[Congressional Record Volume 147, Number 125 (Monday, September 24, 2001)]
[Senate]
[Pages S9742-S9744]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BENNETT (for himself and Mr. Kyl):
  S. 1456. A bill to facilitate the security of the critical 
infrastructure of the United States, to encourage the secure disclosure 
and protected exchange of critical infrastructure information, to 
enhance the analysis, prevention, and detection of attacks on critical 
infrastructure, to enhance the recovery from such attacks, and for 
other purposes; to the Committee on Governmental Affairs.
  Mr. BENNETT. Mr. President, I ask unanimous consent that the text of 
the bill be printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1456

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Critical Infrastructure 
     Information Security Act of 2001''.

     SEC. 2. FINDINGS.

       Congress makes the following findings:
       (1) The critical infrastructures that underpin our society, 
     national defense, economic

[[Page S9743]]

     prosperity, and quality of life--including energy, banking 
     and finance, transportation, vital human services, and 
     telecommunications--must be viewed in a new context in the 
     Information Age.
       (2) The rapid proliferation and integration of 
     telecommunications and computer systems have connected 
     infrastructures to one another in a complex global network of 
     interconnectivity and interdependence. As a result, new 
     vulnerabilities to such systems and infrastructures have 
     emerged, such as the threat of physical and cyber attacks 
     from terrorists or hostile states. These attacks could 
     disrupt the economy and endanger the security of the United 
     States.
       (3) The private sector, which owns and operates the 
     majority of these critical infrastructures, and the Federal 
     Government, which has unique information and analytical 
     capabilities, could both greatly benefit from cooperating in 
     response to threats, vulnerabilities, and actual attacks to 
     critical infrastructures by sharing information and analysis.
       (4) The private sector is hesitant to share critical 
     infrastructure information with the Federal Government 
     because--
       (A) Federal law provides no clear assurance that critical 
     infrastructure information voluntarily submitted to the 
     Federal Government will be protected from disclosure or 
     misuse;
       (B) the framework of the Federal Government for critical 
     infrastructure information sharing and analysis is not 
     sufficiently developed; and
       (C) concerns about possible prosecution under the antitrust 
     laws inhibit some companies from partnering with other 
     industry members, including competitors, to develop 
     cooperative infrastructure security strategies.
       (5) Statutory nondisclosure provisions that qualify as 
     Exemption 3 statutes under section 552 of title 5, United 
     States Code (commonly referred to as the Freedom of 
     Information Act), many of them longstanding, prohibit 
     disclosure of numerous classes of information under that Act. 
     These statutes cover specific and narrowly defined classes of 
     information and are consistent with the principles of free 
     and open government that that Act seeks to facilitate.
       (6) Since the infrastructure information that this Act 
     covers is not normally in the public domain, preventing 
     public disclosure of this sensitive information serves the 
     greater good by promoting national security and economic 
     stability.

     SEC. 3. PURPOSE.

       The purpose of this Act is to foster improved security of 
     critical infrastructure by--
       (1) promoting the increased sharing of critical 
     infrastructure information both between private sector 
     entities and between the Federal Government and the private 
     sector; and
       (2) encouraging the private sector and the Federal 
     Government to conduct better analysis of critical 
     infrastructure information in order to prevent, detect, warn 
     of, and respond to incidents involving critical 
     infrastructure.

     SEC. 4. DEFINITIONS.

       In this Act:
       (1) Agency.--The term ``agency'' has the meaning given that 
     term in section 551 of title 5, United States Code.
       (2) Critical infrastructure.--The term ``critical 
     infrastructure''--
       (A) means physical and cyber-based systems and services 
     essential to the national defense, government, or economy of 
     the United States, including systems essential for 
     telecommunications (including voice and data transmission and 
     the Internet), electrical power, gas and oil storage and 
     transportation, banking and finance, transportation, water 
     supply, emergency services (including medical, fire, and 
     police services), and the continuity of government 
     operations; and
       (B) includes any industry sector designated by the 
     President pursuant to the National Security Act of 1947 (50 
     U.S.C. 401 et seq.) or the Defense Production Act of 1950 (50 
     U.S.C. App. 2061 et seq.) as essential to provide resources 
     for the execution of the national security strategy of the 
     United States, including emergency preparedness activities 
     pursuant to title VI of the Robert T. Stafford Disaster 
     Relief and Emergency Assistance Act (42 U.S.C. 5195 et seq.).
       (3) Critical infrastructure information.--The term 
     ``critical infrastructure information'' means information 
     related to--
       (A) the ability of any protected system or critical 
     infrastructure to resist interference, compromise, or 
     incapacitation by either physical or computer-based attack or 
     other similar conduct that violates Federal, State, or local 
     law, harms interstate commerce of the United States, or 
     threatens public health or safety;
       (B) any planned or past assessment, projection, or estimate 
     of the security vulnerability of a protected system or 
     critical infrastructure, including security testing, risk 
     evaluation, risk management planning, or risk audit;
       (C) any planned or past operational problem or solution, 
     including repair, recovery, reconstruction, insurance, or 
     continuity, related to the security of a protected system or 
     critical infrastructure; or
       (D) any threat to the security of a protected system or 
     critical infrastructure.
       (4) Information sharing and analysis organization.--The 
     term ``Information Sharing and Analysis Organization'' means 
     any formal or informal entity or collaboration created by 
     public or private sector organizations, and composed 
     primarily of such organizations, for purposes of--
       (A) gathering and analyzing critical infrastructure 
     information in order to better understand security problems 
     related to critical infrastructure and protected systems, and 
     interdependencies of critical infrastructure and protected 
     systems, so as to ensure the availability, integrity, and 
     reliability of critical infrastructure and protected systems;
       (B) communicating or disclosing critical infrastructure 
     information to help prevent, detect, mitigate, or recover 
     from the effects of a problem related to critical 
     infrastructure or protected systems; and
       (C) voluntarily disseminating critical infrastructure 
     information to entity members, other Information Sharing and 
     Analysis Organizations, the Federal Government, or any 
     entities which may be of assistance in carrying out the 
     purposes specified in subparagraphs (A) and (B).
       (5) Protected system.--The term ``protected system''--
       (A) means any service, physical or computer-based system, 
     process, or procedure that directly or indirectly affects a 
     facility of critical infrastructure; and
       (B) includes any physical or computer-based system, 
     including a computer, computer system, computer or 
     communications network, or any component hardware or element 
     thereof, software program, processing instructions, or 
     information or data in transmission or storage therein 
     (irrespective of storage medium).
       (6) Voluntary.--The term ``voluntary'', in the case of the 
     submittal of information or records to the Federal 
     Government, means the submittal of the information or records 
     in the absence of an agency's exercise of legal submission.

     SEC. 5. PROTECTION OF VOLUNTARILY SHARED CRITICAL 
                   INFRASTRUCTURE INFORMATION.

       (a) Protection.--
       (1) In general.--Notwithstanding any other provision of 
     law, critical infrastructure information that is voluntarily 
     submitted to a covered Federal agency for analysis, warning, 
     interdependency study, recovery, reconstitution, or other 
     informational purpose, when accompanied by an express 
     statement specified in paragraph (3)--
       (A) shall not be made available under section 552 of title 
     5, United States Code (commonly referred to as the Freedom of 
     Information Act);
       (B) may not, without the written consent of the person or 
     entity submitting such information, be used directly by such 
     agency, any other Federal, State, or local authority, or any 
     third party, in any civil action arising under Federal or 
     State law, unless such information is submitted in bad faith; 
     and
       (C) may not, without the written consent of the person or 
     entity submitting such information, be used for a purpose 
     other than the purpose of this Act, or disclosed by any 
     officer or employee of the United States, except pursuant to 
     the official duties of such officer or employee pursuant to 
     this Act.
       (2) Covered federal agency defined.--In paragraph (1), the 
     term ``covered Federal agency'' means the following:
       (A) The Department of Justice.
       (B) The Department of Defense.
       (C) The Department of Commerce.
       (D) The Department of Transportation.
       (E) The Department of the Treasury.
       (F) The Department of Health and Human Services.
       (G) The Department of Energy.
       (H) The Environmental Protection Agency.
       (I) The General Services Administration.
       (J) The Federal Communications Commission.
       (K) The Federal Emergency Management Agency.
       (L) The National Infrastructure Protection Center.
       (M) The National Communication System.
       (3) Express statement.--For purposes of paragraph (1), the 
     term ``express statement'', with respect to information or 
     records, means--
       (A) in the case of written information or records, a 
     written marking on the information or records as follows: 
     ``This information is voluntarily submitted to the Federal 
     Government in expectation of protection from disclosure under 
     the provisions of the Critical Infrastructure Information 
     Security Act of 2001.''; or
       (B) in the case of oral information, a statement, 
     substantially similar to the words specified in subparagraph 
     (A), to convey that the information is voluntarily submitted 
     to the Federal Government in expectation of protection from 
     disclosure under the provisions of this Act.
       (b) Independently Obtained Information.--Nothing in this 
     section shall be construed to limit or otherwise affect the 
     ability of the Federal Government to obtain and use under 
     applicable law critical infrastructure information obtained 
     by or submitted to the Federal Government in a manner not 
     covered by subsection (a).
       (c) Treatment of Voluntary Submittal of Information.--The 
     voluntary submittal to the Federal Government of information 
     or records that are protected from disclosure by this section 
     shall not be construed to constitute compliance with any 
     requirement to submit such information to a Federal agency 
     under any other provision of law.
       (d) Procedures.--

[[Page S9744]]

       (1) In general.--The Director of the Office of Management 
     and Budget shall, in consultation with appropriate 
     representatives of the National Security Council and the 
     Office of Science and Technology Policy, establish uniform 
     procedures for the receipt, care, and storage by Federal 
     agencies of critical infrastructure information that is 
     voluntarily submitted to the Federal Government. The 
     procedures shall be established not later than 90 days after 
     the date of the enactment of this Act.
       (2) Elements.--The procedures established under paragraph 
     (1) shall include mechanisms regarding--
       (A) the acknowledgement of receipt by Federal agencies of 
     critical infrastructure information that is voluntarily 
     submitted to the Federal Government, including confirmation 
     that such information is protected from disclosure under this 
     Act;
       (B) the marking of such information as critical 
     infrastructure information that is voluntarily submitted to 
     the Federal Government for purposes of this Act;
       (C) the care and storage of such information; and
       (D) the protection and maintenance of the confidentiality 
     of such information so as to permit, pursuant to section 6, 
     the sharing of such information within the Federal 
     Government, and the issuance of notices and warnings related 
     to protection of critical infrastructure.

     SEC. 6. NOTIFICATION, DISSEMINATION, AND ANALYSIS REGARDING 
                   CRITICAL INFRASTRUCTURE INFORMATION.

       (a) Notice Regarding Critical Infrastructure Security.--
       (1) In general.--A covered Federal agency (as specified in 
     section 5(a)(2)) receiving significant and credible 
     information under section 5 from a private person or entity 
     about the security of a protected system or critical 
     infrastructure of another known or identified private person 
     or entity shall, to the extent consistent with requirements 
     of national security or law enforcement, notify and convey 
     such information to such other private person or entity as 
     soon as reasonable after receipt of such information by the 
     agency.
       (2) Construction.--Paragraph (1) may not be construed to 
     require an agency to provide specific notice where doing so 
     would not be practicable, for example, based on the quantity 
     of persons or entities identified as having security 
     vulnerabilities. In instances where specific notice is not 
     practicable, the agency should take reasonable steps, 
     consistent with paragraph (1), to issue broadly disseminated 
     advisories or alerts.
       (b) Analysis of Information.--Upon receipt of critical 
     infrastructure information that is voluntarily submitted to 
     the Federal Government, the Federal agency receiving such 
     information shall--
       (1) share with appropriate covered Federal agencies (as so 
     specified) all such information that concerns actual attacks, 
     and threats and warnings of attacks, on critical 
     infrastructure and protected systems;
       (2) identify interdependencies; and
       (3) determine whether further analysis in concert with 
     other Federal agencies, or warnings under subsection (c), are 
     warranted.
       (c) Action Following Analysis.--
       (1) Authority to issue warnings.--As a result of analysis 
     of critical infrastructure information under subsection (b), 
     a Federal agency may issue warnings to individual companies, 
     targeted sectors, other governmental entities, or the general 
     public regarding potential threats to critical 
     infrastructure.
       (2) Form of warnings.--In issuing a warning under paragraph 
     (1), the Federal agency concerned shall take appropriate 
     actions to prevent the disclosure of the source of any 
     voluntarily submitted critical infrastructure information 
     that forms the basis for the warning.
       (d) Strategic Analyses of Potential Threats to Critical 
     Infrastructure.--
       (1) In general.--The President shall designate an element 
     in the Executive Branch--
       (A) to conduct strategic analyses of potential threats to 
     critical infrastructure; and
       (B) to submit reports on such analyses to Information 
     Sharing and Analysis Organizations and such other entities as 
     the President considers appropriate.
       (2) Strategic analyses.--
       (A) Information used.--In conducting strategic analyses 
     under paragraph (1)(A), the element designated to conduct 
     such analyses under paragraph (1) shall utilize a range of 
     critical infrastructure information voluntarily submitted to 
     the Federal Government by the private sector, as well as 
     applicable intelligence and law enforcement information.
       (B) Availability.--The President shall take appropriate 
     actions to ensure that, to the maximum extent practicable, 
     all critical infrastructure information voluntarily submitted 
     to the Federal Government by the private sector is available 
     to the element designated under paragraph (1) to conduct 
     strategic analyses under paragraph (1)(A).
       (C) Frequency.--Strategic analyses shall be conducted under 
     this paragraph with such frequency as the President considers 
     appropriate, and otherwise specifically at the direction of 
     the President.
       (3) Reports.--
       (A) In general.--Each report under paragraph (1)(B) shall 
     contain the following:
       (i) A description of currently recognized methods of 
     attacks on critical infrastructure.
       (ii) An assessment of the threats to critical 
     infrastructure that could develop over the year following 
     such report.
       (iii) An assessment of the lessons learned from responses 
     to previous attacks on critical infrastructure.
       (iv) Such other information on the protection of critical 
     infrastructure as the element conducting analyses under 
     paragraph (1) considers appropriate.
       (B) Form.--Reports under this paragraph may be in 
     classified or unclassified form, or both.
       (4) Construction.--Nothing in this subsection shall be 
     construed to modify or alter any responsibility of a Federal 
     agency under subsections (a) through (c).
       (e) Plan for Strategic Analyses of Threats to Critical 
     Infrastructure.--
       (1) Plan.--The President shall develop a plan for carrying 
     out strategic analyses of threats to critical infrastructure 
     through the element in the Executive Branch designated under 
     subsection (d)(1).
       (2) Elements.--The plan under paragraph (1) shall include 
     the following:
       (A) A methodology for the work under the plan of the 
     element referred to in paragraph (1), including the 
     development of expertise among the personnel of the element 
     charged with carrying out the plan and the acquisition by the 
     element of information relevant to the plan.
       (B) Mechanisms for the studying of threats to critical 
     infrastructure, and the issuance of warnings and 
     recommendations regarding such threats, including the 
     allocation of personnel and other resources of the element in 
     order to carry out those mechanisms.
       (C) An allocation of roles and responsibilities for the 
     work under the plan among the Federal agencies specified in 
     section 5(a)(2), including the relationship of such roles and 
     responsibilities.
       (3) Reports.--
       (A) Interim report.--The President shall submit to Congress 
     an interim report on the plan developed under paragraph (1) 
     not later than 120 days after the date of the enactment of 
     this Act.
       (B) Final report.--The President shall submit to Congress a 
     final report on the plan developed under paragraph (1), 
     together with a copy of the plan, not later than 180 days 
     after the date of the enactment of this Act.

     SEC. 7. ANTITRUST EXEMPTION FOR ACTIVITY INVOLVING AGREEMENTS 
                   ON CRITICAL INFRASTRUCTURE MATTERS.

       (a) Antitrust Exemption.--The antitrust laws shall not 
     apply to conduct engaged in by an Information Sharing and 
     Analysis Organization or its members, including making and 
     implementing an agreement, solely for purposes of--
       (1) gathering and analyzing critical infrastructure 
     information in order to better understand security problems 
     related to critical infrastructure and protected systems, and 
     interdependencies of critical infrastructure and protected 
     systems, so as to ensure the availability, integrity, and 
     reliability of critical infrastructure and protected systems;
       (2) communicating or disclosing critical infrastructure 
     information to help prevent, detect, mitigate, or recover 
     from the effects of a problem related to critical 
     infrastructure or protected systems; or
       (3) voluntarily disseminating critical infrastructure 
     information to entity members, other Information Sharing and 
     Analysis Organizations, the Federal Government, or any 
     entities which may be of assistance in carrying out the 
     purposes specified in paragraphs (1) and (2).
       (b) Exception.--Subsection (a) shall not apply with respect 
     to conduct that involves or results in an agreement to 
     boycott any person, to allocate a market, or to fix prices or 
     output.
       (c) Antitrust Laws Defined.--In this section, the term 
     ``antitrust laws''--
       (1) has the meaning given such term in subsection (a) of 
     the first section of the Clayton Act (15 U.S.C. 12(a)), 
     except that such term includes section 5 of the Federal Trade 
     Commission Act (15 U.S.C. 45) to the extent such section 5 
     applies to unfair methods of competition; and
       (2) includes any State law similar to the laws referred to 
     in paragraph (1).

     SEC. 8. NO PRIVATE RIGHT OF ACTION.

       Nothing in this Act may be construed to create a private 
     right of action for enforcement of any provision of this Act.
                                 ______