[Congressional Record (Bound Edition), Volume 147 (2001), Part 9]
[Extensions of Remarks]
[Pages 12850-12852]
[From the U.S. Government Publishing Office, www.gpo.gov]



       INTRODUCTION OF THE CYBER SECURITY INFORMATION ACT OF 2001

                                 ______
                                 

                             HON. TOM DAVIS

                              of virginia

                    in the house of representatives

                         Tuesday, July 10, 2001

  Mr. TOM DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to 
reintroduce legislation with my good friend and colleague from northern 
Virginia, Representative Jim Moran. Last year, we introduced H.R. 4246 
to facilitate the protection of our nation's critical infrastructure 
from cyber threats. We aggressively pushed forward with the legislation 
and held a productive Subcommittee hearing with the then-Subcommittee 
on Government Management, Information, and Technology on the importance 
of the bill. Based on comments made at that hearing, we have worked 
hard with a wide range of industries to refine and improve this 
legislation. Today, we are again introducing this legislation with the 
full partnership of the private sector. Over the past several months, I 
have worked with the industry leaders from each of our critical 
infrastructure sectors to draft consensus legislation that will 
facilitate public-private partnerships to promote information sharing 
to prevent our nation from being crippled by a cyber-terrorism threat.
  In the 104th Congress, we called upon the previous Administration to 
study our nation's critical infrastructure vulnerabilities and to 
identify solutions to address these vulnerabilities. Through that 
effort, a number of steps were identified that must be taken in order 
to eliminate the potential for significant damage to our critical 
infrastructure. Foremost among these suggestions was the need to ensure 
coordination between the public and private sector representatives of 
critical infrastructure. The bill we are again introducing today is the 
first step in encouraging private sector cooperation and participation 
with the government to accomplish this objective.
  Since early spring of this year, Congress has held a number of 
hearings examining the ability of our nation to cope with cyber 
security threats and attacks. For instance, the House Energy and 
Commerce has held numerous hearings regarding the vulnerability of 
specific Federal agencies and entities, and how those agencies are 
implementing--or not implementing--the appropriate risk management 
tools to deal with these threats. The House Judiciary Subcommittee on 
Crime has held a number of hearings specifically looking at cybercrime 
from both a private sector and a federal law enforcement perspective. 
These hearings have demonstrated the importance of better, more 
efficient information sharing in protecting against cyber-threats as is 
encompassed in the legislation I have introduced today.
  Also, the National Security Telecommunications Advisory Committee 
(NSTAC) met in early June of this year to discuss the necessary 
legislative action to encourage industry to voluntarily work in concert 
with the federal government in assessing and protecting against cyber 
vulnerabilities. The bill I am introducing today was endorsed at the 
June meeting. In recent months, the Bush Administration has 
aggressively been working with industry to address our critical 
infrastructure protection needs and ensure that the federal government 
is better coordinating its cybersecurity efforts. I look forward in 
the coming weeks to working with the Administration to enhance the 
public-private partnership that industry and government must have in 
order to truly protect our critical infrastructure.
  The critical infrastructure of the United States is largely owned and 
operated by the private sector. Critical infrastructures are those 
systems that are essential to the minimum operations of the economy and 
government. Our critical infrastructure is comprised of the financial 
services, telecommunications, information technology, transportation, 
water systems, emergency services, electric power, gas and oil sectors 
in private industry as well as our National Defense, and Law 
Enforcement and International Security sectors within the government. 
Traditionally, these sectors operated largely independently of one 
another and coordinated with government to protect themselves against 
threats posed by traditional warfare. Today, these sectors must learn 
how to protect themselves against unconventional threats such as 
terrorist attacks and cyber intrusions.
  These sectors must also recognize the vulnerabilities they may face 
because of the tremendous technological progress we have made. As we 
learned when planning for the challenges presented by the Year 2000 
rollover, many of our computer systems and networks are now 
interconnected and communicate with many other systems. With the many 
advances in information technology, many of our critical infrastructure 
sectors are linked to one another and face increased vulnerability to 
cyber threats. Technology interconnectivity increases the risk that 
problems affecting one system will also affect other connected systems. 
Computer networks can provide pathways among systems to gain 
unauthorized access to data and operations from outside locations if 
they are not carefully monitored and protected.
  A cyber threat could quickly shut down any one of our critical 
infrastructures and potentially cripple several sectors at one time. 
Nations around the world, including the United States, are currently 
training their military and intelligence personnel to carry out cyber 
attacks against other nations to quickly and efficiently cripple a 
nation's daily operations. Cyber attacks have moved beyond the 
mischievous teenager and are now being learned and used by terrorist 
organizations as the latest weapon in a nation's arsenal. During this 
past spring, around the anniversary of the 
U.S. bombing of the Chinese embassy in Belgrade, U.S. web sites were 
defaced by hackers, replacing existing content with pro-Chinese or 
anti-U.S. rhetoric. In addition, an Internet worm named ``Lion'' 
infected computers and installed distributed denial of service (DDOS) 
tools on various systems. An analysis of the Lion worm's source code 
revealed that it could send password files from the victim site to an 
e-mail address located in China.
  We have learned the inconveniences that may be caused by a cyber 
attack or unforeseen circumstance. Last year, many individuals and 
companies were impacted by the ``I Love You'' virus as it moved rapidly 
around the world disrupting the daily operations of many of our 
industry sectors. The Love Bug showed the resourcefulness of many in 
the private sector in identifying and responding to such an attack but 
it amply demonstrated the weakness of the government's ability to 
handle such a virus. Shortly after the attack, Congress learned that 
the U.S. Department of Health and Human Services' (HHS) operating 
systems were so debilitated by the virus that it could not have 
responded adequately if we had faced a serious public health crisis at 
the same time. Additionally, the federal government was several hours 
behind industry in notifying agencies about the virus. If the private 
sector could share information with the government within a defined 
framework, federal agencies could have been made aware of the threat 
earlier on.
  Last month, NIPC and FedCIRC received information on attempts to 
locate, obtain control of and plant new malicious code known as 
``W32-Leaves.worm'' on computers previously infected with the SubSeven 
Trojan. SubSeven is a Trojan Horse that can permit a remote computer to 
gain complete control of an infected machine, typically by using 
Internet Relay Chat (IRC) channels for communications. In June 1998 and 
February 1999, the Director of the Central Intelligence Agency 
testified before Congress that several nations recognize that cyber 
attacks against civilian computer systems represent the most viable 
option for leveling the playing field in an armed crisis against the 
United States. The Director also stated that several terrorist 
organizations believed information warfare to be a low cost opportunity 
to support their causes. We must, as a nation, prepare both our public 
and private sectors to protect ourselves against such efforts.
  That is why I am again introducing legislation that gives critical 
infrastructure industries the assurances they need in order to 
confidently share information with the federal government. As we 
learned with the Y2K model, government and industry can work in 
partnership to produce the best outcome for the American people. Today, 
the private sector has established many information sharing 
organizations (ISOs) for the different sectors of our nation's critical 
infrastructure. Information regarding a cyber threat or vulnerability 
is now shared within some industries but it is not shared with the 
government and it is not shared across industries. The private sector 
stands ready to expand this model but has also expressed concerns 
about voluntarily sharing information with the government and the 
unintended consequences they could face for acting in good faith. 
Specifically, there has been concern that industry could potentially 
face antitrust violations for sharing information with other industry 
partners, have their shared information be subject to the Freedom of 
Information Act, or face potential liability concerns for information 
shared in good faith. My bill will address all three of these concerns. 
The Cyber Security Information Act also respects the privacy rights of 
consumers and critical infrastructure operators. Consumers and 
operators will have the confidence they need to know that information 
will be handled accurately, confidentially, and reliably.
  The Cyber Security Information Act is closely modeled after the 
successful Year 2000 Information and Readiness Disclosure Act by 
providing a limited FOIA exemption, civil litigation protection for 
shared information, and an antitrust exemption for information shared 
among private sector companies for the purpose of correcting, avoiding, 
communicating or disclosing information about a cyber-security related 
problem. These three protections have been requested by the U.S. 
Chamber of Commerce, the National Association of Manufacturers, the 
Edison Electric Institute, the Information Technology Association of 
America, Americans for Computer Privacy, and the Electronics Industry 
Alliance. Many private sector companies have also asked for this 
important legislation. I have attached to my statement a letter from 
the many professional associations and private sector companies 
supporting the introduction of this measure.
  This legislation will enable the private sector, including ISOs, to 
move forward without fear from the government so that government and 
industry may enjoy a mutually cooperative partnership. This will also 
allow us to get a timely and accurate assessment of the vulnerabilities 
of each sector to cyber attacks and allow for the formulation of 
proposals to eliminate these vulnerabilities without increasing 
government regulation, or expanding unfunded federal mandates on the 
private sector.
  ISOs will continue their current leadership role in developing the 
necessary technical expertise to establish baseline statistics and 
patterns within the various infrastructures, as clearinghouses for 
information within and among the various sectors, and as repositories 
of valuable information that may be used by the private sector. As 
technology continues to rapidly improve industry efficiency and 
operations, so will the risks posed by vulnerabilities and threats to 
our infrastructure. We must create a framework that will allow our 
protective measures to adapt and be updated quickly.
  It is my hope that we will be able to move forward quickly with this 
legislation and that Congress and the Administration will work in 
partnership to provide industry and government with the tools for 
meeting this challenge. A Congressional Research Service report on the 
ISOs proposal describes the information sharing model as one of the 
most crucial pieces for success in protecting our critical 
infrastructure, yet one of the hardest pieces to realize. With the 
introduction of the Cyber Security Information Act of 2001, we are 
removing the primary barrier to information sharing between government 
and industry. This is landmark legislation that will be replicated 
around the globe by other nations as they too try to address threats to 
their critical infrastructure.
  Mr. Speaker, I believe that the Cyber Security Information Act of 
2001 will help us address critical infrastructure cyber threats with 
the same level of success we achieved in addressing the Year 2000 
problem. With government and industry cooperation, the seamless 
delivery of services and the protection of our nation's economy and 
well-being will continue without interruption just as the delivery of 
services continued on January 1, 2000.

                                                     July 5, 2001.
     Hon. ----
     U.S. House of Representatives,
     Washington, DC
       Dear Representative: We, the undersigned, representing 
     every sector of the United States economy, write today to 
     strongly urge you to become an original cosponsor of the 
     Cyber Security Information Act to be shortly introduced by 
     Representatives Tom Davis and Jim Moran. This important bill 
     will strengthen information sharing legal protections that 
     shield U.S. critical infrastructures from cyber and physical 
     attacks and threats.
       Over the past four years, industry-government information 
     sharing regarding vulnerabilities and threats has been a key 
     element of the federal government's critical infrastructure 
     protection plans. Several industry established information 
     sharing organizations, including Information Sharing and 
     Analysis Centers (ISACs) and the Partnership for Critical 
     Infrastructure Security (PCIS), have been set up to support 
     this initiative. The National Plan for Information Systems 
     Protection, version 1.0, also calls for private sector input 
     about actions that will facilitate industry-government 
     information sharing.
       As representative companies and industry associations 
     involved in supporting the ongoing development of a National 
     Plan for critical infrastructure protection, we believe that 
     Congress can play a key role in facilitating this initiative 
     by passing legislation to support the Plan's strategic 
     objectives.
       Currently, there is uncertainty about whether existing law 
     may expose companies and industries that voluntarily share 
     sensitive information with the federal government to 
     unintended and potentially harmful consequences. This 
     uncertainty has a chilling effect on the growth of all 
     information sharing organizations and the quality and 
     quantity of information that they are able to gather and 
     share with the federal government. As such, this situation is 
     an impediment to the effectiveness of both industry and 
     government security and assurance managers to understand, 
     collaborate on and manage their vulnerability and threat 
     environments.
       Legislation that will clarify and strengthen existing 
     Freedom of Information Act and antitrust exemptions, or 
     otherwise create new means to promote critical infrastructure 
     protection and assurance would be very helpful and have a 
     catalytic effect on the initiatives that are currently under 
     way.
       Companies in the transportation, telecommunications, 
     information technology, financial services, energy, water, 
     power and gas, health and emergency services have a vital 
     stake in the protection of infrastructure assets. With over 
     90 percent of the country's critical infrastructure owned 
     and/or operated by the private sector, the government must 
     support information sharing between the public and private 
     sectors in order to ensure the best possible security for all 
     our citizens. A basic precondition for this cooperation is a 
     clear legal and public policy framework for action.
       Businesses also need protection from unnecessary 
     restrictions placed by federal and state antitrust laws on 
     critical information sharing that would inhibit 
     identification of R&D needs or the identification and 
     mitigation of vulnerabilities. There are a number of 
     precedents for this kind of collaboration, and we believe 
     that legislation based on these precedents will also assist 
     this process.
       Faced with the prospect of unintended liabilities, we also 
     believe that any assurances that Congress can provide to 
     companies voluntarily collaborating with the government in 
     risk management planning activity--such as performing risk 
     assessments, testing infrastructure security, or sharing 
     certain threat and vulnerability information--will be very 
     beneficial. Establishing liability safeguards to encourage 
     the sharing of threat and vulnerability information will add 
     to the robustness of the partnership and the significance of 
     the information shared.
       Thank you for considering our views on this important 
     subject. We think that such legislation will contribute to 
     the success of the institutional, information-sharing, 
     technological, and collaborative strategies outlined in 
     Presidential Decision Directive--63 and version 1.0 of the 
     National Plan for Information Systems Protection.
           Sincerely,
       Americans for Computer Privacy.
       Edison Electric Institute.
       Fannie Mae.
       Internet Security Alliance.
       Information Technology Association of America.
       Microsoft.
       National Center for Technology and Law, George Mason 
     University.
       Qwest Communications.
       Security.
       Computer Sciences Corporation.
       Electronic Industries Alliance.
       The Financial Services Roundtable.
       Internet Security Systems.
       National Association of Manufacturers.
       Mitretek Systems.
       The Open Group.
       Oracle.
       U.S. Chamber of Commerce.


   Why Information Sharing is Essential for Critical Infrastructure 
                               Protection


                       Frequently Asked Questions

     What are Critical Infrastructures?
       Critical Infrastructures are those industries identified in 
     Presidential Decision Directive--63 and version 1.0 of the 
     National Plan for Information Systems Protection, deemed 
     vital for the continuing functioning of the essential 
     services of the United States. These include 
     telecommunications, information technology, financial 
     services, oil, water, gas, electric energy, health services, 
     transportation, and emergency services.
     What Is the Problem?
       90% of the nation's critical infrastructures are owned 
     and/or operated by the private sector. Increasingly, they are 
     inter-connected through networks. This has made them more 
     efficient, but it has also increased the vulnerability of 
     multiple sectors of the economy to attacks on particular 
     infrastructures. According to the Carnegie-Mellon Computer 
     Emergency Response Team (CERT), cyber attacks on critical 
     infrastructures have grown at an exponential rate over the 
     past three years. This trend is expected to continue for the 
     foreseeable future. In our free market system, it is not 
     feasible to have a centralized-government monitoring 
     function. A voluntary national industry-government 
     information sharing system is needed in order for the nation 
     to create an effective early warning system, find and fix 
     vulnerabilities, benchmark best practices and create new 
     safety technologies.
     How Do Industries and the Government Share Information?
       Based on PDD-63 and the National Plan, a number of 
     organizations have been created to foster industry-government 
     cooperation. These include Information Sharing and Analysis 
     Centers (ISACs). ISACs are industry-specific and have been 
     set up in the financial services, telecommunications, IT, and 
     electric energy industries. Others are in the process of 
     being organized. ISACs vary in their membership structures 
     and relationship to the government. Most of them have a 
     formal government sector liaison as their principal point of 
     contact.
     What Are Current Concerns?
       Companies are concerned that information voluntarily shared 
     with the government that reports on or concerns corporate 
     security may be subject to FOIA. They are also concerned that 
     lead agencies may not be able to effectively control the use 
     or dissemination of sensitive information because of similar 
     legal requirements. Access to sensitive information may fall 
     into the hands of terrorists, criminals, and other 
     individuals and organizations capable of exploiting 
     vulnerabilities and harming the U.S. Unfiltered, unmediated 
     information may be misinterpreted by the public and undermine 
     public confidence in the country's critical infrastructures. 
     Also, competitors and others may use that information to the 
     detriment of a reporting company, or as the basis for 
     litigation. Any and all of these possibilities are reasons 
     why the current flow of voluntary data is minimal.
     What Can Be Done?
       Possible solutions include creating an additional exemption 
     to current FOIA laws. There are currently over 80 specific 
     FOIA Exemptions throughout the body of U.S. law, so it is 
     clear that exempting voluntarily shared information that 
     could affect national security is consistent with the intent 
     and application of FOIA. Another solution is to build on 
     existing relevant legal precedents such as the 1998 Y2K 
     Information and Readiness Disclosure Act, the 1984 National 
     Cooperative Research Act, territorially limited court 
     rulings, and individual, advisory Department of Justice 
     Findings.
     Why Pursue a Legislative Solution?
       The goal is to provide incentives for voluntary information 
     sharing. Legislation can add legal clarity that will provide 
     one such incentive, as well as also demonstrate the support 
     and commitment of Congress to increasing critical 
     infrastructure assurance.

     

                          ____________________