

116 S2666 IS: Sanction and Stop Ransomware Act of 2021
U.S. Senate
2021-08-05
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



II
117th CONGRESS
1st Session
S. 2666

IN THE SENATE OF THE UNITED STATES

August 5, 2021

Mr. Rubio (for himself and Mrs. Feinstein) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

A BILL

To address threats relating to ransomware, and for other purposes.

1. Short title
This Act may be cited as the “Sanction and Stop Ransomware Act of 2021”.

2. Cybersecurity standards for critical infrastructure
(a) In general
Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:

  “Subtitle C—Cybersecurity standards for critical infrastructure

  Sec. 2231. Definition of critical infrastructure entity
  In this subtitle, the term ‘critical infrastructure entity’ means an owner or operator of critical infrastructure.

  Sec. 2232. Cybersecurity standards
  (a) In general
  The Secretary, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop and promulgate mandatory cybersecurity standards for critical infrastructure entities.
  (b) Harmonization and incorporation
  In developing the cybersecurity standards required under subsection (a), the Secretary shall—
    (1) to the greatest extent practicable, ensure the cybersecurity standards are consistent with Federal regulations existing as of the date of enactment of the Sanction and Stop Ransomware Act of 2021; and
    (2) in coordination with the Director of the National Institute of Standards and Technology, ensure that the cybersecurity standards incorporate, to the greatest extent practicable, the standards developed with facilitation and support from the Director of the National Institute of Standards and Technology under section 2(c)(15) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)(15)).
  (c) Compliance assessment
  Not less frequently than annually, the Secretary, in coordination with the heads of Sector Risk Management Agencies, shall assess the compliance of each critical infrastructure entity with the cybersecurity standards developed under subsection (a).”.

(b) Technical and conforming amendment
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by adding at the end the following:

  “Subtitle C—Cybersecurity standards for critical infrastructure
  “Sec. 2231. Definition of critical infrastructure entity.
  “Sec. 2232. Cybersecurity standards.”.

3. Regulation of cryptocurrency exchanges
(a) Secretary of the Treasury
Not later than 180 days after the date of enactment of this Act, the Secretary of the Treasury shall—
  (1) develop and institute regulatory requirements for cryptocurrency exchanges operating within the United States to reduce the anonymity of users and accounts suspected of ransomware activity and make records available to the Federal Government in connection with ransomware incidents; and
  (2) submit to Congress a report with any recommendations that may be necessary regarding cryptocurrency exchanges used in conjunction with ransomware.
(b) Attorney General
The Attorney General shall determine what information should be preserved by cryptocurrency exchanges to facilitate law enforcement investigations.

4. Designation of state sponsors of ransomware and reporting requirements
(a) Designation of state sponsors of ransomware
  (1) In general
  Not later than 180 days after the date of the enactment of this Act, and annually thereafter, the Secretary of State, in consultation with the Director of National Intelligence, shall—
    (A) designate as a state sponsor of ransomware any country the government of which the Secretary has determined has provided support for ransomware demand schemes (including by providing safe haven for individuals engaged in such schemes);
    (B) submit to Congress a report
    listing the countries designated under subparagraph (A); and
    (C) in making designations under subparagraph (A), take into consideration the report submitted to Congress under section 5(c)(1).
  (2) Sanctions and penalties
  The President shall impose with respect to each state sponsor of ransomware designated under paragraph (1)(A) the sanctions and penalties imposed with respect to a state sponsor of terrorism.
  (3) State sponsor of terrorism defined
  In this subsection, the term “state sponsor of terrorism” means a country the government of which the Secretary of State has determined has repeatedly provided support for acts of international terrorism, for purposes of—
    (A) section 1754(c)(1)(A)(i) of the Export Control Reform Act of 2018 (50 U.S.C. 4813(c)(1)(A)(i));
    (B) section 620A of the Foreign Assistance Act of 1961 (22 U.S.C. 2371);
    (C) section 40(d) of the Arms Export Control Act (22 U.S.C. 2780(d)); or
    (D) any other provision of law.
(b) Reporting requirements
  (1) Sanctions relating to ransomware report
  Not later than 180 days after the date of the enactment of this Act, the Secretary of the Treasury shall submit a report to Congress that describes, for each of the 5 fiscal years immediately preceding the date of such report, the number and geographic locations of individuals, groups, and entities subject to sanctions imposed by the Office of Foreign Assets Control who were subsequently determined to have been involved in a ransomware demand scheme.
  (2) Country of origin report
  The Secretary of State, in consultation with the Director of National Intelligence and the Director of the Federal Bureau of Investigation, shall—
    (A) submit a report, with a classified annex, to the Committee on Foreign Relations of the Senate, the Select Committee on Intelligence of the Senate, the Committee on Foreign Affairs of the House of Representatives, and the Permanent Select Committee on Intelligence of the House of Representatives that identifies the country of origin of foreign-based ransomware attacks; and
    (B) make the report described in subparagraph (A) (excluding the classified annex) available to the public.
  (3) Investigative authorities report
  Not later than 180 days after the date of the enactment of this Act, the Comptroller General of the United States shall issue a report that outlines the authorities available to the Federal Bureau of Investigation, the United States Secret Service, the Cybersecurity and Infrastructure Security Agency, the Homeland Security Investigations, and the Office of Foreign Assets Control to respond to foreign-based ransomware attacks.

5. Deeming ransomware threats to critical infrastructure as a national intelligence priority
(a) Critical infrastructure defined
In this section, the term “critical infrastructure” has the meaning given such term in subsection (e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)).
(b) Ransomware threats to critical infrastructure as national intelligence priority
The Director of National Intelligence, pursuant to the provisions of the National Security Act of 1947 (50 U.S.C. 3001 et seq.), the Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108–458), section 1.3(b)(17) of Executive Order 12333 (50 U.S.C. 3001 note; relating to United States intelligence activities), as in effect on the day before the date of the enactment of this Act, and National Security Presidential Directive–26 (February 24, 2003; relating to intelligence priorities), as in effect on the day before the date of the enactment of this Act, shall deem ransomware threats to critical infrastructure a national intelligence priority component to the National Intelligence Priorities Framework.
(c) Report
  (1) In general
  Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence shall, in consultation with the Director of the Federal Bureau of Investigation, submit to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives a report on the implications of the ransomware threat to United States national security.
  (2) Contents
  The report submitted under paragraph (1) shall address the following:
    (A) Identification of individuals, groups, and entities who pose the most significant threat, including attribution to individual ransomware attacks whenever possible.
    (B) Locations from where individuals, groups, and entities conduct ransomware attacks.
    (C) The infrastructure, tactics, and techniques ransomware actors commonly use.
    (D) Any relationships between the individuals, groups, and entities that conduct ransomware attacks and their governments or countries of origin that could impede the ability to counter ransomware threats.
    (E) Intelligence gaps that have impeded, or currently are impeding, the ability to counter ransomware threats.
  (3) Form
  The report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

6. Ransomware operation reporting capabilities
(a) In general
Title XXII of the Homeland Security Act of 2002 (6 U.S.C.
651 et seq.), as amended by section 2(a), is amended by adding at the end the following:

  “Subtitle D—Ransomware Operation Reporting Capabilities

  Sec. 2241. Definitions
  In this subtitle:
    (1) Definitions from section 2201
    The definitions in section 2201 shall apply to this subtitle, except as otherwise provided.
    (2) Agency
    The term ‘Agency’ means the Cybersecurity and Infrastructure Security Agency.
    (3) Appropriate congressional committees
    The term ‘appropriate congressional committees’ means—
      (A) the Committee on Homeland Security and Governmental Affairs of the Senate;
      (B) the Select Committee on Intelligence of the Senate;
      (C) the Committee on the Judiciary of the Senate;
      (D) the Committee on Homeland Security of the House of Representatives;
      (E) the Permanent Select Committee on Intelligence of the House of Representatives; and
      (F) the Committee on the Judiciary of the House of Representatives.
    (4) Covered entity
    The term ‘covered entity’ means—
      (A) a Federal contractor;
      (B) an owner or operator of critical infrastructure;
      (C) a non-government entity that provides cybersecurity incident response services; and
      (D) any other entity determined appropriate by the Secretary, in coordination with the head of any other appropriate department or agency.
    (5) Critical function
    The term ‘critical function’ means any action or operation that is necessary to maintain critical infrastructure.
    (6) Director
    The term ‘Director’ means the Director of the Cybersecurity and Infrastructure Security Agency.
    (7) Federal agency
    The term ‘Federal agency’ has the meaning given the term ‘agency’ in section 3502 of title 44, United States Code.
    (8) Federal contractor
    The term ‘Federal contractor’—
      (A) means a contractor or subcontractor (at any tier) of the United States Government; and
      (B) does not include a contractor or subcontractor that is a party only to—
        (i) a service contract to provide housekeeping or custodial services; or
        (ii) a contract to provide products or services unrelated to information technology that is below the micro-purchase threshold (as defined in section 2.101 of title 48, Code of Federal Regulations, or any successor thereto).
    (9) Information technology
    The term ‘information technology’ has the meaning given the term in section 11101 of title 40, United States Code.
    (10) Ransomware
    The term ‘ransomware’ means any type of malicious software that—
      (A) prevents the legitimate owner or operator of an information system or network from accessing electronic data, files, systems, or networks; and
      (B) demands the payment of a ransom for the return of access to the electronic data, files, systems, or networks described in subparagraph (A).
    (11) Ransomware notification
    The term ‘ransomware notification’ means a notification of a ransomware operation.
    (12) Ransomware operation
    The term ‘ransomware operation’ means a specific instance in which ransomware affects the information systems or networks owned or operated by—
      (A) a covered entity; or
      (B) a Federal agency.
    (13) System
    The term ‘System’ means the ransomware operation reporting capabilities established under section 2242(b).

  Sec. 2242. Establishment of ransomware operation reporting system
  (a) Designation
  The Agency shall be the designated agency within the Federal Government to receive ransomware operation notifications from other Federal agencies and covered entities in accordance with this subtitle.
  (b) Establishment
  Not later than 180 days after the date of enactment of this subtitle, the Director shall establish ransomware operation reporting capabilities to facilitate the submission of timely, secure, and confidential ransomware notifications by Federal agencies and covered entities to the Agency.
  (c) Security assessment
  The Director shall—
    (1) assess the security of the System not less frequently than once every 2 years; and
    (2) as soon as is practicable after conducting an assessment under paragraph (1), make any necessary corrective measures to the System.
  (d) Requirements
  The System shall have the ability—
    (1) to accept classified submissions and notifications; and
    (2) to accept a ransomware notification from any entity, regardless of whether the entity is a covered entity.
  (e) Limitations on use of information
  Any ransomware notification submitted to the System—
    (1) shall be exempt from disclosure under—
      (A) section 552 of title 5, United States Code (commonly referred to as the ‘Freedom of Information Act’), in accordance with subsection (b)(3)(B) of such section 552; and
      (B) any State, Tribal, or local law requiring the disclosure of information or records; and
    (2) may not be—
      (A) admitted as evidence in any civil or criminal action brought against the victim of the ransomware operation; or
      (B) subject to a subpoena, unless the subpoena is issued by Congress for congressional oversight purposes.
  (f) Privacy and protection
    (1) In general
    Not later than the date on which the Director establishes the System, the Director shall adopt privacy and protection procedures for any information submitted to the System that, at the time of the submission, is known to contain—
      (A) the personal information of a specific individual; or
      (B) information that identifies a specific individual that is not directly related to a ransomware operation.
    (2) Model for protections
    The Director shall base the privacy and protection procedures adopted under paragraph (1) on the privacy and protection procedures developed for information received and shared pursuant to the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.).
  (g) Annual reports
    (1) Director reporting requirement
    Not later than 1 year after the date on which the System is established and once each year thereafter, the Director shall submit to the appropriate congressional committees a report on the System, which shall include, with respect to the 1-year period preceding the report—
      (A) the number of notifications received through the System; and
      (B) the actions taken in connection with the notifications described in subparagraph (A).
    (2) Secretary reporting requirement
    Not later than 1 year after the date on which the System is established, and once each year thereafter, the Secretary shall submit to the appropriate congressional committees a report on the types of ransomware operation information and incidents in which ransom is requested that are required to be submitted as a ransomware notification, noting any changes from the previous submission.
    (3) Form
    Any report required under this subsection may be submitted in a classified form, if necessary.

  Sec. 2243. Required notifications
  (a) In general
    (1) Ransomware notification
    Not later than 24 hours after the discovery of a ransomware operation that compromises, is reasonably likely to compromise, or otherwise materially affects the performance of a critical function by a Federal agency or covered entity, the Federal agency or covered entity that discovered the ransomware operation shall submit a ransomware notification to the System.
    (2) Inclusion
    A Federal agency or covered entity shall submit a ransomware notification under paragraph (1) of a ransomware operation discovered by the Federal agency or covered entity even if the ransomware operation does not occur on a system of the Federal agency or covered entity.
  (b) Required updates
  A Federal agency or covered entity that submits a ransomware notification under subsection (a) shall, upon discovery of new information and not less frequently than once every 5 days until the date on which the ransomware operation is mitigated and any follow-up investigation is completed, submit updated ransomware threat information to the System.
  (c) Payment disclosure
  Not later than 24 hours after a Federal agency or covered entity issues a ransom payment relating to a ransomware operation, the Federal agency or covered entity shall submit to the System details of the ransom payment, including—
    (1) the method of payment;
    (2) the amount of the payment; and
    (3) the recipient of the payment.
  (d) Required rulemaking
  Notwithstanding any provision of this title that may limit or restrict the promulgation of rules, not later than 180 days after the date of enactment of this subtitle, the Secretary, acting through the Director, in coordination with the Director of National Intelligence and the Attorney General, without regard to the notice and comment rule making requirements under section 553 of title 5, United States Code, and accepting comments after the effective date, shall promulgate interim final rules that define—
    (1) the conditions under which a ransomware notification is required to be submitted under subsection (a)(1);
    (2) the ransomware operation information that shall be included in a ransomware notification required under this section; and
    (3) the information that shall be included in a ransom payment disclosure required under subsection (c).
  (e) Required coordination with Sector Risk Management Agencies
  The Secretary, in coordination with the head of each Sector Risk Management Agency, shall—
    (1) establish a set of reporting criteria for Sector Risk Management Agencies to submit ransomware notifications to the System; and
    (2) take steps to harmonize the criteria described in paragraph (1) with the regulatory reporting requirements in effect on the date of enactment of this subtitle.
  (f) Protection from liability
  Section 106 of the Cybersecurity Act of 2015 (6 U.S.C. 1505) shall apply to a Federal agency or covered entity required to submit a ransomware notification to the System.
  (g) Enforcement
    (1) Covered entities
    If a covered entity violates the requirements of this subtitle, the covered entity shall be subject to penalties determined by the Administrator of the General Services Administration, which may include removal from the Federal Contracting Schedules.
    (2) Federal agencies
    If a Federal agency violates the requirements of this subtitle, the violation shall be referred to the inspector general for the agency, and shall be treated as a matter of urgent concern.”.

(b) Table of contents
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135), as amended by section 2(b), is further amended by adding at the end the following:

  “Subtitle D—Ransomware Operation Reporting Capabilities
  “Sec. 2241. Definitions.
  “Sec. 2242. Establishment of ransomware operation reporting system.
  “Sec. 2243. Required notifications.”.

(c) Technical and conforming amendments
Section 2202(c) of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended—
  (1) by redesignating the second and third paragraphs (12) as paragraphs (14) and (15), respectively; and
  (2) by inserting before paragraph (14), as so redesignated, the following:
    “(13) carry out the responsibilities described in subtitle D relating to the ransomware operation reporting system;”.

7. Duties of the Cybersecurity and Infrastructure Security Agency
(a) In general
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—
  (1) by redesignating section 2217 (6 U.S.C. 665f) as section 2220;
  (2) by redesignating section 2216 (6 U.S.C. 665e) as section 2219;
  (3) by redesignating the fourth section 2215 (relating to Sector Risk Management Agencies) (6 U.S.C. 665d) as section 2218;
  (4) by redesignating the third section 2215 (relating to the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section 2217;
  (5) by redesignating the second section 2215 (relating to the Joint Cyber Planning Office) (6 U.S.C.
665b) as section 2216; and
  (6) by adding after section 2220, as so redesignated, the following:

  “Sec. 2220A. Information System and Network Security Fund
  (a) Definitions
  In this section:
    (1) Covered entity
    The term ‘covered entity’ has the meaning given the term in section 2241.
    (2) Eligible entity
    The term ‘eligible entity’—
      (A) means a covered entity; and
      (B) does not include an owner or operator of critical infrastructure that is not in compliance with the cybersecurity standards developed under section 2232(a).
    (3) Fund
    The term ‘Fund’ means the Information System and Network Security Fund established under subsection (b)(1).
  (b) Information System and Network Security Fund
    (1) Establishment
    There is established in the Treasury of the United States a trust fund to be known as the Information System and Network Security Fund.
    (2) Contents of Fund
      (A) In general
      The Fund shall consist of such amounts as may be appropriated for deposit in the Fund.
      (B) Availability
        (i) In general
        Amounts deposited in the Fund shall remain available through the end of the tenth fiscal year beginning after the date on which funds are first appropriated to the Fund.
        (ii) Remainder to Treasury
        Any unobligated balances in the Fund after the date described in clause (i) are rescinded and shall be transferred to the general fund of the Treasury.
    (3) Use of Fund
      (A) In general
      Amounts deposited in the Fund shall be available to the Director to distribute to eligible entities pursuant to this subsection, in such amounts as the Director determines appropriate, subject to subparagraph (B).
      (B) Distribution
      The amounts distributed to eligible entities under this paragraph shall be made for a specific network security purpose, including to enable network recovery from an event affecting the network cybersecurity of the eligible entity.
    (4) Administration of Fund
    The Director, in consultation with the Secretary and in coordination with the head of each Sector Risk Management Agency, shall—
      (A) establish criteria for distribution of amounts under paragraph (3); and
      (B) administer the Fund to support network security for eligible entities.
    (5) Report required
    For each fiscal year for which amounts in the Fund are available under this subsection, the Director shall submit to Congress a report that—
      (A) describes how, and to which eligible entities, amounts from the Fund have been distributed;
      (B) details the criteria established under paragraph (4)(A); and
      (C) includes any additional information that the Director determines appropriate, including projected requested appropriations for the next fiscal year.
  (c) Authorization of appropriations
  There are authorized to be appropriated for deposit in the Fund $1,500,000,000, which shall remain available until the last day of the tenth fiscal year beginning after the fiscal year during which funds are first appropriated for deposit in the Fund.

  Sec. 2220B. Public awareness of cybersecurity offerings
  (a) In general
  Not later than 180 days after the date of enactment of the Sanction and Stop Ransomware Act of 2021, the Director shall establish a public awareness campaign relating to the cybersecurity services of the Federal Government.
  (b) Authorization of appropriations
  There are authorized to be appropriated to the Director $10,000,000 for each of fiscal years 2022 through 2031 to carry out subsection (a).

  Sec. 2220C. Dark web analysis
  (a) Definition of dark web
  In this section, the term ‘dark web’ means a part of the internet that—
    (1) cannot be accessed through standard web browsers; and
    (2) requires specific software, configurations, or authorizations for access.
  (b) Authority to analyze
  The Director may monitor the internet, including the dark web, for evidence of a compromise to critical infrastructure.
  (c) Monitoring capabilities
  The Director shall develop, institute, and oversee capabilities to carry out the authority of the Director under subsection (b).
  (d) Notification
  If the Director finds credible evidence of a compromise to critical infrastructure under subsection (c), as soon as is practicable after the finding, the Director shall notify the owner or operator of the compromised critical infrastructure in a manner that protects the sources and methods that led to the finding of the compromise.”.

(b) Technical and conforming amendments
Section 2202(c) of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended—
  (1) in the first paragraph (12), by striking “section 2215” and inserting “section 2217”; and
  (2) by redesignating the second and third paragraphs (12) as paragraphs (13) and (14), respectively.
(c) Table of contents
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by striking the item relating to section 2214 and all that follows through the item relating to section 2217 and inserting the following:

  “Sec. 2214. National Asset Database.
  “Sec. 2215. Duties and authorities relating to .gov internet domain.
  “Sec. 2216. Joint Cyber Planning Office.
  “Sec. 2217. Cybersecurity State Coordinator.
  “Sec. 2218. Sector Risk Management Agencies.
  “Sec. 2219. Cybersecurity Advisory Committee.
  “Sec. 2220. Cybersecurity education and training programs.
  “Sec. 2220A. Information System and Network Security Fund.
  “Sec. 2220B. Public awareness of cybersecurity offerings.
  “Sec. 2220C. Dark web analysis.”.

(d) Additional technical amendment
  (1) Amendment
  Section 904(b)(1) of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260) is amended, in the matter preceding subparagraph (A), by striking “Homeland Security Act” and inserting “Homeland Security Act of 2002”.
  (2) Effective date
  The amendment made by paragraph (1) shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260).