Introduction of the Cyber Security Information Act of 2000

Congressional Record: April 12, 2000 (Extensions)
Page E545-E546
       INTRODUCTION OF THE CYBER SECURITY INFORMATION ACT OF 2000

                                 ______


                          HON. THOMAS M. DAVIS

                              of virginia

                    in the house of representatives

                       Wednesday, April 12, 2000

  Mr. DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to
introduce legislation with my good friend and colleague from northern
Virginia, Representative Jim Moran, that will facilitate the protection
of our nation's critical infrastructure from cyber threats. In the
104th Congress, we called upon the Administration to study our nation's
critical infrastructure vulnerabilities and to identify solutions to
address these vulnerabilities. The Administration has, through the
President and participating agencies, identified a number of steps that
must be taken in order to eliminate the potential for significant
damage to our critical infrastructure. Foremost among these suggestions
is the need to ensure coordination between the public and private
sector representatives of critical infrastructure. The bill I am
introducing today is the first step in encouraging private sector
cooperation and participation with the government to accomplish this
objective.
  The critical infrastructure of the United States is largely owned and
operated by the private sector. Critical infrastructures are those
systems that are essential to the minimum operations of the economy and
government. Our critical infrastructure is comprised of the financial
services, telecommunications, information technology, transportation,
water systems, emergency services, electric power, gas and oil sectors
in private industry as well as our

[[Page E546]]

National Defense, and Law Enforcement and International Security
sectors within the government. Traditionally, these sectors operated
largely independently of one another and coordinated with government to
protect themselves against threats posed by traditional warfare. Today,
these sectors must learn how to protect themselves against
unconventional threats such as terrorist attacks, and cyber attack.
These sectors must also recognize the vulnerabilities they may face
because of the tremendous technological progress we have made. As we
learned when planning for the challenges presented by the Year 2000
rollover, many of our computer systems and networks are now
interconnected and communicate with many other systems. With the many
advances in information technology, many of our critical infrastructure
sectors are linked to one another and face increased vulnerability to
cyber threats. Technology interconnectivity increases the risk that
problems affecting one system will also affect other connected systems.
Computer networks can provide pathways among systems to gain
unauthorized access to data and operations from outside locations if
they are not carefully monitored and protected.
  A cyber threat could quickly shutdown any one of our critical
infrastructures and potentially cripple several sectors at one time.
Nations around the world, including the United States, are currently
training their military and intelligence personnel to carry out cyber
attacks against other nations to quickly and efficiently cripple a
nation's daily operations. cyber attacks have moved beyond the
mischievous teenager and are being learned and used by terrorist
organizations as the latest weapon in a nation's arsenal. In June 1998
and February 1999, the Director of the Central Intelligence Agency
testified before Congress that several nations recognize that cyber
attacks against civilian computer systems represent the most viable
option for leveling the playing field in an armed crisis against the
United States. The Director also stated that several terrorist
organizations believed information warfare to be a low cost opportunity
to support their causes. Both Presidential Decision Directive 63 (PDD-
63) issued in May 1998, and the President's National Plan for
Information Systems Protection, Version 1.0 issued in January 2000,
call on the legislative branch to build the necessary framework to
encourage information sharing to address cyber security threats to our
nation's privately held critical infrastructure.
  Recently, we have learned the inconveniences that may be caused by a
cyber attack or unforeseen circumstance. Earlier this year, many of our
most popular sites such as Yahoo, eBay and Amazon.com were shutdown for
several hours at a time over several days by a team of hackers
interested in demonstrating their capability to disrupt service. While
we may have found the shutdown of these sites temporarily inconvenient,
they potentially cost those companies significant amounts of lost
revenue, and it is not too difficult to imagine what would have
occurred if the attacks had been focused on our utilities, or emergency
services industries. We, as a society, have grown increasingly
dependent on our infrastructure providers. I am sure many of you recall
when PanAmSat's Galaxy IV satellite's on-board controller lost service.
An estimated 80 to 90% of our nation's pagers were inoperable, and
hospitals had difficulty reaching doctors on call and emergency
workers. It even impeded the ability of consumers to use credit cards
to pay for their gas at the pump.
  Moreover, recent studies have demonstrated that the incidence of
cyber security threats to both the government and the private sector
are only increasing. According to an October 1999 report issued by the
General Accounting Office (GAO), the number of reported computer
security incidents handled by Carnegie-Mellon University's CERT
Coordination Center has increased from 1,334 in 1993 to 4,398 during
the first two quarters of 1999. Additionally, the Computer Security
Institute reported an increased in attacks for the third year in a row
based on responses to their annual survey on computer security. GAO has
done a number of reports that give Congress an accurate picture of the
risk facing federal agencies; they cannot track such information for
the private sector. We must rely on the private sector to share its
vulnerabilities with the federal government so that all of our critical
infrastructures are protected.
  Today, I am introducing legislation that gives critical
infrastructure industries the assurances they
  The Cyber Security Information Act of 2000 is closely modeled after
the successful Year 2000 Information and Readiness Disclosure Act by
providing a limited FOIA exemption, civil litigation protection for
shared information, and an antitrust exemption for information shared
within an ISAC. These three protections have been previously cited by
the Administration as necessary legislative remedies in Version 1.0 of
the National Plan and PDD-63. This legislation will enable the ISACs to
move forward without fear from industry so that government and industry
may enjoy the mutually cooperative partnership called for in PDD-63.
This will also allow us to get a timely and accurate assessment of the
vulnerabilities of each sector to cyber attacks and allow for the
formulation of proposals to eliminate these vulnerabilities without
increasing government regulation, or expanding unfunded federal
mandates on the private sector.
  PDD-63 calls upon the government to put in place a critical
infrastructure proposal that will allow for three tasks to be
accomplished by 2003:
  (1) The Federal Government must be able to perform essential national
security missions and to ensure the general public health and safety;
  (2) State and local governments must be able to maintain order and to
deliver minimum essential public services; and
  (3) The private sector must be able to ensure the orderly functioning
of the economy and the delivery of essential telecommunications,
energy, financial, and transportation services. This legislation will
allow the private sector to meet this deadline.
  We will also ensure the ISACs can move forward to accomplish their
missions by developing the necessary technical expertise to establish
baseline statistics and patterns within the various infrastructures,
become a clearinghouse for information within and among the various
sectors, and provide a repository of valuable information that may be
used by the private sector. As technology continues to rapidly improve
industry efficiency and operations, so will the risks posed by
vulnerabilities and threats to our infrastructure. We must create a
framework that will allow our protective measures to adapt and be
updated quickly.
  It is my hope that we will be able to move forward quickly with this
legislation and that Congress and the Administration can move forward
in partnership to provide industry and government with the tools for
meeting this challenge. A Congressional Research Service report on the
ISAC proposal describes the information sharing model one of the most
crucial pieces for success in protecting our critical infrastructure,
yet one of the hardest pieces to realize. With the introduction of the
Cyber Security Information Act of 2000, we are removing the primary
barrier to information sharing between government and industry. This is
landmark legislation that will be replicated around the globe by other
nations as they too try to address threats to their critical
infrastructure.
  Mr. Speaker, I believe that the Cyber Security Information Act of
2000 will help us address critical infrastructure cyber threats with
the same level of success we achieved in addressing the Year 2000
problem. With government and industry cooperation, the seamless
delivery of services and the protection or our nation's economy and
well-being will continue without interruption just as the delivery of
services continued on January 1, 2000.
106TH CONGRESS
2D SESSION
H. R. 4246
IN THE HOUSE OF REPRESENTATIVES
Mr. DAVIS of Virginia (for himself and Mr. MORAN of Virginia) introduced
the following bill; which was referred to the Committee on______________

A BILL
To encourage the secure disclosure and protected exchange
of information about cyber security problems, solutions,
test practices and test results, and related matters in
connection with critical infrastructure protection.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION. 1. SHORT TITLE.
This Act may be cited as the ��Cyber Security Information Act��.
SEC. 2. FINDINGS AND PURPOSES.
(a) FINDINGS.�Congress finds the following:
(1)(A) Many information technology computer systems, software programs, and similar facilities are vulnerable to attacks or misuse through the Internet, public or private telecommunications systems, or similar means.
(B) The problem described in subparagraph (A) and resulting failures could incapacitate systems that are essential to the functioning of markets, commerce, consumer products, utilities, government, and safety and defense systems, in the United States and throughout the world.
(C) Protecting, reprogramming, or replacing affected systems before the problem incapacitates essential systems is a matter of national and global interest.
(2) The prompt, candid, and thorough, but secure and protected, disclosure and exchange of information related the cybersecurity of entities, systems, and infrastructure�
(A) would greatly enhance the ability of public and private entities to improve their own cyber security; and
(B) is therefore a matter of national importance and a vital factor in minimizing any potential cyber security related disruption to the Nation�s economic well-being and security.
(3) Concern about the potential for legal liability associated with the disclosure and exchange of cyber security information could unnecessarily impede the secure disclosure and protected exchange of such information.
(4) The capability to securely disclose and engage in the protected exchange of information relating to cyber security, solutions, test practices and test results, without undue concern about inappropriate disclosure of that information, is critical to the ability of public and private entities to address cyber security needs in a timely manner.
(5) The national interest will be served by uniform legal standards in connection with the secure disclosure and protected exchange of cyber security information that will promote appropriate disclosures and exchanges of such information in a timely fashion.
(6) The ��National Plan for Information Systems Protection, Version 1.0, An Invitation to a Dialogue��, released by the President on January 7, 2000, calls for the Government to assist in seeking changes to applicable laws on ��Freedom of Information, liability, and antitrust where appropriate�� in order to foster industry-wide centers for information sharing and analysis.
(b) PURPOSES.�Based upon the powers contained in article I, section 8, clause 3 of the Constitution of the United States, the purposes of this Act are�
(1) to promote the secure disclosure and protected exchange of information related to cyber security;
(2) to assist private industry and government in effectively and rapidly responding to cyber security problems;
(3) to lessen burdens on interstate commerce by establishing certain uniform legal principles in connection with the secure disclosure and protected exchange of information related to cyber security; and
(4) to protect the legitimate users of cyber networks and systems, and to protect the privacy and confidence of shared information.
SEC. 3. DEFINITIONS.
In this Act:
(1) ANTITRUST LAWS.�The term ��antitrust laws��
(A) has the meaning given to it in subsection (a) of the first section of the Clayton Act (15 U.S.C. 12(a)), except that such term includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent such section 5 applies to unfair methods of competition; and
(B) includes any State law similar to the laws referred to in subparagraph (A).
(2) CRITICAL INFRASTRUCTURE.�The term ��critical infrastructure�� means facilities or services so vital to the nation or its economy that their disruption, incapacity, or destruction would have a debilitating impact on the defense, security, long-term economic prosperity, or health or safety of the United States.
(3) CYBER SECURITY.�The term ��cyber security�� means the vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems, or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety.
(4) CYBER SECURITY INTERNET WEBSITE.� The term ��cyber security Internet website�� means an Internet website or other similar electronically accessible service, clearly designated on the website or service by the person or entity creating or controlling the content of the website or service as an area where cyber security statements are posted or otherwise made accessible to appropriate entities.
(5) CYBER SECURITY STATEMENT.�
(A) IN GENERAL.�The term ��cyber security statement�� means any communication or other conveyance of information by a party to another, in any form or medium including by means of a cyber security Internet website�
(i) concerning an assessment, projection, or estimate concerning the cyber security of that entity, its computer systems, its software programs, or similar facilities of its own;
(ii) concerning plans, objectives, or timetables for implementing or verifying the cyber security thereof;
(iii) concerning test plans, test dates, test results, or operational problems or solutions related to the cyber security thereof; or
(iv) reviewing, commenting on, or otherwise directly or indirectly relating to the cyber security thereof.
(B) NOT INCLUDED.�For the purposes of any action brought under the securities laws, as that term is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47)), the term ��cyber security statement�� does not include statements contained in any documents or materials filed with the Securities and Exchange Commission, or with Federal banking regulators, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 781(i)), or disclosures or writing that when made accompanied the solicitation of an offer or sale of securities.
SEC. 4. SPECIAL DATA GATHERING.
(a) IN GENERAL.�Any Federal entity, agency, or authority may expressly designate a request for the voluntary provision of information relating to cyber security, including cyber security statements, as a cyber security data gathering request made pursuant to this section.
(b) SPECIFICS.�A cyber security data gathering request made under this section�
(A) shall specify a Federal entity, agency, or authority, or, with its consent, another public or private entity, agency, or authority, to gather responses to the request;
(B) shall be a request from a private entity, agency, or authority to a Federal entity, agency, or authority; or
(C) shall be deemed to have been made and to have specified such a private entity, agency, or authority when the Federal entity, agency, or authority has voluntarily been given cyber security information gathered by that private entity, agency, or authority, including by means of a cyber security Internet website.
(c) PROTECTIONS.�Except with the express consent or permission of the provider of information described in paragraph (1), any cyber security statements or other such information provided by a party in response to a special cyber security data gathering request made under this section�
(1) shall be exempt from disclosure under section 552(a) of title 5, United States Code (commonly known as the ��Freedom of Information Act��), by all Federal entities, agencies, and authorities;
(2) shall not be disclosed to or by any third party; and
(3) may not be used by any Federal or State entity, agency, or authority or by any third party, directly or indirectly, in any civil action arising under any Federal or State law.
(d) EXCEPTIONS.�
(1) INFORMATION OBTAINED ELSEWHERE.� Nothing in this section shall preclude a Federal entity, agency, or authority, or any third party, from separately obtaining the information submitted in response to a request under this section through the use of independent legal authorities, and using such separately obtained information in any action.
(2) PUBLIC DISCLOSURE.�A restriction on use or disclosure of information under this section shall not apply to any information disclosed generally or broadly to the public with the express consent of the party.
SEC. 5. ANTITRUST EXEMPTION.
(a) EXEMPTION.�Except as provided in subsection (b), the antitrust laws shall not apply to conduct engaged in, including making and implementing an agreement, solely for the purpose of and limited to�
(1) facilitating the correction or avoidance of a cyber security related problem; or
(2) communicating or disclosing information to help correct or avoid the effects of a cyber security related problem.
(b) EXCEPTION TO EXEMPTION.�Subsection (a) shall not apply with respect to conduct that involves or results in an agreement to boycott any person, to allocate a market, or to fix prices or output.
SEC. 6. CYBER SECURITY WORKING GROUPS.
(a) IN GENERAL.�
(1) WORKING GROUPS.�The President may establish and terminate working groups composed of Federal employees who will engage outside organizations in discussions to address cyber security, to share information related to cyber security, and otherwise to serve the purposes of this Act.
(2) LIST OF GROUPS.�The President shall maintain and make available to the public a printed and electronic list of such working groups and a point of contact for each, together with an address, telephone number, and electronic mail address for such point of contact.
(3) BALANCE.�The President shall seek to achieve a balance of participation and representation among the working groups.
(4) MEETINGS.�Each meeting of a working group created under this section shall be announced in advance in accordance with procedures established by the President.
(b) FEDERAL ADVISORY COMMITTEE ACT.�The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the working groups established under this section.
(c) PRIVATE RIGHT OF ACTION.�This section creates no private right of action to sue for enforcement of any provision of this section.