[Congressional Record (Bound Edition), Volume 154 (2008), Part 9]
[Senate]
[Pages 11817-11820]
[From the U.S. Government Publishing Office, www.gpo.gov]




          STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

      By Ms. SNOWE (for herself and Mr. Kerry):
  S. 3102. A bill to establish the Small Business Information Security 
Task Force, and for other purposes; to the Committee on Small Business 
and Entrepreneurship.
  Ms. SNOWE. Mr. President, I rise today, with Senator John Kerry, to 
introduce the Small Business Information Security Act of 2008. Not only 
is this a bipartisan bill in the United States Senate, but it is also a 
bicameral bill. Congressmen Manzullo and Michaud are also introducing 
companion legislation in the U.S. House of Representatives. This bill 
would establish within the Small Business Administration, SBA, a Small 
Business Information Security Task Force to advise the SBA and help 
small businesses both understand the unique information security 
challenges they face, and identify resources to help meet those 
challenges.
  As ranking member of the Senate Committee on Small Business and 
Entrepreneurship, one of my goals is to ensure small businesses are 
protected from the mounting information security threats they face 
every day. This legislation will create a clearinghouse of information, 
resources, and tools--compiled by a task force consisting of public and 
private sector experts in the field--that will ease the complexity, 
confusion, and cost often associated with enhancing information 
security measures within a small business. The task force will 
continually update information and resources as new technologies and 
threats arise.
  Currently, small business owners turn to the SBA for resources 
regarding a number of aspects, but information security resources 
remain largely unavailable within the agency. This legislation will 
present an opportunity for the SBA to develop and create a repository 
of data to help small business owners meet their information security 
needs. This legislation will enable industry experts to come together 
and immediately provide meaningful strategies to enable small 
businesses to safeguard their customers' personal information.
  Computer networks are increasingly susceptible to hackers, intruders, 
and other cyber criminals. In fact, in my home state of Maine, the 
retail supermarket chain, Hannaford Bros., was recently affected by an 
intrusion into their computer system which led to the exposure of 4.2 
million credit and debit card numbers. What many people do not realize 
is that a breach like Hannaford's impacts not only the millions of 
customers whose personal data was compromised, but it also has serious 
downstream impact on our Nation's small businesses. For example, 
throughout Maine there are many small banks; these banks are 
responsible for protecting and alerting their depositors upon 
fraudulent activity. Following the Hannaford breach, many small banks 
had to replace their customers' credit and debit cards, clearly a 
costly enterprise that diverts resources from more productive 
activities, such as small business lending. The bill we are introducing 
today will help ameliorate this problem.
  Unfortunately, these attacks are becoming more frequent and more 
severe, and the perpetrators are becoming harder to identify and bring 
to justice. According to a survey by the Small Business Technology 
Institute, more than half of all small businesses in the U.S. 
experienced a security breach in the last year. Furthermore, the study
concludes that nearly one-fifth of small businesses do not use virus-
scanning for e-mail, over 60 percent do not protect their wireless 
networks with encryption, and two-thirds of small businesses do not 
have an information security plan.
  As these statistics illustrate, small businesses are increasingly at 
risk of data breaches and other forms of malicious attacks on their 
information technology infrastructure. Cyber attacks launched by a 
small group of people can devastate America financially; it is 
conceivable that a few individuals working together could disable 
millions of computers at a cost of hundreds of millions to the U.S. 
economy. Cyber-criminals can hold hostage not just a few individuals, 
but millions of small businesses. This legislation provides best 
practices to help small business owners decrease the risk cyber attacks 
pose to their customers.
  The information security threat posed to our Nation's small 
businesses is serious, and our efforts to prevent and reduce this risk 
carry a tremendous sense of urgency. We must continue to focus on ways 
we can protect small businesses, and their customers, from the serious 
consequences of cyber crimes. In order to take an important first step, 
I encourage all of my colleagues to support this critical legislation, 
and I hope we can see this commonsense legislation enacted into law as 
expeditiously as possible.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 3102

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Small Business Information 
     Security Act of 2008''.

     SEC. 2. DEFINITIONS.

       In this Act--
       (1) the terms ``Administration'' and ``Administrator'' mean 
     the Small Business Administration and the Administrator 
     thereof, respectively;
       (2) the term ``small business concern'' has the same 
     meaning as in section 3 of the Small Business Act (15 U.S.C. 
     632); and
       (3) the term ``task force'' means the task force 
     established under section 3(a).

     SEC. 3. INFORMATION SECURITY TASK FORCE.

       (a) Establishment.--The Administrator shall establish a 
     task force, to be known as the Small Business Information 
     Security Task Force, to address the information technology 
     security needs of small business concerns.
       (b) Duties.--The task force shall--
       (1) identify--
       (A) the information technology security needs of small 
     business concerns; and
       (B) the programs and services provided by the Federal 
     Government, State Governments, and nongovernment 
     organizations that serve those needs;
       (2) assess the extent to which the programs and services 
     identified under paragraph (1)(B) serve the needs identified 
     under paragraph (1)(A);
       (3) make recommendations to the Administrator on how to 
     more effectively serve the needs identified under paragraph 
     (1)(A) through--
       (A) programs and services identified under paragraph 
     (1)(B); and
       (B) new programs and services promoted by the task force;
       (4) make recommendations on how the Administrator may 
     promote--
       (A) new programs and services that the task force 
     recommends under paragraph (3)(B); and
       (B) programs and services identified under paragraph 
     (1)(B);
       (5) make recommendations on how the Administrator may 
     inform and educate with respect to--
       (A) the needs identified under paragraph (1)(A);
       (B) new programs and services that the task force 
     recommends under paragraph (3)(B); and
       (C) programs and services identified under paragraph 
     (1)(B);
       (6) make recommendations on how the Administrator may more 
     effectively work with public and private interests to address 
     the information technology security needs of small business 
     concerns; and
       (7) make recommendations on the creation of a permanent 
     advisory board that would make recommendations to the 
     Administrator on how to address the information technology 
     security needs of small business concerns.
       (c) Internet Website Recommendations.--The task force shall 
     make recommendations to the Administrator relating to the 
     establishment of an Internet website to be used by the 
     Administration to receive and dispense information and 
     resources with respect to the needs identified under 
     subsection (b)(1)(A) and the programs and services identified 
     under subsection (b)(1)(B). As part of the recommendations, 
     the task force shall identify the Internet sites of 
     appropriate programs, services, and organizations, both 
     public and private, to which the Internet website should 
     link.
       (d) Education Programs.--The task force shall make 
     recommendations to the Administrator relating to developing 
     additional education materials and programs with respect to 
     the needs identified under subsection (b)(1)(A).
       (e) Existing Materials.--The task force shall organize and 
     distribute existing materials that inform and educate with 
     respect to the needs identified under subsection (b)(1)(A) 
     and the programs and services identified under subsection 
     (b)(1)(B).
       (f) Coordination With Public and Private Sector.--In 
     carrying out its responsibilities under this section, the 
     task force shall coordinate with, and may accept materials 
     and assistance as it determines appropriate from--
       (1) any subordinate officer of the Administrator;
       (2) any organization authorized by the Small Business Act 
     to provide assistance and advice to small business concerns;
       (3) other Federal agencies, their officers, or employees; 
     and
       (4) any other organization, entity, or person not described 
     in paragraph (1), (2), or (3).
       (g) Chair and Vice-Chair.--The task force shall have--
       (1) a Chair, appointed by the Administrator; and
       (2) a Vice-Chair, appointed by the Administrator, in 
     consultation with appropriate nongovernmental organizations, 
     entities, or persons.
       (h) Members.--
       (1) Chair and vice-chair.--The Chair and the Vice-Chair 
     shall serve as members of the task force.
       (2) Additional members.--
       (A) In general.--The task force shall have additional 
     members, each of whom shall be appointed by the Chair, with 
     the approval of the Administrator.
       (B) Number of members.--The number of additional members 
     shall be determined by the Chair, in consultation with the 
     Administrator, except that--
       (i) the additional members shall include, for each of the 
     groups specified in paragraph (3), at least 1 member 
     appointed from within that group; and
       (ii) the number of additional members shall not exceed 13.
       (3) Groups represented.--The groups specified in this 
     paragraph are--
       (A) subject matter experts;
       (B) users of information technologies within small business 
     concerns;
       (C) vendors of information technologies to small business 
     concerns;
       (D) academics with expertise in the use of information 
     technologies to support business;
       (E) small business trade associations;
       (F) Federal, State, or local agencies engaged in securing 
     cyberspace; and
       (G) information technology training providers with 
     expertise in the use of information technologies to support 
     business.
       (i) Meetings.--
       (1) Frequency.--The task force shall meet at least 2 times 
     per year, and more frequently if necessary to perform its 
     duties.
       (2) Quorum.--A majority of the members of the task force 
     shall constitute a quorum.
       (3) Location.--The Administrator shall designate, and make 
     available to the task force, a location at a facility under 
     the control of the Administrator for use by the task force 
     for its meetings.
       (4) Minutes.--
       (A) In general.--Not later than 90 days after each meeting, 
     the task force shall publish the minutes of the meeting and 
     shall submit to Administrator any findings or recommendations 
     approved at the meeting.
       (B) Submission to congress.--Not later than 60 days after 
     the date that the Administrator receives minutes under 
     subparagraph (A), the Administrator shall submit to the 
     Committee on Small Business and Entrepreneurship of the 
     Senate and the Committee on Small Business of the House of 
     Representatives such minutes, together with any comments the 
     Administrator considers appropriate.
       (5) Findings.--
       (A) In general.--Not later than the date that the task 
     force terminates under subsection (m), the task force shall 
     submit to the Administrator a final report on any findings 
     and recommendations of the task force approved at a meeting 
     of the task force.
       (B) Submission to congress.--Not later than 90 days after 
     the date that the Administrator receives the report under 
     subparagraph (A), the Administrator shall submit to the 
     Committee on Small Business and Entrepreneurship of the 
     Senate and the Committee on Small Business of the House of 
     Representatives the full text of the report submitted under 
     subparagraph (A), together with any comments the 
     Administrator considers appropriate.
       (j) Personnel Matters.--
       (1) Compensation of members.--Each member of the task force 
     shall serve without pay for their service on the task force.
       (2) Travel expenses.--Each member of the task force shall 
     receive travel expenses, including per diem in lieu of 
     subsistence, in accordance with applicable provisions under 
     subchapter I of chapter 57 of title 5, United States Code.
       (3) Detail of SBA employees.--The Administrator may detail, 
     without reimbursement, any of the personnel of the 
     Administration to the task force to assist it in carrying out 
     its duties. Such a detail shall be without interruption or 
     loss of civil status or privilege.
       (4) SBA support of the task force.--Upon the request of the 
     task force, the Administrator shall provide to the task force 
     the administrative support services that the Administrator 
     and the Chair jointly determine to be necessary for the task 
     force to carry out its duties.
       (k) Not Subject to Federal Advisory Committee Act.--The 
     Federal Advisory Committee Act (5 U.S.C. App.) shall not 
     apply to the task force.
       (l) Startup Deadlines.--The initial appointment of the 
     members of the task force shall be completed not later than 
     90 days after the date of enactment of this Act, and the 
     first meeting of the task force shall be not later than 180 
     days after the date of enactment of this Act.
       (m) Termination.--
       (1) In general.--Except as provided in paragraph (2), the 
     task force shall terminate at the end of fiscal year 2012.
       (2) Exception.--If, as of the termination date under 
     paragraph (1), the task force has not complied with 
     subsection (i)(4) with respect to 1 or more meetings, then 
     the task force shall continue after the termination date for 
     the sole purpose of achieving compliance with subsection 
     (i)(4) with respect to those meetings.
       (n) Authorization of Appropriations.--There are authorized 
     to be appropriated to carry out this section $200,000 for 
     each of fiscal years 2009 through 2012.
                                 ______
                                 
      By Mr. BIDEN (for himself and Mr. Lugar) (by request):
  S. 3103. A bill to amend the Iran, North Korea, and Syria 
Nonproliferation Act to allow certain extraordinary payments in 
connection with the International Space Station; to the Committee on 
Foreign Relations.
  Mr. BIDEN. Today Senator Lugar and I introduce, by request, the 
International Space Station Payments Act of 2008. This measure would 
enable the National Aeronautics and Space Administration to continue 
payments to Russia related to the International Space Station after 
2011.
  As with any legislation proposed by request, we introduce this bill 
for the purpose of placing the Executive branch's proposals before 
Congress and the public without expressing our own views on the 
substance of the proposals. As chairman and ranking member of the 
Committee on Foreign Relations, we intend to give the administration's 
requested legislation careful review and consideration.
  The Administrator of NASA, Michael Griffin, has submitted this 
legislation to the committee, along with a section-by-section analysis 
that helps to explain why NASA wants this legislation and what they 
believe it will achieve. Mr. President, I ask unanimous consent that a 
letter of support and a section-by-section analysis be printed in the 
Record.
  There being no objection, the material was ordered to be printed in 
the Record as follows:

                                         National Aeronautics and 
                                         Space Administration,
                                   Washington, DC, April 11, 2008.
     Hon. Joseph R. Biden,
     Chairman, Committee on Foreign Relations,
     U.S. Senate, Washington, DC.
       Dear Mr. Chairman: The National Aeronautics and Space 
     Administration (NASA) proposes the enclosed amendment to the 
     Iran, North Korea, and Syria Nonproliferation Act (50 USC 
     1701 note). The purpose of the amendment is to permit NASA to 
     continue to procure Russian support for the International 
     Space Station (ISS) until suitable U.S. capabilities are in 
     place. We urge enactment of this important amendment.
       The amendment provides a balanced approach, maintaining 
     both U.S. nonproliferation principles and objectives as well 
     as a U.S. presence on ISS. The justification and purpose for 
     this proposed amendment are stated more fully in the enclosed 
     sectional analysis. As an overview, NASA has procured Soyuz 
     services through the fall of 2011, consistent with existing 
     authority under the Act. However, U.S. obligations to provide 
     crew transportation and emergency services to the ISS 
     continue beyond 2011, and Soyuz will be the only viable 
     option for the United States to meet these obligations until 
     the U.S. Orion Crew Exploration Vehicle or U.S. commercial 
     providers can provide such transportation and rescue 
     services. Fabrication of Soyuz vehicles must begin 
     approximately 36 months prior to launch, according to the 
     responsible Russian entities. Thus, unless contractual 
     arrangements for the provision of crew rescue and rotation 
     services beyond 2011 are concluded in 2008, the production of 
     Soyuz vehicles for U.S. crew transportation requirements will 
     be at risk. This, in turn, means that prompt legislative 
     action is needed to provide further relief beyond 2011 and 
     allow for the negotiation of these arrangements.
       The Office of Management and Budget advises that there is 
     no objection to the submission of this legislation from the 
     standpoint of the Administration's program.
           Sincerely,
                                               Michael D. Griffin,
     Administrator.
                                  ____


   Amendment to the Iran, North Korea, and Syria Nonproliferation Act


                           Sectional Analysis

       The Administration remains committed to the important 
     objective of persuading the Russian Government and Russian 
     entities to improve their nonproliferation efforts regarding 
     Iran, North Korea, and Syria. Accordingly, the proposed 
     amendment to the Iran, North Korea, and Syria 
     Nonproliferation Act (the Act) would maintain key existing 
     U.S. nonproliferation tools while allowing payments to 
     Russian entities that support U.S. obligations to the 
     International Space Station (ISS) beyond December 31, 2011.
       The provision would extend the Act's exception to the 
     prohibition on ``extraordinary payments'' to the Russian 
     government and Russian entities for goods or services 
     relating to the ISS from January 1, 2012 to the end of the 
     life of the ISS. It would exclude from the exception any 
     payments after December 31, 2011 for cargo services provided 
     by a Progress vehicle. The new provision would also exclude 
     from the exception payments for crew transportation or rescue 
     services provided by a Soyuz vehicle once (1) the U.S. Orion 
     Crew Exploration Vehicle reaches Full Operational Capability 
     or (2) a U.S. commercial provider of crew transportation and 
     rescue services demonstrates the capability to meet ISS 
     mission requirements.
       An international partnership governed by an 
     Intergovernmental Agreement (IGA) among the United States, 
     Canada, multiple European States, Japan and Russia 
     established the ISS. This partnership is a long-standing and 
     interdependent one, with roles and responsibilities outlined 
     in the IGA and subordinate agreements for design, development 
     and operations of the program. Pursuant to the IGA and 
     subordinate agreements, NASA has an obligation to its non-
     Russian ISS Partners to provide crew rotation and rescue 
     services during the life of the ISS. Currently, the Russian 
     vehicle Soyuz is the sole provider of rescue services, with 
     the Space Shuttle providing crew transportation. After 
     Shuttle retirement, the partnership will be dependent on 
     Russia to provide both crew transportation and rescue 
     services with Soyuz until the U.S. Orion Crew Exploration 
     Vehicle (CEV) achieves Full Operational Capability (currently 
     projected for 2016) and can provide crew transportation and 
     rescue services, or a U.S. commercial provider can 
     demonstrate the capability to provide crew transportation and 
     rescue services to meet ISS mission needs.
       NASA has procured Soyuz services through the fall of 2011, 
     consistent with existing authority under the Act. Fabrication 
     of Soyuz vehicles must begin approximately 36 months prior to 
     launch based upon information provided by the Russian 
     entities responsible for manufacturing these vehicles. Thus, 
     unless contractual arrangements for rescue and crew rotation 
     services after 2011 are concluded in 2008, the production of 
     Soyuz vehicles for U.S. crew transfer and rescue will be at 
     risk. This in turn means that prompt legislative action is 
     needed to provide further relief beyond 2011 and allow for 
     the negotiation of these arrangements.
       Absent the proposed relief, the United States will be 
     unable to meet one of its most critical partner obligations: 
     providing crew transportation and rescue services to 
     European, Japanese and Canadian crews. The United States 
     would not have an American ``presence'' aboard the ISS, 
     either in terms of astronauts or access to research 
     facilities for the U.S. scientific community, if we could not 
     purchase crew transportation and rescue services from Russia, 
     as no non-Russian crew transfer vehicles will be available 
     until the CEV reaches full operational capability or a U.S. 
     commercial provider demonstrates the capability to meet ISS 
     crew transportation and rescue needs. Given NASA's 
     operational, engineering, safety and other responsibilities 
     for the ISS, NASA is concerned whether the ISS could remain 
     fully operational for any significant time period absent an 
     American presence.
       Moreover, the authority under the present exception to the 
     Act has been used to obtain ancillary goods and services from 
     Russia in addition to crew transport and rescue. For example, 
     although purchased from Russia, the Zarya module is legally a 
     U.S. element under the Space Station agreements and
     NASA must purchase unique tools and engineering support, such 
     as sustaining software, from Russia for the continued 
     operation of the module. NASA will have a continuing 
     requirement to procure certain goods and services where 
     Russia offers unique capabilities, such as those related to 
     Russian space suits, software and hardware engineering 
     support, and Extravehicular Activity tools and training, 
     which are required for effective operations onboard the ISS. 
     This amendment will allow NASA to continue to purchase such 
     goods and services that are necessary to meet U.S. 
     responsibilities under the Space Station Agreements.
       In addition, this limited relief being requested (i.e., 
     through the life of the ISS) may be necessary even after a 
     U.S. commercial capability is available, because some 
     potential U.S. commercial providers of cargo services and of 
     crew transportation and rescue services have Russian 
     contractors or other relationships with Russian entities 
     that, without this amendment, could trigger the Act's 
     ``extraordinary payment'' prohibition.
       With respect to furthering the United States' 
     nonproliferation objectives and tools, in addition to the 
     positive incentive provided by prudent, closely monitored 
     space cooperation in areas of great benefit to the United 
     States, the proposed amendment would not affect the current 
     nonproliferation framework. The first five sections of the 
     Act establish a requirement to report to Congress on every 
     foreign person that transfers controlled items to, or 
     acquires controlled items from, Iran, Syria or North Korea 
     and authorizes sanctions against such foreign persons. These 
     key reporting and sanctions provisions would not be affected 
     by the proposed amendment. In addition, the amendment leaves 
     in place the ban on any United States government agency 
     making extraordinary payments in connection with the ISS or 
     other human space flight to any persons (including entities) 
     subject to sanctions under the Act or the Proliferation of 
     Weapons of Mass Destruction Executive Order (E.O. 12938, as 
     amended by E.O. 13094) or if the U.S. government agency (in 
     consultation with other interested U.S. government agencies) 
     anticipates that such payments will be passed on to such 
     persons. Finally, specific proposals for cooperation with 
     Russia would continue to be subject to review under relevant 
     mechanisms such as the State Department's Circular 175 
     process for interagency review of international agreements. 
     Likewise, export and import licensing regulations would 
     ensure that U.S. nonproliferation objectives are maintained.

                          ____________________