Sen. Murkowski: Process Matters

WASHINGTON, D.C. – U.S. Sen. Lisa Murkowski, R-Alaska, today spoke on the Senate floor about the importance of allowing a full and open amendment process when considering legislation to improve the nation’s cybersecurity defenses.

The Senate on Thursday voted against advancing the Cybersecurity Act of 2012, after the Majority Leader refused to allow members to offer amendments. Instead, Murkowski and a number of other Senate ranking members have introduced the SECURE IT Act, which takes a more pragmatic approach to strengthening the nation’s protections against cyber attacks.    

The text of Sen. Murkowski’s remarks, as prepared, is below:

“There is no question that cybersecurity is a critical issue. I’m sure that every member of this body shares the concern that our nation may be vulnerable to cyber-attacks that could have severe economic and national security ramifications. Indeed, with over 180 amendments filed to the cyber legislation, it’s clear that all of us have ideas on how best to protect our critical infrastructure. 

“That is why I was so disappointed that the Majority Leader filled the amendment tree and filed cloture on the cyber measure. That was not the open process we were promised when the Senate overwhelmingly agreed to consider the cyber bill. And because members were denied the opportunity to have the thoughtful and complete debate this important issue deserves, the cloture vote failed this morning on a bipartisan basis.

“We’ve heard a lot about the electric grid during this debate and how legislation is needed to protect our nation’s transmission system from cyber-attack. What’s been missing from this discussion is a recognition that Congress already moved to protect our grid system seven years ago, by enacting the bipartisan Energy Policy Act of 2005.

“As the ranking member of the committee of jurisdiction, let me reassure my colleagues that we already have mandatory cybersecurity standards in place for the electric grid.

“In the 2005 Energy Policy Act, Congress directed the Federal Energy Regulatory Commission – the grid’s regulator – to set mandatory, enforceable reliability standards, including standards for cybersecurity. Because these standards can be extremely complex and highly technical, Congress decided they should be developed through a consensus-driven stakeholder process overseen by an Electric Reliability Organization – now NERC.

“We thought this was so important back in 2005 that we even expanded FERC’s traditional jurisdiction to include municipal and cooperatively-owned utility systems under these grid reliability standards. It might surprise some of you to learn that the FERC/NERC mandatory cybersecurity regime currently regulates over 1,900 entities and that the electric power sector is already subject to federal penalties of up to $1 million per day for non-compliance. In fact, one of our own government entities, the Southwestern Power Administration, was recently fined by the grid regulators for violating two mandatory cyber standards.    

“The point is that the electric power sector and our grid regulators have been working extremely hard these past seven years to develop and implement these cyber standards.  We’ve already taken substantial measures to safeguard our electric utility systems. 

“We’ve identified our critical assets and established security management controls; we’ve performed risk assessments and trained our personnel; we’ve established sabotage reporting; and we’ve mandated disaster recovery plans.

“It also might surprise members to learn that the Nuclear Regulatory Commission has already taken action to protect the nation’s nuclear facilities from cyber-attack. The nuclear industry developed a cybersecurity program for critical assets over a decade ago. 

“The NRC now mandates cybersecurity plans for nuclear plants, including the identification of critical cyber assets and required contingency and incident response plans. Failure to comply with NRC cyber requirements could result in fines and even an order to shut the nuclear reactor down.

“If anything, the cyber bill that was brought to the floor via Rule 14 would undermine the existing mandatory framework Congress has already established. By establishing a competing regime – even if such a regime was truly voluntary – the Cybersecurity Act the Senate just rejected could duplicate, conflict with, and even supersede the hard work that’s already been put in over the past several years to safeguard both our grid and our nuclear facilities.

“One of the amendments I had filed to the bill was a strong savings clause that would maintain our mandatory protections. Two competing systems are not workable and could make both the nation’s grid and nuclear facilities more vulnerable to cyber-attack.       

“One thing we’ve learned in the Energy Committee in overseeing our mandatory cyber practices is that not everything needs to rise to the level of a foundational standard. But, with cyber threats and vulnerabilities that are constantly emerging and constantly changing, the one thing we always need is more information.

“I think we can all agree that the federal government needs to form a partnership with the private sector. After all, we share the same goals – to keep our computer systems and our nation safe from cyber intrusions. We need private companies to talk with each other and with the government about the cyber problems they face, as well as the potential strategies and solutions to combat them. And we need our government to provide timely and actionable information to the private sector.

“That’s why I would encourage members to take a close look at the SECURE IT cyber legislation that I, along with a number of my ranking colleagues, have offered as an alternative. The SECURE IT bill is a commonsense approach to addressing these ever-increasing cyber threats. Our bill focuses on four areas that we believe can reach bipartisan support and result in legislation that can get enacted even in an election year.  Those four areas are: information sharing, FISMA reform, criminal penalties and additional research.

“I’d like to close with some observations about process. Back in 2005, when the Senate passed the bipartisan Energy Policy Act by a vote of 85-12, we spent a full two weeks on the floor considering amendments. We had earlier spent two weeks marking up the bill in Committee. Process matters. That’s how strong, bipartisan pieces of legislation are enacted. When you forego that process and refuse to do the hard work in Committee, send an ever-changing bill directly to the floor via Rule 14 and then fill the amendment tree, that legislation is bound for failure. That’s what happened today.

“A few months ago I came to the floor to advocate for cyber legislation and to express my concern that the “all-or-nothing” approach to cybersecurity would result in nothing.  After today’s vote, we have nothing. I remain hopeful that we can find a path forward on the cyber issue that will result in a truly bipartisan and effective piece of legislation that will help protect our nation’s critical infrastructure.”