[Congressional Record Volume 149, Number 141 (Wednesday, October 8, 2003)]
[House]
[Pages H9319-H9320]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                GOVERNMENT NETWORK SECURITY ACT OF 2003

  Mr. TOM DAVIS of Virginia. Mr. Speaker, I move to suspend the rules 
and pass the bill (H.R. 3159) to require Federal agencies to develop 
and implement plans to protect the security and privacy of government 
computer systems from the risks posed by peer-to-peer file sharing, as 
amended.
  The Clerk read as follows:

                               H.R. 3159

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Government Network Security 
     Act of 2003''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) Peer-to-peer file sharing can pose security and privacy 
     threats to computers and networks by--
       (A) exposing classified and sensitive information that are 
     stored on computers or networks;
       (B) acting as a point of entry for viruses and other 
     malicious programs;
       (C) consuming network resources, which may result in a 
     degradation of network performance; and
       (D) exposing identifying information about host computers 
     that can be used by hackers to select potential targets.
       (2) The computers and networks of the Federal Government 
     use and store a wide variety of classified and sensitive 
     information, including--
       (A) information vital to national security, defense, law 
     enforcement, economic markets, public health, and the 
     environment; and
       (B) personal and financial information of citizens and 
     businesses that has been entrusted to the Federal Government.
       (3) Use of peer-to-peer file sharing on government 
     computers and networks can threaten the security and privacy 
     of the information on those computers and networks by 
     exposing the information to others using peer-to-peer file 
     sharing.
       (4) The House of Representatives and the Senate are using 
     methods to protect the security and privacy of congressional 
     computers and networks from the risks posed by peer-to-peer 
     file sharing.
       (5) Innovations in peer-to-peer technology for government 
     applications can be pursued on intragovernmental networks 
     that do not pose risks to network security.
       (6) In light of these considerations, Federal agencies need 
     to take prompt action to address the security and privacy 
     risks posed by peer-to-peer file sharing.

     SEC. 3. PROTECTION OF GOVERNMENT COMPUTERS FROM RISKS OF 
                   PEER-TO-PEER FILE SHARING.

       (a) Plans Required.--As part of the Federal agency 
     responsibilities set forth in sections 3544 and 3545 of title 
     44, United States Code, the head of each agency shall develop 
     and implement a plan to protect the security and privacy of 
     computers and networks of the Federal Government from the 
     risks posed by peer-to-peer file sharing.
       (b) Contents of Plans.--Such plans shall set forth 
     appropriate methods, including both technological (such as 
     the use of software and hardware) and nontechnological 
     methods (such as employee policies and user training), to 
     achieve the goal of protecting the security and privacy of 
     computers and networks of the Federal Government from the 
     risks posed by peer-to-peer file sharing.
       (c) Implementation of Plans.--The head of each agency 
     shall--
       (1) develop and implement the plan required under this 
     section as expeditiously as possible, but in no event later 
     than six months after the date of the enactment of this Act; 
     and
       (2) review and revise the plan periodically as necessary.
       (d) Review of Plans.--Not later than 18 months after the 
     date of the enactment of this Act, the Comptroller General 
     shall--
       (1) review the adequacy of the agency plans required by 
     this section; and
       (2) submit to the Committee on Government Reform of the 
     House of Representatives and the Committee on Governmental 
     Affairs of the Senate a report on the results of the review, 
     together with any recommendations the Comptroller General 
     considers appropriate.

     SEC. 4. DEFINITIONS.

       In this Act:
       (1) Peer-to-peer file sharing.--The term ``peer-to-peer 
     file sharing'' means the use of computer software, other than 
     computer and network operating systems, that has as its 
     primary function the capability to allow the computer on 
     which such software is used to designate files available for 
     transmission to another computer using such software, to 
     transmit files directly to another such computer, and to 
     request the transmission of files from another such computer. 
     The term does not include the use of such software for file 
     sharing between, among, or within Federal, State, or local 
     government agencies.
       (2) Agency.--The term ``agency'' has the meaning provided 
     by section 3502 of title 44, United States Code.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Virginia (Mr. Tom Davis) and the gentleman from California (Mr. Waxman) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Virginia (Mr. Tom Davis).


                             General Leave

  Mr. TOM DAVIS of Virginia. Mr. Speaker, I ask unanimous consent that 
all Members may have 5 legislative days within which to revise and 
extend their remarks on H.R. 3159.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Virginia?
  There was no objection.
  Mr. TOM DAVIS of Virginia. Mr. Speaker, I yield myself such time as I 
may consume.
  Mr. Speaker, H.R. 3159, the Government Network Security Act of 2003, 
closes a loophole in the Federal Government's efforts to protect the 
security and privacy of its computers. It requires executive branch 
departments and agencies to take steps to protect government computers 
and information from the risks that are posed by the use of peer-to-
peer file sharing programs. Peer-to-peer file sharing programs are 
Internet applications that allow users to download and directly share 
electronic files from users on the same network. These programs are 
surging in popularity with millions of people trading music, images and 
documents over these networks at any given time.
  While most of the news coverage on file sharing focuses on the 
abilities of users to illegally trade copyrighted music, movies and 
videos, another less-publicized dark side to this technology is the 
risk it poses to the security of computers and the privacy of 
electronic information. Few people recognize these risks.
  At a hearing held by the Committee on Government Reform in May, 
members heard from computer security experts who discussed the privacy 
and security risks created by these programs. And through a couple of 
simple searches on one file-sharing program, committee staff easily 
obtained completed tax returns, medical records, confidential legal 
documents and business files. We learned that using these programs can 
be similar to giving a complete stranger access to your personal file 
cabinet.
  Consequently, file sharing programs can create a number of risks for 
Federal departments and agencies if they are installed on government 
computers. The Federal Government uses and stores a wide variety of 
classified and sensitive information, including information vital to 
national security, vital to public health and the personal and 
financial records of U.S. citizens and businesses. Installing these 
programs on government computers can cause this sensitive information 
to be exposed to the public. Because files are shared anonymously on 
peer-to-peer networks, there is also the risk of the spread of viruses, 
worms and other malicious computer files.
  Mr. Speaker, both the House and the Senate have successfully taken 
steps to protect congressional computers through both technical and 
nontechnical means including firewalls and employee training. Unlike 
Congress, however, executive branch departments and agencies do not 
have similar policies. This legislation requires agencies to develop 
and implement such policies to protect government information and 
computers. File-sharing technology is not inherently bad and it may 
turn out to have a variety of beneficial implications. H.R. 3159 
recognizes this by protecting the ability of Federal agencies to pursue 
innovations of peer-to-peer technology on government networks, as long 
as they do not put government information or computers at risk.
  This bill takes a common sense approach to protect the computers and 
networks of the Federal Government and the valuable information they 
contain. I want to commend the gentleman from California (Mr. Waxman), 
the distinguished ranking member on the Committee on Government Reform, 
and his staff for their work on this bill, setting up the hearing, and 
really calling this to our attention. I also want to recognize all the 
28 members of the Committee on Government Reform who have cosponsored 
this legislation. This bill is an excellent follow-up to the 
committee's bipartisan investigations into the risk of using file 
sharing programs.
  Mr. Speaker, I urge all Members to support H.R. 3159.
  Mr. Speaker, I reserve the balance of my time.
  Mr. WAXMAN. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise today to ask my colleagues to support the 
Government Network Security Act of 2003, legislation that would protect 
the security of Federal Government computers from the risks posed by 
peer-to-peer sharing.
  I introduced this legislation with my colleague on the Committee on 
Government Reform, the gentleman from Virginia (Mr. Tom Davis), and I 
want to thank him for his interest on this issue and him and his staff 
for all the work they have done to address the risk of peer-to-peer 
file sharing. This is legislation that both of us have worked closely 
together to develop.
  In recent years, peer-to-peer file sharing programs have gone from 
little known to an incredibly popular Internet application. In fact, 
the most popular of these file-sharing programs, Kazaa, has been 
downloaded more than 280 million times, making it the most downloaded 
software program ever.
  In a series of hearings earlier this year, our committee looked into 
these peer-to-peer file-sharing programs and the issues they raised. 
What we found out is that the risks they posed, particularly to our 
personal privacy and security, can be significant. At a Committee on 
Government Reform hearing in May, we heard from leading network 
security experts from universities and the private sector talk about 
how peer-to-peer file sharing can put computers at risk for viruses, 
worms and other damaging computer files. And the committee 
investigation found that without even knowing it, people are sharing 
incredibly personal information through these programs. Our staff 
investigators found completed tax returns, medical files, and even 
entire E-mail inboxes being shared on these networks. Government 
computers are not immune from these risks.
  A GAO investigation, which is still underway, has found that even at 
Los Alamos National Laboratory, where top secret research is often 
conducted, file-sharing programs have been found on government 
computers. Protecting government computers from these security risks is 
essential. The Federal Government has computer records with incredibly 
sensitive personal information about citizens, including tax returns, 
military records and medical and psychiatric records. It also, 
obviously, has many files with important national security information.
  It is important to protect government computers from computer 
viruses. In the last several weeks, we have seen how the spread of just 
two or three malicious viruses can slow the functioning of government. 
We need to make sure Federal Government computers and networks stay 
protected from these threats.
  It is not difficult to safeguard Federal computers from these risks. 
The House of Representatives recognized the privacy and security 
threats posed by peer-to-peer programs nearly 2 years ago and took 
steps to protect against them. The Senate did the same shortly 
thereafter, but many of our Federal agencies have yet to follow suit. 
The Government Network Security Act of 2003 is simple legislation. It 
requires that when developing their network security policy and 
procedures, Federal agencies address the risks posed by peer-to-peer 
file-sharing programs. Plans to address these risks may include 
technological means, such as firewalls, and nontechnological means, 
such as employee training.
  Technical innovation is tremendously important, including potential 
innovation involving peer-to-peer file-sharing technologies. This act 
recognizes this, and it protects the ability of Federal agencies to 
pursue new technologies, including peer-to-peer technology. The only 
limitation it imposes is a requirement that agencies not jeopardize the 
security of sensitive government records.
  When popularly available, peer-to-peer file-sharing programs can 
threaten us with viruses and worms and put at risk the privacy of 
sensitive information. I think we can all agree that they have no place 
on government computers and networks. That is why, Mr. Speaker, I urge 
my colleagues to support this legislation.
  Mr. Speaker, I have no further requests for time, and I yield back 
the balance of my time.
  Mr. TOM DAVIS of Virginia. Mr. Speaker, I have no further speakers, 
and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Virginia (Mr. Tom Davis) that the House suspend the 
rules and pass the bill, H.R. 3159, as amended.
  The question was taken; and (two-thirds having voted in favor 
thereof) the rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.
