tv U.S. House of Representatives CSPAN February 21, 2012 10:00am-1:00pm EST
10:00 am
>> c-span's "road to the white house" coverage continues this week. at the state's primary elections next tuesday. coming up this afternoon, we will take you live to phoenix where rick santorum will speak at the lincoln day at lunch and straw poll. watch live coverage on c-span at 2:00 p.m. eastern. on c-span2 this afternoon live coverage of a panel discussion on the constitutionality of presidential recess appointments. the event, hosted by the american enterprise institute in washington gets under way at 1:30 eastern. with congress on break all this week, c-span2 is featuring the
10:01 am
in primetime. tonight we will hear from republican presidential candidates, beginning at 8:00 p.m. eastern, mitt romney interviewed by juan williams and his book "no apology." at 9:00, newt gingrich with "to save america." not a cut 45, rick santorum discusses "it takes a family." and then ron paul with "end the fed." homeland security secretary janet napolitano urged lawmakers last week to quickly pass cyber security legislation to strengthen governance and private computer defenses from attack. the legislation would grant dhs the power to identify
10:02 am
vulnerabilities and set security standards for networks deemed critical infrastructure. >> senator collins is on the way. with the two here, i cannot hesitate to offer my congratulations on this and tell you the centennial celebration of the great state of arizona. hear hear. >> i was there at the time. [laughter] >> you look very well for your age. i hope this is the last hearing before the comprehensive cybersecurity bill before us today is enacted into law.
10:03 am
the fact is that time is not on our side. to me it feels like september 10 2011, and the question is whether we will act to prevent a cyber 9-11 before it happens instead of reacting after it happens. the reason for this legislation is based in fact. every day, rival nations, terrorist groups, criminal syndicates, and individual hackers probe the weaknesses in our most critical computer networks, seeking to steal government and industrial secrets or to plant cyber agents in the cyber systems that control our most critical infrastructure and would enable an enemy, for example, to seize control of a city's electric grid or supply system or our nation's financial
10:04 am
or mass transit systems with the touch of a key from a world away. the current ongoing and growing cyber threat not only threatens our security at home, but it is right now having a very damaging impact on our economic prosperity because extremely valuable intellectual property is being stolen regularly by cyber exploitation by people and individuals and groups and countries abroad, that is then being replicated without the initial cost of research done by american companies, meaning that jobs are being created abroad that would otherwise be created here. when we talk about cyber security, there is a natural way
10:05 am
in which people focus on the very real danger that the enemy will attack us in cyberspace. as it did about how to grow our economy again, create jobs again, i have come to the conclusion that this is one of the most important things we can do, to protect the treasures of american innovation from being stolen by competitors abroad. last year, a distinguished group of security experts, led by former department of homeland security secretary michael chertoff and former defense secretary bill curry going across both parties, issued a stark warning. "the constant barrage of the cyber assault has inflicted severe damage to our national economic security as well as to the privacy of individual citizens. the threat is only going to get worse. inaction is not an acceptable option."
10:06 am
i agree. the bill before us today is the product of hard work across party lines and committee jurisdictional lines. i particularly want to thank my colleagues, senator collins care rockefeller, intelligence committee chairman, senator feinstein, for their hard and cooperative work to get us to this point. we are privileged to hear from all three of them shortly. i want to thank senator carper, who is not here yet, for his significant leadership contributions to this effort. and i want to thank the witnesses who are here. we have chosen not what this is deliberately because they will the differing points of view on the problem and the legislation if crafted and the challenges we face. we look forward to their testimony. there are several important things to beef up our defenses in the new battleground of
10:07 am
cyberspace. the systems that control most critical privately owned and operated infrastructure are secured. privately owned and operated cyber infrastructure can well be, probably someday will be, the target of an enemy attack. it is today the target of economic exploitation. we have got to work together with the private sector to better secure those systems both for their own defense and for national defense. in this bill, the systems will be asked to meet standards or defined as those who are brought down or commandeered it and would lead to mass casualties, evacuations of major population centers, the collapse of financial markets see if the degradation of our national security -- significant the
10:08 am
creation of national security. the secretary of the department of homeland security, under the legislation, would work with the private sector operators of the systems to develop a cybersecurity performance requirements. owners of the privately operated cyber system is covered would have the flexibility to meet the performance requirements with whatever hardware or software they choose, so long as it achieves the required level of security. the department of homeland security will not be picking technological winners or losers, and there is nothing in the bill that would stifle innovation. a letter from cisco systems and oracle, two of our most prominent i.t. companies, concludes that this legislation "includes a number of tools and will enhance the nation's cybersecurity without interfering in the development
10:09 am
processes of the american i.t. industry." if a company can show under our legislation to the department of homeland security that it already has high cybersecurity standards met, it would be exempt from for the requirements under this law. failure to meet standards would result in civil penalties proposed by the department during a standard rule making. the bill creates a streamlined and efficient cyber organization within the dhs, which will work at regulators and the private sector to ensure that no rules or regulations are put in place that duplicate or are in conflict with existing requirements. the bill also importantly establishes mechanisms for information sharing between the private sector and the federal government and among the private
10:10 am
sector operators themselves. this is important because computer security experts need to be able to compare notes to protect us from this threat. but the bill also creates security measures and oversight to protect privacy and preserve the civil liberties. in fact, the american civil liberties union has reviewed our bill and says that it offers the greatest privacy protections of any cybersecurity legislation that has yet been proposed. i am going to skip over the other things the bill does and just go to mention that the process by which we reached this legislative proposal was very inclusive. we not only worked across committee lines, but reached out to people in business, academics, civil liberties privacy and security experts for
10:11 am
advice on many a bit difficult issues. any meaningful piece of cybersecurity legislation would need to address. hundreds of changes have been made to this bill as a result of their input. we think that finally we have struck the right balance. i want to describe briefly or mention some things that are not in this bill. first and foremost, this bill does not contain a so-called kill switch that would allow the president to seize control of all or part of the internet in a national crisis. it is not there. it never was. thank you senator collins. we put an exclamation point now by dropping a section that people thought included a kill switch. it just wasn't worth it, because of the urgent need for this bill. there is nothing that touches on the balance between
10:12 am
intellectual property and free speech that so aroused public opinion over the proposed online privacy act and has left many members of congress with scars or at least a kind of post-traumatic stress syndrome since that happened. this is not the ultimate verification of my assertion that there is nothing here anything like what concerned people in the sopa and pipa. one of our witnesses was a leading proponent of -- opponent of sopa but is testifying in favor of our bill. the average user will go about using the internet just as they do today, but hopefully, as a result of the law and outreach
10:13 am
pursuant to it, they will be far better equipped to protect their own privacy and resources from cyberattack. a lot of people would work very hard to come so far in a bipartisan way to face a real and present danger to our country that was in the cannot allow this moment to slip away from us. i feel very strongly that we need to act now to defend america's cyberspace as a matter of national and economic security. senator collins. >> thank you, mr. chairman. mr. chairman, let me first applaud you on your leadership on this very important issue, as well as the leadership of our witnesses, senator rockefeller and senator feinstein who contributed so much to this issue and this bill. i personally want to thank you for holding this important hearing today.
10:14 am
after the 9/11 attacks we learned of many early warnings that went unheeded, including an fbi agent who warned that one day people would die because of a wall that kept law enforcement and intelligence agencies apart. when a major cyber attack occurs, the ignored warnings would be even more glaring because a nation's vulnerability has already been demonstrated by the daily attempts by nation states, terrorist groups, cyber criminals, and hackers to penetrate our system. the warnings of our vulnerability to a major cyber attacks comes from all directions and countless
10:15 am
experts. they are underscored by the intrusions that have already occurred. earlier this month, the fbi director warned that the cyber threat will soon equal or surpass the threat from terrorism. he argued that we should be addressing the cyber threat with the same intensity that we have applied to the terrorist threat. the director of national intelligence, james clapper, made the point even more strongly, describing the cyber threat as a profound threat to this country, its future, its economy. in november, the director of darpa warned that malicious cyberattacks threatened a growing number of systems with which we interact every day -- the electric grid, water treatment plants, chief
10:16 am
financial systems. similarly, general keith alexander, the commander of u.s. cybercommand, and the director of nsa has said that our cyber vulnerabilities are extraordinary, and characterized by a disturbing trend from exploitation and to destruction to destruction. these statements are just the latest in a chorus of warnings from current and former officials. the threat, as the chairman has pointed out, is not just to our national security, but also to our economic well-being. a study last year calculated the cost of global cyber crimes at $140 billion annually. when combined with the value of time the victims lost due to cyber crime this figure rose
10:17 am
to $388 billion. norton describes this as significantly more than the global black market in marijuana, cocaine, and heroin combined. in an op-ed last month entitled "china's steve frick," former homeland security secretary michael chertoff and others noted the ability of said terrorists to cripple our critical infrastructure. they sounded an even more urgent alarm about the threat of economic cyber espionage, citing an october 2011 report by the office of the national counterintelligence executive.
10:18 am
these experts warn of the catastrophic impact that cyber espionage, particularly that pursued by china, could have on our economy and competitiveness. they estimated that the cost easily means billions of dollars and millions of jobs. this threat is all the more menacing because it is being pursued by a global competitor. seeking to pursue economic firms to undermine our economic leadership. the evidence of our cybersecurity vulnerability is overwhelming. it compels us to act now. some members for yet more study, even more hearings, additional markups.
10:19 am
in other words more delay. since 2005 alone, our committee alone has held 10 hearings on the cyber threat, including today's hearing. i know that commerce and intelligence committees have held many more. in 2011, chairman lieberman senator carper, and i introduced our cybersecurity bill, which was reported by this committee later that same year. since last year, we have been working with chairman rockefeller to merge our bill with legislation that he championed, which was reported by the commerce committee. senator feinstein has done groundbreaking work on information sharing which she has been kind enough to share with this committee as well. after incorporating changes based on the feedback from the
10:20 am
private sector, our colleagues, and the administration, we have produced a refined version which is the subject of today's hearing. it is significant that three senate chairmen with jurisdiction over cybersecurity have come together on these issues, and each day that we fail to act, the threat increases to our national and economic security. others of our colleagues have urged us to focus narrowly on the federal information security management act, as well as on several r&d and improve information sharing. we need to address those issues, and our bill does just that. however, with 85% of our nation's critical infrastructure owned by the private sector, the
10:21 am
government also has a critical role to play in ensuring that the most vital part of that infrastructure those whose disruption could result in a truly catastrophic consequences, meet reasonable risk-based performance standards. in an editorial this week, "the washington post" concurred writing that our critical systems have remained unprotected. some of our colleagues are skeptical about the need for any new regulation. i oppose efforts to expand regulation that would burden our economy. but regulations that are necessary for our national security and that promotes rather than hinder our economic prosperity, strengthen our
10:22 am
country. they are in an entirely different category. the fact is, the risk-based performance requirements in our bill are targeted carefully. they apply only to specific systems and assets, not entire companies. if damage could result in mass casualties mass evacuations catastrophic economic damages or severe degradation of our national security -- some of the witnesses think we have gone too far in that direction. senator lieberman has described much of what the bill contains so i will not repeat that in the interest of time. let me just say that this bill is urgent.
10:23 am
we cannot wait to act. we cannot wait until our country has a catastrophic cyberattack. it would be irresponsible for congress not to pass legislation due to turf battles or claims that we are somehow harming the economy. what we're doing is protecting the economy and our way of life. thank you, mr. chairman. >> thank you, senator collins for that very strong statement. i agree with you, i would correct one part, at least you were that three committee chairs of the jurisdiction. i consider you the co-chair of this committee, so i would say it was four. i appreciate your contribution to this effort. we are grateful to have senator
10:24 am
rockefeller and senator feinstein here. i cannot thank you enough for the work we have done together. it is a very powerful statement and we have agreed on a consensus bill. senator rockefeller, mr. chairman, we welcome your testimony now. >> thank you, chairman lieberman, ranking member collins. you are quite right. senator reid wants this on the floor as soon as possible. the thing that scares me is that we have had so many hearings, and they are solid, rock-solid, but we still have to find a floor time for it. this is not going to be an easy time to do that. the pressure is on this congress, both of the house and senate, to come through on
10:25 am
this. i think our government needs a civilian agency to coordinate our civilian cybersecurity efforts. that agency should be the department of homeland security. under the super leadership of janet napolitano. our bill represents expertise and hard work, as both of you have said. that is as it should be. we have eagerly sought, as you mentioned, and received a constructive criticisms and input from a whole lot of places. i remember giving a speech two years ago to a business group presenting ideas that olympia snowe and i had. they were surprised to hear the summit would listen to them, listen to their complaints, and there were a lot of them.
10:26 am
even when people refused to engage with us, even in the senate refused to discuss with our staff, that does not mean we don't take some of their suggestions. we have done that. if they don't want to engage, if they have suggestions, put them in so it makes a stronger bill. the bill reflects the input and requests of senators on both sides of the aisle as it should be, which gives me hope for final passage. senator carper was a co-author of the lieberman-collins bill. both have left a major imprint on this bill. senator hutchison and her staff work with us for a good part of the past two years. she is my ranking member, absolutely superb -- i call her co-chair, too, incidentally.
10:27 am
we have worked to address her concerns and i think we have met most of her concerns. we sought to engage senator chambliss in the same fashion. there was reluctance at some point to discuss -- staff discussions did not make any difference. we are interested in what they had come and there was something good, we put it in the bill. it then had to pass future tests as we combine all the efforts. senator kyl and senator whitehouse contributed an entire title regarding cybersecurity awareness. senators kerry, lugar, gillibrand, hatch did the same regarding cyber diplomacy. because of senator mccain's concerns, we committed language pertaining to the cyber office. when colleagues had questions about the section i believed to be extremely important, i agreed to drop it. this would satisfy private
10:28 am
sector companies' existing requirements regarding what material risks pertaining to cyber have to be disclosed to investors in sec filings. at one point out of frustration i went to the sec, and mary schapiro agreed that if you are hacked into as a company, it goes on the website of that company. that has had a substantial impact. i believe this is crucial for the market to solve our cyber vulnerabilities. that is the way the system more. but in the interest of providing more time to address colleagues' questions, i agreed to take it out of the bill. this has been a really open process, and the lengthy, as has been pointed out. why have we worked so tirelessly
10:29 am
to include the views of all sides? why have we worked so hard to get this right? our country and our communities and our citizens are at great risk. they simply are. i am not sure they are aware because there are so many things reported in the news cycle that it diminishes the aggregated weight of the danger. our citizens have to be aware that this is not a republican or democrat issue. it is a life or death issue for the economy and for us as people. i want to be clear that the cyber threat is very, very real. this is not alarmist. it is hard to talk about this sometimes without sounding alarmist. and yet it simply reflects the truth. hackers supported by the governments of china, russia, and sophisticated criminal syndicates with connections to terrorist groups are able to crack government agencies, including
10:30 am
sensitive ones, and the fortune 500. they can do that and they do that on a regular basis. senator collins mentioned what mike mullen said. she pointed out that we are being looted of valuable possessions on an unfathomable scale. the reason the cyber threat is a life-and-death issue is the same reason a burglar in our house is a life-and-death issue. if a criminal has broken into your home, how you know what he wants to do? you don't know. he is in the building, in your home, where we are now in terms of the country. that is the situation we face. cyber burglars have thrown in. mike mullen has said exactly what senator collins indicated, that the only other threat on the same level to the cyber threat is russia's stockpile of nuclear weapons.
10:31 am
fbi director mueller -- the first thing after 9/11, we had to pass was a law saying that the cia and fbi could talk to each other. how pathetic could that be, but that is where we were because of stovepipes of that sort. director mueller testified to congress recently that the cyber threat will overcome terrorism as his top national security emphasis. it is all very serious, and you cannot exaggerate it, and it can happen. you think about how people could die. often in big cities it gets very soupy. people do not like to be in soupy weather.
10:32 am
they are protected because of the air-traffic control system. cyber-hackers can take that out. they to take over a city, they can take out that capacity, so the planes are literally flying into the dark and they will fly into each other and kill a lot of people. rail switching networks are hacked, causing trains which carry toxic materials, deadly materials, through our major cities, and that can be a massive explosion from that. we are on the brink of a very, very serious happenings. we have not reached that, which is one of our problems in getting legislation passed. but we can act now and try to prepare ourselves. let me close by saying that i was on the intelligence committee during the time leading up to 2001. the world was rife with reports
10:33 am
of people coming in and going out of our country dots here and get that appeared to be connected to we were not quite sure. what about folks in the house in san diego? what about the closing down of the bin laden unit? all that was there, and we knew all of that. then at they took it seriously but they did not get deep enough because it was a new phenomenon. well, here we are in a very similar situation. it's already with us, much more obvious than the lead up to 2011 was. we now have to act. we don't have the luxury of waiting and seeing. congress has to assert itself. the federal government does have roles. this is not heavy handed in, as
10:34 am
senator collins pointed out. the federal government is involved because it is a matter of national security. i just want to work with everybody and anybody to get this passed in both houses of congress. >> thank you, senator rockefeller. that was great. senator feinstein, welcome. we thank you again, particularly on the information sharing section of the bill. >> thank you very much. thank you mr. chairman, senator collins, senator landrieu. i look at this as a banner day. i look at that as finally the senate coming together, that we are settling on one bill. this is the bill. if it needs improving, we will improve it. but we have focused now, and with a focus we can hopefully
10:35 am
moving forward. i want to thank you for your work, the hearings to have health the operas of consultation that you have placed out there it to us. let me speak for a moment on behalf of what idea in the intelligence committee. we have examined cyber threats to our national and economic security. just last month, at the world wide threat hearing, an open hearing, we heard fbi director bob mueller testify that the cyber threat, which cuts across all programs, will be the number-one threat to the country. already, cyber threats are doing great damage to the united states, and the trends are getting worse. let me give you four examples. we know about these when they happen, but they are often classified because the people they happen to do not want it released because their clients will think that the of them, and
10:36 am
it is not their fault, but nonetheless. i think it is fair to say that pentagon networks are being probed thousands of times daily, and classified military computer networks suffered significant compromise in 2008 according to former deputy defense secretary bill lynn. in november 2009 doj charged seven defendants with hacking into the royal bank of scotland and stealing $9 million for more than 2100 atm's in 200 cities worldwide in 12 hours. in 2009, federal officials indicted three men for stealing data from more than 130 million credit cards by hacking into five major companies' computer
10:37 am
systems, including 7-eleven, heartland payment systems, and the hannaford brothers supermarket chain. finally, an unclassified report by the intelligence community in november 2011 said that cyber intrusion against united states companies caused untold billions of dollars annually. that report named china and russia as aggressive and persistent cyber thieves. modern warfare is already employing cyberattacks, as seen in estonia and georgia. unfortunately, it may only be a matter of time before we see cyberattacks that can cause catastrophic loss of life, whether by terrorists or state adversaries. our enemies are constantly on the offensive, and in the cyber domain it is harder for us to play
10:38 am
defense than it is for them to attack. the hard question is what do we do about this dangerous and growing cyber threat. i believe the comprehensive bill that has been introduced, the cybersecurity act of 2012, is an essential part of this answer. i would like to speak briefly on the cybersecurity information sharing bill that i introduced on monday and that you have included in title 7 of your legislation. the goal of this bill is to improve the ability of the private sector and the government to share information on cyber threats that both sides need to improve their defenses. however, a combination of existing law, the threat of litigation and standard business practices, has prevented or deterred
10:39 am
private sector companies from sharing information about the cyber threats they face and the loss of information and money they suffer. we need to change that through better information sharing in a way that companies will use to protect privacy interests and take advantage of classified information without putting that information at risk. here is what we are trying to do in title 7. one, affirmatively provide private sector companies the authority to monitor and protect the information on their own computer networks. two, encourage private companies to share information about cyber threats with each other by providing a good faith defense against lawsuits for sharing or using that information to protect themselves. three, require the federal government to designate a single focal point for cyber
10:40 am
security information sharing. we refer to this as a cybersecurity exchange to serve as a hub for appropriately distributing and exchanging cyber threat information. this is intended to reduce but to ensure that private information is not used. this legislation provides no new authority for government surveillance. fourth, we establish procedures for the government to share classified cybersecurity threat information with private companies that can effectively use and protect that information. this, we believe, is a prudent way to take advantage of information that the intelligence community acquires
10:41 am
without putting our sources and methods at risk. or turning private cybersecurity over to our intelligence apparatus. i would like to raise just one issue, something that is not yet included in this bill. that is data breach notification. this is an issue i've worked on for over eight years, since california has a huge data breach. we only inadvertently found about literally hundreds of thousands of data breaches. it is an urgent need. i have a bill, the data breach notification act. it has come out of the judiciary committee and it accomplishes what, in my view, are the key goals of any notification legislation. one, notice to individuals who will better be able to protect themselves from identity theft. two, notice to law enforcement
10:42 am
which can connect the dots between breaches and cyberattacks. three, and this is important, pre-emption of the 47 current state and territorial standards on this issue. this is a real problem. we have 47 different laws in this country. it makes it very difficult for the private sector. companies will not be subjected to conflicting regulation if there is one basic standard across the country. i know that senators rockefeller and pryor have a bill in the commerce committee, and senators leahy and implements all have their own bills also reported out of the judiciary committee. the differences in our approaches are not so great that we cannot work them out. i am very prepared to sit down with members of this committee, senator rockefeller and others,
10:43 am
to find a common solution. but i would really implore you to add a data breach pre-emption across the united states so that there is one standard for notification to an individual of data breach, communication with law enforcement that goes all across america. until we have that, we really won't have a sound data breach system. let me just thank you. i think we are on our way. i am really so proud of both of you in this committee for coming together. i think it is a banner day. thank you very much. >> thanks very much, senator feinstein. we could not have done it without you. thanks for your testimony. i am personally very supportive of your aims with the data breach proposal. i look forward to working with you and we will see if we cannot
10:44 am
find a way to include that in this proposal when it comes to the floor. >> thank you very much. >> thank you very much. have a good rest of your day. and now madam secretary, i hate to break up a conversation between the secretary and the current secretary. we almost had the trifecta of the three secretaries of the department of homeland security here today. secretary chertoff wanted to testify, had a previous commitment, and has filed a statement for the record strongly in support of the legislation. secretary napolitano, thanks very much for being here and for all the work you and people in the department have done to help us come to this point with this bill. we welcome your testimony now. >> thank you, chairman lieberman, ranking member collins, members of the committee.
10:45 am
it is great to be here to discuss the issue of cybersecurity and in particular the department's strong support for the cybersecurity act of 2012. i appreciate this committee's support of the department's cybersecurity efforts. you have sustained attention to this issue and the leadership you have shown in bringing the bill forward to strengthen and improve our cybersecurity authorities. i also appreciate and want to emphasize the urgency of this situation. indeed, the contrast between the urgent need to respond to the threats we face in this area on one hand and a professed desire for more deliberation and sensitivity to regulatory burdens on the other reminds me as several of you have suggested, of lessons we learned from the 9/11 attacks. as the 9/11 commission noted those attacks resulted in hindsight from a failure of imagination, because we failed to anticipate the vulnerabilities of our security infrastructure. there is no failure of
10:46 am
imagination when it comes to cyber security. we can see the vulnerability. we are experiencing the attacks. and we know that this legislation would materially improve our ability to address the threat. no country, industry, community, or individual is immune to cyber risks. our daily lives, economic vitality and national security depend on cyberspace. a vast array of internet and i.t. networks, services, systems, and resources are critical to communication, travel, powering our homes, running our economy and obtaining government services. cyber incidents have decreased dramatically over the past decade. there have been incidents of that fact, compromises of sensitive information from both government and private sector networks, and both of these undermine confidence in the systems and the integrity of the data they contain.
10:47 am
combating evolving cyber threats is a shared responsibility that requires the engagement of our entire society, from government and law enforcement to the private sector and most importantly members of the public. dhs plays a key role in this effort, both in protecting federal networks and working with owners and operators of critical infrastructure to secure their networks through risk assessment, mitigation, incident response capabilities. in fy2011, cert teams at dhs received over 6000 reports from federal agencies and industry partners, we issued over 5200 actionable cyber alerts that were used by private sector and network administrators to protect their systems. we conducted 78 assessments of control entities and made
10:48 am
recommendations to companies about how they can improve their own cybersecurity. we distributed 1150 copies of our cyber evaluation tools. we conducted over 40 training sessions, all of which makes owners and operators better equipped to protect their networks. to protect federal civilian agency networks, we are applying technology to detect and block intrusions into these networks with cooperation with the department of defense. we're providing guidance on what agencies need to do to protect themselves and are measuring implementations of those efforts. we are responsible for coordinating the national response for significant cyber incidents and creating and maintaining a common operational picture for cyberspace across the entire government. with respect to critical infrastructure, we work with the private sector to help secure the key systems upon which americans, including the federal government, rely, such as the
10:49 am
financial sector, the power grid, water systems, and transportation networks. we pay particular attention to industrial control systems which control power plants and transportation systems alike. last year we deployed seven response teams to such critical infrastructure organizations at their request in response to important cyber intrusions. to combat cyber crime, we leverage the skills and resources of dhs components such as the secret service, and we worked very closely with the fbi. dhs serves as the focal point for the government's cybersecurity outreach and public awareness efforts. as we perform this work, we are mindful that one of our missions is to ensure that privacy, confidentiality, and civil liberties are not diminished by our efforts. the department has implemented a strong privacy and civil rights and civil liberties standard in
10:50 am
all of its cyber security programs and initiatives from the outset, and we are pleased to see these in the draft bill. administration and private sector reports going back decades have laid out cyber security strategies and highlighted the need for legal authorities. in addition to other statutes, the homeland security act of 2002 specifically directed dhs to enhance the security of non-federal networks by providing analysis and warnings, crisis management support and technical assistance to state and local governments and the private sector. policy initiatives have had to supplement the existing statutes. these initiatives strike a common chord. indeed, this administration's cyberspace policy review in 2009 echoed in a large part a similar review by the bush administration. we have had numerous contributions by private sector groups including a study led by
10:51 am
jim lewis, one of your witnesses today. still, dhs executes its portion of the federal cybersecurity mission under an amalgam of authorities that have failed to keep up with the responsibilities with which we are charged. to be sure, we have taken significant steps to protect against evolving cyber threats. but we must recognize that the current threat outpaces our existing authorities. our nation cannot improve its ability to defend against cyber threats unless certain laws that govern cybersecurity activities are updated. we have had many interactions with this committee, with the congress, to provide our perspective on cybersecurity. indeed, in the last two years department representatives have testified in 16 committee hearings and provided 161 staff briefings. we have had bipartisan
10:52 am
agreement, in particular, many would agree with the house republicans' cyber task force which stated that "congress should consider carefully targeted directives for a limited regulation of particular critical infrastructures to advance the protection of cyber security." the recently introduced legislation contains great commonality with the administration's ideas and proposals, including two crucial concepts that are essential to our efforts. first, addressing the urgent need to bring up core critical infrastructure to a baseline level of security. second, fostering information sharing, which is absolutely key to our security efforts. all sides agree that federal and private networks must be better protected, and that information should be shared more easily yet still more securely. both our proposal and the senate legislation would provide dhs with clear statutory authority
10:53 am
commensurate with our cybersecurity responsibilities and remove legal barriers to the sharing of information. senate bill 2105 would expedite adoption of the best cybersecurity solutions by the owners and operators of critical infrastructure and give businesses, states, and local governments the immunity they need to share information about cyber threats or incidents. there is broad support as well for increasing penalties for cyber crime data recording regime to protect consumers. this proposal would make it easier to prosecute cyber criminals and establish national standards requiring businesses and core infrastructure that has suffered intrusion to notify those of us who have responsibility for mitigating and helping them mitigate it. i hope that the current legislative debate maintains the bipartisan tenor it has benefited from so far, and
10:54 am
builds on the consensus that spans two administrations and the committee's efforts of the last several years. let me close by saying that now is not the time for half measures. as the administration has stressed repeatedly, addressing only a portion of the needs of our cybersecurity professionals will continue to expose our country to serious risk. for example, only providing incentives for the private sector to share more information will not in and of itself adequately address critical infrastructure vulnerabilities. let us not forget that innumerable small businesses rely on this infrastructure for their own survival. as the president noted in the state of the union address, the american people expect us to secure the country from the growing danger of cyber threats and to ensure that the nation's critical infrastructure is protected.
10:55 am
as the secretary of homeland security, i strongly support the proposed legislation because it addresses the need, the urgency and the methodology for protecting our nation's critical infrastructure. i could give no more pressing legislative proposal in the current environment. i want to thank you again for the important work you have done and i look forward to answering the committee's questions. >> thanks very much, madame secretary. we will do a six-minute round of questions, because with the following panel, some people have to leave. madam secretary, let me get right to one of the issues that has been somewhat in contention. some people have said that the expanded authority here, particularly that related to cyber infrastructure owned and operated by the private sector, would be better handled by the department of defense or the intelligence community. they to take the lead in
10:56 am
protecting federal civilian networks. i wonder if you would respond as to why you think the department of homeland security, as obviously we do, is better prepared to take on this critical responsibility. >> well, several points. first, the department of homeland security, as i stated, already is exercising authorities in the civilian area, working with the private sector, working with federal civilian agencies. in that space, we are filling and continue to grow our capacity to fill. second, military and civilian authorities and missions are different, and there are significant differences, for example, in the privacy protection that we employ within the exercise of civilian jurisdiction. finally, i would note that both
10:57 am
dod and dhs use the technological expertise of the nsa. we are not proposing and have never proposed that two nsas be created, rather that there be two different lines of authority in using the nsa, one for civilian, one for military. >> that is a very important factor. i want to come back to that in a minute. one of the opinions expressed to the committee, as we faced the challenge and decided which part of our government should be responsible for responding, it is that it would probably be a very deep and widespread in how it concerns the public if we, for instance, asked the national security agency or the department of defense to be directly in charge of working with the privately owned and
10:58 am
operated cyber infrastructure. particularly with nsa, the concerns with the civil liberties, does that make sense to you? >> i have heard the concerns, they do make sense. when secretary gates by memorandum of understanding figure out the responsibilities and how we were going to use nsa, one of the things we were careful to all of it was the discussion of protection of privacy, civil liberties, and to the extent that we have people at nsa they are accompanied by people from the office of privacy and general counsel to make sure those protections are abided by. >> i am glad you mentioned that memorandum of understanding between homeland security and nsa.
10:59 am
senator mccain and i codified that into law, that memorandum of understanding, in the national defense authorization act that was passed last year. that memorandum does not preempt the need for this legislation. that memorandum does not allocate responsibility with regard to working with the private sector having the authority to require the private sector to take steps to defend themselves and our country from cyber attack. is that right? >> that is right, mr. chairman. it is a memorandum that describes the vision of how we would each use the resources of the nsa, but it doesn't deal with the protection of core critical infrastructure the way that the bill does. it does not deal with the private sector at all the way that the bill does. it does not deal with information exchange the way the bill does. it really was designed to make
11:00 am
sure that at least with respect to how each uses the nsa we had some meeting of the minds. >> so there is nothing inconsistent between the memorandum of understanding between dhs and nsa and the cybersecurity act of 2012? >> oh, not at all. this legislation was endorsed and this morning, before the armed services committee the director of national intelligence and general burgess, the head of the intelligence agency also endorsed the legislation. both of those expressions of support were unexpected by senator collins and me and all the more appreciated. i want to ask this question -- dhs' industrial control system
11:01 am
response to an as play critical roles providing protection to the owners and operators of critical infrastructure. can you describe their capabilities and the work they have done to assist private entities? >> what they have done is to help isolate and identify when they have been notified of attacks on industrial control systems to identify the source of the attack and methodology with which it was conducted, to work with the infiltrated entity to prepare a package and to make a program disclosures or sharing of information to other control systems that could be subject to a similar attack either in that particular industry or in other industries. >> on a voluntary basis, and if i can put it this way dhs has developed the capability and relationship working with the
11:02 am
private sector that will be strengthened by this legislation? >> yes, since the passage of the national infrastructure protection act in 2006 we have been working with critical infrastructure through their sector coordinating councils. we have a process in place for dealing with the private sector and for exchanging some information on a voluntary basis. that does not mean that we get all the necessary information we get from core critical infrastructure. that is one of the problems the bill addresses. >> thank you very much. my time is up. >> madame secretary, to follow up on a question that the chairman asked you -- it is my understanding that dhs has unique expertise in the area of industrial control systems that
11:03 am
is not replicated at any other government agency. is that correct? >> yes. >> that is important because industrial control systems are a key part of critical infrastructure like the electric grid, water treatment plants -- is that also correct? >> yes, and when you think about it, if you have the ability to interrupt the control system, you can take down an entire protected network. you can interfere with all of the activities there. the attacks on control systems are growing more and more sophisticated all the time. >> could you tell us about work that is being done by dhs with your team and the national lab with respect to the u.s.
11:04 am
electric grid? >> yes, we're working both of those capacities with the national labs end of the bridge in terms of not only mitigating attacks that have occurred but also preventive measures that they can employ. >> so you are doing training as well and helping the critical infrastructure owners and operators identify vulnerabilities? >> that's correct. >> it is my understanding that in january the administration transferred the defense department's defense industrial base cyber-pilot program from dod to dhs. this is the program known as dib. >> the dib pilot program shared cyber threat indicators with defense contractors in an effort to better defend systems that contained information critical
11:05 am
to the department's programs and operations. i understand that dhs is now the lead for coordinating this program with the private sector and that is being expanded to other critical infrastructure sectors. can you say why the administration decided to transfer this pilot program from dod to the department of homeland security? >> the dib pilot gets to the responsibility between military and civilian and what we are talking about here are basically private companies that do important defense contracting work but they are in essence private companies. the authorities and laws that we use are better situated in the dhs which deals in this context as opposed to dod.
11:06 am
we have been working with dod from the outset on the design of the dib pilot and the initial aspects of it and now the decision was made to extend it and grow it and the decision was made that it should be more appropriately located within dhs. >> the bill provides the authority to dhs to set risk-based performance standards for critical infrastructure. do you believe that we can achieve great progress in improving our cyber security in this country absent that authority? >> i think it makes it tougher. the basic authority under the homeland security act, we have
11:07 am
authorities by various presidential directives but nowhere do we have explicit authority to establish, on a risk-based level, a risk-based protection necessary for critical infrastructure. >> finally, i think a lot of people are not familiar with a lot of the work that the department has already done in the area of cyber security including the fact that there is a 24-hour, seven-day a week national cyber security and communications integration center. i believe it is called the nccic? can you explain to the committee and those watching this hearing how this center operates and what it does with respect to the private sector? >> the nccic is a watch center
11:08 am
for cyber and includes on its floor not only dhs employees but representatives from other federal agencies from critical infrastructure sectors that coordinates for us. there are lots of acronyms in the cyber world and the government world. it also has representatives from state and local governments as well because a lot of the information sharing is applicable to them. >> thank you. >> senator mccain -- >> thank you for holding this hearing on the long awaited cyber security act of 2012. i welcome all of our witnesses including secretary napolitano and my old friend governor ridge who will have different views on this bill in his
11:09 am
testimony. i would like to state from the outset my fondness for the chairman and ranking member when it comes to matters of national security. the criticisms i have with the legislation should not be interpreted as criticisms of them but rather on a process by which the bill is being debated and its policy implications. all of us recognize the importance of cyber security and the digital world. time and again we have heard from experts about the importance of possessing the ability to effectively protect and respond to cyber threats. we have listened to accounts of cyber espionage originating in countries like china and organized criminals in russia and the domestic presence of groups like anonymous. our own government accountability office has reported that over the last five years, cyber attacks against the united states are up 650%.
11:10 am
we all agree that the threat is real. it is my opinion that congress should be able to address this issue with legislation. a clear majority of us can support this but we should begin with a transparent process which allows lawmakers and the american public to let their views be known. unfortunately, the bill has been placed on the calendar by the majority leader without a single markup or any executive business meeting. that is wrong. to suggest this bill should move directly to the senate floor because it has been around since 2009 is outrageous. the bill was introduced first two days ago. where do the senate rules state that the progress of a bill in the previous congress can supplant the necessary work on that bill in the present one? in 2009, we were in the 111th congress with a different set of
11:11 am
senators. the minority of this committee has four senators on it presently who were not even in the senate much less this committee in 2009. how can we seriously call it a product of this committee without their participation? respectfully, to treat the last congress as a legislative mulligan by bypassing the committee process and bringing the legislation directly to the floor is not the proper way to begin consideration of an issue that is complicated. in addition to these process concerns, i have policy issues with the bill. a few months ago an amendment was introduced to the defense authorization bill codifying an additional cyber security agreement between the department of defense and the department of homeland security. the purpose of that amendment was to insure that this relationship endures and highlight that the best government security approach is
11:12 am
one where dhs leverages, not duplicates, dod efforts. this legislation unfortunately backtracks on the principles of that moa by expanding the size, scope, and reach of dhs and neglects to afford the authorities necessary to protect the homeland to the only institutions currently capable of doing so, u.s. cyber command and the national security agency. at a recent fbi-sponsored symposium at fordham university, the commander of u.s. cyber command and director of the nsa stated that if a significant cyber attack on this country were to take place, there may not be much that he and his team can legally do to stop it in advance. in order to stop the cyber attack, you have to see it in real time and you have to have
11:13 am
those authorities. these are the conditions we put on the table. how and what the congress chooses will be a policy decision. this legislation does nothing to address this significant concern. i question why we have yet to have a serious discussion about who is best suited, which agency, who is best suited to protect our country from this threat? we all agree this threat is real and growing. if the legislation before us today were enacted into law, unelected bureaucrats at the dhs could promulgate regulations on businesses in the private sector. the regulations that would be created under this new authority would stymie job creation, stretch private property rights and divert resources from cyber security to compliance with government mandates. a super regulator like dhs under this bill would impact free
11:14 am
market forces which currently allow our brightest minds to develop the most effective network security solutions. i am also concerned about the cost of this bill to the american taxpayer. it fails to include any authorization or attempt to pay for the real cost associated with the creation of a new regulatory leviathan at dhs. this attempt to hide the cost is eclipsed by the reality of critical infrastructure and the promulgation of regulations and their enforcement and that would take a small army. i would like to find out over the next few days what specific factors went into providing regulatory carve outs for the it hardware and software manufacturers. this had more to do with garnering political support than sound policy considerations. however, i think the fact that they are included only lends credence to the notion that we should not be taking the
11:15 am
regulatory approach in the first place. because of provisions like these and the threat of a hurried process, myself and seven of us on seven committees will be introducing an alternative cyber-security bill in the coming days. the fundamental difference in our alternative approach is that we aim to enter into a cooperative relationship with the entire private sector through information sharing rather than an adversarial one with the prescriptive regulations. our bill will be introduced after the president's day recess and will provide a common sense path forward to improve our nation's cyber security defenses. we believe that by improving information sharing among the private sector and the government, updating our criminal code, reforming the federal information security management act, and focusing federal investments in cyber
11:16 am
security, our nation will be better able to defend itself against cyber attacks. we are all partners in this fight as we search for solutions. our first goal should be to move forward together. i also would ask entered in the record a letter signed by several of us. we have asked that the legislation goes through the regular process with the committees of jurisdiction having a say in this process.
11:17 am
mr. chairman, i thank you and i yield the balance of my time about no balance. >> no balance. [laughter] no, it's not. [laughter] with the same fondness and respect you expressed for senator collins, i cannot conceal the fact that i am disappointed by your statement. we have conducted -- this bill is essentially the one marked up by the committee but that is not the point. we have reached out not only to everybody who was possibly interested in this bill outside of the congress but open to the process to every member of the senate who wanted to be involved. we pleaded for involvement. a lot of people including yourself have not come to the table. the most encouraging part of your statement is that you and those working with you will introduce
11:18 am
legislation and we will be glad to consider it. i think senator reid intends to hold an open amendment process on this bill but you know, as you stated, that this is a critical national security problem. to respond to it with business about regulation, this is national security. there is regulation of business that is bad for business and bad for the american economy. there is regulation such as we have worked hard to include in this bill that in fact is not only bad for american business and bad for the american economy but will protect american business and american jobs and help to guarantee more american economic growth. on the question of dod and the intelligence committee, i indicated earlier that they have supported our bill. i hear what you said about general alexander from nsa but he has never come
11:19 am
forward to offer any suggestions for additions to this bill that would give him more authority. i would welcome those suggestions if he wishes. i had to be honest with you as you have been honest with us and express my disappointment and express the only satisfaction i have from your statement which is that you will make a proposal that our colleagues in the senate will consider and senator collins and i working on this bill will consider and let's get something done on a clear and present danger to our country this year. >> in response, i speak for seven ranking members of the major committees of jurisdiction. i don't speak for myself. there is a breakdown somewhere if seven ranking members of the relevant committees are all joining in this opposition to this process and to this
11:20 am
legislation. if you choose to neglect my years of experience, legislative experience and time in the senate, that's fine but there are seven of us that are deeply concerned about this process and the legislation and we don't think it should go directly to the floor. >> i will say for the record that we have reached out to all seven in various ways to try to engage their involvement in this bill. i would much rather have preferred to submit a bill that everybody had been involved in discussing. we were very open to try to find consensus as we did with others who are here. nobody is neglecting the expertise. i'm sorry they had not been engaged before and i'm glad they will be engaged now. senator moran -- >> thank you. this is my first opportunity to visit with you since the
11:21 am
announcement of the president's budget i want to talk about a topic not related to cyber security but certainly related to security. the chairman just spoke about clear and present danger. we have had a conversation that is related to our food and animal safety and security in this country. as you would expect, the disappointment that i have and others in the congressional delegation have to include dollars related to construction of agro and science by a facility to replace the aid plum island. we will have a greater chance to visit in a homeland security appropriations hearing in which you and i will be together in a
11:22 am
few days. i would not want this opportunity to pass without again delivering the message to you and to the folks at homeland security who have been our allies throughout this process and we consider we have been your allies in an effort to see that a facility designed to make certain that the food and animal safety of this country is protected. you and i had a conversation in march of last year that was in an appropriations subcommittee. you told me that there is something that we are supportive of. plum island does not meet the nation's needs in this way. we look forward to continued construction. we feel we need to get on with it. in september of that year, you talked about the future and need to get prepared for the next
11:23 am
generation. again, we need to be confronting the things we face today and the things we will face 10 years from now. that seriousness continues with your testimony and others from a homeland security and the department of agriculture. i would like for you i hope, to reiterate your position as secretary continued support and belief in the importance of building this facility and to explain to me the idea of a reassessment which as i read in press reports is a reassessment in scope only, not in concerns about safety or in concerns about location. >> that's right, senator. you are right, the president does not request in the budget and appropriations for this because last year requested $150 million and the house
11:24 am
ultimately appropriated $75 million and the senate appropriated zero and we ended up with 50. there were a lot of extra requirements put on the project as you have stated. what we have done in this year's budget is allocated to million dollars that will go to related animal research at k-state university. in light of the budget control act and other changed circumstances we have to deal with and in light of the fact that we have not been able to persuade the congress to really move forward in a substantial way on funding the nbaf, we recommend there be a reassessment in terms not of location or in terms of need, both of which is strong with stand by the position i have stated, but in terms of scoping
11:25 am
and what needs to happen so this project can move forward with the right level of appropriation. >> madam secretary, thank you. i would say that the solution to lack of funding by congress is not for the administration to not request funding. the solution to that problem is continued support and encouragement from congress to act. the house appropriated $75 million last year and the senate agreed to $50 million and you are requesting reprogramming for additional planning of money which in this year's budget. the money that is there needs to be spent as quickly as possible. i will be asking you by letter shortly to continue the funding of the $40 million that is available and is appropriate and now, as a result of the report filed this week, can be spent to complete the federal share of
11:26 am
the utility portion of this facility. based upon what i have heard you say and what i've read that you have said, it is not about location, it is not about the site -- it may be about the scope of what will occur but the utility path is still important and will still be necessary regardless of the scope of that project. we will ask you to continue the funding that you already have committed to and are authorized to now spend this $40 million on utilities and i would add that we have appropriated $200 million, federal dollars -- the state of kansas has put in more than $150 million and we need the federal government to continue its partnership on the utility portion. we're waiting on a share you are now authorized to spend to be spent. i appreciate the answer to my question and i have considered you an ally and continue to consider you an ally.
11:27 am
let's work together to see that this congress moves forward on an issue that is important just as cyber security is to the economic security and future of our nation. >> senator, i would be happy to work with you on this. >> thank you, we need your help. >> for the information of members, the order of arrival today -- we will go to senator pryor. >> thank you for this important meeting. let me start with the question about -- you have pretty much said that you feel like we need a statute but i am curious about what specific authority you think your agency or the federal government does not have in this area that you need?
11:28 am
>> i think the specific authority that the statute contains, the most important is the ability to bring all of the nation's critical infrastructure up to a certain basic standard of security. and to outline the process with which that will occur. >> on a different topic -- in reading some of the news stories and trade publications, the private sector seems to have hesitation about sharing too much information and understandably so. they may fear that a competitor will get it or it will create liability issues or whatever. do we have an effective mechanism for the private sector stakeholders to share their best practices and potential threats and those
11:29 am
concerns without raising issues of their own security and liability and even antitrust concerns? >> no, another major improvement in the bill over the current situation is it clarifies that that kind of information sharing can occur without violating other federal statutes. i trust the electronic private communications act, we have had situations where we have had a delay in being able to get information and being able to respond because lawyers had to first assess whether they would be violating other federal law by alerting the department of homeland security that an intrusion had occurred. when the lawyers get it, it can take awhile. the new bill would clarify that that should not be a problem. >> and you are comfortable with
11:30 am
how the new bill is structured in that area? >> yes i am. >> let me ask about lessons learned. dhs has recently discussed that some of the work being done under the chemical facility terrorist standards program has not really been done as quickly or as the early as maybe it should have been. as you know, this bill provides the requirement that dhs would do similar assessments. there are lessons learned in this experience that might indicate that we can put the problem behind us and we can comply with what this law would ask you to do? >> yes senator. with respect to cfats, no one is more displeased than i am with the problems that have occurred
11:31 am
there. there is an action plan in place. there are changes in personnel among other things. that program is going to run smoothly. the security plans are being evaluated. >> so there are lessons learned there? >> there are as there are in all things. this bill is less descriptive than cfats. this is a very regulation-light bill. this is not a regulatory bill per se. there are some lessons learned from cfats. >> when we read news media accounts about cyber security and oftentimes we tend to focus on large companies and breaches that large companies experience but the truth is, many small and midsize companies carry a lot of
11:32 am
sensitive information. is dhs working with small to midsize companies in any way to reach out to them to talk about best practices? >> we conduct a lot of outreach activity with small and medium-sized businesses. on a whole host of cyber-related areas so the answer is yes. >> great. we want to make sure that our small businesses are taken care of and if there is a weak link in the chain that is a problem. >> i continue to emphasize that when we are talking about the security of core critical infrastructure if that goes down many small businesses are dependent on that and they will fail. >> that's exactly right. we also talk about the federal government but also state governments have the same issue of cyber security and your former governor and attorney general is senator lieberman.
11:33 am
are you working with states to talk about their best practices? >> yes, we are. we work with a multi-state of information system and they are located or provide input at encec. >> i yield back the balance of my time. >> thank you, general pryor. next is senator carper. >> can i have his 14 seconds? >> you got it. >> good to see you. nice to see all of our witnesses. i like to see if we cannot develop a consensus. you could never have too much of that in the senate or the house. i hope we identify where we have
11:34 am
differences and can find some common ground. i want to return to the comment of my colleague from arizona mentioning regulation. i want to second what the chairman said that regulation can be a problem if we don't use common sense. it could be a bad thing but having said that, i remember meeting with a bunch of utilities ceo's about seven years ago in my first term in the senate and they were talking about clean air issues. we were trying to decide what the path forward should be. a ceo from someplace down south said to do this -- tell us what the rules will be, give us some flexibility, give us a reasonable amount of time, and
11:35 am
get out of the way. i have always remembered those words and i think it may apply here. i want to thank the chairman and ranking member susan collins for calling the hearing and working with us and giving -- if you have an idea, for it to us. i think you had an open door. we have a lot of distractions around here. we're being attacked by hackers across the world and closer to home and is likely to get worse not better. some are there to cause mischief and some are there to steal ideas and defense secrets. we really need a road map.
11:36 am
to move forward. i hope we can move along that way today. i am especially pleased that the legislation being introduced includes a number of suggestions from my staff. i would like to begin by asking a couple of questions about the department's efforts in this area. i have been calling for some major changes to the law that controls how federal agencies protect their information, our information systems. we looked at this issue several years ago and we found federal agencies were wasting millions of dollars on reports that nobody read. the bill before state includes many improvements to the federal information security
11:37 am
information act. we hope that will ensure that our federal agencies are actively monitoring and response and not just writing reports about them. the agencies have taken many steps to improve the security networks largely because of the action you have taken in your department to make this more effective despite the outdated statute. god bless you. i commend you for being proactive in this area. here is the question -- that was a long windup -- can you describe some of the current limitations of fisma and why this legislation and some new tools to give you might be needed? >> one of the key things that this bill would do is to clarify and
11:38 am
centralize where the authorities lie within the government and have those relate to fisma among other things so it really sets the common sense road map for how we move forward. we have done a lot with the civilian networks of the government. they have been repeatedly and increasingly have attempted to be infiltrated all the time. we have almost completed the deployment of what's known as einstein 2. we were working on the next iteration in the president's budget request, we have asked for a budget that would be used to help improve or raise the level of it protection within
11:39 am
the civilian agencies. >> thank you. could you talk a little bit more about how your department will be able to achieve what the president has requested and how this legislation will impact those activities? >> i can give you more detail but basically, it allows us to have a fund out of which we can make sure that the civilian agencies of government are deploying best practices, hiring qualified personnel and otherwise strengthening their own cyber security within the federal government. >> thank you. in conclusion, one of the things i hear a lot from businesses across the country and in delaware is they want us to
11:40 am
provide for them certain predictability and one of the things we are trying to do is this legislation and regulations from it. with that in mind, it would be helpful if you can help us bring us together. >> thank you. senator levin -- >> thanks for taking the initiative on this with other colleagues and thank-you madam secretary, for the work the light as did on a similar bill which you worked on which i understand is basically part of this pending bill which is on the calendar. i am trying to understand what the objections are to the bill. it seems there are a whole bunch of private -- promises for the
11:41 am
private sector. there is a self-certification or a third-party assessment of compliance with the performance requirements. i understand there is an appeal of those requirements if there is objection i understand and believe the owners have covered critical infrastructure and they are in substantial compliance and they would not be liable for punitive damages. this arises from an incident related to cyber security risk. you have here something unusual i believe for the private sector which is a waiver of punitive damages. i don't know that it is unique but i think is fairly unique in legislation to waive the possibility of punitive damages in case of a liability claim. there is a number of other
11:42 am
protections in the privacy area as i read the summary of this bill. where there is a significant threat that has been identified i am trying to identify and will not be able to stay to hear from the next panel as to what the objections are. i will surely read the letter from the opponents and will study the bill that senator mccain referred to. i am trying to see exactly what those objections are. there seems to be privacy protection. there seems to be self-certification here which avoids part of a bureaucracy. there are limits on liability where there is a good faith defense for cyber security activities. there is a number of other protections.
11:43 am
i would like you to the best of your ability to address what you understand are the key objections. we will hear them directly. we will read about them but i think if you can, give us your response to them so we can have that for the record as well. >> i think there are three kind of clusters. the first is that the bill is a regulatory bill and it will be burdensome for industry to comply. it is a security bill, not a regulatory bill. it is designed with making sure we have a basic level of security in the cyber structures of our nation's core critical infrastructure and that we have a way to exchange information that allows us to do that
11:44 am
without private sector parties being afraid of violating other laws. this is not what one would consider a regulatory bill at all. as senator collins said, it really is designed to protect the american economy not to burden the american economy. the second set of objections would revolve around the privacy area. the aclu acknowledged that this bill has done a very very good job of incorporating those protections right from the get go. one of the reasons why dhs has the role it does is because we have a privacy office with a chief privacy officer who will be directly engaged in this. the bill, i think really addresses those privacy
11:45 am
concerns. i think senator mccain alluded to this that it somehow duplicates the nsa. we don't need to clarify the authorities ordered jurisdiction to. as the chair of the joint chiefs and the others have recognized but dod and the dhs use the nsa but we use it in different ways. we are not duplicating or making it redundant. we're taking the nsa and using it to the extent we can within the framework of the bill to protect our civilians cyber net efforts. >> i understand the department of defense supports this legislation? from what i can understand, at least. is that your understanding? >> i think wholeheartedly.
11:46 am
>> in terms of the privacy concerns, those concerns, in terms of the information supplied where there has been a threat that information when it is submitted to the government entity is protected? >> right, the content is not shared. >> tell us more about that. >> content is not shared by the information shared with required minimization and requires the elimination of personally identifiable information. it includes all the things necessary to give the public confidence that their own personal communications are not being shared. >> thank you. >> that was a helpful exchange.
11:47 am
senator johnson -- >> i would like to say to senator lieberman and senator collins, i appreciate your work on this because i think it was critically important and incredibly complex. i am new here and i don't want to break protocol i want to ask you a question. >> i may have to consult my counsel them up i share some of the concerns of senator mccain. >> in light of his objection and the ranking members, will we consider not taking this to the floor directly? will that be reconsidered? >> i don't believe so. there has been a long process here and bills have been reported out of this committee and out of commerce,
11:48 am
intelligence, foreign relations. they are not all done on a bipartisan basis but most of them were. senator reid got agitated about this problem last year and began to convene the chairs and then held a joint meeting which was unusual. it was a bipartisan meeting and all the committees urged us to begin working together and reconcile the differences. some came to the table and some did not. we worked very hard to bring people in. i cannot speak for senator reid but i think his intention was to take the bill to the floor and have an open amendment process so i don't think anyone will rush this thing through. we are open to any ideas that anybody has.
11:49 am
>> i appreciate that. this is important to get right. >> the most important thing is to get it right but also to get it done as quickly as we possibly can get it right. the threat is out there. >> mr. chairman, i would like to add one thing. this legislation has gone through a lot of iterations. it came up first in 2010. i was not part of the committee at that point that our staff has been shared with the senator's staff draft after draft. i know that senators come to some of the classified briefings we have had. we have invited input -- >> i am sincere in the
11:50 am
appreciation of the work you are doing. with that in mind, i know the house has worked on a bipartisan bill which is a slimmed down version. it is probably an important first step. is that something you can support in case this gets snagged? >> i would have to go back and look at that and there may be parts of that better included within this bill. this bill is a much stronger and more comprehensive focus on what we actually need in the cyber security area given the threats that are out there. >> if you are trying to create cyber security, why would you carve out people at the heart
11:51 am
of it? why would we carve out the service providers? >> from our standpoint, if you focus on the nation's critical infrastructure and to really focus on the standards they have to meet, and you want to avoid some of the complexities that deal with this light isp's and where they are located, the carve out is a program that moves the legislation along. >> have you done a cost assessment? >> it is not our intent to have an undue cost on the critical infrastructure of this country. it is our belief that the cost
11:52 am
of making sure you practice a base level, a common base level of cyber security should be a core competency within the nation's critical infrastructure. while we don't want an undue cost, we want a recognition that this is something that needs to be part of doing business. >> has there been an attempt to quantify that? >> i don't know, i would imagine just thinking about it that there will be many entities that already are at the right level but sadly, there are others that are not. we're only talking about infrastructure that if attacked would have a large impact on the economy and life and limb or national security. you're talking about a very narrow core part of the critical infrastructure.
11:53 am
the fact that they have to reach a base level is a fairly minimal requirement. >> one last question -- i am aware the chamber is not for this bill or the bankers' association. do you have a list of private companies that would have to comply with this that are in favor? >> there are a number of them and they have been in contact with the committee but we can get that for you. >> i appreciate that. >> thank you. we appreciate your testimony very much. if we define the group of owner/operators in our country better ultimately regulated that can be forced to meet the standards narrowly, to include only those sectors which if they were attacked, would have
11:54 am
devastating consequences on our society. you are right. it will be a fraction of what it would cost our society if there was a successful cyber attack. i go back to the national 9/11 question. after that, we could not do enough to protect ourselves from another 9/11. we have the opportunity here to do something pre-emptive and at much less cost to our society overall. >> that's right, mr. chairman. it is our responsibility to be proactive and not just reactive. we know enough now to chart a way ahead and the bill does that. >> i agree. if there is a separate second
11:55 am
don't legislate or create a system for protection of american cyberspace, we will all be rushing around frantically to throw money at the problem. it will be after a lot of suffering. we have a real opportunity to work together. nobody is saying this bill is perfect but it is a darn good. you have been very helpful today and look forward to working with you. senator collins? >> i too, want to thank the secretary for her excellent testimony and its technical assistance of the department. for the record, i would like to submit what is a very clear statement from the chairman of the joint chiefs of staff at a hearing before the armed services committee earlier this week. general dempsey said that i want
11:56 am
to mention for the record that we strongly support the lieberman-collins-rockefeller legislation dealing with cyber security. the secretary's comments in response to the question as to where the department stands where she said wholeheartedly is exactly right. the department testified to that effect and i would submit that to the record. >> without objection, thank you. have a good rest of the day. we will call the rest of the panel and i know secretary ridge is next. we had hoped secretary ridge -- then the hon. stewart baker and dr. james lewis and scott charney.
11:57 am
>> gentlemen, thank you for your willingness to be here. to testify and for your patience. it got pretty interesting at times during the hearing didn't it? secretary ridge, i don't think we will be going to the common man together tonight. that is another story. [laughter] thanks very much for being here and we will hear your testimony and we will understand if you have to go. i know you have another engagement and you're already late. please proceed -- >> i thank you very much. it is a pleasure to be back before the committee. my 12 years in the congress of united states, i enjoyed being on that side of the table rather
11:58 am
than this. every time i appeared before the committee, i hope i have been able to contribute i hope the fact that we agree in part and disagree in part today does not preclude another invitation another time. i testified today on behalf of the u.s. chamber of commerce which is the world's largest business federation representing the interests of more than 3 million businesses and organizations of every size and sector in every region of this country. for the past year or so, i have chaired the chambers national security task force which is responsible for the development and implementation of the chamber's homeland and national security policies. it is consistent with the president's concern, this committee's concern and concern on both sides of the aisle. cyber security has been at the top of the list. we met with dozens and dozens of
11:59 am
private sector companies and the vice presidents for security at bricks and mortar organizations. it is in my capacity as chairman but also with a perspective regarding social security and ways we can secure america's future. at the very outset, senator lieberman and senator collins one of the mindsets that i want to share with you is that you need to add the chamber of commerce to the core of the people sounding the alarm. they get it. why do they get it? because the infrastructure that we are worried about that protect america's national interest and supports the federal government, the state
12:00 pm
and local governments is the infrastructure that they operate. in addition to being concerned about the impact of cyber invasion and incursion federal government, they also have 300 million consumers they have to deal with. >> we are leaving the hearing to bring you gavel-to-gavel coverage of the house. the speaker pro tempore: the house will be in order. the chair lays before the house a communication from the speaker. the clerk: the speaker's rooms, washington, d.c. february 21 2012. i hereby appoint the honorable andy harris to act as speaker pro tempore on this day. signed john a. boehner, speaker of the house of representatives. the speaker pro tempore: the prayer will be offered by the guest chaplain, reverend dr.
12:01 pm
lisa lassiter wayloo, the capitol hill united methodist church, washington, d.c. the chaplain: let us pray. god of perfect power and endless love within these walls decisions are made that influence the whole world. but it is within the human heart that you do some of your very best work. so open each heart here to you, tune each set of ears to hear your still small voice within. open each pair of eyes to see you in one another. and especially in those with whom we disagree. protect each soul from predictable and unexpected temptation. and excite each mind to the vastness of your great possibility. so that our work here today
12:02 pm
will reflect the breadth of your love for each child we represent from our own districts and each individual around the globe without any representation. we ask these things with abundant gratitude for the awesome opportunity to be used as instruments of your healing and hope. amen. and amen. the speaker pro tempore: the chair has examined the journal of the last day's proceedings and announces to the house his approval thereof. pursuant to clause 1 of rule 1, the journal stands approved. the chair will lead the house in the pledge of allegiance. i pledge allegiance to the flag of the united states of america and to the republic for which it stands, one nation under god, indivisible, with liberty and justice for all. without objection, the house
12:03 pm
stands adjourned until 10:00 a.m. on friday, now we are going to take you back to the homeland security committee meeting focusing on cybersecurity issues. >> at the end of the day ccp there is no need for that. we have a process in place. people have been working together for 10 years to develop the infrastructure. you have cybersecurity experts in these selected agencies. not only do you take a definition that appears to have no walls ceilings, floors, it appears to be redundant. somebody used the word requirements.
12:04 pm
one of the great concerns we have is requirements, prescriptions. mandates are regulations. frankly, the attackers and technology moves a lot faster than any regulatory body or political body will ever be able to move. in my judgment, the chamber agrees the sections in here with regard to the international component, public awareness component, fisma and hopefully if you are trying to deal with this as quickly as possible with more robust information-sharing proposal marrying it with the house, and then you will have bipartisan agreement. i appreciate and ask that my full statement be included as part of the record. >> thank you, mr. secretary.
12:05 pm
we will include your statement in the record in full. can you stay? >> i am prepared to stay for q&a. >> do you want to have a few questions now and then have you go? >> i would appreciate that. >> i will yield to senator collins. >> first, secretary ridge as you know, i have the greatest respect and affection for you personally, and the greatest respect for the chamber of commerce, which is why i am disappointed we do not see this issue in the same way. i would also note a certain
12:06 pm
irony, since the chamber itself was under cyber attack by a group of sophisticated chinese hackers for some six months during which time, they had access to apparently everything in the chamber's system, and the chamber was not even aware of the attack until the fbi alerted the chamber in may 2010. so there is a little bit of irony, but i assure you under our bill, the chamber is not considered critical infrastructure. >> you raise an interesting point. [laughter] if it is not critical infrastructure, information regarding america why in the world did the fbi delay informing an organization that
12:07 pm
represents the economic infrastructure of america? somebody ought to ask that question. i have heard cases of people in the private sector people reporting incidences about the federal government and they said, we knew. what do you mean we knew? >> we have robust information-sharing provisions in the bill that would cure that very problem. but the fact is, in drafting this latest version of the bill we have taken to heart many of the concerns raised by the chamber. just to clarify where the chamber is on this issue i do want to ask your opinion on some of the changes we have made in direct response to the chamber's concerns.
12:08 pm
for example entities regulated by existing regulations would be eligible for waivers. entities able to prove they are sufficiently secure would be exempted from most of the requirements under this bill. the bill would require the use of existing cyber security requirements and current regulations. does the chamber support those changes incorporated in response to the chamber's concerns? >> i think you have incorporated several changes, senator collins. i believe that is one of them. i think it also goes to the point, however, some of that oversight is being done within the existing process and protocol.
12:09 pm
with the potential changes in information sharing, it is a system that will work. one of the questions i had when i was listening to the chorus of people that supported the bill, wondering if the secretary of defense believes that with the defense industrial base, the cyber model of information sharing announced by the department of defense in 2011, or whether they would prefer to be regulated? the point i want to be strong about is, you have heard some of the concerns, and we are grateful for that. >> that is my point. we have bent over backwards frankly, listening to legitimate concerns without weakening the bill to the point where it can no longer accomplish the goal. another important provision of the bill. the owners of critical
12:10 pm
infrastructure, not the government, not dhs, would select and implement the cybersecurity measures that they determined are best suited to satisfy the risk-based performance requirements. does the chamber support having the owners of the infrastructure decide, rather than government mandating specific measures? >> as i recall and interpret your legislation the chamber embraces the notion that the sector select agencies who have the sector coordinating councils have been working on identifying critical infrastructure and sharing the kind of information that we think is necessary to not immunize us completely. technology and hacking procedures will change.
12:11 pm
in fact, it is in everyone's interest particularly the owner, to move as quickly as possible. the logic that has been applied to leaving cisco microsoft to others to respond to the risk, would seem logical to apply to everyone else in the economy as well who does not want to be burdened by a series of regulations or prescriptive requirements. >> since the private-sector under our bill, is specifically involved in creating the standards, i do not see how that creates burdensome standards. since the secretary has to choose from the standards that the private sector develops again, another change that we strengthened in our bill. another question i would have for you. i would assume the chamber
12:12 pm
supports the liability protections included in this bill, so that if a company abides by the performance standards the company is immune from punitive damages? >> i presume they do. if i was the chamber, i would encourage them to embrace it wholeheartedly. >> my point is, there are many, many provisions in this bill that we changed in direct response to input from the chamber. i would like the chamber to acknowledge that. there is one final point that i would make. when you were talking about ceo's invested in cybersecurity because of the impact on their customers and clients so it is
12:13 pm
in their own self interest -- i cannot tell you how many cio's chief information officers, with whom i have talked who told me, if only i could get the attention of the ceo on cybersecurity. we are not investing enough, we are not protecting our systems enough, and it is not a priority for the ceo. i would suggest to you to talk to some cio's because i think you would get a different picture. >> i appreciate that, senator collins. i am familiar with quite a few at major companies in america what they're doing with regard to cybersecurity. my experience is 180 from yours. i do not imagine many
12:14 pm
organizations that would not like more money to manage the risk. i will take your word that there are some ceo's that feel that strongly and have reflected that to you. at the end of the day you have made valuable contribution, you have listened to the chamber but we will disrespectfully disagree. you are going down the path of what we are concerned about -- prescriptive regiments. i know the legislation talked about a light touch but it can turn into a stranglehold if it goes too far down the process. if you look at the chemical anti-terrorism standards, what was a light touch became a standard. members of congress have said that is not enough and we need specific technology and regulations in order to vet the people that work. it is a slippery slope but i appreciate you giving me the
12:15 pm
chance to articulate that before the committee. >> thank you. i have no further questions. secretary, we are glad to liberate you to catch the next plane. >> my great pleasure. as i said, i am happy to share my thoughts with the committee. senator carper, best wishes to you, sir. >> our next witness is the former general counsel for the nsa from 1992 to 1994 assistant secretary at dhs. thanks for being here. we welcome your testimony now. >> it it is a great pleasure. thank you, chairman lieberman ranking members. it is a nostalgic moment to come
12:16 pm
back here and i want to congratulate you on your achievement in moving this bill in a comprehensive form as far as it has gone. a very valuable contribution to our security. i just have two points. before that, i thought i would address the stop online piracy analogy. this is the sopa and the internet will rise up to strike it down. if i can channel senator bentsen for a minute. i fought sopa, but this bill is no sopa. as a nation, as a legislature our first obligation is to protect the security of this country. sopa would have made us less secure to serve the interests of hollywood. this bill will make us more secure, and that is why i support it.
12:17 pm
two points on why i believe that. we know today the most sophisticated security companies in the country have been unable to protect their most important secrets. this shows us how deep the security problem runs. we also know from a direct experience -- i saw at dhs have seen emerge since that -- once you penetrate the network you can break it in ways that leave permanent damage. you can break industrial control systems on which refineries, pipelines, the power grid, water, sewage all depend. we have had analogies to september 11. if you want to know what it would be like to live through an event where someone launches an attack like this, the best analogy is new orleans the day after katrina hits.
12:18 pm
you would have no power, no communications, but you also would not have had the warning or evacuation, and you would not have the national guard in some safe place ready to relieve the suffering. it could indeed be a real disaster, and we have to do something to protect against that possibility. that is not something the private sector can do on its own. they are not built to stand up to the militaries of half a dozen countries. that is why it is important for there to be a government role. i do think this role, in contrast of the views of the chamber -- i think you have gone a bit too far in accommodating them. here is one point of concern. i support the idea there should be a set of performance requirements driven by the private sector, implemented by the private sector, with private sector flexibility to meet them as they wish.
12:19 pm
but the process of getting to that, and then getting enforcement, is time consuming. it could take eight years, 10 years if there is resistance from industry or a particular sector. and it may be worth it to take time to get standards that really are something that the private sector buys into and is willing to live with. but we have to recognize in the next 10 years, we could have an attack, an incident, serious trouble or a threat that requires that we move faster than that statutory framework within just. so i would suggest if there is one change i would make, put in a provision that says, in an emergency where there is an immediate threat to life and limb, the secretary has the ability to compress the time frames and move quickly from stage to stage. if we only have one week to get the grid protected, she is in a position to tell power
12:20 pm
companies, bring your best practices because by friday, you will have to start implementing them because we know there is an attack coming this week. that is something we need to be able to do and have the flexibility to do. thank you. >> very helpful. thank you. dr. jim lewis, thank you for being here. director and senior fellow of technology and public policy program at the center for strategic and international studies. dr. lewis was also the director of the csis commission on cybersecurity which began its work in 2008. >> thank you, senators, for the opportunity to testify. when we hear getting incentives right and letting the private sector lead, sharing more information will secure the nation remember, we have spent the last 15 years repeatedly
12:21 pm
proving this does not work. from an attacker's perspective america is a big target. some people say the threat is exaggerated. you have talked about the parallels with september 11. in some ways, we are on tap to repeat that error, if we do not take action in the near term. the threat is real and growing. military intelligence services with advanced cyber capabilities can penetrate any corporate network with ease. cyber criminals and government-sponsored hackers routinely penetrate corporate networks. and new attackers are steadily increasing their skills. the intersection of greatest risk and weakest authority is critical infrastructure. national security requires holding critical infrastructure to a higher standard than the market will produce. this bill has many useful sections on education, research,
12:22 pm
securing government networks, international cooperation, and they all deserve support but the main event is regulating critical infrastructure for better regulating cybersecurity. everything else is an ornament. low hanging fruit will not make us safer. one way to think about this is, if you took the section on critical infrastructure regulation out of the bill, it would be like a car without an engine. there are all sorts of objections to moving ahead. innovation could be damaged. but well-designed regulation will increase innovation. companies will innovate to make things safer for progress. we have seen this with federal regulation with cars, planes, even as far back as steamboats. everyone agrees we want to avoid burdensome regulation and focus new authorities on critical systems. the bill as drafted takes a
12:23 pm
minimalist approach to regulation based on commercial practices. i appreciate the effort that has gone into that. many in congress recognize the need for legislation, and this committee, the senate, others in the house, deserve our thanks for taking up this task. but the battle has shifted. people will try to dilute legislation, put forward slogans instead of solutions and they will write in loopholes. the goal is to strengthen. two problems need attention. the first is the threshold for controlling critical infrastructure. cyber attacks are likely to be targeted and precise. they probably will not cause mass casualties or catastrophic disruption. if we set the threshold too high, it is telling our attackers what they should hit so we need to carefully limit the scope of this regulation, but i fear we may have gone a bit too far.
12:24 pm
the second is the carve out for commercial information technology. it makes sense industry does not want government telling them how to make their products. that is reasonable. but a blanket exemption on services, maintenance, installation, and repair would undo the central work started by the bush administration, and second, leave america open for a stuxnet-like attack. these provisions of the bill should be removed. in particular, paragraph a and b of 104. and the important legislation there is a delicate balance between protecting the nation and minimizing the burdens on our economy. this bill, with some strengthening, i think can achieve that balance and thus serve the national interest. the alternative is to wait for the inevitable attack. my model for 2012 is braced for
12:25 pm
the impact. happy to take any questions. >> thank you, dr. lewis. your voice is an important one to listen to. our last witness today is a corporate vice president, trustworthy computing group. that is a good job at the microsoft corporation. >> thank you. thank you for the opportunity to appear at this important hearing on cybersecurity. in addition to my role as corporate vice president for trustworthy computing i serve on the president's telecommunication advisory committee and was part of the csis commission. microsoft has a long history of focusing on cybersecurity. in 2002 bill gates launched the trustworthy computing initiative. as we celebrate the 10th year anniversary of that, we are proud to celebrate our progress
12:26 pm
but conscious of the work we have to do. while companies are providing better security, the world is increasingly reliant on cyber-based systems. and those attacking such systems have increased in number and sophistication. cyber attacks represent one of the more complex threats facing our nation. with that in mind, i want to thank the members of this committee and senate for their commitment to addressing cybersecurity. we appreciate your leadership in developing the legislation that was introduced earlier this week. over the past few years, you have helped to focus national attention on this problem, offering proposals and conducting open and transparent process to look at the interests of private sector stakeholders. microsoft believes the current legislative proposal provides an appropriate framework to improve the security of government and critical infrastructure systems and establishes an appropriate security baseline to address current threats.
12:27 pm
furthermore, the framework is flexible enough to permit future improvements to security and important points of security threats involving over time. while the internet has created unprecedented opportunities for social and commercial interaction, it has also created unprecedented opportunities on those -- for those bent on attacking security i.t. systems. it is important legislative efforts designed to improve cybersecurity meet requirements. first, legislation must embrace sound management principles and recognize the private sector is best positioned to protect private sector assets. second, legislation must affect information sharing among members. third, any legislation must take into account the realities of today's global i.t. environment. i will discuss each of these in turn. first, sound risk management principles must be directed where the risk is greatest and
12:28 pm
that those responsible for protecting systems have the flexibility to respond to ever-changing threats. to ensure this happens it is important that the definition of critical infrastructure be scoped appropriately and that the owner of an i.t. system ultimately is responsible for developing and implementing security measures. we believe the current legislation, which allows the government to define outcomes, but allows the private sector owner of a critical system or asset to select and implement particular measures, is the right framework. second, successful risk management depends on information sharing. for too long, people have cited information sharing as a goal, when, in fact, it is a tool. the goal should be to share the right information with the right parties. parties that are prepared to take meaningful action. we appreciate this legislation attempts to remove barriers to information sharing by of the - certain disclosures and
12:29 pm
protecting the information shared. finally, as a global business, we are very cognizant of the fact that countries around the world are grappling with similar cybersecurity challenges and implementing their own cybersecurity strategies. we believe actions taken by the united states government may have ramifications beyond our borders and it is important that the united states leads by example, adopting policies that are technology neutral and do not stifle innovation. it must also develop cyber norms with discussions with other governments. unlike traditional efforts where government to government discussions may suffice to achieve desired outcome, it must be remembered the private sector is designing, deploying, and maintaining most of our infrastructure. as such, we need to ensure the owners, operators, and vendors that make the cyberspace possible are part of any discussions. i would note, security remains a journey, not a destination.
12:30 pm
in leaving our -- in leading our security over the years, i have seen microsoft's strategies. technologies advance threats change but defenders grow wiser and more agile. the committee's legislation which focuses on outcomes, represents an important step forward. microsoft is committed to working with congress and the administration to insure this legislation meets these important objectives while minimizing unintended consequences. thank you for the leadership you have shown in developing this legislation under consideration today and for the opportunity to testify. >> thank you, mr. charney. let me ask all three of you a question. as you can hear from some of the testimony, and some of the questions from committee members, there is a question
12:31 pm
still about whether regulation is necessary whether -- i am using a pejorative term -- whether government involvement is necessary here. at its purest, the argument is, obviously, the private sector, which owns and operates infrastructure has its own set of incentives to protect itself. why do we need the government to be involved? >> it seems to me, fundamentally, the private sector and the company has an incentive to spend about as much on security as is necessary to protect their revenue streams prevent crime and the like. it is much less likely that they will spend the money to protect against disaster that may fall on someone else, on their customers.
12:32 pm
so there are certain kinds of harms, especially if you are in a business where it is hard for people to steal money but it is easy to change a code which could be disastrous, and to view that as something you would not get a higher payment for when you sell your product, and therefore, not something you want to spend a lot of money on. it seems there are a lot of externalities here that require the government to be involved, in addition to the problem of -- if you are baltimore gas and electric, you do not know how to deal with an attack launched by the russians. >> sometimes i call the mandatory standards. i wanted to say regulation this time, because we have to put it on the table. the first time we thought about protecting critical infrastructure was 1998.
12:33 pm
tell them about the threat, share information, and they would do the right thing. as you have heard the return on investment is such that companies will spend up to a certain level. it is not even clear that all of them do that by the way but they will not spend enough to protect the nation. so we are stuck with the classic case of public good, national defence. if we do not regulate, we will fail. >> you've made a statement in your opening remarks -- i will paraphrase. a hostile party, a nation state, whatever, intelligence agency could penetrate any -- any company, at entity in the cyberspace if they wanted? did i hear you right?
12:34 pm
>> you did. the full answer is complicated and i am happy to submit it to you in writing. but when you consider the multitude of tactics that one can use including tapping phone lines, hiring employees, these are hard to stop. the assumption that is the safest to make from a defense point of view is that all members have been compromised. >> mr charney? >> i think market forces are doing a good job of providing security. the challenge is, market forces are not designed to respond to national security threats. so you really have to think about, what will the market give us what has national security required, and how do you fill the delta between those gaps? secondly looking at regulating
12:35 pm
critical infrastructure, in my 10 years at microsoft, as we struggle with cybersecurity strategies we live in one of three states of play. sometimes we do not know what to do and you have to figure out a strategy. sometimes, you do not know what to do and you were not executed well. sometimes, we know what to do and we execute well, but we did not do it at scale. there are some companies that do a good job of protecting critical infrastructure today but the question is whether we're doing it at a scale to manage the risk the country faces. i do not think we are today and that is why the csis commission and my testimony, we are supportive of the framework that has been articulated in the legislation. >> assuming the statistics are close to accurate about the frequency of the exploitation,
12:36 pm
intrusion into the cyberspace, then it is self evident there is not enough being done to protect from that. dr. lewis, you offered a friendly criticism of the bill before, which is our definition of covered critical infrastructure is too high. we are limited in -- we are limiting it too much. give me an idea of how you would draft legislation. >> we are talking about simple amendments to the language. i would look at some of the threshold you have put in -- mass casualties. what is a mass casualty event? for those of us coming out of the cold war, that was a high threshold. economic disruption. it is not clear to me that
12:37 pm
katrina, for example, would be caught by that definition. i think it is more an issue of clarifying. the smaller attacks the we are more likely to see in the future need to be caught. we are not just looking for the big bang. >> thank you. my time is up. senator carper. >> thank you, mr. chairman. i applaud you. i also want to thank you and the administration for incorporating my suggestions to the cyber provisions of the bill.
12:38 pm
it employees of the department of homeland security are on the front lines of conquering the cyber threat. we must make sure that the department has the appropriate tools to attract and retain the work force it needs to meet these complex challenges. stakeholders have raised concerns about the privacy and civil liberties implications of certain provisions of this bill. i want to commend the bill's authors for making progress in addressing these concerns. it is important for the final product to adequately protect americans' reasonable expectations of privacy, and i will continue to closely monitor this issue. fbi director robert mueller's recent statements about cyber attacks will equal or even
12:39 pm
surpass the danger of terrorism in the foreseeable future. it is a stark reminder that strengthening cybersecurity must be a key priority for this congress. cyber criminals and terrorists are targeting our critical infrastructure including our electricity grids, financial markets, transportation networks as has been mentioned by the panelists. american businesses face constant cyber attacks against their intellectual property and trade secrets. however, cyber security policy has been slow to these ever increasingly sophisticated threats. this would give the tools
12:40 pm
necessary to respond to these threats. finally, this legislation is a pressing priority for this congress and i look forward to working with you on this. my question is to the panel. as you know, the bill contains new authorities to bolster the cybersecurity work force. it also has provisions to educate and train the next generation of federal cybersecurity professionals. i would like to hear your views on the challenges of recruiting and retaining cybersecurity professionals. the provisions in this bill, any other recommendations you may have to address these work-force challenges?
12:41 pm
>> [inaudible] it is very challenging to find well-trained cybersecurity professionals, even in the private-sector. this technology has proliferated far faster than educational institutions could educate people to manage i.t. security and manage the security. as a result, microsoft is committing considerable resources, supporting programs like stem education elevate america, where we provided vouchers for entry level and more advanced computer basic skills. but it is a big challenge. if it is a big challenge for the private sector, you can imagine it will be a large challenge for the public sector as they do not have the same pay scale that i
12:42 pm
have available to me. so this is a big challenge both in education and proficiency of the work force. the csis commission issued a report on the challenges of getting an educated cyber work force. >> indeed, dhs has had particular difficulties in attracting people and working through their personnel hiring procedures. anything that makes that smoother and more responsive to the market is useful. finally, most importantly for every student that is watching this wondering what to do when he graduates from college these jobs are waiting for you. you owe it to your country and yourself to pursue these opportunities. >> two years ago we had an event on the hill on education
12:43 pm
for cybersecurity. i was kicking myself because i thought, nobody is going to be here on july 29. i told them to cut back on the food. we had standing room only. people love this topic, but there are a couple of issues to think about. on the government side, we need a clearer career path for people to be promoted. on the private sector side, the education that we get right now needs to be refined and focused. a degree in computer science may not give you the skills. in fact, it probably will not give you the skills for cybersecurity. some of the provisions in the bill tap into this real enthusiasm among teenagers, college students, to get into this new field. i think this is one of the stronger parts. the education piece is important but it will not protect us in the next few
12:44 pm
years, which is why we need to other parts of the bill as well. >> thank you. my time has expired. >> thank you for the contribution you have made to the bill, as indicated by your questioning on the cyber work force. senator collins. >> thank you. the hour is late, but i just want to thank our witnesses for their excellent testimony. hearing some of our witnesses on some -- on this panel raise a legitimate questions about whether we have gone too far in trying to accommodate concerns raised by the chamber and other groups makes me think that maybe we have gotten it just right. since the chamber is still not happy and you believe we have gone too far. in all seriousness, your expertise has been extremely helpful, as has the input we have had from microsoft the
12:45 pm
chamber, from the tech industry, experts, academics. we really have consulted very widely. it has been very helpful to us as we try to strike the right balance. this is an enormously important but complicated, complex issue for us to tackle. but tackled it we must. that is something, i believe unites all the witnesses from whom we have heard from today. whether we consider this to be a response to a 9/11 attacks, were katrina, i just do not want us to be here after a major cyber incident saying, if only. how could we have and not -- ignored all of these warnings,
12:46 pm
commissions, all of these studies? i cannot think of another area in homeland security where the threat is greater and we have done less. there is a huge gap. whether we got it exactly right on chemical plant security or port security report security, or fema reforms -- port security, or fema reforms we have at least acted in those areas. we have made a difference. in the intelligence reform, i think we made a big difference. hear, we have a bomber ability of threats -- here we have able ability of the threats that is occurring every day. yet, we have seen from the comments of our colleagues, this will be a very difficult job to
12:47 pm
get this bill through. i am confident we can do it, however, and, in the end, we will succeed. finally, i do want to say to our colleagues who are listening, to those in the audience, we need your help. if you have other good ideas for us, by all means, bring them forward. help us get the best possible bill. but for anyone to stand in the way and cause us to fail to act at all to pass legislation this year, i think, would be a tragic -- travesty. it would be a disaster waiting to happen for our country. so, mr. chairman, i just want to encourage you to press forward. i will be at your side, your partner, along the way.
12:48 pm
>> and we will do it again. thank you. that meant a lot to me and is characteristic of your independence of spirit and commitment to do what you think is right for our national security. we're going to press forward. the majority leader, senator reid, i am confident will push forward, too. he got briefings on this problem of cybersecurity last year and it really troubled him. he feels there is a clear and present danger to our national security and economic prosperity from cyber attack. that is why he has devoted a lot of time trying to get as to this point where we can have at least a foundation of consensus bill and why i'm confident he will push, bring this to the floor with the authority he has
12:49 pm
as majority leader. i am optimistic that it will be within the next work period, which is among the come back at the end of february and into march. the three of you have added immensely to our work here. i do want to continue to work. senator collins has given us such a wonderful ending point but as we take the bill to the floor, i want to invite you -- particularly, mr. baker, dr. lewis, who have expressed concerns about the so-called carve out. people in the administration still think with the money we have left, the language will allow the government to develop performance standards that will require owners of systems to protect those systems even if
12:50 pm
they might include some commercial products. i am not resting on what we have got, so i invite you to submit -- we hear your concerns and we invite you to submit thoughts to us on how to do it better. we promise we will consider those concerns. any last words from any of the three of you? thank you for everything you have contributed. it is true, we get very stubborn when we think something is right and necessary. so we are going to plow forward. the record of the hearing will be held open for 10 days for any additional questions or statements for the record. thank you again. the hearing is adjourned. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2012]
12:51 pm
>> senate democratic leader harry reid said last week he may recommend president obama make more recess appointments. at 1:30 eastern, c-span2 will have live coverage as legal experts discuss the president's actions. republican leaders say congress was meeting every three days and not in an official recess. presidential candidates are back on the campaign trail after the presidents' day weekend. we will have coverage of rick santorum in arizona. our coverage begins at 2:00 eastern.
12:52 pm
tonight, a look at u.s. power in the 21st century. saxby chambliss and bob corker joined white house advisers at the world economic forum. >> it is our cause to dispel -- in a delusion that a world of conflict will somehow resolve itself into a world of harmony. if we just do not rock the boat or irritate the forces of aggression, and this is hogwash. >> as candidates campaign for president this year, we look back at 14 men who ran for the office and lost. go to our website, c-span.org/thecontenders to see individuals that had a lasting impact on
12:53 pm
politics. >> this is the time to turn away from excessive preoccupation of overseas to the rebuilding of our own nation. america must be restored to her proper role in the world, but we can do that only through the recovery of confidence in ourselves. >> c-span.org/thecontenders. >> earlier this week, president obama's budget director peter orszag gave comments on the future of the u.s. economy at the executives club of chicago. he serves as head of global banking for citigroup and talks about the economic downturn. this is about an hour. >> you are people that matter very much to the financial times. thank you for having me. it is my great honor today to introduce peter orszag, the man who president barack obama
12:54 pm
called his propeller head. propeller heads i have always thought of as a funny complement. i am sure you will agree with me that it is not an aspersion on his good looks. instead, it all makes sense when you realize the propeller is inside his agile and compendious frame and spins around fast. this is a man who matched equations with larry summers in the white house. he has the resume and economic advisers, founder of the fantastic hamilton project now by chairman of global banking at citigroup. but that misses is the ambition
12:55 pm
and coakley brought to all of those jobs. that he brought to all of those jobs. he is one of the nation's leading experts on the budget and one of the leading experts on the microeconomics of health care. if you want to know how to bend the cost curve on your rising health insurance costs, he is the man to talk to. peter is a self-confessed geek. his public life is not something you can say about many geeks. many economists will bludgeon you with theories and numbers. when i read peter's columns they connect the dots to a pattern that i realize i should have known was there but i did not see it until he showed it to me. please welcome me in the -- help me in welcoming peter orszag. [applause] >> thank you, robin. thank you for joining us this
12:56 pm
afternoon, i am delighted to be here with you. i would like to talk to you about a few overarching things that are affecting the u.s. economy. i hope to use an empirical basis to connect some dots. even when i tried to be empirical, the world does not always turn out as i expect. the most compelling effect of that is after having been confirmed in record time as the director of office and management and budget, assembling top advisers to join me, i almost set the white house on fire since the war of 1812 -- on fire for the first time since the war of 1812. imagine this, it is a labyrinth and quite drafty. i was working the first weekend in office. it was cold and no way to adjust the thermostat.
12:57 pm
so i noticed there was, in the sellout barrette office, a fireplace in which there was a fire screen at the next to it were some fire tools. and next to that, some logs. that suggested an operational fireplace. [laughter] being empirical, i decided to test the proposition. i made sure that the smoke would go up the chimney, the experiment worked perfectly. i moved the logs into the fireplace and i thought life was looking grand. the room is warming up nicely, five minutes and, i am getting work done. the fire alarm goes off. the secret service is clear in the hallways and somewhat was surprised someone was telling a four letter word and it did not
12:58 pm
come from rahm emanuel. [laughter] i tried to tell them that there was a fire burning in my fireplace. they say, don't worry about it, please evacuate. there is an electrical fire on the fifth floor. the to the coffee shop across the street. the secret service came to collect me because i was the culprit. about five years earlier unbeknownst to the first secret service agent, another part had capped the chimney as a security precaution. once it got to the top, and had nowhere to go except into a fifth floor conference room. my phone rings and i got a phone call from my mother that said, i am so proud of you, you are on television. [laughter]
12:59 pm
i say, they don't have the sound on, do they? hopefully what i am about to talk to you about doesn't have such dire consequences as evacuating an entire white house complex my first weekend in office. we are at a very rare moment in the u.s. economic history. it is extraordinarily rare for an underlying tectonic plate shift to be affecting the economy at the same time that you have an overlay of a financial crisis. the only time that has happened in the last century was during the great depression when the economy was evolving from agriculture to manufacturing. that was a tectonic plate shift, and we had an overlay of financial crisis. it is an extraordinarily rare occurrence and we are living through it right now. the underlying tectonic plate shift can be expressed in lots of different ways.