tv [untitled] March 28, 2012 11:30pm-12:00am EDT
11:30 pm
nearly $150 million. this is a and we need the federal government to continue its partnership. in fact on the utility portion we're waiting on the share that you are now authorized to spend to be spent. and i appreciate the answer to i have considered you an ally and continue to consider you an ally, and my plea is let's work forward on an issue that is important just as cyber security is to the no future of our nation. >> senator, i would be happy to work together with you on this. >> thank you very much. we need your help.to moran. for the information of the of today now withat brown, carper, so we'll go to senator pryor. >> thank you, mr. chairman. an meeting. always good to see you, madam secretary.
11:31 pm
let me start if i may about a question -- i think you already need a statute but i'm curious about specific authority you think your agency or the federal government needs. >> the most important is the ability tong nation's critical infrastructure up to a certain base standard of security. and to outline the process with which that will occur. >> and let me ask you on a little different topic, i know that in reading stories, trade publications, et cetera, the private sector seems to have hesitation about sharing
11:32 pm
too much information andth maco will get it or it may create liability issues for them. do we have an effective mechanism for the private sector stakeholders to share their best practices and potential threats and those concerit security and liability and even antitrust concerns? >> no. in fact, ano improvement in the bill over the current situation is it clarifies that kind of information sharing can occur without violating other federal statutes -- antitrust, the electronic communications privacy act. we've had delay in receiving information and to respond because the lawyers had to
11:33 pm
violate federal law by alerting the department of homeland security that an intrusion hado. and i think as you and i can both appreciate it can take a while >> we understand. >> again, the new bill would clarify that should not be a problem. >> okay. and you're comfortable with how the new bill is structured in that area? >> i am. >> and let me ask about lesson learned. dhs has ly discussed, and it's been discussed about dhs that some of the work being done under the chemical anti-terrorism standards don as or as thoroughly as maybe it bill provides a requirement that dhs would do similar type assessments. are there lessons learned that
11:34 pm
might indicate that we can put that that we can comply with what this law would ask you to do? >> yes, senator. first of all, with respect to cfa it tsre displeased than i am with some of the problems that have occurred there and the ilan in n personnel hong other things and that program is going to run smoothly and now the supreme court plans are being evaluated and the like. >> there are l there. >> and there are lessons learned as there are in all things. this bill is less n like bill. this is a security bihich will, per se. but in terms just management and organization, yes, there are some lessons learned from cfats.
11:35 pm
>> great. and i know when we read enthuse media accounts about cyber dis it among ourselves oftentimes we tend to focus on and breaches that large companies experience but the truth is a lot of small and mid-sized companies carry a lot of information. is dhs working with small to mid sized companies to talk about best that? >> we conduct a lot of outreach activities with small and medium sized businesses and a whole host of cyber related areas so . >> great. and that's just -- we always want to make taken care of and obviously they're the weak link in the chain. that's a real problem. >> and, senators, i continue to emphasize when we're talking about the security ofstruure, it
11:36 pm
goes down, a lot of these small businesses are depending on that and they will fail. >> that's exactly right. also, we have been talking about the federal government but also state governments have this same issue in their states, cyber security, and your former governor, former attorney general, as is the chairman here, general lieberman. so you appreciate that state perspective. are you working with states to try to talk about their best practices and lessons that you've learned? >> yes, we are. and, indeed, we work with a ovide input into the center m that we talked about. >> great. mr. chairman, that's all i have. i yield back the balance of my time. >> thank you, general pryor. next is senator carper. >> could i have his 14 seconds? >> you've got it. >> madam secretary, good to see you. good to see a former secretary out there and a former
11:37 pm
congressman out there, tom ridge, nice to see all of our witnesses. thank you for being here. one of the things i and my colleagues know i like to do is. can never have too much of that in the senate or in the house and my hope is that when we adjourn here today we'll identify not just differences but we'll have identified where we can find some common ground and so i ask a coupleat in mind. i want to return to the comment of my colleague from arizona, mentioned regulation and sort of a cautionary e.at t chairman said, regulation can be a problem. it can be problematic if we don't us don't look cost/benefit analysis. it could be a bad thing. having said that, i always remember meeting with a bunch of utility ceos about six, seven years ago. it m meeting with me about clean air issues.
11:38 pm
mercury, co2, and trying to decide what the path should be. finally came to this meeting, fr south, a curmudgeon guy. he said tell us what the rules are going to be flilount of time and get out of the way. that's what he said and i always remembered those words. it may apply here today. i want to thank the chairman and ranking member susan collins for calling a hearing, for working with us, for giving what the chairman mentioned trying to open up -- if you have an idea, bring it to us. i think he's had an open door and too bad some haven't taken opportunity. we have distractions and sometimes that happens. we're being attacked by hackers
11:39 pm
he world and close to home. some want to cause mischief. some to steal, to blackmail nono do worse. there are also challenges i think we have. we need a roadi call it a commo map to move forward and i hope we can move along that way today. i'm especially please introduce that my staff ptect our federal information system. having said that i would like to begin by asking about the department's efforts in area if i could. i've been calling changes for the laws on protecting our information systems. scommittee i chair
11:40 pm
first looked at this issue a couple years ago w federal agencies will wasting millions of dollars on reports that nobody read arstood and th didn't make us any safer. the bill before us we hope, federal agencies are actively monitoring and responding to threats not just writing paper reports about them. from what i understand many agencies arein to improve networks largely because of the actiou' taken in your department toak t outdated statute. god bless you. i commend you for being proactive in this area,puing fot that makes sure your department has what it needs. could you, here isa long windup?
11:41 pm
here we go. can you describe some of the current limitations for us of the new tools we give you just might be needed? >> well, i think, just going back, one of the keyhat this bill would do is by clarifying and centralizing where the authorities lie within th how those relate among other things so that it really sets the xhop sense road map on how we move forward. we have done a lot with the civilian networks of the government. as you know they've been repeatedly and increasinglytemp intruded upon all the time. we havmo completed the deployment of what's known as
11:42 pm
einsteinorki on the next eratio. we have also in the president's etrequt asked for a budget that would be held by the department of homeland security but would be used to help improve or raise the level of i.t. protection within the civilian agencies. >> all right. thank you. very quickly if i could just follow it up and justyou st talt more about how your department will be able to achieve what the president has requested, a $200 million for federal network security and how this legislation will impact those activities? will you just drill down that .or us? what it allows us to do and what we will be able to do is have a fund out of which we can make sure that the civilian agenciest
11:43 pm
practices, hiring qualified personnel and in other wayseng security within the federal government. >> all right, thanks. mr. chairman, if i could just say iofn the things that i hear a lot from businesses across the country e they want us toictality and one of the the regulations may flow from it are just that, predictability and certainty. with that in mind, i say to our witness that is are following, again, figure out ways in your testimony not just to divide us but help us to bring us together. that would be an enormous help to our country. thank you. >> thank you, senator carper. senator levin? >> mr. chairman and ranking member for taking the finiinitie on this with other colleagues, thank you, madam secretary, for all the work the white house did
11:44 pm
on a similar bill you had worked on which i understand is basically part of now thischs o calendar. i'm trying to understand what the objections are to the bill because it seems is there are a whole bunch of protections in here for the private sector. as i have read at least a summary of the bill, i haven't read the bill yet, there's a self-certification or a third party assessment of compliance with the performance requirement. i understand there's an appeal of those requirements if there's objection to it. i understand owners have covered critical infrastructure that are in substantial compliance with thet liable for punitive damage which arise from an incident of cyber security risk. so you have here something i ber
11:45 pm
the private sector which is a waiver of punitive damages and i think that's fairly -- i don't know that it is unique but to waive the possibility of punitive damages in case of a liability claim. and there's a numberr protections as i read for the information that must be provided where there is a which identified. i'm not going to be able to state it here from the next panel as to what the objections are. i surely will read the letter from the opponents and will study the bill that senator'm trying to the best of my ability as we go a exactly what those objections are. there seems to be privacy pr
11:46 pm
protection here. there seems to be self-certification here which avoids part of a bureaucracy at where there's good faith defense for cyber activity as the bill's heading says. there's a number of other protections. i don't want you to argue for the people who have problems obviously but i would like you to thelity address what you understand are the key objections. if you can, give us your response to them so we can have that for t well, i think there e kind of clusters. the a regulatory bill and it will be burdensome to industry to .
11:47 pm
it really is a basic level of security in the cyber structures of our nation' c we have a way to exchange informatio t without private sector parties being afraid of violating other laws. is not what one would consider a regulatory bill at all collins said, it really is designed to protect the economy not to burden the american economy. second set of objti i think, evolve around the whole privacy area. but as the aclu itself acknowledged this bill really has done a very, very good job protections right from the get-go and realize one of the
11:48 pm
reasons why dhs le it does is b a privacy office with a chief privacy officer who will be directly engaged in i think, r addresses some of those privacy concerns. be -- i think senator mccain alluded to it that it someeed o just let that -- we don't need the jurisdiction of the dhs, and i think there's a misconception there the plain fts t chair, th chiefs, both use the nsa, but we use it in different ways. so we are not duplicating or making a redundant nsa.
11:49 pm
we are taking the nsa and using the framework of the bill to protect our civilian cyber networks. >> and i understand the department of defense basically supports this legislation, what i can understand at least it does. hay, i think wholeheartedly. privacy officer.f the privacy in terms of the information which is supplied where there is -- has been a threat, that government entity is protected. >> right, the content is not sh. more about that protection. >> content is not shared. the information shared requires minimization, of identifiable information, all of the things
11:50 pm
necessary to give can haonfiden their own personal communications are not shared. so it's the fact of the intrusion, the methodology, the tactics used, the early warning indicators, all of those sorts of things are to be shared but not the contents of then itlf. >> thank you, mr. chairman. >> thank you very much. >> madam secretary, nice to see you again. personally i would like to say to senator lieberman and senator collins, i appreciate your work on this. this is, i think, critically important. it a incredibly complex. is it inappropriate for me to ask you a question, mr. chairman? i'm new here. i don't want to be breaking protocol. >> i may have to consult my counsel but go ahead.of the con of senator mccain and because this is so important, certainly a good way to start the process. obi meanction and those of the
11:51 pm
ranking members, are we going to consider doing -- not taking this to the floor directly? is that going to be reconsidered on that basis? >> i don i suppose if people want to raise the question, but i think -- this has been a long process here. the bills have been reported out of this committee, out of commerce, intelligence, foreign relations had some stuff all done -- not all done on a bipartisan basis. senator reid got really agitated about this problem last year and began to convene the chairs and then held a meeting which in these times is very unusual. bipartisan meetings, senator reid, senator mcconnell, the chairs and all the committees urged us to begin to work together to reconcile the differences. some came to the table, as i said. some didn't. to try to bring people in. i think -- i can't speak for senator reid, but i think his intention is to
11:52 pm
that is the consensus bill now and bring it to the floor under his authority on rule really o amendment process. and there willnyone is going to be plenty of time for people to be involved and i'm sure i speak for senator collins, w o. this is just really important to get right. >> i couldn't agree well, to get it right, but also to get it done as quickly -- as quickly as we ib it right, we should get it enacted because the threat is out there. senator collins? >> mr. chairman, if add one thing, and that is legislation has gone through a lot of tetions, it was reported first in 2010. i realize the senator was not part of the committee at that point.
11:53 pm
but our staff has shared draft after invited them to briefings. i know the senator has come tols that we've had as well. so we have invited input from the staff. >> i'm sincere in my appreciation of the work and the desire to get this right and move some legislation. with that in mind, i know the house has worked on a bipartisan version, probably a very important first step in really trying to get information shared. is that something you can move towards? >> i think there may be parts of that included in this bill but this bill is a much stronger and more comprehensive focus on what
11:54 pm
we actually need in the cyber security area giv >> in terms of the carve outs, i was trying to use one of the big expressed. if you're really trying to create cyber security why would you carve out people at the heart of it? it's like if you're going to steal money, you would go to the bank where it is. why would we carve out the service providers? >> i think a few things but from our standpoint if you focus on the nation's critical infrastructure and you really focus on the standards they have to meet and you want to avoid t deal with like the isps and the like and where they're located, that the carveout is appropriate and helps move legislation
11:55 pm
along. >> have you done a cost analysis? >> well, i think -- i think talking about cost is important here. it is not our intent to have an undue cost on the core of our country. it is our belief the costs of ma sase level, a common base level b a within the critical infrastructure. and so while we don't want an undue cost we want recognition this is something that needs to be part of doing business. i would imagine that there will be many entities that already are at the right level but, sadly, there are others that are not.
11:56 pm
we are only talking about infrastructure that if intruded or attacked would have a really large impact on the econ o the national security. i mean, you're talking about a narrow, core part of the infrastructure, thea reach a ba level is a fairly requirement. >> do you have a list of private sector companies in favor of it? >> we can get that for you. >> i appreciate that. thank you, mr. chairman. >> thanks, senator johnson. secretary napolitano, you made a really important point here, i think. first, that we define the group of owners and
11:57 pm
private cyberspace in our country that are ultimately regulated here, that can be forced to meet the standards very narrowly to include only those sectors which if they were attacked, cyber attack would have devastating consequences so, you're right. obviously it will cost some to but it will be a fraction of what we would have to -- what it would cost our society if there was a successful cyber attack, and i go back to the 9/11 question. after 9/11 we just couldn't do enough to protect ourselves from another 9/11 and we have the opportunity here preemptively, methodically, and at much less cost.
11:58 pm
>> it is our responsibility to be proactive and not just reactive. we know enough now to chart a way ahead and the bill does that. >> yeah, i re is a cyber attack and we don't 'treate a s protection of american cyberspace. there is an attack, we're all going to be rushing around frantillnd it's going to be after a lot of suffering that occurs as a result. we have a real opportunity to work together. no one is saying this bill is perfect. it's darned good after all it's been through but you've been very helpful today. i thank you very much and we look forward to working with you. senator collins? i, too, want to thank the secretary for excellent
11:59 pm
testimony and the technical assistance of the department. for the record, i would like t statement from the chairman of the joint chiefs of staff at a services committee earlier this week and general dempsey said i want to record that we strongly support the lieberman-collins-rockefeller dealing with security. so in response to the question of senator levin where department stand, she said wholeheartedly is exactly right. and the department testified to that effect, and i would submit that for the record. thank you. >> thank you. without objection, submitted for the record. thanks>> we call the final pane secretary ridge is first. i know you're under time