Sheldon Speaks in Senate on Cyber Threats

As Delivered

Madam President, I would like to speak today about a topic that is central to our national security and economic prosperity, and which gets far too little notice and attention, and that is the vulnerability of America's networked information systems, and the economic danger and national security risk we face from cyber theft, cyber piracy, and cyber attack.

We live in a wired society, and if we sever those wires, the social, economic, and communications linkages that make our way of life possible will cease to function. I am gravely concerned that we are not taking the necessary steps to guard against this threat, which I believe is the greatest unmet national security need facing the United States.

Earlier this month, the Intelligence Committee's Cyber Task Force submitted a classified Final Report to the Chair and Vice Chair of the Intelligence Committee. It was an honor to chair this bipartisan initiative, and to serve with my distinguished colleagues Senator Mikulski and Senator Snowe. I thank them for their diligence, their leadership, and their important contributions to this effort. They were excellent and we made a good team.

We spent six months investigating cybersecurity threats and our current posture for countering those threats, with a particular focus on the Intelligence Community. It was a very sobering experience. There is a concerted and systematic effort underway by nation-states to steal our cutting edge technologies. At the same time, criminal hacker communities are conspiring to penetrate financial industry networks, rob consumers of their personal data, and transform our personal computers into botnet zombies that can spread malware and chaos.

It is difficult to put a precise dollar figure on the damage and loss these malicious activities are causing, but it is safe to say that it numbers in the many tens of billions of dollars, perhaps as high as a trillion dollars. Madam President, I believe we are suffering what is probably the biggest transfer of wealth through theft and piracy in the history of mankind.

In addition, we face the risk of attack - attacks designed to disable critical infrastructure, with grave potential harm to our national security, and to our financial, communications, utility and transportation sectors.

The Intelligence Community is keenly aware of the threat, and doing all it can within existing laws and authorities to counter it. The bad news is that the rest of our country-including the rest of the federal government-is not keeping pace with the threat.

I'm encouraged by the growing interest in Congress, where there are now more than 40 bills pertaining to cyber. I'd like to commend Senator Rockefeller and Senator Snowe in particular for being at the leading edge of the Senate's efforts. They have spent more than a year fine-tuning their legislation, which speaks of their commitment to protecting the country and their recognition that we cannot reduce our vulnerabilities without careful study and thoughtful engagement.

Much of the current debate on cybersecurity in the Congress focuses on Executive Branch organization dealing with this threat. This is obviously an important issue, and it is one that we must resolve sooner rather than later.

But the question of how this all gets organized within the Executive Branch is merely one of the many problem areas that we saw during the course of the Task Force's work.

What are these other areas? Well first of all, an overarching issue: we must raise the public's awareness about cyber threats. Otherwise, we face an uphill battle trying to legislate in this challenging and sensitive policy sphere.

What's the problem? Well, threat information affecting the ".gov" and ".mil" domains is largely classified, often very highly classified, and entities in the ".com," ".net" and ".org" domains often consider threat information to be proprietary, and disclosing it to be a risk to their business. So the result overall is that the public knows very little about the size and scope of the threat their nation faces.

If the public knew the stakes-knew that cyber criminals, for example, have pulled off bank heists that would make Willie Sutton, Bonnie and Clyde, and the James Gang look like petty thieves-they would demand swift action. If they knew the extent of the cyber-piracy against our intellectual property and the economic loss that has resulted, the public would demand swift action. If they knew how vulnerable America's critical infrastructure is, and the national security risk that has resulted, they would demand action. It is hard to legislate in a democracy when the public has been denied so much of the relevant information. So the first key point is public awareness. We have to share more information with the public about what is really going on out there.

Second, we need to establish basic rules of the road. One of the signal features of our cybersecurity risk profile is that the overwhelming majority of malicious cyber activity could be prevented, if computer users simply installed simple anti-virus protections and allowed for automatic updates of their software.

If we followed basic rules of the road, there would be a national security advantage: the federal government could focus its cybersecurity efforts on that narrower subset of threats that can evade commercial off-the-shelf technology. And there would be economic advantage from the potentially massive reduction in cyber crimes such as identify theft and credit card fraud.

Third, we need to empower the private sector to adopt a more proactive stance against cyber threats. I'm from Rhode Island, my home state was founded as a sea trading state. When our traders were attacked by pirates, they ran out their guns, they fought back. Under current law, companies under cyber attack can do little more than batten down their hatches.

We need to explore ways to help American companies better defend themselves within our laws.

Our courts provide one option. Creative technical experts and smart lawyers at Microsoft were able to mount a very impressive counterattack against the Waledac botnet by obtaining a federal court order requiring that VeriSign, the domain name registrar, cut off the domains associated with the botnet. This disrupted the botnet's command and control function, and it highlights an important possible role for our judicial branch.

Additionally, we need to establish lawful and effective means for industry sectors to band together with one another and engage with each other in common defense strategies and information sharing, where appropriate with the government. There are some early examples, like the Defense Industrial Base, that merit commendation and which we should encourage, but it's still pretty primitive.

Fourth, we must ensure that the federal government has the authorities and capabilities necessary to protect our American critical infrastructure against cyber attack. If a bank, for instance, runs into a solvency problem, there is an established and widely accepted procedure for federal intervention to come in, protect the bank's depositors, stand the bank back up, set it back on its feet, and move back out again.

There is no similar procedure if that bank, or American critical infrastructure such as an electric utility, is failing due to an ongoing cyber attack. There need to be clear lawful processes for the private sector to request technical assistance, and clear authorities for the government to act when a cyber incident raises significant risks to American lives and property.

It gets a little bit more complicated than that, because you can't just call 911, like when there's a fire, and have the government come and put out the fire when it's a cyber attack.

Cyber attacks happen literally at the speed of light, so the best defense against cyber threats, particularly the most dangerous cyber threats, requires speed-of-light awareness and response.

For this reason, it is worth considering whether some defensive capabilities should be pre-positioned in order to better protect the nation's most critical private infrastructure. During medieval times, critical infrastructure such as water wells and granaries were inside the castle walls, protected, as a precaution against enemy raiders. Can certain critical private infrastructure networks be protected now within virtual castle walls, in secure domains where those pre-positioned defenses could be both lawful and effective? This would obviously have to be done in a transparent manner, subject to very strict oversight. But with the risks as grave as they are, this question cannot be overlooked.

Fifth, we need to put more cyber criminals behind bars. Law enforcement engagement against cyber crime needs to be considerably enhanced at multiple levels: reporting, resources, prosecution strategies, and priority. A lot more folks need to go to jail.

Finally, we must more clearly define the rules of engagement for covert action by our country against cyber threats. This is an especially sensitive subject, and highly classified, but for here let me simply say that the Intelligence Community and the Department of Defense must be in a position to provide the President with as many lawful options as possible to counter cyber threats, and the Executive Branch must have the appropriate authorities, policies, and procedures for covert cyber activities, including how to react in real time when the attack comes at the speed of light. This all, of course, must be subject to very vigilant Congressional oversight.

Madam President, uniquely in the world, and uniquely in our own history, America's economy and government now depend on networked information technologies for Americans to communicate with each other, keep the trains running on time and the plains flying safely, keep our lights on, and power our daily lives. The expansion of this powerful new technology across our great country also makes us uniquely vulnerable to cyber threats, and we just have to do a lot better as a nation on cybersecurity. I believe we can do better. I know we must do better. Frankly, we can't afford not to do better.

I hope these remarks, and the structure that they have provided, help provide assistance to my colleagues as we begin debating and resolving these important issues.