[Congressional Record Volume 164, Number 5 (Tuesday, January 9, 2018)]
[House]
[Pages H43-H46]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




              CYBER VULNERABILITY DISCLOSURE REPORTING ACT

  Mr. ESTES of Kansas. Mr. Speaker, I move to suspend the rules and 
pass the bill (H.R. 3202) to require the Secretary of Homeland Security 
to submit a report on cyber vulnerability disclosures, and for other 
purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3202

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cyber Vulnerability 
     Disclosure Reporting Act''.

     SEC. 2. REPORT ON CYBER VULNERABILITIES.

       (a) Report.--Not later than 240 days after the date of the 
     enactment of this Act, the Secretary of Homeland Security 
     shall submit to the Committee on Homeland Security of the 
     House of Representatives and the Committee on Homeland 
     Security and Governmental Affairs of the Senate a report that 
     contains a description of the policies and procedures 
     developed for coordinating cyber vulnerability disclosures, 
     in accordance with section 227(m) of the Homeland Security 
     Act of 2002 (6 U.S.C. 148(m)). To the extent possible, such 
     report shall include an annex with information on instances 
     in which such policies and procedures were used to disclose 
     cyber vulnerabilities in the year prior to the date such 
     report is required and, where available, information on the 
     degree to which such information was acted upon by industry 
     and other stakeholders. Such report may also contain a 
     description of how the Secretary is working with other 
     Federal entities and critical infrastructure owners and 
     operators to prevent, detect, and mitigate cyber 
     vulnerabilities.
       (b) Form.--The report required under subsection (b) shall 
     be submitted in unclassified form but may contain a 
     classified annex.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Kansas (Mr. Estes) and the gentlewoman from Texas (Ms. Jackson Lee) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Kansas.


                             General Leave

  Mr. ESTES of Kansas. Mr. Speaker, I ask unanimous consent that all 
Members have 5 legislative days within which to revise and extend their 
remarks and include any extraneous material on the bill under 
consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Kansas?
  There was no objection.
  Mr. ESTES of Kansas. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I rise in support of H.R. 3202, the Cyber Vulnerability 
Disclosure Reporting Act.
  It is hard to find an electronic device today that doesn't connect to 
the internet. From smartphones to alarm clocks, everything is part of 
the Internet of Things. Americans can do everything, from personal 
banking to unlocking the front door, with the palm of their hands.
  As the world has become increasingly interconnected, vulnerabilities 
in computer code underlying these devices and the applications they run 
can often expose the average American to exploitation by hackers, 
criminals, and even bad actors from nation states.
  As more and more critical and personal information is being stored on 
the internet and more industrial systems are being operated 
autonomously, it is vital that we are able to plug the holes in 
vulnerable technology.
  It seems like every day we read about another data breach that could 
have been prevented if only the company had known about a vulnerability 
in the product or network, occurrences such as the WannCry ransomware 
that affected hundreds of thousands of computers in more than 150 
countries, and the recently reported meltdown that could affect 
millions of personal computers throughout the world. That is why, in 
this world of ever-increasing intrusions, we must do our best to make 
sure our computer systems are as invulnerable to attack as possible.
  The Department of Homeland Security was given the authority by the 
Cybersecurity Act of 2015 to improve cybersecurity in the United States 
through enhanced sharing of information about cybersecurity threats.
  The Homeland Security Act of 2002 allows the Secretary to coordinate 
with industry to develop departmental policies and procedures for 
coordinating the disclosure of cyber vulnerabilities as described in 
the Vulnerabilities Equities Policy and Process published by the White 
House on November 15, 2016. This disclosure is important, as it 
highlights vulnerabilities and allows the public and private sector to 
work to prevent and mitigate cyber threats.
  H.R. 3202, the Cyber Vulnerability Disclosure Reporting Act, is an 
important tool, in that it requires the Secretary of Homeland Security 
to submit a report to Congress on their policies and procedures for 
disclosing vulnerabilities.
  Mr. Speaker, I urge my colleagues to support this bill, and I reserve 
the balance of my time.
  Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may 
consume, and I thank the manager for his kind words.
  Mr. Speaker, I rise in support of H.R. 3202, the Cyber Vulnerability 
Disclosure Reporting Act. I very much want

[[Page H44]]

to thank the committee for bringing the Jackson Lee bill to the floor 
and the work that we did on it in committee.
  I wish to speak specifically to the work that is done on the Homeland 
Security Committee as I discuss this legislation. I think it is very 
important to take note of the fact that the ranking member works very 
hard to generate very positive legislation and that we have been able 
to see a large number of bills, some that I have been able to sponsor, 
come to the floor of the House.
  Mr. Speaker, therefore, I thank the chairman, Mr. McCaul, and the 
ranking member for making the Homeland Security Committee so productive 
in generating important legislation to ensure the security of this 
Nation. I thank them for their leadership in putting the security of 
our Nation's cyber assets first, whether they are computing resources 
used in voting technology, or industrial control systems that support 
the delivery of electricity, oil and gas, or management of 
transportation systems that are vital to our Nation's economic health.
  Mr. Speaker, I was chairman of the Transportation Security and 
Infrastructure Protection Subcommittee some few sessions ago. This was 
when infrastructure was included in the transportation and security 
domain. I can tell you that, even then, we began to acknowledge the 
crucialness of protecting the cyber system and how far-reaching cyber 
systems can go, as far away as water systems, to bridges, to dams, and 
in between, and to note that a lot of our cyber system, 80 percent of 
it was in the private sector, probably more at this point.
  H.R. 3202, the Cyber Vulnerability Disclosure Reporting Act, which I 
introduced, requires the Secretary of Homeland Security to submit a 
report on the policies and procedures developed for coordinating cyber 
vulnerability disclosures.
  The report will include an annex with information on instances in 
which cybersecurity vulnerability disclosure policies and procedures 
were used to disclose details on identified weaknesses in computing 
systems or digital devices at risk.
  The report will provide information on the degree to which the 
information provided by DHS was used by industry and other 
stakeholders.
  The report may also contain a description of how the Secretary of 
Homeland Security is working with other Federal entities and critical 
infrastructure owners and operators to prevent, detect, and mitigate 
cyber vulnerabilities.
  It is important to restate that our cyber system is largely in the 
private sector. It does not alleviate or eliminate the role that the 
Federal Government should play. This legislation squarely places with 
the Federal Government the responsibilities of dealing with 
those critical infrastructure owners and operators to prevent, detect, 
and mitigate cyber vulnerabilities.

  The reason that I have worked to bring this bill before the full 
House for consideration is a problem often referred to as a zero-day 
event. A zero-day event describes a situation that network security 
professionals may find themselves in when a previously unknown error or 
flaw in computing code is exploited by a cybercriminal or terrorist.
  The term ``zero-day event'' simply means that there is zero time to 
prepare a defense against a cyber attack. That is not the place that we 
would like to find ourselves.
  When a defect in software is discovered, their network engineers and 
software companies can work to develop a patch to fix the problem 
before it can be exploited by those who may seek to do us harm.
  We have evidence that the cyber world is a good world, but it can be 
a dangerous world and impact the life and quality and democracy and 
freedom of Americans. We want to be prepared and never have to face, in 
this most powerful country in the world, something called a zero-day 
event.
  H.R. 3202 seeks a report on the ongoing Department of Homeland 
Security's policies and procedures for coordinating cyber vulnerability 
disclosures, such as zero-day events, with private sector partners. 
Because vulnerabilities can be used by adversaries, it is important 
that this sensitive information be managed securely so details are not 
routinely made available, neither to the public nor to Congress.
  H.R. 3202 provides the Congress with the opportunity to understand 
the process and procedures used by the Department of Homeland Security 
and the benefit these disclosures may have for private sector entities 
participating in programs in support of cybersecurity.
  Mr. Speaker, I thank Lillie Coney of my district and Jean de Pruneda, 
a fellow on the Committee on Homeland Security, for their work on this 
important legislation.
  I urge Members of the House to vote in favor of H.R. 3202, the Cyber 
Vulnerability Disclosure Reporting Act.
  Mr. Speaker, I want to emphasize again a point that I made earlier. 
Because vulnerabilities can be used by adversaries, it is important 
that this sensitive information be managed securely so details are not 
routinely made available, neither to the public nor to Congress.
  It is important to take note of the fact that the work we have to do 
is ongoing and continuing.
  H.R. 3202 will give this body important information on our 
governmentwide efforts to secure civilian agency networks and the 
collaborative ongoing work to provide information to private sector 
partners on computing vulnerabilities. There is no security in keeping 
zero-day events secure from disclosure and not working on solutions.
  Cybersecurity is found in finding the zero-day events, creating 
solutions to defend against them, and sharing the solutions broadly so 
that they can be deployed. Once solutions are in place, the zero-day 
event should be disclosed to the public so that scholars and 
researchers can learn from the experience.
  In essence, what we are saying is that we want to make sure that we 
are in the driver's seat, that we know the vulnerabilities, that we can 
confront the zero-day events, and that we can do that, meaning the 
Federal Government, in working with the private sector to ensure that 
we do protect this Nation.
  Before I close, since we are dealing with Homeland Security Committee 
issues, I think it is important to take note of the fact of the 
crucialness and the importance of having a DACA fix and working 
together, as we have been doing, to ensure that the thousands and 
thousands of young people located across the Nation, who came here 
through no fault of their own, have a serious pathway of protection, in 
particular, the 140,000 that are in the State of Texas.
  If we can stand here as bipartisan Members, I know that we can 
continue to work on that crucial and important issue, which I stand 
with those young people to ensure to get that done.
  Mr. Speaker, I include in the Record an article by Morgan Chalfant, 
``Lawmakers approve `cyber vulnerability' bill,'' written in The Hill.

                     [From the Hill, July 26, 2017]

              Lawmakers Approve `Cyber Vulnerability' Bill

                          (By Morgan Chalfant)

       A House panel advanced legislation on Wednesday requiring 
     the Department of Homeland Security (DHS) to give lawmakers 
     more information on how it discloses cyber vulnerabilities to 
     the private sector.
       The legislation was sponsored by Rep. Sheila Jackson Lee 
     (D-Texas) and received broad support from members of the 
     House Homeland Security Committee, including Chairman Michael 
     McCaul (R-Texas).
       The bill would require Homeland Security Secretary John 
     Kelly to send a report to relevant congressional committees 
     describing policies and procedures used by the DHS to 
     coordinate the disclosure of what are called ``zero days''--
     cyber vulnerabilities that are unknown to a product's 
     manufacturer and for which no patch exists.
       The federal government decides whether to disclose zero 
     days to the private sector through the vulnerabilities 
     equities process (VEP), which was first acknowledged by the 
     Obama administration in 2014 but is still shrouded in 
     secrecy. While the government is said to err on the side of 
     disclosure, the VEP has proven controversial because so 
     little is known about it.
       The process has attracted increased scrutiny in the wake of 
     the outbreak of the ``Wanna Cry'' ransomware, which is 
     believed to be based on a hacking tool developed by the 
     National Security Agency.
       Lawmakers in both chambers have sought to boost 
     transparency of the VEP.
       On Wednesday, Jackson Lee touted the legislation as 
     providing an opportunity for Congress to better understand 
     the process by which the DHS shares threat information

[[Page H45]]

     with private companies and how that information benefits the 
     private sector.
       ``Because vulnerabilities can be used by adversaries, it is 
     important that the sensitive information is managed securely 
     and the details are guarded against premature disclosure,'' 
     Jackson Lee said during a committee markup.
       ``There's no security in keeping zero day events secure and 
     not working on solutions,'' she said. ``The protection is in 
     finding the zero day events, creating solutions, sharing the 
     solutions broadly, then disclosing the vulnerabilities to the 
     public.''
       The report mandated by the legislation would include an 
     annex of information on specific instances when the DHS 
     disclosed vulnerabilities to private sector companies in the 
     previous year and information on how industry acted on the 
     information. It could also contain information about how the 
     DHS is working with other federal agencies and departments, 
     as well as owners of critical infrastructure, to mitigate the 
     threat of these vulnerabilities.
       Kelly would be required to submit the report, which would 
     be unclassified but could have a classified annex, within 240 
     days of the enactment of the legislation.
       The committee approved the legislation in a voice vote with 
     no amendments, sending it to the full House for a vote.

  Ms. JACKSON LEE. Mr. Speaker, I encourage my colleagues to support 
H.R. 3202, and I thank my manager as well.
  Mr. Speaker, I rise to speak in support of H.R. 3202, the Cyber 
Vulnerabilities Disclosure Reporting Act.
  I thank Chairman McCaul and Ranking Member Thompson for their 
leadership on putting the security of our nation's cyber assets first 
whether they are computing resources used in voting technology or 
industrial control systems that support the delivery of electricity, 
oil and gas, or management of transportation systems all are vital to 
our nation.
  H.R. 3202, the Cyber Vulnerability Disclosure Reporting Act, which I 
introduced, requires the Secretary of Homeland Security to submit a 
report on the policies and procedures developed for coordinating cyber 
vulnerability disclosures.
  The report will include an annex with information on instances in 
which cyber security vulnerability disclosure policies and procedures 
were used to disclose details on identified weaknesses in computing 
systems that or digital devices at risk.
  The report will provide information on the degree to which the 
information provided by DHS was used by industry and other 
stakeholders.
  The report may also contain a description of how the Secretary of 
Homeland Security is working with other Federal entities and critical 
infrastructure owners and operators to prevent, detect, and mitigate 
cyber vulnerabilities.
  The reason that I worked to bring this bill before the Full House for 
consideration is the problem often referred to as a ``Zero Day Event.''
  Zero Day Events are vulnerabilities in software or firmware that have 
gone undetected or undisclosed, but if exploited by terrorists could 
cause great harm to computer networks, data, or complex computing 
dependent systems.
  Our nation's electric power grid; industrial control systems that 
operate bridges, dams, water treatment facilities or food processing 
plants are all vulnerable to the potential harm that could be caused if 
a weakness in software or firmware goes undetected.
  Critical infrastructure must be secured against terrorist attacks 
that may use Zero Day Event vulnerabilities to attack critical 
infrastructure or civilian government agency computing assets.
  Zero Day Events discovered in commercial software applications such 
as the ``Heartbleed'' and OpenSSL cryptographic software library 
vulnerability.
  Proactive and coordinated efforts are necessary to strengthen and 
maintain secure critical infrastructure including assets that are vital 
to public confidence in the cyber nation's safety.
  This bill supports the ongoing work of the Department of Homeland 
Security in security civilian agency and coordinating with private 
sector computing network owners and operators.
  The nation's critical infrastructure is diverse, complex, and 
interdependent.
  The overwhelming majority of critical infrastructure is privately 
owned or managed.
  Critical Infrastructure owners and operators are uniquely positioned 
to manage risk to their operations and assets.
  What is needed is a better understanding of how vulnerability 
discoveries lead to better protection for computing networks.
  Zero Day Events require a coordinated approach to assignment of 
responsibility for developing patches or solutions, and a means of 
effectively distributing the solution without alerting potential 
terrorist or cyber criminals.
  H.R. 3202 provides the Congress with the opportunity to understand 
the process and procedures used by the Department of Homeland Security 
and the benefit these disclosures may have for private sector entities 
participating in programs in support of cybersecurity.
  I thank Lillie Coney of my staff and Jean de Pruneda a Fellow on the 
Committee on Homeland Security for their work on this important 
legislation.
  I ask my colleagues to vote for H.R. 3202.
  Mr. Speaker, I rise in support of 3202, The ``Cyber Disclosure 
Reporting Act.''
  I thank Chairman McCaul and Ranking Member Thompson for their 
leadership on putting the security of our nation's cyber assets first 
whether they are computing resources used in voting technology or 
industrial control systems that support the delivery of electricity, 
oil and gas, or management of transportation systems that are vital to 
our nation economic health.
  H.R. 3202, the Cyber Vulnerability Disclosure Reporting Act, which I 
introduced, requires the Secretary of Homeland Security to submit a 
report on the policies and procedures developed for coordinating cyber 
vulnerability disclosures.
  The report will include an annex with information on instances in 
which cyber security vulnerability disclosure policies and procedures 
were used to disclose details on identified weaknesses in computing 
systems that or digital devices at risk.
  The report will provide information on the degree to which the 
information provided by DHS was used by industry and other 
stakeholders.
  The report may also contain a description of how the Secretary of 
Homeland Security is working with other Federal entities and critical 
infrastructure owners and operators to prevent, detect, and mitigate 
cyber vulnerabilities.
  The reason that I worked to bring this bill before the Full House for 
consideration is the problem often referred to as a ``Zero Day Event.''
  A Zero Day Event describes the situation that network security 
professionals may find themselves when a previously unknown error or 
flaw in computing code is exploited by a cybercriminal or terrorist.
  The term ``Zero Day Event'' simply means that there is zero time to 
prepare a defense against a cyberattack.
  When a defect in software is discovered then network engineers and 
software companies can work to develop a ``patch'' to fix the problem 
before it can be exploited by those who may seek to do harm.
  H.R. 3202 seeks a report on the ongoing Department of Homeland 
Security's policies and procedures for coordinating cyber vulnerability 
disclosures such as Zero Day Events with private sector partners.
  Because vulnerabilities can be used by adversaries it is important 
that this sensitive information be managed securely so details are not 
routinely made available neither to the public nor to Congress.
  H.R. 3202 provides the Congress with the opportunity to understand 
the process and procedures used by the Department of Homeland Security 
and the benefit these disclosures may have for private sector entities 
participating in programs in support of cybersecurity.
  I thank Lillie Coney of my staff and Jean de Pruneda a Fellow on the 
Committee on Homeland Security for their work on this important 
legislation.
  I urge members of the House to vote in favor of H.R. 3202, the Cyber 
Vulnerabilities Disclosure Act.
  Mr. Speaker, H.R. 3202 will give this body important information on 
our government wide efforts to secure civilian agency networks and the 
collaborative ongoing work to provide information to private sector 
partners on computing vulnerabilities.
  There's no security in keeping zero day events secure from disclosure 
and not working on solutions.
  Cyber security is found in finding the zero day events, creating 
solutions to defend against them, and sharing the solutions broadly so 
that they can be deployed.
  Once solutions are in place the Zero Day Event should be disclosed to 
the public so that scholars and researchers can learn from the 
experience.
  With that, I encourage my colleagues to support H.R. 3202.
  Mr. Speaker, I yield back the balance of my time.
  Mr. ESTES of Kansas. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I once again urge my colleagues to support this bill. 
With an ever-increasing reliance on technology today, we need to make 
sure that it is secure and safe for us to use and that the 
vulnerabilities are addressed so that we can maintain a safe and secure 
environment.
  Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by

[[Page H46]]

the gentleman from Kansas (Mr. Estes) that the House suspend the rules 
and pass the bill, H.R. 3202.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill was passed.
  A motion to reconsider was laid on the table.

                          ____________________