[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4551 Referred in Senate (RFS)]

<DOC>
117th CONGRESS
  2d Session
                                H. R. 4551


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 28, 2022

    Received; read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 AN ACT


 
 To amend the U.S. SAFE WEB Act of 2006 to provide for reporting with 
respect to cross-border complaints involving ransomware or other cyber-
                related attacks, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Reporting Attacks from Nations 
Selected for Oversight and Monitoring Web Attacks and Ransomware from 
Enemies Act'' or the ``RANSOMWARE Act''.

SEC. 2. RANSOMWARE AND OTHER CYBER-RELATED ATTACKS.

    Section 14 of the U.S. SAFE WEB Act of 2006 (Public Law 109-455; 
120 Stat. 3382) is amended--
            (1) in the matter preceding paragraph (1)--
                    (A) by striking ``Not later than 3 years after the 
                date of enactment of this Act,'' and inserting ``Not 
                later than 1 year after the date of enactment of the 
                Reporting Attacks from Nations Selected for Oversight 
                and Monitoring Web Attacks and Ransomware from Enemies 
                Act, and every 2 years thereafter,''; and
                    (B) by inserting ``, with respect to the 2-year 
                period preceding the date of the report (or, in the 
                case of the first report transmitted under this section 
                after the date of the enactment of the Reporting 
                Attacks from Nations Selected for Oversight and 
                Monitoring Web Attacks and Ransomware from Enemies Act, 
                the 1-year period preceding the date of the report)'' 
                after ``include'';
            (2) in paragraph (8), by striking ``; and'' and inserting a 
        semicolon;
            (3) in paragraph (9), by striking the period at the end and 
        inserting ``; and''; and
            (4) by adding at the end the following:
            ``(10) the number and details of cross-border complaints 
        received by the Commission that involve ransomware or other 
        cyber-related attacks--
                    ``(A) that were committed by individuals located in 
                foreign countries or with ties to foreign countries; 
                and
                    ``(B) that were committed by companies located in 
                foreign countries or with ties to foreign countries.''.

SEC. 3. REPORT ON RANSOMWARE AND OTHER CYBER-RELATED ATTACKS BY CERTAIN 
              FOREIGN INDIVIDUALS, COMPANIES, AND GOVERNMENTS.

    (a) In General.--Not later than 1 year after the date of the 
enactment of this Act, and every 2 years thereafter, the Federal Trade 
Commission shall transmit to the Committee on Energy and Commerce of 
the House of Representatives and the Committee on Commerce, Science, 
and Transportation of the Senate a report describing its use of and 
experience with the authority granted by the U.S. SAFE WEB Act of 2006 
(Public Law 109-455) and the amendments made by such Act. The report 
shall include the following:
            (1) The number and details of cross-border complaints 
        received by the Commission (including which such complaints 
        were acted upon and which such complaints were not acted upon) 
        that relate to incidents that were committed by individuals, 
        companies, or governments described in subsection (b), broken 
        down by each type of individual, type of company, or government 
        described in a paragraph of such subsection.
            (2) The number and details of cross-border complaints 
        received by the Commission (including which such complaints 
        were acted upon and which such complaints were not acted upon) 
        that involve ransomware or other cyber-related attacks that 
        were committed by individuals, companies, or governments 
        described in subsection (b), broken down by each type of 
        individual, type of company, or government described in a 
        paragraph of such subsection.
            (3) A description of trends in the number of cross-border 
        complaints received by the Commission that relate to incidents 
        that were committed by individuals, companies, or governments 
        described in subsection (b), broken down by each type of 
        individual, type of company, or government described in a 
        paragraph of such subsection.
            (4) Identification and details of foreign agencies 
        (including foreign law enforcement agencies (as defined in 
        section 4 of the Federal Trade Commission Act (15 U.S.C. 44))) 
        located in Russia, China, North Korea, or Iran with which the 
        Commission has cooperated and the results of such cooperation, 
        including any foreign agency enforcement action or lack 
        thereof.
            (5) A description of Commission litigation, in relation to 
        cross-border complaints described in paragraphs (1) and (2), 
        brought in foreign courts and the results of such litigation.
            (6) Any recommendations for legislation that may advance 
        the mission of the Commission in carrying out the U.S. SAFE WEB 
        Act of 2006 and the amendments made by such Act.
            (7) Any recommendations for legislation that may advance 
        the security of the United States and United States companies 
        against ransomware and other cyber-related attacks.
            (8) Any recommendations for United States citizens and 
        United States businesses to implement best practices on 
        mitigating ransomware and other cyber-related attacks.
    (b) Individuals, Companies, and Governments Described.--The 
individuals, companies, and governments described in this subsection 
are the following:
            (1) An individual located within Russia or with direct or 
        indirect ties to the Government of the Russian Federation.
            (2) A company located within Russia or with direct or 
        indirect ties to the Government of the Russian Federation.
            (3) The Government of the Russian Federation.
            (4) An individual located within China or with direct or 
        indirect ties to the Government of the People's Republic of 
        China.
            (5) A company located within China or with direct or 
        indirect ties to the Government of the People's Republic of 
        China.
            (6) The Government of the People's Republic of China.
            (7) An individual located within North Korea or with direct 
        or indirect ties to the Government of the Democratic People's 
        Republic of Korea.
            (8) A company located within North Korea or with direct or 
        indirect ties to the Government of the Democratic People's 
        Republic of Korea.
            (9) The Government of the Democratic People's Republic of 
        Korea.
            (10) An individual located within Iran or with direct or 
        indirect ties to the Government of the Islamic Republic of 
        Iran.
            (11) A company located within Iran or with direct or 
        indirect ties to the Government of the Islamic Republic of 
        Iran.
            (12) The Government of the Islamic Republic of Iran.

            Passed the House of Representatives July 27, 2022.

            Attest:

                                             CHERYL L. JOHNSON,

                                                                 Clerk.