OFFICIALS LEGISLATION INTEREST GROUPS PUBLIC STATEMENTS COMMITTEES VETOES

Consolidated Appropriations Act, 2016

Floor Speech

Date: Dec. 18, 2015
Location: Washington, DC
Issues: Technology and Communication Defense

BREAK IN TRANSCRIPT

Ms. COLLINS. Madam President, the cyber security bill included in the omnibus is a first step towards improving our Nation's dangerously inadequate defenses against cyber attacks. I know that the chairman and vice chairman of the Senate Intelligence Committee worked hard to ensure that a cyber security bill passed this year.

Unfortunately, however, the American people and economy will remain vulnerable to a catastrophic cyber attack against our critical infrastructure even after this bill becomes law.

Critical infrastructure refers to entities that are vital to the safety, health, and economic well-being of the American people, such as the major utilities that run the Nation's electric grid, the national air transportation system that moves passengers and cargo safely from one location to another, and the elements of the financial sector that ensure the $14 trillion in payments made every day are securely routed through the banking system.

The Senate-passed cyber bill included an important provision I authored with the support of Senators Mikulski, Coats, Reed, Warner, Heinrich, King, Hirono, and Wyden that would have required the Department of Homeland Security, in conjunction with the appropriate Federal agencies, to undertake an assessment of the fewer than 65 critical infrastructure entities at greatest risk of causing catastrophic harm if they were the targets of a successful cyber attack.

By ``catastrophic harm,'' the Department of Homeland Security means a single cyber attack that would likely result in 2,500 deaths, $50 billion in economic damage, or a severe degradation of our national security. In other words, if one of these entities upon which we depend each day were attacked, the results would be devastating.

Following the assessment, the provision then required a report to Congress describing the steps that could be taken to lessen the vulnerability of these entities and to decrease the risk of catastrophic harm resulting from such a cyber attack against our critical infrastructure.

Inexplicably, this provision, which was supported by a majority of the members of the Senate Intelligence Committee, was eliminated in the negotiations between the leaders of the House and Senate Intelligence Committees.

I am told that this important provision was dropped because of opposition from certain industry groups that claimed that the current investment and regulatory structure is sufficient to protect our critical infrastructure; yet our provision explicitly included existing regulators in the assessment process and required no new mandates. Compromise language that would have made this even clearer was also rejected.

Our provision appropriately distinguished between the vast majority of businesses, such as a retail store or a chain of small ice cream shops, and the fewer than 65 critical infrastructure entities that could debilitate the U.S. economy or our way of life if attacked; yet the final version of the cyber bill treats these very different entities in exactly the same way.

These fewer than 65 entities warrant our special attention because there is ample evidence, both classified and unclassified, that demonstrates the threat facing critical infrastructure and the deficiencies in the cyber security capability to defend them.

The Director of National Intelligence, Jim Clapper, has testified that the greatest threat facing our country is in cyber space. He has stated before the Armed Services Committee that the number one cyber challenge that concerns him the most is an attack on our Nation's critical infrastructure.

His assessment is backed up by several intrusions into the industrial controls of critical infrastructure. Since 2009, the Wall Street Journal has published reports regarding efforts by foreign adversaries, such as China, Russia, and Iran, to leave behind software on American critical infrastructure and to disrupt U.S. banks through cyber intrusions.

Multiple natural gas pipeline companies were the target of a sophisticated cyber intrusion campaign beginning in December 2011, and Saudi Arabia's oil company, Aramco, was subject to a destructive cyber attack in 2012.

When I asked Admiral Rogers, the Director of the National Security Agency with responsibility for cyber space, how prepared our country was for a cyber attack against our critical infrastructure in a hearing this summer, he replied that we are at a ``5 or 6.''

Last month, the Deputy Director of the NSA, Richard Ledgett, was asked during a CNN interview if foreign actors already have the capability of shutting down key U.S. infrastructure, such as the financial sector, energy, transportation, and air traffic control. His response? ``Absolutely.''

When it comes to cyber security, ignorance is not bliss. The least we should do is to ask DHS and the appropriate Federal agencies to describe what more could be done to prevent a catastrophic cyber attack on critical infrastructure that could cause thousands of deaths and/or a devastating blow to our economy or national defense.

Congress has missed an opportunity to improve our Nation's cyber preparedness by refusing to even ask DHS or the appropriate Federal agencies to understand and identify what more could be done to prevent a catastrophic cyber attack on the fewer than 65 critical infrastructure entities.

A cyber attack on our critical infrastructure is not a matter of ``if,'' but a matter of ``when.'' We are at September 10 levels in terms of cyber preparedness--a sentiment expressed by former Secretary of Defense Leon Panetta in 2012 and in the 9/11 Commission's 10th anniversary report released last year.

We cannot afford to wait for a ``cyber 9/11'' before protecting our critical infrastructure. By rejecting this provision, this Congress has elected to take just such a risk. Senate, Washington, DC, November 30, 2015. Hon. Richard Burr, Chairman, Senate Select Committee on Intelligence, Washington DC. Hon. Michael T. McCaul, House Committee on Homeland Security, Washington, DC. Hon. Devin Nunes, House Permanent Select Committee on Intelligence, Washington, DC. Hon. Dianne Feinstein Vice Chairman, Senate Select Committee on Intelligence, Washington, DC. Hon. Bennie G. Thompson, House Committee on Homeland Security, Washington, DC. Hon. Adam B. Schiff, House Permanent Select Committee on Intelligence, Washington, DC.

Dear Chairman Burr, Vice Chairman Feinstein, Chairman McCaul, Ranking Member Thompson, Chairman Nunes, and Ranking Member Schiff: We strongly support the enactment of a voluntary cybersecurity information sharing bill, which will promote better communication between the private sector and the federal government on cyber threats and vulnerabilities. For 99 percent of businesses, the voluntary information sharing framework established in law should be sufficient to avoid catastrophic harm.

It would be a mistake, however, to treat the country's most critical infrastructure, upon which our people and our economy depend, the same way as a retail business, such as a chain of small ice cream shops. That is why Section 407 of S. 754, the Cybersecurity Information Sharing Act (CISA) appropriately distinguishes between the vast majority of businesses and those entities already designated by the federal government as critical infrastructure at greatest risk. Unless Section 407 of S. 754, the Cybersecurity Information Sharing Act (CISA) is retained in the final cybersecurity bill, these very different entities will be treated exactly the same way under this legislation.

Critical infrastructure refers to entities that are vital to the safety, health, and economic wellbeing of the American people, such as the major utilities that run the nation's electrical grid. Section 407, however, only applies to the fewer than 65 entities that have already been designated by the Department of Homeland Security (DHS) as the critical infrastructure entities where a cyber attack would likely result in catastrophic harm. By catastrophic harm, DHS means a single cyber attack that would likely result in 2,500 deaths, $50 billion in economic damage, or a severe degradation of our national security.

Given these devastating consequences, we urge you to retain Section 407 of CISA. Ample evidence, both classified and unclassified, testifies to the threat facing critical infrastructure and the deficiencies in the cybersecurity capability to defend them. Since 2009, the Wall Street Journal has published reports regarding efforts by foreign adversaries, such as China, Russia, and Iran, to leave behind software on American critical infrastructure or to disrupt U.S. banks through cyber intrusions. Multiple natural gas pipeline companies were the target of a sophisticated cyber intrusion campaign beginning in December 2011, and Saudi Arabia's oil company, Aramco, was subject to a destructive cyber attack in 2012.

Admiral Mike Rogers, the Director of the National Security Agency, has said publicly that ``We have . . . observed intrusions into industrial control systems . . . what concerns us is that . . . capability can be used by nation-states, groups or individuals to take down the capability of the control systems.''

At a recent Senate Armed Services Committee hearing on cybersecurity, the Director of National Intelligence was asked what one cyber challenge concerned him the most. He testified that it was a large-scale cyber attack against the United States' infrastructure. At a subsequent open hearing of the Senate Select Committee on Intelligence, Senator Collins asked Admiral Mike Rogers how prepared our country was for such an attack against our critical infrastructure. His answer, on a scale of 1-10, was that we are at a ``5 or 6''. That is a failing grade that we cannot ignore.

Section 407 has been mischaracterized in correspondence we have received, so we would also like to clarify some key facts about it. First, Section 407 is not counter to the overall voluntary nature of CISA, and it does not impose new incident reporting requirements on the fewer than 65 covered entities. Of course, many critical infrastructure entities, such as those in the electrical sector, are already subject to mandatory incident reporting to their federal regulators.

Section 407 simply requires DHS to undertake an assessment of the critical infrastructure that it has identified where a single catastrophic cyber attack could cause deaths and devastation and then report to Congress what actions could be taken to lessen their vulnerability and to decrease the risk of catastrophic harm resulting from such an attack.

Despite claims to the contrary, Section 407 is also consistent with existing government authority, regulations, and programs. The text of the provision clearly states that the report and strategy required by DHS must be produced ``in conjunction with the appropriate agency head . . .'' Appropriate agency head means the head of the existing sector-specific agency for such an entity or the existing federal regulator for that entity.

Section 407 will also likely reduce, rather than increase, the existing liability risk for the critical infrastructure entities that have already been identified as being at greatest risk of cyber attack. Liability risk is incurred when an entity actually fails to mitigate cyber vulnerabilities that they should have known about and addressed. Rather than increasing this risk, Section 407 seeks to share the burden of defending critical infrastructure against the most sophisticated cyber attacks by requiring the Secretary of Homeland Security to conduct an assessment of the cybersecurity of only the fewer than 65 entities. Following this assessment, Section 407 would require the Secretary to develop a strategy to mitigate the risk of catastrophic effects. The least we should do is to ask DHS and the appropriate federal agencies to describe what more could be done to prevent a catastrophic cyber attack on critical infrastructure that could cause thousands of deaths and/or a devastating blow to our economy or national defense.

Finally, we urge you to review the list of entities that are, in fact, covered by Section 407. Ironically, many of the trade associations who oppose this provision do not represent a single entity that would be covered by this amendment because none of their members has been designated as critical infrastructure at greatest risk. The list of entities and the classified intelligence regarding the threats to critical infrastructure have been provided to your respective committees.

If you have any questions, please do not hesitate to contact us. Sincerely, Susan M. Collins. Daniel Coats. Martin Heinrich. Mazie K. Hirono. Barbara A. Mikulski. Mark R. Warner. Angus S. King, Jr. Jack Reed.

BREAK IN TRANSCRIPT

Ms. COLLINS. Madam President, I rise today to speak on the fiscal year 2016 Omnibus appropriations bill. I want to highlight the Transportation and Housing and Urban Development division of the bill, which is critically important to meeting the housing needs of low- income, disabled, and older Americans, to shelter the homeless, and to boost our economy and create jobs through much needed infrastructure investments in our roads, bridges, railroads, transit systems, and airports.

Let me begin by thanking Chairman Cochran and Vice Chairwoman Mikulski for their leadership in advancing these appropriations bills.

I also want to acknowledge Senator Jack Reed, the ranking member of the subcommittee, who worked closely with me in our negotiations with the House.

I would be remiss if I did not also acknowledge the tireless efforts staff have put into this bill throughout the entire process. My staff: Heideh Shahmoradi, Ken Altman, Jason Woolwine, Rajat Mathur, Lydia Collins, and Gus Maples have made enormous contributions.

I also want to thank Dabney Hegg, Rachel Milberg, Christina Monroe, and Jordan Stone on Senator Reed's staff.

This bill represents priorities from Members on both sides of the aisle in both Chambers. Through considerable negotiation and compromise, we have crafted a bipartisan bill that targets limited resources to meet our most essential transportation and housing needs while ensuring effective oversight of these important programs.

The bill makes important investments, supporting millions of jobs and economic development. It invests in our Nation's transportation infrastructure by continuing to provide $500 million for the TIGER Program. This highly competitive program creates jobs and supports economic growth in every one of our home States.

The bill provides increased funding for our Nation's highway, transit, and safety programs, consistent with the recently enacted highway authorization bill, the FAST Act. State DOTs are also provided with the flexibility to repurpose approximately $2 billion in old, unused congressionally directed spending and direct it toward infrastructure projects that are of higher priority today within the same geographic location of the original designation.

Turning to air travel, the aviation investments will continue to modernize our nation's air traffic system and help to keep rural communities connected to the transportation network. It will ease future congestion and help reduce delays for travelers in U.S. airspace. The bill provides funding for FAA programs at 99.97 percent of the budget request to ensure FAA's operations and safety workforce are fully funded, which includes 14,500 air traffic controllers and more than 25,000 engineers, maintenance technicians, safety inspectors, and operational support personnel.

In addition to aviation safety, the bill provides $50 million in rail safety grants in response to the devastating rail accidents in recent years. These grants will support infrastructure improvements and safety technology, including positive train control.

There are also several provisions to enhance truck safety on our Nation's highways. For example, the bill requires the Department of Transportation to publish a proposed rule on speed governors, which limits the speed at which these trucks can operate. The Department continues to delay this rulemaking, which was initially petitioned by the industry itself. It is time to get this important safety rule completed and implemented.

The bill also protects critical housing programs by preserving existing rental assistance for vulnerable families and individuals, including our seniors, and strengthens the Federal response to the problem of youth homelessness. Sufficient funding is provided to keep pace with the rising cost of housing vulnerable families, ensuring that more than 4.7 million individuals and families currently receiving assistance will not have to worry about losing their housing. Without this assistance, many of these families might otherwise become homeless.

Youth homelessness is especially troubling and warrants more attention. Reflecting this concern, our bill provides $42.5 million to expand efforts to reduce youth homelessness. These efforts build on our success in reducing veterans homelessness, which has been reduced by 36 percent since 2010. This bill continues that effort by providing an additional 8,000 vouchers for our homeless veterans despite the administration's failure to request funding for this critically important program.

To support local development, we provide $3 billion for the Community Development Block Grants Program. This is an extremely popular program with the States and communities because it allows them to tailor the Federal funds to support local economic and job creation projects.

I appreciate the opportunity to speak about this legislation, and I urge my colleagues to support final passage of the omnibus. Section 702 in Division O

BREAK IN TRANSCRIPT


Source
arrow_upward