Murkowski Comments on Introduction of SECURE IT Act

WASHINGTON, D.C. – U.S. Sen. Lisa Murkowski, R-Alaska, today delivered the following speech on the Senate floor on the introduction of the “SECURE IT” Act to strengthen cybersecurity.


(Click video to watch speech)

 “I’ve come to the floor today to speak about cybersecurity legislation that will soon come before the Senate. There is no question this is a critical issue that should be addressed by this Congress. I’m certain that every member of this body is concerned that our nation may be vulnerable to cyber-attacks that could have severe economic and security ramifications. We see stories about cyber-attacks daily – on individuals, on companies, on the government – and it is time for us to take steps to protect ourselves against this emerging threat. 

“In the coming weeks, the Senate is expected to take up legislation to address this very real problem.  I’m hopeful this effort will result in legislation that we can all agree is worthy of sending to the President. Right now, however, it appears that we’re on track to follow an “all-or-nothing” approach. The problems I see with the bill that is expected to come to the floor – featuring text that was recently released by the Homeland Security Committee – is that it has not gone through regular order and amounts to a regulatory overreach.  If that is our only option, it will ultimately prevent us from making progress on cybersecurity in this Congress.

“Because that outcome is unacceptable, I introduced an alternative bill this morning along with a number of my ranking member colleagues. We call our bill the “Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012” – or “SECURE IT” for short.  It follows a commonsense approach to address our ever-increasing cyber threats.  Our bill focuses on four areas that we believe can draw bipartisan support and result in a public law.  Those four areas are:  information sharing, FISMA reform, criminal penalties and additional research.

“What the SECURE IT bill does not do is equally important.  It does not simply add new layers of bureaucracy and regulation that will serve little purpose and achieve meager results.  The Homeland Security Committee’s bill would arm the Department of Homeland Security with expansive new authorities to review all sectors of our economy and designate “covered critical infrastructure” for further regulation.  We’ve heard from industry that this amounts to regulation for regulation’s sake – and in the electric industry’s case, duplicative regulation – that will lead to a “compliance-first” mentality.  Companies will focus on meeting their new federal requirements and passing an endless string of audits.  But these heavy-handed, static requirements from yet another federal regulator will not address the very real threat we face.  Instead, we need a much more nimble approach to deal with cyber-related threats that are constantly growing and constantly changing.   

“That’s where our SECURE IT Act comes in. We’ve taken a more pragmatic approach by focusing on the areas where we know we can find bipartisan support. 

“One area that I think we can all agree on is that the federal government needs to form a partnership with the private sector. After all, we share the same goals – to keep our computer systems and our nation safe from cyber intrusions.  We need private companies to talk with each other and with the government about the cyber problems they face as well as the potential strategies and solutions to combat them.  To achieve that goal, our legislation encourages the voluntary sharing of much-needed information by removing legal barriers to its use and disclosure. At the same time, we’re careful to safeguard privacy and prohibit the information from being used for competitive advantage.

“Our bill also provides necessary updates to the Federal Information Security Management Act. These FISMA reforms require real-time monitoring of federal systems and will modernize the way the government manages and mitigates its own cyber risks.  Unlike other legislation on this subject, the cyber bill we’ve introduced today will also update criminal statutes to account for cyber activities. Finally, we support advanced cybersecurity research by leveraging existing resources without spending new federal dollars.   

“This straightforward approach to cybersecurity can go a long way in tackling the problem. Clearly, our own government agencies need to communicate better with one another. For example, the White House and DHS are staging an exercise next week to take members through a mock scenario that will feature a cyber attack on the nation’s grid.  While I think that could be a useful exercise, I find it stunning that DHS would set up a grid attack scenario and fail to include the grid’s primary regulators – our Electric Reliability Organization, called NERC, and the Federal Energy Regulatory Commission.  It makes me question if DHS is even aware that the electricity industry is the only industry already subject to mandatory cyber standards or that NERC has the ability to issue time-sensitive alerts to electric utilities in emergency situations. 

“It is hard to understand why DHS would proceed with a grid attack simulation and not include the government entities that already have safeguards in place. And, further, it begs the question as to whether Congress should provide DHS with such significant and expansive new authorities in the cyber arena.

“Before I close, I’d like to take a moment to talk about process behind cybersecurity legislation. While my colleagues and I have highlighted the substantive and procedural problems associated with the Homeland Security Committee’s bill, the majority and even the press have attempted to dismiss our arguments as nothing more than partisan stall tactics. That is simply not true.  I want to take action on cyber. We need to take action on cyber. I’ve been calling for legislation since last Congress. But process matters.  That’s how strong, bipartisan pieces of legislation are enacted. When you forego that process and refuse to do the hard work in Committee, you set legislation up for failure.  And when you have seven ranking members taking issue with how a bill has been put together, you know the process has broken down. In fact, to brush off legitimate process concerns is a pretty partisan move in itself. We need to set aside politics, and focus on protection.

“The SECURE IT bill we introduced today is a strong starting point.  Some may argue that we need to go further, but additional layers of bureaucracy and regulations are not the answer at this time.  Legislating in the four areas we’ve highlighted – information sharing, FISMA reform, criminal penalties, and research – are necessary first steps that will make a tremendous amount of difference.  If we need to do more in the future, Congress can make that determination.  But let’s not take an “all-or-nothing” approach to cyber legislation and wind up empty-handed. I ask my colleagues to support the SECURE IT Act so we can continue to ensure that our citizens, our companies, and our country are protected.”