[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 1456 Introduced in Senate (IS)]

  1st Session
                                S. 1456

To facilitate the security of the critical infrastructure of the United 
 States, to encourage the secure disclosure and protected exchange of 
     critical infrastructure information, to enhance the analysis, 
  prevention, and detection of attacks on critical infrastructure, to 
    enhance the recovery from such attacks, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 24, 2001

 Mr. Bennett (for himself and Mr. Kyl) introduced the following bill; 
  which was read twice and referred to the Committee on Governmental 
                                Affairs

_______________________________________________________________________

                                 A BILL


 
To facilitate the security of the critical infrastructure of the United 
 States, to encourage the secure disclosure and protected exchange of 
     critical infrastructure information, to enhance the analysis, 
  prevention, and detection of attacks on critical infrastructure, to 
    enhance the recovery from such attacks, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Critical Infrastructure Information 
Security Act of 2001''.

SEC. 2. FINDINGS.

    Congress makes the following findings:
            (1) The critical infrastructures that underpin our society, 
        national defense, economic prosperity, and quality of life--
        including energy, banking and finance, transportation, vital 
        human services, and telecommunications--must be viewed in a new 
        context in the Information Age.
            (2) The rapid proliferation and integration of 
        telecommunications and computer systems have connected 
        infrastructures to one another in a complex global network of 
        interconnectivity and interdependence. As a result, new 
        vulnerabilities to such systems and infrastructures have 
        emerged, such as the threat of physical and cyber attacks from 
        terrorists or hostile states. These attacks could disrupt the 
        economy and endanger the security of the United States.
            (3) The private sector, which owns and operates the 
        majority of these critical infrastructures, and the Federal 
        Government, which has unique information and analytical 
        capabilities, could both greatly benefit from cooperating in 
        response to threats, vulnerabilities, and actual attacks to 
        critical infrastructures by sharing information and analysis.
            (4) The private sector is hesitant to share critical 
        infrastructure information with the Federal Government 
        because--
                    (A) Federal law provides no clear assurance that 
                critical infrastructure information voluntarily 
                submitted to the Federal Government will be protected 
                from disclosure or misuse;
                    (B) the framework of the Federal Government for 
                critical infrastructure information sharing and 
                analysis is not sufficiently developed; and
                    (C) concerns about possible prosecution under the 
                antitrust laws inhibit some companies from partnering 
                with other industry members, including competitors, to 
                develop cooperative infrastructure security strategies.
            (5) Statutory nondisclosure provisions that qualify as 
        Exemption 3 statutes under section 552 of title 5, United 
        States Code (commonly referred to as the Freedom of Information 
        Act), many of them longstanding, prohibit disclosure of 
        numerous classes of information under that Act. These statutes 
        cover specific and narrowly defined classes of information and 
        are consistent with the principles of free and open government 
        that that Act seeks to facilitate.
            (6) Since the infrastructure information that this Act 
        covers is not normally in the public domain, preventing public 
        disclosure of this sensitive information serves the greater 
        good by promoting national security and economic stability.

SEC. 3. PURPOSE.

    The purpose of this Act is to foster improved security of critical 
infrastructure by--
            (1) promoting the increased sharing of critical 
        infrastructure information both between private sector entities 
        and between the Federal Government and the private sector; and
            (2) encouraging the private sector and the Federal 
        Government to conduct better analysis of critical 
        infrastructure information in order to prevent, detect, warn 
        of, and respond to incidents involving critical infrastructure.

SEC. 4. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given that 
        term in section 551 of title 5, United States Code.
            (2) Critical infrastructure.--The term ``critical 
        infrastructure''--
                    (A) means physical and cyber-based systems and 
                services essential to the national defense, government, 
                or economy of the United States, including systems 
                essential for telecommunications (including voice and 
                data transmission and the Internet), electrical power, 
                gas and oil storage and transportation, banking and 
                finance, transportation, water supply, emergency 
                services (including medical, fire, and police 
                services), and the continuity of government operations; 
                and
                    (B) includes any industry sector designated by the 
                President pursuant to the National Security Act of 1947 
                (50 U.S.C. 401 et seq.) or the Defense Production Act 
                of 1950 (50 U.S.C. App. 2061 et seq.) as essential to 
                provide resources for the execution of the national 
                security strategy of the United States, including 
                emergency preparedness activities pursuant to title VI 
                of the Robert T. Stafford Disaster Relief and Emergency 
                Assistance Act (42 U.S.C. 5195 et seq.).
            (3) Critical infrastructure information.--The term 
        ``critical infrastructure information'' means information 
        related to--
                    (A) the ability of any protected system or critical 
                infrastructure to resist interference, compromise, or 
                incapacitation by either physical or computer-based 
                attack or other similar conduct that violates Federal, 
                State, or local law, harms interstate commerce of the 
                United States, or threatens public health or safety;
                    (B) any planned or past assessment, projection, or 
                estimate of the security vulnerability of a protected 
                system or critical infrastructure, including security 
                testing, risk evaluation, risk management planning, or 
                risk audit;
                    (C) any planned or past operational problem or 
                solution, including repair, recovery, reconstruction, 
                insurance, or continuity, related to the security of a 
                protected system or critical infrastructure; or
                    (D) any threat to the security of a protected 
                system or critical infrastructure.
            (4) Information sharing and analysis organization.--The 
        term ``Information Sharing and Analysis Organization'' means 
        any formal or informal entity or collaboration created by 
        public or private sector organizations, and composed primarily 
        of such organizations, for purposes of--
                    (A) gathering and analyzing critical infrastructure 
                information in order to better understand security 
                problems related to critical infrastructure and 
                protected systems, and interdependencies of critical 
                infrastructure and protected systems, so as to ensure 
                the availability, integrity, and reliability of 
                critical infrastructure and protected systems;
                    (B) communicating or disclosing critical 
                infrastructure information to help prevent, detect, 
                mitigate, or recover from the effects of a problem 
                related to critical infrastructure or protected 
                systems; and
                    (C) voluntarily disseminating critical 
                infrastructure information to entity members, other 
                Information Sharing and Analysis Organizations, the 
                Federal Government, or any entities which may be of 
                assistance in carrying out the purposes specified in 
                subparagraphs (A) and (B).
            (5) Protected system.--The term ``protected system''--
                    (A) means any service, physical or computer-based 
                system, process, or procedure that directly or 
                indirectly affects a facility of critical 
                infrastructure; and
                    (B) includes any physical or computer-based system, 
                including a computer, computer system, computer or 
                communications network, or any component hardware or 
                element thereof, software program, processing 
                instructions, or information or data in transmission or 
                storage therein (irrespective of storage medium).
            (6) Voluntary.--The term ``voluntary'', in the case of the 
        submittal of information or records to the Federal Government, 
        means the submittal of the information or records in the 
        absence of an agency's exercise of legal submission.

SEC. 5. PROTECTION OF VOLUNTARILY SHARED CRITICAL INFRASTRUCTURE 
              INFORMATION.

    (a) Protection.--
            (1) In general.--Notwithstanding any other provision of 
        law, critical infrastructure information that is voluntarily 
        submitted to a covered Federal agency for analysis, warning, 
        interdependency study, recovery, reconstitution, or other 
        informational purpose, when accompanied by an express statement 
        specified in paragraph (3)--
                    (A) shall not be made available under section 552 
                of title 5, United States Code (commonly referred to as 
                the Freedom of Information Act);
                    (B) may not, without the written consent of the 
                person or entity submitting such information, be used 
                directly by such agency, any other Federal, State, or 
                local authority, or any third party, in any civil 
                action arising under Federal or State law, unless such 
                information is submitted in bad faith; and
                    (C) may not, without the written consent of the 
                person or entity submitting such information, be used 
                for a purpose other than the purpose of this Act, or 
                disclosed by any officer or employee of the United 
                States, except pursuant to the official duties of such 
                officer or employee pursuant to this Act.
            (2) Covered federal agency defined.--In paragraph (1), the 
        term ``covered Federal agency'' means the following:
                    (A) The Department of Justice.
                    (B) The Department of Defense.
                    (C) The Department of Commerce.
                    (D) The Department of Transportation.
                    (E) The Department of the Treasury.
                    (F) The Department of Health and Human Services.
                    (G) The Department of Energy.
                    (H) The Environmental Protection Agency.
                    (I) The General Services Administration.
                    (J) The Federal Communications Commission.
                    (K) The Federal Emergency Management Agency.
                    (L) The National Infrastructure Protection Center.
                    (M) The National Communication System.
            (3) Express statement.--For purposes of paragraph (1), the 
        term ``express statement'', with respect to information or 
        records, means--
                    (A) in the case of written information or records, 
                a written marking on the information or records as 
                follows: ``This information is voluntarily submitted to 
                the Federal Government in expectation of protection 
                from disclosure under the provisions of the Critical 
                Infrastructure Information Security Act of 2001.''; or
                    (B) in the case of oral information, a statement, 
                substantially similar to the words specified in 
                subparagraph (A), to convey that the information is 
                voluntarily submitted to the Federal Government in 
                expectation of protection from disclosure under the 
                provisions of this Act.
    (b) Independently Obtained Information.--Nothing in this section 
shall be construed to limit or otherwise affect the ability of the 
Federal Government to obtain and use under applicable law critical 
infrastructure information obtained by or submitted to the Federal 
Government in a manner not covered by subsection (a).
    (c) Treatment of Voluntary Submittal of Information.--The voluntary 
submittal to the Federal Government of information or records that are 
protected from disclosure by this section shall not be construed to 
constitute compliance with any requirement to submit such information 
to a Federal agency under any other provision of law.
    (d) Procedures.--
            (1) In general.--The Director of the Office of Management 
        and Budget shall, in consultation with appropriate 
        representatives of the National Security Council and the Office 
        of Science and Technology Policy, establish uniform procedures 
        for the receipt, care, and storage by Federal agencies of 
        critical infrastructure information that is voluntarily 
        submitted to the Federal Government. The procedures shall be 
        established not later than 90 days after the date of the 
        enactment of this Act.
            (2) Elements.--The procedures established under paragraph 
        (1) shall include mechanisms regarding--
                    (A) the acknowledgement of receipt by Federal 
                agencies of critical infrastructure information that is 
                voluntarily submitted to the Federal Government, 
                including confirmation that such information is 
                protected from disclosure under this Act;
                    (B) the marking of such information as critical 
                infrastructure information that is voluntarily 
                submitted to the Federal Government for purposes of 
                this Act;
                    (C) the care and storage of such information; and
                    (D) the protection and maintenance of the 
                confidentiality of such information so as to permit, 
                pursuant to section 6, the sharing of such information 
                within the Federal Government, and the issuance of 
                notices and warnings related to protection of critical 
                infrastructure.

SEC. 6. NOTIFICATION, DISSEMINATION, AND ANALYSIS REGARDING CRITICAL 
              INFRASTRUCTURE INFORMATION.

    (a) Notice Regarding Critical Infrastructure Security.--
            (1) In general.--A covered Federal agency (as specified in 
        section 5(a)(2)) receiving significant and credible information 
        under section 5 from a private person or entity about the 
        security of a protected system or critical infrastructure of 
        another known or identified private person or entity shall, to 
        the extent consistent with requirements of national security or 
        law enforcement, notify and convey such information to such 
        other private person or entity as soon as reasonable after 
        receipt of such information by the agency.
            (2) Construction.--Paragraph (1) may not be construed to 
        require an agency to provide specific notice where doing so 
        would not be practicable, for example, based on the quantity of 
        persons or entities identified as having security 
        vulnerabilities. In instances where specific notice is not 
        practicable, the agency should take reasonable steps, 
        consistent with paragraph (1), to issue broadly disseminated 
        advisories or alerts.
    (b) Analysis of Information.--Upon receipt of critical 
infrastructure information that is voluntarily submitted to the Federal 
Government, the Federal agency receiving such information shall--
            (1) share with appropriate covered Federal agencies (as so 
        specified) all such information that concerns actual attacks, 
        and threats and warnings of attacks, on critical infrastructure 
        and protected systems;
            (2) identify interdependencies; and
            (3) determine whether further analysis in concert with 
        other Federal agencies, or warnings under subsection (c), are 
        warranted.
    (c) Action Following Analysis.--
            (1) Authority to issue warnings.--As a result of analysis 
        of critical infrastructure information under subsection (b), a 
        Federal agency may issue warnings to individual companies, 
        targeted sectors, other governmental entities, or the general 
        public regarding potential threats to critical infrastructure.
            (2) Form of warnings.--In issuing a warning under paragraph 
        (1), the Federal agency concerned shall take appropriate 
        actions to prevent the disclosure of the source of any 
        voluntarily submitted critical infrastructure information that 
        forms the basis for the warning.
    (d) Strategic Analyses of Potential Threats to Critical 
Infrastructure.--
            (1) In general.--The President shall designate an element 
        in the Executive Branch--
                    (A) to conduct strategic analyses of potential 
                threats to critical infrastructure; and
                    (B) to submit reports on such analyses to 
                Information Sharing and Analysis Organizations and such 
                other entities as the President considers appropriate.
            (2) Strategic analyses.--
                    (A) Information used.--In conducting strategic 
                analyses under paragraph (1)(A), the element designated 
                to conduct such analyses under paragraph (1) shall 
                utilize a range of critical infrastructure information 
                voluntarily submitted to the Federal Government by the 
                private sector, as well as applicable intelligence and 
                law enforcement information.
                    (B) Availability.--The President shall take 
                appropriate actions to ensure that, to the maximum 
                extent practicable, all critical infrastructure 
                information voluntarily submitted to the Federal 
                Government by the private sector is available to the 
                element designated under paragraph (1) to conduct 
                strategic analyses under paragraph (1)(A).
                    (C) Frequency.--Strategic analyses shall be 
                conducted under this paragraph with such frequency as 
                the President considers appropriate, and otherwise 
                specifically at the direction of the President.
            (3) Reports.--
                    (A) In general.--Each report under paragraph (1)(B) 
                shall contain the following:
                            (i) A description of currently recognized 
                        methods of attacks on critical infrastructure.
                            (ii) An assessment of the threats to 
                        critical infrastructure that could develop over 
                        the year following such report.
                            (iii) An assessment of the lessons learned 
                        from responses to previous attacks on critical 
                        infrastructure.
                            (iv) Such other information on the 
                        protection of critical infrastructure as the 
                        element conducting analyses under paragraph (1) 
                        considers appropriate.
                    (B) Form.--Reports under this paragraph may be in 
                classified or unclassified form, or both.
            (4) Construction.--Nothing in this subsection shall be 
        construed to modify or alter any responsibility of a Federal 
        agency under subsections (a) through (c).
    (e) Plan for Strategic Analyses of Threats to Critical 
Infrastructure.--
            (1) Plan.--The President shall develop a plan for carrying 
        out strategic analyses of threats to critical infrastructure 
        through the element in the Executive Branch designated under 
        subsection (d)(1).
            (2) Elements.--The plan under paragraph (1) shall include 
        the following:
                    (A) A methodology for the work under the plan of 
                the element referred to in paragraph (1), including the 
                development of expertise among the personnel of the 
                element charged with carrying out the plan and the 
                acquisition by the element of information relevant to 
                the plan.
                    (B) Mechanisms for the studying of threats to 
                critical infrastructure, and the issuance of warnings 
                and recommendations regarding such threats, including 
                the allocation of personnel and other resources of the 
                element in order to carry out those mechanisms.
                    (C) An allocation of roles and responsibilities for 
                the work under the plan among the Federal agencies 
                specified in section 5(a)(2), including the 
                relationship of such roles and responsibilities.
            (3) Reports.--
                    (A) Interim report.--The President shall submit to 
                Congress an interim report on the plan developed under 
                paragraph (1) not later than 120 days after the date of 
                the enactment of this Act.
                    (B) Final report.--The President shall submit to 
                Congress a final report on the plan developed under 
                paragraph (1), together with a copy of the plan, not 
                later than 180 days after the date of the enactment of 
                this Act.

SEC. 7. ANTITRUST EXEMPTION FOR ACTIVITY INVOLVING AGREEMENTS ON 
              CRITICAL INFRASTRUCTURE MATTERS.

    (a) Antitrust Exemption.--The antitrust laws shall not apply to 
conduct engaged in by an Information Sharing and Analysis Organization 
or its members, including making and implementing an agreement, solely 
for purposes of--
            (1) gathering and analyzing critical infrastructure 
        information in order to better understand security problems 
        related to critical infrastructure and protected systems, and 
        interdependencies of critical infrastructure and protected 
        systems, so as to ensure the availability, integrity, and 
        reliability of critical infrastructure and protected systems;
            (2) communicating or disclosing critical infrastructure 
        information to help prevent, detect, mitigate, or recover from 
        the effects of a problem related to critical infrastructure or 
        protected systems; or
            (3) voluntarily disseminating critical infrastructure 
        information to entity members, other Information Sharing and 
        Analysis Organizations, the Federal Government, or any entities 
        which may be of assistance in carrying out the purposes 
        specified in paragraphs (1) and (2).
    (b) Exception.--Subsection (a) shall not apply with respect to 
conduct that involves or results in an agreement to boycott any person, 
to allocate a market, or to fix prices or output.
    (c) Antitrust Laws Defined.--In this section, the term ``antitrust 
laws''--
            (1) has the meaning given such term in subsection (a) of 
        the first section of the Clayton Act (15 U.S.C. 12(a)), except 
        that such term includes section 5 of the Federal Trade 
        Commission Act (15 U.S.C. 45) to the extent such section 5 
        applies to unfair methods of competition; and
            (2) includes any State law similar to the laws referred to 
        in paragraph (1).

SEC. 8. NO PRIVATE RIGHT OF ACTION.

    Nothing in this Act may be construed to create a private right of 
action for enforcement of any provision of this Act.