[Congressional Record (Bound Edition), Volume 146 (2000), Part 4]
[Extensions of Remarks]
[Pages 5541-5543]
[From the U.S. Government Publishing Office, www.gpo.gov]



       INTRODUCTION OF THE CYBER SECURITY INFORMATION ACT OF 2000

                                 ______
                                 

                          HON. THOMAS M. DAVIS

                              of virginia

                    in the house of representatives

                       Wednesday, April 12, 2000

  Mr. DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to 
introduce legislation with my good friend and colleague from northern 
Virginia, Representative Jim Moran, that will facilitate the protection 
of our nation's critical infrastructure from cyber threats. In the 
104th Congress, we called upon the Administration to study our nation's 
critical infrastructure vulnerabilities and to identify solutions to 
address these vulnerabilities. The Administration has, through the 
President and participating agencies, identified a number of steps
that must be taken in order to eliminate the potential for significant 
damage to our critical infrastructure. Foremost among these suggestions 
is the need to ensure coordination between the public and private 
sector representatives of critical infrastructure. The bill I am 
introducing today is the first step in encouraging private sector 
cooperation and participation with the government to accomplish this 
objective.
  The critical infrastructure of the United States is largely owned and 
operated by the private sector. Critical infrastructures are those 
systems that are essential to the minimum operations of the economy and 
government. Our critical infrastructure is comprised of the financial 
services, telecommunications, information technology, transportation, 
water systems, emergency services, electric power, gas and oil sectors 
in private industry as well as our National Defense, and Law 
Enforcement and International Security sectors within the government. 
Traditionally, these sectors operated largely independently of one 
another and coordinated with government to protect themselves against 
threats posed by traditional warfare. Today, these sectors must learn 
how to protect themselves against unconventional threats such as 
terrorist attacks, and cyber attack. These sectors must also recognize 
the vulnerabilities they may face because of the tremendous 
technological progress we have made. As we learned when planning for 
the challenges presented by the Year 2000 rollover, many of our 
computer systems and networks are now interconnected and communicate 
with many other systems. With the many advances in information 
technology, many of our critical infrastructure sectors are linked to 
one another and face increased vulnerability to cyber threats. 
Technology interconnectivity increases the risk that problems affecting 
one system will also affect other connected systems. Computer networks 
can provide pathways among systems to gain unauthorized access to data 
and operations from outside locations if they are not carefully 
monitored and protected.
  A cyber threat could quickly shut down any one of our critical 
infrastructures and potentially cripple several sectors at one time. 
Nations around the world, including the United States, are currently 
training their military and intelligence personnel to carry out cyber 
attacks against other nations to quickly and efficiently cripple a 
nation's daily operations. Cyber attacks have moved beyond the 
mischievous teenager and are being learned and used by terrorist 
organizations as the latest weapon in a nation's arsenal. In June 1998 
and February 1999, the Director of the Central Intelligence Agency 
testified before Congress that several nations recognize that cyber 
attacks against civilian computer systems represent the most viable 
option for leveling the playing field in an armed crisis against the 
United States. The Director also stated that several terrorist 
organizations believed information warfare to be a low cost opportunity 
to support their causes. Both Presidential Decision Directive 63 
(PDD-63) issued in May 1998, and the President's National Plan for 
Information Systems Protection, Version 1.0 issued in January 2000, 
call on the legislative branch to build the necessary framework to 
encourage information sharing to address cyber security threats to our 
nation's privately held critical infrastructure.
  Recently, we have learned the inconveniences that may be caused by a 
cyber attack or unforeseen circumstance. Earlier this year, many of our 
most popular sites such as Yahoo, eBay and Amazon.com were shut down for 
several hours at a time over several days by a team of hackers 
interested in demonstrating their capability to disrupt service. While 
we may have found the shutdown of these sites temporarily inconvenient, 
they potentially cost those companies significant amounts of lost 
revenue, and it is not too difficult to imagine what would have 
occurred if the attacks had been focused on our utilities, or emergency 
services industries. We, as a society, have grown increasingly 
dependent on our infrastructure providers. I am sure many of you recall 
when PanAmSat's Galaxy IV satellite's on-board controller lost service. 
An estimated 80 to 90% of our nation's pagers were inoperable, and 
hospitals had difficulty reaching doctors on call and emergency 
workers. It even impeded the ability of consumers to use credit cards 
to pay for their gas at the pump.
  Moreover, recent studies have demonstrated that the incidence of 
cyber security threats to both the government and the private sector 
is only increasing. According to an October 1999 report issued by the 
General Accounting Office (GAO), the number of reported computer 
security incidents handled by Carnegie-Mellon University's CERT 
Coordination Center has increased from 1,334 in 1993 to 4,398 during 
the first two quarters of 1999. Additionally, the Computer Security 
Institute reported an increase in attacks for the third year in a row 
based on responses to their annual survey on computer security. GAO has 
done a number of reports that give Congress an accurate picture of the 
risk facing federal agencies; they cannot track such information for 
the private sector. We must rely on the private sector to share its 
vulnerabilities with the federal government so that all of our critical 
infrastructures are protected.
  Today, I am introducing legislation that gives critical 
infrastructure industries the assurances they need in order to 
confidently share information with the federal government. As we 
learned with the Y2K model, government and industry can work in 
partnership to produce the best outcome for the American people. The 
President has called for the creation of Information Sharing and 
Analysis Centers (ISACs) for each critical infrastructure sector that 
will be headed by the appropriate federal agency or entity, and a 
member from its private sector counterpart. For instance, the 
Department of Treasury is running the first ISAC for the financial 
services industry in partnership with Citigroup. Many in the private 
sector have expressed strong support for this model but have also 
expressed concerns about voluntarily sharing information with the 
government, and the unintended consequences they could face for acting 
in good faith. Specifically, there has been concern that industry could 
potentially face antitrust violations for sharing information with 
other industry partners, have their shared information be subject to 
the Freedom of Information Act, or face potential liability concerns 
for information shared in good faith. My bill will address all three of 
these concerns. The Cyber Security Information Act also respects the 
privacy rights of consumers and critical infrastructure operators. 
Consumers and operators will have the confidence they need to know that 
information will be handled accurately, confidentially, and reliably.
  The Cyber Security Information Act of 2000 is closely modeled after 
the successful Year 2000 Information and Readiness Disclosure Act by 
providing a limited FOIA exemption, civil litigation protection for 
shared information, and an antitrust exemption for information shared 
within an ISAC. These three protections have been previously cited by 
the Administration as necessary legislative remedies in Version 1.0 of 
the National Plan and PDD-63. This legislation will enable the ISACs to 
move forward without fear from industry so that government and industry 
may enjoy the mutually cooperative partnership called for in PDD-63. 
This will also allow us to get a timely and accurate assessment of the 
vulnerabilities of each sector to cyber attacks and allow for the 
formulation of proposals to eliminate these vulnerabilities without 
increasing government regulation, or expanding unfunded federal 
mandates on the private sector.
  PDD-63 calls upon the government to put in place a critical 
infrastructure proposal that will allow for three tasks to be 
accomplished by 2003:
  (1) The Federal Government must be able to perform essential national 
security missions and to ensure the general public health and safety;
  (2) State and local governments must be able to maintain order and to 
deliver minimum essential public services; and
  (3) The private sector must be able to ensure the orderly functioning 
of the economy and the delivery of essential telecommunications, 
energy, financial, and transportation services. This legislation will 
allow the private sector to meet this deadline.
  We will also ensure the ISACs can move forward to accomplish their 
missions by developing the necessary technical expertise to establish 
baseline statistics and patterns within the various infrastructures, 
become a clearinghouse for information within and among the various 
sectors, and provide a repository of valuable information that may be 
used by the private sector. As technology continues to rapidly improve 
industry efficiency and operations, so will the risks posed by 
vulnerabilities and threats to our infrastructure. We must create a 
framework that will allow our protective measures to adapt and be 
updated quickly.
  It is my hope that we will be able to move forward quickly with this 
legislation and that Congress and the Administration can move forward 
in partnership to provide industry and government with the tools for 
meeting this challenge. A Congressional Research Service report on the 
ISAC proposal describes the information sharing model as one of the most 
crucial pieces for success in protecting our critical infrastructure, 
yet one of the hardest pieces to realize. With the introduction of the 
Cyber Security Information Act of 2000, we are removing the primary 
barrier to information sharing between government and industry. This is
landmark legislation that will be replicated around the globe by other 
nations as they too try to address threats to their critical 
infrastructure.
  Mr. Speaker, I believe that the Cyber Security Information Act of 
2000 will help us address critical infrastructure cyber threats with 
the same level of success we achieved in addressing the Year 2000 
problem. With government and industry cooperation, the seamless 
delivery of services and the protection of our nation's economy and 
well-being will continue without interruption just as the delivery of 
services continued on January 1, 2000.

                          ____________________