[Congressional Record Volume 167, Number 194 (Thursday, November 4, 2021)]
[Senate]
[Pages S7919-S7920]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4405. Mr. PETERS submitted an amendment intended to be proposed to 
amendment SA 3867 submitted by Mr. Reed and intended to be proposed to 
the bill H.R. 4350, to authorize appropriations for fiscal year 2022 
for military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

        At the appropriate place in title XVI, insert the 
     following:

     SEC. 16__. PILOT PROGRAM ON PUBLIC-PRIVATE PARTNERSHIPS WITH 
                   INTERNET ECOSYSTEM COMPANIES TO DETECT AND 
                   DISRUPT ADVERSARY CYBER OPERATIONS.

       (a) Pilot Required.--Not later than one year after the date 
     of the enactment of this Act, the Secretary shall, acting 
     through the Director of the Cybersecurity and Infrastructure 
     Security Agency and in coordination with the Secretary of 
     Defense and National Cyber Director, establish and commence a 
     pilot program to assess the feasibility and advisability of 
     entering into public-private partnerships with internet 
     ecosystem companies to facilitate, within the bounds of the 
     applicable provisions of law and companies' terms of service, 
     policies, procedures, contracts, and other agreements, 
     actions by such companies to discover and disrupt use of the 
     platforms, systems, services, and infrastructure of such 
     companies by malicious cyber actors.
       (b) Public-private Partnerships.--
       (1) In general.--Under the pilot program required by 
     subsection (a), the Secretary shall seek to enter into one or 
     more public-private partnerships with internet ecosystem 
     companies to facilitate actions as described in subsection 
     (a).
       (2) Voluntary participation.--(A) Participation by an 
     internet ecosystem company in a public-private partnership 
     under the pilot program shall be voluntary.
       (B) Participation by an internet ecosystem company in any 
     activity under the pilot program set forth in subsection (c), 
     or otherwise occurring under the pilot program, shall be 
     voluntary.
       (C) No funds appropriated by any Act may be used to direct, 
     pressure, coerce, or otherwise require that any internet 
     ecosystem company take any action on their platforms, 
     systems, services, and infrastructure as part of this pilot 
     program.
       (c) Authorized Activities.--In establishing and conducting 
     the pilot program under subsection (a), the Secretary may--
       (1) provide assistance to a participating company in 
     developing effective know-your-customer processes and 
     requirements;
       (2) provide information, analytics, and technical 
     assistance to improve the ability of participating companies 
     to detect and prevent illicit or suspicious procurement, 
     payment, and account creation on their own platforms, 
     systems, services, or infrastructure;
       (3) develop and socialize best practices for the 
     collection, retention, and sharing of data by participating 
     companies to support internet ecosystem company discovery of 
     malicious cyber activity, investigations, and attribution on 
     their own platforms, systems, services, or infrastructure;
       (4) provide actionable, timely, and relevant information to 
     participating companies, such as information about ongoing 
     operations and infrastructure, threats, tactics, and 
     procedures, and indicators of compromise, to enable such 
     companies to detect and disrupt the use of their platforms, 
     systems, services, and infrastructure by malicious cyber 
     actors;
       (5) provide recommendations for (but not design, develop, 
     install, operate, or maintain) operational workflows, 
     assessment and 
     compliance practices, and training that participating 
     internet ecosystem companies can institute within their 
     companies to reliably detect and disrupt the use of their 
     platforms, systems, services, and infrastructure by malicious 
     cyber actors;
       (6) provide recommendations for accelerating, to the 
     greatest extent practicable, the automation of existing or 
     instituted operational workflows to operate at line-rate in 
     order to enable real-time mitigation without the need for 
     manual review or action;
       (7) provide recommendations for (but not design, develop, 
     install, operate, or maintain) technical capabilities to 
     enable participating internet ecosystem companies to collect 
     and analyze data on malicious activities occurring on their 
     platforms, systems, services, and infrastructure to detect 
     and disrupt operations of malicious cyber actors; and
       (8) provide recommendations regarding relevant mitigations 
     for suspected or discovered malicious cyber activity and 
     thresholds for action.
       (d) Competition Concerns.--Consistent with section 1905 of 
     title 18, United States Code, the Secretary shall ensure that 
     any trade secret or proprietary information of a 
     participating internet ecosystem company made known to the 
     Federal Government pursuant to a public-private partnership 
     under the pilot program remains private and protected unless 
     explicitly authorized by the participating company.
       (e) Impartiality.--In carrying out the pilot program under 
     subsection (a), the Secretary shall not take any action that 
     is intended primarily to advance the particular business 
     interests of a given company but is otherwise authorized to 
     take actions that advance the interests of the United States, 
     notwithstanding differential impact or benefit to a given 
     company's or given companies' business interests.
       (f) Responsibilities.--
       (1) Secretary of homeland security.--The Secretary shall 
     exercise primary responsibility for the pilot program 
     required by subsection (a), organizing and directing 
     authorized activities with participating Federal Government 
     organizations and internet ecosystem companies to achieve the 
     objectives of the pilot program.
       (2) National cyber director.--The National Cyber Director 
     shall support prioritization and cross-agency coordination 
     for the pilot program required by subsection (a), including 
     ensuring appropriate participation by participating agencies 
     and the identification and prioritization of key private 
     sector entities and initiatives for the pilot program.
       (3) Secretary of defense.--The Secretary of Defense shall 
     provide support and resources to the pilot program required 
     by subsection (a), including the provision of technical and 
     operational expertise drawn from appropriate and relevant 
     components of the Department of Defense, including the 
     National Security Agency, United States Cyber Command, the 
     Chief Information Officer, the Office of the Secretary of 
     Defense, military department Principal Cyber Advisors, and 
     the Defense Advanced Research Projects Agency.
       (g) Participation of Other Federal Government Components.--
     The Secretary may invite to participate in the pilot program 
     required by subsection (a) the heads of such departments or 
     agencies as the Secretary considers appropriate.
       (h) Integration With Other Efforts.--The Secretary shall 
     ensure that the pilot program makes use of, builds upon, and, 
     as appropriate, integrates with and does not duplicate other 
     efforts of the Department of Homeland Security and the 
     Department of Defense relating to cybersecurity, including 
     the following:
       (1) The Joint Cyber Defense Collaborative of the 
     Cybersecurity and Infrastructure Security Agency.
       (2) The Cybersecurity Collaboration Center and Enduring 
     Security Framework of the National Security Agency.
       (i) Rules of Construction.--
       (1) Limitation on government access to data.--Nothing in 
     this section authorizes sharing of information, including 
     information relating to customers of internet ecosystem 
     companies or private individuals, from an internet ecosystem 
     company to an agency, officer, or employee of the Federal 
     Government unless otherwise authorized by another provision 
     of law and the Secretary shall ensure compliance with this 
     subsection.
       (2) Stored communications act.--Nothing in this section 
     shall be construed to permit or require disclosure by a 
     provider of a remote computing service or a provider of an 
     electronic communication service to the public of information 
     not otherwise permitted or required to be disclosed under 
     chapter 121 of title 18, United States Code (commonly known 
     as the ``Stored Communications Act'').
       (3) Third party customers.--Nothing in this section shall 
     be construed to require a third party, such as a customer or 
     managed service provider of an internet ecosystem company, to 
     participate in the pilot program.
       (j) Briefings.--
       (1) Initial.--
       (A) In general.--Not later than one year after the date of 
     the enactment of this Act, the Secretary shall, in 
     coordination with the Secretary of Defense and the National 
     Cyber Director, brief the appropriate committees of Congress 
     on the pilot program required by subsection (a).
       (B) Elements.--The briefing required by subparagraph (A) 
     shall include the following:
       (i) The plans of the Secretary for the conduct of the pilot 
     program under subsection (a).
       (ii) Identification of key priorities for the pilot 
     program.
       (iii) Identification of any potential challenges in 
     standing up the pilot program or impediments to private 
     sector participation in the program, such as a lack of 
     liability protection.
       (iv) A description of the roles and responsibilities under 
     the pilot program of each participating Federal entity.
       (2) Annual.--
       (A) In general.--Not later than two years after the date of 
     the enactment of this Act, and annually thereafter for three 
     years, the Secretary shall, in coordination with the 
     Secretary of Defense and the National Cyber Director, brief 
     the appropriate committees of Congress on the progress of the 
     pilot program required by subsection (a).
       (B) Elements.--Each briefing required by subparagraph (A) 
     shall include the following:
       (i) Recommendations for addressing relevant policy, 
     budgetary, and legislative gaps to make the pilot program 
     more effective.
       (ii) Such recommendations as the Secretary may have for 
     increasing private sector participation in the pilot program, 
     such as providing liability protection.
       (iii) A description of the challenges encountered in 
     carrying out subsection (a), including any concerns expressed 
     by private sector partners regarding participation in the 
     pilot program.
       (iv) The findings of the Secretary with respect to the 
     feasibility and advisability of extending or expanding the 
     pilot program.
       (v) Such other matters as the Secretary considers 
     appropriate.
       (k) Termination.--The pilot program required by subsection 
     (a) shall terminate on the date that is five years after the 
     date of the enactment of this Act.
       (l) Definitions.--In this section:
       (1) The term ``appropriate committees of Congress'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs and the Committee on Armed Services of the Senate; 
     and
       (B) the Committee on Homeland Security and the Committee on 
     Armed Services of the House of Representatives.
       (2) The term ``internet ecosystem company'' means a 
     business incorporated in the United States that provides 
     cybersecurity services, internet service, content delivery 
     services, Domain Name Service, cloud services, mobile 
     telecommunications services, email and messaging services, 
     internet browser services, or such other services as the 
     Secretary determines appropriate for the purposes of the 
     pilot program required by subsection (a).
       (3) The term ``participating company'' means an internet 
     ecosystem company that has entered into a public-private 
     partnership with the Secretary under subsection (b).
       (4) The term ``Secretary'' means the Secretary of Homeland 
     Security.