[Congressional Record Volume 161, Number 185 (Friday, December 18, 2015)] [Senate] [Pages S8844-S8859] Mr. BURR. Madam President, I ask unanimous consent to have printed in the Record the Joint Explanatory Statement for Division N of the Cybersecurity Act of 2015. There being no objection, the material was ordered to be printed in the Record, as follows: Joint Explanatory Statement to Accompany the Cybersecurity Act of 2015 The following is the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement reflects the negotiations and disposition of issues reached between the Senate Select Committee on Intelligence, the House Permanent Select Committee on Intelligence, the Senate Committee on Homeland Security and Governmental Affairs, and the House Committee on Homeland Security. The joint explanatory statement shall have the same effect with respect to the implementation of this Act as if it were a joint explanatory statement of a committee of conference. The joint explanatory statement includes an overview of the background and objectives of the bill, and a section-by-section analysis of the legislative text. Part I: Background and Need for Legislation Cybersecurity threats continue to affect our national security and economy, as cyber attacks, penetrations, and disruptions cost consumers, businesses, and the government billions of dollars in total. This legislation is designed to create a voluntary cybersecurity information sharing process that encourages public and private sector entities to share cyber threat information without legal barriers and the threat of unfounded litigation, while protecting private information. This, in turn, should foster greater cooperation and collaboration in the face of growing cybersecurity threats to national and economic security. The legislation also includes provisions to improve Federal network and information system security, assess the Federal cybersecurity workforce, and provide reports and strategies on cybersecurity industry-related and criminal-related matters. The increase in information sharing this bill will bring about is a key step in improving the Nation's cybersecurity. Part II: Section-by-Section Analysis and Explanation of Legislative Text The following is a section-by-section analysis and explanation of the Cybersecurity Act of 2015. Title I--Cybersecurity Information Sharing Section 101. Short title. Section 101 provides that Title I may be cited as the ``Cybersecurity Information Sharing Act of 2015''. Section 102. Definitions. Section 102 defines key terms used throughout this title, such as ``cybersecurity purpose,'' ``cybersecurity threat,'' ``cyber threat indicator,'' ``defensive measure,'' and ``monitor.'' The definition of ``cybersecurity purpose'' encompasses a broad range of [[Page S8848]] activities undertaken to protect information and information systems from cybersecurity threats. Tying the authorities under this Act to actions taken for a ``cybersecurity purpose'' both clarifies the scope of the authorities and ensures that they cover activities that may be undertaken in concert with one another. For example, a private entity that conducts monitoring to determine whether an authorized ``defensive measure'' should be used would be monitoring for a ``cybersecurity purpose.'' Significantly, the authorization for ``defensive measures'' does not include activities commonly considered ``offensive,'' such as unauthorized access to, or execution of computer code on, another entity's information system (``hack back'' activities), or any action that could cause substantial harm to another private entity's information system, such as a violation of section 1030 of title 18, United States Code. Section 103. Sharing of information by the Federal Government. Section 103 requires the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General to jointly develop and issue procedures for the timely sharing of classified and unclassified cyber threat indicators and defensive measures (referred to collectively in the remainder of this joint explanatory statement as ``cyber threat information''). These procedures must also ensure that the Federal Government maintains: a real-time sharing capability; a process for notifying entities that receive cyber threat information in error; protections against unauthorized access; and procedures to review and remove, before cyber threat information is shared, any information not directly related to a cybersecurity threat that is known at the time of sharing to be personal information of a specific individual or information that identifies a specific individual, or to implement a technical capability to do the same. These procedures must be developed in consultation with appropriate Federal entities, including the Small Business Administration and the National Laboratories. Section 104. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats. Section 104 authorizes private entities to monitor their information systems, operate defensive measures, and share and receive cyber threat information. Private entities must, prior to sharing cyber threat information, review and remove any information not directly related to a cybersecurity threat that is known at the time of sharing to be personal information of a specific individual or that identifies a specific individual, or implement and utilize a technical capability to do the same.
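The ``technical capability'' clause of Sections 103 and 104 describes an automated pre-sharing review that removes personal information not directly related to the threat while keeping indicator values that are the threat (a phishing sender address, a command-and-control hostname). The following Python is an added illustration of that distinction; it is not part of the Congressional Record, the statute, or any DHS sharing implementation. The record layout, the field names, the regular expressions, and the sample phishing record are hypothetical and constructed here for demonstration.

```python
"""
Added example: a minimal pre-sharing scrub of a cyber threat indicator
record. Victim- and reporter-identifying fields are dropped, e-mail
addresses and SSN-shaped strings are redacted from free-text fields, but
an address that is itself the shared indicator is kept because it is
directly related to the threat. All field names are hypothetical.
"""
import copy
import re

# Fields that carry the threat itself. Their values are kept verbatim even
# when they look like personal information (e.g. an attacker's sender
# address), because they are directly related to the cybersecurity threat.
INDICATOR_FIELDS = {"indicator_type", "indicator_value", "malware_hash",
                    "c2_ip", "c2_domain"}

# Fields that describe the victim or the reporting analyst, not the threat.
# They are removed outright before the record is shared.
VICTIM_FIELDS = {"victim_name", "victim_email", "victim_ip",
                 "recipient_mailbox", "analyst_contact"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def scrub_indicator(record: dict) -> tuple[dict, list[str]]:
    """Return (shareable copy of record, log of what was removed)."""
    out = copy.deepcopy(record)
    removed: list[str] = []

    # Values that are the indicator itself may legitimately appear in
    # free text (e.g. "phish from <sender>") and must not be redacted.
    keep = {v for k, v in record.items()
            if k in INDICATOR_FIELDS and isinstance(v, str)}

    # 1. Drop fields that are about the victim or reporter.
    for field in list(out):
        if field in VICTIM_FIELDS:
            removed.append(field)
            del out[field]

    # 2. Redact personal information that leaked into free-text fields,
    #    leaving indicator values untouched.
    def redact_email(m: re.Match) -> str:
        return m.group(0) if m.group(0) in keep else "[email removed]"

    for field, value in out.items():
        if field in INDICATOR_FIELDS or not isinstance(value, str):
            continue
        scrubbed = EMAIL_RE.sub(redact_email, value)
        scrubbed = SSN_RE.sub("[ssn removed]", scrubbed)
        if scrubbed != value:
            removed.append(f"{field}:pattern")
            out[field] = scrubbed

    return out, removed


# Constructed sample record (hypothetical phishing indicator).
SAMPLE = {
    "indicator_type": "email-addr",
    "indicator_value": "invoice@payro11-support.example",
    "malware_hash": "sha256:" + "ab" * 32,
    "recipient_mailbox": "j.doe@victimcorp.example",
    "victim_name": "Jane Doe",
    "description": ("Phish from invoice@payro11-support.example to "
                    "j.doe@victimcorp.example; user SSN 123-45-6789 in reply."),
}

if __name__ == "__main__":
    shared, log = scrub_indicator(SAMPLE)
    for k, v in shared.items():
        print(f"{k}: {v}")
    print("removed:", log)
```

The removal log is what an auditor or Inspector General review under Section 107 would want to see alongside the shared record: which fields were dropped and which free-text fields were pattern-redacted, without re-recording the removed values themselves.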
Section 104 permits non-Federal entities to use cyber threat information for cybersecurity purposes, to monitor, or to operate defensive measures on their information systems or on those of another entity (upon written consent). Cyber threat information shared by an entity with a State, tribal, or local department or agency may be used for the purpose of preventing, investigating, or prosecuting any of the offenses described in Section 105, below. Cyber threat information is exempt from disclosure under any State, tribal, or local freedom of information law or similar law. Section 104 further provides that two or more private entities are not in violation of antitrust laws for exchanging or providing cyber threat information, or for assisting with the prevention, investigation, or mitigation of a cybersecurity threat. Section 105. Sharing of cyber threat indicators and defensive measures with the Federal Government. Section 105 directs the Attorney General and Secretary of Homeland Security to jointly develop policies and procedures to govern how the Federal Government shares information about cyber threats, including via an automated real-time process that allows information systems to exchange identified cyber threat information without manual effort, subject to limited exceptions that must be agreed upon in advance. Section 105 also directs the Attorney General and Secretary of Homeland Security, in coordination with heads of appropriate Federal entities and in consultation with certain privacy officials and relevant private entities, to jointly issue and make publicly available final privacy and civil liberties guidelines for Federal entity-based cyber information sharing.
Section 105 directs the Secretary of Homeland Security, in coordination with heads of appropriate Federal entities, to develop, implement, and certify the capability and process through which the Federal Government receives cyber threat information shared by a non-Federal entity with the Federal Government. This section also provides the President with the authority to designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement an additional capability and process following a certification and explanation to Congress, as described in this section. The capability and process at the Department of Homeland Security, or at any additional appropriate Federal entity designated by the President, does not prohibit otherwise lawful disclosures of information related to criminal activities, Federal investigations, or statutorily or contractually required disclosures. However, this section does not preclude the Department of Defense, including the National Security Agency, from assisting in the development and implementation of a capability and process established consistent with this title. It also shall not be read to preclude any department or agency from requesting technical assistance or staffing a request for technical assistance. Section 105 further provides that cyber threat information shared with the Federal Government does not waive any privilege or protection, may be deemed proprietary information by the originating entity, and is exempt from certain disclosure laws.
Cyber threat information may be used by the Federal Government for: cybersecurity purposes; identifying a cybersecurity threat or vulnerability; responding to, preventing, or mitigating a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction; responding to, investigating, prosecuting, preventing, or mitigating a serious threat to a minor; or preventing, investigating, disrupting, or prosecuting an offense arising out of certain cyber-related criminal activities. Finally, Section 105 provides that cyber threat information shared with the Federal Government shall not be used by any Federal, State, tribal, or local government to regulate non-Federal entities' lawful activities. Section 106. Protection from liability. Section 106 provides liability protection for private entities that monitor, share, or receive cyber threat information in accordance with Title I, notwithstanding any other provision of Federal, State, local, or tribal law. Section 106 further clarifies that nothing in Title I creates a duty to share cyber threat information or a duty to warn or act based on receiving cyber threat information. At the same time, nothing in Title I broadens, narrows, or otherwise affects any existing duties that might be imposed by other law; Title I also does not limit any common law or statutory defenses. Section 107. Oversight of Government activities. Section 107 requires reports and recommendations on implementation, compliance, and privacy assessments by agency heads, Inspectors General, and the Comptroller General of the United States, to ensure that cyber threat information is properly received, handled, and shared by the Federal Government. Section 108. Construction and preemption.
Section 108 contains Title I construction provisions regarding lawful disclosures; whistleblower protections; protection of sources and methods; relationship to other laws; prohibited conduct, such as anti-competitive activities; information sharing relationships; preservation of contractual rights and obligations; anti-tasking restrictions, including conditions on cyber threat information sharing; information use and retention; Federal preemption of State laws that restrict or regulate Title I activities, excluding those concerning the use of authorized law enforcement practices and procedures; regulatory authorities; the Secretary of Defense's authorities to conduct certain cyber operations; and Constitutional protections in criminal prosecutions. Section 109. Report on cybersecurity threats. Section 109 requires the Director of National Intelligence, with the heads of other appropriate Intelligence Community elements, to submit a report to the congressional intelligence committees on cybersecurity threats, including cyber attacks, theft, and data breaches. Section 110. Exception to limitation on authority of Secretary of Defense to disseminate certain information. Section 110 clarifies that, notwithstanding Section 393(c)(3) of title 10, United States Code, the Secretary of Defense may authorize the sharing of cyber threat indicators and defensive measures pursuant to the policies, procedures, and guidelines developed or issued under this title. Section 111. Effective period. Section 111 establishes that Title I and the amendments therein are effective during the period beginning on the date of enactment of this Act and ending on September 30, 2025. The provisions of Title I will remain in effect, however, for action authorized by Title I, or information obtained pursuant to action authorized by Title I, prior to September 30, 2025. Title II--National Cybersecurity Advancement SUBTITLE A--NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER Section 201. Short title.
Section 201 establishes that Title II, Subtitle A may be cited as the ``National Cybersecurity Protection Advancement Act of 2015''. Section 202. Definitions. Section 202 defines for purposes of Title II, Subtitle A, the terms ``appropriate congressional committees,'' ``cybersecurity risk,'' ``incident,'' ``cyber threat indicator,'' ``defensive measure,'' ``Department,'' and ``Secretary.'' Section 203. Information sharing structure and processes. Section 203 enhances the functions of the Department of Homeland Security's National Cybersecurity and Communications [[Page S8849]] Integration Center, established in section 227 of the Homeland Security Act of 2002 (redesignated by this Act). It designates the Center as a Federal civilian interface for multi-directional and cross-sector information sharing related to cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including the implementation of Title I of this Act. This section requires the Center to engage with international partners; conduct information sharing with Federal and non-Federal entities; participate in national exercises; and assess and evaluate consequence, vulnerability, and threat information regarding cyber incidents affecting public safety communications. Additionally, this section requires the Center to collaborate with State and local governments on cybersecurity risks and incidents. The Center will comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons, including by working with the Privacy Officer to ensure the Center follows the privacy policies and procedures established by Title I of this Act. Section 203 requires the Department of Homeland Security, in coordination with industry and other stakeholders, to develop an automated capability for the timely sharing of cyber threat indicators and defensive measures.
It is critical for the Department to develop an automated system and supporting processes for the Center to disseminate cyber threat indicators and defensive measures in a timely manner. This section permits the Center to enter into voluntary information sharing relationships with any consenting non-Federal entity for the sharing of cyber threat indicators, defensive measures, and information for cybersecurity purposes. This section is intended to provide the Department of Homeland Security additional options to enter into streamlined voluntary information sharing agreements. This section allows the Center to utilize standard and negotiated agreements as the types of agreements that non-Federal entities may enter into with the Center. However, it makes clear that agreements are not limited to just these types, and preexisting agreements between the Center and the non-Federal entity will be in compliance with this section. Section 203 requires the Director of the Center to report directly to the Secretary on significant cybersecurity risks and incidents. This section requires the Secretary to submit to Congress a report on the range of efforts underway to bolster cybersecurity collaboration with international partners. Section 203 allows the Secretary to develop and adhere to Department policies and procedures for coordinating vulnerability disclosures. Section 204. Information sharing and analysis organizations. Section 204 amends Section 212 of the Homeland Security Act to clarify the functions of Information Sharing and Analysis Organizations (ISAOs) to include cybersecurity risk and incident information beyond that pertaining to critical infrastructure. ISAOs, including Information Sharing and Analysis Centers (ISACs), have an important role to play in facilitating information sharing going forward, and this section clarifies their functions as defined in the Homeland Security Act. Section 205. National response framework.
Section 205 amends the Homeland Security Act of 2002 to require the Secretary of the Department of Homeland Security, with proper coordination, to regularly update the Cyber Incident Annex to the National Response Framework of the Department of Homeland Security. Section 206. Report on reducing cybersecurity risks in DHS data centers. Section 206 requires the Secretary of the Department of Homeland Security to submit a report to Congress not later than 1 year after the date of the enactment of this Act on the feasibility of using compartmentalization between systems to create conditions conducive to reduced cybersecurity risks in data centers. Section 207. Assessment. Section 207 requires the Comptroller General of the United States not later than 2 years after the date of enactment of this Act to submit a report on the implementation of Title II, including increases in the sharing of cyber threat indicators at the National Cybersecurity and Communications Integration Center and throughout the United States. Section 208. Multiple simultaneous cyber incidents at critical infrastructure. Section 208 requires the appropriate Department of Homeland Security Under Secretary to draft and submit to Congress not later than 1 year after the date of enactment of this Act a report on the feasibility of producing a risk-informed plan to address the risks of multiple simultaneous cyber incidents affecting critical infrastructure as well as cascade effects. Section 209. Report on cybersecurity vulnerabilities of United States ports. Section 209 requires the Secretary of Homeland Security not later than 180 days after the date of enactment of this Act to submit to Congress a report on the vulnerability of United States ports to cybersecurity incidents, as well as potential mitigations. Section 210. Prohibition on new regulatory authority. Section 210 clarifies that the Secretary of Homeland Security does not gain any additional regulatory authorities in this subtitle. 
Section 211. Termination of reporting requirements. Section 211 adds a 7-year sunset on the reporting requirements in Title II, Subtitle A. SUBTITLE B--FEDERAL CYBERSECURITY ENHANCEMENT Section 221. Short title. Section 221 establishes that Title II, Subtitle B may be cited as the ``Federal Cybersecurity Enhancement Act of 2015''. Section 222. Definitions. Section 222 defines for purposes of Title II, Subtitle B, the terms ``agency,'' ``agency information system,'' ``appropriate congressional committees,'' ``cybersecurity risk,'' ``information system,'' ``Director,'' ``intelligence community,'' ``national security system,'' and ``Secretary.'' Section 223. Improved Federal network security. Section 223 amends the Homeland Security Act of 2002 by amending Section 228, as redesignated, to require an intrusion assessment plan for Federal agencies, and by adding a Section 230 to authorize Federal intrusion detection and prevention capabilities for Federal agencies. Section 230 of the Homeland Security Act of 2002, as added by Section 223(a) of the bill, authorizes the Secretary of Homeland Security to employ the Department's intrusion detection and intrusion prevention capabilities, operationally implemented under the ``EINSTEIN'' programs, to scan agencies' network traffic for malicious activity and block it. The Secretary and agencies with sensitive data are expected to confer regarding the sensitivity of, and statutory protections otherwise applicable to, information on agency information systems. The Secretary is expected to ensure that the policies and procedures developed under Section 230 appropriately restrict and limit Department access, use, retention, and handling of such information to protect the privacy and confidentiality of such information, including ensuring that the Department protects such sensitive data from disclosure, and trains appropriate staff accordingly.
Section 223(b) mandates that agencies deploy and adopt those capabilities within one year for all network traffic traveling to or from each information system owned or operated by the agency, or two months after the capabilities are first made available to the agency, whichever is later. The subsection also requires that agencies adopt improvements added to the intrusion detection and prevention capabilities six months after they are made available. ``Improvements'' is intended to be read broadly to describe expansion of the capabilities, new systems, and added technologies, for example: non-signature-based detection systems such as heuristic- and behavior-based detection; new countermeasures to block malicious traffic beyond e-mail filtering and Domain Name System (DNS) sinkholing; and scanning techniques that allow scanning of encrypted traffic. Section 224. Advanced internal defenses. Section 224 directs the Secretary of Homeland Security to add advanced network security tools to the Continuous Diagnostics and Mitigation program; develop and implement a plan to ensure agency use of advanced network security tools; and, with the Director of the Office of Management and Budget, prioritize advanced security tools and update metrics used to measure security under the Federal Information Security Management Act of 2002. Section 225. Federal cybersecurity requirements. Section 225 adds a statutory requirement for the head of each agency, not later than 1 year after the date of the enactment of this Act, to implement several standards on their networks, including identification of sensitive and mission-critical data, use of encryption, and multi-factor authentication. Section 226. Assessment; reports. Section 226 includes a requirement for a Government Accountability Office study to be conducted on the effectiveness of this approach and strategy.
It also requires reports from the Department of Homeland Security, the Federal Chief Information Officer, and the Office of Management and Budget. Required reporting includes an annual report from the Department of Homeland Security on the effectiveness and privacy controls of the intrusion detection and prevention capabilities; information on adoption of the intrusion detection and prevention capabilities at agencies in the Office of Management and Budget's annual Federal Information Security Management Act report; an assessment by the Federal Chief Information Officer within two years of enactment as to the continued value of the intrusion detection and prevention capabilities; and a Government Accountability Office report in three years on the effectiveness of Federal agencies' approach to securing agency information systems. Section 227. Termination. Section 227 creates a 7-year sunset for the authorization of the intrusion detection and prevention capabilities in Section 230 of the Homeland Security Act of 2002, as added by Section 223(a). Section 228. Identification of information systems relating to national security. Section 228 requires the Director of National Intelligence and the Director of the Office of Management and Budget, in coordination with [[Page S8850]] other agencies, not later than 180 days after the date of enactment of this Act, to identify unclassified information systems that could reveal classified information, and to submit a report assessing the risks associated with a breach of such systems and the costs and impact of designating such systems as national security systems. Section 229. Direction to agencies. Section 229 authorizes the Secretary of Homeland Security to issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of an information system for the purpose of protecting such system from an information security threat.
In situations in which the Secretary has determined there is an imminent threat to an agency, the Secretary may authorize the use of intrusion detection and prevention capabilities in accordance with established procedures, including notice to the affected agency. Title III--Federal Cybersecurity Workforce Assessment Section 301. Short title. Section 301 establishes that Title III may be cited as the ``Federal Cybersecurity Workforce Assessment Act of 2015''. Section 302. Definitions. Section 302 defines for purposes of Title III the terms ``appropriate congressional committees,'' ``Director,'' ``National Initiative for Cybersecurity Education,'' and ``work roles.'' Section 303. National cybersecurity workforce measurement initiative. Section 303 requires the head of each Federal agency to identify all positions within the agency that require the performance of cybersecurity or other cyber-related functions, and to report the percentage of personnel in such positions holding the appropriate certifications, the level of preparedness of personnel without certifications to take certification exams, and a strategy for mitigating any identified certification and training gaps. Section 304. Identification of cyber-related work roles of critical need. Section 304 requires the head of each Federal agency to identify information technology, cybersecurity, or other cyber-related roles of critical need in the agency's workforce, and to substantiate them as such in a report to the Director of the Office of Personnel Management. Section 304 also requires the Director of the Office of Personnel Management to submit a subsequent report, not later than 2 years after the date of the enactment of this Act, on critical needs for the information technology, cybersecurity, or other cyber-related workforce across all Federal agencies, and on the implementation of this section. Section 305. Government Accountability Office status reports.
Section 305 requires the Comptroller General of the United States to analyze and monitor the implementation of sections 303 and 304 and not later than 3 years after the date of the enactment of this Act submit a report on the status of such implementation. Title IV--Other Cyber Matters Section 401. Study on mobile device security. Section 401 requires the Secretary of Homeland Security not later than 1 year after the date of the enactment of this Act to conduct a study on threats relating to the security of the mobile devices used by the Federal Government, and submit a report detailing the findings and recommendations arising from such study. Section 402. Department of State international cyberspace policy strategy. Section 402 requires the Secretary of State not later than 90 days after the date of the enactment of this Act to produce a comprehensive strategy relating to United States international policy with regard to cyberspace, to include a review of actions taken by the Secretary of State in support of the President's International Strategy for Cyberspace and a description of threats to United States national security in cyberspace. Section 403. Apprehension and prosecution of international cyber criminals. Section 403 requires the Secretary of State, or a designee, to consult with countries in which international cyber criminals are physically present and extradition to the United States is unlikely, to determine what efforts the foreign country has taken to apprehend, prosecute, or otherwise prevent the carrying out of cybercrimes against United States persons or interests. Section 403 further requires an annual report that includes statistics and extradition status about such international cyber criminals. Section 404. Enhancement of emergency services. 
Section 404 requires the Secretary of Homeland Security, not later than 90 days after the date of the enactment of this Act, to establish a process by which a Statewide Interoperability Coordinator may report data on any cybersecurity risk or incident involving any information system or network used by emergency response providers within the State. Reported data will be analyzed and used in developing information and recommendations on security and resilience measures for information systems and networks used by State emergency response providers. Section 405. Improving cybersecurity in the health care industry. Section 405 requires the Secretary of Health and Human Services to establish a task force and, not later than 1 year after the date of the establishment of the task force, to submit a report on the Department of Health and Human Services' and the health care industry's preparedness to respond to cybersecurity threats. In support of the report, the Secretary of Health and Human Services will convene health care industry stakeholders, cybersecurity experts, and other appropriate entities to establish a task force for analyzing and disseminating information on industry-specific cybersecurity challenges and solutions. Consistent with subsection (e), it is Congress's intention to allow Health and Human Services the flexibility to leverage and incorporate activities ongoing as of the day before the date of enactment of this Act to accomplish the goals set forth for this task force. Section 406. Federal computer security.
Section 406 requires the Inspector General of any agency operating a national security system, or a Federal computer system that provides access to personally identifiable information, not later than 240 days after the date of enactment of this Act to submit a report regarding the federal computer systems of such agency, to include information on the standards and processes for granting or denying specific requests to obtain and use information and related information processing services, and a description of the data security management practices used by the agency. Section 407. Stopping the fraudulent sale of financial information of people of the United States. Section 407 amends 18 U.S. Code Sec. 1029 by enabling the Federal Government to prosecute overseas criminals who profit from financial information that has been stolen from Americans. [...]