[Congressional Record Volume 164, Number 24 (Wednesday, February 7, 2018)]
[Senate]
[Pages S705-S706]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. DAINES:
  S. 2392. A bill to amend the Homeland Security Act of 2002 to 
authorize the Secretary of Homeland Security to designate cybersecurity 
technologies that qualify for protection under systems of risk and 
litigation management; to the Committee on Homeland Security and 
Governmental Affairs.
  Mr. DAINES. Mr. President, in recent years we have seen the inability 
of the Federal government to quickly adapt to changing technology and 
evolving cyber security threats. In June of 2015 the Office of 
Personnel Management (OPM) announced it had fallen victim to a major 
cyber breach, compromising the personally identifiable information of 
more than 22 million current and former Federal employees, including 
myself. Seven months later, nearly half a million more Americans had 
their social security numbers stolen when the Internal Revenue Service 
was hacked. We found out last year that the U.S. Securities and 
Exchange Commission had been hacked in 2016.
  I spent 28 years in the private sector, 12 years with a global cloud 
computing company. We faced new cyber threats daily and our customers 
expected security. We delivered; not once was our data compromised.
  I know firsthand that industry has the talent and the incentive to 
revolutionize cyber security and keep their information systems secure. 
The Federal government should unbridle the private sector whenever 
possible, utilizing their expertise, learning from their best 
practices, and facilitating their innovation.
  That is why I am introducing the Cyber Support for Anti-Terrorism by 
Fostering Effective Technologies Act or the Cyber SAFETY Act. Since 
2002, the Department of Homeland Security's existing SAFETY Act program 
has successfully incentivized the private sector's development and 
deployment of anti-terrorism and security technologies through limited 
liability protections. It has ensured the threat of litigation does not 
deter entrepreneurs from developing and commercializing products and 
services that protect lives and infrastructure. This legislation will 
simply expand the applicability of the program to ensure that cyber 
security firms can qualify for these same protections. It will enable 
cyber security firms to innovate and commercialize new technologies 
without a technology mandate.
  I ask my Senate colleagues to join me in support of this important 
legislation.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 2392

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cyber Support for Anti-
     Terrorism by Fostering Effective Technologies Act of 2018'' 
     or the ``Cyber SAFETY Act of 2018''.

     SEC. 2. INCLUSION OF QUALIFYING CYBER INCIDENTS.

       Subtitle G of title VIII of the Homeland Security Act of 
     2002 (6 U.S.C. 441 et seq.) is amended--
       (1) in section 862(b) (6 U.S.C. 441(b))--
       (A) in the heading, by striking ``Designation of Qualified 
     Anti-terrorism Technologies'' and inserting ``Designation of 
     Anti-terrorism and Cybersecurity Technologies'';
       (B) in the matter preceding paragraph (1), by inserting 
     ``or cybersecurity'' after ``anti-terrorism'';
       (C) in paragraphs (3), (4), and (5), by inserting ``or 
     cybersecurity'' after ``anti-terrorism'' each place that term 
     appears; and
       (D) in paragraph (7)--
       (i) by inserting ``or cybersecurity'' after ``Anti-
     terrorism''; and
       (ii) by inserting ``or qualifying cyber incidents'' after 
     ``acts of terrorism'';
       (2) in section 863 (6 U.S.C. 442)--
       (A) by inserting ``or cybersecurity'' after ``anti-
     terrorism'' each place that term appears;
       (B) by inserting ``or qualifying cyber incident'' after 
     ``act of terrorism'' each place that term appears;
       (C) by inserting ``or qualifying cyber incidents'' after 
     ``acts of terrorism'' each place that term appears; and
       (D) in subsection (d)(3)--
       (i) by striking ``(3) Certificate.--'' and inserting the 
     following: ``(3) Certificates.--
       ``(A) Certificates for anti-terrorism technologies.--''; 
     and
       (ii) by adding at the end the following:
       ``(B) Certificates for cybersecurity technologies.--
       ``(i) In general.--For cybersecurity technology reviewed 
     and approved by the Secretary, the Secretary will issue a 
     certificate of conformance to the Seller and place the 
     cybersecurity technology on an Approved Product List for 
     Homeland Security.
       ``(ii) Subsequent review.--Not less frequently than once 
     every 2 years, the Secretary shall conduct a new review of 
     any cybersecurity technology for which the Secretary issued a 
     certification under clause (i).'';
       (3) in section 864 (6 U.S.C. 443)--
       (A) by inserting ``or cybersecurity'' after ``anti-
     terrorism'' each place that term appears; and
       (B) by inserting ``or qualifying cyber incident'' after 
     ``act of terrorism'' each place that term appears; and
       (4) in section 865 (6 U.S.C. 444)--
       (A) in paragraph (1)--
       (i) in the heading, by inserting ``or cybersecurity'' after 
     ``anti-terrorism'';
       (ii) by inserting ``or cybersecurity'' after ``anti-
     terrorism'';
       (iii) by inserting ``or qualifying cyber incidents'' after 
     ``acts of terrorism''; and
       (iv) by inserting ``or incidents'' after ``such acts''; and
       (B) by adding at the end the following:
       ``(7) Qualifying cyber incident.--The term `qualifying 
     cyber incident' has the meaning given the term `incident' in 
     section 3552(b) of title 44, United States Code.

       ``(8) Final agency action.--The determination by the 
     Secretary that an act of terrorism or qualifying cyber 
     incident has occurred shall constitute a final agency action 
     subject to review under chapter 7 of title 5, United States 
     Code.''.