[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 3188 Introduced in Senate (IS)]

106th CONGRESS
  2d Session
                                S. 3188

  To facilitate the protection of the critical infrastructure of the 
    United States, to enhance the investigation and prosecution of 
            computer-related crimes, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

            October 11 (legislative day, September 22), 2000

Mr. Kyl (for himself and Mrs. Feinstein) introduced the following bill; 
  which was read twice and referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL

  To facilitate the protection of the critical infrastructure of the 
    United States, to enhance the investigation and prosecution of 
            computer-related crimes, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Security Enhancement Act''.

SEC. 2. FINDINGS.

    Congress makes the following findings:
            (1) The ability of the Federal Government to obtain 
        information on threats and risks to the critical infrastructure 
        of the United States, whether operated by the public sector or 
        private sector and whether domestic or foreign, is vital to the 
        maintenance of United States security and the economic well-
        being of the United States.
            (2) Persons in the private sector and non-Federal 
        governmental agencies have expressed a willingness to 
        voluntarily provide sensitive information on critical 
        infrastructure threats and vulnerabilities to the Federal 
        Government contingent on the ability of the Federal Government 
        to protect such information from unrestricted disclosure.
            (3) The Federal Government needs critical infrastructure 
        information from persons in the private sector and non-Federal 
        governmental agencies in order to protect critical 
        infrastructure from intentional acts of significant harm.
            (4) The public interest is best served by preserving the 
        confidentiality of critical infrastructure information that is 
        submitted to the Federal Government to the extent necessary to 
        encourage the submittal of such information to the Federal 
        Government.
            (5) Current Federal law does not provide persons in the 
        private sector and non-Federal governmental agencies with clear 
        assurance that information submitted to the Federal Government 
        on threats and risks to critical infrastructure will be 
        protected from disclosure under section 552 of title 5, United 
        States Code (commonly referred to as the Freedom of Information 
        Act).
            (6) There are currently more than 100 exemptions from 
        disclosure of information under the Freedom of Information Act 
        that have been approved by law for other purposes.
            (7) President Clinton has acknowledged the national 
        security issues that result from the cyber vulnerabilities of 
        the United States in stating that ``[w]e must be ready . . . 
        ready if our adversaries try to use computers to disable our 
        power grids, banking, communications and transportation 
        networks, police, fire and health services, or military 
        assets''.
            (8) Information sharing among private sector organizations 
        is critical to help identify vulnerabilities and threats to 
        information networks. Many companies are wary of participating 
        in cyber security information sharing activities with one 
        another due to concerns about antitrust penalties.
            (9) Currently, the maximum penalties for Federal computer 
        crimes are inadequate to punish and deter the most serious 
        computer crimes.
            (10) In order to catch cyber criminals, a cyber attack must 
        be swiftly traced to its source.
            (11) A lack of standardization among law enforcement 
        agencies has hindered effective information gathering from 
        industry during investigation of cyber crimes.
            (12) Many cyber attacks are complicated by the criminal's 
        use of a false Internet protocol (IP) address, thus masking the 
        origin of the attack. There is no legitimate use for a false IP 
        address.

SEC. 3. LIMITATION ON DISCLOSURE OF CERTAIN SENSITIVE INFORMATION UNDER 
              THE FREEDOM OF INFORMATION ACT.

    (a) Limitation.--Critical infrastructure information, records 
relating to critical infrastructure information, and information on 
critical infrastructure protection derived from such information or 
records that is submitted voluntarily by a non-Federal source to a 
critical infrastructure protection office or program shall not be made 
available under section 552 of title 5, United States Code (commonly 
referred to as the Freedom of Information Act), if the person 
submitting such information or records expressly requests that such 
information or records, or information derived therefrom, not be made 
available under that section.
    (b) Designation of Office or Program.--
            (1) Designation.--The President or the head of a Federal 
        agency may designate an element in the agency as a critical 
        infrastructure office or program for purposes of subsection 
        (a). The head of an agency may not delegate the authority in 
        the preceding sentence.
            (2) Publication of notice.--The head of the Federal agency 
        concerned shall publish in the Federal Register a notice of 
        intent to designate an element in the Federal agency as a 
        critical infrastructure office or program not later than 30 
        days before the effective date of such designation.
    (c) Request for Protection.--
            (1) In general.--A person seeking the protection of 
        information or records under subsection (a) shall be treated as 
        having made an express request for protection under that 
        subsection if the person marks the information or records 
        substantially as follows: ``____________ is submitted to a 
        critical infrastructure protection office or program under the 
        provisions of section 3(a) of the Cyber Security Enhancement 
        Act.'' (the blank being filled in with information sufficient 
        to identify the information or records concerned).
            (2) Limitation.--A request with respect to information or 
        records under subsection (a) may be made only by the person 
        submitting such information or records to the Federal 
        Government.
    (d) Independently Obtained Information.--Nothing in this section 
shall be construed to limit or otherwise affect the ability of the 
Federal Government to obtain and use under applicable law critical 
infrastructure information obtained by or submitted to the Federal 
Government in a manner not covered by subsection (a).
    (e) Operation of State and Local Law.--
            (1) Control of united states.--Information or records 
        protected from disclosure under subsection (a) shall be treated 
        as under the control of the Federal Government even if made 
        available to a State or local government.
            (2) Inapplicability of state or local disclosure law.--No 
        State or local law requiring public disclosure of information 
        or records shall apply to information or records obtained by 
        the Federal Government that are protected from disclosure under 
        subsection (a).
    (f) Treatment of Voluntary Submittal of Information.--The voluntary 
submission of information or records that are protected from disclosure 
by this section shall not be construed to constitute compliance with 
any requirement to submit such information to a Federal agency under 
any other provision of law.
    (g) Withdrawal of Request for Protection.--
            (1) Withdrawal.--A request that information or records be 
        protected from disclosure under subsection (a) may be withdrawn 
        at any time by the person making the request.
            (2) Effect.--The withdrawal of a request under paragraph 
        (1) shall take effect upon receipt of the withdrawal by the 
        Federal agency concerned.
    (h) Time Limitations on Protection.--
            (1) In general.--Subject to paragraph (2), the protection 
        of information or records under subsection (a) shall expire at 
        the end of the five-year period beginning on the date of 
        submittal of such information or records to the Federal 
        Government.
            (2) Extension.--Upon the expiration of the protection of 
        information or records under this section, including any 
        extension of such protection under this subsection, such 
        protection may be extended by an additional period of 5 years.
            (3) Procedure after expiration.--After expiration under 
        this subsection of the period of protection of information or 
        records under this section, the Federal agency concerned shall, 
        upon receipt of a request for such information or records under 
        section 552 of title 5, United States Code, determine whether 
        the person who originally requested the protection of such 
        information or records under this section seeks to continue the 
        protection of such information or records under this section. 
        If such person does not seek continuation of the protection of 
        such information or records under this section, the protection 
        of such information or records under this section shall cease.
    (i) Penalties for Unauthorized Disclosure.--
            (1) Investigation.--If a court finds that a Federal agency 
        has violated this section, and finds that the circumstances of 
        the violation raise questions whether or not an officer or 
        employee of the agency acted willfully or intentionally with 
        respect to the violation, the agency shall promptly investigate 
        whether or not disciplinary action is warranted against the 
        officer or employee.
            (2) Authority to act.--Appropriate disciplinary action may 
        be imposed as a result of an investigation under paragraph (1).
    (j) Scope of Protection.--This section may not be construed to 
preclude a Federal agency from establishing procedures for sharing 
critical infrastructure protection information within and outside the 
Federal Government for purposes related to protecting critical 
infrastructure.

SEC. 4. ANTITRUST MATTERS.

    (a) Antitrust Exemption.--Except as provided in subsection (b), the 
antitrust laws shall not apply to conduct engaged in, including making 
and implementing an agreement, solely for the purpose of and limited 
to--
            (1) facilitating responses intended to correct or avoid a 
        cyber security related problem; or
            (2) communicating or disclosing information to help correct 
        or avoid the effects of a cyber security related problem.
    (b) Exception.--Subsection (a) shall not apply with respect to 
conduct that involves or results in an agreement to boycott any person, 
to allocate a market, or to fix prices or output.
    (c) Rule of Construction.--The exemption granted by subsection (a) 
shall be construed narrowly.

SEC. 5. FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.

    (a) Enhanced Penalties.--Subsection (c) of that section is 
amended--
            (1) in paragraph (2)(B), by striking ``5 years'' and 
        inserting ``10 years'';
            (2) in paragraph (2)(C), by striking ``ten years'' and 
        inserting ``20 years'';
            (3) in paragraph (3)(A), by striking ``five years'' and 
        inserting ``10 years''; and
            (4) in paragraph (3)(B), by striking ``ten years'' and 
        inserting ``20 years''.

SEC. 6. ADMINISTRATIVE SUBPOENAS IN CASES INVOLVING CYBER CRIME.

    (a) In General.--Chapter 223 of title 18, United States Code, is 
amended by inserting after section 3486A the following new section:
``Sec. 3486B. Administrative subpoenas in cases involving cyber crime
    ``(a) Authorization.--
            ``(1) In general.--In any investigation relating to any act 
        or activity involving a violation of section 871, 879, 1029, 
        1030, 1362, 2511, 2701, 2702, or 2703 of this title, the 
        Attorney General, or the designee of the Attorney General, may 
        issue in writing and cause to be served a subpoena--
                    ``(A) requiring a provider of electronic 
                communication service or remote computing service to 
                disclose the name, address, Internet protocol address 
                (IP address), local and long distance telephone toll 
                billing records, telephone number or other subscriber 
                number or identity, and length of service of a 
                subscriber to or customer of such service and the types 
                of services the subscriber or customer utilized, which 
                may be relevant to an authorized law enforcement 
                inquiry; or
                    ``(B) requiring a custodian of records to give 
                testimony concerning the production and authentication 
                of such records or information.
            ``(2) Limitation on disclosure.--Information disclosed 
        under paragraph (1) may not include content of an electronic 
        communication.
            ``(3) Attendance of witnesses.--Witnesses summoned under 
        this section shall be paid the same fees and mileage that are 
        paid witnesses in the courts of the United States.
    ``(b) Procedures Applicable.--The same procedures for service and 
enforcement as are provided with respect to investigative demands under 
section 3486 of this title shall apply with respect to a subpoena 
issued under this section.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 223 of such title is amended by inserting after the item 
relating to section 3486A the following new item:

``3486B. Administrative subpoenas in cases involving cyber crime.''.

SEC. 7. STANDARDIZED REQUESTS FOR ELECTRONIC INFORMATION AND RECORDS.

    (a) Plan To Encourage Standardized Requests.--Not later than six 
months after the date of the enactment of this Act, the Attorney 
General shall submit to the President and to the Committees on the 
Judiciary of the Senate and House of Representatives a plan to 
encourage the standardization of requests of Federal, State, and local 
law enforcement agencies to Internet service providers (ISPs) and other 
entities for electronic information and records used in the 
investigation of computer fraud and other computer-related crimes.
    (b) Consultation.--In preparing the plan, the Attorney General 
shall consult with the heads of other appropriate Federal agencies, 
appropriate representatives of State and local law enforcement 
agencies, and other interested persons.
    (c) Notice and Comment.--In preparing the plan, the Attorney 
General shall seek public notice and comment on the plan.

SEC. 8. PREVENTION OF INTERNET PROTOCOL ADDRESS SPOOFING.

    (a) Plan To Encourage Prevention.--Not later than six months after 
the date of the enactment of this Act, the Attorney General and the 
Secretary of Commerce shall jointly submit to Congress and the 
President a plan to encourage Internet service providers to take 
appropriate actions to prevent or impede the use of false Internet 
protocol addresses as a means of access to Internet servers (commonly 
referred to as ``IP spoofing''), including the installation and use of 
Internet servers and routers, and so-called ``firewall'' software, 
which prevent, impede, or otherwise provide protection against the use 
of such addresses for that purpose.
    (b) Consultation.--In preparing the plan, the Attorney General and 
the Secretary of Commerce shall jointly consult with the heads of other 
appropriate Federal agencies, appropriate representatives of State and 
governments, and other interested persons.
    (c) Notice and Comment.--In preparing the plan, the Attorney 
General and the Secretary of Commerce shall seek public notice and 
comment on the plan.

SEC. 9. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given that 
        term in section 551 of title 5, United States Code.
            (2) Antitrust laws.--The term ``antitrust laws''--
                    (A) has the meaning given such term in subsection 
                (a) of the first section of the Clayton Act (15 U.S.C. 
                12(a)), except that such term includes section 5 of the 
                Federal Trade Commission Act (15 U.S.C. 45) to the 
                extent such section 5 applies to unfair methods of 
                competition; and
                    (B) includes any State law similar to the laws 
                referred to in subparagraph (A).
            (3) Critical infrastructure.--The term ``critical 
        infrastructure'' means physical and cyber-based systems, 
        facilities, or services so essential to the United States or 
        the United States economy that the disruption, incapacity, or 
        destruction of such systems, facilities, or services would have 
        a debilitating impact on the defense, security, economic 
        prosperity, or health or safety of the United States.
            (4) Critical infrastructure information.--The term 
        ``critical infrastructure information'' means information 
        concerning threats, vulnerabilities, risks, and mitigation of 
        same pertinent to critical infrastructure.
            (5) Critical infrastructure protection office or program.--
        The term ``critical infrastructure protection office or 
        program'' means an element of a Federal agency that is 
        designated by the President or the head of the agency as having 
        functions relating to the protection of critical infrastructure 
        from intentional acts or significant harm.
            (6) Cyber security.--The term ``cyber security'' means the 
        vulnerability of any computing system, software program, or 
        critical infrastructure to, or their ability to resist, 
        intentional interference, compromise, or incapacitation through 
        the misuse of, or by unauthorized means of, the Internet, 
        public or private telecommunications systems, or other similar 
        conduct that violates Federal, State, or international law, 
        that harms interstate commerce of the United States, or that 
        threatens public health or safety.
            (7) Voluntary.--The term ``voluntary'', in the case of 
        submittal of information or records to the Federal Government, 
        means that the information or records were submitted--
                    (A) without mandate or compulsion; and
                    (B) not as a condition of doing business with the 
                Federal Government.