FAS | Government Secrecy | Congress ||| Index | Search | Join FAS

Congressional Record: April 12, 2000 (Extensions)
Page E545-E546



                          HON. THOMAS M. DAVIS

                              of virginia

                    in the house of representatives

                       Wednesday, April 12, 2000

  Mr. DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to 
introduce legislation with my good friend and colleague from northern 
Virginia, Representative Jim Moran, that will facilitate the protection 
of our nation's critical infrastructure from cyber threats. In the 
104th Congress, we called upon the Administration to study our nation's 
critical infrastructure vulnerabilities and to identify solutions to 
address these vulnerabilities. The Administration has, through the 
President and participating agencies, identified a number of steps that 
must be taken in order to eliminate the potential for significant 
damage to our critical infrastructure. Foremost among these suggestions 
is the need to ensure coordination between the public and private 
sector representatives of critical infrastructure. The bill I am 
introducing today is the first step in encouraging private sector 
cooperation and participation with the government to accomplish this 
  The critical infrastructure of the United States is largely owned and 
operated by the private sector. Critical infrastructures are those 
systems that are essential to the minimum operations of the economy and 
government. Our critical infrastructure is comprised of the financial 
services, telecommunications, information technology, transportation, 
water systems, emergency services, electric power, gas and oil sectors 
in private industry as well as our

[[Page E546]]

National Defense, and Law Enforcement and International Security 
sectors within the government. Traditionally, these sectors operated 
largely independently of one another and coordinated with government to 
protect themselves against threats posed by traditional warfare. Today, 
these sectors must learn how to protect themselves against 
unconventional threats such as terrorist attacks, and cyber attack. 
These sectors must also recognize the vulnerabilities they may face 
because of the tremendous technological progress we have made. As we 
learned when planning for the challenges presented by the Year 2000 
rollover, many of our computer systems and networks are now 
interconnected and communicate with many other systems. With the many 
advances in information technology, many of our critical infrastructure 
sectors are linked to one another and face increased vulnerability to 
cyber threats. Technology interconnectivity increases the risk that 
problems affecting one system will also affect other connected systems. 
Computer networks can provide pathways among systems to gain 
unauthorized access to data and operations from outside locations if 
they are not carefully monitored and protected.
  A cyber threat could quickly shutdown any one of our critical 
infrastructures and potentially cripple several sectors at one time. 
Nations around the world, including the United States, are currently 
training their military and intelligence personnel to carry out cyber 
attacks against other nations to quickly and efficiently cripple a 
nation's daily operations. cyber attacks have moved beyond the 
mischievous teenager and are being learned and used by terrorist 
organizations as the latest weapon in a nation's arsenal. In June 1998 
and February 1999, the Director of the Central Intelligence Agency 
testified before Congress that several nations recognize that cyber 
attacks against civilian computer systems represent the most viable 
option for leveling the playing field in an armed crisis against the 
United States. The Director also stated that several terrorist 
organizations believed information warfare to be a low cost opportunity 
to support their causes. Both Presidential Decision Directive 63 (PDD-
63) issued in May 1998, and the President's National Plan for 
Information Systems Protection, Version 1.0 issued in January 2000, 
call on the legislative branch to build the necessary framework to 
encourage information sharing to address cyber security threats to our 
nation's privately held critical infrastructure.
  Recently, we have learned the inconveniences that may be caused by a 
cyber attack or unforeseen circumstance. Earlier this year, many of our 
most popular sites such as Yahoo, eBay and Amazon.com were shutdown for 
several hours at a time over several days by a team of hackers 
interested in demonstrating their capability to disrupt service. While 
we may have found the shutdown of these sites temporarily inconvenient, 
they potentially cost those companies significant amounts of lost 
revenue, and it is not too difficult to imagine what would have 
occurred if the attacks had been focused on our utilities, or emergency 
services industries. We, as a society, have grown increasingly 
dependent on our infrastructure providers. I am sure many of you recall 
when PanAmSat's Galaxy IV satellite's on-board controller lost service. 
An estimated 80 to 90% of our nation's pagers were inoperable, and 
hospitals had difficulty reaching doctors on call and emergency 
workers. It even impeded the ability of consumers to use credit cards 
to pay for their gas at the pump.
  Moreover, recent studies have demonstrated that the incidence of 
cyber security threats to both the government and the private sector 
are only increasing. According to an October 1999 report issued by the 
General Accounting Office (GAO), the number of reported computer 
security incidents handled by Carnegie-Mellon University's CERT 
Coordination Center has increased from 1,334 in 1993 to 4,398 during 
the first two quarters of 1999. Additionally, the Computer Security 
Institute reported an increased in attacks for the third year in a row 
based on responses to their annual survey on computer security. GAO has 
done a number of reports that give Congress an accurate picture of the 
risk facing federal agencies; they cannot track such information for 
the private sector. We must rely on the private sector to share its 
vulnerabilities with the federal government so that all of our critical 
infrastructures are protected.
  Today, I am introducing legislation that gives critical 
infrastructure industries the assurances they
  The Cyber Security Information Act of 2000 is closely modeled after 
the successful Year 2000 Information and Readiness Disclosure Act by 
providing a limited FOIA exemption, civil litigation protection for 
shared information, and an antitrust exemption for information shared 
within an ISAC. These three protections have been previously cited by 
the Administration as necessary legislative remedies in Version 1.0 of 
the National Plan and PDD-63. This legislation will enable the ISACs to 
move forward without fear from industry so that government and industry 
may enjoy the mutually cooperative partnership called for in PDD-63. 
This will also allow us to get a timely and accurate assessment of the 
vulnerabilities of each sector to cyber attacks and allow for the 
formulation of proposals to eliminate these vulnerabilities without 
increasing government regulation, or expanding unfunded federal 
mandates on the private sector.
  PDD-63 calls upon the government to put in place a critical 
infrastructure proposal that will allow for three tasks to be 
accomplished by 2003:
  (1) The Federal Government must be able to perform essential national 
security missions and to ensure the general public health and safety;
  (2) State and local governments must be able to maintain order and to 
deliver minimum essential public services; and
  (3) The private sector must be able to ensure the orderly functioning 
of the economy and the delivery of essential telecommunications, 
energy, financial, and transportation services. This legislation will 
allow the private sector to meet this deadline.
  We will also ensure the ISACs can move forward to accomplish their 
missions by developing the necessary technical expertise to establish 
baseline statistics and patterns within the various infrastructures, 
become a clearinghouse for information within and among the various 
sectors, and provide a repository of valuable information that may be 
used by the private sector. As technology continues to rapidly improve 
industry efficiency and operations, so will the risks posed by 
vulnerabilities and threats to our infrastructure. We must create a 
framework that will allow our protective measures to adapt and be 
updated quickly.
  It is my hope that we will be able to move forward quickly with this 
legislation and that Congress and the Administration can move forward 
in partnership to provide industry and government with the tools for 
meeting this challenge. A Congressional Research Service report on the 
ISAC proposal describes the information sharing model one of the most 
crucial pieces for success in protecting our critical infrastructure, 
yet one of the hardest pieces to realize. With the introduction of the 
Cyber Security Information Act of 2000, we are removing the primary 
barrier to information sharing between government and industry. This is 
landmark legislation that will be replicated around the globe by other 
nations as they too try to address threats to their critical 
  Mr. Speaker, I believe that the Cyber Security Information Act of 
2000 will help us address critical infrastructure cyber threats with 
the same level of success we achieved in addressing the Year 2000 
problem. With government and industry cooperation, the seamless 
delivery of services and the protection or our nation's economy and 
well-being will continue without interruption just as the delivery of 
services continued on January 1, 2000.



H. R. 4246


Mr. DAVIS of Virginia (for himself and Mr. MORAN of Virginia) introduced
the following bill; which was referred to the Committee on______________


To encourage the secure disclosure and protected exchange
of information about cyber security problems, solutions,
test practices and test results, and related matters in
connection with critical infrastructure protection.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,


This Act may be cited as the ‘‘Cyber Security Information Act’’.


(a) FINDINGS.—Congress finds the following:

(b) PURPOSES.—Based upon the powers contained in article I, section 8, clause 3 of the Constitution of the United States, the purposes of this Act are—


In this Act:

(1) ANTITRUST LAWS.—The term ‘‘antitrust laws’’—

(2) CRITICAL INFRASTRUCTURE.—The term ‘‘critical infrastructure’’ means facilities or services so vital to the nation or its economy that their disruption, incapacity, or destruction would have a debilitating impact on the defense, security, long-term economic prosperity, or health or safety of the United States.

(3) CYBER SECURITY.—The term ‘‘cyber security’’ means the vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems, or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety.

(4) CYBER SECURITY INTERNET WEBSITE.— The term ‘‘cyber security Internet website’’ means an Internet website or other similar electronically accessible service, clearly designated on the website or service by the person or entity creating or controlling the content of the website or service as an area where cyber security statements are posted or otherwise made accessible to appropriate entities.


(A) IN GENERAL.—The term ‘‘cyber security statement’’ means any communication or other conveyance of information by a party to another, in any form or medium including by means of a cyber security Internet website—

(B) NOT INCLUDED.—For the purposes of any action brought under the securities laws, as that term is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47)), the term ‘‘cyber security statement’’ does not include statements contained in any documents or materials filed with the Securities and Exchange Commission, or with Federal banking regulators, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 781(i)), or disclosures or writing that when made accompanied the solicitation of an offer or sale of securities.


(a) IN GENERAL.—Any Federal entity, agency, or authority may expressly designate a request for the voluntary provision of information relating to cyber security, including cyber security statements, as a cyber security data gathering request made pursuant to this section.

(b) SPECIFICS.—A cyber security data gathering request made under this section—

(c) PROTECTIONS.—Except with the express consent or permission of the provider of information described in paragraph (1), any cyber security statements or other such information provided by a party in response to a special cyber security data gathering request made under this section—



(a) EXEMPTION.—Except as provided in subsection (b), the antitrust laws shall not apply to conduct engaged in, including making and implementing an agreement, solely for the purpose of and limited to—

(b) EXCEPTION TO EXEMPTION.—Subsection (a) shall not apply with respect to conduct that involves or results in an agreement to boycott any person, to allocate a market, or to fix prices or output.



(b) FEDERAL ADVISORY COMMITTEE ACT.—The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the working groups established under this section.

(c) PRIVATE RIGHT OF ACTION.—This section creates no private right of action to sue for enforcement of any provision of this section.

FAS | Government Secrecy | Congress ||| Index | Search | Join FAS