

Congressional Record: July 10, 2001 (Extensions)
Page E1292-E1294

INTRODUCTION OF THE CYBER SECURITY INFORMATION ACT OF 2001

______

HON. TOM DAVIS
of Virginia
in the House of Representatives
Tuesday, July 10, 2001

Mr. TOM DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to reintroduce this legislation with my good friend and colleague from Northern Virginia, Congressman Jim Moran. Last year, we introduced H.R. 4246 to promote the protection of our nation's critical infrastructure from cyber threats. We actively advanced the legislation and held a productive hearing on the bill's importance before the then Subcommittee on Government Management, Information, and Technology. Based on the comments raised at that hearing, we had a broad industry effort to refine and improve this legislation. Today, we reintroduce this legislation with the full cooperation of the private sector.

Over the past several months, I have worked with industry leaders from each of our critical infrastructure sectors to reach consensus on draft legislation that fosters a public-private partnership to promote information sharing, in order to protect our nation from a debilitating cyber terrorism threat. In the 104th Congress, we called on the previous Administration to study the vulnerabilities of our nation's critical infrastructure and to identify solutions to address those vulnerabilities. Through those efforts, a number of steps were identified that must be taken in order to eliminate the possibility of significant damage to our critical infrastructure. Chief among these recommendations was the need to ensure coordination between public and private sector representatives of critical infrastructures. The bill we are reintroducing today is the first step in encouraging private sector cooperation and participation with the government to achieve this goal.

Since early this spring, Congress has held a number of hearings examining our nation's ability to respond to cyber security threats and attacks. For instance, the House Energy and Commerce Committee has held numerous hearings regarding the vulnerability of specific Federal agencies and entities, and how those agencies are implementing--or not implementing--the appropriate risk management tools to deal with these threats. The House Judiciary Subcommittee on Crime has held a number of hearings specifically looking at cybercrime from both a private sector and a federal law

Also, the National Security Telecommunications Advisory Committee (NSTAC) met in early June of this year to discuss the necessary legislative action to encourage industry to voluntarily work in concert with the federal government in assessing and protecting against cyber vulnerabilities. The bill I am introducing today was endorsed at the June meeting. In recent months, the Bush Administration has aggressively been working with industry to address our critical infrastructure protection needs and ensure that the federal government is better coordinating its cybersecurity efforts. I look forward in the coming weeks to working with the Administration to enhance the public-private partnership that industry and government must have in order to truly protect our critical infrastructure.

The critical infrastructure of the United States is largely owned and operated by the private sector.
Critical infrastructures are those systems that are essential to the minimum operations of the economy and government. Our critical infrastructure is comprised of the financial services, telecommunications, information technology, transportation, water systems, emergency services, electric power, gas and oil sectors in private industry, as well as our National Defense, Law Enforcement and International Security sectors within the government. Traditionally, these sectors operated largely independently of one another and coordinated with government to protect themselves against threats posed by traditional warfare. Today, these sectors must learn how to protect themselves against unconventional threats such as terrorist attacks and cyber intrusions. These sectors must also recognize the vulnerabilities they may face because of the tremendous technological progress we have made.

As we learned when planning for the challenges presented by the Year 2000 rollover, many of our computer systems and networks are now interconnected and communicate with many other systems. With the many advances in information technology, many of our critical infrastructure sectors are linked to one another and face increased vulnerability to cyber threats. Technology interconnectivity increases the risk that problems affecting one system will also affect other connected systems. Computer networks can provide pathways among systems to gain unauthorized access to data and operations from outside locations if they are not carefully monitored and protected. A cyber threat could quickly shut down any one of our critical infrastructures and potentially cripple several sectors at one time. Nations around the world, including the United States, are currently training their military and intelligence personnel to carry out cyber attacks against other nations to quickly and efficiently cripple a nation's daily operations.
Cyber attacks have moved beyond the mischievous teenager and are now being learned and used by terrorist organizations as the latest weapon in a nation's arsenal. During this past spring, around the anniversary of the U.S. bombing of the Chinese embassy in Belgrade, U.S. web sites were defaced by hackers, replacing existing content with pro-Chinese or anti-U.S. rhetoric. In addition, an Internet worm named ``Lion'' infected computers and installed distributed denial of service (DDOS) tools on various systems. An analysis of the Lion worm's source code revealed that it could send password files from the victim site to e-mail address

We have learned the inconveniences that may be caused by a cyber attack or unforeseen circumstance. Last year, many individuals and companies were impacted by the ``I Love You'' virus as it moved rapidly around the world, disrupting the daily operations of many of our industry sectors. The Love Bug showed the resourcefulness of many in the private sector in identifying and responding to such an attack, but it amply demonstrated the weakness of the government's ability to handle such a virus. Shortly after the attack, Congress learned that the U.S. Department of Health and Human Services' (HHS) operating systems were so debilitated by the virus that it could not have responded adequately if we had faced a serious public health crisis at the same time. Additionally, the federal government was several hours behind industry in notifying agencies about the virus. If the private sector could share information with the government within a defined framework, federal agencies could have been made aware of the threat earlier on.

Last month, NIPC and FedCIRC received information on attempts to locate, obtain control of and plant new malicious code known as ``W32-Leaves.worm'' on computers previously [[Page E1293]] infected with the SubSeven Trojan.
SubSeven is a Trojan Horse that can permit a remote computer to gain complete control of an infected machine, typically by using Internet Relay Chat (IRC) channels for communications. In June 1998 and February 1999, the Director of the Central Intelligence Agency testified before Congress that several nations recognize that cyber attacks against civilian computer systems represent the most viable option for leveling the playing field in an armed crisis against the United States. The Director also stated that several terrorist organizations believed information warfare to be a low cost opportunity to support their causes. We must, as a nation, prepare both our public and private sectors to protect ourselves against such efforts. That is why I am again introducing legislation that gives critical infrastructure industries the assurances they need in order to confidently share information with the federal government.

As we learned with the Y2K model, government and industry can work in partnership to produce the best outcome for the American people. Today, the private sector has established many information sharing organizations (ISOs) for the different sectors of our nation's critical infrastructure. Information regarding a cyber threat or vulnerability is now shared within some industries, but it is not shared with the government and it is not shared across industries. The private sector stands ready to expand this model but has also expressed concerns about voluntarily sharing information with the government and the unintended consequences it could face for acting in good faith. Specifically, there has been concern that industry could potentially face antitrust violations for sharing information with other industry partners, have their shared information be subject to the Freedom of Information Act, or face potential liability concerns for information shared in good faith. My bill will address all three of these concerns.
The Cyber Security Information Act also respects the privacy rights of consumers and critical infrastructure operators. Consumers and operators will have the confidence they need to know that information will be handled accurately, confidentially, and reliably. The Cyber Security Information Act is closely modeled after the successful Year 2000 Information and Readiness Disclosure Act by providing a limited FOIA exemption, civil litigation

This legislation will enable the private sector, including ISOs, to move forward without fear from the government so that government and industry may enjoy a mutually cooperative partnership. This will also allow us to get a timely and accurate assessment of the vulnerabilities of each sector to cyber attacks and allow for the formulation of proposals to eliminate these vulnerabilities without increasing government regulation or expanding unfunded federal mandates on the private sector. ISOs will continue their current leadership role in developing the necessary technical expertise to establish baseline statistics and patterns within the various infrastructures, as clearinghouses for information within and among the various sectors, and as repositories of valuable information that may be used by the private sector.

As technology continues to rapidly improve industry efficiency and operations, so will the risks posed by vulnerabilities and threats to our infrastructure. We must create a framework that will allow our protective measures to adapt and be updated quickly. It is my hope that we will be able to move forward quickly with this legislation and that Congress and the Administration will work in partnership to provide industry and government with the tools for meeting this challenge. A Congressional Research Service report on the ISOs proposal describes the information sharing model as one of the most crucial pieces for success in protecting our critical infrastructure, yet one of the hardest pieces to realize.
With the introduction of the Cyber Security Information Act of 2001, we are removing the primary barrier to information sharing between government and industry. This is landmark legislation that will be replicated around the globe by other nations as they too try to address threats to their critical infrastructure. Mr. Speaker, I believe that the Cyber Security Information Act of 2001 will help us address critical infrastructure cyber threats with the same level of success we achieved in addressing the Year 2000 problem. With government and industry cooperation, the seamless delivery of services and the protection of our nation's economy and well-being will continue without interruption, just as the delivery of services continued on January 1, 2000.

July 5, 2001.

Hon. ----
U.S. House of Representatives,
Washington, DC

Dear Representative: We, the undersigned, representing every sector of the United States economy, write today to strongly urge you to become an original cosponsor of the Cyber Security Information Act to be shortly introduced by Representatives Tom Davis and Jim Moran. This important bill will strengthen information sharing legal protections that shield U.S. critical infrastructures from cyber and physical attacks and threats. Over the past four years, industry-government information sharing regarding vulnerabilities and threats has been a key element of the federal government's critical infrastructure protection plans. Several industry established information sharing organizations, including Information Sharing and Analysis Centers (ISACs) and the Partnership for Critical Infrastructure Security (PCIS), have been set up to support this initiative. The National Plan for Information Systems Protection, version 1.0, also calls for private sector input about actions that will facilitate industry-government information sharing.
As representative companies and industry associations involved in supporting the ongoing development of a National Plan for critical infrastructure protection, we believe that Congress can play a key role in facilitating this initiative by passing legislation to support the Plan's strategic objectives. Currently, there is uncertainty about whether existing law may expose companies and industries that voluntarily share sensitive information with the federal government to unintended and potentially harmful consequences. This uncertainty has a chilling effect on the growth of all information sharing organizations and the quality and quantity of information that they are able to gather and share with the federal government. As such, this situation is an impediment to the effectiveness of both industry and government security and assurance managers to understand, collaborate on and manage their vulnerability and threat environments. Legislation that will clarify and strengthen existing Freedom of Information Act and antitrust exemptions, or otherwise create new means to promote critical infrastructure protection and assurance would be very helpful and have a catalytic effect on the initiatives that are currently under way. Companies in the transportation, telecommunications, information technology, financial services, energy, water, power and gas, health and emergency services have a vital stake in the protection of infrastructure assets. With over 90 percent of the country's critical infrastructure owned and/or operated by the private sector, the government must support information sharing between the public and private sectors in order to ensure the best possible security for all our citizens. A basic precondition for this cooperation is a clear legal and public policy framework for action. 
Businesses also need protection from unnecessary restrictions placed by federal and state antitrust laws on critical information sharing that would inhibit identification of R&D needs or the identification and mitigation of vulnerabilities. There are a number of precedents for this kind of collaboration, and we believe that legislation based on these precedents will also assist this process. Faced with the prospect of unintended liabilities, we also believe that any assurances that Congress can provide to companies voluntarily collaborating with the government in risk management planning activity--such as performing risk assessments, testing infrastructure security, or sharing certain threat and vulnerability information--will be very beneficial. Establishing liability safeguards to encourage the sharing of threat and vulnerability information will add to the robustness of the partnership and the significance of the information shared.

Thank you for considering our views on this important subject. We think that such legislation will contribute to the success of the institutional, information-sharing, technological, and collaborative strategies outlined in Presidential Decision Directive 63 and version 1.0 of the National Plan for Information Systems Protection.

Sincerely,

Americans for Computer Privacy.
Edison Electric Institute.
Fannie Mae.
Internet Security Alliance.
Information Technology Association of America.
Microsoft.
National Center for Technology and Law, George Mason University.
Qwest Communications.
Security.
Computer Sciences Corporation.
Electronic Industries Alliance.
The Financial Services Roundtable.
Internet Security Systems.
National Association of Manufacturers.
Mitretek Systems.
The Open Group.
[[Page E1294]]
Oracle.
U.S. Chamber of Commerce.

Why Information Sharing is Essential for Critical Infrastructure Protection

Frequently Asked Questions

What are Critical Infrastructures?
Critical Infrastructures are those industries identified in Presidential Decision Directive 63 and version 1.0 of the National Plan for Information Systems Protection, deemed vital for the continuing functioning of the essential services of the United States. These include telecommunications, information technology, financial services, oil, water, gas, electric energy, health services, transportation, and emergency services.

What Is the Problem?

90% of the nation's critical infrastructures are owned and/or operated by the private sector. Increasingly, they are inter-connected through networks. This has made them more efficient, but it has also increased the vulnerability of multiple sectors of the economy to attacks on particular infrastructures. According to the Carnegie-Mellon Computer Emergency Response Team (CERT), cyber attacks on critical infrastructures have grown at an exponential rate over the past three years. This trend is expected to continue for the foreseeable future. In our free market system, it is not feasible to have a centralized government monitoring function. A voluntary national industry-government information sharing system is needed in order for the nation to create an effective early warning system, find and fix vulnerabilities, benchmark best practices and create new safety technologies.

How Do Industries and the Government Share Information?

Based on PDD-63 and the National Plan, a number of organizations have been created to foster industry-government cooperation. These include Information Sharing and Analysis Centers (ISACs). ISACs are industry-specific and have been set up in the financial services, telecommunications, IT, and electric energy industries. Others are in the process of being organized. ISACs vary in their membership structures and relationship to the government. Most of them have a formal government sector liaison as their principal point of contact.

What Are Current Concerns?
Companies are concerned that information voluntarily shared with the government that reports on or concerns corporate security may be subject to FOIA. They are also concerned that lead agencies may not be able to effectively control the use or dissemination of sensitive information because of similar legal requirements. Access to sensitive information may fall into the hands of terrorists, criminals, and other individuals and organizations capable of exploiting vulnerabilities and harming the U.S. Unfiltered, unmediated information may be misinterpreted by the public and undermine public confidence in the country's critical infrastructures. Also, competitors and others may use that information to the detriment of a reporting company, or as the basis for litigation. Any and all of these possibilities are reasons why the current flow of voluntary data is minimal.

What Can Be Done?

Possible solutions include creating an additional exemption to current FOIA laws. There are currently over 80 specific FOIA exemptions throughout the body of U.S. law, so it is clear that exempting voluntarily shared information that could affect national security is consistent with the intent and application of FOIA. Another solution is to build on existing relevant legal precedents such as the 1998 Y2K Information and Readiness Disclosure Act, the 1984 National Cooperative Research Act, territorially limited court rulings, and individual, advisory Department of Justice findings.

Why Pursue a Legislative Solution?

The goal is to provide incentives for voluntary information sharing. Legislation can add legal clarity that will provide one such incentive, as well as demonstrate the support and commitment of Congress to increasing critical infrastructure assurance.

____________________


