
Cyber Security Information Act, HR 4246
by Guest Blogger, 3/6/2002
106TH CONGRESS
2D SESSION
H. R. ____
IN THE HOUSE OF REPRESENTATIVES
Mr. DAVIS of Virginia (for himself and Mr. MORAN of
Virginia) introduced
the following bill; which was referred to the Committee on
_______________
A BILL
To encourage the secure disclosure and protected exchange
of information about cyber security problems, solutions,
test practices and test results, and related matters in
connection with critical infrastructure protection.
Be it enacted by the Senate and House of Representatives
of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘Cyber Security Information
Act’’.
SEC. 2. FINDINGS AND PURPOSES.
(a) FINDINGS.—Congress finds the following:
(1)(A) Many information technology computer
systems, software programs, and similar facilities
are vulnerable to attacks or misuse through the
Internet, public or private telecommunications systems,
or similar means.
(B) The problem described in subparagraph (A)
and resulting failures could incapacitate systems
that are essential to the functioning of markets,
commerce, consumer products, utilities, government,
and safety and defense systems, in the United States
and throughout the world.
(C) Protecting, reprogramming, or replacing affected
systems before the problem incapacitates essential
systems is a matter of national and global interest.
(2) The prompt, candid, and thorough, but secure and
protected, disclosure and exchange of information related to
the cybersecurity of entities, systems, and infrastructure—
(A) would greatly enhance the ability of
public and private entities to improve their own
cyber security; and
(B) is therefore a matter of national importance and a vital
factor in minimizing any potential cyber security related
disruption to the Nation’s economic well-being and security.
(3) Concern about the potential for legal liability
associated with the disclosure and exchange of cyber
security information could unnecessarily impede the secure
disclosure and protected exchange of such information.
(4) The capability to securely disclose and engage in the
protected exchange of information relating to cyber
security, solutions, test practices and test results,
without undue concern about inappropriate disclosure of
that information, is critical to the ability of public and
private entities to address cyber security needs in a
timely manner.
(5) The national interest will be served by uniform legal
standards in connection with the secure disclosure and
protected exchange of cyber security information that will
promote appropriate disclosures and exchanges of such
information in a timely fashion.
(6) The ‘‘National Plan for Information Systems Protection,
Version 1.0, An Invitation to a Dialogue’’, released by the
President on January 7, 2000, calls for the Government to
assist in seeking changes to applicable laws on ‘‘Freedom
of Information, liability, and antitrust where
appropriate’’ in order to foster industry-wide centers for
information sharing and analysis.
(b) PURPOSES.—Based upon the powers contained in article I,
section 8, clause 3 of the Constitution of the United
States, the purposes of this Act are—
(1) to promote the secure disclosure and protected exchange
of information related to cyber security;
(2) to assist private industry and government in effectively
and rapidly responding to cyber security problems;
(3) to lessen burdens on interstate commerce by establishing
certain uniform legal principles in connection with the
secure disclosure and protected exchange of information
related to cyber security; and
(4) to protect the legitimate users of cyber networks and
systems, and to protect the privacy and confidence of
shared information.
SEC. 3. DEFINITIONS.
In this Act:
(1) ANTITRUST LAWS.—The term ‘‘antitrust laws’’—
(A) has the meaning given to it in subsection (a) of the
first section of the Clayton Act (15 U.S.C. 12(a)), except
that such term includes section 5 of the Federal Trade
Commission Act (15 U.S.C. 45) to the extent such section 5
applies to unfair methods of competition; and
(B) includes any State law similar to the laws referred to
in subparagraph (A).
(2) CRITICAL INFRASTRUCTURE.—The term ‘‘critical
infrastructure’’ means facilities or services so vital to
the nation or its economy that their disruption,
incapacity, or destruction would have a debilitating impact
on the defense, security, long-term economic prosperity, or
health or safety of the United States.
(3) CYBER SECURITY.—The term ‘‘cyber security’’ means the
vulnerability of any computing system, software program, or
critical infrastructure to, or their ability to resist,
intentional interference, compromise, or incapacitation
through the misuse of, or by unauthorized means of, the
Internet, public or private telecommunications systems, or
other similar conduct that violates Federal, State, or
international law, that harms interstate commerce of the
United States, or that threatens public health or safety.
(4) CYBER SECURITY INTERNET WEBSITE.—
The term ‘‘cyber security Internet website’’ means
an Internet website or other similar electronically
accessible service, clearly designated on the website or
service by the person or entity creating or controlling the
content of the website or service as an area where cyber
security statements are posted or otherwise made accessible
to appropriate entities.
(5) CYBER SECURITY STATEMENT.—
(A) IN GENERAL.—The term ‘‘cyber security statement’’ means
any communication or other conveyance of information by a
party to another, in any form or medium including by means
of a cyber security Internet website—
(i) concerning an assessment, projection, or estimate
concerning the cyber security of that entity, its computer
systems, its software programs, or similar facilities of
its own;
(ii) concerning plans, objectives, or timetables for
implementing or verifying the cyber security thereof;
(iii) concerning test plans, test dates, test results, or
operational problems or solutions related to the cyber
security thereof; or
(iv) reviewing, commenting on, or otherwise directly or
indirectly relating to the cyber security thereof.
(B) NOT INCLUDED.—For the purposes of any action brought
under the securities laws, as that term is defined in
section 3(a)(47) of the Securities Exchange Act of 1934
(15 U.S.C. 78c(a)(47)), the term ‘‘cyber security
statement’’ does not include statements contained in any
documents or materials filed with the Securities and
Exchange Commission, or with Federal banking regulators,
pursuant to section 12(i) of the Securities Exchange Act of
1934 (15 U.S.C. 781(i)), or disclosures or writing that
when made accompanied the solicitation of an offer or sale
of securities.
SEC. 4. SPECIAL DATA GATHERING.
(a) IN GENERAL.—Any Federal entity, agency, or authority may
expressly designate a request for the voluntary provision
of information relating to cyber security, including cyber
security statements, as a cyber security data gathering
request made pursuant to this section.
(b) SPECIFICS.—A cyber security data gathering request made
under this section—
(A) shall specify a Federal entity, agency,
or authority, or, with its consent, another public
or private entity, agency, or authority, to gather
responses to the request;
(B) shall be a request from a private entity, agency,
or authority to a Federal entity, agency, or authority; or
(C) shall be deemed to have been made and to have
specified such a private entity, agency, or authority
when the Federal entity, agency, or authority has
voluntarily been given cyber security information gathered
by that private entity, agency, or authority, including by
means of a cyber security Internet website.
(c) PROTECTIONS.—Except with the express consent or
permission of the provider of information described in
paragraph (1), any cyber security statements or other such
information provided by a party in response to a special
cyber security data gathering request made under this
section—
(1) shall be exempt from disclosure under section 552(a) of
title 5, United States Code (commonly known as the
‘‘Freedom of Information Act’’), by all Federal entities,
agencies, and authorities;
(2) shall not be disclosed to or by any third party; and
(3) may not be used by any Federal or State
entity, agency, or authority or by any third party,
directly or indirectly, in any civil action arising
under any Federal or State law.
(d) EXCEPTIONS.—
(1) INFORMATION OBTAINED ELSEWHERE.—
Nothing in this section shall preclude a Federal entity,
agency, or authority, or any third party, from separately
obtaining the information submitted in response to a
request under this section through the use of independent
legal authorities, and using such separately obtained
information in any action.
(2) PUBLIC DISCLOSURE.—A restriction on use or disclosure of
information under this section shall not apply to any
information disclosed generally or broadly to the public
with the express consent of the party.
SEC. 5. ANTITRUST EXEMPTION.
(a) EXEMPTION.—Except as provided in subsection (b), the
antitrust laws shall not apply to conduct engaged in,
including making and implementing an agreement, solely for
the purpose of and limited to—
(1) facilitating the correction or avoidance of a cyber
security related problem; or
(2) communicating or disclosing information to
help correct or avoid the effects of a cyber security
related problem.
(b) EXCEPTION TO EXEMPTION.—Subsection (a)
shall not apply with respect to conduct that involves or
results in an agreement to boycott any person, to allocate
a market, or to fix prices or output.
SEC. 6. CYBER SECURITY WORKING GROUPS.
(a) IN GENERAL.—
(1) WORKING GROUPS.—The President may establish and
terminate working groups composed of Federal employees who
will engage outside organizations in discussions to address
cyber security, to share information related to cyber
security, and otherwise to serve the purposes of this Act.
(2) LIST OF GROUPS.—The President shall maintain and make
available to the public a printed and electronic list of
such working groups and a point of contact for each,
together with an address, telephone number, and electronic
mail address for such point of contact.
(3) BALANCE.—The President shall seek to achieve a balance
of participation and representation among the working
groups.
(4) MEETINGS.—Each meeting of a working group created under
this section shall be announced in advance in accordance
with procedures established by the President.
(b) FEDERAL ADVISORY COMMITTEE ACT.—The Federal Advisory
Committee Act (5 U.S.C. App.) shall not apply to the
working groups established under this section.
(c) PRIVATE RIGHT OF ACTION.—This section creates no private
right of action to sue for enforcement of any provision of
this section.
April 11, 2000 (1:18 PM)
