Hatch Calls for Audit of Federal Government’s Vulnerability to Cyber Attacks

Senator Orrin Hatch, R-Utah, spoke on the Senate floor Tuesday about the Federal Computer Security Act of 2015, an amendment included in the Cybersecurity Information Sharing Act (“CISA”), which ensures government cybersecurity accountability. 


Hatch said, “The future of our nation’s cybersecurity starts with our federal government practicing good cyber-hygiene. In strengthening our security infrastructure, the federal government should be accountable to the American people—especially when cyber attacks affect millions of taxpayers.”

“The Federal Computer Security Act shines light on whether the federal government is using the most up-to-date cybersecurity practices and software to protect federal computer systems and databases from both external cyber-attackers and insider threats. Specifically, the legislation requires federal agency Inspectors General to report to Congress on the security practices and software used to safeguard classified and personally identifiable information on federal computer systems.”

The Federal Computer Security Act of 2015 has broad industry support. You can find more about it here.

The full speech, as prepared for delivery, is below.

Mr. President, as the Senate turns its focus to legislation related to the critical issue of our nation’s cybersecurity, and in light of Chinese President Xi (SHEE) Jinping’s state visit last month, I would like to reflect on America’s security in cyberspace. 

As the global economy becomes increasingly dependent on the Internet, the exponential increase in the number and scale of cyber-attacks and cyber-thefts is straining our relationship with international trading partners throughout the world. This is especially true for our important trade relationship with China. This year alone, the U.S. has experienced some of the largest cyber-attacks in our nation’s history—many of which are believed to have been perpetrated by the Chinese.

Just last February, hackers breached the customer records of the health insurance company Anthem Blue Cross/Blue Shield. Many news sources reported that China was responsible for the attack.  This cyber-attack resulted in the theft of approximately 80 million customers’ personally identifiable information, including social security numbers and information that can be used for identity theft.

In the early summer, cyber criminals also hacked United Airlines, compromising manifest data that detailed the movement of millions of Americans. According to news media, China was again believed to have been responsible.

But the most devastating cyber-attack this year was on the U.S. Government’s Office of Personnel Management.  This past June, sources report that the OPM data breach—considered the worst cyber intrusion ever perpetrated against the U.S. government—affected about 21.5 million federal employees and contractors. Hackers successfully accessed sensitive personal information, including security clearance files, social security numbers, and information about employees’ contacts and families.  Again, China was the suspected culprit. 

Most troubling, the OPM breach included over 19.7 million background investigation records for cleared U.S. government employees.  The exposure of this highly sensitive information not only puts our national security at risk, but also raises concerns that foreign governments may be keeping detailed databases on U.S. federal workers and their associations. 

I was pleased that during the Chinese President’s visit to Washington last month, President Obama expressed his “very serious concerns about growing cyber threats” and stated that the cyber-theft of intellectual property and commercial trade secrets “has to stop.”   President Obama and President Xi Jinping came to an agreement not to “conduct or knowingly support” cyber-theft of intellectual property or commercial trade secrets. 

Even so, Director of National Intelligence James Clapper expressed doubts about the agreement in a hearing before the Senate Armed Services Committee last week. When Chairman McCain asked Mr. Clapper if he was optimistic about the deal, he told members of the Committee he was not. I add my skepticism of this agreement to the growing chorus of lawmakers, military leaders, and intelligence community personnel who have voiced similar reservations.

As Admiral Rogers, the head of the National Security Agency and U.S. Cyber Command, has said, “China is the biggest proponent of cyberattacks being waged against the U.S.” We must do more to defend ourselves against this growing threat. Unfortunately, I have been disappointed in this Administration’s inability to protect our federal computer systems from cyber-intrusions and to hold criminals accountable for their participation in cyberattacks committed against the United States.

Sadly, the cyber threats facing our nation are not limited to China; investigators believe that Russia, North Korea, Iran, and several other nations have also launched cyber-attacks against our government, U.S. citizens, and companies. These attacks are increasing, both in severity and number:

In April, Russian hackers accessed White House networks containing sensitive information, including emails sent and received by the President; 

In May, hackers breached IRS servers to gain access to 330,000 American taxpayers’ tax returns; 

That same month, a fraudulent stock trader manipulated U.S. markets, costing the stock exchange an estimated $1 trillion in just 36 minutes; 

And in July, it was reported that a Russian spear phishing attack shut down the Joint Chiefs of Staff email system for 11 days; 

Just one month ago, hackers stole the personal data of 15 million T-Mobile customers by breaching Experian—the company that processes credit checks for prospective customers.  This stolen data includes names, birth dates, addresses, social security numbers, and credit card information.

These breaches have a serious and real cost for the victims.  According to the Federal Trade Commission, the average identity fraud victim in 2012 incurred an average of $365 in losses. 

Incredibly, all of these high-profile breaches have occurred this year, making 2015 perhaps the worst year ever in terms of attacks on our nation’s cybersecurity. Prior to 2015, we also saw several high-profile breaches at large American corporations like Target, Home Depot, Sony, and others.  Our lack of effective cybersecurity policies and procedures threatens the safety of our people, our national defense, our critical infrastructure, and the health and strength of our economy.    

We must be more vigilant in reinforcing our cyber-infrastructure to better defend ourselves against these attacks. In doing so, the U.S. must create a deterrent for those who seek to commit cyber-attacks on our government and citizens.  Hackers wishing to do our nation harm should face significant consequences.  Our adversaries must know that they will suffer an unacceptable cost if they attack the United States. 

Mr. President, as you can see, finding a solution to this critical problem must be an urgent priority for the United States Senate. I agree with Leader McConnell that we must move forward in the Senate with legislation to improve our nation’s cybersecurity practices and policies.  I am supportive of the objectives outlined in Chairman Burr and Vice-chairman Feinstein’s bipartisan Cybersecurity Information Sharing Act (CISA).

I was pleased to see the Senate Select Committee on Intelligence pass the Burr-Feinstein CISA bill out of committee by an overwhelming bipartisan vote of 14-1.  This important legislation incentivizes and authorizes private sector companies to voluntarily share cyber threat information, in real time, that can be useful in detecting cyberattacks and in preventing future cyber intrusions. 

I also commend Chairman Burr and Vice Chairman Feinstein’s efforts to include provisions in CISA to protect personal privacy, including a measure that prevents a user’s personally identifiable information from being shared with government agencies.  Additionally, CISA sets limits on information that can be collected or monitored, by allowing information to be used only for cybersecurity purposes.

As the American economy grows ever more dependent on the Internet, I believe that CISA represents an important first step in protecting our nation’s critical infrastructure from the devastating impacts of cyber-attacks.  Congress must do more to adequately protect and secure America’s presence in cyberspace.

In light of recent revelations highlighting our federal government’s inability to adequately protect and secure classified data and other sensitive information, I joined Senator Carper—the Ranking Member of the Homeland Security and Government Affairs Committee—in introducing the Federal Computer Security Act. 

The Hatch-Carper bill shines light on whether our federal government is using the most up-to-date cybersecurity practices and software to protect federal computer systems and databases from both external cyber-attackers and insider threats. Specifically, this legislation requires federal agency Inspectors General to report to Congress on the security practices and software used to safeguard classified and personally identifiable information on federal computer systems. 

This bill requires each federal agency to submit a report to each respective congressional committee with oversight jurisdiction, describing in detail, to each committee, which security access controls the agency is implementing to protect unauthorized access to classified and sensitive personally identifiable information on government computers.

Requiring an accounting of each federal agency’s security practices, software, and technology is a logical first step in bolstering our nation’s cyber infrastructure.  These reports will guide Congress in crafting legislation to prevent future large scale data breaches and ensure that unauthorized users are not able to access classified and sensitive information.

Agencies should be employing multi-factor authentication policies, and should be implementing software to detect and monitor cybersecurity threats.  They should also be using the most up-to-date technology and security controls. The future of our nation’s cybersecurity starts with our federal government practicing good cyber-hygiene.  In strengthening our security infrastructure, the federal government should be accountable to the American People—especially when cyber attacks affect millions of taxpayers.

I have heard from many constituents who have expressed concerns about the state of America’s cybersecurity.   I am honored to represent a state that is an emerging center of technological advancement and innovation, with a growing hub of computer companies expanding across a metropolitan area known as “Silicon Slopes.”  The people of Utah recognize that our nation’s future depends on America’s ability to compete in the digital era. They understand that we must create effective cybersecurity policies so that we can continue to lead the world in innovation and technology advancement.

I am pleased to announce that an amended version of the Federal Computer Security Act is included in Chairman Burr and Vice Chairman Feinstein’s managers’ package. I want to express my appreciation to both the Chairman and Vice Chairman for their willingness to work with me in fine-tuning this legislation. I also want to thank Chairman Ron Johnson and Ranking Member Tom Carper of the Homeland Security and Government Affairs Committee for their efforts in this endeavor.

In addition to broad bipartisan support in the Senate, the Federal Computer Security Act enjoys support from key industry stakeholders.  Some of our nation’s largest computer security firms support the bill, including Symantec, Adobe, and CA Technologies–as well as industry groups like the Business Software Alliance and the IT Alliance for the Public Sector. 

Intelligence Committee Chairman Burr and Vice Chairman Feinstein have done a wonderful job at managing this critical cybersecurity legislation in the Senate. I am so pleased to see that under the leadership of Leader McConnell, the Senate is once again operating in an open and transparent fashion. It is refreshing to see Senators have the ability to file amendments and for the Senate to have robust consideration, debate, and to take votes on these amendments. I believe that because of this open Senate, we are producing superior legislative products and are better serving the needs of the American People. I look forward to the Senate’s further consideration and debate of the critically important Cybersecurity Information Sharing Act.

With that Mr. President, I yield the floor.