[House Report 108-305]
[From the U.S. Government Publishing Office]



108th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 1st Session                                                    108-305

======================================================================



 
                GOVERNMENT NETWORK SECURITY ACT OF 2003

                                _______
                                

October 7, 2003.--Committed to the Committee of the Whole House on the 
               State of the Union and order to be printed

                                _______
                                

  Mr. Tom Davis of Virginia, from the Committee on Government Reform, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3159]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Government Reform, to whom was referred 
the bill (H.R. 3159) to require Federal agencies to develop and 
implement plans to protect the security and privacy of 
government computer systems from the risks posed by peer-to-
peer file sharing, having considered the same, report favorably 
thereon without amendment and recommend that the bill do pass.

                                CONTENTS

                                                                   Page
Committee Statement and Views....................................     1
Section-by-Section...............................................     4
Explanation of Amendments........................................     5
Committee Consideration..........................................     5
Rollcall Votes...................................................     5
Application of Law to the Legislative Branch.....................     5
Statement of Oversight Findings and Recommendations of the 
  Committee......................................................     5
Statement of General Performance Goals and Objectives............     6
Constitutional Authority Statement...............................     6
Unfunded Mandate Statement.......................................     6
Committee Estimate...............................................     6
Changes in Existing Law Made by the Bill as Reported.............     6
Budget Authority and Congressional Budget Office Cost Estimate...     6

                     COMMITTEE STATEMENT AND VIEWS

Purpose

    H.R. 3159 requires that federal agencies address the 
security and privacy risks posed by peer-to-peer file sharing 
programs when developing their network policies and procedures. 
Agencies must ensure that federal computers and the important 
information they store remain secure, private, and protected, 
but agencies are given the flexibility to develop the most 
appropriate means of accomplishing this goal through a 
combination of technological means (such as firewalls) or non-
technological means (such as employee training).

Background and need for the legislation

    Peer-to-peer file-sharing programs are Internet 
applications that allow computer users to share electronic 
files with other users connected to a common file sharing 
network. Peer-to-peer file sharing programs can be used to 
share any type of electronic files, but are commonly used to 
share music, movies, and video games.
    Peer-to-peer file sharing programs have become increasingly 
popular in recent years. One such program, Kazaa, has been 
downloaded nearly 280 million times--more than any other 
software program in Internet history. Other popular programs 
include BearShare and iMesh.
    Peer-to-peer file-sharing programs increase the 
connectivity between computers connected to a common peer-to-
peer network. This heightened connectivity can expose computers 
to risks beyond those raised by other Internet activities.
    A user of a peer-to-peer file sharing program chooses which 
folders on his or her computer are available for sharing with 
others on the same peer-to-peer network. Because peer-to-peer 
file-sharing programs allow the sharing of any type 
ofelectronic data, every computer file in these shared folders becomes 
accessible to every other user on the peer-to-peer network. A peer-to-
peer user who chooses to share a folder containing a music collection 
may not be aware that he or she is also sharing every personal document 
that might be stored in the same location.
    A recent Government Reform Committee investigation found 
that peer-to-peer users are sharing more than movies, music, 
and video games. Using a search tool built into the Kazaa 
program, staff investigators found users sharing completed tax 
forms, medical records, and complete e-mail inboxes.
    This increased connectivity of peer-to-peer file sharing 
also means that the computers used to operate these programs 
can be at greater risk for viruses and other malicious files. 
At a May 2003 Government Reform Committee hearing, leading 
network security experts testified on how viruses and worms can 
multiply on these peer-to-peer networks and enter into a user's 
computer through a peer-to-peer file sharing program.
    The security risks of peer-to-peer file sharing programs 
potentially become far more serious when federal government 
computers are used to connect to peer-to-peer networks. The 
electronic information exposed may include data vital to 
national security and personal files about citizens such as 
financial, military, and medical records. Additionally, peer-
to-peer use on even one computer can introduce viruses and 
worms to critical government networks, potentially slowing the 
functioning of the affected agency.
    The United States House of Representatives and Senate 
recognized the risks of peer-to-peer file sharing nearly two 
years ago. The House and Senate are successfully protecting the 
privacy and security of congressional computers from the risks 
of peer-to-peer file sharing through firewall technologies and 
employee policies on appropriate computer use.
    Although Congress has addressed the risks of peer-to-peer 
file sharing, many federal government agencies have not taken 
the steps necessary to protect their networks and computers. A 
General Accounting Office investigation requested by the 
Government Reform Committee has found computers actively using 
peer-to-peer file sharing at federal agencies entrusted with 
sensitive government information, including a Department of 
Energy nuclear laboratory and a facility that manages NASA's 
space flight research.

Committee actions

    H.R. 3159 was introduced by the Committee on Government 
Reform's Ranking Minority Member, Henry Waxman (CA), and the 
Committee's Chairman, Tom Davis (VA), on September 24, 2003. It 
is cosponsored by several members of the Government Reform 
Committee, including Rep. Christopher Shays (CT), Rep. John 
McHugh (NY), Rep. Wm. Lacy Clay (MO), Rep. Edolphus Towns (NY), 
Rep. John Carter (TX), Rep. Christopher Van Hollen (MD), Rep. 
Ileana Ros-Lehtinen (FL), Rep. Chris Bell (TX), Rep. Mark 
Souder (IN), Rep. Candice Miller (MI), Rep. Dan Burton (IN), 
Rep. Ed Schrock (VA), Rep. Stephen Lynch (MA), Rep. Dutch 
Ruppersberger (MD), Rep. Adam Putnam (FL), Rep. Elijah Cummings 
(MD), Rep. Linda Sanchez (CA), Rep. Tom Lantos (CA), Rep. 
Carolyn Maloney (NY), Rep. Major Owens (NY), Rep. Dianne Watson 
(CA), Rep. Doug Ose (CA), Rep. Jim Cooper (TN), Del. Eleanor 
Holmes Norton (DC), Rep. Danny Davis (IL), Rep. Joanne Davis 
(VA), Rep. Mike Turner (OH), and Rep. Todd Platts (PA). The 
bill was referred to the Committee on Government Reform.
    On September 25, 2003, the Committee on Government Reform 
met in open session to consider H.R. 3159 along with four other 
measures. The committee favorably approved the bill by voice 
vote and reported it to the House of Representatives.

Committee hearings and testimony

    On May 15, 2003, the Committee on Government Reform held a 
hearing entitled ``The Threats to Privacy and Security on File 
Sharing Networks.'' \1\ The purpose of the hearing was for the 
Committee to assess the security and privacy risks posed by the 
use of peer-to-peer file sharing programs. Witnesses at the 
hearing included Nathaniel S. Good, School of Information 
Management Systems, University of California, Berkeley; Jeffrey 
I. Schiller, Network Manager and Security Architect, 
Massachusetts Institute of Technology; Dr. John Hale, Assistant 
Professor of Computer Science and Director, Center for 
Information Security, the University of Tulsa; and James E. 
Farnan, Deputy Assistant Director, Cyber Division, Federal 
Bureau of Investigation. These computer security experts 
expressed significant concern about security vulnerabilities 
associated with peer-to-peer file-sharing programs. Other 
witnesses included Alan B. Davidson, Associate Director, Center 
for Democracy and Technology; Derek S. Broes, Executive Vice 
President of Worldwide Operations, Brilliant Digital 
Entertainment; and Mari J. Frank, Esq., Mari J. Frank, Esq. & 
Associates.
---------------------------------------------------------------------------
    \1\ ``Overexposed: The Threats to Privacy and Security on File 
Sharing Networks,'' Committee on Government Reform, 108th Congress (May 
15, 2003), Report No. 108-26.
---------------------------------------------------------------------------
    On May 15, 2003, the Committee on Government Reform 
released a staff report entitled ``File-Sharing Programs and 
Peer-To-Peer Networks: Privacy and Security Risks.'' \2\ This 
report summarizes the results of the Committee's staff 
investigation into the potential privacy and security risks 
associated with the use of peer-to-peer file-sharing programs. 
Committee staff found that many users of file-sharing programs 
have inadvertently made highly personal information available 
to other users and that file-sharing software can spread 
viruses, worms, and other malicious computer files.
---------------------------------------------------------------------------
    \2\ Ibid., p. 125.
---------------------------------------------------------------------------

                           SECTION-BY-SECTION

Section 1. Short title

    The short title of this bill is the ``Government Network 
Security Act of 2003.''

Section 2. Findings

    This section details the findings of Congress that peer-to-
peer file sharing can pose security and privacy threats to 
computers and networks. Specifically, peer-to-peer file sharing 
can expose classified and sensitive information stored on 
computers or networks, act as a point of entry for viruses and 
other malicious programs, consume network resources, and expose 
identifying information about host computers that can be used 
by hackers to select potential targets.
    This section also finds that the House of Representatives 
and the Senate are using methods to protect the security and 
privacy of congressional computers and networks from the risks 
posed by peer-to-peer file sharing.
    This section also finds that any potentially beneficial 
innovations in peer-to-peer technology for government 
applications can be pursued on state, local, and federal 
networks. Use of peer-to-peer file sharing programs in this way 
does pose risks to network security because it does not expose 
government computers and networks to nongovernmental users.

Section 3. Protection of government computers from risks of peer-to-
        peer file sharing

    This section requires that, as part of the federal agency 
responsibilities set forth by the Federal Information Security 
Act of 2002 (44 U.S.C. 3544 and 44 U.S.C. 3545), each agency 
develop and implement a plan to protect the security and 
privacy of computers and networks from the risks posed by peer-
to-peer file sharing. These plans will include the use of 
appropriate methods for each agency to achieve this goal, 
including technological means such as software and hardware and 
non-technological means such as employee training. Each agency 
is required to develop and implement the plan no later than six 
months after enactment of this Act and review and revise the 
plan periodically as necessary.
    This section also directs the Comptroller General to review 
the adequacy of agency plans and submit to the Committee on 
Government Reform of the House of Representatives and the 
Committee on Governmental Affairs of the Senate a report on the 
results of the review no later than 18 months after enactment 
of this act. To facilitate evaluation, each agency should 
provide a copy of the plan required under this Act to the 
Comptroller General, preferably in electronic form. Each agency 
should also provide the General Accounting Office with a 
description of the agency's policy concerning the use of peer-
to-peer applications by employees, how the agency plans to 
monitor employee compliance with this policy, how the agency 
plans to enforce the policy, how the agency plans to address 
peer-to-peer applications in its employee training programs, 
the technological tools that agencies plan to use to monitor 
and prevent inappropriate use of peer-to-peer applications, and 
a timetable for implementing the plan including any significant 
barriers to implementation. The requirement by the Comptroller 
General to review such plans shall be satisfied by reviewing a 
sample of the plans provided.

Section 4. Definitions

    This section defines the term ``peer-to-peer file sharing'' 
to mean the use of computer software, other than computer and 
network operating systems, that has as its primary function the 
capability to allow the computer on which such software is used 
to designate files available for transmission to another 
computer using such software, to transmit files directly to 
another such computer, and to request the transmission of files 
from another such computer. The term does not include the use 
of such software for file sharing between, among, or within 
State, local, or Federal government agencies.
    This section defines ``agency'' to have the meaning 
provided by section 3502 of title 44, United States Code.

                       EXPLANATION OF AMENDMENTS

    The Committee reported the bill without amendment.

                        COMMITTEE CONSIDERATION

    On September 25, the Committee met in open session and 
ordered reported favorably the bill, H.R. 3159 by voice vote.

                             ROLLCALL VOTES

    No rollcall votes were held.

              APPLICATION OF LAW TO THE LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(B)(3) of the Congressional Accountability Act (Public Law 
104-1).

  STATEMENT OF OVERSIGHT FINDINGS AND RECOMMENDATIONS OF THE COMMITTEE

    In compliance with clause 3(c)(1) of rule XIII and clause 
(2)(b)(1) of rule X of the Rules of the House of 
Representatives, the Committee reports that the findings and 
recommendations of the Committee, based on oversight activities 
under clause 2(b)(1) of rule X of the Rules of the House of 
Representatives, are incorporated in the descriptive portions 
of this report.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    H.R. 3159 does not authorize funding. Therefore, clause 
3(c)(4) of rule XIII of the Rules of the House of 
Representatives is inapplicable.

                   CONSTITUTIONAL AUTHORITY STATEMENT

    Under clause 3(d)(1) of rule XIII of the Rules of the House 
of Representatives, the Committee must include a statement 
citing the specific powers granted to Congress to enact the law 
proposed by H.R. 3159. The Committee finds that clauses 1 and 
18 of Article I, Section 8 of the U.S. Constitution grant 
Congress the power to enact this law.

                       UNFUNDED MANDATE STATEMENT

    Section 423 of the Congressional Budget and Impoundment 
Control Act (as amended by Section 101(a)(2) of the Unfunded 
Mandate Reform Act, P.L. 104-4) requires a statement whether 
the provisions of the reported include unfunded mandates. In 
compliance with this requirement the Committee has received a 
letter from the Congressional Budget Office included herein.

                           COMMITTEE ESTIMATE

    Clause 3(d)(2) of rule XIII of the Rules of the House of 
Representatives requires an estimate and a comparison by the 
Committee of the costs that would be incurred in carrying out 
H.R. 3159. However, clause 3(d)(3)(B) of that rule provides 
that this requirement does not apply when the Committee has 
included in its report a timely submitted cost estimate of the 
bill prepared by the Director of the Congressional Budget 
Office under section 402 of the Congressional Budget Act.

          CHANGES IN EXISTING LAW MADE BY THE BILL AS REPORTED

    Clause 3(e) of rule XIII of the Rules of the House of 
Representatives requires a comparative statement on changes 
made to existing law proposed by the bill as reported. This 
bill proposes no changes to existing law.

     BUDGET AUTHORITY AND CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause 3(c)(3) of rule XIII of the Rules of 
the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee has received 
the following cost estimate for H.R. 3159 from the Director of 
Congressional Budget Office:

                                     U.S. Congress,
                               Congressional Budget Office,
                                   Washington, DC, October 6, 2003.
Hon. Tom Davis,
Chairman, Committee on Government Reform,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3159, the 
Government Network Security Act of 2003.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                       Douglas Holtz-Eakin,
                                                          Director.
    Enclosure.

H.R. 3159--Government Network Security Act of 2003

    H.R. 3159 would require federal agencies develop and 
implement a plan within a six months to ensure computer systems 
are secure from the use of Internet file-sharing (peer-to peer) 
programs. Peer-to-peer file-sharing programs are Internet 
applications that allow users to download and directly share 
electronic files from other users on the same network. The 
legislation would not prohibit the use of file-sharing 
programs, but would require agencies to create a plan that uses 
technology and employee training to address potential privacy 
and security concerns for government computer networks. The 
legislation also would require the General Accounting Office 
(GAO) to review individual agency plans within 18 months after 
enactment.
    CBO estimates that implementing H.R. 3159 would not have a 
significiant impact on the federal budget. Under the E-
Government Act of 2002, federal agencies are already charged 
with protecting information systems from unauthorized access, 
use, disclosure, disruption, modification, or destruction. H.R. 
3159 would highlight a specific security concern for computer 
systems that federal agencies are currently implementing plans 
to protect. Based on information from the Office of Management 
and Budget and GAO, CBO expects that addressing this specific 
security concern would not significantly increase the cost of 
ongoing efforts to maintain secure federal computer systems.
    In addition, the legislation would require the GAO to 
review and report on the individual agencies plans. CBO expects 
that completing the GAO report would cost less than $500,000, 
assuming the availability of appropriated funds.
    The bill contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would not affect the budgets of state, local, or tribal 
governments.
    The CBO staff contact for this estimate is Matthew 
Pickford. This estimate was approved by Peter H. Fontaine, 
Deputy Assistant Director for Budget Analysis.

                                
