Grassley Cyber Security Remarks at National Cyber Security Alliance Seminar
Prepared Statement of U.S. Senator Chuck Grassley of Iowa
National Cyber Security Alliance seminar, STOP. THINK. CONNECT. Two Steps Ahead: Protect Your Digital Life
Iowa State University, Scheman Building
Thursday, September 4, 2014
Good morning and thank you, President Leath, for that very kind introduction. It’s an honor and a privilege to speak today about this very important and timely topic.
The reality of today’s world is that we share a lot of personal information online. It’s a fact of life and something most of us couldn’t have imagined 15 or 20 years ago. Cyber criminals, from here and abroad, seek to exploit the fact that so much information is shared electronically. A cyber criminal’s goal is to stay one step ahead of the security measures implemented by both businesses and consumers. Given this, we all must be vigilant in working to keep our online information secure. We can’t take a break from trying to protect sensitive information, because the moment we do, we’re in trouble.
I appreciate the National Cyber Security Alliance hosting this event, and others like it, throughout the United States. Today’s event is important, and more like it are needed.
Unfortunately, educating consumers about basic steps needed to better secure everyday online activities sometimes becomes an afterthought. We all expect businesses to protect our sensitive information. But, we as consumers simply can’t stick our heads in the sand and assume that we don’t also share some responsibility. The fact of the matter is that there are simple steps that can be used to strengthen the security of online information. In many cases, even experienced users have neglected taking these basic steps.
Today’s event includes experts who will go into far greater detail about how we all can better protect our information. Rather than spend too much time on that, I’d like to take a few minutes to discuss what we’ve been looking at and working on in the United States Senate. I’ll share some of the things we’ve learned as we’ve tried to identify the government’s role in cyber security. A major cyber attack could have a devastating effect on the United States’ economy and security. So without question, the government should prioritize working with the private sector to strengthen the security of personal information online.
Earlier this year, the Senate Judiciary Committee held a hearing to examine the high-profile data breaches that occurred at Target and Neiman Marcus. Some of you may have watched the hearing or even attended. It was an opportunity for us to revisit the issue and examine proposed legislation to address federal data security requirements and the need for a uniform, national breach notification standard.
As will be discussed throughout today, we learned that there’s no single solution that will prevent future cyber-attacks. However, there are measures and advanced technology that can be implemented to make an attack more difficult, and limit the harm. We all recognize that businesses should have comprehensive security programs in place to protect sensitive information. And while consumers share an ongoing responsibility to do their best to secure their information, businesses are no different. One example is a much-needed update to payment card technology. This is an area where the United States has lagged far behind other countries. I’m glad to know that both financial institutions and retailers are in the process of updating this technology.
Not only did the hearing provide information about specific breaches, but it gave committee members insight about the federal government’s role in working with the private sector to strengthen data security. Currently in the Senate there are several proposals related to data security. As I’ve studied these proposals and questioned experts, I’ve heard one consistent theme. Congress and the federal government must be careful to avoid an approach that fails to provide businesses the flexibility they need to secure data in their specific situations. A one-size-fits-all requirement rarely works, as it doesn’t account for businesses of different sizes and resources.
Just as there are problems with creating a top-down, government-imposed regulatory scheme, I understand the criticism regarding an industry-only security approach. As I’ve continued to examine this issue, it’s been instructive to consider actions and proposals that have achieved both bipartisan and industry support. One approach is the public-private partnership that’s developed following the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
The President’s Executive Order stated that strengthening cybersecurity can be achieved through government partnership with private business. I agree. Following the issuance of the Executive Order, the National Institute of Standards and Technology worked to improve its partnership with owners of critical infrastructure.
As a result, the private sector came to the table with the government and worked to create standards, guidelines, and best practices for businesses to implement on a voluntary basis. This approach has received buy-in from the private sector, along with strong bipartisan support in the Senate. Senators Rockefeller and Thune, the Chairman and Ranking Member of the Senate Commerce Committee, have introduced a bill to enshrine the National Institute of Standards and Technology’s role in creating a cybersecurity framework. Granted, this is just one model for government action focused on securing critical infrastructure. But it’s worth considering how a similar public-private partnership might work with regard to overall data security.
Over the past several months I’ve worked with the Judiciary Committee’s Chairman, Pat Leahy, to try and craft bipartisan data security and breach notification legislation. We’ll continue to work with each other and with stakeholders. But even as we work in Congress, businesses must stay vigilant to update their technologies and better educate consumers to ensure the security of sensitive information. The question isn’t whether there will be another cyber-attack or data breach. It’s when. So we need to have systems in place to prevent or limit the damage that occurs. The criminals don’t give up and take a break. We must be just as relentless in securing our systems and information.
In closing, I appreciate the opportunity to speak to you all about this topic. More importantly, thank you to the Alliance for hosting this event and raising awareness about basic measures we all can take to protect our online activities.