Congressional Record: April 12, 2000 (Extensions)
Page E545-E546
INTRODUCTION OF THE CYBER SECURITY INFORMATION ACT OF 2000

HON. THOMAS M. DAVIS of Virginia, in the House of Representatives, Wednesday, April 12, 2000

Mr. DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to introduce legislation with my good friend and colleague from northern Virginia, Representative Jim Moran, that will facilitate the protection of our nation's critical infrastructure from cyber threats. In the 104th Congress, we called upon the Administration to study our nation's critical infrastructure vulnerabilities and to identify solutions to address these vulnerabilities. The Administration has, through the President and participating agencies, identified a number of steps that must be taken in order to eliminate the potential for significant damage to our critical infrastructure. Foremost among these suggestions is the need to ensure coordination between the public and private sector representatives of critical infrastructure. The bill I am introducing today is the first step in encouraging private sector cooperation and participation with the government to accomplish this objective.

The critical infrastructure of the United States is largely owned and operated by the private sector. Critical infrastructures are those systems that are essential to the minimum operations of the economy and government. Our critical infrastructure is comprised of the financial services, telecommunications, information technology, transportation, water systems, emergency services, electric power, gas and oil sectors in private industry as well as our National Defense, and Law Enforcement and International Security sectors within the government. Traditionally, these sectors operated largely independently of one another and coordinated with government to protect themselves against threats posed by traditional warfare.
Today, these sectors must learn how to protect themselves against unconventional threats such as terrorist attacks, and cyber attack. These sectors must also recognize the vulnerabilities they may face because of the tremendous technological progress we have made. As we learned when planning for the challenges presented by the Year 2000 rollover, many of our computer systems and networks are now interconnected and communicate with many other systems. With the many advances in information technology, many of our critical infrastructure sectors are linked to one another and face increased vulnerability to cyber threats. Technology interconnectivity increases the risk that problems affecting one system will also affect other connected systems. Computer networks can provide pathways among systems to gain unauthorized access to data and operations from outside locations if they are not carefully monitored and protected. A cyber threat could quickly shut down any one of our critical infrastructures and potentially cripple several sectors at one time. Nations around the world, including the United States, are currently training their military and intelligence personnel to carry out cyber attacks against other nations to quickly and efficiently cripple a nation's daily operations. Cyber attacks have moved beyond the mischievous teenager and are being learned and used by terrorist organizations as the latest weapon in a nation's arsenal. In June 1998 and February 1999, the Director of the Central Intelligence Agency testified before Congress that several nations recognize that cyber attacks against civilian computer systems represent the most viable option for leveling the playing field in an armed crisis against the United States. The Director also stated that several terrorist organizations believed information warfare to be a low cost opportunity to support their causes.
Both Presidential Decision Directive 63 (PDD-63), issued in May 1998, and the President's National Plan for Information Systems Protection, Version 1.0, issued in January 2000, call on the legislative branch to build the necessary framework to encourage information sharing to address cyber security threats to our nation's privately held critical infrastructure. Recently, we have learned the inconveniences that may be caused by a cyber attack or unforeseen circumstance. Earlier this year, many of our most popular sites such as Yahoo, eBay and Amazon.com were shut down for several hours at a time over several days by a team of hackers interested in demonstrating their capability to disrupt service. While we may have found the shutdown of these sites temporarily inconvenient, they potentially cost those companies significant amounts of lost revenue, and it is not too difficult to imagine what would have occurred if the attacks had been focused on our utilities, or emergency services industries. We, as a society, have grown increasingly dependent on our infrastructure providers. I am sure many of you recall when PanAmSat's Galaxy IV satellite's on-board controller lost service. An estimated 80 to 90% of our nation's pagers were inoperable, and hospitals had difficulty reaching doctors on call and emergency workers. It even impeded the ability of consumers to use credit cards to pay for their gas at the pump. Moreover, recent studies have demonstrated that the incidence of cyber security threats to both the government and the private sector are only increasing. According to an October 1999 report issued by the General Accounting Office (GAO), the number of reported computer security incidents handled by Carnegie-Mellon University's CERT Coordination Center has increased from 1,334 in 1993 to 4,398 during the first two quarters of 1999.
Additionally, the Computer Security Institute reported an increase in attacks for the third year in a row based on responses to their annual survey on computer security. GAO has done a number of reports that give Congress an accurate picture of the risk facing federal agencies; they cannot track such information for the private sector. We must rely on the private sector to share its vulnerabilities with the federal government so that all of our critical infrastructures are protected. Today, I am introducing legislation that gives critical infrastructure industries the assurances they

The Cyber Security Information Act of 2000 is closely modeled after the successful Year 2000 Information and Readiness Disclosure Act by providing a limited FOIA exemption, civil litigation protection for shared information, and an antitrust exemption for information shared within an ISAC. These three protections have been previously cited by the Administration as necessary legislative remedies in Version 1.0 of the National Plan and PDD-63. This legislation will enable the ISACs to move forward without fear from industry so that government and industry may enjoy the mutually cooperative partnership called for in PDD-63. This will also allow us to get a timely and accurate assessment of the vulnerabilities of each sector to cyber attacks and allow for the formulation of proposals to eliminate these vulnerabilities without increasing government regulation, or expanding unfunded federal mandates on the private sector.
PDD-63 calls upon the government to put in place a critical infrastructure proposal that will allow for three tasks to be accomplished by 2003: (1) The Federal Government must be able to perform essential national security missions and to ensure the general public health and safety; (2) State and local governments must be able to maintain order and to deliver minimum essential public services; and (3) The private sector must be able to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services. This legislation will allow the private sector to meet this deadline. We will also ensure the ISACs can move forward to accomplish their missions by developing the necessary technical expertise to establish baseline statistics and patterns within the various infrastructures, become a clearinghouse for information within and among the various sectors, and provide a repository of valuable information that may be used by the private sector. As technology continues to rapidly improve industry efficiency and operations, so will the risks posed by vulnerabilities and threats to our infrastructure. We must create a framework that will allow our protective measures to adapt and be updated quickly. It is my hope that we will be able to move forward quickly with this legislation and that Congress and the Administration can move forward in partnership to provide industry and government with the tools for meeting this challenge. A Congressional Research Service report on the ISAC proposal describes the information sharing model as one of the most crucial pieces for success in protecting our critical infrastructure, yet one of the hardest pieces to realize. With the introduction of the Cyber Security Information Act of 2000, we are removing the primary barrier to information sharing between government and industry.
This is landmark legislation that will be replicated around the globe by other nations as they too try to address threats to their critical infrastructure. Mr. Speaker, I believe that the Cyber Security Information Act of 2000 will help us address critical infrastructure cyber threats with the same level of success we achieved in addressing the Year 2000 problem. With government and industry cooperation, the seamless delivery of services and the protection of our nation's economy and well-being will continue without interruption just as the delivery of services continued on January 1, 2000.
106TH CONGRESS, 2D SESSION
H. R. 4246
IN THE HOUSE OF REPRESENTATIVES
Mr. DAVIS of Virginia (for himself and Mr. MORAN of Virginia) introduced the following bill; which was referred to the Committee on ______________

A BILL
To encourage the secure disclosure and protected exchange of information about cyber security problems, solutions, test practices and test results, and related matters in connection with critical infrastructure protection.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the "Cyber Security Information Act".
SEC. 2. FINDINGS AND PURPOSES.
(a) FINDINGS.—Congress finds the following:
(1)(A) Many information technology computer systems, software programs, and similar facilities are vulnerable to attacks or misuse through the Internet, public or private telecommunications systems, or similar means.
(B) The problem described in subparagraph (A) and resulting failures could incapacitate systems that are essential to the functioning of markets, commerce, consumer products, utilities, government, and safety and defense systems, in the United States and throughout the world.
(C) Protecting, reprogramming, or replacing affected systems before the problem incapacitates essential systems is a matter of national and global interest.
(2) The prompt, candid, and thorough, but secure and protected, disclosure and exchange of information related to the cyber security of entities, systems, and infrastructure—
(A) would greatly enhance the ability of public and private entities to improve their own cyber security; and
(B) is therefore a matter of national importance and a vital factor in minimizing any potential cyber security related disruption to the Nation's economic well-being and security.
(3) Concern about the potential for legal liability associated with the disclosure and exchange of cyber security information could unnecessarily impede the secure disclosure and protected exchange of such information.
(4) The capability to securely disclose and engage in the protected exchange of information relating to cyber security, solutions, test practices and test results, without undue concern about inappropriate disclosure of that information, is critical to the ability of public and private entities to address cyber security needs in a timely manner.
(5) The national interest will be served by uniform legal standards in connection with the secure disclosure and protected exchange of cyber security information that will promote appropriate disclosures and exchanges of such information in a timely fashion.
(6) The "National Plan for Information Systems Protection, Version 1.0, An Invitation to a Dialogue", released by the President on January 7, 2000, calls for the Government to assist in seeking changes to applicable laws on "Freedom of Information, liability, and antitrust where appropriate" in order to foster industry-wide centers for information sharing and analysis.
(b) PURPOSES.—Based upon the powers contained in article I, section 8, clause 3 of the Constitution of the United States, the purposes of this Act are—
(1) to promote the secure disclosure and protected exchange of information related to cyber security;
(2) to assist private industry and government in effectively and rapidly responding to cyber security problems;
(3) to lessen burdens on interstate commerce by establishing certain uniform legal principles in connection with the secure disclosure and protected exchange of information related to cyber security; and
(4) to protect the legitimate users of cyber networks and systems, and to protect the privacy and confidence of shared information.
SEC. 3. DEFINITIONS.
In this Act:
(1) ANTITRUST LAWS.—The term "antitrust laws"—
(A) has the meaning given to it in subsection (a) of the first section of the Clayton Act (15 U.S.C. 12(a)), except that such term includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent such section 5 applies to unfair methods of competition; and
(B) includes any State law similar to the laws referred to in subparagraph (A).
(2) CRITICAL INFRASTRUCTURE.—The term "critical infrastructure" means facilities or services so vital to the nation or its economy that their disruption, incapacity, or destruction would have a debilitating impact on the defense, security, long-term economic prosperity, or health or safety of the United States.
(3) CYBER SECURITY.—The term "cyber security" means the vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems, or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety.
(4) CYBER SECURITY INTERNET WEBSITE.—The term "cyber security Internet website" means an Internet website or other similar electronically accessible service, clearly designated on the website or service by the person or entity creating or controlling the content of the website or service as an area where cyber security statements are posted or otherwise made accessible to appropriate entities.
(5) CYBER SECURITY STATEMENT.—
(A) IN GENERAL.—The term "cyber security statement" means any communication or other conveyance of information by a party to another, in any form or medium including by means of a cyber security Internet website—
(i) concerning an assessment, projection, or estimate concerning the cyber security of that entity, its computer systems, its software programs, or similar facilities of its own;
(ii) concerning plans, objectives, or timetables for implementing or verifying the cyber security thereof;
(iii) concerning test plans, test dates, test results, or operational problems or solutions related to the cyber security thereof; or
(iv) reviewing, commenting on, or otherwise directly or indirectly relating to the cyber security thereof.
(B) NOT INCLUDED.—For the purposes of any action brought under the securities laws, as that term is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47)), the term "cyber security statement" does not include statements contained in any documents or materials filed with the Securities and Exchange Commission, or with Federal banking regulators, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 781(i)), or disclosures or writing that when made accompanied the solicitation of an offer or sale of securities.
SEC. 4. SPECIAL DATA GATHERING.
(a) IN GENERAL.—Any Federal entity, agency, or authority may expressly designate a request for the voluntary provision of information relating to cyber security, including cyber security statements, as a cyber security data gathering request made pursuant to this section.
(b) SPECIFICS.—A cyber security data gathering request made under this section—
(A) shall specify a Federal entity, agency, or authority, or, with its consent, another public or private entity, agency, or authority, to gather responses to the request;
(B) shall be a request from a private entity, agency, or authority to a Federal entity, agency, or authority; or
(C) shall be deemed to have been made and to have specified such a private entity, agency, or authority when the Federal entity, agency, or authority has voluntarily been given cyber security information gathered by that private entity, agency, or authority, including by means of a cyber security Internet website.
(c) PROTECTIONS.—Except with the express consent or permission of the provider of information described in paragraph (1), any cyber security statements or other such information provided by a party in response to a special cyber security data gathering request made under this section—
(1) shall be exempt from disclosure under section 552(a) of title 5, United States Code (commonly known as the "Freedom of Information Act"), by all Federal entities, agencies, and authorities;
(2) shall not be disclosed to or by any third party; and
(3) may not be used by any Federal or State entity, agency, or authority or by any third party, directly or indirectly, in any civil action arising under any Federal or State law.
(d) EXCEPTIONS.—
(1) INFORMATION OBTAINED ELSEWHERE.—Nothing in this section shall preclude a Federal entity, agency, or authority, or any third party, from separately obtaining the information submitted in response to a request under this section through the use of independent legal authorities, and using such separately obtained information in any action.
(2) PUBLIC DISCLOSURE.—A restriction on use or disclosure of information under this section shall not apply to any information disclosed generally or broadly to the public with the express consent of the party.

SEC. 5. ANTITRUST EXEMPTION.
(a) EXEMPTION.—Except as provided in subsection (b), the antitrust laws shall not apply to conduct engaged in, including making and implementing an agreement, solely for the purpose of and limited to—
(1) facilitating the correction or avoidance of a cyber security related problem; or
(2) communicating or disclosing information to help correct or avoid the effects of a cyber security related problem.
(b) EXCEPTION TO EXEMPTION.—Subsection (a) shall not apply with respect to conduct that involves or results in an agreement to boycott any person, to allocate a market, or to fix prices or output.
SEC. 6. CYBER SECURITY WORKING GROUPS.
(a) IN GENERAL.—
(1) WORKING GROUPS.—The President may establish and terminate working groups composed of Federal employees who will engage outside organizations in discussions to address cyber security, to share information related to cyber security, and otherwise to serve the purposes of this Act.
(2) LIST OF GROUPS.—The President shall maintain and make available to the public a printed and electronic list of such working groups and a point of contact for each, together with an address, telephone number, and electronic mail address for such point of contact.
(3) BALANCE.—The President shall seek to achieve a balance of participation and representation among the working groups.
(4) MEETINGS.—Each meeting of a working group created under this section shall be announced in advance in accordance with procedures established by the President.
(b) FEDERAL ADVISORY COMMITTEE ACT.—The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the working groups established under this section.
(c) PRIVATE RIGHT OF ACTION.—This section creates no private right of action to sue for enforcement of any provision of this section.