this is the partnership, and we need the federal government to continue its partnership on the utility portion. we're waiting on the share that
3:50 pm
you are now authorized to spend, to be spent. i appreciate the answer to my question. i have considered you an ally, continue to consider you an ally, and my plea is let's work together to see that this congress moves forward on an issue that is important, just as cybersecurity is, to the economic security and future of our nation.
>> senator, i would be happy to work together with you on this.
>> thank you very much. we need your help.
>> thanks very much, senator moran. for the information of members, the order of arrival today now: senator landrieu, pryor, brown, carper, levin, johnson. let's go to senator pryor.
>> thank you, mr. chairman. thank you for this very important meeting. it's always good to see you, madam secretary. let me start, if i may, madam secretary, with a question about, i think you've pretty much said that you feel like we need a statute, but i'm curious
3:51 pm
about what specific authority you think your agency or the federal government does not have in this area that you need. what specific authority do you feel like you need to accomplish what you need to do here?
>> i think the specific authorities that the statute contains, most important is the ability to bring all of the nation's critical infrastructure up to a certain base standard of security, and to outline the process with which that will occur.
>> and let me ask you on a little different topic. i know that in reading some of the news stories, trade publications, et cetera, the private sector seems to have hesitation about sharing too much information, and understandably so. they may fear that a competitor will get it, or it may create liability issues for them, or
3:52 pm
whatever. but do we have an effective mechanism for the private sector, stakeholders, to share their best practices and potential threats and those concerns without raising issues of, you know, their own security and liability and even antitrust concerns?
>> no. in fact another major improvement in the bill over the current situation is it clarifies that that kind of information sharing can occur without violating other federal statutes, antitrust, the electronic communications privacy act. we have had situations where we have had delay in being able to get information and to respond because the lawyers had to first -- the company or whatever had to first assess whether they would be violating other federal law by alerting the department of homeland security that an intrusion had occurred, and i think as you and i can
3:53 pm
both appreciate, when the lawyers get it, it can take a while.
>> we understand.
>> again, the new bill would clarify that that should not be a problem.
>> okay. and you're comfortable with how the new bill is structured in that area?
>> yes, i am.
>> and let me ask about lessons learned. dhs just recently discussed, and it's been discussed about dhs, that some of the work being done under the chemical facility anti-terrorism standards program has not really been done as quickly or as early as maybe it should have been. and as you know, this bill provides a requirement that dhs do a similar type of system. are there lessons learned in the cfats experience that might indicate that we can put that problem behind us and that we can comply with what this law
3:54 pm
would ask you to? >> yes, senator. first of all, with respect to cfats, no one is more displeased than i am with some of the problems that have occurred there. there is an action plan in place. there are changes in personnel, among other things. that program is going to run smoothly. and other security, the security plans are being evaluated. >> and there are lessons learned? >> and there are lessons learned, as there are in all things. and this bill is less prescriptive than cfats. first of all, this is a very regulation-light bill. this is a security bill. this is not a regulatory bill per se. but in terms of just management and organization, yes, there are some lessons learned from cfats. >> right. i know a lot of times when we read news media accounts about cybersecurity, and even as we
3:55 pm
discuss it among ourselves oftentimes, we tend to focus on large companies and the breaches that large companies experience. the truth is a lot of small and midsized companies carry a lot of sensitive information. is dhs working with small to midsize companies in any way to reach out to them to talk about best practices or anything like that? >> we conduct a lot of outreach activities with small and medium-sized businesses, on a whole host of cyber-related areas. so the answer is yes. >> all right. we always want to make sure that our small businesses are taken care of. obviously, they are a link in the chain. >> senator, i continue to emphasize, when we are talking of the security of the core critical infrastructure, if that goes down, a lot of these small businesses are dependent on that, and they will fail. >> that's exactly right. also, we have also talked about the federal government, but also
3:56 pm
state governments have the same issue in the state of cybersecurity. and, obviously, you're a former governor, former attorney general, as is the chairman here, general lieberman. so you appreciate that. are you working with states to try to talk about their best practices and lessons that you learned? >> yes, we are. and, indeed, we work with a multistate information system, and they are located or provide input into the intake, the center we talked about. >> right. mr. chairman, that's all i have. i yield back the balance of my time. >> thank you, general pryor. next, senator carper. >> can i have his 14 seconds? >> you got it. >> madam secretary, good to see you. good to see a former secretary out there, former governor, former congressman. tom ridge, all of our witnesses, thank you for being here. one of the things i like to do in hearings like this is see if we can develop some consensus.
3:57 pm
never have too much of that in the senate or in the house. my hope is when we adjourn here today we will have identified not just where we have differences but we will again by where we can find some common ground. so i ask a couple of questions with that in mind. i want to return to the comment of my colleague from arizona who mentioned regulation, and with sort of a cautionary note. i just want to second what the chairman said, regulation can be a problem, but it can be problematic if we don't use common sense. if we don't look at cost-benefit analysis, it could be a bad thing. having said that, i always remember meeting with a bunch of utility ceos about six, seven years ago, my first term in the senate. they were meeting with me about clean air issues, mercury, co2. and we were trying to decide what our path forward should be. finally, came to this meeting, a ceo from someplace down south,
3:58 pm
kind of a curmudgeon, said okay. he said it looks better, just do this. tell us what the rules are going to be, give us some flexibility, give us a reasonable amount of time and get out of the way. that's what he said. i've always remembered those words, and i think it may apply here too today. i want to thank the chairman and ranking member, susan collins, for calling a hearing for which and what is complicating really what the chairman said, he mentioned try to open up, if you have an idea, bring it to us. and that i think is had an open door, too bad some have taken full opportunity of the. i know you have a lot of distractions around you. sometimes that happens. we are being attacked by hackers across the world and closer to home, and it's likely to get worse, not better. while some of -- some of them are there to steal ideas, steal our defense secrets or intellectual property,
3:59 pm
blackmail businesses and nonprofits and to do worse. they are also, the challenges that i think we have here, i think we need a bold plan, we need a roadmap. i hope again we can move along that way, too, today. i'm especially pleased with legislation that is being introduced including a number of security measures that my staff and i have worked on. ..
4:00 pm
hardly anybody understood how it made it any safer. the bill that is before us today includes many improvements to the so-called federal information security management act, affectionately known as fisma. our federal agencies are actively monitoring and responding to threats, not just with paper reports about them. from what i understand the agencies have taken many steps to improve their security networks, largely because of the action you have taken in your department to make fisma more effective despite the outdated statute. god bless you. i commend you for being proactive in this area and for putting forward a budget so we ensure your department has the resources it needs to address this growing area of responsibility. here is the question. that was a long windup. can you describe some of the current limitations of fisma for us and why this legislation and some of the new tools we give you just might be needed?
4:01 pm
>> well, i think this -- one of the key things that this bill would do is, by clarifying and centralizing where the authorities lie within the government, and how those relate to fisma among other things, so that it really sets, as you say, the commonsense roadmap for how we move forward. you know we have done a lot with the civilian networks of the government. as you know they have been repeatedly and increasingly the target of attempts to penetrate and intrude upon them all the time. we have almost completed the deployment of what is known as einstein 2. we are working on the next iteration. we have also in the president's budget request asked for a
4:02 pm
budget that would be held by the department of homeland security that would be used to help improve or raise the level of i.t. protection within the civilian agencies. >> thank you. just very quickly if i could follow up just to get more specific. can you talk a little bit more about how your department will be able to achieve what the president has requested, i think 200 million or so for network security, and how this legislation will impact those activities? you talked about it a little bit, but could you drill it down a little farther? >> right, and i can give you more detail on that, but basically what it allows us to do and what we will be able to do is have a fund out of which we can make sure that the civilian agencies of the government have deployed best practices, hiring qualified personnel and in other ways strengthening their own cybersecurity within the federal
4:03 pm
government. >> alright, thanks. mr. chairman, if i could say in conclusion, one of the things that i hear a lot from constituents across the country is they want us to provide certainty, predictability, and one of the things we are trying to do with this legislation and the regulations that may flow from it is predictability and certainty, and with that in mind i would say to our witnesses you are helpful not just to -- that would be enormously helpful not just to the committee but i think to our country. >> thank you, senator carper. senator levin. >> mr. chairman and ranking member, thank you for taking the initiative on this with other colleagues, and thank you, madam secretary, for all the work the white house did on a similar bill that you worked on, which i understand is basically part of now this pending bill, which is on the calendar. i am trying to understand what
4:04 pm
the objections are to the bill, because it seems to me there are a whole bunch of protections in here for the private sector. as i read the summary of the bill, and i have not read the bill yet, there is a self-certification or third-party assessment of compliance with the performance requirements. i understand there is an appeal of those requirements if there is objection to it. i understand and believe that the owners of covered critical infrastructure that are in substantial compliance with the performance requirements are not liable for punitive damages which arise from an incident related to a cybersecurity risk. so you have here something unusual, i believe, actually for the private sector, which is a waiver of punitive damages, and i think that is fairly, i don't know that it is unique, but i think it's fairly unique in
4:05 pm
legislation to say to waive the possibility of punitive damages in the case of a liability claim. there are a number of other protections in the privacy area as i read the summary of this bill, for the information which must be provided where there is a significant threat which is identified. i am trying to identify, and i'm not going to be able to stay to hear it from the next panel, as to what the objections are. i'm sure you have read the letter from the opponents and will study the bill that senator mccain referred to, but i'm trying to the best of my ability as we go along to see exactly what those objections are. there seems to be privacy protection here. there seems to be self-certification here, which avoids part of a bureaucracy at least. there are limits on liability where there is good faith
4:06 pm
defense for cybersecurity activities, and the bill's heading says there is a number of other protections. i don't want you to argue for the people with problems, obviously, but i would like you to the best of your ability to address what you understand are the key objections. we will hear them directly. we will read about them, but i think if you can, give us your response to them so we can have that for the record as well. >> well, i think there are three kind of clusters. the first is that the bill is a regulatory bill and it will be burdensome to industry to comply, and the answer is that this is a security bill, it is not a regulatory bill. it is really designed for making sure that we have a basic level of security in the cyberstructures of our nation's
4:07 pm
core critical infrastructure and that we have a way to exchange information that allows us to do that without private sector parties being afraid of violating other laws. and so, this is not what one would consider a regulatory bill at all, and as senator collins said, it really is designed to protect the american economy, not to burden the american economy. the second set of objections, i think, revolves around the whole privacy area, but as the aclu itself acknowledged, this bill really has done a very, very good job of incorporating those protections right from the get-go, and realize one of the reasons why dhs has the role it does is because we have a
4:08 pm
privacy office with a chief privacy officer who will be directly engaged in this. so, the bill i think really addresses some of those privacy concerns. the third cluster would be, and i think senator mccain alluded to it, that this somehow duplicates the nsa. we don't need another nsa and, just to let you know, we don't need to clarify the authorities or the jurisdiction of the dhs, and i think there is a misconception there. the plain fact of the matter is the chair of the joint chiefs and others and secretary panetta and others have recognized both the dod and the dhs use the nsa, but we use it in different ways. so we are not duplicating or making a redundant nsa. we are taking the nsa and using it to the extent we can within the framework of the bill to protect our civilian cybernetworks.
4:09 pm
>> i understand that the department of defense basically supports this legislation. from what i can understand at least it does. is that your understanding? >> i think not just basically. i think wholeheartedly. >> and in terms of the privacy concerns, those concerns are met with the privacy officer, but in terms of the information which was supplied, where there has been a threat, that information when it is submitted to a government entity is protected. >> the content is not shared. >> tell us more about that. >> the content is not shared. the information shared requires minimization. it requires elimination of personally identifiable information. all the things necessary to give the public confidence that their own personal communications are not being shared. so it's the fact of the intrusion, the methodology, the tactic used,
4:10 pm
some of the early warning indicators, all of those sorts of things are to be shared but not the content of the communication itself. >> thank you mr. chairman. >> thanks very much senator levin. that was a very helpful exchange. senator johnson. >> thank you mr. chairman. madam secretary nice to see you again. first of all senator lieberman and senator collins i appreciate your work on this. this is critically important and also incredibly complex. i am new here. i don't want to be breaking protocol. >> go ahead. >> i share some of the concerns of senator mccain and because this is so important, certainly not a good way to start up the process so in light of his objection and those of the ranking members are we going to consider doing, not taking this to the floor directly or is that going to be reconsidered on that basis? >> i don't believe so. i suppose if people want to
4:11 pm
raise the question, but i think there has been a long process here. bills have been reported out of this committee, out of commerce, intelligence, foreign relations, not all done on a bipartisan basis but most of them were. senator reid got really agitated about this problem last year in convening the chairs and then held a joint meeting, which in these times is very unusual, a bipartisan meeting, senator reid and senator mcconnell and the chairs and ranking members of the committees urged us to work together to reconcile the differences. some came to the table, as i said, and some didn't. we worked very hard to bring people in. i think, i can't speak for senator reid, but i think his intention is to take the bill that is the consensus bill now and bring it to the floor under his authority under rule 14 but to have a really open amendment process. i don't think anybody is going
4:12 pm
to rush this through and there will be plenty of time for people to be involved. i'm sure i speak for senator collins. we are open for any ideas that anybody has. >> this is just really important to get right. to me the most important thing is to get it right, but also to get it done as quickly as, as quickly as we possibly can get it right we should get it enacted. because the crisis, the threat is out there. >> senator collins. >> mr. chairman, if i could just add one thing. and that is, this legislation has gone through a lot of iterations, which was reported first in 2010, and a bill that was not part of the committee at that point. but our staff has shared with the senate staff draft after draft after draft by briefings. i know the senators come to some of the classified briefings
4:13 pm
that we have had as well. so we have invited the input from you. >> i'm sincere in my appreciation of the work you are doing and in the desire to get this right, to move some legislation, so with that in mind, i know the house has worked on a bipartisan bill, h.r. 3523, which is a slimmed-down version, an important first step for getting information shared between government and the private sector. is that something you could support in case this thing gets all snagged up? maybe to move towards something like that? >> i'd go back and look at that, but i think that there may be some parts of that that are included within this bill, but this bill is a much stronger and more comprehensive focus on what we actually need in the cybersecurity area given the threats that are out there. >> in terms of the carveouts,
4:14 pm
that was one of the big questions this individual expressed, is if you are really trying to create cybersecurity, why would you carve out service providers and the people at the heart of it? it's kind of like you were going to see the money go to the bank where it is. why would we carve out the service providers? >> well, i think a few things, but i think from our standpoint if you focus on the nation's critical infrastructure and you really focus on the standards they have to meet, and you want to avoid some of the complexities that deal with the isps and the like and where they're located and the international jurisdiction among other things, that the carveout is appropriate and in fact it helps move the legislation along. >> have you done a cost assessment in terms of the costs required for this legislation? >> well i think, i think talking about cost is important here.
4:15 pm
it is not our intent to have an undue cost on the core critical infrastructure of this country. it is, however, our belief that the cost of making sure you practice a base level, a common base level of cybersecurity is, should be a core competency within the nation's critical infrastructure. and so, while we don't want an undue cost, we do want a recognition that this is something that needs to be part of doing business. >> has there been an attempt to quantify that, or will there be an attempt to quantify the costs of compliance? >> i don't know. i would imagine, just thinking about it, that there will be many entities that already are at the right level, but sadly there are others that are not, and given that we are only talking about infrastructure that if intruded upon or whatever would really impact -- have a large impact on
4:16 pm
the economy, on life and limb, and the national security, you are talking about a very narrow part of the critical infrastructure. the fact that they will have to reach a base level is a fairly minimal requirement. >> one quick last question. i'm aware the chamber is not for this bill. do you have a list of private sector companies that would need, that have to comply, that are in favor of that? >> there are a number of them, and i think they have been in contact with the committee, but we could get that for you. >> i appreciate that. thank you mr. chairman. >> thank you, senator johnson. secretary napolitano, i appreciate your testimony. you have made a very important -- important point here. ultimately those regulated here that can be forced to meet the standards are drawn narrowly to
4:17 pm
include only those sectors which, if they were attacked, cyberattacks would have devastating consequences on our society, so you're right. to enforce the standards carries a cost, but it will be a fraction of what we would, what it would cost society if there were a successful cyberattack, and i go back to the initial 9/10, 9/11 where we couldn't do enough to protect ourselves from another 9/11. and we have the opportunity here to do something preemptively, preventively, methodically and at much less cost to our society overall. >> that is right, mr. chairman, and i think, as you and i both know that, and i think senator collins did in our opening statements, it is our responsibility to be proactive and not just reactive.
4:18 pm
we know enough now to chart a way ahead and the bill does that. >> yeah, i agree. if there is a cyberattack and we don't legislate, we don't create a system of protection of american cyberspace, if there is an attack we are all going to be rushing around frantically to sort of throw money at the problem and it's going to be after a lot of suffering that occurs as a result, so we have a real opportunity to work together. nobody is saying this bill is perfect, but it is darned good for all it has been through, but the process continues. you have been very helpful and i thank you very much and we look forward to working with you. senator collins. >> thank you mr. chairman. i too want to thank the secretary for her excellent testimony and for the technical assistance of the department. for the record, i would like to submit what is a very clear
4:19 pm
statement from the chairman of the joint chiefs of staff at a hearing before the armed services committee earlier this week. general dempsey said, i want to mention for the record that we strongly support the lieberman-collins-rockefeller legislation dealing with cybersecurity, so the secretary's comment in response to the question by senator levin about where does the department stand, where she said wholeheartedly, is exactly right, and the department testified to that effect and i would submit that for the record. >> thank you. without objection, submitted for the record. thank you, secretary. have a good rest of the day. i'll call the final panel. secretary ridge is next. i know we are under time -- and we kept you later than we had hoped, secretary ridge, but secretary ridge and the honorable stewart baker, james
4:20 pm
lewis, dr. james lewis and scott charney. >> thank you. >> gentlemen, thank you for your willingness to be here, to testify, and for your patience. although it got pretty interesting at times during the hearing, didn't it? secretary ridge, in a comment that only you and i and two other people would appreciate, i don't think we will be going to the common man together tonight, but that is another story. [laughter] thanks very much for being here and we will hear your testimony and then we will understand if you have to go because i know you have got another engagement and you are ready to leave. so please proceed. >> thank you very much.
4:21 pm
first of all, let me tell you what a pleasure it is to be back before the committee. as i have told you before, in my 12 years in the congress of the united states, i did enjoy being on that side of the table rather than this, but every time i've appeared before this committee the engagement has been civil and constructive, and i hope i'm able to contribute, and i hope the fact that we agree in part or disagree in part today, in significant agreement and disagreement, does not preclude another invitation, so it is a great pleasure to be before you. i testify today on behalf of the u.s. chamber of commerce, which as you well know is the world's largest business federation, representing the interests of more than 3 million businesses and organizations of every size, every sector in every region of this country. over the past year, year and a half, i have chaired the chamber's national security task force which is responsible for the development and implementation of the chamber's homeland and national security policies, and very much
4:22 pm
consistent with the president's concerns, this committee's concerns, concerns on both sides of the aisle. you are probably not surprised that cybersecurity has been at the top of the list. when we have met we have had dozens and dozens of private sector companies and vice presidents for security, the bricks and mortar of the cyberbusiness, maybe at the top of their list right now, so it's in my capacity as chairman and hopefully with perspective, but also as the first secretary of homeland security, that i thank you for this opportunity to appear before you regarding cybersecurity and ways in which we can -- senator lieberman and senator collins, one of the mindsets that i have, that i do want to share with you, is that you need to add the chamber of commerce to the chorus of people sounding the alarm. they get it. why do they get it?
4:23 pm
because the infrastructure that we are worried about, that protects america's national interest and supports the federal government, state governments and local governments, is the infrastructure that they operate. in addition to being concerned about the impact of cyberinvasion and incursion on their ability to do their job on behalf of the federal government, they also have 300 million consumers. so they join you. they join that chorus not only in terms of the urgency of dealing with the threat, and i would dare say, and i say respectfully, they are probably in a better position to be able to calculate the consequences of systemic failure vis-à-vis a cyberattack than an agency of the federal government. on top of that, they have their interests to protect and fiduciary interests if they are publicly traded. they have got their employees and they have the communities
4:24 pm
they work in, the consumers and the suppliers. so i think it's important for you to understand that the chamber joins the chorus that appreciates both the urgency and, i would say respectfully, better understands from a micro level the horrific consequences to them, to their community, to their brand and their employees of this country for a significant cyberattack. as you also know, the industry for years has been taking robust and proactive steps to protect information. there has been much discussion with regard to the process here, and let me just talk very briefly, and i'm going to ask unanimous consent to get another minute or minute and a half, and i apologize for that. as the first secretary, remember the national strategy that we created in 2002 to talk about securing america, but we didn't talk about just people, we
4:25 pm
talked about bricks and mortar. we talked about cyberattacks as well. 2003, as referenced by secretary napolitano, the legislation talked about cyberattacks as well. you move to the enabling legislation that creates the department and the homeland security presidential directive number seven. in anticipation of testifying i read what it is all about. it establishes a national policy for the federal departments and agencies to identify and prioritize united states critical infrastructure and key resources and to protect them from terrorists, and it goes on to talk about protection from cyberattacks as well. in 2000 you have the national infrastructure protection plan, which encompasses all that had come before and sets up, specifically based on hspd seven, which created the sector-specific agencies and the sector coordinating councils under this mandate.
4:26 pm
the point being we don't need a piece of legislation that identifies critical infrastructure. we have been working on that for 10 years. you understand that process. what we do need, and where we tip the hat, compared to the first mark of the president's bill to this one, the information sharing, although we would like to tweak it a little bit, is a vast improvement from the one that was initially placed and initially considered by the administration, and again we are not ready to -- but the direction of the focus of it being bilateral we believe is the way to go. so at the end of the day, the ccp in our judgment, there is no real need for that. we already have the process in place. people have been working together for 10 years, personal institutional relationships developed with those critical infrastructures. you have cybersecurity experts in the sector-specific agencies. so not only do you take a definition that appears to have no walls,
4:27 pm
ceilings or floors, but it appears to be redundant, and secondly, somebody used the word requirements. one of the great concerns we have, and i will conclude, is that requirements are prescriptions and prescriptions are mandates and mandates are regulations, and frankly the attackers and the technology move a lot faster than any regulatory body or political body will ever be able to move. so in my judgment, again, the chamber agrees, the sections in here with regard to the international component, the public awareness component and the fisma component and some of the others we applaud and celebrate, and hopefully if you tie this together, if you are looking to deal with this in an immediate way as quickly as possible with a more robust information sharing proposal, marry it with the house bill, you will have that agreement, so i
4:28 pm
was hurried. i appreciate and respectfully request my full statement be included as part of the record, and thank you for the opportunity to appear before you. >> thanks, mr. secretary, and we will definitely include your statement for the record. am i right that you have to leave? can you stay? >> i am prepared to stay to answer a few more. i will leave at 6:00 instead of 5:00. thank you for asking. >> i guess the question is do you want us to ask you a few questions now and have you go or -- >> a little late to get there, so i appreciate that. >> okay. i'm going to yield to senator collins, and if there is anything left to ask when she is done. >> thank you mr. chairman. first, secretary ridge, as you know i have the greatest respect and affection for you personally,
4:29 pm
and the greatest respect for the chamber of commerce and i'm disappointed that we don't see this issue exactly the same way. i would also note a certain irony since the chamber itself was under cyberattack by a group of sophisticated chinese hackers for some six months at least during which time the hackers had access to apparently everything in the chamber system and the chamber was not even aware of the attack until the fbi alerted the chamber in may of 2010, so there is a little bit of irony but i will assure you that under our bill, the chamber is not considered critical infrastructure. [laughter] >> you. >> you raise a very interesting point. and i guess the question i have if it's not critical infrastructure, a significant
4:30 pm
organization representing the critical economic infrastructure of america, why in the world did the fbi delay in informing the organization that represents the economic infrastructure of america? somebody ought to ask a question. i have heard of cases where people in the private sector have reported the potential, not reported it but had to verify it to the federal government and they said we knew. what do you mean we knew? >> we have very robust information sharing provisions in our bill that will cure that very problem, but the fact is in drafting this latest version of our bill we have taken to heart many of the concerns raised by the chamber, and so just to clarify exactly where the chamber is on these issues,
4:31 pm
i do want to ask your opinion on some of the changes that we have made in direct response to the chamber's concerns. for example, we now have a provision that says that entities that are already regulated by existing regulation would be eligible for waivers and entities able to prove that they are sufficiently secure would be exempted from most of the requirements under this bill. that bill would require the use of existing cybersecurity requirements of current regulators. does the chamber support those changes that were incorporated in response to the chamber's concerns? >> i think you have incorporated several changes senator collins and i do believe that is one of
4:32 pm
them. and i think it also goes to the point that some of that oversight is being done within the existing process and protocol, and with the dramatic potential changes in information sharing, it is a system that will work. one of the questions i had when i listened to the chorus of people who support the bill, i just wondered if the secretary of defense believes that the defense industrial base likes the cyber model of information sharing announced by the department of defense in june 2011 or would prefer to be regulated. i think there are some unanswered questions here, but the point i want to be strong about, senator collins, is that you have heard some of the concerns and we are grateful for that. >> well, that is my point, as we frankly have bent over backwards to try to listen to legitimate concerns without weakening the
4:33 pm
bill to the point where it can no longer accomplish the goal. another important provision of the bill, the owner of critical infrastructure, not the government, not dhs, would select and implement the cybersecurity measures that they determine are best suited to satisfy the risk-based performance requirement. does the chamber support having the owners of the infrastructure decide rather than government mandating specific measures? >> i think again, i recall, if i interpret the legislation correctly, the chamber likes the notion and raises the notion that the respective departments and agencies who have the sector coordinating councils have been working on identifying critical infrastructure and sharing that kind of information
4:34 pm
that we think is necessary not to immunize us completely, as technology and hacking procedures will change, but to dramatically reduce the risk. in fact it's in everybody's interest, particularly the owners, to move as quickly as possible. i mean the logic that has been applied to relieving cisco and microsoft and others so they can move jointly and respond to risk, it seems to me, would be to apply to everybody in the economy as well who don't want to be burdened by a series of regulations or prescriptive requirements. >> well, since the private sector under our bill is specifically involved in creating the standards, i don't see how that produces burdensome standards, since the secretary has to choose from the standards that the private sector develops.
4:35 pm
again, another change that we strengthened in our bill. another question that i would have for you, i assume that the chamber supports the liability protections that are included in this bill, so that if the company abides by the performance standards of their -- the company is immune from punitive damages? >> they have not tapped me on the shoulder. >> i presume they do and if i were the chamber i would certainly encourage them to embrace it wholeheartedly. >> well, my time has expired. my point is that there are many, many provisions in this bill that we have changed in direct response to input from the chamber and i would like the chamber to acknowledge that. there is one final point that i want to make. when you were talking about bad
4:36 pm
ceos are invested in cybersecurity because of the impact on their customers and their clients and so it is in their own self-interest, i cannot tell you how many cios, chief information officers, with whom i have talked tell me, if only i could get the attention of the ceo on cybersecurity. we are not investing enough. we are not protecting our systems enough and it is just not a priority for the ceo. so, i would suggest to you to talk to some cios because i think you would get a totally different picture. >> i appreciate that senator collins. i'm familiar with quite a few major companies in america and what they are doing with regard to cyber and my experience is,
4:37 pm
i realize there are probably people out there, i don't imagine too many organizations wouldn't enhance their capability to safeguard or manage the risk, but i will take you at your word that there may be some cios who feel strongly and have reflected that in their statements to you. i think at the end of the day though, i think you made a valuable contribution listening to the chamber and we applaud those things and we will respectfully disagree. you are going down a path similar to the concern about a prescriptive regimen. i notice some of the literature talks about a light touch but a light touch can turn into a stranglehold if it goes too far in the process and if you take a look at the chemical facility anti-terrorism standards, what is a light touch maybe becomes very prescriptive, then once the legislation was passed members of congress and your colleagues said that is not enough and we may need very
4:38 pm
specific technology and specific regulations in order to vet the people so again it's a slippery slope they are most concerned about and i very much appreciate the chance to articulate before the committee. >> thank you senator collins. i have no further questions. secretary, thanks for being here. we are glad to liberate you to catch your capture and explain. >> you are very kind. i look forward to future opportunities to share my thoughts with this committee. senator akaka, best wishes to you, sir. >> stewart baker is our next witness, currently in the law firm of steptoe and johnson, former general counsel for the nsa from 1992 to 94 and assistant secretary of dhs from 2005 to 2009, during which time we benefited greatly from your counsel and service.
4:39 pm
thanks for being here. we would welcome your testimony now. >> it's a great pleasure. thank you chairman lieberman, ranking member collins, senator akaka. it's a nostalgic moment to come back here and i want to congratulate you on your achievement in moving this bill in the comprehensive form it has taken. it's a very valuable contribution to our security. i just have two points but before i do that i thought i would address the stop online piracy act analogy, the idea that this is sopa, and the internet wants to strike it down. i'm proud to say, if i could channel senator bennett for a minute, i fought sopa and mr. chairman this bill is no sopa. in fact, i opposed sopa for the same reason i support this bill. as a nation, as a legislature our first obligation is to protect the security of this
4:40 pm
country. sopa would have made us less secure to serve the interests of hollywood. this bill will make us more secure and that is why i support it. just two points on why i believe that. we know today the most sophisticated security companies in the country have been unable to protect their most important secrets. this shows us how deeply -- how deep the security problem runs. we also know from direct experience, things that i saw when i was at dhs and that have emerged since, that once you've penetrated a network you can break it in ways that leave behind permanent damage. you can break industrial control systems on which refineries, pipelines, the power grid, water, sewage depend, and we have had a lot of analogy today about whether this is like september 10 or september 11.
4:41 pm
if you want to know what it would be like to live through an event where someone launches an attack like this, the best analogy is new orleans the day after katrina hit. you would have no power, you would have no communications, but you also would not have had the warning and the evacuation of most of the population of the city and you wouldn't have the national guard in some safe place ready to relieve the suffering. it could indeed be a real disaster and we have to do something to protect against that possibility. that is not something the private sector can do on its own. they are not built to stand up to the militaries of half a dozen countries and that is why it's important for there to be a government role here. i do think that this bill, in contrast to the u.s. chamber, i think you may have gone a little far in accommodating them and i will just address one point i think is of particular concern. i fully support the idea that there should be a set of
4:42 pm
performance requirements driven by the private sector, implemented by the private sector with private sector flexibility to meet them as they wish. but the process of getting to that and then getting enforcement is time-consuming. it could take eight years, it could take 10 years if there is resistance from industry or a particular sector, and it may be worth it to take that time to get standards that really are something that the private sector buys into and is willing to live with, but i think we have to recognize that in the next eight to 10 years we could have an attack, we could have an incident, we could have some very serious trouble or a threat that requires that we move faster than that statutory framework would suggest. so i would suggest, if there was one change that i would make to this bill, it's to put in a provision that says in an emergency where there really is an immediate threat to life and limb, the secretary has the
4:43 pm
ability to compress all of the timeframes and to move quickly from stage to stage so that if we only have a week to get the grid protected, then the power company, you will be here on tuesday and bring your best practices because by friday you are going to have to start implementing them because we know there is an attack coming this week. that is something that we need to be able to do and to have the flexibility to do. thank you. >> very helpful. thank you very much. we will talk more about that. jim lewis, thanks for being here. director, and i'm looking for the exact title, of the technology and public policy program at the center for strategic and international studies, and dr. lewis is the -- on cybersecurity which began its work in 2008. thanks so much. >> thank you senator for giving me the opportunity to testify. you know when we hear getting
4:44 pm
incentives right and sharing more information will secure the nation, remember that we spent the last 15 years repeatedly proving that this doesn't work and from an attacker's perspective america is a good target. some people say the threat is exaggerated. this is really unfortunate. he talks about the parallels with september 11, but in some ways we are on track to repeat the september 11 error if we don't take action in the very near term. the threat is real and growing. military and intelligence services with advanced cyber capabilities can penetrate any corporate network with ease. cybercriminals and government-sponsored hackers routinely penetrate corporate networks and new attackers ranging from iran and north korea to a host of anti-government groups are steadily increasing their ability. the intersection of greatest risk and weakest authority is critical infrastructure.
4:45 pm
national security requires holding critical infrastructure to a higher standard than the market will produce. this bill has many useful sections on education, research, securing government networks and international cooperation and they all deserve support. but the main event is regulating critical infrastructure for better cybersecurity. without this everything else is an ornament and america will remain vulnerable. low-hanging fruit will not make us safer and you know one way to think about this is if you took out the section on critical infrastructure it would be like a car without an engine. i look forward to -- there are all sorts of objections to moving ahead. we hear innovation could be damaged but well-designed regulation will actually increase innovation. companies will innovate in making safer products. we have seen this with federal regulation of cars, airplanes, even as far back as steamboats. regulation can incentivize
4:46 pm
innovation. everyone agrees that we want to avoid burdensome regulation and focus new authorities on truly critical systems. the bill as drafted takes a minimalist and innovative approach to regulation based on commercial practices so i appreciate the effort that has gone into that. many in congress recognized the need for legislation and this committee, the senate and others in the house deserve our thanks for taking up this task. but the battle has shifted. people would try to dilute legislation. they will try to put forward incentive solutions and they will write in loopholes. the goal should be to strengthen, not to dilute. there are two problems i'd mention. the first is the threshold for designating covered critical infrastructure. cyberattacks in the next few years are most likely to be targeted and precise. they probably will not cause massive casualties or catastrophic disruption. if we set the threshold too high, it simply is telling
4:47 pm
our attackers what they should hit so we need to very carefully limit the scope of this regulation but i fear that we may have gone a bit too far. the second is the carveouts for commercial information technology. it makes sense that the industry does not want government telling them how to make their products. that is perfectly reasonable, but an exemption on services, maintenance, installation and repair would first undo essential work started by the bush administration and second, leave america open to a stuxnet attack. these parts of the bill should really be removed and in particular i call your attention to paragraphs a and b, section 104, b2. in any important legislation there is a delicate balance between protecting the nation and minimizing burdens on our economy. this bill with some
4:48 pm
strengthening i think can achieve that balance and best serve the national interest. the alternative is to wait for the inevitable attack. my motto for 2012 cybersecurity is brace for impact. i thank the committee and i will be happy to take any questions. >> thank you dr. lewis. your voice is an important one to listen to and we will, we do. scott charney is our last witness today, corporate vice president, trustworthy computing group. thanks for being here. >> thank you. chairman lieberman, senator akaka, thank you for the opportunity to appear at this important hearing on cybersecurity. in addition to my role as corporate vice president of trustworthy computing i serve on the president's national security telecommunications advisory committee and was cochair of the csis commission on cybersecurity for the 44th president. microsoft has a long history of focusing on cybersecurity.
4:49 pm
in 2002 bill gates launched the trustworthy computing initiative. as we celebrate the tenth anniversary of that effort we are proud of our progress and conscious of how much work needs to be done. while i.t. companies are providing better cybersecurity, the world is increasingly reliant on cyber-based systems and those attacking systems have increased in both number and sophistication. cyberattacks represent more than -- one of the more significant and complex threats facing a nation. with that in mind i commend the chairman, ranking member, this committee and members of the senate for its continuing commitment to addressing cybersecurity. we appreciate your leadership in developing the legislation that was introduced earlier this week. over the past few years you have helped focus national attention on this urgent problem, offering constructive proposals and conducting an open and transparent process to solicit the views of interested private sector stakeholders. microsoft believes the current legislative proposal provides
4:50 pm
an appropriate framework to improve the security of government and critical infrastructure systems and establishes an appropriate security baseline to address current threats. furthermore the framework is flexible enough to permit future improvements to security, an important point as security threats evolve over time. while the internet has created unprecedented opportunities for social and commercial interaction, it has also created unprecedented opportunities for those bent on attacking i.t. systems. securing i.t. systems remains challenging and it's important that legislative efforts designed to improve computer security meet three important requirements. first, legislation must embrace sound risk management principles and recognize the private sector is best positioned to protect private sector assets. second, the legislation must enable effective information sharing among government and industry members. third, the legislation must take into account the realities of today's global i.t.
4:51 pm
environment. i will discuss each of these important issues in turn. first, sound risk management principles require that security efforts be directed where the risk is greatest and that those responsible for protecting systems have the flexibility to respond to ever-changing threats. to ensure that this happens it is important that the definition of critical infrastructure be scoped appropriately and that the owner of an i.t. system ultimately be responsible for developing and implementing security measures. we believe that the current legislation, which allows the government to define outcomes but allows the owner of the critical system or asset to select and implement particular measures, is the right framework. second, successful risk management requires information sharing. for too long people have cited information sharing as the goal when in fact it is a tool. the goal should not be to share all information with all parties but rather the right information with the right parties. that is, parties in a position
4:52 pm
to take meaningful action. we appreciate that the legislation attempts to remove barriers to information sharing by specifically authorizing certain disclosures that protect information sharing. finally, as a global business, we are very cognizant of the fact that countries around the world are grappling with similar challenges in implementing their own cybersecurity strategies. we believe that actions taken by the united states government may have ramifications beyond our borders and it's important that the united states lead by example, adopting policies for the technology that do not cycle in a position, and must bring cyber norms into discussions with other governments. unlike some traditional international efforts, where government-to-government discussion may suffice to achieve the desired outcome, it must be remembered that the private sector is designing and maintaining most of our critical infrastructures. as such, the u.s. needs to ensure that the owners,
4:53 pm
operators and vendors that make cyberspace possible are part of any international discussions. i would note in closing that security remains a journey, not a destination. in leading trustworthy computing i have witnessed the continual evolution of microsoft's security strategies. technologies advance, tactics grow stronger. the committee's legislation, which focuses on outcomes and ensures meaningful input by the private sector, represents an important step forward. microsoft is committed to working with congress and the administration to help ensure this legislation meets these important objectives while minimizing unintended consequences. thank you for the leadership that you have shown in developing the legislation under consideration today and for the opportunity to testify. i look forward to your questions. >> questions. >> thanks very much to you mr. charney. let me ask you a threshold
4:54 pm
question. as you can hear from some of the testimony and some of the questions from committee members, there is a question still about whether regulation is necessary here or whether government involvement here is necessary and at its purest, this argument is that obviously the private sector that owns and operates cyber infrastructure has its own set of incentives to protect itself. why do we need the government to be involved? mr. stewart? >> it seems to me fundamentally, the private sector and each private company has an incentive to spend about as much on security as is necessary to protect their revenue streams, to prevent crimes and stealing things from them and the like.
4:55 pm
it is much less likely that they are going to spend money to protect against disasters that might fall on someone else, their customers down the road, that are unpredictable and so there are certain kinds of harms, especially if you are a business where it's hard for people to steal money from you but it's easy to change your code in a way that later could be disastrous for consumers, to you that is not something you are ever going to get a higher payment for when you sell your product and therefore not something you want to spend a lot of money on, so it does seem to me there are a lot of externalities here that require the government to be involved, in addition to the problem that if you are baltimore gas and electric you really don't know how to deal with an attack launched by russian intelligence. >> dr. lewis. >> thank you. sometimes i call it mandatory standards.
4:56 pm
i wanted to say regulation but i have got to put it out on the table. we got the incentives wrong in 1998, the first time we thought about protecting critical infrastructure. get them together, share information and they will do the right thing, and as you have heard, the return on investment is such that companies will spend up to a certain level. it's not even clear that all of them do that by the way, but they won't spend enough to protect the nation. so we are stuck with a classic case of a public good, national defense. regulation is essential and if we don't regulate we will fail. >> let me just follow up. you made a statement in your opening remarks and i will paraphrase it, which is that a hostile party, nation-state, whatever, intelligence agency, could penetrate any company, any
4:57 pm
entity, any entity in cyberspace in this country if they wanted. did i hear you right? >> you did. the full answer is complicated so i will be happy to provide it to you in writing but when you think of the high-end opponents who could use a multitude of tactics, including tapping your phone line, including hiring agents or corrupting employees, the assumption it is probably safest to make from a defensive point of view is that all networks can be compromised. >> mr. charney? >> i want to say two things. first i would echo what stewart baker said. i think market forces are doing a good job of providing security. the challenge is market forces are not designed to respond to national security threats. you can't make that market case for the cold war so you really have to think about okay what will the market give us?
4:58 pm
what does national security require and how do you fill the delta between those gaps? the second thing i would say about looking at regulating critical infrastructure, in my 10 years at microsoft i found this: as we have struggled with cybersecurity strategies we really live in one of three states of play. sometimes we don't know what to do. we have to figure out a strategy. sometimes you know what to do but you are not executing it very well, in which case you need to execute that. sometimes we know what to do and execute well but we don't execute to scale. i think there are some companies who do a very good job of protecting critical infrastructure today. the question is are we doing it at a scale to manage the risk that the country faces? i don't think we are today and that is why at csis and in my testimony we have supported the framework as
4:59 pm
articulated in the legislation. >> i appreciate that. assuming the statistics are accurate or close to accurate about the frequency of exploitation and intrusion into cyberspace under the private sector, that makes it self-evident that there is not enough being done to protect from that. dr. lewis let me ask you something. you offered a friendly criticism of the bill before, which is that our definition of covered critical infrastructure is too narrow, too high. we are limiting it too much. give me an idea about how you might broaden it if you were drafting the legislation. >> i think we are talking about relatively simple amendments to the language mr. chairman. i would look at some of the thresholds you have put into
