Congressional Record: July 10, 2001 (Extensions)
Page E1292-E1294
INTRODUCTION OF THE CYBER SECURITY INFORMATION ACT OF 2001
______
HON. TOM DAVIS
of Virginia
in the House of Representatives
Tuesday, July 10, 2001
Mr. TOM DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to
reintroduce legislation with my good friend and colleague from northern
Virginia, Representative Jim Moran. Last year, we introduced H.R. 4246
to facilitate the protection of our nation's critical infrastructure
from cyber threats. We aggressively pushed forward with the legislation
and held a productive Subcommittee hearing with the then-Subcommittee
on Government Management, Information, and Technology on the importance
of the bill. Based on comments made at that hearing, we have worked
hard with a wide range of industries to refine and improve this
legislation. Today, we are again introducing this legislation with the
full partnership of the private sector. Over the past several months, I
have worked with the industry leaders from each of our critical
infrastructure sectors to draft consensus legislation that will
facilitate public-private partnerships to promote information sharing
to prevent our nation from being crippled by a cyber-terrorism threat.
In the 104th Congress, we called upon the previous Administration to
study our nation's critical infrastructure vulnerabilities and to
identify solutions to address these vulnerabilities. Through that
effort, a number of steps were identified that must be taken in order
to eliminate the potential for significant damage to our critical
infrastructure. Foremost among these suggestions was the need to ensure
coordination between the public and private sector representatives of
critical infrastructure. The bill we are again introducing today is the
first step in encouraging private sector cooperation and participation
with the government to accomplish this objective.
Since early spring of this year, Congress has held a number of
hearings examining the ability of our nation to cope with cyber
security threats and attacks. For instance, the House Energy and
Commerce has held numerous hearings regarding the vulnerability of
specific Federal agencies and entities, and how those agencies are
implementing--or not implementing--the appropriate risk management
tools to deal with these threats. The House Judiciary Subcommittee on
Crime has held a number of hearings specifically looking at cybercrime
from both a private sector and a federal law
Also, the National Security Telecommunications Advisory Committee
(NSTAC) met in early June of this year to discuss the necessary
legislative action to encourage industry to voluntarily work in concert
with the federal government in assessing and protecting against cyber
vulnerabilities. The bill I am introducing today was endorsed at the
June meeting. In recent months, the Bush Administration has
aggressively been working with industry to address our critical
infrastructure protection needs and ensure that the federal government
is better coordinating its cybersecurity efforts. I look forward in
the coming weeks to working with the Administration to enhance the
public-private partnership that industry and government must have in
order to truly protect our critical infrastructure.
The critical infrastructure of the United States is largely owned and
operated by the private sector. Critical infrastructures are those
systems that are essential to the minimum operations of the economy and
government. Our critical infrastructure is comprised of the financial
services, telecommunications, information technology, transportation,
water systems, emergency services, electric power, gas and oil sectors
in private industry as well as our National Defense, and Law
Enforcement and International Security sectors within the government.
Traditionally, these sectors operated largely independently of one
another and coordinated with government to protect themselves against
threats posed by traditional warfare. Today, these sectors must learn
how to protect themselves against unconventional threats such as
terrorist attacks, and cyber intrusions.
These sectors must also recognize the vulnerabilities they may face
because of the tremendous technological progress we have made. As we
learned when planning for the challenges presented by the Year 2000
rollover, many of our computer systems and networks are now
interconnected and communicate with many other systems. With the many
advances in information technology, many of our critical infrastructure
sectors are linked to one another and face increased vulnerability to
cyber threats. Technology interconnectivity increases the risk that
problems affecting one system will also affect other connected systems.
Computer networks can provide pathways among systems to gain
unauthorized access to data and operations from outside locations if
they are not carefully monitored and protected.
A cyber threat could quickly shut down any one of our critical
infrastructures and potentially cripple several sectors at one time.
Nations around the world, including the United States, are currently
training their military and intelligence personnel to carry out cyber
attacks against other nations to quickly and efficiently cripple a
nation's daily operations. Cyber attacks have moved beyond the
mischievous teenager and are now being learned and used by terrorist
organizations as the latest weapon in a nation's arsenal. During this
past spring, around the anniversary of the U.S. bombing of the Chinese
embassy in Belgrade, U.S. web sites were defaced by hackers, replacing
existing content with pro-Chinese or anti-U.S. rhetoric. In addition,
an Internet worm named ``Lion'' infected computers and installed
distributed denial of service (DDOS) tools on various systems. An
analysis of the Lion worm's source code revealed that it could send
password files from the victim site to e-mail address
We have learned the inconveniences that may be caused by a cyber
attack or unforeseen circumstance. Last year, many individuals and
companies were impacted by the ``I Love You'' virus as it moved rapidly
around the world disrupting the daily operations of many of our
industry sectors. The Love Bug showed the resourcefulness of many in
the private sector in identifying and responding to such an attack but
it amply demonstrated the weakness of the government's ability to
handle such a virus. Shortly after the attack, Congress learned that
the U.S. Department of Health and Human Services' (HHS) operating
systems were so debilitated by the virus that it could not have
responded adequately if we had faced a serious public health crisis at
the same time. Additionally, the federal government was several hours
behind industry in notifying agencies about the virus. If the private
sector could share information with the government within a defined
framework, federal agencies could have been made aware of the threat
earlier on.
Last month, NIPC and FedCIRC received information on attempts to
locate, obtain control of and plant new malicious code known as ``W32-
Leaves.worm'' on computers previously
infected with the SubSeven Trojan. SubSeven is a Trojan Horse that can
permit a remote computer to gain complete control of an infected
machine, typically by using Internet Relay Chat (IRC) channels for
communications. In June 1998 and February 1999, the Director of the
Central Intelligence Agency testified before Congress that several
nations recognize that cyber attacks against civilian computer systems
represent the most viable option for leveling the playing field in an
armed crisis against the United States. The Director also stated that
several terrorist organizations believed information warfare to be a
low cost opportunity to support their causes. We must, as a nation,
prepare both our public and private sectors to protect ourselves
against such efforts.
That is why I am again introducing legislation that gives critical
infrastructure industries the assurances they need in order to
confidently share information with the federal government. As we
learned with the Y2K model, government and industry can work in
partnership to produce the best outcome for the American people. Today,
the private sector has established many information sharing
organizations (ISOs) for the different sectors of our nation's critical
infrastructure. Information regarding a cyber threat or vulnerability
is now shared within some industries but it is not shared with the
government and it is not shared across industries. The private sector
stands ready to expand this model but has also expressed concerns
about voluntarily sharing information with the government and the
unintended consequences they could face for acting in good faith.
Specifically, there has been concern that industry could potentially
face antitrust violations for sharing information with other industry
partners, have their shared information be subject to the Freedom of
Information Act, or face potential liability concerns for information
shared in good faith. My bill will address all three of these concerns.
The Cyber Security Information Act also respects the privacy rights of
consumers and critical infrastructure operators. Consumers and
operators will have the confidence they need to know that information
will be handled accurately, confidentially, and reliably.
The Cyber Security Information Act is closely modeled after the
successful Year 2000 Information and Readiness Disclosure Act by
providing a limited FOIA exemption, civil litigation
This legislation will enable the private sector, including ISOs, to
move forward without fear from the government so that government and
industry may enjoy a mutually cooperative partnership. This will also
allow us to get a timely and accurate assessment of the vulnerabilities
of each sector to cyber attacks and allow for the formulation of
proposals to eliminate these vulnerabilities without increasing
government regulation, or expanding unfunded federal mandates on the
private sector.
ISOs will continue their current leadership role in developing the
necessary technical expertise to establish baseline statistics and
patterns within the various infrastructures, as clearinghouses for
information within and among the various sectors, and as repositories
of valuable information that may be used by the private sector. As
technology continues to rapidly improve industry efficiency and
operations, so will the risks posed by vulnerabilities and threats to
our infrastructure. We must create a framework that will allow our
protective measures to adapt and be updated quickly.
It is my hope that we will be able to move forward quickly with this
legislation and that Congress and the Administration will work in
partnership to provide industry and government with the tools for
meeting this challenge. A Congressional Research Service report on the
ISOs proposal describes the information sharing model as one of the
most crucial pieces for success in protecting our critical
infrastructure, yet one of the hardest pieces to realize. With the
introduction of the Cyber Security Information Act of 2001, we are
removing the primary barrier to information sharing between government
and industry. This is landmark legislation that will be replicated
around the globe by other nations as they too try to address threats to
their critical infrastructure.
Mr. Speaker, I believe that the Cyber Security Information Act of
2001 will help us address critical infrastructure cyber threats with
the same level of success we achieved in addressing the Year 2000
problem. With government and industry cooperation, the seamless
delivery of services and the protection of our nation's economy and
well-being will continue without interruption just as the delivery of
services continued on January 1, 2000.
July 5, 2001.
Hon. ----
U.S. House of Representatives,
Washington, DC
Dear Representative: We, the undersigned, representing
every sector of the United States economy, write today to
strongly urge you to become an original cosponsor of the
Cyber Security Information Act to be shortly introduced by
Representatives Tom Davis and Jim Moran. This important bill
will strengthen information sharing legal protections that
shield U.S. critical infrastructures from cyber and physical
attacks and threats.
Over the past four years, industry-government information
sharing regarding vulnerabilities and threats has been a key
element of the federal government's critical infrastructure
protection plans. Several industry established information
sharing organizations, including Information Sharing and
Analysis Centers (ISACs) and the Partnership for Critical
Infrastructure Security (PCIS), have been set up to support
this initiative. The National Plan for Information Systems
Protection, version 1.0, also calls for private sector input
about actions that will facilitate industry-government
information sharing.
As representative companies and industry associations
involved in supporting the ongoing development of a National
Plan for critical infrastructure protection, we believe that
Congress can play a key role in facilitating this initiative
by passing legislation to support the Plan's strategic
objectives.
Currently, there is uncertainty about whether existing law
may expose companies and industries that voluntarily share
sensitive information with the federal government to
unintended and potentially harmful consequences. This
uncertainty has a chilling effect on the growth of all
information sharing organizations and the quality and
quantity of information that they are able to gather and
share with the federal government. As such, this situation is
an impediment to the effectiveness of both industry and
government security and assurance managers to understand,
collaborate on and manage their vulnerability and threat
environments.
Legislation that will clarify and strengthen existing
Freedom of Information Act and antitrust exemptions, or
otherwise create new means to promote critical infrastructure
protection and assurance would be very helpful and have a
catalytic effect on the initiatives that are currently under
way.
Companies in the transportation, telecommunications,
information technology, financial services, energy, water,
power and gas, health and emergency services have a vital
stake in the protection of infrastructure assets. With over
90 percent of the country's critical infrastructure owned
and/or operated by the private sector, the government must
support information sharing between the public and private
sectors in order to ensure the best possible security for all
our citizens. A basic precondition for this cooperation is a
clear legal and public policy framework for action.
Businesses also need protection from unnecessary
restrictions placed by federal and state antitrust laws on
critical information sharing that would inhibit
identification of R&D needs or the identification and
mitigation of vulnerabilities. There are a number of
precedents for this kind of collaboration, and we believe
that legislation based on these precedents will also assist
this process.
Faced with the prospect of unintended liabilities, we also
believe that any assurances that Congress can provide to
companies voluntarily collaborating with the government in
risk management planning activity--such as performing risk
assessments, testing infrastructure security, or sharing
certain threat and vulnerability information--will be very
beneficial. Establishing liability safeguards to encourage
the sharing of threat and vulnerability information will add
to the robustness of the partnership and the significance of
the information shared.
Thank you for considering our views on this important
subject. We think that such legislation will contribute to
the success of the institutional, information-sharing,
technological, and collaborative strategies outlined in
Presidential Decision Directive--63 and version 1.0 of the
National Plan for Information Systems Protection.
Sincerely,
Americans for Computer Privacy.
Edison Electric Institute.
Fannie Mae.
Internet Security Alliance.
Information Technology Association of America.
Microsoft.
National Center for Technology and Law, George Mason
University.
Qwest Communications.
Security.
Computer Sciences Corporation.
Electronic Industries Alliance.
The Financial Services Roundtable.
Internet Security Systems.
National Association of Manufacturers.
Mitretek Systems.
The Open Group.
Oracle.
U.S. Chamber of Commerce.
Why Information Sharing is Essential for Critical Infrastructure
Protection
Frequently Asked Questions
What are Critical Infrastructures?
Critical Infrastructures are those industries identified in
Presidential Decision Directive--63 and version 1.0 of the
National Plan for Information Systems Protection, deemed
vital for the continuing functioning of the essential
services of the United States. These include
telecommunications, information technology, financial
services, oil, water, gas, electric energy, health services,
transportation, and emergency services.
What Is the Problem?
90% of the nation's critical infrastructures are owned and/
or operated by the private sector. Increasingly, they are
interconnected through networks. This has made them more
efficient, but it has also increased the vulnerability of
multiple sectors of the economy to attacks on particular
infrastructures. According to the Carnegie-Mellon Computer
Emergency Response Team (CERT), cyber attacks on critical
infrastructures have grown at an exponential rate over the
past three years. This trend is expected to continue for the
foreseeable future. In our free market system, it is not
feasible to have a centralized government monitoring
function. A voluntary national industry-government
information sharing system is needed in order for the nation
to create an effective early warning system, find and fix
vulnerabilities, benchmark best practices and create new
safety technologies.
How Do Industries and the Government Share Information?
Based on PDD-63 and the National Plan, a number of
organizations have been created to foster industry-government
cooperation. These include Information Sharing and Analysis
Centers (ISACs). ISACs are industry-specific and have been
set up in the financial services, telecommunications, IT, and
electric energy industries. Others are in the process of
being organized. ISACs vary in their membership structures
and relationship to the government. Most of them have a
formal government sector liaison as their principal point of
contact.
What Are Current Concerns?
Companies are concerned that information voluntarily shared
with the government that reports on or concerns corporate
security may be subject to FOIA. They are also concerned that
lead agencies may not be able to effectively control the use
or dissemination of sensitive information because of similar
legal requirements. Access to sensitive information may fall
into the hands of terrorists, criminals, and other
individuals and organizations capable of exploiting
vulnerabilities and harming the U.S. Unfiltered, unmediated
information may be misinterpreted by the public and undermine
public confidence in the country's critical infrastructures.
Also, competitors and others may use that information to the
detriment of a reporting company, or as the basis for
litigation. Any and all of these possibilities are reasons
why the current flow of voluntary data is minimal.
What Can Be Done?
Possible solutions include creating an additional exemption
to current FOIA laws. There are currently over 80 specific
FOIA Exemptions throughout the body of U.S. law, so it is
clear that exempting voluntarily shared information that
could affect national security is consistent with the intent
and application of FOIA. Another solution is to build on
existing relevant legal precedents such as the 1998 Y2K
Information and Readiness Disclosure Act, the 1984 National
Cooperative Research Act, territorially limited court
rulings, and individual, advisory Department of Justice
Findings.
Why Pursue a Legislative Solution?
The goal is to provide incentives for voluntary information
sharing. Legislation can add legal clarity that will provide
one such incentive, as well as also demonstrate the support
and commitment of Congress to increasing critical
infrastructure assurance.
____________________