[Congressional Record Volume 170, Number 183 (Tuesday, December 10, 2024)]
[House]
[Pages H6562-H6564]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
STRENGTHENING CYBER RESILIENCE AGAINST STATE-SPONSORED THREATS ACT
Mr. GREEN of Tennessee. Mr. Speaker, I move to suspend the rules and
pass the bill (H.R. 9769) to ensure the security and integrity of
United States critical infrastructure by establishing an interagency
task force and requiring a comprehensive report on the targeting of
United States critical infrastructure by People's Republic of China
state-sponsored cyber actors, and for other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 9769
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening Cyber
Resilience Against State-Sponsored Threats Act''.
SEC. 2. INTERAGENCY TASK FORCE AND REPORT ON THE TARGETING OF
UNITED STATES CRITICAL INFRASTRUCTURE BY
PEOPLE'S REPUBLIC OF CHINA STATE-SPONSORED
CYBER ACTORS.
(a) Interagency Task Force.--Not later than 120 days after
the date of the enactment of this Act, the Secretary of
Homeland Security, acting through the Director of the
Cybersecurity and Infrastructure Security Agency (CISA) of
the Department of Homeland Security, in consultation with the
Attorney General, the Director of the Federal Bureau of
Investigation, and the heads of appropriate Sector Risk
Management Agencies as determined by the Director of CISA,
shall establish a joint interagency task force (in this
section referred to as the ``task force'') to facilitate
collaboration and coordination among the Sector Risk
Management Agencies assigned a Federal role or responsibility
in National Security Memorandum-22, issued April 30, 2024
(relating to critical infrastructure security and
resilience), or any successor document, to detect, analyze,
and respond to the cybersecurity threat posed by State-
sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China by ensuring that such agencies'
actions are aligned and mutually reinforcing.
(b) Chairs.--
(1) Chairperson.--The Director of CISA (or the Director of
CISA's designee) shall serve as the chairperson of the task
force.
(2) Vice chairperson.--The Director of the Federal Bureau
of Investigation (or such Director's designee) shall serve as
the vice chairperson of the task force.
(c) Composition.--
(1) In general.--The task force shall consist of
appropriate representatives of the departments and agencies
specified in subsection (a).
(2) Qualifications.--To materially assist in the activities
of the task force, representatives under paragraph (1) should
be subject matter experts who have familiarity and technical
expertise regarding cybersecurity, digital forensics, or
threat intelligence analysis, or in-depth knowledge of the
tactics, techniques, and procedures (TTPs) commonly used by
State-sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China.
(d) Vacancy.--Any vacancy occurring in the membership of
the task force shall be filled in the same manner in which
the original appointment was made.
(e) Establishment Flexibility.--To avoid redundancy, the
task force may coordinate with any preexisting task force,
working group, or cross-intelligence effort within the
Homeland Security Enterprise or the intelligence community
that has examined or responded to the cybersecurity threat
posed by State-sponsored cyber actors, including Volt
Typhoon, of the People's Republic of China.
(f) Task Force Reports; Briefing.--
(1) Initial report.--Not later than 540 days after the
establishment of the task force, the task force shall submit
to the appropriate congressional committees the first report
containing the initial findings, conclusions, and
recommendations of the task force.
(2) Annual report.--Not later than one year after the date
of the submission of the initial report under paragraph (1)
and annually thereafter for five years, the task force shall
submit to the appropriate congressional committees an annual
report containing the findings, conclusions, and
recommendations of the task force.
(3) Contents.--The reports under this subsection shall
include the following:
(A) An assessment at the lowest classification feasible of
the sector-specific risks, trends relating to incidents
impacting sectors, and tactics, techniques, and procedures
utilized by or relating to State-sponsored cyber actors,
including Volt Typhoon, of the People's Republic of China.
(B) An assessment of additional resources and authorities
needed by Federal departments and agencies to better counter
the cybersecurity threat posed by State-sponsored cyber
actors, including Volt Typhoon, of the People's Republic of
China.
(C) A classified assessment of the extent of potential
destruction, compromise, or disruption to United States
critical infrastructure by State-sponsored cyber actors,
including Volt Typhoon, of the People's Republic of China in
the event of a major crisis or future conflict between the
People's Republic of China and the United States.
(D) A classified assessment of the ability of the United
States to counter the cybersecurity threat posed by State-
sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China in the event of a major crisis or
future conflict between the People's Republic of China and
the United States, including with respect to different
cybersecurity measures and recommendations that could
mitigate such a threat.
(E) A classified assessment of the ability of State-
sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China to disrupt operations of the
United States Armed Forces by hindering mobility across
critical infrastructure such as rail, aviation, and ports,
including how such would impair the ability of the United
States Armed Forces to deploy and maneuver forces
effectively.
(F) A classified assessment of the economic and social
ramifications of a disruption to one or multiple United
States critical infrastructure sectors by State-sponsored
cyber actors, including Volt Typhoon, of the People's
Republic of China in the event of a major crisis or future
conflict between the People's Republic of China and the
United States.
(G) Such recommendations as the task force may have for the
Homeland Security Enterprise, the intelligence community, or
critical infrastructure owners and operators
to improve the detection and mitigation of the cybersecurity
threat posed by State-sponsored cyber actors, including Volt
Typhoon, of the People's Republic of China.
(H) A one-time plan for an awareness campaign to
familiarize critical infrastructure owners and operators with
security resources and support offered by Federal departments
and agencies to mitigate the cybersecurity threat posed by
State-sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China.
(4) Briefing.--Not later than 30 days after the date of the
submission of each report under this subsection, the task
force shall provide to the appropriate congressional
committees a classified briefing on the findings,
conclusions, and recommendations of the task force.
(5) Form.--Each report under this subsection shall be
submitted in classified form, consistent with the protection
of intelligence sources and methods, but may include an
unclassified executive summary.
(6) Publication.--The unclassified executive summary of
each report required under this subsection shall be published
on a publicly accessible website of the Department of
Homeland Security.
(g) Access to Information.--
(1) In general.--The Secretary of Homeland Security, the
Director of CISA, the Attorney General, the Director of the
Federal Bureau of Investigation, and the heads of appropriate
Sector Risk Management Agencies, as determined by the
Director of CISA, shall provide to the task force such
information, documents, analysis, assessments, findings,
evaluations, inspections, audits, or reviews relating to
efforts to counter the cybersecurity threat posed by State-
sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China as the task force considers
necessary to carry out this section.
(2) Receipt, handling, storage, and dissemination.--
Information, documents, analysis, assessments, findings,
evaluations, inspections, audits, and reviews described in
this subsection shall be received, handled, stored, and
disseminated only by members of the task force consistent
with all applicable statutes, regulations, and executive
orders.
(3) Security clearances for task force members.--No member
of the task force may be provided with access to classified
information under this section without the appropriate
security clearances.
(h) Termination.--The task force, and all the authorities
of this section, shall terminate on the date that is 60 days
after the final briefing required under subsection (h)(4).
(i) Exemption From FACA.--Chapter 10 of title 5, United
States Code (commonly referred to as the ``Federal Advisory
Committee Act''), shall not apply to the task force.
(j) Exemption From Paperwork Reduction Act.--Chapter 35 of
title 44, United States Code (commonly known as the
``Paperwork Reduction Act''), shall not apply to the task
force.
(k) Definitions.--In this section:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security, the Committee on
Judiciary, and the Select Committee on Intelligence of the
House of Representatives; and
(B) the Committee on Homeland Security and Governmental
Affairs, the Committee on Judiciary, and the Select Committee
on Intelligence of the Senate.
(2) Assets.--The term ``assets'' means a person, structure,
facility, information, material, equipment, network, or
process, whether physical or virtual, that enables an
organization's services, functions, or capabilities.
(3) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given such term in section
1016(e) of Public Law 107-56 (42 U.S.C. 5195c(e)).
(4) Cybersecurity threat.--The term ``cybersecurity
threat'' has the meaning given such term in section 2200 of
the Homeland Security Act of 2002 (6 U.S.C. 650).
(5) Homeland security enterprise.--The term ``Homeland
Security Enterprise'' has the meaning given such term in
section 2200 of the Homeland Security Act of 2002 (6 U.S.C.
650).
(6) Incident.--The term ``incident'' has the meaning given
such term in section 2200 of the Homeland Security Act of
2002 (6 U.S.C. 650).
(7) Information sharing.--The term ``information sharing''
means the bidirectional sharing of timely and relevant
information concerning a cybersecurity threat posed by a
State-sponsored cyber actor of the People's Republic of China
to United States critical infrastructure.
(8) Intelligence community.--The term ``intelligence
community'' has the meaning given such term in section 3(4)
of the National Security Act of 1947 (50 U.S.C. 3003(4)).
(9) Locality.--The term ``locality'' means any local
government authority or agency or component thereof within a
State having jurisdiction over matters at a county,
municipal, or other local government level.
(10) Sector.--The term ``sector'' means a collection of
assets, systems, networks, entities, or organizations that
provide or enable a common function for national security
(including national defense and continuity of Government),
national economic security, national public health or safety,
or any combination thereof.
(11) Sector risk management agency.--The term ``Sector Risk
Management Agency'' has the meaning given such term in
section 2200 of the Homeland Security Act of 2002 (6 U.S.C.
650).
(12) State.--The term ``State'' means any State of the
United States, the District of Columbia, the Commonwealth of
Puerto Rico, the Northern Mariana Islands, the United States
Virgin Islands, Guam, American Samoa, and any other territory
or possession of the United States.
(13) Systems.--The term ``systems'' means a combination of
personnel, structures, facilities, information, materials,
equipment, networks, or processes, whether physical or
virtual, integrated or interconnected for a specific purpose
that enables an organization's services, functions, or
capabilities.
(14) United states.--The term ``United States'', when used
in a geographic sense, means any State of the United States.
(15) Volt typhoon.--The term ``Volt Typhoon'' means the
People's Republic of China State-sponsored cyber actor
described in the Cybersecurity and Infrastructure Security
Agency cybersecurity advisory entitled ``PRC State-Sponsored
Actors Compromise and Maintain Persistent Access to U.S.
Critical Infrastructure'', issued on February 07, 2024, or
any successor advisory.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Tennessee (Mr. Green) and the gentlewoman from New York (Ms. Clarke)
each will control 20 minutes.
The Chair recognizes the gentleman from Tennessee.
{time} 1500
General Leave
Mr. GREEN of Tennessee. Mr. Speaker, I ask unanimous consent that all
Members may have 5 legislative days in which to revise and extend their
remarks and include extraneous material on H.R. 9769.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Tennessee?
There was no objection.
Mr. GREEN of Tennessee. Mr. Speaker, I yield myself such time as I
may consume.
Mr. Speaker, I rise in support of H.R. 9769. As we have all witnessed
in recent weeks, foreign malicious cyber actors are continuously
attempting to infiltrate IT environments in a wide range of U.S.
critical infrastructure sectors.
The DHS Strengthening Cyber Resilience Against State-Sponsored
Threats Act will establish an interagency task force chaired by the
Director of CISA to address the cybersecurity threats posed by PRC
cyber actors, including Volt Typhoon.
I commend my colleague, the gentlewoman from Florida (Ms. Lee), for
her leadership in confronting these threats. I am proud to have joined
her in introducing this legislation.
Mr. Speaker, I urge my colleagues to support this legislation, and I
reserve the balance of my time.
Ms. CLARKE of New York. Mr. Speaker, I yield myself such time as I
may consume.
Mr. Speaker, our adversaries are growing bolder and more
sophisticated in using cyber tools to gain access to government and
critical infrastructure networks. As we speak, the Federal Government
and its private-sector partners are working to understand the full
scope and scale of the telecommunications hack by state-sponsored
threat actors from China, known as Salt Typhoon.
The Salt Typhoon telecom hack followed warnings issued earlier this
year by the Cybersecurity and Infrastructure Security Agency and its
Federal partners that state-sponsored threat actors from China are
``seeking to pre-position themselves on IT networks for disruptive or
destructive cyberattacks against U.S. critical infrastructure.''
H.R. 9769, the Strengthening Cyber Resilience Against State-Sponsored
Threats Act, formalizes interagency efforts already underway to defend
against state-sponsored threat activity directed by the People's
Republic of China.
Notably, it would establish an interagency task force and a reporting
requirement to ensure Congress is informed of sector-specific cyber
threat trends and additional resources or authorities the government
needs to protect government and critical infrastructure networks, among
other things.
Mr. Speaker, I urge my colleagues to support H.R. 9769, and I reserve
the balance of my time.
Mr. GREEN of Tennessee. Mr. Speaker, I yield such time as she may
consume to the gentlewoman from Florida (Ms. Lee).
Ms. LEE of Florida. Mr. Speaker, the Chinese Communist Party and
other adversary nation-states and criminal networks have been
exploiting our critical infrastructure and collecting information on
American officials, posing a grave threat to our national security.
The malicious cyber activity by the CCP represents a calculated
effort to gather intelligence on IT systems vital to U.S. national
security, public safety, and economic stability.
Specifically, the CCP state-sponsored cyber actor known as Volt
Typhoon has conducted a coordinated campaign to infiltrate the
information technology environments of a wide range of critical
infrastructure sectors of the United States, including sectors like
communications, transportation, energy, and water.
H.R. 9769, the Strengthening Cyber Resilience Against State-Sponsored
Threats Act, will create an interagency task force, chaired by the
Cybersecurity and Infrastructure Security Agency, CISA, Director and
co-chaired by the FBI Director to address the cybersecurity threat
posed by CCP cyber actors.
This bill would improve our defensive and offensive capabilities in
cyberspace and requires the task force to provide a classified report
and briefing to Congress annually for 5 years on their findings,
conclusions, and recommendations relating to malicious cyber activity.
Specifically, this task force will help Congress create a mitigation
strategy every year to help us prevent future cyberattacks and protect
our national security.
It is time to mitigate this threat and secure our networks and
infrastructure to protect all Americans. We must address the grave
threats China and other foreign adversaries pose to our cybersecurity.
I urge my colleagues to vote ``yes'' on H.R. 9769.
Ms. CLARKE of New York. Mr. Speaker, I yield myself the balance of my
time.
Mr. Speaker, I urge my colleagues to support H.R. 9769, and I yield
back the balance of my time.
Mr. GREEN of Tennessee. Mr. Speaker, I urge my colleagues to support
H.R. 9769, and I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from Tennessee (Mr. Green) that the House suspend the rules
and pass the bill, H.R. 9769.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill was passed.
A motion to reconsider was laid on the table.