Floor Statements
|
|
|
Print this page |
FLOOR STATEMENT BY SENATOR JOHN McCAIN ON THE CYBERSECURITY ACT OF 2012
July 26, 2012
“Mr. President, I rise today to oppose the Cybersecurity Act of 2012 because it would do very little to improve our country’s national security. In fact, in its present form, I believe the bill before us would do more to harm our country’s economy and expand the size and influence of the federal government – specifically the Department of Homeland Security – than anything else.
“But before I begin my critique of the Cybersecurity Act, I would like to reaffirm my sincere respect for the lead sponsor of this bill – especially when it comes to matters of national security – even though I vehemently disagree with him in this instance. So, whatever criticisms I may have with the legislation, should not be interpreted as an attack on the lead sponsor himself, but rather on the process by which the bill being debated today arrived before us, and its public policy implications.
“Consider this for a moment, if we pass this bill in its present form, which I hope we will not, we will have handed over one of the most technologically complex aspects of our national security to an agency with an abysmal track record, the Department of Homeland Security (DHS). The problems at DHS are too numerous to list here today. But I think I speak for many when I question the logic of putting this agency in charge of sensitive national security matters. They can’t even screen airline passengers without constant controversy. And don’t forget – this is the same outfit in charge of the Chemical Facility Anti-Terrorism Standards program, or CFATs, which was described in a recent report as ‘at measurable risk,’ beset by deep-seated problems such as wasteful spending and a largely unqualified workforce that lacks ‘professionalism.’ I for one am not willing to take such a broad leap of faith, and entrust this complex area of our national security, and so many vibrant parts of our economy, to this ineffective, bloated government agency.
“The poor quality of the bill before us is a direct reflection of the lack of a thorough and transparent committee process. Had this bill been subjected to the proper process, my colleagues and I, and the American public, would have a much better understanding of the real implications of this undertaking. Unfortunately, this bill has not been the subject of one hearing, a single markup, or a whiff of regular legislative procedure. Our nation’s cybersecurity is critical and the issue is deserving of the regular order and the full attention and input of every member of this body. I urge the Majority Leader to allow a full, fair, and open amendment process if cloture is invoked on the motion to proceed.
“All of us should recognize the importance of cybersecurity. Time and again, we have heard from experts about the importance of maximizing our nation’s ability to effectively prevent and respond to cyber threats. We have all listened to accounts of cyber espionage originating from countries like China; organized criminals in Russia; and the depth of the threat from Iran in the aftermath of the Stuxnet leaks originating from the current Administration.
“Unfortunately, this bill would do little to minimize those threats or generally improve our current cybersecurity posture. The reason for this bill’s general inadequacy is that rather than using a liability protection framework to enter into cooperative relationships with the private sector – which happens to own 80 to 90 percent of the critical cyber infrastructure in this country – this bill chooses to take an adversarial approach with government mandates and inadequate liability protections. Further, this bill includes unnecessary items that our government cannot afford and makes no mention of what the additional programs will cost. For instance, I am sure some of us have fond childhood memories of going to or taking part in a talent show, but to include talent show provisions in this bill is ridiculous. Title four of this bill authorizes ninth to twelfth grade cyber talent shows and cyber summer programs for kindergartners to seniors in high school. Again – ridiculous – especially considering that the Majority Leader deemed this bill more important than the National Defense Authorization Act.
“While I have criticisms with every title of this bill, I will limit my comments today to title one, which regulates critical infrastructure, and title seven, which concerns information sharing among the government and the private sector. In my view, these titles, along with weighing how much this bill – which lacks a CBO score – will ultimately cost, and how it will dramatically increase the size of the federal government, are the most important aspects we can discuss.
“With respect to title one, the proponents of the Cybersecurity Act would have you believe this bill authorizes the private sector to generate their own standards, that those standards are voluntary, and that the bill establishes a ‘public-private partnership.’ Unfortunately, I disagree with each of those characterizations. As the bill is currently written, the government, and not the private sector, would have the final say on what standards look like, and the private sector would be forced to comply. And while my colleagues might suggest that section 103 states that the private sector proposes ‘voluntary’ cybersecurity practices to the government, I call your attention to the following provision in section 103 which states the government would then decide whether and how to ‘amend’ or ‘add’ to those cybersecurity practices. Additionally, there is no recourse for the private sector to challenge the government’s actions.
“Soon after the government’s take-over of the development of cybersecurity standards, any notion of the standards being ‘voluntary’ evaporates. Section 103 clearly states:
“‘A Federal agency with responsibilities for regulating the security of critical infrastructure may adopt the cybersecurity practices as mandatory requirements.’
“What is being portrayed as ‘voluntary’ proposals would soon become mandatory requirements. Unfortunately, the conversion from voluntary to mandatory does not stop there. Shockingly, under this bill, if an agency does not adopt mandatory cybersecurity practices – it must explain why they chose not to do so. That’s right – under this bill, if a regulatory agency chooses not to mandate the ‘voluntary’ practices it must explain itself – as if it must be doing something contrary to the final objective. If this provision does not reveal the true regulatory intent of the proponents of this bill, nothing does.
“Section 105 brings home this point by stating:
“‘Nothing in this title shall be construed to limit the ability of a Federal agency with responsibilities for regulating the security of critical infrastructure from requiring that the cybersecurity practices developed under section 103 be met.’
“All you have to do is read the bill. The regulatory result of these standards could not be clearer.
“Moving on to title seven, which deals with the flow of information between the government and the private sector, the current bill is a step in the wrong direction. Specifically, the bill would make us less safe, by failing to place the agencies with the most expertise and who are the most capable of protecting us on the same footing as other entities within the federal government. It strikes me as counterintuitive to prevent the institutions most capable of protecting the United States from a cyber-attack and leave us reliant on agencies with far less capabilities.
“Because this bill fails to equitably incentivize the voluntary sharing of information with all of the federal government’s cyber defense assets, it does a great disservice to our national security. In cyber war, where speed and reaction times are essential to success, real time responses are essential. The bill language states that information should be shared in ‘as close to real time as possible.’ That may sound nice, but it will not get the job done.
“We all agree that the threat we face in the cyber domain is among the most significant challenges of the 21st century. It is reckless and irresponsible to rebuild the very stovepipes and information sharing barriers that the 9/11 commission attributed as responsible for one of our greatest intelligence failures.
“Because of my strong opposition to this bill, and the lack of a regular legislative process, I have joined with Senators Chambliss, Hutchison, Grassley, Murkowski, Burr, Johnson from Wisconsin, and Coats in offering an alternative cybersecurity bill. The fundamental difference in our alternative approach, is that we aim to enter into a truly cooperative relationship with the entire private sector through voluntary information sharing, rather than an adversarial one with the threat of mandates. Our bill, which also addresses reforming how the government protects its own assets, sets penalties for cyber crimes and refocuses government research towards cybersecurity, provides a common-sense path forward to improve our nation’s cybersecurity defenses with no new spending. We believe that by improving information sharing among the private sector and government; updating our criminal code to reflect the threat cyber criminals pose; reforming the Federal Information Security Management Act; and focusing federal investments in cybersecurity; our nation will be better able to defend itself against cyber attacks. And even though we do not offer talent shows or summer camps in our bill, it has the support of the industries who are themselves under attack.
“Before I close, I would like to leave you all with a final point which gets to the heart of why we are having this debate today. In our country, unlike others countries around the globe, the private sector owns 80 to 90 percent of the critical cyber infrastructure. This is a fact in which we should all take great pride. After all, it speaks to the essence of American entrepreneurialism and our spirit of individualism. The companies that own these systems are large and small, they employ men and women everywhere, and their influence reaches every state, every congressional district, and just about every corner of our country. So while we all agree that we are involved in a serious national security discussion, we must not forget to thoughtfully weigh the economic realities of this debate, too. I caution all of my colleagues to tread very carefully here because I am deeply concerned that we are on the cusp of granting the federal government broad authorities and influence over one of the most vibrant and innovative sectors of our economy. The technology sector, and the use of the Internet by American companies to innovate and improve the customer experience, are deeply threatened by the heavy and too often clumsy hand of government. As we confront the security challenges of an innovating economy, we must be careful to not undermine the economy itself.”
###