[House Report 117-439]
[From the U.S. Government Publishing Office]


117th Congress    }                                   {     Report
                        HOUSE OF REPRESENTATIVES
 2d Session       }                                   {     117-439

======================================================================

 
 REPORTING ATTACKS FROM NATIONS SELECTED FOR OVERSIGHT AND MONITORING 
              WEB ATTACKS AND RANSOMWARE FROM ENEMIES ACT

                                _______
                                

 July 26, 2022.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Pallone, from the Committee on Energy and Commerce, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 4551]

    The Committee on Energy and Commerce, to whom was referred 
the bill (H.R. 4551) to amend the U.S. SAFE WEB Act of 2006 to 
provide for reporting with respect to cross-border complaints 
involving ransomware or other cyber-related attacks, and for 
other purposes, having considered the same, reports favorably 
thereon without amendment and recommends that the bill do pass.

                                CONTENTS

  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Committee Hearings
 IV. Committee Consideration
  V. Committee Votes
 VI. Oversight Findings
VII. New Budget Authority, Entitlement Authority, and Tax Expenditures
VIII. Federal Mandates Statement
 IX. Statement of General Performance Goals and Objectives
  X. Duplication of Federal Programs
 XI. Committee Cost Estimate
XII. Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
XIII. Advisory Committee Statement
XIV. Applicability to Legislative Branch
 XV. Section-by-Section Analysis of the Legislation
XVI. Changes in Existing Law Made by the Bill, as Reported

                         I. Purpose and Summary

    H.R. 4551, the ``Reporting Attacks from Nations Selected 
for Oversight and Monitoring Web Attacks and Ransomware from 
Enemies (RANSOMWARE) Act,'' amends the U.S. SAFE WEB Act of 
2006 (SAFE WEB Act) to require the Federal Trade Commission 
(FTC) to report to Congress, one year after the date of 
enactment and every two years after, on cross-border complaints 
received by the FTC, numbers and details of such complaints 
that were acted upon and not acted upon, and how it used the 
authorities granted by the SAFE WEB Act in response. The bill 
amends the existing reporting requirements to require the FTC 
to, in addition, address cross-border incidents that involve 
ransomware and other cyberattacks from foreign actors. It also 
requires the FTC to report on cross-border complaints received 
that involve ransomware or other cyber-related attacks 
committed by Russia, China, North Korea, or Iran or individuals 
or companies that are located in or have ties to those 
countries.

                II. Background and Need for Legislation

    Enacted into law on December 22, 2006, the SAFE WEB Act 
amended the Federal Trade Commission Act of 1914 to improve the 
FTC's ability to combat unfair or deceptive acts or practices 
that are international in scope.\1\ Specifically, the SAFE WEB Act: 
(1) affirms the FTC's cross-border enforcement authority;\2\ 
(2) authorizes collaboration with foreign law enforcement in 
the form of investigative assistance\3\ and information 
sharing,\4\ provided certain statutory factors are met; (3) 
bolsters the FTC's ability to receive information from foreign 
counterparts by allowing confidential treatment of information 
received;\5\ and (4) promotes relationship building through 
staff exchanges with foreign counterparts.\6\
---------------------------------------------------------------------------
    \1\Pub. L. No. 109-455.
    \2\Id. at Sec. 3.
    \3\Id. at Sec. 4.
    \4\Id. at Sec. 6.
    \5\Id.
    \6\Id. at Sec. 9.
---------------------------------------------------------------------------
    Since the law's enactment, the FTC has relied on the SAFE 
WEB Act to respond to 156 information-sharing requests from 38 
enforcement agencies in 15 foreign countries.\7\ The FTC has 
also used the SAFE WEB Act to issue more than 135 civil 
investigative demands in 63 investigations on behalf of 16 
foreign agencies from eight countries.\8\
---------------------------------------------------------------------------
    \7\Letter from Joseph J. Simons, Chairman, Federal Trade 
Commission; Noah Joshua Phillips, Commissioner, Federal Trade 
Commission; Rohit Chopra, Commissioner, Federal Trade Commission; 
Rebecca Kelly Slaughter, Commissioner, Federal Trade Commission; and 
Christine S. Wilson, Commissioner, Federal Trade Commission, to Rep. 
Jan Schakowsky, Chairwoman, Subcommittee on Consumer Protection and 
Commerce, House Committee on Energy and Commerce and Rep. Cathy 
McMorris Rodgers, Ranking Member, Subcommittee on Consumer Protection 
and Commerce, House Committee on Energy and Commerce (Oct. 25, 2019).
    \8\Id.
---------------------------------------------------------------------------
    According to the FTC's Consumer Sentinel complaint 
database, there were more than 255,000 complaints from United 
States consumers against foreign businesses between January 1, 
2015, and October 16, 2019.\9\ The total dollar loss from these 
complaints reportedly exceeds $410 million.\10\
---------------------------------------------------------------------------
    \9\Id.
    \10\Id.
---------------------------------------------------------------------------
    H.R. 4551 requires the FTC to report on the ransomware 
complaints it receives and explain how it cooperated with 
international authorities in addressing them. This legislation 
will increase the FTC's role in protecting consumers from 
ransomware and other cybersecurity attacks by helping it better 
understand these attacks and how to combat them.

                        III. Committee Hearings

    For the purposes of section 3(c) of rule XIII of the Rules 
of the House of Representatives, the following hearing was used 
to develop or consider H.R. 4551:
    The Subcommittee on Consumer Protection and Commerce held a 
legislative hearing on July 28, 2021, on H.R. 4551, the 
``RANSOMWARE Act,'' and 15 other bills. The hearing was 
entitled ``Transforming the FTC: Legislation to Modernize 
Consumer Protection.'' The Subcommittee received testimony from 
the following witnesses:
           The Honorable Lina Khan, Chair, Federal 
        Trade Commission;
           The Honorable Noah Joshua Phillips, 
        Commissioner, Federal Trade Commission;
           The Honorable Rohit Chopra, Commissioner, 
        Federal Trade Commission;
           The Honorable Rebecca K. Slaughter, 
        Commissioner, Federal Trade Commission;
           The Honorable Christine S. Wilson, 
        Commissioner, Federal Trade Commission;
           David Vladeck, Professor of Law, Georgetown 
        University Law Center;
           Sally Greenberg, Executive Director, 
        National Consumers League; and
           Graham Dufault, Senior Director for Public 
        Policy, ACT | The App Association.

                      IV. Committee Consideration

    H.R. 4551, the ``Reporting Attacks from Nations Selected 
for Oversight and Monitoring Web Attacks and Ransomware from 
Enemies (RANSOMWARE) Act,'' was introduced on July 20, 2021, by 
Representative Gus M. Bilirakis (R-FL) and referred to the 
Committee on Energy and Commerce. Subsequently, on July 21, 
2021, the bill was referred to the Subcommittee on Consumer 
Protection and Commerce. A legislative hearing was held on July 
28, 2021.
    On June 23, 2022, the Subcommittee on Consumer Protection 
and Commerce met in open markup session, pursuant to notice, to 
consider H.R. 4551 and seven other bills. No amendments were 
offered during consideration of the bill. Upon conclusion of 
consideration of the bill, the Subcommittee on Consumer 
Protection and Commerce agreed to report the bill favorably to 
the full Committee, without amendment, by a roll call vote of 
22 yeas to 0 nays.
    On July 20, 2022, the full Committee met in open markup 
session, pursuant to notice, to consider H.R. 4551 and five 
other bills. No amendments were offered during consideration of 
the bill. Upon conclusion of consideration of the bill, the 
full Committee agreed to a motion on final passage offered by 
Representative Pallone, Chairman of the Committee, to order 
H.R. 4551 reported favorably to the House, amended, by a roll 
call vote of 53 yeas to 0 nays.

                           V. Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list each record vote 
on the motion to report legislation and amendments thereto. The 
Committee advises that there were two record votes taken on 
H.R. 4551, including a motion by Mr. Pallone ordering H.R. 4551 
favorably reported to the House, without amendment. The motion 
on final passage of the bill was approved by a record vote of 
53 yeas to 0 nays. The following are the record votes taken 
during Committee consideration, including the names of those 
members voting for and against:


	[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                         VI. Oversight Findings

    Pursuant to clause 3(c)(1) of rule XIII and clause 2(b)(1) 
of rule X of the Rules of the House of Representatives, the 
oversight findings and recommendations of the Committee are 
reflected in the descriptive portion of the report.

         VII. New Budget Authority, Entitlement Authority, and
                            Tax Expenditures

    Pursuant to clause 3(c)(2) of rule XIII of the Rules of the House 
of Representatives, the Committee adopts as its own the 
estimate of new budget authority, entitlement authority, or tax 
expenditures or revenues contained in the cost estimate 
prepared by the Director of the Congressional Budget Office 
pursuant to section 402 of the Congressional Budget Act of 
1974.
    The Committee has requested but not received from the 
Director of the Congressional Budget Office a statement as to 
whether this bill contains any new budget authority, spending 
authority, credit authority, or an increase or decrease in 
revenues or tax expenditures.

                    VIII. Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

       IX. Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII, the general 
performance goal or objective of this legislation is to amend 
the U.S. SAFE WEB Act of 2006 to provide for reporting with 
respect to cross-border complaints involving ransomware or 
other cyber-related attacks.

                   X. Duplication of Federal Programs

    Pursuant to clause 3(c)(5) of rule XIII, no provision of 
H.R. 4551 is known to be duplicative of another Federal 
program, including any program that was included in a report to 
Congress pursuant to section 21 of Public Law 111-139 or the 
most recent Catalog of Federal Domestic Assistance.

                      XI. Committee Cost Estimate

    Pursuant to clause 3(d)(1) of rule XIII, the Committee 
adopts as its own the cost estimate prepared by the Director of 
the Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974.

            XII. Earmarks, Limited Tax Benefits, and Limited
                            Tariff Benefits

    Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the 
Committee finds that H.R. 4551 contains no earmarks, limited 
tax benefits, or limited tariff benefits.

                   XIII. Advisory Committee Statement

    No advisory committee within the meaning of section 5(b) of 
the Federal Advisory Committee Act was created by this 
legislation.

                XIV. Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

           XV. Section-by-Section Analysis of the Legislation


Section 1. Short title

    Section 1 provides that the Act may be cited as the 
``Reporting Attacks from Nations Selected for Oversight and 
Monitoring Web Attacks and Ransomware from Enemies Act'' or the 
``RANSOMWARE Act.''

Sec. 2. Ransomware and other cyber-related attacks

    Section 2 amends the SAFE WEB Act to require the FTC to 
report to Congress, one year after the date of enactment, and 
every two years after, on cross-border complaints received by 
the FTC and how it used the authorities granted by the SAFE WEB 
Act in response. This section also amends the existing 
reporting requirements to specifically address cross-border 
incidents that involve ransomware and other cyberattacks from 
foreign actors.

Sec. 3. Report on ransomware and other cyber-related attacks by certain 
        foreign individuals, companies, and governments

    Section 3 requires the FTC to report to the House Committee 
on Energy and Commerce and the Senate Committee on Commerce, 
Science, and Transportation, one year after the date of 
enactment, and every two years after, on cross-border 
complaints received by the FTC on incidents, numbers and 
details of such complaints that were acted upon and not acted 
upon, including those related to ransomware and cyberattacks 
committed by certain foreign actors from Russia, China, Iran, 
and North Korea. The report would also include any 
recommendations for legislation to advance the security of the 
U.S. and U.S. companies against ransomware and other 
cyberattacks as well as recommendations for best practices to 
mitigate against ransomware.

       XVI. Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italics, and existing law in which no 
change is proposed is shown in roman):

                       U.S. SAFE WEB ACT OF 2006




           *       *       *       *       *       *       *
SEC. 14. REPORT.

   [Not later than 3 years after the date of enactment of this 
Act,] Not later than 1 year after the date of enactment of the 
Reporting Attacks from Nations Selected for Oversight and 
Monitoring Web Attacks and Ransomware from Enemies Act, and 
every 2 years thereafter, the Federal Trade Commission shall 
transmit to Congress a report describing its use of and 
experience with the authority granted by this Act, along with 
any recommendations for additional legislation. The report 
shall include, with respect to the 2-year period preceding the 
date of the report (or, in the case of the first report 
transmitted under this section after the date of the enactment 
of the Reporting Attacks from Nations Selected for Oversight 
and Monitoring Web Attacks and Ransomware from Enemies Act, the 
1-year period preceding the date of the report)--
          (1) the number of cross-border complaints received by 
        the Commission;
          (2) identification of the foreign agencies to which 
        the Commission has provided nonpublic investigative 
        information under this Act;
          (3) the number of times the Commission has used 
        compulsory process on behalf of foreign law enforcement 
        agencies pursuant to section 6 of the Federal Trade 
        Commission Act (15 U.S.C. 46), as amended by section 4 
        of this Act;
          (4) a list of international agreements and memoranda 
        of understanding executed by the Commission that relate 
        to this Act;
          (5) the number of times the Commission has sought 
        delay of notice pursuant to section 21A of the Federal 
        Trade Commission Act, as added by section 7 of this 
        Act, and the number of times a court has granted a 
        delay;
          (6) a description of the types of information private 
        entities have provided voluntarily pursuant to section 
        21B of the Federal Trade Commission Act, as added by 
        section 8 of this Act;
          (7) a description of the results of cooperation with 
        foreign law enforcement agencies under section 21 of 
        the Federal Trade Commission Act (15 U.S.C. 57-2) as 
        amended by section 6 of this Act;
          (8) an analysis of whether the lack of an exemption 
        from the disclosure requirements of section 552 of 
        title 5, United States Code, with regard to information 
        or material voluntarily provided relevant to possible 
        unfair or deceptive acts or practices, has hindered the 
        Commission in investigating or engaging in enforcement 
        proceedings against such practices[; and];
          (9) a description of Commission litigation brought in 
        foreign courts[.]; and
          (10) the number and details of cross-border 
        complaints received by the Commission that involve 
        ransomware or other cyber-related attacks--
                  (A) that were committed by individuals 
                located in foreign countries or with ties to 
                foreign countries; and
                  (B) that were committed by companies located 
                in foreign countries or with ties to foreign 
                countries.
