[Congressional Record: July 27, 2010 (Senate)] [Page S6265-S6266]

Cybersecurity

Mr. WHITEHOUSE. Madam President, I will speak about a matter that is at the core of our national security and economic prosperity and that receives too little notice and attention; that is, the vulnerability of America's cyber information systems and the economic danger and national security risk we face from cyber-theft, cyber-piracy, and cyber-attack. We live in a wired society. If we cut those wires and the social, economic, and communications links that make our way of life possible, we would cease to function. I am very concerned that we are not taking the necessary steps to guard against this threat, which I believe is the greatest unmet national security need facing the United States.

Earlier this month, the Intelligence Committee's Cyber Task Force submitted a classified final report to the chairman and vice chairman of the Intelligence Committee. I was invited to this effort and served with my distinguished colleagues, Senator Mikulski and Senator Snowe. I thank them for their diligence, their leadership, and their important contributions to this effort. They were terrific, and we made a good team.

We spent 6 months investigating cybersecurity threats and our current posture for countering those threats, with a particular focus on the intelligence community. It was a very sobering experience. There is a concerted and systematic effort underway by nation states to steal our cutting edge technologies. At the same time, criminal hacker communities are conspiring to penetrate financial industry networks, rob consumers of their personal data, and transform our personal computers into botnet zombies that can spread malware and chaos.

It is difficult to put a precise dollar figure on the damage and loss these malicious activities are causing, but it is safe to say it numbers in the many tens of billions of dollars--perhaps as high as $1 trillion. I believe we are suffering what is probably the biggest transfer of wealth through theft and piracy in the history of mankind. In addition, we face the risk of attacks--attacks designed to disable critical infrastructure, with grave potential harm to our national security and to our financial, communications, utility, and transportation sectors.

The intelligence community is keenly aware of the threat and is doing all it can within existing laws and authorities to counter it. The bad news is the rest of our country--including the rest of the Federal Government--is not keeping pace with the threat.

I am encouraged by the growing interest in Congress, where there are now more than 40 bills pertaining to cyber. I want to commend Senator Rockefeller and Senator Snowe, in particular, for being at the leading edge of the Senate's efforts.
They have spent more than a year fine-tuning their legislation, which speaks of their commitment to protecting the country and their recognition that we cannot reduce our vulnerabilities without careful study and thoughtful engagement.

Much of the current debate on cybersecurity in the Congress focuses on executive branch organization dealing with this threat. This is obviously an important issue, and it is one that we must resolve sooner rather than later. But the question of how this all gets organized within the executive branch is merely one of the many problem areas we saw during the course of the work of the task force.

What are these other areas? Well, first of all, an overarching issue, we must raise the public's awareness about cyber-threats; otherwise, we face an uphill battle trying to legislate in this challenging and sensitive policy sphere.

What is the problem? Well, threat information affecting the dot.gov and dot.mil domains is largely classified--often very highly classified--and entities in the dot.com, dot.net, and dot.org domains often consider threat information to be proprietary and disclosing it could be a risk to their business. So the result overall is that the public knows very little about the size and scope of the threat their Nation faces.

If the public knew the stakes--knew the cyber-criminals, for example, have pulled off bank heists that would make Willie Sutton, Bonnie and Clyde, and the James Gang look like a bunch of petty thieves, they would demand swift action. If they knew the extent of the cyber-piracy against our intellectual property, and the economic loss that has resulted, the public would demand swift action. If they knew how vulnerable America's critical infrastructure is and the national security risk that has resulted, they would demand action.

It is hard to legislate in a democracy when the public has been denied so much of the relevant information. The first key point is public awareness.
We have to share more information with the public about what is going on out there.

Second, we need to establish basic rules of the road. One of the signal features of our cybersecurity risk profile is that the overwhelming majority of malicious cyber-activity could be prevented if some computer users installed simple antivirus protections and allowed automatic updates of their software. If we followed basic rules of the road, there would be a national security advantage: The Federal Government could focus its cybersecurity efforts on that narrower subset of threats that can evade commercial, off-the-shelf technology. There would be economic advantage from the potentially massive reduction in cyber-crimes, such as identity theft and credit card fraud.

Third, we need to empower the private sector to adopt a more proactive stance against cyber-threats. I am from Rhode Island. My State was founded as a sea trading State. When our traders were attacked by pirates, they got out their guns and fought back. Under current law, companies under cyber-attack can do little more than batten down the hatches. We need to look for more ways to help American companies better defend themselves.

Our courts provide one option. Creative technical experts and smart lawyers at Microsoft were able to mount a very impressive counterattack against the Waledac botnet by obtaining a Federal court order requiring that VeriSign, the domain name registrar, cut off domains associated with the botnet. This disrupted the botnet's command-and-control function, and it highlights an important possible role for our judicial branch.

Additionally, we need to establish lawful and effective means for industry sectors to band together with one another and engage with each other in common defense strategies and information sharing where appropriate with the government. There are some early examples, such as the defense industrial base, that merit commendation, which we should encourage.
But it is still pretty primitive.

Fourth, we must ensure that the Federal Government has the authorities and capabilities necessary to protect our American critical infrastructure against cyber-attack. If a bank, for instance, runs into a solvency problem, there is an established and widely accepted procedure for Federal intervention to protect the bank depositors, stand the bank back up, get it back on its feet, and move back out again. There is no similar procedure if that bank or American critical infrastructure, such as an electric utility, is failing due to an ongoing cyber-attack. There needs to be clear, lawful processes for the private sector to request technical assistance and clear authority for the government to act when a cyber-incident raises significant risk to American lives and property.

It gets a little bit more complicated than that because you cannot just call 911, such as when there is a fire, and have the government come and put out the fire when it is a cyber-attack. Cyber-attacks happen literally at the speed of light. The best defense against cyber-threats, particularly the most dangerous cyber-threats, requires speed-of-light awareness and response. For this reason, it is worth considering whether some defensive capabilities should be prepositioned in order to better protect the Nation's most critical private infrastructure.

During medieval times, critical infrastructure, such as water wells and granaries, were inside the castle walls, protected as a precaution against enemy raiders. Can certain critical private infrastructure networks be protected now within virtual castle walls in secure domains where those prepositioned offenses could be both lawful and effective? This would, obviously, have to be done in a transparent manner, subject to very strict oversight. But with the risks as grave as they are, this question cannot be overlooked.

Fifth, we need to put more cyber-criminals behind bars.
Law enforcement engagement against cyber-crime needs to be considerably enhanced at multiple levels, reporting, resources, prosecution strategies, and priority. A lot more folks need to go to jail.

Finally, we must more clearly define the rules of engagement for covert action by our country against cyber-threats. This is an especially sensitive subject and highly classified. But for here, let me simply say that the intelligence community and the Department of Defense must be in a position to provide the President with as many lawful options as possible to counter cyber-threats, and the executive branch must have the appropriate authorities, policies, and procedures for covert cyber-activities, including how to react in real time when the attack comes at the speed of light. This all, of course, must be subject to very vigilant congressional oversight.

Uniquely in the world and uniquely in our own history, America's economy and government now depend on networked information technologies for Americans to communicate with each other, keep the trains running on time and the planes flying safely, keep our lights on, and power our daily lives. The expansion of this powerful new technology across our great country also makes us uniquely vulnerable to cyber-threats.

We have to do a lot better as a nation on cybersecurity. I believe we can do better. I know we must do better. Frankly, we cannot afford not to do better. I hope these remarks and the structure they have provided helps provide assistance to my colleagues as we begin debating and resolving these important issues.

I yield the floor. I see my distinguished colleague from Minnesota prepared to speak.

The ACTING PRESIDENT pro tempore. The Senator from Minnesota.