Over the last few days, we’ve been lectured numerous times that we must protect cyber critical infrastructure, otherwise the country is in jeopardy. Who doesn’t agree with that statement? Enhancing cybersecurity is important to our national security. I support efforts to strengthen our Nation against cyber-attacks.
However, I take issue with those who have come to the floor and argued that those who don’t support this bill are against strengthening our Nation’s cybersecurity. Disagreements over how to address policy matters shouldn’t devolve into accusations about a member’s willingness to tackle tough issues. The debate over cybersecurity legislation has turned from a substantive analysis of the merits into a political blame game as to which side supports defending our Nation more. If we want to tackle big issues like cybersecurity, we need to rise above disagreements and work in a constructive manner. Disagreements over policy should be openly and freely debated.
Unfortunately, this isn’t how the debate on cybersecurity proceeded. Instead, before a real debate began the Majority Leader cut it off. As the discussion of cybersecurity began on the floor this week, senators stated that a failure to grant broad new powers to the federal government will lead to a cyber-9/11. I agree that if we fail to take action on cybersecurity, there could be national security consequences. However, I don’t believe giving the federal government more regulatory authority over business and industry, as supporters of this bill propose, is the answer to strengthening cybersecurity.
Chief among my concerns with the pending bill is the role played by the Department of Homeland Security. These concerns stem from oversight I’ve conducted on its implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) program. CFATS was the Department’s first major foray into regulation of the chemical sector. DHS spent nearly a half-a-billion dollars on the program. Five years later, the department’s just begun to approve site security plans for the more than 4,000 facilities designated under the rule. I’ve continued to conduct oversight on this matter. Despite assurances from DHS that they’ve fixed all the problems with CFATS, I keep discovering more problems.
So, I’m baffled why we would take an agency that has proven problems with overseeing critical infrastructure, and give them chief responsibility for our country’s cybersecurity. Additionally, I’m concerned with provisions that restrict the way information is shared. The restrictions imposed under title seven of this bill are a step backward from other information sharing proposals. This includes the bill I’ve co-sponsored, the SECURE-IT bill.
The bill before us places DHS in the role of gatekeeper of cyber-threat information. The bill calls for DHS to share the information in “as close to real time as possible” with other agencies. However, this will create a bottleneck for information coming into the government.
Further, title seven includes restrictions on what types of information can be shared, limiting the use of it for criminal prosecutions except those that cause imminent harm.
This is exactly the type of restriction on information sharing that the 9/11 Commission warned about. In fact, the 9/11 Commission said, “the [wall] resulted in far less information sharing and coordination.” The Commission further added, “the removal of the wall that existed before 9/11 between intelligence and law enforcement has opened up new opportunities for cooperative action.” Why would we even consider legislation that could rebuild these walls that threaten our national security?
How much of a real debate have we had on these issues I’ve raised? The lack of a real process in the Senate on this current bill amplifies my substantive concerns. In fact, this is eerily reminiscent of the debate surrounding Obamacare. During that time, then-Speaker of the House Pelosi declared, “We have to pass the bill so that you can find out what is in it.” Well, we all know how well that worked out. Years of litigation later the public is still learning what surprises the majority and the Obama administration had in store for the Nation’s healthcare system.
Here we are once again, in the last week before the August recess, tackling a serious problem that hasn’t been given full process. I don’t want cybersecurity legislation to become another Obamacare. If we’re serious about our nation’s security, then shouldn’t we treat it as such?
We’re told that the Senate has been working on cybersecurity for three to five years. However, we haven’t been working on the bill before us for that long. The bill before us was introduced 13 days ago. And it was only pending on the floor for four days before the motion for cloture was filed. It didn’t go through the normal committee process. It wasn’t debated or amended. Instead, it was brought straight to the floor and we’re being forced to consider it under a rushed schedule.
Talking about the danger of cyber-attacks for years isn’t the same as discussing the impact of the actual text of the bill which could become law. The words on the 212 pages of the bill are what must be analyzed in detail. In fact, no one, except a handful of senators, actually knows what the bill says or might say. We need full process and unfortunately that’s not happened and it’s not going to happen, because the Majority Leader has limited debate.
This week, we were told that a group of Senators and their staff were working on a compromise. Again, that’s something that all of us as a body don’t know much about. We need an open debate in order to process this, as opposed to huddled, backroom meetings. I don’t think this is the way we’re supposed to legislate. The people who elected us expect more. How many Senators are prepared to vote on something this important, without knowing its impact because we haven’t followed regular order? Are we to once again pass a bill so that the American public can then find out what’s in it?
These are questions that all Senators should consider. And our citizens should know in advance what we’re actually considering. Now yesterday, we heard claims that the amendments offered by Republicans were part of some obstructionist tactic. Apparently, the 77 or so amendments filed by Democrats are acceptable. I had three amendments that addressed specific provisions in the bill and I wanted to have a debate on them.
For example, I have an amendment to strike the provision in the bill that creates a cause of action against the federal government. That provision waives sovereign immunity, provides for automatic damages and provides for an award of attorney’s fees. This provision is a gift for the trial lawyers’ lobby, which American taxpayers shouldn’t have to pay for. And I don’t think class action lawsuits against the government will help with cybersecurity.
Another amendment of mine would’ve removed industry specific carve outs from the bill. This is another example of how backroom deal making takes place so as to get support for a bill. We saw this happen with Obamacare. The “Cornhusker Kickback” that was agreed to in order to pass Obamacare reminds me of what we’re seeing now. Here, to get support from companies in the Information Technology industry, the bill clearly states those companies can’t be identified as critical cyber infrastructure. So, in order to get support from certain companies, the authors carved out these companies from having to comply with the bill.
For example, under this carve-out, say Cisco builds a router that has a flaw that’s exploited by hackers. That router is purchased by every sector of the critical infrastructure, including power, water, and others. If that router flaw is exploited and attacked, the companies that bought the router are held responsible. However, the company that made the faulty router isn’t. This is absurd and a major giveaway to a key industry to give the appearance of private sector support. No wonder other information technology companies such as Oracle, Microsoft, and the Information Technology Industry Council support this bill—they are all carved out of the critical infrastructure provisions. This is not how we should handle cybersecurity, and I have an amendment to strike this provision. We should openly debate this and discuss whether this is the right course. Again, the carve-out was a deal cut with one purpose: to limit opposition to the bill. Well, that wasn’t good policy in 2009 in the Obamacare debate and it’s not good policy now.
I also know that Senator Ron Johnson of Wisconsin had an amendment that the Congressional Budget Office (CBO) issue a score on the cost of the bill before it could take effect. Why were the supporters of the bill opposed to that? Do they believe that they have a right to spend millions or billions of taxpayers’ dollars at will and without making the amount public? Are the supporters of the bill really prepared to vote for this bill without revealing how much it will cost?
But I won’t get a chance to debate my amendments or Senator Johnson’s amendment before the cloture vote because that’s how the majority leader now runs the Senate.
There are serious questions about this bill. It needs to be amended. We need to discuss changes. Unfortunately, that’s not going to happen. I know some will again say that this has been a long process. The only thing true about that statement is that the issue and problem has been discussed for a long time. If we’re serious about addressing this problem, then let’s deal with it appropriately. Rushing something through that will impact the country in such a massive way isn’t the way we should do business. It’s not good for the country and it’s not good for this body. Thank you. I yield the floor.