[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9769 Introduced in House (IH)]

118th CONGRESS
  2d Session
                                H. R. 9769

    To ensure the security and integrity of United States critical 
infrastructure by establishing an interagency task force and requiring 
   a comprehensive report on the targeting of United States critical 
  infrastructure by People's Republic of China state-sponsored cyber 
                    actors, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 24, 2024

   Ms. Lee of Florida (for herself, Mr. Green of Tennessee, and Mr. 
  Moolenaar) introduced the following bill; which was referred to the 
                     Committee on Homeland Security

_______________________________________________________________________

                                 A BILL


 
    To ensure the security and integrity of United States critical 
infrastructure by establishing an interagency task force and requiring 
   a comprehensive report on the targeting of United States critical 
  infrastructure by People's Republic of China state-sponsored cyber 
                    actors, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening Cyber Resilience 
Against State-Sponsored Threats Act''.

SEC. 2. INTERAGENCY TASK FORCE AND REPORT ON THE TARGETING OF UNITED 
              STATES CRITICAL INFRASTRUCTURE BY PEOPLE'S REPUBLIC OF 
              CHINA STATE-SPONSORED CYBER ACTORS.

    (a) Interagency Task Force.--Not later than 120 days after the date 
of the enactment of this Act, the Secretary of Homeland Security, 
acting through the Director of the Cybersecurity and Infrastructure 
Security Agency (CISA) of the Department of Homeland Security, in 
consultation with the Attorney General, the Director of the Federal 
Bureau of Investigation, and the heads of appropriate Sector Risk 
Management Agencies as determined by the Director of CISA, shall 
establish a joint interagency task force (in this section referred to 
as the ``task force'') to facilitate collaboration and coordination 
among the Sector Risk Management Agencies assigned a Federal role or 
responsibility in National Security Memorandum-22, issued April 30, 
2024 (relating to critical infrastructure security and resilience), or 
any successor document, to detect, analyze, and respond to the 
cybersecurity threat posed by State-sponsored cyber actors, including 
Volt Typhoon, of the People's Republic of China by ensuring that such 
agencies' actions are aligned and mutually reinforcing.
    (b) Chairs.--
            (1) Chairperson.--The Director of CISA (or the Director of 
        CISA's designee) shall serve as the chairperson of the task 
        force.
            (2) Vice chairperson.--The Director of the Federal Bureau 
        of Investigation (or such Director's designee) shall serve as 
        the vice chairperson of the task force.
    (c) Composition.--
            (1) In general.--The task force shall consist of 
        appropriate representatives of the departments and agencies 
        specified in subsection (a).
            (2) Qualifications.--To materially assist in the activities 
        of the task force, representatives under paragraph (1) should 
        be subject matter experts who have familiarity and technical 
        expertise regarding cybersecurity, digital forensics, or threat 
        intelligence analysis, or in-depth knowledge of the tactics, 
        techniques, and procedures (TTPs) commonly used by State-
        sponsored cyber actors, including Volt Typhoon, of the People's 
        Republic of China.
    (d) Vacancy.--Any vacancy occurring in the membership of the task 
force shall be filled in the same manner in which the original 
appointment was made.
    (e) Establishment Flexibility.--To avoid redundancy, the task force 
may coordinate with any preexisting task force, working group, or 
cross-intelligence effort within the Homeland Security Enterprise or 
the intelligence community that has examined or responded to the 
cybersecurity threat posed by State-sponsored cyber actors, including 
Volt Typhoon, of the People's Republic of China.
    (f) Task Force Reports; Briefing.--
            (1) Initial report.--Not later than 540 days after the 
        establishment of the task force, the task force shall submit to 
        the appropriate congressional committees the first report 
        containing the initial findings, conclusions, and 
        recommendations of the task force.
            (2) Annual report.--Not later than one year after the date 
        of the submission of the initial report under paragraph (1) and 
        annually thereafter for five years, the task force shall submit 
        to the appropriate congressional committees an annual report 
        containing the findings, conclusions, and recommendations of 
        the task force.
            (3) Contents.--The reports under this subsection shall 
        include the following:
                    (A) An assessment at the lowest classification 
                feasible of the sector-specific risks, trends relating 
                to incidents impacting sectors, and tactics, 
                techniques, and procedures utilized by or relating to 
                State-sponsored cyber actors, including Volt Typhoon, 
                of the People's Republic of China.
                    (B) An assessment of additional resources and 
                authorities needed by Federal departments and agencies 
                to better counter the cybersecurity threat posed by 
                State-sponsored cyber actors, including Volt Typhoon, 
                of the People's Republic of China.
                    (C) A classified assessment of the extent of 
                potential destruction, compromise, or disruption to 
                United States critical infrastructure by State-
                sponsored cyber actors, including Volt Typhoon, of the 
                People's Republic of China in the event of a major 
                crisis or future conflict between the People's Republic 
                of China and the United States.
                    (D) A classified assessment of the ability of the 
                United States to counter the cybersecurity threat posed 
                by State-sponsored cyber actors, including Volt 
                Typhoon, of the People's Republic of China in the event 
                of a major crisis or future conflict between the 
                People's Republic of China and the United States, 
                including with respect to different cybersecurity 
                measures and recommendations that could mitigate such a 
                threat.
                    (E) A classified assessment of the ability of 
                State-sponsored cyber actors, including Volt Typhoon, 
                of the People's Republic of China to disrupt operations 
                of the United States Armed Forces by hindering mobility 
                across critical infrastructure such as rail, aviation, 
                and ports, including how such would impair the ability 
                of the United States Armed Forces to deploy and 
                maneuver forces effectively.
                    (F) A classified assessment of the economic and 
                social ramifications of a disruption to one or multiple 
                United States critical infrastructure sectors by State-
                sponsored cyber actors, including Volt Typhoon, of the 
                People's Republic of China in the event of a major 
                crisis or future conflict between the People's Republic 
                of China and the United States.
                    (G) Such recommendations as the task force may have 
                for the Homeland Security Enterprise, the intelligence 
                community, or critical infrastructure owners and 
                operators to improve the detection and mitigation of 
                the cybersecurity threat posed by State-sponsored cyber 
                actors, including Volt Typhoon, of the People's 
                Republic of China.
                    (H) A one-time plan for an awareness campaign to 
                familiarize critical infrastructure owners and 
                operators with security resources and support offered 
                by Federal departments and agencies to mitigate the 
                cybersecurity threat posed by State-sponsored cyber 
                actors, including Volt Typhoon, of the People's 
                Republic of China.
            (4) Briefing.--Not later than 30 days after the date of the 
        submission of each report under this subsection, the task force 
        shall provide to the appropriate congressional committees a 
        classified briefing on the findings, conclusions, and 
        recommendations of the task force.
            (5) Form.--Each report under this subsection shall be 
        submitted in classified form, consistent with the protection of 
        intelligence sources and methods, but may include an 
        unclassified executive summary.
            (6) Publication.--The unclassified executive summary of 
        each report required under this subsection shall be published 
        on a publicly accessible website of the Department of Homeland 
        Security.
    (g) Access to Information.--
            (1) In general.--The Secretary of Homeland Security, the 
        Director of CISA, the Attorney General, the Director of the 
        Federal Bureau of Investigation, and the heads of appropriate 
        Sector Risk Management Agencies, as determined by the Director 
        of CISA, shall provide to the task force such information, 
        documents, analysis, assessments, findings, evaluations, 
        inspections, audits, or reviews relating to efforts to counter 
        the cybersecurity threat posed by State-sponsored cyber actors, 
        including Volt Typhoon, of the People's Republic of China as 
        the task force considers necessary to carry out this section.
            (2) Receipt, handling, storage, and dissemination.--
        Information, documents, analysis, assessments, findings, 
        evaluations, inspections, audits, and reviews described in this 
        subsection shall be received, handled, stored, and disseminated 
        only by members of the task force consistent with all 
        applicable statutes, regulations, and executive orders.
            (3) Security clearances for task force members.--No member 
        of the task force may be provided with access to classified 
        information under this section without the appropriate security 
        clearances.
    (h) Termination.--The task force, and all the authorities of this 
section, shall terminate on the date that is 60 days after the final 
briefing required under subsection (h)(4).
    (i) Exemption From FACA.--Chapter 10 of title 5, United States Code 
(commonly referred to as the ``Federal Advisory Committee Act''), shall 
not apply to the task force.
    (j) Exemption From Paperwork Reduction Act.--Chapter 35 of title 
44, United States Code (commonly known as the ``Paperwork Reduction 
Act''), shall not apply to the task force.
    (k) Definitions.--In this section:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security, the 
                Committee on Judiciary, and the Select Committee on 
                Intelligence of the House of Representatives; and
                    (B) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on Judiciary, and 
                the Select Committee on Intelligence of the Senate.
            (2) Assets.--The term ``assets'' means a person, structure, 
        facility, information, material, equipment, network, or 
        process, whether physical or virtual, that enables an 
        organization's services, functions, or capabilities.
            (3) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given such term in section 
        1016(e) of Public Law 107-56 (42 U.S.C. 5195c(e)).
            (4) Cybersecurity threat.--The term ``cybersecurity 
        threat'' has the meaning given such term in section 2200 of the 
        Homeland Security Act of 2002 (6 U.S.C. 650).
            (5) Homeland security enterprise.--The term ``Homeland 
        Security Enterprise'' has the meaning given such term in 
        section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 
        650).
            (6) Incident.--The term ``incident'' has the meaning given 
        such term in section 2200 of the Homeland Security Act of 2002 
        (6 U.S.C. 650).
            (7) Information sharing.--The term ``information sharing'' 
        means the bidirectional sharing of timely and relevant 
        information concerning a cybersecurity threat posed by a State-
        sponsored cyber actor of the People's Republic of China to 
        United States critical infrastructure.
            (8) Intelligence community.--The term ``intelligence 
        community'' has the meaning given such term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).
            (9) Locality.--The term ``locality'' means any local 
        government authority or agency or component thereof within a 
        State having jurisdiction over matters at a county, municipal, 
        or other local government level.
            (10) Sector.--The term ``sector'' means a collection of 
        assets, systems, networks, entities, or organizations that 
        provide or enable a common function for national security 
        (including national defense and continuity of Government), 
        national economic security, national public health or safety, 
        or any combination thereof.
            (11) Sector risk management agency.--The term ``Sector Risk 
        Management Agency'' has the meaning given such term in section 
        2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
            (12) State.--The term ``State'' means any State of the 
        United States, the District of Columbia, the Commonwealth of 
        Puerto Rico, the Northern Mariana Islands, the United States 
        Virgin Islands, Guam, American Samoa, and any other territory 
        or possession of the United States.
            (13) Systems.--The term ``systems'' means a combination of 
        personnel, structures, facilities, information, materials, 
        equipment, networks, or processes, whether physical or virtual, 
        integrated or interconnected for a specific purpose that 
        enables an organization's services, functions, or capabilities.
            (14) United states.--The term ``United States'', when used 
        in a geographic sense, means any State of the United States.
            (15) Volt typhoon.--The term ``Volt Typhoon'' means the 
        People's Republic of China State-sponsored cyber actor 
        described in the Cybersecurity and Infrastructure Security 
        Agency cybersecurity advisory entitled ``PRC State-Sponsored 
        Actors Compromise and Maintain Persistent Access to U.S. 
        Critical Infrastructure'', issued on February 07, 2024, or any 
        successor advisory.