[Congressional Record: April 14, 2011 (Senate)]
[Page S2498]

CYBER SECURITY PUBLIC AWARENESS ACT

Mr. WHITEHOUSE. Mr. President, I rise to speak about the Cyber Security Public Awareness Act of 2011, which I have introduced with Senator Kyl.

The damage caused by malicious activity in cyberspace is enormous and unrelenting. Every year, cyber attacks inflict vast damage on our Nation's consumers, businesses, and government agencies. This constant cyber assault has resulted in the theft of millions of Americans' identities; exfiltration of billions of dollars of intellectual property; loss of countless American jobs; vulnerability of critical infrastructure to sabotage; and intrusions into sensitive government networks.

These massive attacks have not received the attention they deserve. Instead, we as a nation remain woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy. This problem is caused in large part by the fact that cyber threat information ordinarily is classified when it is gathered by the government or held as proprietary when collected by a company that has been attacked. As a result, Americans do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on our businesses and the jobs they create, or the scale of the attacks undertaken by foreign agents against American interests.

We must not wait for a disaster before we recognize and respond to the cyber threats we face. A false sense of complacency is not a security strategy. For that reason, I believe that raising public awareness of cyber security threats is an important element of the substantial work that we in Congress must do to improve our Nation's cyber security. The Cyber Security Public Awareness Act of 2011 takes up that challenge.
It will raise the public awareness of the cyber threats against our nation in a manner that protects classified, business-sensitive, and proprietary information. By doing so, it will provide consumers, businesses, and policymakers with the continuous flow of information necessary to secure our networks, identities, infrastructure, and innovation economy. The bill improves public awareness with respect to three key issues: attacks on the government, attacks on infrastructure, and attacks on businesses and consumers.

The bill enhances public awareness of attacks on Federal networks by requiring that the Department of Homeland Security and the Department of Defense submit reports to Congress that detail cyber incidents on the ``.gov'' and ``.mil'' domains. These reports would provide aggregate statistics on breaches, the volume of data exfiltrated, and the estimated cost of remedying these breaches, as well as the continuing risk of cyber sabotage after an incident.

The bill also improves government reporting in two other ways. It requires the Department of Justice and the Federal Bureau of Investigation to submit annual reports on their investigations and prosecutions of cyber crimes, as well as on the resources devoted to cyber crime and on any legal impediments that frustrate those efforts. It also requires the Department of Justice, in consultation with the Administrative Office of the Courts, to study the preparedness of the Federal courts to handle cases relating to botnets or other cyber threats, and to consider whether courts need improved procedural rules, training, or organization to handle such cases.

The bill includes four provisions to enhance the awareness of threats against our nation's critical infrastructure.
First, it requires primary regulators to report to Congress on the cyber vulnerabilities in our Nation's critical infrastructure, including our energy, financial, transportation, and communications sectors, and of recommended steps to thwart or diminish cyber attacks in each industry. Second, it requires the Department of Homeland Security to commission reports on improving the network security of critical infrastructure entities, including through the possible creation of a secure domain that relies on technical advancements or notice and consent to increased security measures. Third, it requires the Department of Homeland Security to identify producers of information technology that are linked directly or indirectly to foreign governments. This provision also requires reporting of the vulnerability to malicious activity, including cyber crime or espionage, associated with the use of these producers' technologies in the United States' telecommunications networks. And fourth, the bill requires the Department of Homeland Security, in consultation with the Secretary of Defense and the Director of National Intelligence, to submit a report to Congress describing the threat of a cyber attack disrupting the United States' electrical grid, the implications of such a disruption, the possibility of quickly reconstituting electrical service in the event of a cyber attack, and plans to prevent such a disruption. The bill also seeks to enhance cyber awareness in the private sector and among businesses and consumers using the Internet. It requires the Department of Homeland Security to report to Congress on policies and procedures for Federal agencies to assist a private sector entity in the event of a cyber attack that could result in the loss of life or significant harm to the national economy or national security. 
To ensure that our markets properly reflect cyber risks, the bill also tasks the Securities Exchange Commission with reporting to Congress on, first, the extent of financial risk and legal liability of issuers of securities caused by cyber intrusions or other cybercrimes, and, second, whether current financial statements of issuers transparently reflect these risks. Finally, the bill will help enhance consumer awareness of cyber threats by requiring a report to Congress on legal or other impediments to public awareness of common cyber security threats, the minimal standards of computer security needed for responsible Internet use, and the availability of commercial products to meet those standards. This provision also requires the Department of Homeland Security to report on its plans to enhance public awareness of common cyber security threats and to recommend congressional actions to address remaining impediments to appropriate public awareness of common cyber security threats. The Senate has a lot of work ahead as it seeks to improve our Nation's cyber security. One vital element of this work will be to ensure that we have an appropriate public awareness of cyber security threats going forward. I look forward to working with my colleagues on this important task as well as on cyber security issues more broadly. I would particularly like to thank Senator Kyl for working with me on this piece of legislation. Senator Kyl has worked on cyber security issues extensively in the past, and we have worked together on Intelligence issues, so I very much look forward to partnering with him on this and other cyber security bills. 
As demonstrated by the hearing we held this week in the Crime and Terrorism Subcommittee of the Judiciary Committee, as well as by the important work previously done by the Commerce, Homeland Security, Judiciary, and other Committees, this is a vitally important and urgent national security issue, but one that we can confront in a serious and bipartisan manner.

____________________

S 813 IS

112th CONGRESS
1st Session
S. 813

To promote public awareness of cyber security.

IN THE SENATE OF THE UNITED STATES

April 13, 2011

Mr. WHITEHOUSE (for himself and Mr. KYL) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

A BILL

To promote public awareness of cyber security.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Cyber Security Public Awareness Act of 2011'.
SEC. 2. FINDINGS.
(a) Congress finds the following:
(1) Information technology is central to the effectiveness, efficiency, and reliability of the industry and commercial services, Armed Forces and national security systems, and the critical infrastructure of the United States.
(2) Cyber criminals, terrorists, and agents of foreign powers have taken advantage of the connectivity of the United States to inflict substantial damage to the economic and national security interests of the Nation.
(3) The cyber security threat is sophisticated, relentless, and massive, exposing all consumers in the United States to the risk of substantial harm.
(4) Businesses in the United States are bearing enormous losses as a result of criminal cyber attacks, depriving businesses of hard-earned profits that could be reinvested in further job-producing innovation.
(5) Hackers continuously probe the networks of Federal and State agencies, the Armed Forces, and the commercial industrial base of the Armed Forces, and already have caused substantial damage and compromised sensitive and classified information.
(6) Severe cyber security threats will continue, and will likely grow, as the economy of the United States grows more connected, criminals become increasingly sophisticated in efforts to steal from consumers, industries, and businesses in the United States, and terrorists and foreign nations continue to use cyberspace as a means of attack against the national and economic security of the United States.
(7) Public awareness of cyber security threats is essential to cyber security defense. Only a well-informed public and Congress can make the decisions necessary to protect consumers, industries, and the national and economic security of the United States.
(8) As of 2011, the level of public awareness of cyber security threats is unacceptably low. Only a tiny portion of relevant cyber security information is released to the public. Information about attacks on Federal Government systems is usually classified. Information about attacks on private systems is ordinarily kept confidential. Sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form.
SEC. 3. CYBER INCIDENTS AGAINST GOVERNMENT NETWORKS.
(a) Department of Homeland Security- Not later than 180 days after the date of enactment of this Act, and annually thereafter, the Secretary of Homeland Security shall submit to Congress a report that--
(1) summarizes major cyber incidents involving networks of executive agencies (as defined in section 105 of title 5, United States Code), except for the Department of Defense;
(2) provides aggregate statistics on the number of breaches of networks of executive agencies, the volume of data exfiltrated, and the estimated cost of remedying the breaches; and
(3) discusses the risk of cyber sabotage.
(b) Department of Defense- Not later than 180 days after the date of enactment of this Act, and annually thereafter, the Secretary of Defense shall submit to Congress a report that--
(1) summarizes major cyber incidents against networks of the Department of Defense and the military departments;
(2) provides aggregate statistics on the number of breaches against networks of the Department of Defense and the military departments, the volume of data exfiltrated, and the estimated cost of remedying the breaches; and
(3) discusses the risk of cyber sabotage.
(c) Form of Reports- Each report submitted under this section shall be in unclassified form, but may include a classified annex as necessary to protect sources, methods, and national security.
SEC. 4. PROSECUTION FOR CYBERCRIME.
(a) In General- Not later than 180 days after the date of enactment of this Act, the Attorney General and the Director of the Federal Bureau of Investigation shall submit to Congress reports--
(1) describing investigations and prosecutions by the Department of Justice relating to cyber intrusions or other cybercrimes the preceding year, including--
(A) the number of investigations initiated relating to such crimes;
(B) the number of arrests relating to such crimes;
(C) the number and description of instances in which investigations or prosecutions relating to such crimes have been delayed or prevented because of an inability to extradite a criminal defendant in a timely manner; and
(D) the number of prosecutions for such crimes, including--
(i) the number of defendants prosecuted;
(ii) whether the prosecutions resulted in a conviction;
(iii) the sentence imposed and the statutory maximum for each such crime for which a defendant was convicted; and
(iv) the average sentence imposed for a conviction of such crimes;
(2) identifying the number of employees, financial resources, and other resources (such as technology and training) devoted to the enforcement, investigation, and prosecution of cyber intrusions or other cybercrimes, including the number of investigators, prosecutors, and forensic specialists dedicated to investigating and prosecuting cyber intrusions or other cybercrimes; and
(3) discussing any impediments under the laws of the United States or international law to prosecutions for cyber intrusions or other cybercrimes.
(b) Updates- The Attorney General and the Director of the Federal Bureau of Investigation shall annually submit to Congress reports updating the reports submitted under section (a) at the same time the Attorney General and Director submit annual reports under section 404 of the Prioritizing Resources and Organization for Intellectual Property Act of 2008 (42 U.S.C. 3713d).
SEC. 5. ASSISTANCE PLAN FOR SIGNIFICANT PRIVATE CYBER INCIDENTS.
(a) In General- Not later than 180 days after the date of enactment of this Act, and annually thereafter, the Secretary of Homeland Security shall submit to Congress a report that describes policies and procedures for Federal agencies to assist a private sector entity in the defending of the information networks of the private sector entity against cyber threats that could result in loss of life or significant harm to the national economy or national security.
(b) Form of Reports- Each report submitted under this section shall be in unclassified form, but may include a classified annex as necessary to protect sources, methods, proprietary or sensitive business information, and national security.
SEC. 6. CYBERCRIME REPORTING TO SHAREHOLDERS.
Not later than 180 days after the date of enactment of this Act, the Securities and Exchange Commission, in consultation with the Secretary of Homeland Security, shall submit to Congress a report on--
(1) the extent of financial risk to issuers of securities caused by cyber intrusions or other cybercrimes, and any resulting legal liability; and
(2) whether current financial statements of issuers transparently reflect the risk described in paragraph (1) to shareholders.
SEC. 7. PRIMARY REGULATORS OF CRITICAL INFRASTRUCTURE.
(a) Definitions- In this section the term `primary regulators responsible for the physical and economic security of each critical industry' means--
(1) for the energy industry, the Federal Energy Regulatory Commission, the Nuclear Regulatory Commission, and the Secretary of Energy;
(2) for the financial services industry, the Federal Deposit Insurance Commission, the Secretary of the Treasury, and the Chairman of the Securities and Exchange Commission;
(3) for the air, rail, and ground transportation industry, the Secretary of Transportation;
(4) for the communications industry, the Federal Communications Commission;
(5) for the food supply industry, the Commissioner of Food and Drugs;
(6) for the water supply industry, the Administrator of the Environmental Protection Agency; and
(7) for any other element of the economy determined to be critical by the Secretary of Homeland Security, the Federal Trade Commission.
(b) Reports- Not later than 180 days after the date of enactment of this Act, and annually thereafter for 3 years, the primary regulator for each critical industry, in consultation with the Secretary of Homeland Security, shall submit to Congress a report that describes the--
(1) nature and state of the vulnerabilities to cyber attacks of each industry described in subsection (a);
(2) prevalence and seriousness of cyber attacks in each industry described in subsection (a);
(3) recommended steps to thwart or diminish cyber attacks; and
(4) whether the concept of cyber security and information assurance cooperative activities with private sector partners developed by the Defense Industrial Base of the Department of Defense may be applied to the critical industries described in subsection (a).
(c) Form of Reports- Each report submitted under this section--
(1) shall be--
(A) in unclassified form; and
(B) anonymized as the Secretary determines necessary to protect confidential business information; and
(2) may include a classified annex as necessary to protect sources, methods, proprietary or sensitive business information, and national security.
SEC. 8. RESEARCH REPORT ON IMPROVING SECURITY OF INFORMATION NETWORKS OF CRITICAL INFRASTRUCTURE ENTITIES.
(a) Definition- In this section, the term `critical infrastructure' has the meaning given that term in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).
(b) Reports-
(1) IN GENERAL- The Secretary of Homeland Security shall enter into a contract with the National Research Council, or another federally funded research and development corporation, under which the Council or corporation shall submit to Congress reports on available technical options, consistent with Constitutional and statutory privacy rights, for enhancing the security of the information networks of entities that own or manage critical infrastructure through--
(A) technical improvements, including developing a secure domain; or
(B) increased notice of and consent to the use of technologies to scan for, detect, and defeat cyber security threats, such as technologies used in a secure domain.
(2) TIMING- The contract entered into under paragraph (1) shall require that the report described in paragraph (1) be submitted--
(A) not later than 180 days after the date of enactment of this Act;
(B) annually, after the first report submitted under paragraph (1), for 3 years; and
(C) more frequently, as determined appropriate by the Secretary of Homeland Security in response to new risks or technologies that emerge.
SEC. 9. PREPAREDNESS OF FEDERAL COURTS TO PROMOTE CYBER SECURITY.
Not later than 180 days after the date of enactment of this Act, the Attorney General, in coordination with the Administrative Office of the United States Courts, shall submit to Congress a report--
(1) on whether Federal courts have granted timely relief in matters relating to botnets and other cybercrime and cyber security threats; and
(2) that includes, as appropriate, recommendations on changes or improvements to--
(A) the Federal Rules of Civil Procedure or the Federal Rules of Criminal Procedure;
(B) the training and other resources available to support the Federal judiciary;
(C) the capabilities and specialization of courts to which such cases may be assigned; and
(D) Federal civil and criminal laws.
SEC. 10. IMPEDIMENTS TO PUBLIC AWARENESS.
Not later than 180 days after the date of enactment of this Act, and annually thereafter for 3 years (or more frequently if determined appropriate by the Secretary of Homeland Security) the Secretary of Homeland Security shall submit to Congress a report on--
(1) legal or other impediments to appropriate public awareness of--
(A) the nature of, methods of propagation of, and damage caused by common cyber security threats such as computer viruses, phishing techniques, and malware;
(B) the minimal standards of computer security necessary for responsible Internet use; and
(C) the availability of commercial off the shelf technology that allows consumers to meet such levels of computer security;
(2) a summary of the plans of the Secretary of Homeland Security to enhance public awareness of common cyber security threats, including a description of the metrics used by the Department of Homeland Security for evaluating the efficacy of public awareness campaigns; and
(3) recommendations for congressional actions to address these impediments to appropriate public awareness of common cyber security threats.
SEC. 11. PROTECTING THE INFORMATION TECHNOLOGY SUPPLY CHAIN OF THE UNITED STATES.
(a) Definitions- In this section--
(1) the term `information technology supply chain of the United States' means the public and private telecommunications networks of the United States; and
(2) the term `telecommunications networks of the United States' includes--
(A) telephone systems;
(B) Internet systems;
(C) fiber optic lines, including cable landings;
(D) computer networks; and
(E) smart grid technology under development by the Department of Energy.
(b) Report- Not later than 90 days after the date of enactment of this Act, and annually thereafter, the Secretary of Homeland Security shall submit to Congress a report that--
(1) identifies foreign suppliers of information technology (including equipment, software, and services) that are linked directly or indirectly to a foreign government, including--
(A) by ties to the military forces of a foreign government; or
(B) by being the beneficiaries of significant low interest or no interest loans, loan forgiveness, or other support by a foreign government;
(2) discusses the extent to which goods produced by suppliers identified under paragraph (2) have been integrated into the information technology supply chain of the United States;
(3) identifies specific telecommunications networks of the United States that include information technology identified under paragraph (1); and
(4) assesses the vulnerability to malicious activity, including cyber crime or espionage, of the telecommunications networks of the United States identified under paragraph (3) due to the presence of technology produced by suppliers identified under paragraph (1).
SEC. 12. PROTECTING THE ELECTRICAL GRID OF THE UNITED STATES.
Not later than 180 days after the date of enactment of this Act, the Secretary of Homeland Security, in consultation with the Secretary of Defense and the Director of National Intelligence, shall submit to Congress a report on--
(1) the threat of a cyber attack disrupting the electrical grid of the United States;
(2) the implications for the national security of the United States if the electrical grid is disrupted;
(3) the options available to the United States and private sector entities to quickly reconstitute electrical service to provide for the national security of the United States, and, within a reasonable time frame, the reconstitution of all electrical service within the United States; and
(4) a plan to prevent disruption of the electric grid of the United States caused by a cyber attack.