Sheldon Whitehouse Senate Floor Speech on Cyber Security delivered 17 November 2010 Thank you. Mr. President, I come to the floor to speak about the legislation that will be required in order to bolster our Nation’s cyber defenses and to protect our Nation’s intellectual property from piracy and from theft. In the course of my work on the Intelligence and Judiciary Committees, it has become all too clear that our laws have not kept pace with the amazing technological developments we have seen, many information technologies over the past 15 or 20 years. Earlier this year, I had the privilege of chairing the Intelligence Committee’s bipartisan cyber task force, along with my distinguished colleagues, Senator Snowe and Senator Mikulski, who made vital contributions and were great teammates in that effort. We spent 6 months conducting a thorough review of the threat and the posture of the United States for countering it. Based on that review and my work on the Senate Judiciary Committee, I have identified six areas in which there are overarching problems with the current statutory framework for protecting our country. The first is a really basic one; that is, that current law does not adequately facilitate or encourage public awareness about cyber threats. The government keeps the damage we are sustaining from cyber attacks secret because it is classified. The private sector keeps the damage they are sustaining from cyber attacks secret so as not to look bad to customers, to regulators, and to investors. The net result of that is that the American public gets left in the dark. We do not even have a good public understanding of how extensive and sophisticated the cyber forces arrayed against America are. Between the efforts of foreign governments and international organized crime, we are a long way from the problem of hackers in the basement. It is a big operation that has been mounted against us, and I would like to be able to describe it more fully, but it is both unhelpfully and unnecessarily classified, and so I can’t even talk about that. Americans are sadly uninformed about the extent of the risk and the extent of the capacity that is being used against us. If Americans understood the threat and the vital role they themselves can play in protecting themselves and the country, I think we would all be more likely to engage in the cyber equivalent of routine maintenance. People would understand and they would support legislative changes which we need to protect our intellectual property and our national infrastructure. One of the principal findings of our cyber task force was that most cyber threats — literally the vast majority of cyber threats — can be countered readily if Americans simply allowed automatic updates to their computer software, ran up-to-date antivirus programs, and exercised reasonable vigilance when surfing the Web and opening e-mails. So we need far more reporting from the government and the private sector to let Americans know what is happening out there on the wild Web. Disclosures can be anonymized, where necessary, to safeguard national security or protect competitive business interests. But basic facts, putting Americans on notice of the extent of the present danger and harm, need to be disclosed. Second, we need, beyond just public information, to create a structure of rights and responsibilities where the public, consumers, technology companies, software manufacturers, and Internet service providers are all able to take appropriate roles for us to maintain those basic levels of cyber security. The notion that the Internet is an open highway with toll takers who have no responsibility for what comes down the highway, no responsibility no matter how menacing, no responsibility no matter how piratical, no responsibility no matter how dangerous can no longer be valid. We protect each other on our physical highways with basic rules of the road and we need a similar code for the information highway. Australia’s ISPs have negotiated a cyber security code of conduct, and ISPs in compliance with the code can display a trust mark. That is one idea worth exploring. But one way or the other, there needs to be a code of conduct for safe travel on the information highway just as there is on our geographic highways. Third, we need to better empower our private sector to defend itself. When an industry comes together against cyber attackers to circle the wagons, to share information, and to engage in a common defense against those cyber attackers, we should help and not hinder that private sector effort. Legal barriers to broader information sharing among private sector entities and between the private sector and government must be lowered. I believe we can encourage cyber security in this way — common defense within the private sector — without undermining other areas of public policy. But it is not going to be a simple task, and we will have to work our way through it because those other areas of public policy are serious areas–antitrust protection, the safeguarding of intellectual property, protecting legal privileges, liability concerns, and even national security concerns in those areas where the government may be asked to share classified information. Bear in mind that there are three levels of threat. As I have said, the vast majority of our cyber vulnerabilities can be cured by simple patches and off-the-shelf technology. That is the lowest level — just follow basic, simple procedures and we can rid ourselves of most of the attacking. The next is a more sophisticated set of threats that require the best efforts of the private sector to defend against. Those private sector efforts are becoming increasingly sophisticated and capable. As to those types of attacks, the private sector can handle them alone and particularly so if we have empowered the private sector, industry by industry, to engage in more effective common defense and information sharing. The most sophisticated threats and attacks, however, will require action by our government. The notion that we can leave our Nation’s cyber defense entirely to the private sector is no longer valid. This brings us to a fourth question — the increasingly important issue of cyber 911. When the CIO of a local bank or electric utility is overwhelmed by a cyber attack, whom do they call and under what terms does the government respond? Right now, the answers to those questions are dangerously vague. The Electronic Communications Privacy Act — or ECPA — is a vitally important statute. In 1986, 25 years ago, Chairman Patrick Leahy worked hard to establish statutory privacy protections in a domain where constitutional privacy protections were weak. It is an enduring legislative accomplishment and we must preserve its core principles. Since ECPA was enacted, however, the threat has dramatically changed. Imagine how technology has changed in 25 years. It is no longer true that private firms are capable of defending their networks from sophisticated thieves and spies on their own. As we found in the Cyber Task Force, there is now a subset of threats that cannot be countered without bringing to bear the U.S. Government’s unique authorities and capabilities. There always needs to be strong privacy protections for Americans against the government. But we do let firemen into our house when it is on fire and the police can come into our house when there is a burglar. A similar principle should apply to criminals and cyber attacks when private capabilities are overwhelmed. There is one more step, and here is where it gets a little bit more tricky. You call 9-1-1 and the police or the ambulance rushes right over. But in cyber security, by the time you call cyber 9-1-1, it may be too late. Attacks in cyberspace happen at light speed, as fast as electrons flow. Not all the risks and harms that imperil Americans can be averted by action after the fact. Some attacks are actually already there, in our networks, lying in wait for the signal to activate. We as a country are naked and vulnerable to some forms of attack if we have not pre-deployed our defenses. Because the viruses and cyber attack nodes can travel in the text portion of messages, we have to sort out a difficult question: whether, and if so how and when, the government can scan for dangerous viruses and attack signals. In medieval times, communities protected their core infrastructure from raiders by locating the well, the granary, and the treasury inside castle walls. Not everything needs the same level of protection in cyberspace, but we need to sort out what does need that kind of protection, what the castle walls should look like, who gets allowed to reside inside the walls, and what the rules are. That leads to the question of a dot-secure domain. I have mentioned this before, but I would like to highlight it as an option for improving cyber security, particularly of the critical infrastructure of our country. Recently, General Alexander, Director of the NSA and commander of U.S. Cyber Command, has echoed this as a possibility. His predecessor at NSA, and a former Director of National Intelligence, Admiral McConnell, is also an advocate of such a domain for critical infrastructure. This doesn’t have to be complicated or even mandatory. The most important value of a dot-secure domain is that, like dot-gov and dot-mil, now we can satisfy consent under the fourth amendment search requirements for the government’s defenses to do their work within that domain, their work of screening for attack signals, botnets, and viruses. Critical infrastructure sites could bid for permission to protect themselves with the dot-secure domain label and be allowed in if they could show that lives and safety for Americans would be protected by allowing them entry. Obviously, core elements of our electric grid, of our financial, transportation, and communications infrastructure would be obvious candidates. But we simply cannot leave that core infrastructure on which the life and death of Americans depends without better security. Fifth, we must significantly strengthen law enforcement against cyber crooks. There is simply no better deterrent against cyber crime than a prospect of a long stretch in prison. We need to put more cyber crooks behind bars. It is not for want of ingenuity and commitment by our professionals that there are not more cyber crooks behind bars. During my work on the Cyber Task Force, I received a number of briefings and intelligence reports on cyber crime. The FBI and the Department of Justice have some real success stories under their belts, such as the arrests of the alleged perpetrators behind the Mariposa botnet this summer, and our agencies are beginning to work together better and better over the lines of turf defense that separate them. The problem is, the criminals are also ingenious and they are greedy and they are successful and they are astoundingly well funded. Again, we are not talking about hackers in the basement. We are talking about substantial criminal enterprise with enormous sums of money at their disposal and at stake. Many enterprises appear to work hand-in-hand with foreign governments, which puts even greater assets for attack at their disposal. They have a big advantage. The architecture of the Internet favors offense over defense. Technologically, it is generally easier for savvy criminals to attack a network and to hide their trail than it is for savvy defenders to block an attack and trace it back to the criminals. We are not on a level playing field against cyber criminals. That is the problem not easily overcome. What we can overcome, however, are the gaps, the weaknesses, the outdated strategies, and the inadequate resources in our own legal investigative processes. One example: the most dangerous cyber criminals are usually located overseas. To identify, investigate, and ultimately prosecute those criminals under traditional law enforcement authorities, we have to rely on complex and cumbersome international processes and treaties established decades ago that are far too slow for the modern cyber crime environment. We also need to resource and focus criminal investigation and prosecution at a level commensurate with the fact that we, America, are now on the losing end of what is probably the biggest transfer of wealth through theft and piracy in human history. I will say that again: We are at the losing end of what is probably the biggest transfer of wealth through theft and piracy in human history. I am pleased that in fiscal year 2010 the FBI received an additional 260 cyber security analysis and investigative positions. DOJ’s Computer Crimes and Intellectual Property Section has not received new resources in 5 years. With the FBI poised to ramp up its investigatory actions against our cyber adversaries, I am concerned the DOJ may not have the resources to keep up. Sixth, we need clear rules of engagement for our government to deal with foreign threats. That is, unfortunately, a discussion for another day since so much of this area is now deeply classified. But here is one example: Can we adapt traditional doctrines of deterrence to cyber attacks when we may not know for sure which country or nonstate actor carried out the attack? If we can’t attribute, how can we deter? With respect to any policy of deterrence, how can it stand on rules of engagement that the attacker does not know of? Not only do we need to establish clear rules of engagement, we need to establish and disclose clear rules of engagement if any policy of deterrence is to be effective in cyberspace. Finally, as we go about these six tasks, the government must be as transparent as possible with the American people. I doubt very much that the Obama administration would abuse new authorities in cyberspace to violate Americans’ civil liberties. But on principle, I firmly and strongly believe that maximum transparency to the public and rigorous congressional oversight are essential. We have to go about this right. I look forward to working with my Senate colleagues and with the administration as the Congress moves toward comprehensive cyber security legislation to protect our country before a great cyber attack should befall us. Let me close my remarks by saying the most somber question we need to face is resilience. First, resilience of governance: How could we maintain command and control, run 9-1-1, operate FEMA, deploy local police and fire services, and activate and direct the National Guard if all of our systems are down? Second, resilience of society: How do we make sure people have confidence during a prolonged attack that food, water, warmth, and shelter will remain available? Because the Internet supports so many interdependent systems, a massive or prolonged attack could cascade across sectors, compromising or taking over our communications systems, our financial systems, our utility grid, and the transportation and delivery of the basic necessities of American life. Third, our American resilience as individuals: Think about it. Your power is out and has been for a week. Your phone is silent. Your laptop is dark. You have no access to your bank account. No store is accepting credit cards. Indeed, the corner store has closed its doors and the owner is sitting inside with a shotgun to protect against looters. Gasoline supply is rationed with National Guard soldiers keeping order at the pumps. Your children are cold and hungry and scared. How, then, do you behave? I leave this last question, our resilience as a government, as a society, and as individuals to another day. But I mention it to highlight the potentially catastrophic nature of a concerted and prolonged cyber attack. Again, such an attack could cascade across multiple sectors and could interrupt all of the different necessities on which we rely. When your power is down, it is an inconvenience but you can usually call somebody on the phone. Now the phone is out, so you can go to the laptop and try to e-mail somebody, but there is no signal on the laptop. You need cash. You go to the ATM. It is down. The bank is not open because a run would take place against its cash assets, given the fact that it can no longer reliably electronically let its customers know what their bank account balances are. We are up against a very significant threat. I hope some of the guideposts I have laid out will be helpful in designing the necessary legislation we need to put in place to empower our country to successfully defend against these sorts of attacks. I yield the floor. Book/CDs by Michael E. Eidenmuller, Published by McGraw-Hill (2008) Audio Note: AR-XE = American Rhetoric Extreme Enhancement Copyright Status: Text, Audio, Image = Public domain.