[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4246 Introduced in House (IH)]

106th CONGRESS
  2d Session
                                H. R. 4246

     To encourage the secure disclosure and protected exchange of 
 information about cyber security problems, solutions, test practices 
   and test results, and related matters in connection with critical 
                       infrastructure protection.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 12, 2000

    Mr. Davis of Virginia (for himself, Mr. Moran of Virginia, Mr. 
  Cunningham, and Mr. Rogan) introduced the following bill; which was 
referred to the Committee on Government Reform, and in addition to the 
Committee on the Judiciary, for a period to be subsequently determined 
 by the Speaker, in each case for consideration of such provisions as 
        fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
     To encourage the secure disclosure and protected exchange of 
 information about cyber security problems, solutions, test practices 
   and test results, and related matters in connection with critical 
                       infrastructure protection.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Security Information Act''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--Congress finds the following:
            (1)(A) Many information technology computer systems, 
        software programs, and similar facilities are vulnerable to 
        attacks or misuse through the Internet, public or private 
        telecommunications systems, or similar means.
            (B) The problem described in subparagraph (A) and resulting 
        failures could incapacitate systems that are essential to the 
        functioning of markets, commerce, consumer products, utilities, 
        government, and safety and defense systems, in the United 
        States and throughout the world.
            (C) Protecting, reprogramming, or replacing affected 
        systems before the problem incapacitates essential systems is a 
        matter of national and global interest.
            (2) The prompt, candid, and thorough, but secure and 
        protected, disclosure and exchange of information related to 
        the cybersecurity of entities, systems, and infrastructure--
                    (A) would greatly enhance the ability of public and 
                private entities to improve their own cyber security; 
                and
                    (B) is therefore a matter of national importance 
                and a vital factor in minimizing any potential cyber 
                security related disruption to the Nation's economic 
                well-being and security.
            (3) Concern about the potential for legal liability 
        associated with the disclosure and exchange of cyber security 
        information could unnecessarily impede the secure disclosure 
        and protected exchange of such information.
            (4) The capability to securely disclose and engage in the 
        protected exchange of information relating to cyber security, 
        solutions, test practices and test results, without undue 
        concern about inappropriate disclosure of that information, is 
        critical to the ability of public and private entities to 
        address cyber security needs in a timely manner.
            (5) The national interest will be served by uniform legal 
        standards in connection with the secure disclosure and 
        protected exchange of cyber security information that will 
        promote appropriate disclosures and exchanges of such 
        information in a timely fashion.
            (6) The ``National Plan for Information Systems Protection, 
        Version 1.0, An Invitation to a Dialogue'', released by the 
        President on January 7, 2000, calls for the Government to 
        assist in seeking changes to applicable laws on ``Freedom of 
        Information, liability, and antitrust where appropriate'' in 
        order to foster industry-wide centers for information sharing 
        and analysis.
    (b) Purposes.--Based upon the powers contained in article I, 
section 8, clause 3 of the Constitution of the United States, the 
purposes of this Act are--
            (1) to promote the secure disclosure and protected exchange 
        of information related to cyber security;
            (2) to assist private industry and government in 
        effectively and rapidly responding to cyber security problems;
            (3) to lessen burdens on interstate commerce by 
        establishing certain uniform legal principles in connection 
        with the secure disclosure and protected exchange of 
        information related to cyber security; and
            (4) to protect the legitimate users of cyber networks and 
        systems, and to protect the privacy and confidence of shared 
        information.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Antitrust laws.--The term ``antitrust laws''--
                    (A) has the meaning given to it in subsection (a) 
                of the first section of the Clayton Act (15 U.S.C. 
                12(a)), except that such term includes section 5 of the 
                Federal Trade Commission Act (15 U.S.C. 45) to the 
                extent such section 5 applies to unfair methods of 
                competition; and
                    (B) includes any State law similar to the laws 
                referred to in subparagraph (A).
            (2) Critical infrastructure.--The term ``critical 
        infrastructure'' means facilities or services so vital to the 
        nation or its economy that their disruption, incapacity, or 
        destruction would have a debilitating impact on the defense, 
        security, long-term economic prosperity, or health or safety of 
        the United States.
            (3) Cyber security.--The term ``cyber security'' means the 
        vulnerability of any computing system, software program, or 
        critical infrastructure to, or their ability to resist, 
        intentional interference, compromise, or incapacitation through 
        the misuse of, or by unauthorized means of, the Internet, 
        public or private telecommunications systems, or other similar 
        conduct that violates Federal, State, or international law, 
        that harms interstate commerce of the United States, or that 
        threatens public health or safety.
            (4) Cyber security internet website.--The term ``cyber 
        security Internet website'' means an Internet website or other 
        similar electronically accessible service, clearly designated 
        on the website or service by the person or entity creating or 
        controlling the content of the website or service as an area 
        where cyber security statements are posted or otherwise made 
        accessible to appropriate entities.
            (5) Cyber security statement.--
                    (A) In general.--The term ``cyber security 
                statement'' means any communication or other conveyance 
                of information by a party to another, in any form or 
                medium including by means of a cyber security Internet 
                website--
                            (i) concerning an assessment, projection, 
                        or estimate concerning the cyber security of 
                        that entity, its computer systems, its software 
                        programs, or similar facilities of its own;
                            (ii) concerning plans, objectives, or 
                        timetables for implementing or verifying the 
                        cyber security thereof;
                            (iii) concerning test plans, test dates, 
                        test results, or operational problems or 
                        solutions related to the cyber security 
                        thereof; or
                            (iv) reviewing, commenting on, or otherwise 
                        directly or indirectly relating to the cyber 
                        security thereof.
                    (B) Not included.--For the purposes of any action 
                brought under the securities laws, as that term is 
                defined in section 3(a)(47) of the Securities Exchange 
                Act of 1934 (15 U.S.C. 78c(a)(47)), the term ``cyber 
                security statement'' does not include statements 
                contained in any documents or materials filed with the 
                Securities and Exchange Commission, or with Federal 
                banking regulators, pursuant to section 12(i) of the 
                Securities Exchange Act of 1934 (15 U.S.C. 78l(i)), or 
                disclosures or writing that when made accompanied the 
                solicitation of an offer or sale of securities.

SEC. 4. SPECIAL DATA GATHERING.

    (a) In General.--Any Federal entity, agency, or authority may 
expressly designate a request for the voluntary provision of 
information relating to cyber security, including cyber security 
statements, as a cyber security data gathering request made pursuant to 
this section.
    (b) Specifics.--A cyber security data gathering request made under 
this section--
                    (1) shall specify a Federal entity, agency, or 
                authority, or, with its consent, another public or 
                private entity, agency, or authority, to gather 
                responses to the request;
                    (2) shall be a request from a private entity, 
                agency, or authority to a Federal entity, agency, or 
                authority; or
                    (3) shall be deemed to have been made and to have 
                specified such a private entity, agency, or authority 
                when the Federal entity, agency, or authority has 
                voluntarily been given cyber security information 
                gathered by that private entity, agency, or authority, 
                including by means of a cyber security Internet 
                website.
    (c) Protections.--Except with the express consent or permission of 
the provider of information described in paragraph (1), any cyber 
security statements or other such information provided by a party in 
response to a special cyber security data gathering request made under 
this section--
            (1) shall be exempt from disclosure under section 552(a) of 
        title 5, United States Code (commonly known as the ``Freedom of 
        Information Act''), by all Federal entities, agencies, and 
        authorities;
            (2) shall not be disclosed to or by any third party; and
            (3) may not be used by any Federal or State entity, agency, 
        or authority or by any third party, directly or indirectly, in 
        any civil action arising under any Federal or State law.
    (d) Exceptions.--
            (1) Information obtained elsewhere.--Nothing in this 
        section shall preclude a Federal entity, agency, or authority, 
        or any third party, from separately obtaining the information 
        submitted in response to a request under this section through 
        the use of independent legal authorities, and using such 
        separately obtained information in any action.
            (2) Public disclosure.--A restriction on use or disclosure 
        of information under this section shall not apply to any 
        information disclosed generally or broadly to the public with 
        the express consent of the party.

SEC. 5. ANTITRUST EXEMPTION.

    (a) Exemption.--Except as provided in subsection (b), the antitrust 
laws shall not apply to conduct engaged in, including making and 
implementing an agreement, solely for the purpose of and limited to--
            (1) facilitating the correction or avoidance of a cyber 
        security related problem; or
            (2) communicating or disclosing information to help correct 
        or avoid the effects of a cyber security related problem.
    (b) Exception to Exemption.--Subsection (a) shall not apply with 
respect to conduct that involves or results in an agreement to boycott 
any person, to allocate a market, or to fix prices or output.

SEC. 6. CYBER SECURITY WORKING GROUPS.

    (a) In General.--
            (1) Working groups.--The President may establish and 
        terminate working groups composed of Federal employees who will 
        engage outside organizations in discussions to address cyber 
        security, to share information related to cyber security, and 
        otherwise to serve the purposes of this Act.
            (2) List of groups.--The President shall maintain and make 
        available to the public a printed and electronic list of such 
        working groups and a point of contact for each, together with 
        an address, telephone number, and electronic mail address for 
        such point of contact.
            (3) Balance.--The President shall seek to achieve a balance 
        of participation and representation among the working groups.
            (4) Meetings.--Each meeting of a working group created 
        under this section shall be announced in advance in accordance 
        with procedures established by the President.
    (b) Federal Advisory Committee Act.--The Federal Advisory Committee 
Act (5 U.S.C. App.) shall not apply to the working groups established 
under this section.
    (c) Private Right of Action.--This section creates no private right 
of action to sue for enforcement of any provision of this section.