tv [untitled] March 28, 2012 10:30pm-11:00pm EDT
10:30 pm
this bill. se with us for a good part of the past two years, ranking member, superb. i call her t. incidentally. trying hard to addresshencerns. i think we have in fact, met mosthe we sought to engage senator am him another senator there was some reluctance to have staff discussions. didn't make any difference. had. and if it was something good and what they had we put it in the bill. we wanted it in the bill. then it had to pass future tests as we -- you know, combined the whole, ahe senator kyl, senator whitehouse contributed a title regarding cyber security awareness. because of senator mccain's
10:31 pm
concerns, we omitted significant language pertaining to the white house cyberoffice. colleagues had ongoing question as but a provision that i personally believed in extremely important to be extremely important. i agreed to drop it from the this provision that i am talking about would clarify private sector companies existing requirements regard risks, quot pertaining to cyber, have to be disclosed to investors in as you know at one point, out of frustration, i went to the sec and mary schapiro agreed if you are hacked into as a company it goesebse at sec and that had a substantial impact, actually. i believe this provision is crucial for the market to help solve our cyber vulnerabilities. we'll fight for an amendment on the floor. that's as it should be. the way the system works. but in the interest of to addre questions i agreed to take it
10:32 pm
out of the bill we introduced this week. any suggestion that this exhaustive process has been anything but open and transparent is patently false. this has been a really open process. pointed out. why have we worked so tirelessly to include the views of all sides? why have we tried so hard to get because our country and our communities and our citizens are at grave risk. they simply are. i'm not sure if they're aware. there are so many things, reported in a news cycle, it almost diminishes the overallin. so our citizens have to be aware of this. this is not a republican, democrat issue, a life fothe ec people. i want to be clear, the cyberthreat is very, very real. this is not here is why. it is hard to talk about this sometimes without seeming
10:33 pm
alarmist. and yet -- it simply hackers supported by the governments of china and russia and also sophisticated criminal nd connections to terrorist groups are now able to crack the code of our government agencies including sensitive ones. 500. they can do that. regular basi mentioned what, what mike mullen said. and, and she pointed out that w possessionssnot the end of the problem. the reason thament this cyber threat is a life-or-death issue is the same reason that a burglar in your house is a life-or-death issue. if a criminal has broken into your home how do you know what he wants to do? is it take your belongings? you don't know. he is in the building. in your home. that's where we ar.
10:34 pm
in terms of a country. so that's the situation we face. cyber burglars have thrown in, mike mullen said exactly what senator collins indicatedhe sam level to cyberthreat is russia's stockpile of nuclear weapons. fbi director mullerg after 9/11. we had to pass, ukly, was a law saying that the cia and fbi could talk to each other. i mean, w be. that's where we were because of stovepipes and things of that sort. enator muller -- i mean congress recently that cyber threat will soon overcome terrorism as his top national security emphasis. it's all very serious. and you can't exaggerate it. and it could happen. so, then you think about how people could die. a cyber terror attack on air
10:35 pm
fialki with secretary napolitano before this hearing. often over big cities it gets very soupy, vele d't look to be weather. they can't see above, below. lo but if they're protected because of air traff. put in a more modern one, the same situation will prevail. cyberout. they can take, of a city or group of cities take out capacity so the planes are literally flying in the dark that if will fly into each other and kill a lot of people. and people have to understand that. rail switching. networks are hacked. causing trains which carry toxic materials, deadly materials through our major cities, and that can, there can be a massive so we are on the brink of very, very serious happenings. we have not reached that. which is one of our problems.
10:36 pm
in getting legislation passed. but we can act now and try t ou. i just, let me just close by saying that -- i winteigence co during -- during the time leading up to 2001. and the world,he rife with reports of -- people coming in and going out of ourd appeared to be connected but we were not quite sure. what about this thing, what hou san diego, all that was up there, closing down of the bin de message that never got to the bin laden unit. all that was there. we knew allnaonal security appa working very, very hard on that. and they took it seriously. did because it was a new phenomenon. here we are in a very similar it's much.
10:37 pm
more obvious than leadup to 2011 was. so we now have to act. we do not have the luxury of waiting to see and develop, at some point the congress has to assert itself. the federal rn roles, this is not a heavy-handed thing, as senator collins has pointed out. it's not. but th involved b. and so -- i to work with anybody and anybody to get gresis >> thanks very much, senator rockefeller. that was great. chairman feinstein. thank you again, you contributed immensely particularly information sharing section of the bill. you bring all the expertise. muchintelligence of the sen thank you mr. chairman, senator collins, senator landrieu. banner
10:38 pm
day. i look at it as finally the senate is coming together. that we are settling on one is. if it needs improving. we'll improve it. with a focus we can hopefully move forward. i want to thank you for the hearings you have held, and for all of the offers for consultation that you have placed out there to a moment on behalf of what i do in the intelligence committee. we have examined cyber threats to our national and economic security. and just last month, at the worldwide threat hearing, which is an open hearing, we heard fbi direhatct b the cyberthreat which cuts across all programs will be the number one threat to the country. and already cyber threats are doing great damage to the united states. and the trend is getting worse.
10:39 pm
let me give you just four examples. and what is interesting is we know about these when they en often classified because the people that they happen to don't want it released because they -- because their clients will think badly of them. of course it is not their fault. nonetheless. i think it is fair to say pentagon netusands of times dai. and its computer networks have suffered a significant compromise in 2008. that is according to fordety de lin. in november doj charged seven defendants from russia and moldova with hacking into the royal bank of stealing. from more than 2,100 200
10:40 pm
cities worldwide in 12 hours. in 2009, federal officials for data from more than 130 million credit card into five major companies computer including 7/11, heartland payment systems and the hannaford brothers supermarket chain. finally, an by the intelligence community in november 2011, said cyber intrusions against united states companies cost untold billions of dollars report, named china d russia, as aggressive and persistent modern warfare is already employing cyber attacks. and ge. and unfortunately, it may only be a matter of time before we
10:41 pm
see cyber attacks thatcatastrop. whether by terrorists, or state adversaries. our enemies are constantly on the offensive. and in the cyber it is much harder for us to play defense when, than it is for them to the hard question is -- what do we do about this dangerous and growing cyber threat? i believe the comprehensive bill that has been introduced, the cyber security act of 2012, security information t of this. introduced monday and you title 7 in your legislation. e e ability of the private sector and the government to share information on cyber
10:42 pm
threats that both sides need to however, a combination of existing law, the threat of st business practices has presented or deterred private sector information about the cyber threats they face. and the losses of oney they suf. we need to change that. through better shing. in a way that companies will use thatrest and that takes advantage of classified information without putting that information at risk. so here is what we have tried to do in title affirmatively provi private sector companies the authority to the information on their own computer twencourage private cos to share information about cyber
10:43 pm
by providing a good faith defense against lawsuits for sharing or using that information themselv. three, require the federal government to designate a secap information sharing. we refer to this as a cyber security exchange to serve as a hub for appropriately distributing andcyrthreat infor the private sector andgovement. this is intended to reduce government bureaucracy and make the government a more effective partner in the privateseor. but with protections to ensure that private information is not misused. this legislation new establish procedures nt for the government to share
10:44 pm
classified cybersecurity threat companies that can effectively use and protect that believe iy to take advantage of information that the intelligence mm puttin sources and methods at risk or turning private cybersecurity over to our intelligence i would look ike to raise one i of somethinging th, that is not included in the bill. data breach notification. this is an issue i worked on over eight years since california had a huge data breach that we only inadvertently found out about re of thousands of data breaches. it is an urgent d. -- called tha breach notification act.
10:45 pm
it has come out of the judiciary committee. and it accomplishes what in my view are the key goals of any data breach notification legislation. one, notice to individual whose will better be able to protect themselves from identity theft. two, notice to law enforcement, which can connect the dots between breaches and cyberattacks. and three, pre, this is different state and territorial standards on this issue. this is a real problem. we have 47 different laws in this country. it makes it very difficult for subjected sector. to conflicting regulation if there is one basicacross the co. i know senators rockefeller and pryor have a bill in the
10:46 pm
commerce committee and bills that were also reported out of the judiciary committee. but the differences in our approaches are not so great that we can't work prepared to sit down with members of this committee, with senator rockefeller, and others, to find a common solution. rlly implore to add a data breach preemption across the united states so that there is one standard for notification, to an individual, a data brea communication, with law enforcement that goes all across america. until we have that, we really won't have a sound data breach . i think we are on our way. i am really so proud of both of you on thicommittee. for coming together and -- i think it is a banner day.much.
10:47 pm
off awe thanks very much. senator feinstein. couldn't have done it without you. thanks for your testimony. i am personally very wi the dat breach proposal. and i look forward to working if we u as you say the other can't find a way to include that in this proposal when it come to the floor. >> thank you very much. >> thank you very much. >> thank you. >> have a g now, madam secretary, i hate to break up a conversation b scret first secretary. but we almost had the of the three secretaries of tme today. secretary chertoff wanted to testify had a previous commitment and has filed a the
10:48 pm
strongly in support of the legislation.etar napolitano tha for being here and the work that the department has done to help us come to this point whmony no. >> well, thank you chairman lieberman, collins i am pleased to discuss cyber security and the department's strong support for the cyber security act of 2012. i appreciate this committee's support of the department's cyber security efforts. your sustained attention to this issue and the leadershipou bill forward to strengthen and improve our cyber security authorities. i alppemphasize the urgency of situation. indeed, the contrast between the urgent need to respond to the threats we face in this ar the one hand and professed desire for deliberation and sensitivity to regulatory
10:49 pm
burdens on the other as several of you suggested of lessons we learned from the 9/11 attacks. as the commission noted the attacks resulted in hindsight from a failure of imagination. we failed to anticipate the vulnerabilities of our security infrastructure. there is no failure of imagination when it comes to cyber security. we can see the vulnerabilities. we are experiencing the that th would materially improve our ability to addss th threat. no country, industry, community or individual is immune to cyber risks. our daily life, economic vitality, and national security depend on cyber array of inter i.t. network systems services and r communication, travel, powering our homes, running our economy and obtaining government services. cyber increased
10:50 pm
dramatically over the past decade. there have been instances of theft, compromise of sensitive information from both government an p all of this undermines confidence in the a the integrity of the data they contain. combatting evolving threats is a shared responsibility that requires the engagement of our entire society from government and law enforcement to the private sector and, most importantly, with members of the public. dhs plays a key role in this effort both in protecting federal networks and working with operators of critical infrastructure to secure through risk assessment, mitigation and incident response capabilities. fy-2011 our u.s. cert teams received over 106,000 reports.
10:51 pm
we issued over 5,200 actionable cyber alerts that were used by private sector and government network administrators to protect their systems. we conducted 78 assessments of control entities and made recommendations to companies about how they can improve their own cyber security. we distributed 1,150 copies of our cyber evaluation tool, over 40 training sessions, all of which makes owners and operators better equipped to protect their networks. to protect civilian agency networks we're deploying technology to detect and block intrusions of thesedefense. we're providing guidance on what agencies need to do to protect themselves and are measuring implementation of those efforts. we are responsible for coordinating the national response to significant cyber
10:52 pm
incidents and for creating and maintaining a commonpiure for c the entire government. with respect to critical infrastructure, we work with the private sector the key systems upon which americans, including the federal government, rely such as the financial sector, the power grid, water systems and transportation networks. we pay particular attention whi control processes at power plants and transportation systems alike. last year we deployed seven response teams to such critical infrastructure organizations at their request to respond to intrusions. to combat cyber crime we leveraged the skills and resources of dhs components such as the secret service, i.c.e. and cbp and work closely with the fbi.
10:53 pm
dhs serves as the focal point for the government's cyber security outreach and public awareness efforts. as we perform th mindful that one of our missions is to ensure that privacy, confidentiality and civil liberties are not diminished by our efforts. the department has implemented strong privacy and civil rights and civil liberty standards in all of its cyber security programs and initiatives from the outset and we're pleased to see these in the draft bill. now administration and private sector reports going back decades have laid out cyber security strategies and the need for legal authorities. in addition to other statutes the homeland security act of 2002 specifically directed dhs scurity of nonfederal networks by providing a analysis and warnings, crisis management support, and technical assistance to state and local governments and th private sector. policy finish it if i was have had to supplement the existing e
10:54 pm
this administration cyberspace policy review in 2009 echoed in large part a similar review by the bush administrationecr grou including the csi study led by jim lewis, one of yourses today. still, dhs executes its portion of the federal security have failed to keep up with the responsibilities with which we are charged. to be sure, we have taken significant steps to protect agai cyber threats. but we must recognize that the current threat outpaces existing authorities. our nation cannot improve its ability to defend against cyber threats unless certainlae updat. we have had many interactions
10:55 pm
with this committee and with the congress to provide our perspective on cyber security. indeed in the last two years department representatives have testified in 16 committee hearings and provided 161 staff briefings. we've had bipartisan agreement. in particular many would agree with the house republican cyber task force which stated that, quote, congress should consider for limited regulation of particular critical the protection of cyber security. the recently introduced legislation cohens administration's ideas and proposals including two crucial concepts that are central to our efforts. first, addressing the urgent need b infrastructure to a baseline level of security and, fostering information sharing
10:56 pm
which ily key to our security efforts. all sides agree that federal and private networks must be better pr more security. and both our proposal and the senate legislation would provid barriers to the sharing of information. is that the bill 2105 would expedite the adoption of the best cyber security solutions by the owners and operators of critical infrastructure and give businesses, states, and local governments the immunity they need to share information about cyber threats or incidents. there's broad support as well for increasing the penalties for cyber crimes and for creating uniform data breach reporting regime tthisot proposal would m easier to prosecute cybers and l
10:57 pm
standards requiring businesses and poor infrastructure that have suffered an intrusion to notify those of us who have the ability for mitigating and helping them mitigate it. i hope that the current legislative debate maintains the bipartisan tenor it has benefited so far andbi consensu administrations and the committee's efforts ofseral yea. let me close by saying that now is not the time for half measures. as the administration has stressed repeatedly, addressing only a portion of the needs of our cyber security professionals will continue to expose our country to serious risk. for example, only providing incentives for the private sector to share more information will not in and of itself adequately address critical infrastructure vulnerabilities and let us not forget that innumerable small businesses rely on this critical
10:58 pm
infrastructure for their own survival. as the president noted in the state of the union address, the american people expect us to secure the country in the growing danger of cyber threats be and to ensure the nation's critical infrastructure is protected. and that as the secretary of homeland security i strongly support the proposed legislation because it addresses the need, the urgency, and the methodology of protecting our nation's critical infrastructure. i can think of no more pressing legislative proposal in the current environment. i want to thank you againnt wore and i look forward to answering the committee's madam secretary. we'll do a six-minute round of questions because we have a large number on the second following panel. i know some people have to leave. right to one of the issues that's been somewhat in contention which there are some people who have said the
10:59 pm
expanded authority here, particularly that related to cyber structure owned and operated by the private sector would better be handled by the department of defense or the intelligence community. in other words they should take the lead in protecting federal civilian networks. i wonder if you would respond as to why you think the department of homeland security, as obviously we do, is better prepared this critical responsibility. >> well, several points. first, the department of homeland security, as i stated, already is exercising authority in the civilian area, working with the private sector, working with federal agencies so that's a space we are already filling and continue to grow our second, military and