Today in Washington, C-SPAN, February 28, 2012, 2:00am-6:00am EST
2:00 am
contribute to national preparedness by leveraging the federal response, but in a national response the capabilities of each state come to each other's assistance through mutual aid. >> Governor O'Malley, to pile on here, one of the outcomes of the quadrennial review was the creation of the ten homeland response force elements, and that plays into what the administrator has said. We used the regions, and ten of our states collectively in the northeast coalition of states have created these response forces, and, along with General -'s force and General Thompson's, were the first ones evaluated to the standard of the United States to be ready to move across state lines to assist regionally, and I think that is the new way of looking at things. They're very effective and efficient with the use of the force to support your first
2:22 am
>> Earlier this month, Homeland Security Secretary Janet Napolitano testified about cybersecurity legislation. The measure is designed to strengthen both government and private computer systems. The Senate Homeland Security Committee hearing is just under three hours. >> The hearing will come to order. Senator Collins is on her way. I just saw Senator McCain and Governor Napolitano together, and since it seems to be here, I cannot
2:23 am
hesitate to offer my congratulations on this centennial celebration of the great state of Arizona. Hear, hear. I happen to have been on the floor of the Senate introducing -- >> I was there at the time. [laughter] >> You look very well, very well. Okay, this is in fact the tenth hearing our committee has held on cybersecurity, and I hope it is the last before the comprehensive cybersecurity bill -- is enacted into law. Time is not on our side. To me, it feels like September 10, 2001, and the question is whether we will act to prevent a cyber 9/11 before it happens instead of reacting after it happens.
2:25 am
a very damaging impact on our economic prosperity, because extremely valuable intellectual property is being stolen regularly by people, individuals and groups in countries abroad, and is being replicated without the initial cost of the research done by American companies, meaning that jobs are being created abroad that would otherwise be created here. So when we talk about cybersecurity, there is a natural way in which we are focused on the danger that an enemy will attack us through cyberspace, but as we think about how to grow our economy again and create jobs again, I've come to the conclusion that this is actually one of the most important things we can do: protect the treasures of America's intellectual innovation from being stolen by
2:26 am
contenders abroad -- competitors abroad. A very distinguished group of security experts, led by former Department of Homeland Security Secretary Michael Chertoff and former Defense Secretary Bill Perry, across both parties issued a warning, and I quote: the constant barrage of cyber assaults has inflicted severe damage to the national and economic security as well as the privacy of individual citizens. The threat is only going to get worse. Inaction is not an acceptable option, end of quote. I agree. The bill before us today is the product of hard work across party lines and committee jurisdictional lines, and I particularly want to thank my colleague Senator Collins, and Senators Jay Rockefeller and Dianne Feinstein, for all the hard and cooperative work in getting us to this point, where
2:27 am
we are going to be privileged to hear from all three of them shortly. I also want to thank Senator Carper, who isn't here yet, for his significant leadership contributions to this effort, and I want to thank the witnesses who are here. We've chosen the witnesses deliberately because they hold differing points of view on the problem, on the legislation we have crafted and on the challenges we face, and we look forward to their testimony. So this Cybersecurity Act of 2012 does several important things to beef up our defenses in the new battleground of cyberspace. First, it ensures the cyber systems that control our most critical privately owned and operated infrastructures are secure, and that is the key: the privately owned and operated cyber infrastructure can well be, and probably will someday be, the target of an enemy attack. It is today the target of
2:28 am
economic exploitation, and we have got to work together with the private sector to better secure the systems, both for their own defense and for our national defense. In this bill, the systems that will be asked to meet standards are defined as those that, if brought down or commandeered, could cause mass casualties, evacuation of major population centers, the collapse of the financial markets or significant degradation of national security. This is a tight and high standard. After identifying the systems that meet those standards, the Secretary of the Department of Homeland Security under the legislation would then work with the private sector operators of the systems to develop cybersecurity performance requirements. Owners of the privately operated cyber systems covered would have
2:29 am
the flexibility to meet the performance requirements with whatever hardware or software they choose, so long as it achieves the required level of security. The Department of Homeland Security will not be picking technological winners and losers, and there is nothing in the bill that would stifle innovation. In fact, a letter from Cisco and two of the most prominent I.T. companies concludes that this legislation, and I quote, includes a number of tools that will enhance the nation's cybersecurity without interfering with the innovation and development processes of the American I.T. industry. If a company can show under our legislation to the Department of Homeland Security that it already has high cybersecurity standards met, then it will be exempt from further requirements under this law. Failure to meet the standards
2:30 am
would result in civil penalties that would be proposed by the Department during a standard rulemaking process. The bill also creates a streamlined, efficient cyber organization within DHS that will work with existing federal regulators to ensure no rules are put in place that either duplicate or are in conflict with existing requirements. The bill also establishes a mechanism for information sharing between the private sector and the federal government, and among the operators themselves. This is important because computer security experts need to be able to compare notes in order to protect us from this threat. But the bill also creates security measures and oversight to protect privacy and preserve civil liberties. In fact, the American Civil
2:31 am
Liberties Union has reviewed our bill and says it offers the greatest privacy protections of any cybersecurity legislation that has yet been proposed. I'm going to skip over some of the other things the bill does and just mention that the process by which we reached this legislative proposal was very inclusive: we not only worked across committee lines but reached out to people in business, academics, and civil liberties, privacy and security experts to advise on many of the difficult issues that any meaningful piece of cybersecurity legislation would need to address. I can tell you that literally hundreds of changes have been made to this bill as a result of their input, and we think finally we have struck the right balance. I do want to describe briefly, or mention, some things that are not in this bill.
2:32 am
First and foremost, this bill does not contain a so-called kill switch that would allow the President to seize control of all or part of the internet in a national crisis. It's not there, and it never was. Thank you, Senator. But we put an exclamation point on that by dropping a section that, frankly, people included in the cost, which just wasn't worth it because of the urgent need for this bill. There is also nothing in this bill that touches on the balance between intellectual property and free speech that so aroused public opinion over the proposed Stop Online Piracy Act and the PROTECT IP Act, and has left many members of Congress with scars, or at least a kind of post-traumatic stress syndrome, since they have been
2:33 am
through it. In fact, if this is not the ultimate verification of my assertion that there's nothing anywhere like what concerned people in SOPA and PIPA: Mr. Stewart Baker was a leading opponent of those, but he is testifying today in favor of our bill. After the Cybersecurity Act of 2012 becomes law, the average internet user will go on using the internet just as we do today, but hopefully, as a result of the law and the outreach pursuant to it, far better equipped to protect their own privacy and resources from cyberattack. Bottom line: a lot of people have worked very hard to come so far, in a very bipartisan way, to face a real and present danger to our country, and we cannot allow this to slip away from us.
2:34 am
I feel very strongly that we need to act now to defend America's cyberspace as a matter of national and economic security. Senator Collins. >> Mr. Chairman, let me first applaud you for your leadership on this very important issue, as well as the leadership of our two witnesses, Senator Rockefeller and Senator Feinstein, who contributed so much to this issue and this bill, and I personally thank you for holding this important hearing today. After the 9/11 attacks, we learned of many early warnings that went unheeded, including an FBI agent who warned that one day people would die because of the wall that kept law enforcement and intelligence
2:35 am
agencies apart. When a major cyberattack occurs, the ignored warnings will be even more glaring, because our nation's vulnerability has already been demonstrated by the daily attempts by nation states, terrorist groups, cyber criminals and hackers to penetrate our systems. The warnings of our vulnerability to a major cyberattack come from all directions and countless experts, and they are underscored by the intrusions that have already occurred. Earlier this month, the FBI Director warned that the cyber threat will soon equal or surpass the threat from terrorism. He argued that we should be addressing the cyber threat with
2:36 am
the same intensity that we have applied to the terrorist threat. The Director of National Intelligence, James Clapper, made the point even more strongly, describing the cyber threat as a profound threat to this country, to its future, its economy, its very well-being. The Director warned that the cyber threat has spread to a growing number of the systems with which we interact every day: the electric grid, water treatment plants, the key financial systems. Similarly, General Keith Alexander, the commander of U.S. Cyber Command and the Director of NSA, has warned that our cyber vulnerabilities are extraordinary, and characterized a disturbing trend from exploitation to disruption to
2:37 am
destruction. These statements are just the latest in the chorus of warnings from current and former officials. And the threat, as the Chairman pointed out, is not just to our national security, but also to our economic well-being. A study last year calculated the cost of global cybercrime at $114 billion annually. When combined with the value of the time victims lost due to cybercrime, this figure rose to $388 billion, and the study described this as significantly more than the global black market in marijuana, cocaine and heroin combined. And in an op-ed last month entitled China's cyber thievery is national policy and
2:38 am
must be challenged, former DNI Mike McConnell, former Homeland Security Secretary Michael Chertoff, and a former Deputy Secretary of Defense noted the ability of cyber terrorists to cripple our critical infrastructure. They sounded an even more urgent alarm about the threat of economic cyber espionage, citing an October 2011 report by the Office of the National Counterintelligence Executive. These experts warned of the catastrophic impact that cyber espionage, particularly that pursued by China, could have on our economy and competitiveness. They estimated the cost easily reaches billions of dollars and millions of jobs. This is all the more menacing
2:39 am
because it is being pursued by a global competitor seeking to steal the research and development of American firms to undermine our economic leadership. The evidence of our cybersecurity vulnerability is overwhelming. It compels us to act now. Now, some members have called for yet more studies, even more hearings, additional markups. In other words, more delay. The fact is, since 2005 alone, our committee has held ten hearings on the cyber threat, including today's hearing. I know the Commerce and the Intelligence Committees have held many more.
2:40 am
In 2011, Chairman Lieberman, Senator Carper and I introduced our cybersecurity bill, which was reported by this committee later that same year. Since last year, we've been working with Chairman Rockefeller to merge our bill with legislation that he championed, which was reported by the Commerce Committee. Senator Feinstein has done groundbreaking work on information sharing, which she has been kind enough to share. Based on the feedback from the private sector, our colleagues and the administration, we have produced a refined version which is the subject of today's hearing, and it's significant that three Senate chairmen with jurisdiction over cybersecurity have come together on these
2:41 am
issues, and each day that we fail to act, the threat increases to our national and economic security. Others of our colleagues have urged us to focus narrowly on the Federal Information Security Management Act, as well as on federal R&D and improved information sharing. We do need to address both issues, and our bill does just that. With 85% of the nation's critical infrastructure owned by the private sector, the government also has a critical role to play in ensuring that the most vital part of that infrastructure, those whose disruption could result in truly catastrophic consequences, meet reasonable risk-based
2:42 am
performance standards. In an editorial this week, the "Washington Post" concurred, writing that critical systems have remained unprotected. Some of our colleagues are skeptical about the need for any new regulation. I have opposed efforts to expand regulations that would burden our economy. But regulations that are necessary for our national security and that promote rather than hinder our economic prosperity strengthen our country. They are in an entirely different category. The fact is the risk-based performance requirements in our bill are targeted carefully. They apply only to those specific systems and assets, not entire companies, that if
2:43 am
damaged could reasonably result in mass casualties, mass evacuation, catastrophic economic damage, or severe degradation of our national security. In fact, some of the witnesses think that we have gone too far in that direction. Senator Lieberman has described much of what the bill contains, so I will not repeat that in the interest of time. Let me just say that this bill is urgent. We cannot wait to act. We cannot wait until our country has a catastrophic cyberattack, and it would be irresponsible of Congress not to pass legislation due to turf battles or due to dubious claims by some
2:44 am
businesses that we are somehow harming our economy. In fact, what we are doing is protecting our economy and our way of life. Thank you, Mr. Chairman. >> Thank you for that strong statement. I agree with you, and I would just correct one part. You said how pleased we were that the three committee chairs with jurisdiction have come together on the bill; since I consider you the co-chair of this committee, I would say it was four, and I appreciate very much your contribution to this effort. We are really grateful to have Senator Rockefeller and Senator Feinstein, and again I can't thank you enough for the work that we've done together. I think it is a very powerful statement that we agreed on a consensus bill, and I hope it enables us to move it through the Senate. I know the Majority Leader is really concerned about the threat and is committed to getting time on the floor.
2:45 am
Senator Rockefeller, Mr. Chairman, we welcome your testimony now. >> Thank you, Chairman Lieberman and Ranking Member Collins. You are quite right about that. I think Senator Reid wants this on the floor as soon as possible, and the thing that scares me more than anything is the fact we have had so many hearings, and yet that was necessary to get to the agreements that we have come to, and they are solid now, rock solid, but we still have to find the time for it. This isn't going to be an easy time, so the pressure on this Congress, on both the House and the Senate, to come through on this in the face of all this danger is huge, and not yet guaranteed. I think our government needs a lead civilian agency to coordinate our civilian cybersecurity efforts, and that the agency should of course be the Department of Homeland Security under the superb leadership of Janet Napolitano. I want to emphasize our bill
2:46 am
represents expertise, as both of you have said, from the three Senate committees, and that is as it should be. We have eagerly sought, as you mentioned, Senator Lieberman, and have received constructive criticism and input from a lot of places. I remember giving a speech, I think two years ago, to a business group presenting ideas that Olympia Snowe and I had for this, and they were just surprised to hear somebody was willing to listen to them and their complaints, and there were a lot of them. It's -- even when people refuse to engage with us, and there has been that, even within the Senate, refusing to discuss with our staff or to have discussions, that doesn't mean we don't take some of their suggestions, and we have done that, because if they don't want to engage, that's okay. If they have good suggestions, we put them in to make a stronger bill. Beyond the bill's principal authors, Senator Collins and
2:47 am
Feinstein and myself, it reflects the input of senators on both sides of the aisle, as it should, which gives me hope for final passage. Senator Snowe liked a lot of the bill as reported last year, as you know. Senator Carper was a co-author of the bill. Both have had major input on this bill. Senator Hutchison and her staff worked with us a good part of the past two years. She's my ranking member, and superb. I call her the co-chair, too, and we have tried hard to address all of her specific concerns, and I think that we have in fact met most of her concerns. We have sought to engage Senator Chambliss, and before him Senator Bond, in the same fashion. There was reluctance at some point to discuss, but it didn't make a difference. We were interested in what they had, and if it was something good we put it in the bill. We wanted it in the bill, and then it had to pass the future
2:48 am
test set by all the efforts. Senator Kyl and Senator Whitehouse contributed an entire title regarding cybersecurity awareness, and Senators Kerry, Lugar, Gillibrand and Hatch did the same thing regarding diplomacy. Because of Senator McCain's concerns, we altered significant language pertaining to the White House cyber office. When colleagues had ongoing questions about a provision that I first believed, and still believe, to be extremely important, I agreed to drop it from the latest bill. This provision that I'm talking about would clarify private sector companies' existing requirements regarding how the risks pertaining to cyber have to be disclosed to investors in filings, because, as you know, at one point, out of frustration, I went to the SEC, and Mary Schapiro agreed that if you are attacked as a company, it goes on the website of that company,
2:49 am
and that has had a substantial impact, actually. I believe the provision is crucial for the market to help solve our cyber vulnerabilities, and we will wait for an amendment on the floor, as it should be. That's the way the system works, but in the interest of providing more time to address questions, I agreed to take it out of the bill being introduced this week. Any suggestion that this process has been anything but open and transparent is false. This has been an open process, and lengthy, as has been pointed out. Why have we worked so tirelessly to include the views of all sides? Tried to get this right? Because our country and communities and citizens are at a grave risk. They simply are. I'm not sure if they are aware, because there are so many things reported in the news cycle that have almost diminished the overall aggregated weight of the
2:50 am
danger. So our citizens have to be aware of this. It's not a Republican or Democratic issue; it is a life or death issue for the economy and for us as people. I want to be clear: this cyber threat is very real. This is not alarmist. It's hard to talk about this sometimes without seeming alarmist, and yet it simply reflects the truth. Hackers supported by the governments of China and Russia, and sophisticated criminal syndicates with potential connections to terrorist groups, are now able to crack the code of government agencies, including sensitive ones, and the Fortune 500. They can do that, and they do that on a regular basis. Senator Collins mentioned what Michael Mullen said and pointed out that we are being looted of our valuable possessions on a phenomenal scale, but that isn't the end of the problem. The reason that this
2:51 am
cyber threat is a life or death issue is the same reason a burglar in your house is a life or death issue. If a criminal has broken into your home, how do you know what he wants to do? Is it to take your belongings, or something more? You don't know. He's in the building, in your home. That's where we are now, in terms of the country. So that's the situation we face, that they have thrown at us. Michael Mullen, as Senator Collins indicated, said that the only other threat on the same level as the cyber threat is Russia's stockpile of nuclear weapons. FBI Director Mike Mullen -- the first thing after 9/11 we had to pass, sadly, pathetically, was a law to say that the CIA and FBI could talk to each other. How pathetic could that be? That's where we were, because of the stovepipes and things of that sort. Senator Mullen, I mean Director
2:52 am
Mueller, testified to the Congress recently that the cyber threat would soon overcome terrorism as his top national security emphasis. So, it's all very serious, and you can't exaggerate it, and it could happen. So then you think about how people could die. A cyberattack on the air traffic control system. I was talking to Secretary Napolitano just before this hearing. Often over big cities it gets very soupy. People don't like to be in soupy weather. They can't be above or below. But they are protected because of the air traffic control system, and we will put in a modern one with the same situation to prevail. The cyber hackers can take that out. They can take out the city, or a group of cities; they can take out the capacities so the planes are literally flying in the dark, and they will fly into each other and kill a lot of people, and people have to understand that.
2:53 am
They can crash trains that carry toxic materials, deadly materials, through the major cities, and there can be a massive explosion from that, so we are on the brink of a very serious happening. We have not reached that, which is one of our problems in getting legislation passed. But we can act now in trying to prepare ourselves. Let me close by saying that I was on the Intelligence Committee during that time leading up to 2001, and the world was alive with reports of people coming in and going out of our country, and the dots here and there that appeared to be connected but we were not quite sure, and what about this, and folks in the house in San Diego, and all of that was up there with the closing down of the bin Laden unit, with the message from the government to the -- to the
2:54 am
community. The national security apparatus was working very hard on that; they took it seriously, but they didn't get deep enough because it was a new phenomenon. Well, here we are in a very similar situation. It's already with us. It's much more obvious than the lead-up to 2001 was, so we now have to act. We do not have the luxury of waiting to see it develop. We have to act. At some point the Congress has to assert itself; the government does have a role, but this isn't a heavy-handed thing, as Senator Collins pointed out. It's not. But the federal government is involved because it is a matter of national security, so I just want to work with anybody and everybody to get this passed through both houses in the United States Senate -- Congress. >> Thank you, Senator Rockefeller. That was great. Chairman Feinstein, welcome. You
2:55 am
contributed immensely, particularly to the information sharing section of the bill, and you bring all the expertise on intelligence of the Senate Committee on Intelligence. >> Thank you very much, Mr. Chairman and Senator Collins, Senator Landrieu. I look at this as finally the Senate is coming together and we are settling on one bill. This is the bill; if it needs improving, we will improve it, but we have the focus now, and with the focus we can hopefully move forward. I want to thank you for the hard work and for the hearings you've held, and for all of the offers of consultation that you have placed out there to us. Let me speak for a moment about what we do in the Intelligence Committee. We have examined cyber threats to our national and economic security, and just last month at the worldwide threat
2:56 am
hearing, which is an open hearing, we heard FBI Director Bob Mueller testify that the cyber threat, which cuts across all programs, will be the number one threat to the country, and already cyber threats are doing great damage to the United States and the trend is getting worse. Let me give you four examples. What's interesting is we know about these when they happen, but they are often classified because the people they happen to don't want it released, because their clients will think less of them, and of course it's not their fault, but nonetheless. I think it is fair to say that the Pentagon networks are being probed thousands of times daily, and its classified military computer networks suffered a significant compromise in 2008, and that is according to the former Deputy Defense Secretary.
2:57 am
In November 2009, the DOJ charged seven defendants from Estonia, Russia and Moldova with hacking into the Royal Bank of Scotland and stealing $9 million from more than 2,100 ATMs in 200 cities worldwide in 12 hours. In 2009, federal officials indicted three men for stealing data for more than 130 million credit cards by hacking into five major companies' computer systems, including 7-Eleven, Heartland Payment Systems and a supermarket chain. Finally, an unclassified report by the intelligence community in November 2011 said cyber intrusions against companies cost untold billions of dollars
2:58 am
annually, and the report named China and Russia as aggressive and persistent cyber thieves. Modern warfare already employs cyber attacks, as seen in Estonia and Georgia. And unfortunately, it may only be a matter of time before we see cyber attacks that can cause catastrophic loss of life, whether by terrorists or state adversaries. Our enemies are constantly on the offensive, and in the cyber domain it is much harder for us to play defense than it is to attack. The hard question is what do we do about this dangerous and growing cyber threat. I believe the comprehensive bill that has been introduced, the Cybersecurity Act of 2012, is an essential part of this answer.
2:59 am
I would like to speak briefly on the cybersecurity information sharing bill that I introduced on Monday and that you have included in Title VII of your legislation. The goal is to improve the ability of the private sector and the government to share information on cyber threats that both sides need to improve their defenses. However, a combination of existing law, the threat of litigation and standard business practices has prevented or deterred private sector companies from sharing information about the cyber threats they face and the loss of information and money they have suffered. We need to change that through better information sharing that companies will use, that protects privacy interests, and that takes advantage of classified information without
3:00 am
putting that information at risk. So here is what we have tried to do in Title VII. Number one, affirmatively provide private sector companies the authority to monitor and protect the information on their own computer networks. Number two, encourage private companies to share information about cyber threats with each other by providing a good-faith defense against lawsuits for sharing or using the information to protect themselves. Number three, require the federal government to designate a single focal point for cybersecurity information sharing. We refer to this as a cybersecurity exchange, to serve as a hub for appropriately distributing and exchanging cyber threat information between the private sector and the government. This is intended to reduce
3:01 am
government bureaucracy and make the government a more effective partner with the private sector, but with protections to ensure that private information is not misused. This legislation provides no new authority for government surveillance. Fourth, establish procedures for the government to share classified cybersecurity threat information with private companies that can effectively use and protect that information. This, we believe, gives the intelligence community what it requires without putting our sources and methods at risk or turning private cybersecurity over to our intelligence apparatus. There's something that is not yet included in this bill, and that is data breach notification. This is an issue I've worked on
3:02 am
for over eight years, since California had a huge data breach that we only inadvertently found out about. There have been literally hundreds of thousands of data breaches. It's an urgent need. It's called the Data Breach Notification Act, which has come out of the Judiciary Committee, and it accomplishes what in my view are the key goals of any data breach notification legislation. One, notice to individuals, who would better be able to protect themselves from identity theft. Number two, notice to law enforcement, which can connect the dots between the breaches and cyber attacks. This is important: the preemption of the 47 different state and territorial standards. This is a problem, 47 different laws in the country. It makes it very difficult, and
3:03 am
private sector companies will not be subjected to conflicting regulation if there is one basic standard across the country. I know that Senators Rockefeller and Pryor have a bill in the Commerce Committee, and Senators Leahy and Blumenthal have their own bills, which also were reported out of the Judiciary Committee. But the differences in our approaches are not so great that we can't work them out, and I am very prepared to sit down with members of this committee, with Senator Rockefeller and others, to find a common solution. But I would really ask for you to add data breach preemption across the United States, so that there is one standard for notification to an individual of a data breach, and of communication with law enforcement, that goes all across America.
3:04 am
Until we have that, we really won't have a sound data breach system. Let me just thank you. I think we are on our way. I'm really so proud of both of you on this committee for coming together. Thank you very much. >> Thanks very much, Senator Feinstein. Thanks for your testimony, and I am personally very supportive of the proposal, and I look forward to working with you and, as you say, the others that have bills, to see if we can find a way to include that in this proposal when it comes to the floor. Thank you very much. >> Thank you. >> Have a good rest of the day. Now, Madam Secretary, I hate to break up the conversation between the current Secretary and the first Secretary, but we
3:05 am
almost had the trifecta of the three secretaries of the department of homeland security. secretary chertoff wanted to testify but had a previous commitment and has filed a statement for the record strongly in support of the legislation. secretary napolitano, thanks very much for being here and for all of the work that you and people in the department have done to help us come to this point with the bill. we welcome your testimony now. >> thank you, chairman lieberman, ranking member collins, members of the committee. i am pleased to be here today to discuss the issue of cybersecurity, and in particular the department's strong support for the cybersecurity act of 2012. i appreciate this committee's support of the department's cybersecurity efforts, the more sustained attention to this issue, and the leadership that you have shown in bringing the bill forward to strengthen and improve our cybersecurity
3:06 am
authorities. i also appreciate and want to emphasize the urgency of the situation. indeed the contrast between the need to respond to the threats we face in this area on the one hand, and the desire for more deliberation and sensitivity to the regulatory burdens on the other, reminds me, as several of you have suggested, of lessons we learned from the 9/11 attack. as the 9/11 commission noted, those attacks resulted in hindsight from a failure of imagination, because we failed to anticipate the vulnerability of our security infrastructure. there is no failure of imagination when it comes to cybersecurity. we can see the vulnerabilities. we are experiencing the attacks, and we know that this legislation would materially improve our ability to address the threat. no country, industry, or individual is immune to the cyber risk. our daily lives, economic
3:07 am
vitality and national security depend on cyberspace. a vast array of interdependent network systems, services and resources are critical to our communications, travel, power in our homes, running our economy and obtaining government services. cyber incidents have increased dramatically over the past decade. there have been instances of theft and compromise of sensitive information from both government and private sector networks, and all of this undermines confidence in the systems and the integrity of the data that they contain. combating evolving cyber threats is a shared responsibility that requires the engagement of our entire society, from government and law enforcement to the private sector and, most importantly, members of the public. dhs plays a key role in this effort, both in protecting federal networks and working with the owners and
3:08 am
operators to secure their networks through risk assessment, mitigation and response capabilities. in fy 2011, our us-cert team at dhs received over 106,000 incident reports from federal agencies, critical infrastructure and our industry partners. we issued over 5200 cyber alerts that are used by private sector and government network administrators to protect their systems. we conducted 78 assessments of control system entities and made recommendations to the companies about how they could improve their own cybersecurity. we distributed 1150 copies of our cyber evaluation tool. we conducted over 40 training sessions, all of which makes the owners and operators better equipped to protect their networks. to protect federal civilian agency networks we are deploying technology to detect and block
3:09 am
intrusions of these networks in collaboration with the department of defense. we are providing guidance on what agencies need to do to protect themselves and we are measuring implementation of those efforts. we are also responsible for coordinating the national response to significant cyber incidents and for creating and maintaining a common operational picture for cyberspace across the entire government. with respect to critical infrastructure, we work with the private sector to help secure the systems upon which americans, including the federal government, rely, such as the financial sector, the power grid, the water systems and transportation networks. we pay particular attention to the industrial control systems which control processes of power plants and transportation systems alike. last year we deployed seven response teams to such critical infrastructure organizations at
3:10 am
their request in response to important cyber intrusions. to combat cybercrime, we leverage the skills and resources of dhs components such as the secret service and cbp, and we work very closely with the fbi. dhs serves as the focal point for the government's cybersecurity outreach and public awareness efforts. as we perform the work, we are mindful that one of our missions is to ensure that privacy, confidentiality and civil liberties are not diminished by our efforts. the department has implemented strong privacy, civil rights and civil liberties standards in all of its cybersecurity prevention initiatives from the outset, and we are pleased to see this in the draft bill. now, administration and private sector reports going back decades have laid out cybersecurity strategies and highlighted the need for legal authorities. in addition, statutes from the homeland security act of 2002
3:11 am
specifically directed dhs to enhance the security of nonfederal networks by providing analysis, crisis management support and technical assistance to state and local governments and the private sector. policy initiatives have had to supplement the existing statutes. these initiatives strike a common chord; indeed this administration's cyberspace policy review in 2009 echoed in large part a similar review by the bush administration. and we've had numerous contributions by private sector groups, including the csis study led by jim lewis, one of your witnesses today. still, dhs executes its portion of the federal cybersecurity mission under an amalgam of authorities that have failed to keep up with the responsibilities with which we are charged. to be sure, we've taken significant steps to protect
3:12 am
against evolving cyber threats. but we must recognize the current limits of our existing authorities. our nation cannot improve its ability to defend against cyber threats unless certain laws that govern cybersecurity activities are updated. we have had many interactions with this committee and with congress to provide our perspective on cybersecurity. indeed, in the last two years, department representatives have testified in 16 committee hearings and provided 100 b-1 staff briefings. there has been bipartisan agreement; in particular, many would agree with the house republican cyber task force, which stated, quote, congress should consider carefully targeted directives for limited regulation of critical infrastructure to advance the protection of cybersecurity. the recently introduced legislation contains great
3:13 am
commonality with the administration's ideas and proposals, including two crucial concepts that are essential to our efforts. first, addressing the urgent need to bring the core critical infrastructure to a baseline level of security, and second, fostering information sharing, which is absolutely key to the national security effort. all sides agree that federal and private networks must be better protected and that information should be shared more easily, and yet still more securely. and both the proposals in the senate legislation would provide dhs with clear statutory authority commensurate with our cybersecurity responsibilities and remove legal barriers to the sharing of information. senate bill 2105 would expedite the adoption of the best cybersecurity solutions by the owners and operators of critical infrastructure and give businesses, states and local governments the immunity they need to share information about
3:14 am
cyber threats or incidents. there is broad support as well for increasing the penalties for cybercrime and for creating a uniform data breach standard to protect consumers. this proposal would make it easier to prosecute cyber criminals and establish national standards requiring businesses and core infrastructure that have suffered an intrusion to notify those that have the responsibility for mitigating, and for helping them mitigate. i hope the current legislative debate maintains the bipartisan center that it has benefited from so far and builds from the consensus that spans two administrations and this committee over the last several years. let me close by saying now is not the time for half measures. as the administration has stressed repeatedly, addressing only a portion of the needs of cybersecurity professionals will continue to expose our
3:15 am
country to serious risk. for example, only providing incentives for the private sector to share more information will not in and of itself adequately address critical infrastructure vulnerabilities. and let us not forget that innumerable small businesses rely on this critical infrastructure for their own survival. as the president noted in the state of the union address, the american people expect us to secure the country from the growing danger of cyber threats and to ensure the nation's critical infrastructure is protected. as the secretary of homeland security, i strongly support the proposed legislation. it addresses the need, the urgency and the methodology for protecting the nation's critical infrastructure. there is no more pressing legislative proposal in the current environment. i want to thank you again for the important work that you have done and i look forward to answering the committee's
3:16 am
questions. >> thanks very much, madame secretary. we will do a six minute round of questions because we have a large number on the second panel, and some people have to leave. madam secretary, let me get right to one of the issues that has been somewhat in contention, which is that there are some people who have said that the expanded authority, particularly related to cyber infrastructure owned and operated by the private sector, would better be handled by the department of defense or the intelligence community; in other words, they should take the lead in protecting federal civilian networks. i wonder if you would respond as to why you think the department of homeland security, as obviously we do, is better prepared to take on this critical responsibility. >> several points. first, the department of homeland security, as i stated,
3:17 am
already has exercised authority in the civilian area, working with the private sector, working with federal civilian agencies. so that is a space we are already filling, and we continue to grow our capacity to fill it. second, military and civilian authorities and missions are different, and there are significant differences. for example, the privacy protections that we employ within the exercise of that authority. and then finally, i would note that both dod and dhs use the technical expertise of the nsa. we are not proposing, and have never proposed, that a second one would be created, but rather that there would be different lines of authority that emanate, using it, one of course for civilian and one of course for the military. >> that's a very important
3:18 am
factor. i want to come back to that in a minute, but one of the opinions expressed to the committee as we face the challenge and decide which part of our government should be responsible for this is that there would probably be deep and widespread concern among the public if we, for instance, asked the national security agency or the department of defense to be directly in charge of working with the privately owned and operated cyber infrastructure, and particularly with nsa, about privacy and civil liberties concerns. does that make sense to you? >> i've heard the same concerns. they do make sense, and when secretary gates and i signed the memorandum of understanding
3:19 am
and figured out the division of the responsibilities and how we were each going to use the nsa, one of the things we were careful to elaborate is, in the discussion of the protections of privacy and civil liberties, to ensure that to the extent we have people over at the nsa they are accompanied by people from the office of privacy and the office of general counsel to make sure those protections are abided by. >> i'm glad you mentioned the memorandum between the department of homeland security and the nsa, because i want to make this point: senator mccain and i codified that memorandum of understanding in law in the national defense authorization act that was passed at the end of last year, but that memorandum doesn't, if i can put it this way, preempt the need for this legislation. in other words, that memorandum doesn't allocate responsibility with regard to working with the
3:20 am
private sector, or having the authority to require the private sector to take steps to defend themselves and our country from cyberattack. is that right? >> that's right, mr. chairman. it is a memorandum that describes the division of how we would each use the resources of the nsa, but it doesn't deal with the protection of the core critical infrastructure the way that the bill does. it doesn't deal with the private sector at all the way the bill does. it doesn't deal with information exchange the way the bill does. so it really was designed to make sure that, at least with respect to how we each use the nsa, we have a meeting of the minds. >> there's nothing in your opinion inconsistent between the memorandum of understanding between dhs and nsa and the cybersecurity act of 2012? >> not at all. >> i'm pleased to note for the record that in testimony earlier
3:21 am
this week, secretary of defense leon panetta and the chairman of the joint chiefs of staff, general dempsey, both endorsed this legislation, and then this morning before the armed services committee, the director of national intelligence, burgess, and the head of the national intelligence agency also endorsed the legislation. both of those expressions of support were unexpected by senator collins and me and therefore all the more appreciated. i wanted to ask you this question: dhs's industrial control systems cybersecurity response team has played a critical role for the owners and operators of critical infrastructure. can you describe some of their capabilities and the work they've done to assist private entities? >> well, what they have done is to help isolate and identify,
3:22 am
when they have been notified of attacks on industrial control systems, the source of the attack and the methodology with which it was conducted, to work with the entity to prepare the patch, and then to make appropriate disclosures or sharing of information to other control systems that could be subject to a similar attack, either in that particular industry or in other industries. >> so, on a voluntary basis, if i can put it this way, dhs has developed the capability and relationships of working with the private sector that will be strengthened by this legislation? >> yes. since the passage of the national infrastructure protection act in 2006, you know, we've been working with critical infrastructure through the coordinating councils. that's a lot of names, and what it basically means is we have a
3:23 am
process in place for dealing with the private sector and for exchanging some information on a voluntary basis. but that doesn't mean we get all of the necessary information we need from the core critical infrastructure. that's one of the problems the bill addresses. >> thank you very much. my time is up. senator collins? >> thank you, mr. chairman. madam secretary, to follow up on a question that the chairman asked you, it's my understanding that dhs has unique expertise in the area of industrial control systems that is not replicated at any other government agency. is that correct? >> yes. >> and that's important because industrial control systems are a key part of critical infrastructure like the electric grid and water treatment plants.
3:24 am
is that also correct? >> yes, and when you think about it, if you have the ability to interrupt the control system, you can take down an entire protective network. you can interfere with all of the activities there, and the attacks on the control systems are growing more and more sophisticated all the time. >> can you tell us about work being done by dhs with your ics team with respect to the u.s. electric grid?
3:25 am
with defense contractors in an effort to better defend systems that contained information critical to the department's programs and operations. i understand that dhs is now the lead for coordinating this program with the private sector and it's being expanded to other critical infrastructure sectors. could you tell the committee why the administration decided to
3:26 am
transfer this pilot program from dod to the department of homeland security? >> the pilot gets to the division of responsibility between military and civilian, and what we are talking about here are basically private companies that do important defense contracting work, but they're nevertheless private companies, and the authorities and laws we use are better situated in dhs, which deals in that context, as opposed to dod. so we have been working with dod on the design of the pilot, the initial aspects of it, and now the decision was made to extend it and to grow it. the decision was also made that it's more appropriately located within dhs.
3:27 am
>> the bill provides the authority to dhs to set risk-based performance standards for critical infrastructure. do you believe that we can achieve great progress in improving our cybersecurity in this country absent that authority? >> i think it makes it tougher. we have, as i said in my testimony, the basic authority under the homeland security act. we have authorities by various presidential directives. but nowhere do we have explicit authority to establish, on a risk-based level, on a risk-based basis, the protection necessary for critical infrastructure. >> finally, i think that a lot of people are unfamiliar with a
3:28 am
lot of the work that the department has already done in the area of cybersecurity, including the fact that there is a 24-hour, seven day a week national cybersecurity and communications integration center, called the nccic. could you explain to the committee and those watching this hearing how this center operates and what it does with respect to the private sector? >> the nccic is an integrated 24/7 watch center for cyber, and it includes on the floor not only dhs employees but representatives from other federal agencies, from critical infrastructure sectors that coordinate with us through the nipp. lots of acronyms in the
3:29 am
cyberworld. and it has representatives from state and local governments as well, because a lot of the information sharing is applicable to them. >> thank you. thank you, mr. chairman. >> thank you very much. >> mr. chairman, and madam cochairman, thank you for holding this hearing on the long awaited cybersecurity act of 2012. i welcome all our witnesses, secretary napolitano and governor ridge, who will address different aspects of this bill. i'd like to state from the outset my fondness and respect for the chairman and ranking member, especially when it comes to matters of national security. the criticisms i may have with the legislation should not be interpreted as criticism of them but, rather, of the process by which the bill is being debated and its policy implications. all
3:30 am
of us recognize the importance of cybersecurity in the digital world. time and again we have heard from experts about the importance of possessing the ability to effectively prevent and respond to cyberthreats. we have listened to accounts of cyberespionage from china, organized cybercriminals in russia, and rogue outfits with a domestic presence like anonymous that launch cyberattacks on those who dare to disagree, and our government reports that over the last five years cyberattacks against the united states are up 650%. so all of us agree that the threat is real. it's my opinion that congress should be able to address this issue with legislation a clear majority of us can support. however, we should begin with a transparent process which allows lawmakers and the american public to let their views be known. unfortunately, the bill introduced by the chairman and ranking member has already been
3:31 am
placed on the calendar by the majority leader without a single markup or any executive business meeting by any committee of relevant jurisdiction. my friends, that's wrong. to suggest this bill should move directly to the senate floor because it, quote, has been around since 2009, is outrageous. the bill was introduced two days ago. secondly, where do senate rules state that a bill's progress in a previous congress can supplant that work on the bill in the present one? in 2009, we had a different set of senators. the minority of this committee has four senators on it presently who were not in the senate, much less this committee, in 2009. how can we call it a product of this committee without their participation in committee and executive business? respectfully, to treat the last congress as a legislative
3:32 am
mulligan by bypassing the process is not an appropriate way to begin consideration of an issue as complicated as cybersecurity. in addition to these process concerns, i have policy issues with the bill. a few months ago, as senator lieberman mentioned, he and i introduced an amendment to the defense authorization bill codifying an agreement between the department of defense and the department of homeland security. the purpose of the amendment was to ensure the relationship endures and to highlight that the best government-wide cybersecurity approach is one where dhs leverages, not duplicates, dod efforts and expertise. this bill -- this legislation unfortunately backtracks on the principles of the m.o.a. by expanding the size, scope, and reach of dhs and neglects to afford the authorities necessary to protect the homeland to the only institutions currently
3:33 am
capable of doing so, u.s. cyber command and the national security agency. at a recent fbi sponsored symposium, general keith alexander, the commander of u.s. cyber command, stated that if a significant cyberattack against the country were to take place, there might not be much he and his teams at cyber command can legally do to stop it in advance. quote, in order to stop a cyber attack you have to see it in real time, you have to have those authorities. these are the conditions we put on the table. now, how and what the congress chooses, that will be a policy decision. this legislation does nothing to address this significant concern, and i question why we have yet to have a serious discussion about who is best suited, which agency, who is best suited, to protect our country from this threat,
3:34 am
which we all agree is very real and growing. additionally, if the legislation before us today were enacted into law, unelected bureaucrats at dhs could promulgate regulations on american businesses, which own 90% of the critical infrastructure. the regulations created under this new authority would stymie job creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates. a super-regulator like dhs under this bill would impact free market forces which currently allow our brightest minds to develop the most effective network security solutions. i'm also concerned about the cost of the bill to the american taxpayer. the bill before us fails to include any authorizations or attempt to pay for the real costs associated with the creation of the new regulatory
3:35 am
leviathan at dhs. this eye crepessed be the reality of critical infrastructure, the promulgation of regulation and enforcement will take a small army. i'd like to find out what specific factors went into providing regulatory carve-outs for the i.t. hardware and software manufacturers. my suspicion is that this had more to do with garnering political support and legislative bullying than sound policy considerations. however, i think the fact that such carve-outs are included only lends credence to the notion we shouldn't be taking the regulatory approach in the first place. because of provisions like these and the threat of a hurried process, myself and a total of seven of us, ranking minority members on seven committees, are left with no choice but to introduce an alternative cybersecurity bill in the coming days.
3:36 am
the fundamental difference is we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations. our bill, which will be introduced when we return after the president's day recess, will provide a common-sense path forward to improve our nation's cybersecurity defenses. we believe that by improving information sharing among the private sector and government, updating our criminal code to reflect the threat cybercriminals pose, reforming the federal information security management act and focusing federal investments in cybersecurity, our nation will be better able to defend itself against cyberattacks. after all, we're all partners in this fight as we search for solutions. our first goal should be to move forward together. and i also would ask that there be entered in the record a letter signed by senator chambliss, ranking
3:37 am
member on intelligence, and myself, ranking member on armed services, jeff sessions, ranking member on finances, the ranking member on the commerce committee, the ranking member on the energy committee, and chuck grassley, the ranking member of the finance committee, which is to senator reid, in which we have asked that the legislation go through the regular process with the committees of jurisdiction having a say in this process. so, mr. chairman, i thank you and i yield the balance of my time. >> no balance. [laughter] >> senator mccain, i would turn -- i would turn the -- no, it's not. [laughter] >> look, with the same fondness and respect you expressed for
3:38 am
senator collins and me when you started, i cannot conceal the fact that i am disappointed by your statement. this bill is essentially the one that was marked up by the committee. but that's not the point. the point is we have reached out not only to everybody who was possibly interested in this bill outside of the congress, but opened the process to every member of the senate who wanted to be involved. we pleaded for involvement. and a lot of people, including yourself, have not come to the table. the most encouraging part of your statement is that you and those working with you are going to introduce some legislation, and we'll be glad to consider it. the senate should consider it. i think senator reid intends to hold an open amendment process on this bill. you know, as you stated, this is a critical national security problem, and to respond to it with business about regulation of business -- this is national security. as senator collins said, there's regulation of business that's
3:39 am
bad for business and bad for the american economy. there is regulation, such as we worked hard to include in this bill, that in fact is not only not bad for american business and bad for the american economy but will protect american business and american jobs and help to guarantee more american economic growth. on the question of dod and the intelligence community, i indicated for the record earlier that they have supported our bill this week. i hear what you said about general alexander from nsa, but he has at no point, nor has the department of defense or the dni, come before us and offered any suggestions for additions to this bill that would give him more authority. i'd welcome those suggestions if he wishes. so, i can't -- i had to be honest with you as you have been honest with us, and express my
3:40 am
disappointment and express the only satisfaction i have from your statement, which is that you're going to make a proposal. let our colleagues in the senate consider it, senator collins and i and the others working on the bill will consider it, and let's get something done on a clear and present danger to our country this year. >> mr. chairman, could i say briefly in response, i speak for seven, seven ranking members of the major committees of jurisdiction. i don't speak for myself. there's a breakdown somewhere if seven ranking members of the relevant committees are all joining in this opposition to this process and this legislation. so, if you choose to neglect however many years of legislative experience and time in the senate, that's fine, but there's seven of us that are deeply concerned about this process and the legislation, and we don't think it should go directly to the floor. >> i will say for the record that we have reached out to all
3:41 am
seven in various ways to try to engage their involvement in this bill. i would have much rather preferred to submit a bill, and senator collins as well, that everybody had been involved in discussing. we were very open to trying to find consensus as we did with other chairs who were here. so, nobody is neglecting the expertise. i'm saying i'm sorry that they haven't been engaged before and i'm glad they're going to be engaged now. >> senator moran. >> mr. chairman, thank you. madam secretary, this is my first opportunity to visit with you since the announcement about the president's budget, and i want to talk about a topic unrelated at least to cybersecurity but certainly related to security. and the chairman just spoke about clear and present danger. one that you and i have had a conversation about over a long period of time is related to our food and animal safety and security in this country, and as you can imagine, can expect, the
3:42 am
disappointment that i have, and others in our congressional delegation have, in regard to the president's failure to include dollars related to construction of the national bio and agro-defense facility to replace the aging plum island. we have had a number of conversations, and i will live within my six minutes today to talk about this nongermane topic. but i will have a greater chance to visit in the homeland security appropriations hearing in which you and i will be together in just a few days. but i would not want this opportunity to pass without again delivering the message to you and to the folks at homeland security, who have throughout this process been our allies, and we consider we have been your allies, in an effort to see that a facility designed to make certain that the food and animal safety of this country is protected. you and i had a
3:43 am
conversation in march of last year, less than a year ago, that was in an appropriations -- homeland security appropriations subcommittee. you told me it's something we are supportive of. plum island does not meet the nation's needs in this area. there was a highly contested peer review competition and we look forward to continued construction. we believe that nbaf needs to be built and we need to get on with it. later, in september of that year, you talked about the future. we need to get prepared for the next generation. and again, we need to be confronting the things we face today and the things we will face ten years from now. that series has continued with your testimony and others from homeland security and the u.s. department of agriculture, and i would like for you to, i hope, reiterate the department's position, and yours as
3:44 am
secretary, of continued support and belief in the importance of building this facility, and to explain to me the idea of a reassessment, which, as i read in press reports, is a reassessment in scope only, not in concerns about safety or in concerns about location. >> that's right, senator. and you are right, the president does not request in the budget an appropriation for nbaf, in part because last year we requested $150 million. the house ultimately appropriated 75. the senate appropriated zero. we ended up with 50. and that -- and a lot of extra requirements put on the project, as you just stated. what we have done in this year's budget is allocate $10 million that will go to related animal research at k-state university. i have talked this over with the
3:45 am
governor among others. and in light of the budget control act, and the other changed circumstances we have to deal with, and in light of the fact that we have not been able to persuade the congress to really move forward in a substantial way, on funding the nbaf, we have recommended there be a reassessment in light of the budget control act, in terms not of location, not in terms of need -- both of which i firmly stand by the position i've stated -- but in terms of scoping and what needs to happen so that this project can move forward with the right level of appropriation. >> madam secretary, thank you. i would comment that the solution to lack of funding by congress is not for the administration to not request funding. the solution to that problem is continued support and encouragement for congress to
3:46 am
act. as you say, the house appropriated 75 million last year. the senate, in a conference committee, agreed to 50 million. you also are requesting reprogramming for additional planning of money within this year's budget. again, the money that's there needs to be spent as quickly as possible. i will be asking you, by letter, shortly, to continue the funding of the $40 million that is available, is appropriated, and now as a result of the report filed this week, can be spent to complete the federal share of the utility portion of this facility. based upon what i have heard you say and what i have read you have said, it's not about location. it's not about the site. and it may be about the scope of what will occur. but the utility pad is still important and will be necessary regardless of the scope of that project. so we're going to ask you to
3:47 am
continue the funding you already have committed to and are authorized to now spend, this 40 million, on utilities, and i would add to that point, we have appropriated $200 million, federal dollars. the state of kansas put in nearly $150 million. this is a partnership. we need the federal government to continue its partnership, and in fact on the utility portion we're waiting on the share you're now authorized to spend to be spent, and i appreciate the answer to my question. i have considered you an ally, i continue to consider you an ally, and my plea is, let's work together to see that this congress moves forward on an issue that is important just as cybersecurity is to the economic security and future of our nation. >> senator, i'd be happy to work together with you on this. >> thank you very much. we need your help. >> thank you very much, senator moran. for the information of the members, the order of arrival
3:48 am
today now is senator landrieu, pryor, brown, carper, so senator pryor. >> thank you for this very important meeting, always good to see you madam secretary. let me start, if i may, madam secretary, with a question about -- i think you have already pretty much said that you feel like we need a statute, but i'm curious about what specific authority your agency or the federal government does not have in this area that you need? what specific authority do you feel like you need to accomplish what you need to do here? >> i think the specific authorities the statute contains most important is the ability to bring all of the nation's critical infrastructure up to a certain base standard of security. and to outline the process with which that will occur. >> let me ask you, on a
3:49 am
different topic. i know in reading some of the news stories, trade publications, et cetera, the private sector seems to have hesitation about sharing too much information and understandably so. they may fear that a competitor will get it or it may create liability issues for them or whatever. but do we have an effective mechanism for the private sector stakeholders to share their best practices and potential threats and those concerns without raising issues of their own security and liability and even antitrust concerns? >> no. in fact, another major improvement in the bill over the current situation is it clarifies that kind of information can -- sharing can occur without violating other federal statutes, antitrust, the
3:50 am
electronic communications privacy act. we have had situations where we have had delay in being able to get information and to respond because the lawyers had the first of a company -- had first assess where they would be violating other federal law by alerting the department of homeland security that an intrusion occurred. and i think as you and i can both appreciate, when the lawyers get it, it can take a while. >> i understand. >> the new bill would clarify that should not be a problem. >> okay. and you're comfortable how the new bill is structured in that area? >> yes, i am. >> let me ask about lessons learned. dhs has recently discussed -- it's been discussed beside dhs -- some of the work done in the chemical facility antiterrorist program -- have not really been done as quickly
3:51 am
or as thoroughly as maybe it should have been. and as you know, this bill provides a requirement that dhs produce similar type assessments. so there are lessons learned in this experience that might indicate that we can put that problem behind us and that we can comply with what this law would ask you to do. >> yes, senator. first of all, with respect to cfats, no one is more displeased than i am with the problems that occurred there. there is an action plan in place, changes in personnel and other things, and that program is going to run smoothly, and now that security is -- the security plans are being evaluated, the tiering has occurred and the like. >> there are lessons learned. >> there are lessons learned, as there are in all things, and
3:52 am
this bill is less prescriptive. this is a very regulation-light bill. this is a security bill. this is not a regulatory bill per se. so, -- but in terms just of management and organization, yes, there are some lessons learned. >> great. and i know that a lot of times when we read news media accounts about cybersecurity, and even as we discuss it among ourselves, often times we tend to focus on large companies and breaches that large companies experience. the truth is a lot of small and mid-size companies carry a lot of sensitive information. is dhs working with small to mid-size companies in the way to reach out to them, to talk about best practices or anything like that? >> we conduct a lot of outreach activities with small and medium-sized businesses on a whole host of cyber-related areas. so the answer is yes. >> great. we always want to make sure our
3:53 am
small businesses are taken care of, and obviously if they're the weak link in the chain, that's a real problem. >> senator, as i continued to emphasize, when you're talking about the security of core, critical infrastructure, if that goes down, a lot of these small businesses are dependent on that and they will fail. >> that's exactly right. also, we also can talk about the federal government but also state governments have this same issue in their states, cybersecurity, and obviously you're a former governor, former attorney general, as is the chairman here, general lieberman. so, you appreciate that state perspective. are you working with states to try to talk about their best practices and lessons you learned? >> yes, we are. we work with a multistate information system and they provide input into this nccic, the center we talked about. >> great. mr. chairman, that's all i have. i yield back the balance of my
3:54 am
time. >> thank you, general pryor. next is senator carper. >> could i have his 14 seconds? >> you got it. >> madam secretary, good to see you. good to see a former secretary out there, former governor out there, former congressman out there, tom ridge. nice to see our witnesses. thank you for being here. one of the things my colleagues know is i like to develop consensus. and my hope is that when we adjourn here today we'll have identified, not just where we have differences but we have identified where we can find some common ground, so i ask a couple of questions with that in mind. i want to return to the comment of my colleague from arizona, and sort of a cautionary note. i just want to second what the chairman said, regulation can be a problem. it can be problematic if we don't use common sense and look at cost benefit analysis, it can
3:55 am
be a bad thing. having said that i always remember meeting with a bunch of utility ceos about six or seven years ago and they were meeting with me about clean air issues, mercury, co2, and were trying to decide what a password should be. so finally a ceo from someplace down south, an old guy, said, look, senator, just do this, tell us what the rules are going to be, give us some flexibility, give us a reasonable amount of time, and get out of the way. that's what he said. i've always remembered those words and i think it may apply here to today. i want to thank the chairman and our ranking member, susan collins, for calling a hearing, for working with us, for giving what the chairman said -- mentioned trying to open up -- got an idea, bring it to us, and
3:56 am
that, i think, an open door, and too bad some haven't taken full opportunity of that. we have a lot of distractions around here. we know we're being attacked in cyberspace. some are there to cause mischief, some steal ideas, steal our defense secrets, steal our intellectual property, blackmail businesses and nonprofits and do worse. also the challenges i think we have here, really need a plan, a road map, i call it a common sense road map to move forward. and i hope we can move along that way today. i'm especially pleased the legislation that is being introduced includes a number of security measures my staff and i worked on with my colleagues for years to better protect our federal information system, and having said that, i'd like to begin, madam
3:57 am
secretary, by asking a couple of questions about the department's efforts in this area, if i could. as you know i've been calling for some major changes to the laws that control how federal agencies protect their information, our information systems. when the subcommittee i chair first looked at this issue several years ago we found that federal agencies were wasting millions of dollars on reports that nobody read. nobody read and hardly anybody understood. they didn't make us any safer. the bill that is before us today includes many improvements to the so-called federal information security management act, affectionately known as fisma, and it's hoped our federal agencies are responding to threats and not just writing paper reports. from what i understand many agencies are taking steps to improve their security measures to make fisma more effective,
3:58 am
despite the outdated legislation. i commend you for putting forward a budget request that would ensure your department has the resources necessary to address the growing responsibilities. here's the question. a long windup, huh? can you describe the current limitations of fisma and why the new tools we might give you might be needed. >> well, i think just getting back, one of the key things that this bill would do is by clarifying and centralizing where the authorities lie within the government and how those relate with -- to the fisma among other things so that it really sets, as you say, the common sense road map for how we move forward. we have done a lot with the
3:59 am
civilian networks of the government. they have been repeatedly and increasingly attempting to be infiltrated and intruded upon all the time. we have almost completed the deployment of what's known as einstein 2. we are working on the next iteration. we have also in the president's budget request, asked for budget that would be held by the department of homeland security but would be idea to help improve or raise the level of i.t. protection within the civilian agencies. >> thank you. very quickly if i can follow up and get more specific. can you talk a little bit more about how your department will be able to achieve what the president has requested, for federal network security and how this legislation will impact those activities. can you just go down for -- go
4:00 am
over it? >> what it allows us to do and what we will be able to do is have a fund out of which we can make sure that the civilian agencies of government have -- deploying best practices, hiring qualified personnel, and other ways strengthening their own cybersecurity within the federal government. >> all right, thanks. mr. chairman, if i could just say in conclusion, one of the things i hear a lot from, this is across the country and certainly in delaware -- they want us to provide certain predictability and one of the things we're trying to do with this legislation is just that, predictability and certainty. and it would be really helpful to figure out ways to not divide us but help bring us together. thank you.
4:01 am
>> thank you. senator levin. >> mr. chairman and ranking member, thank you for taking the initiative on this with other colleagues. thank you, madam secretary, for all the work the white house did on a similar bill which you worked on which i understand is basically part of now this pending bill which is on the calendar. i'm trying to understand what the objections are to the bill. it seems to me as if a whole bunch of protections in here for the private sector. i haven't read the bill yet but read a summary. there's a self-certification or third-party assessment of compliance with the performance requirements. i understand there's an appeal of those requirements if there's objection to it. i understand and believe the owners of covered critical infrastructure that are in substantial compliance with the
4:02 am
performance requirements are not liable for punitive damage, which arise from an incident related to a cybersecurity risk. so, you have here something unusual, i believe, actually for the private sector, which is a waiver of punitive damages, and i think that's fairly -- i don't know it is unique but i think it's fairly unique in legislation to waive the possibility of punitive damages in case of a liability claim. there's a number of other protections in the privacy area, as i read the summary of this bill. for the information which must be provided where there's a significant threat which is identified. i'm trying to identify -- and i'm not going to be able to state it here from the next panel -- what the objections are. i surely will read the letter from the opponents and will
4:03 am
study the bill that senator mccain referred to, but i'm trying to the best of my ability as we go along, to see exactly what those objections are. there seems to be privacy protection here. there seems to be self-certification here, which avoids part of a bureaucracy, at least. there's limits on liability where there's good faith defense for cybersecurity activities as the bill's heading says. there's a number of other protections. can you to the best -- i don't want you to argue for the people who have problems, but i would like you to the best of your ability to address what you understand are the key objections. if you can give us your response for the record as well.
4:04 am
>> well, i think there are three kind of clusters. the first is that the bill is a regulatory bill, and it will be burdensome to industry to comply, and the answer is it's a security bill, not a regulatory bill. it really is designed with making sure we have a basic level of security in the cyberstructures of our nation's core critical infrastructure and that we have a way to exchange information that allows us to do that without private sector parties being afraid of violating other laws. and so this is not what one would consider a regulatory bill at all, and as senator collins said, it really is designed to protect the american economy, not to burden the american economy. second set of objections i think
4:05 am
revolve around the whole privacy area. but as the aclu itself acknowledged, this bill really has done a very, very good job of incorporating those protections right from the get-go, and realize one of the reasons why dhs is -- has the role it does, is because we have a privacy office with a chief privacy officer who will be directly engaged in this. so, the bill, i think, really addresses some of those privacy concerns. the third cluster would be -- i think senator mccain alluded to it -- it somehow duplicates the nsa, we don't need another nsa, and that -- we don't need to clarify the authorities or the jurisdiction of the dhs, and i think there's a misconception
4:06 am
there. the plain fact of the matter is the chair of the joint chiefs and others, secretary panetta and others, recognize both the dod and the dhs use the nsa but we use it in different ways. so we're not duplicating or making a redundant nsa, we're taking the nsa and using it within the framework of the bill to protect our civilian cybernetworks. >> i understand the department of defense basically supports this legislation. what i can understand, at least, it does, and is that your understanding? >> i think not just basically. i think wholeheartedly. >> and in terms of the privacy concerns, those concerns are met with a privacy officer, but in terms of the information which is supplied, where there is -- has been a threat, that information, when it's submitted to a government entity, is protected. >> right. the content is not shared. it's the fact --
4:07 am
>> tell us more about that. >> content is not shared. the information shared requires minimization, requires elimination of personally identifiable information. all the things necessary to give the public confidence their own personal communications are not being shared. it's the fact of the intrusion, the methodology, the tactic used, the early warning indicators, those sorts of things are to be shared but not the contents of the communication itself. >> thank you, mr. chairman. >> thanks very much, senator levin. that was a really helpful change. senator johnson. >> thank you, mr. chairman. madam secretary, nice to see you again. i'd like to say to senator lieberman and senator collins, i appreciate your work on this. this is critically important, also incredibly complex. is it appropriate for me to ask you a question, mr. chairman? i'm new here.
4:08 am
i don't want to break protocol. >> i may have to check with counsel. go ahead. >> i share the concerns of senator mccain and because this is so important, not a good way to start the process so certainly in light of his objection and those of the ranking members, are we going to consider doing a -- not taking this to the floor directly? is that going to be reconsidered on that basis? >> i don't believe so. i suppose the people want to raise the question, but i think there's been a long process here. those have been reported out of this committee, out of commerce, intelligence, foreign relations had some stuff all done -- not all done on a bipartisan basis but most of them were. senator reid got acknowledge stated about this problem last year, and began to convene the chairs and then held a joint meeting which in these times is very unusual. bipartisan meeting. all the committees urged us to
4:09 am
work together to reconcile the differences. some came to the table, as i said, some didn't. we worked very hard to try to bring people in. i think -- i can't speak for senator reid but i think his intention is to take the bill that is the consensus bill now and bring it to the floor under his authority on rule 14, but to have a really open amendment process. i don't think anybody is going to rush this through. and there will be plenty of time for people to be involved. i'm sure i speak for senator collins, we're open to any ideas anybody has. >> i appreciate it. this is important to get right. i couldn't agree -- >> to me the most important thing is to get it right, but also to get it done as quickly -- as quickly as we possibly can get it right. we should get it enacted. >> okay. >> because the crisis -- the threat is out there. >> senator collins? >> mr. chairman, if i could just add one thing.
4:10 am
and that is, this legislation has gone through a lot of iterations. it was reported first in 2010, and realized the -- is not part of the committee at that point, but ours that shared draft after draft after draft, and briefings, i know that senators come to some of the classified briefings that we have had as well. so we have invited input from the -- >> again, i'm sincere in my appreciation to your work on that. with that in mind, the house has worked on a bipartisan bill, hr3523, a very slimmed down version, an important first step, trying to get information being shared between government and private sector. is that something you can support in case this thing gets snagged up? maybe move towards something
4:11 am
4:12 am
and you want to avoid some of the complexities that deal with the isps and where they're located in the jurisdiction of another things that the car what is appropriate and in fact it helps pull the legislation along. >> have you done cost assessment in terms of the cost complying with the regulations? >> well, i think talking about the cost is important here. the cost of the critical infrastructure and the country is however our belief that the cost of making sure you practice a base level, common these little cybersecurity should be a core competency within the nation's critical infrastructure, and so while we don't want the undue cost, we do want a recognition that this is something that needs to be part
4:13 am
of doing business. >> has there been an attempt to quantify that or will there be an attempt to quantify? >> i would imagine just thinking about it that there will be many entities that are already at the right level, but sadly there are others that are not, and given that we are only talking about infrastructure that if it is intruded or attacked it would have a really large impact on the economy, on the life and limb on the national security talking about the core part of the critical infrastructure, the fact they all have to reach a base level is a fairly minimal requirement. >> one last quick question. i am aware that the chamber is not for this bill, the american bankers association. do you have a list of private sector companies that would be -- to have to comply with this in favor of it? >> there are a number of them and i think that they have been in contact with the committee
4:14 am
that we can get that for you. >> i would appreciate that. thank you mr. chairman. >> secretary napolitano, appreciate your testimony very much. you've made a really important point here. define the group of owners and operators and private cyberspace in our country that are ultimately regulated here that can be forced to meet standards very nearly to include only those sectors which if they were attacked, the cyberattack would have devastating consequences in our society. so you are right. it will cost them to enforce this to carry it out, but it will be a fraction of what it would have to cost our society if there was a successful cyberattack and i go back to the initial 9/10, 9/11 question.
4:15 am
after 9/11 we couldn't do enough to protect ourselves from another 9/11 and we have another opportunity here to do something preemptively, preventively, methodically and at much less cost to our society overall. >> that's right, mr. chairman, and i think as you and i both noted and senator collins did in our opening statements it is our responsibility to be proactive and not just reactive. we know enough now to turn away ahead and the bill does that. >> i agree. if there is a cyberattack and we don't legislate, we don't create a system of protection of american cybersecurity, if there is an attack we are all going to be rushing around frantically to throw money at the problem and it's going to be after a lot of suffering that occurs as a result, so we have an opportunity to work together. nobody's saying the bill is
4:16 am
perfect. it is darn good after all it's been through. but you've been very helpful today and thank you very much. we look forward to working with you. senator collins. >> thank you mr. chairman. i too want to thank the secretary for her excellent testimony and the technical department for the record i would like to submit what is a very clear statement from the chairman of the joint chiefs of staff at a hearing before the armed services committee earlier this week, and general dempsey said i want to mention for the record that we strongly support the lieberman collins rockefeller legislation dealing with cybersecurity. so the secretary's comment in response to the question of senator levin about where does the department stand
4:17 am
wholeheartedly is exactly right and the department testified to that effect and i would submit that for the record. >> without objection submit for the record. thanks, madam secretary, have a good rest of the day. we will call the final panel. secretary ridge is first. i know you are under time pressure. i apologize for keeping you later than we had hoped. we have secretary ridge and the honorable baker, james lewis and scott charney. gentlemen, thank you for your willingness to be here to testify and for your patience. although it's pretty interesting at times during the hearing. secretary ridge, in a comment
4:18 am
that only you and i and two other people would appreciate i don't think we will be going to the common man together tonight. it's another story. [laughter] thanks very much. we will hear your testimony and then understand if you have to go because i know you have another engagement and you are already late. so please, proceed. >> thank you very much, senator. first of all let me tell you what a pleasure it is to be back before the committee. as i told you before in my 12 years in the congress of the united states i did enjoy being on that side of the table better than this but every time on the period before this committee the engagement is civil, constructive, substantive and i hope i've been able to contribute, and i hope the fact that we agree in part and disagree in part today in a very significant agreement and disagreement doesn't preclude the other times it is a great pleasure to be before you. i testify today on behalf of the u.s. chamber of commerce which
4:19 am
as you well know is the world's largest business federation representing the interest of more than 3 million businesses and organizations of every size, every sector and every region in the country. for the past year coming year and a half i have chaired the chamber's national security task force which is responsible for the development and implementation of the chamber's homeland and national security policies and very much consistent with the president's concern, the committee's concern on both sides of the aisle you are probably not surprised cybersecurity has been at the top of the list. we've met with dozens and dozens of private sector companies and the vice presidential security and the bricks and mortar cyber this may be the top of their list right now, it is in my capacity as chairman but hopefully with a perspective also as the first secretary of homeland security that i thank you for this opportunity to appear before you regarding
4:20 am
cybersecurity and ways in which we can secure america's future. at the very outset, senator lieberman and senator collins, one of the mind set that i do want to share with you is that you need to add the chamber of commerce to the people sounding the alarm. they get it. and why do they get it? because the infrastructure that we are worried about that protect america's national interest and supports the federal government and state government and the local government is the infrastructure that they operate, and in addition to being concerned about the impact of the cyber invasion and incursion on their ability to do their job on behalf of the federal government, they also have the 300 million consumers one way or the other they have to deal with. so, they joined that chorus not only in terms of the urgency of
4:21 am
dealing with threat, and i would dare say respectfully they are probably better positioned to be able to calculate the consequences of systemic failure in the cyberattack than even an agency in the federal government, and on top of that, they have their interest to protect, fiduciary interests for shareholders if they're publicly traded. they've got their employees and the communities they're working in and the consumers and the suppliers, so we are in this together and it's important to understand that the chamber joins the chorus that appreciates both the urgency of dealing with something and i would say respectfully better understands from the microlevel the hermetic consequences to them and their community to their brand and employees and in this country for a significant cyberattack. as you also know, the industry
4:22 am
for years has been taking a less and protective steps to protect and make their information networks more resilient. there's been much discussion with regard to the process here and let me just talk very briefly and i'm going to ask unanimous consent to get another minute one minute and a half, and i apologize for that, but as the secretary i remember the national strategy that we created in 2002 talked about securing america but we didn't talk just about people or just about bricks and mortar, we talked about cyber attacks as well. in 2003 it's been referenced by secretary napolitano the legislation talked-about cyber attacks as well to read you and from the enabling legislation that creates the department and as the homeland security presidential directive number seven and the anticipation of testifying i read it's all about, it is establishing the national policy for the federal departments and agencies to identify and prioritize the united states
4:23 am
critical infrastructure and key resources to protect them and goes on to talk about protection from the cyberattack as well. you have the plan again encompasses all that had gone before and so very specifically based on the hspd-7 that created the sector agencies and coordinating council the same mandate. the point being we don't need a piece of legislation from the chamber point of view that identifies the critical infrastructure. we've been working on that for ten years in the enabling legislation, and you understand that process. what we do need and where we took that because compared to the first mark of the president's bill to this mark, the information sharing that we would like is a vast improvement from the one that was initially placed and initially considered by the administration, and again we are not ready to presidents
4:24 am
to help achieve that the direction of it being bilateral, we believe this the way to go. as at the end of the day, ccp and our judgment there is money for that we already have the process in place to meet people have been working together for ten years, personal relationships to develop the critical infrastructure is you've got cybersecurity experts in the sectors selected agencies, so not only do you take a definition that appears to have no walls, ceilings or floors, but it appears to be redundant. and second, somebody used the word requirements. one of the great concerns we have, and i will conclude, is that the requirements prescriptions are mandates, mandates are regulations, and frankly the attackers and the technology in any regulatory body or political body will ever be able to move. so in my judgment the chamber
4:25 am
agrees the sections in here with regard to the international component to the public awareness component and some of the others if you're dealing with this in a way as quickly as possible with a more robust information sharing and then you have that bipartisan so i was read, i appreciate and respectfully request included as a part of the record and thank for the opportunity. >> thanks mr. secretary and we will include your statement. am i right that you have to leave? >> you were but it's a little too late. appreciate that. >> i am prepared to stay and answer. >> okay. let me ask you this -- >> i've got to be on -- >> thank you for asking.
4:26 am
>> do you want us to ask a few questions now and then have you go or -- >> i think that we would like to get there so i appreciate that. >> okay. i'm going to yield to senator collins and if there's anything left to ask when she is done. >> thank you, mr. chairman. first secretary ridge, as you know, i have the greatest respect and affection for you personally and the greatest respect for the chamber of commerce, which is why i'm disappointed that we don't see this issue exactly in the same way. i would also note a certain irony since the chamber itself was under cyberattack by a group of sophisticated chinese hackers for some six months at least during which time they had access to apparently everything in the chamber system and the chamber was not even aware of
4:27 am
the attack until the fbi alerted the chamber in may of 2010, so there is a little bit of irony but i will assure you that the chamber is not considered critical infrastructure. [laughter] >> you raise a very interesting point. i guess the question i have if it isn't critical infrastructure, a significant organization representing the critical economic infrastructure of america, why in the world did the fbi delay in informing the organization that represents the economic infrastructure of america? somebody ought to ask that question there are some cases people in the private sector have reported the potential -- haven't verified the incidents in the federal government and they say we knew. what do you mean you knew?
4:28 am
>> i was just going to point to that even if we have very robust information sharing provisions in our bill that will cure that very problem. but the fact is in drafting this bill we have taken to heart many of the concerns raised by the chamber, and just to clarify exactly where the chamber is on these issues, i do want to ask you your opinion on some of the changes we've made in direct response to the chamber's concerns. for example, we now have a provision that says entities that are already regulated by existing regulations would be eligible for waivers and entities able to prove that they are sufficiently secure would be exempted from the
4:29 am
requirements under this bill the bill would require the use of existing labor security requirements in the current regulators. does the chamber support those changes that were incorporated in response to the chamber concerns? >> i think that you've incorporated several, senator collins, and i do believe i can speak directly but i believe it's one of them, and i think it also goes to the point of whether that some of that oversight is being done within the existing process and protocol and with the dramatic interchanges and information sharing it is a system that will work. one of the questions i had when i listened to the course of people who support the bill i just wondered if the secretary of defense believes that the defense industrial base likes the seibu model of information
4:30 am
sharing as announced by the department of defense in june of 2011 where they would prefer to be regulated. i think there are some unanswered questions but the point i would be very strong about, senator collins, is that some of the concerns and we are grateful. >> that's my point as we have frankly bent over backwards to try to listen to the legitimate concerns without weakening the bill to the point where it can no longer accomplish the goal. another important provision of the bill, the owners of critical infrastructure, not the government, not dhs would select and implement the cybersecurity measures that they determine are best suited to satisfy risk-based performance requirements, does the chamber support having the owners of the
4:31 am
infrastructure decide rather than government mandating specific measures? >> as i recall in the legislation the chamber likes the notion that the sector-specific agencies with respect to the departments and agencies coordinating councils have been working on identifying the critical infrastructure and sharing a kind of information that we think is necessary to not immunize as completely because the technology in the procedure is going to change to dramatically reduce the risk and the senator does interest particularly the owner to move as quickly as possible the logic that has been applied to really venegas cisco and microsoft and others can move jointly and respond to the risk and it seems to me would be decent logic to apply to everybody else as well who don't want to be burdened by
4:32 am
the series of regulations or the prescriptive requirements. >> since the private sector under our bill is specifically involved in creating the standards, i don't see how that produces burdensome standards since the secretary has to choose from the standards that the private sector developed. again, another change that we have strengthened in our bill. another question that i would have for you, i assume that the chamber supports the liability protections that are included in this bill so that if a company abides by the performance standards and if there is an attack anyway the company is immune from punitive damages.
4:33 am
>> a young woman is not in favor. >> i presume they do if i were in the chamber i would certainly encourage them to embrace it wholeheartedly. >> well, my point, and my time is expired, but my point is there are many provisions in this bill that we changed in direct response to input from the chamber and i would like the chamber to acknowledge that. there's one final point i want to make when you were talking about ceos are invested in cybersecurity because of the impact on their customers and their clients, and so it's in their own self-interest i cannot tell you how many chief information officers with whom i've talked who have told me if only i could get the attention of the ceo on cybersecurity we're
4:34 am
not investing enough or not protecting our systems enough and it's just not a priority for the ceo. i would suggest to you to talk to some cios because you have a totally different picture. >> senator collins, i'm familiar with quite a few major companies in america and what they're doing with regard to cyber and my expert from yours i realize that there are probably some people out there don't imagine too many organizations and any with a little bit more money to enhance their capability to safeguard or manage risk but i take your word there may be some who feel very strongly and reflect that in their statements to you. even a valuable contribution and in the chamber we applaud those things. you are going down the path very
4:35 am
similar we are concerned about the prescriptive regimen some of the literature talks about a light touch. the light touch can turn into a stranglehold if it goes too far down the process and we take a look at the chemical facilities in those terms and standards and it becomes very restrictive because once the legislation is passed there are members of congress who called and said that's not enough, and we may need technology and regulations in order to better the people that work, so it is a slippery slope, and i think that i very much appreciate you getting the chance to articulate before the committee. >> thank you mr. chairman. >> thanks, senator collins. i have no further questions. thanks for being here. we are glad to liberate you to get you to the next plane. >> like i said before, i look forward to future opportunities and for what it's worth the department to share my thoughts with this committee to get i think my friends. >> we do, too.
4:36 am
stewart baker is the next witness in the law firm of steptoe & johnson, and the assistant secretary at the dhs from 2005 to 2009 during which time we have benefited greatly from your counsel and service. thanks for being here and we would welcome your testimony now. >> it's a great pleasure. thank you chairman lieberman, ranking member collins, senator akaka. it is a nostalgic moment to come back here and i want to congratulate you on your achievement in moving this bill in a comprehensive form as far as it has gone. it is a very valuable contribution to our security. i just have two points but before i do that i thought i would address the stop online piracy act and now become the idea that this is like sopa and the
4:37 am
internet will rise up to strike it down. i'm proud to say if i can challenge senator bentsen for a minute i knew sopa and fought sopa and mr. chairman, this bill is no sopa. it's for the same reason that i support this bill. as a nation, as a new legislature, our first obligation is to protect the security of this country. sopa would have made us less secure to serve the interest of hollywood. this bill will make us more secure and that's why i support it. just two points on why i believe that. we know today the most sophisticated security companies in the country have been unable to protect their most important secrets. this shows us how deep the security problem runs. we also know from the direct
4:38 am
experience some things i saw when i was at dhs and emerged since that once you penetrate a network you can break it in ways that leave behind permanent damage. you can bring down industrial control systems on which refineries, pipelines, the power grid, water, sewage all depend and we've had a lot of analogies today about like september 10th and september 11th if you want to know what it would be like to live through an event where someone launches an attack like this, the best analogy is new orleans the day after katrina hit. you would have no power, no communications, but you also wouldn't have had a warning and the evacuation of most of the population of the city and you wouldn't have the national guard in some safe place ready to relieve the suffering. it could indeed be a real disaster, and we have to do something to protect against that possibility.
4:39 am
that's not something the private sector can do on its own. they are not built to stand up to the military that has happened in other countries, and that's why it's important for there to be a government role. i do think that this bill in contrast to the views of the chamber, i think you may have gone a little far in accommodating them and i will just address one point that i think is particularly of concern. i fully support the idea that there should be a set of performance requirements driven by the private sector, implemented by the private sector with private sector flexibility to meet them as they wish. the process of getting through that and then getting enforcement is time consuming. it could take eight years, if there is resistance from industry or a particular sector and it may be worth it to take that time to get standards that are something that the private sector buys into and is willing to live with but i think
4:40 am
we have to recognize in the next eight to ten years we could have an attack, we get evidence and get some very serious trouble or a threat that requires that we move faster than that statutory framework would suggest and i would suggest if there's one change i would make to this bill it is to put in a provision that says in an emergency where there really is an immediate threat to life and limb, the secretary has the ability to compress all the time frames and to move quickly from stage to stage so that if we only have a week to get the grid protected he's in a position to tell the power companies we'll be here on tuesday and bring your best practices because by friday you will have to start implementing them because we know there is an attack coming this week. that is something that we need to be able to do and have the flexibility to do. thank you. >> very helpful. thank you very much. we will talk more about that.
4:41 am
dr. jim lewis, thanks for being here. director, looking for the exact title. director and senior fellow of the technology and public policy program at the center for strategic and international studies and dr. lewis was also the director of the csis commission on cybersecurity which began its work in 2008. thanks so much. >> thank you, senator, for giving me the opportunity to testify, and when we hear that getting incentives right and letting the private sector lead or share information will secure the nation remember that we've spent the last 15 years repeatedly proving that this doesn't work, and from an attacker's perspective, america is a big slow target. some people say the threat is exaggerated. this is unfortunate. you talked about the parallels with september 11th but in some ways we are on have to repeat the september 11th error if we don't take action in the very near term. the threat is real and growing.
4:42 am
maw intelligence services with cyber capabilities can penetrate any corporate network with ease. cyber criminals and government sponsored hackers routinely penetrate the corporate networks. the new attackers ranging from iran and north korea to a host of anti-government groups are steadily increasing their skills. the intersection of the greatest risk and the weakest authority is critical infrastructure. national security requires holding critical infrastructure to a higher standard than the market will produce. this bill has many useful sections on education, research, securing the government networks and international cooperation and they all deserve support but the main event is regulating the critical infrastructure for better cybersecurity. without this everything else is an ornament and america will remain vulnerable. low hanging fruit will not make us safer and one way to think about this is a fee to the
4:43 am
section on a critical and for stricter regulation on the bill it would be like the car without an engine so i look forward to what we see next week. they're all all results are the objections to moving ahead. we hear that innovation could be damaged but well-designed regulation would actually increase innovation. companies will innovate making safer products. we have seen this with federal regulation of cars, airplanes, even as far back as steamboats. regulation can incentivize innovation. everyone agrees that we want to avoid burdensome regulation and focus new authorities on the truly critical systems. the bill as drafted takes an innovative approach based on commercial practices so i appreciate the effort that has gone into that. many in congress recognized the need for legislation, and this committee, the kucinich and others in the house desert task. the battle has shifted. people try to dilute legislation
4:44 am
and try to put forward slogans instead of solutions and the right in the loophole. the goal should be to strengthen, not to dilute and so two problems need attention. the first is the threshold for designating the covered critical infrastructure. cyberattacks in the next few years are most likely to be targeted and precise. they probably will not cause mass casualties or catastrophic disruptions. if we set the threshold too high, it is simply telling our attackers what they should hit, so many to very carefully limit the scope of this regulation, but i fear that we may have gone a bit too far. the second is the carve out for the commercial information technology and others have raised this. it makes sense an industry doesn't want the government telling them how to make their product. that is perfectly reasonable. but a blanket exemption on the services and maintenance installation would first undo the eisel work started by the bush administration and second, leave america open for an
4:45 am
attack. so these parts of the bill should really be removed, and in particular i would call your attention to paragraphs a and b of section 104. in important legislation there is a delicate balance between protecting the nation and minimizing the burden on our economy. this bill with some strengthening i think can achieve that balance and best serve the national interest. the alternative is to wait for the inevitable attack. my model for 2012 and cybersecurity is a race for impact, so i thank the committee and would be happy to take any questions. >> thank you, dr. lewis. your voice is an important one to listen to, and we do. the last witness today, corporate vice president, trustworthy computing group. it's a good job and the
4:46 am
microsoft corporation. thanks for being here. >> thank you. chairman lieberman, senator akaka, thank you for the opportunity to appear at this important hearing on cybersecurity. in addition to my role as the corporate vice president of trustworthy computing i serve on the president's national security telecommunications advisory committee and as the co-chair of the csis commission on cybersecurity for the 44th presidency. microsoft has a long history of focusing on cybersecurity. in 2002 bill gates launched the trustworthy computing initiative and as we celebrate the tenth anniversary of that effort we are proud of our progress and are conscious of how much work remains to be done. while the i.t. companies are providing better cybersecurity, the world is increasingly reliant on cyber based systems and those attacking the systems have increased in both number and sophistication. cyber attacks represent one of the more significant and complex threats facing the nation. with that in mind i commend the chairman and the ranking member of this committee and members
4:47 am
of the senate for their continuing commitment to address cybersecurity. we appreciate your leadership in developing the legislation that was introduced earlier this week. over the past few years, we've helped focus national attention on this urgent problem, offered constructive proposals and conducted an open and transparent process to solicit the views of the private sector stakeholders. microsoft believes the current legislative proposal provides an appropriate framework to improve the security of government and critical infrastructure systems and establishes an appropriate security baseline to address current threats. furthermore the free markets flexible enough to permit future improvements to security, an important point since the security threats evolve over time. while the internet has created unprecedented opportunities for social and commercial interaction, it has also created unprecedented opportunities for those bent on attacking the i.t. systems. securing i.t. systems remains
4:48 am
challenging and it is important that legislative efforts designed to improve the computer security meet three important requirements. first, legislation must embrace sound risk management principles and recognize that the private sector is best positioned to protect private sector assets. second, the legislation must enable effective information sharing among the government and industry members. third, any legislation must take into account the realities of today's globalized environment. i will discuss each of these important issues in turn. first, sound risk management principles require the security effort to be directed where the risk is greatest and that those responsible for protecting systems have the flexibility to respond to ever-changing threats. to ensure that this happens it is important that the definition of critical infrastructure be scoped appropriately and that the owner of an i.t. system ultimately be responsible for developing and implementing security measures. we believe the current legislation, which allows the
4:49 am
government to define outcomes, but allows the private sector owner of a critical system and assets to select and implement particular measures is the right framework. second, successful risk-management depends on effective information sharing. for too long people have cited information sharing as a goal when in fact it is a tool. the goal shouldn't be to share all information with all parties but rather the right information with the right parties, that is parties who are positioned to take meaningful action. we appreciate that this legislation aims to remove barriers to information sharing, specifically authorizes certain disclosures and protects the information shared. finally, as a global business, we are very cognizant of the fact that countries around the world are grappling with similar cybersecurity challenges and implementing their own cybersecurity strategies. we believe that actions taken by the united states government may have ramifications beyond our borders and it is important that
4:50 am
the united states lead by example adopting policies that are technology neutral and do not stifle innovation. it must also promote cyber norms through international discussions and the government. unlike some traditional international efforts where the government to government discussions may suffice to achieve the desired outcomes it must be remembered that the private sector is designing, deploying and maintaining most of our critical infrastructures. as such the u.s. needs to ensure that the owners, operators, inventors that make cyberspace possible are part of any international discussions. i would note in closing that security remains a journey, not a destination. in leading our trustworthy computing effort over the last ten years i've witnessed the continual evolution of microsoft's security strategies. technologies advance, the threats change, hackers grow stronger but they grow wiser and more agile. the committee's legislation which focuses on outcomes and incurs meaningful input by the private sector represents an
4:51 am
important step forward. microsoft is committed to working with congress and the administration to help ensure the legislation meets these important objectives and minimizes the unintended consequences. thank you for the leadership that you've shown in developing the legislation under consideration today and for the opportunity to testify. i look forward to your questions. >> thanks very much to you. let me ask a question, no pun intended, as you can hear from some of the testimony and some of the questions from committee members there is a question still about whether regulation is necessary and in using a pejorative term from the government involvement here is necessary and at its purest, this argument is obviously the private sector that owns and operates the cyber infrastructure
4:52 am
has its own set of incentives to protect itself. why do we need the government to be involved? >> stewart, do you want to start? >> fundamentally the private sector in each private company has an incentive to spend about as much on security as is necessary to protect their revenue stream to prevent the crime from stealing things from them and the like. it is much less likely that they are going to spend money to protect against disasters that might fall on someone else, on their customers down the road, that are unpredictable, and so there are certain kinds of harms, especially if you are in a business where it is hard for people to steal money from you but it's easier for them to change your code in a way that could later be disastrous for consumers, you view that as something that you will never get a higher payment for when you sell your product and therefore not something that you
4:53 am
want to spend a lot of money on, so it does seem to me there are a lot of externalities here that require the government to be involved in addition to the problem that if you are baltimore gas and electric you really don't know how to deal with an attack launched by the russian intelligence. >> dr. lewis? >> sometimes i call them mandatory standards and that is my user than regulation but i wanted to say regulation because we've got to put it on the table. we got the incentives wrong in 1998 when the first time we felt that the protected critical infrastructure tell about the threats, share the information and they will do the right thing. and as you have heard, the return on investment was all the companies will spend a certain level, it's not even clear they will do that by the way, but they won't spend enough to protect the nation. so we are stuck with a classic case of the public good,
4:54 am
national defense regulation is essential and if we don't regulate, we will fail. >> let me just follow up, you made a statement in your opening remarks and i'm going to paraphrase which is a hostile party nation state, whatever, intelligence agency could penetrate any company, any entity of cyberspace in this country if they wanted to. am i right? >> the full answer is complicated, so i will be happy to provide it in writing, but when you think of the high end opponents who can use a multitude of tactics including tapping your phone lines including hiring agents or corrupting employees these are very hard people to stop and the
4:55 am
assumption that is safest to make from this point of view is all the networks have been compromised. >> mr. charney? >> i would say two things. first on what stewart meter said is the market forces are doing a good job of providing security. the challenge is market forces are not designed to respond to the national security threats. you can't begin market case for the cold war. so you have to think about what will the market give us? what does national security require, and how do you fill the gaps? the second thing i would say about looking at regulating the critical infrastructure in my years at microsoft i found as we have struggled with cybersecurity strategies we live in one of three states of play. sometimes we don't know what to do to figure out a strategy. we know what to do but we are not executing very well, in which case you need to go execute that. sometimes we know what to do
4:56 am
and we execute well, but we don't execute at scale. i think there are some companies that do a very good job of protecting critical infrastructure today. the question is are we getting enough scale to manage the risk that the country faces? i don't think we are today and that is why in the report at the csis testimony we are supportive of the framework that has been articulated in the legislation. >> i appreciate that. assuming the statistics are accurate or close to accurate about the frequency of exploitation intrusion on the cyber space in the private sector and that makes it self-evident that there's not enough being done to protect. dr. stewart let me ask you something, you offered a friendly criticism of the bill just before, which is our
4:57 am
definition of the covered critical infrastructure is too narrow and high and we are limiting it too much. give me an idea how you might broaden it if you were addressing the legislation. >> we were talking about relatively simple amendments to the language mr. chairman. we will get some of the threshold that you put in, mass casualties. as a mass casualty for those of us coming out of the cold war, that was a very high threshold. economic disruption on the scale it isn't clear katrina for example would be caught by that definition so it is more an issue of clarifying and more an issue of making sure that the smaller attacks we are more likely
4:58 am
>> senator, thank you for being here. >> thank you mr. chairman for holding this hearing. i applaud you for your tenacity and that of senators collins, rockefeller and feinstein in pursuing the comprehensive cybersecurity legislation we are considering today. i also want to thank you and the administration for incorporating my suggestions to the seibu provisions of the bill. employees of the department of homeland security are on the front lines of countering the cyber threat, and we must make sure the department has the appropriate tools to attract and retain the work force it needs to meet these complex challenges. stakeholders have raised
4:59 am
concerns about the privacy and the civil liberties implications of certain provisions of this bill. i want to commend the bill's office for making progress in addressing these concerns. it is important for the final product to adequately protect americans' reasonable expectation of privacy, and i will continue to closely monitor this. fbi director robert mueller's recent statement that the cyber attacks would equal or even surpass the danger of terrorism in the foreseeable future is a stark reminder that strengthening cybersecurity must be a key priority for this congress could decide for criminals are the critical infrastructure including the
5:00 am
electricity grids, financial markets and transportation networks, and this has been mentioned by the panelists. american businesses face constant cyberattacks seeking to steal trade secrets. however, cybersecurity policy has been slow to adapt to these ever increasingly sophisticated cyber threats. the cybersecurity act of 2012 would give the federal government and private sector the tools necessary to respond to these troubling threats. finalizing the important legislation is a pressing priority for this congress and i look forward to working with you on this. my question is to the panel. as you know the bill contains new
5:01 am
hiring authorities to bolster the cybersecurity work force. it also has provisions to train the next generation of federal cybersecurity professionals. i would like to hear your views on the challenges of recruiting and retaining cybersecurity professionals, the provisions in this bill and any other recommendations you may have to address these growing workforce challenges. mr. baker? >> [inaudible] >> it is very challenging to find well-trained cybersecurity professionals even in the private sector.
5:02 am
this technology has just proliferated far faster than educational institutions could educate people to manage the i.t. security and manage the security. as a result microsoft has actually committed considerable resources supporting programs like this them education or elevate america where we provided over a million vouchers for the entry level and more advanced computer basic skills but it is a big challenge and if it's a big challenge for the private sector you can imagine it would also be a large challenge for the public sector since they do not have the same pay scale that i have available to me. so is her book education and proficiency of the work force and the commission issued a report on the challenges of getting a cyber educated work force. >> i would add to that that
5:03 am
indeed the dhs has had particular difficulty in attracting people working through their personnel hiring procedures. anything that makes that smoother and more responsive to the market is useful. but finally, most importantly for every student who's watching this wondering what he's going to do when he graduates from college, these jobs are waiting for you. you owe it to your country and to yourself to pursue these opportunities. >> thank you. senator, two years ago at the end of july, we had an event here on the hill, csis on education for cybersecurity and i was kicking myself because i thought no one is going to be here like on july 29. it's just stupid and so i told them cut back on the food. it was standing-room-only, we had to put chairs in the hall. people love this topic but there are a couple of issues to think about. on the government side we need
5:04 am
to have a clear career path for people to get promoted. on the private sector side, the education we get now needs to be refined and focused. the degree in computer science may not give you the skills, in fact it probably won't give you the skills for cybersecurity and some of the provisions in the bill such as the cyber challenge and other programs tap into this real enthusiasm among teenagers, college students to get into this new field and again during the education piece is important but it will not protect us in the next few years which is why we need the other parts of the bill as well. >> thank you very much. my time is expired. >> thank you, senator, thanks very much for the contribution that you've made to the bill as the questioning on the cyber work force was important. senator collins? >> thank you, mr. chairman. the hour is late but i just want
5:05 am
to thank our witnesses for their excellent testimony. hearing some of the witnesses on the panel raise legitimate questions about whether we've gone too far in trying to accommodate concerns raised by the chamber and other groups makes me think that maybe we've got it just right, since the chamber is still not happy and you believe we have gone too far. but in all seriousness, your expertise has been extremely helpful, as has the input we got from microsoft, from the chamber, from the tech industry and the experts, academics; it really has been very helpful to us as we try to strike the right balance. this is an enormously important but complicated, complex issue
5:06 am
for us to tackle, but tackle it we must, and that is something that unites all of the witnesses from whom we've heard today. whether we consider this to be a response to a 9/11 or a katrina, i do not want us to be here after a major cyber incident saying if only, and how could we have ignored all of these warnings, all of these commissions, all of these studies, all of these experts? i can't think of another area in homeland security where the threat is greater and we've done less. there is a huge gap. whether we got it exactly right on chemical plant security or port
5:07 am
security or fema reform, at least we acted and we have made a difference in each of those areas. they are not perfect, but we have acted and we have made a difference. in intelligence reform i think that we have made a big difference. but here, we have a vulnerability, a threat that is not theoretical but is happening each and every day, and yet we have seen today, by the comments of some of our colleagues, this is going to be a very difficult job to get this bill through. i am confident that we can do it, however, and that in the end we will succeed. and finally, i do want to say to our colleagues and to those who are listening and those in the audience, we need your help. if you have other good ideas for us, by all means, bring them
5:08 am
forward; help us get the best possible bill. but for anyone to stand in the way and cause us to fail to act at all, to pass legislation this year, i think would just be a travesty; it would be a disaster waiting to happen for our country. so, mr. chairman, i just encourage you to press forward, and i will be at your side, your partner all along the way. we've done it before. >> thank you. that was just expressed, characteristic of your independence of spirit and your commitment to do what is right for national security, so we are going to press forward and
5:09 am
the majority leader, senator reid, i'm confident, is going to press forward. as i mentioned earlier, he got a couple of briefings on this problem of cybersecurity last year and it really troubled him. he feels that there's a clear and present danger to our national security and economic prosperity from cyber attacks. to try to get us to this point we've reached this week, to have at least the additional consensus bill, i'm confident he's going to push this and bring this to the floor with the authority that he has as the majority leader, and i'm optimistic that it will be in the next work period, which is when we come back at the end of february into march. the three of you have added immensely to the work. i do want to continue to work. i don't want to ask you a question; senator collins has put
5:10 am
this to such a wonderful ending point, but i do want, over time as we take the bill to the floor, to invite you who expressed concerns about the so-called carve-out. people in the administration still think that with the authority we have left in the language, it will allow the government to develop performance standards that will require owners of systems to protect those systems even if they might include some commercial products. but i'm not resting on what we've got, so i invite you to submit -- we hear your concerns, and we would like you to submit how to do this better, and we promise we will consider those concerns. any last words from any of the
5:11 am
three of you? thanks very much for what you've contributed, and thanks, senator collins, and it's true, we get very stubborn, the two of us, when we think something is right and necessary, so we are going to go forward. the record of this hearing will be held open for ten days for any additional questions or statements for the record, and i thank you again very much for that. the hearing is adjourned. [inaudible conversations]