29 August 2001. Thanks to SK. Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-----------------------------------------------------------------------

[DOCID: f:h2435ih.txt]

107th CONGRESS
1st Session

H. R. 2435

To encourage the secure disclosure and protected exchange of information about cyber security problems, solutions, test practices and test results, and related matters in connection with critical infrastructure protection.

_______________________________________________________________________

IN THE HOUSE OF REPRESENTATIVES

July 10, 2001

Mr. Tom Davis of Virginia (for himself, Mr. Moran of Virginia, Mr. Isakson, and Mr. Sessions) introduced the following bill; which was referred to the Committee on Government Reform, and in addition to the Committee on the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

A BILL

To encourage the secure disclosure and protected exchange of information about cyber security problems, solutions, test practices and test results, and related matters in connection with critical infrastructure protection.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Cyber Security Information Act''.

SEC. 2. FINDINGS AND PURPOSES.

(a) Findings.--Congress finds the following:

    (1)(A) Many information technology computer systems, software programs, and similar facilities are essential to the functioning of markets, commerce, consumer products, utilities, government, and safety and defense systems, in the United States and throughout the world.

        (B) Protecting systems and products against domestic and international attacks or misuse through the Internet, public, or private telecommunications systems, or similar means is a matter of national and global interest.

        (C) Such protection is best accomplished through private sector solutions that are market driven and industry led because the private sector owns, operates, and has developed many of the networks, products, and services that constitute the information infrastructure.

        (D) Government should work cooperatively with industry on a voluntary basis to achieve such protection and should not mandate the private sector use particular technologies, dictate standards, or impose undue costs.

    (2) The prompt, voluntary, candid, and thorough, but secure and protected, disclosure and exchange of information related to the cyber security of entities, systems, and infrastructure--

        (A) would greatly enhance the ability of private and public entities to improve their cyber security;

        (B) would measurably contribute to avoidance of financial risk and loss resulting from disruption or harm to critical institutional elements of the United States economy, including but not limited to securities exchanges, banking and other financial services institutions, communications networks, transportation systems, manufacturing, information technology, health care, government services, and electric utilities and energy providers, or from serious damage to public confidence in such critical institutional elements; and

        (C) is therefore a vital factor in minimizing any potential cyber security-related disruption to the Nation's critical infrastructure and the consequences for its economic well-being and national security.

    (3) Concern about the potential for legal liability associated with the disclosure and exchange of cyber security information has impeded and continues to impede the secure disclosure and protected exchange of such information.

    (4) The capability to securely disclose and engage in the protected exchange of information relating to cyber security, solutions, test practices, test results, and risk assessments and audits, without undue concern about inappropriate disclosure of that information, is critical to the ability of private and public entities to address cyber security needs in a timely manner.

    (5) The national interest will be served by uniform legal standards in connection with the secure disclosure and protected exchange of cyber security information that will promote appropriate disclosures and exchanges of such information in a timely fashion.

    (6) The ``National Plan for Information Systems Protection, Version 1.0, An Invitation to a Dialogue'', released by the President on January 7, 2000, calls for the Government to assist in seeking changes to applicable laws on ``Freedom of Information, liability, and antitrust where appropriate'' in order to foster industry-wide centers for information sharing and analysis.

(b) Purposes.--Based upon the powers contained in article 1, section 8, clause 3 of the Constitution of the United States, the purposes of this Act are--

    (1) to promote the secure disclosure and protected exchange of cyber security information;

    (2) to assist private industry and government in responding effectively and rapidly to cyber security problems;

    (3) to lessen burdens on interstate commerce by establishing certain legal principles in connection with the secure disclosure and protected exchange of cyber security information; and

    (4) to protect the legitimate users of cyber networks and systems, and to protect the privacy and confidentiality of shared information.

SEC. 3. DEFINITIONS.

In this Act:

    (1) Antitrust laws.--The term ``antitrust laws''--

        (A) has the meaning given to it in subsection (a) of the first section of the Clayton Act (15 U.S.C. 12(a)), except that such term includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent such section 5 applies to unfair methods of competition; and

        (B) includes any State law with the same intent and effect as the laws referred to in subparagraph (A).

    (2) Critical infrastructure.--The term ``critical infrastructure'' means facilities or services so vital to the nation or its economy that their disruption, incapacity, or destruction would have a debilitating impact on the defense, security, long-term economic prosperity, or public health or safety of the United States.

    (3) Cyber security information.--

        (A) In general.--The term ``cyber security information'' means information related to--

            (i) the ability of any protected system, or critical infrastructure to resist intentional interference, compromise, or incapacitation through the misuse of or unauthorized access to or use of the Internet, public or private telecommunications systems, or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety;

            (ii) any planned or past assessment, projection or estimate concerning a cyber security vulnerability of a protected system, or critical infrastructure;

            (iii) any planned or past cyber security testing, risk assessment, or audit;

            (iv) any planned or past operational problems or solutions related to the cyber security of any protected system, or critical infrastructure; or

            (v) any immediate threats to the cyber security of any protected system, or critical infrastructure.

        (B) Exclusion.--For the purposes of any action brought under the securities laws, as that term is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47)), the term ``cyber security information'' does not include information or statements contained in any documents or materials filed with the Securities and Exchange Commission, or with Federal banking regulators, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 781(i)), or disclosures or writing that when made accompanied the solicitation of an offer or sale of securities.

    (4) Protected system.--The term ``protected system'' includes but is not limited to any system or process deployed in or remotely affecting a critical infrastructure facility consisting of one or more of the following: computer, computer system, network, or any component hardware or element of the foregoing, software program, processing instruction or data in storage, irrespective of the storage medium.

    (5) Information sharing organization; iso.--The terms ``Information Sharing Organization'' and ``ISO'' mean an Information Sharing and Analysis Center (``ISAC'') or any other entity created by private sector organizations for the purpose of sharing cyber security information among such organizations, with or among their individual affiliated members, and with and from State, local, and Federal Government agencies.

SEC. 4. PROTECTION FOR CYBER SECURITY INFORMATION SHARED WITH THE GOVERNMENT.

(a) In General.--Cyber security information that is voluntarily provided to any Federal entity, agency, or authority shall not be disclosed and must be protected against disclosure.

(b) Specifics.--This section shall apply to cyber security information voluntarily provided--

    (1) directly to the government about its own cyber security;

    (2) directly to the government about a third party's cyber security; or

    (3) to an ISO, which is subsequently provided to the government in identifiable form.

(c) Protections.--Except with the express consent or permission of the provider of cyber security information, any cyber security information provided pursuant to subsection (b)--

    (1) shall be exempt from disclosure under section 552(a) of title 5, United States Code (commonly known as the ``Freedom of Information Act''), by any Federal entity, agency, and authority;

    (2) shall not be disclosed to any third party except pursuant to subsection (e)(3); and

    (3) shall not be used by any Federal or State entity, agency, or authority or by any third party, directly or indirectly, in any civil action arising under any Federal or State law.

(d) Exemptions.--Any disclosure of cyber security information by any private entity, or by any Information Sharing Organization as defined in section 3(5) of this Act, to any official of an agency of the United States in accordance with subsection (b) of this section shall not be subject to--

    (1) the requirements of the Federal Advisory Committee Act (5 U.S.C. App.) with regard to notice of meetings and publication of the record of such disclosure; and

    (2) any agency rules regarding ex parte communications with decision making officials.

(e) Exceptions.--

    (1) Information obtained elsewhere.--Nothing in this section shall preclude a Federal or State entity, agency, or authority, or any third party, from separately obtaining cyber security information through the use of independent legal authorities, and using such separately obtained information in any action.

    (2) Public disclosure.--A restriction on use or disclosure of information under this section shall not apply to any information disclosed generally or broadly to the public.

    (3) Third party information.--A Federal entity, agency, or authority receiving cyber security information from one private entity about another private entity's cyber security shall notify and convey that information to the latter upon its initial receipt, except that such entity, agency, or authority shall not notify the third party if the Government has probable cause to believe that such party has conducted, or may be conducting economic espionage against United States entities within the meaning of the Economic Espionage Act (18 U.S.C. 1831 et seq.) or if such entity derives support from any nation currently under a trade embargo.

SEC. 5. ANTITRUST EXEMPTION.

(a) Exemption.--Except as provided in subsection (b), the antitrust laws shall not apply to conduct engaged in, including making and implementing an agreement, solely for the purpose of and limited to--

    (1) facilitating the correction or avoidance of a cyber security-related problem; or

    (2) communication of or disclosing information to help correct or avoid the effects of a cyber security-related program.

(b) Exception to Exemption.--Subsection (a) shall not apply with respect to conduct that involves or results in an agreement to boycott any person, to allocate a market, or to fix prices or output.

SEC. 6. CYBER SECURITY WORKING GROUPS.

(a) In General.--

    (1) Working groups.--The President may establish and terminate working groups composed of Federal employees who will engage outside organizations in discussions to address cyber security, to share information related to cyber security, and otherwise to serve the purposes of this Act.

    (2) List of groups.--The President shall maintain and make available to the public a printed and electronic list of such working groups and a point of contact for each, together with an address, telephone number, and electronic mail address for such point of contact.

    (3) Balance.--The President shall seek to achieve a balance of participation and representation among the working groups.

    (4) Meetings.--Each meeting of a working group created under this section shall be announced in advance in accordance with procedures established by the President.

(b) Federal Advisory Committee Act.--The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the working groups established under this section.

(c) Private Right of Action.--This section creates no private right of action to sue for enforcement of any provision of this section.