Congressional Record: April 12, 2000 (Extensions)

Pages E545-E546

INTRODUCING THE CYBER SECURITY INFORMATION ACT OF 2000

HON. THOMAS M. DAVIS
OF VIRGINIA
IN THE HOUSE OF REPRESENTATIVES
April 12, 2000

Mr. DAVIS of Virginia. Mr. Speaker, I am pleased to rise today to introduce legislation with my good friend and colleague from Virginia, Representative Jim Moran, that will promote the protection of our nation's critical infrastructure from cyber threats.

In the 104th Congress, we called on the Administration to study the vulnerabilities of our nation's critical infrastructure and to identify solutions to address those vulnerabilities. The Administration, through the President and the participating agencies, identified a number of steps that must be taken to eliminate the potential for significant damage to our critical infrastructure. Foremost among these recommendations is the need to ensure coordination between public and private sector representatives on critical infrastructure. The bill I am introducing today is the first step toward encouraging private sector cooperation and participation with the government to achieve that goal.

The critical infrastructure of the United States is largely owned and operated by the private sector. Critical infrastructures are the systems that are essential to the minimum operations of the economy and government. Our critical infrastructure consists of the privately held financial services, telecommunications, information technology, transportation, water systems, emergency services, electric power, natural gas and oil sectors, and our [[Page E546]] national defense and law enforcement sectors within the government. Traditionally, these sectors have operated largely independently of one another and have coordinated with the government to protect themselves against the threats posed by traditional warfare. Today, these sectors must learn how to protect themselves against unconventional threats such as terrorist attacks and cyber attacks. These sectors must also recognize the vulnerabilities they may face because of the tremendous technological progress we have made.

As we learned when planning for the challenges presented by the Year 2000 rollover, many of our computer systems and networks are now interconnected and communicate with many other systems. With the many advances in information technology, many of our critical infrastructure sectors are linked to one another and face increased vulnerability to cyber threats. Technology interconnectivity increases the risk that problems affecting one system will also affect other connected systems. Computer networks can provide pathways among systems to gain unauthorized access to data and operations from outside locations if they are not carefully monitored and protected. A cyber threat could quickly shut down any one of our critical infrastructures and potentially cripple several sectors at one time. Nations around the world, including the United States, are currently training their military and intelligence personnel to carry out cyber attacks against other nations to quickly and efficiently cripple a nation's daily operations. Cyber attacks have moved beyond the mischievous teenager and are being learned and used by terrorist organizations as the latest weapon in a nation's arsenal.
In June 1998 and February 1999, the Director of the Central Intelligence Agency testified before Congress that several nations recognize that cyber attacks against civilian computer systems represent the most viable option for leveling the playing field in an armed crisis against the United States. The Director also stated that several terrorist organizations believed information warfare to be a low cost opportunity to support their causes. Both Presidential Decision Directive 63 (PDD-63), issued in May 1998, and the President's National Plan for Information Systems Protection, Version 1.0, issued in January 2000, call on the legislative branch to build the necessary framework to encourage information sharing to address cyber security threats to our nation's privately held critical infrastructure.

Recently, we have learned the inconveniences that may be caused by a cyber attack or unforeseen circumstance. Earlier this year, many of our most popular sites such as Yahoo, eBay and Amazon.com were shut down for several hours at a time over several days by a team of hackers interested in demonstrating their capability to disrupt service. While we may have found the shutdown of these sites temporarily inconvenient, they potentially cost those companies significant amounts of lost revenue, and it is not too difficult to imagine what would have occurred if the attacks had been focused on our utilities or emergency services industries. We, as a society, have grown increasingly dependent on our infrastructure providers. I am sure many of you recall when PanAmSat's Galaxy IV satellite's on-board controller lost service. An estimated 80 to 90% of our nation's pagers were inoperable, and hospitals had difficulty reaching doctors on call and emergency workers. It even impeded the ability of consumers to use credit cards to pay for their gas at the pump.
Moreover, recent studies have demonstrated that the incidence of cyber security threats to both the government and the private sector is only increasing. According to an October 1999 report issued by the General Accounting Office (GAO), the number of reported computer security incidents handled by Carnegie-Mellon University's CERT Coordination Center increased from 1,334 in 1993 to 4,398 during the first two quarters of 1999. Additionally, the Computer Security Institute reported an increase in attacks for the third year in a row based on responses to its annual survey on computer security. GAO has done a number of reports that give Congress an accurate picture of the risk facing federal agencies; it cannot track such information for the private sector. We must rely on the private sector to share its vulnerabilities with the federal government so that all of our critical infrastructures are protected. Today, I am introducing legislation that gives critical infrastructure industries the assurances they

The Cyber Security Information Act of 2000 is closely modeled after the successful Year 2000 Information and Readiness Disclosure Act by providing a limited FOIA exemption, civil litigation protection for shared information, and an antitrust exemption for information shared within an ISAC. These three protections have been previously cited by the Administration as necessary legislative remedies in Version 1.0 of the National Plan and PDD-63. This legislation will enable the ISACs to move forward without fear from industry so that government and industry may enjoy the mutually cooperative partnership called for in PDD-63. This will also allow us to get a timely and accurate assessment of the vulnerabilities of each sector to cyber attacks and allow for the formulation of proposals to eliminate these vulnerabilities without increasing government regulation or expanding unfunded federal mandates on the private sector.
PDD-63 calls upon the government to put in place a critical infrastructure proposal that will allow for three tasks to be accomplished by 2003: (1) the Federal Government must be able to perform essential national security missions and to ensure the general public health and safety; (2) State and local governments must be able to maintain order and to deliver minimum essential public services; and (3) the private sector must be able to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services. This legislation will allow the private sector to meet this deadline. We will also ensure the ISACs can move forward to accomplish their missions by developing the necessary technical expertise to establish baseline statistics and patterns within the various infrastructures, become a clearinghouse for information within and among the various sectors, and provide a repository of valuable information that may be used by the private sector.

As technology continues to rapidly improve industry efficiency and operations, so will the risks posed by vulnerabilities and threats to our infrastructure. We must create a framework that will allow our protective measures to adapt and be updated quickly. It is my hope that we will be able to move forward quickly with this legislation and that Congress and the Administration can move forward in partnership to provide industry and government with the tools for meeting this challenge. A Congressional Research Service report on the ISAC proposal describes the information sharing model as one of the most crucial pieces for success in protecting our critical infrastructure, yet one of the hardest pieces to realize. With the introduction of the Cyber Security Information Act of 2000, we are removing the primary barrier to information sharing between government and industry.
This is landmark legislation that will be replicated around the globe by other nations as they too try to address threats to their critical infrastructure. Mr. Speaker, I believe that the Cyber Security Information Act of 2000 will help us address critical infrastructure cyber threats with the same level of success we achieved in addressing the Year 2000 problem. With government and industry cooperation, the seamless delivery of services and the protection of our nation's economy and well-being will continue without interruption, just as the delivery of services continued on January 1, 2000.
106th CONGRESS
2d Session
H. R. 4246

IN THE HOUSE OF REPRESENTATIVES

Mr. Davis of Virginia (for himself and Mr. Moran of Virginia) introduced the following bill; which was referred to the Committee on ______________

A BILL

To encourage the secure disclosure and protected exchange of information about cyber security problems, solutions, test practices and test results, and related matters in connection with critical infrastructure protection.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the "Cyber Security Information Act".

SEC. 2. FINDINGS AND PURPOSES.

(a) Findings. Congress finds the following:
(1)(A) Many information technology computer systems, software programs, and similar facilities are vulnerable to attack or misuse through the Internet, public or private telecommunications systems, or similar means.
(B) The problems described in subparagraph (A), and the resulting failures, could incapacitate systems that are essential to the functioning of markets, commerce, consumer products, utilities, government, and safety and defense systems in the United States and throughout the world.
(C) It is a matter of national and global interest that the affected systems be protected, reprogrammed, or replaced before the problems incapacitate essential systems.
(2) Prompt, candid, and thorough, but secure and protected, disclosure and exchange of information related to the cyber security of entities, systems, and infrastructures:
(A) would greatly enhance the ability of public and private entities to improve their cyber security; and
(B) is therefore a matter of national importance and a vital factor in minimizing any potential cyber security-related disruption to the Nation's economic well-being and security.
(3) Concern about the potential for legal liability associated with the disclosure and exchange of cyber security information could unnecessarily impede the secure disclosure and protected exchange of such information.
(4) The capability to securely disclose and participate in protected exchanges of information related to cyber security, solutions, test practices, and test results, and to protect that information against inappropriate disclosure, is critical to the ability of public and private entities to address cyber security needs in a timely manner.
(5) The national interest will be served by uniform legal standards in connection with the secure disclosure and protected exchange of cyber security information that promote the appropriate disclosure and exchange of such information in a timely manner.
(6) The President's National Plan for Information Systems Protection, Version 1.0, An Invitation to a Dialogue, issued on January 7, 2000, calls for the Administration to assist in seeking amendments to freedom of information law, liability law, and, where appropriate, antitrust law, to promote industry-wide information sharing and analysis centers.

(b) Purposes. Based upon the power of Congress under article I, section 8, clause 3 of the Constitution of the United States, the purposes of this Act are:
(1) to promote the secure disclosure and protected exchange of information related to cyber security;
(2) to assist private industry and government in responding effectively and rapidly to cyber security problems;
(3) to lessen burdens on interstate commerce by establishing certain uniform legal principles in connection with the secure disclosure and protected exchange of information related to cyber security; and
(4) to protect the legitimate users of cyber networks and systems, and to protect the privacy and confidence of shared information.

SEC. 3. DEFINITIONS.

In this Act:
(1) Antitrust Laws. The term "antitrust laws":
(A) has the meaning given to it in subsection (a) of the first section of the Clayton Act (15 U.S.C. 12(a)), except that such term includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent such section 5 applies to unfair methods of competition; and
(B) includes any State law similar to the laws referred to in subparagraph (A).
(2) Critical Infrastructure. The term "critical infrastructure" means facilities or services so vital to the Nation or its economy that their disruption, incapacity, or destruction would have a debilitating impact on the defense, security, long-term economic prosperity, or health or safety of the United States.
(3) Cyber Security. The term "cyber security" means the vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems, or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety.
(4) Cyber Security Internet Website. The term "cyber security Internet website" means an Internet website or other similar electronically accessible service, clearly designated on the website or service by the person or entity creating or controlling the content of the website or service as an area where cyber security statements are posted or otherwise made accessible to appropriate entities.
(5) Cyber Security Statement.
(A) In General. The term "cyber security statement" means any communication or other conveyance of information by a party to another party, in any form or medium, including through a cyber security Internet website:
(i) concerning an assessment, projection, or estimate concerning the cyber security of that entity, its computer systems, software programs, or similar facilities;
(ii) concerning plans, objectives, or timetables for implementing or verifying its cyber security;
(iii) concerning test plans, test dates, test results, or operational problems or solutions related to its cyber security; or
(iv) reviewing, commenting on, or otherwise directly or indirectly relating to its cyber security.
(B) Not Included. For the purposes of any action brought under the securities laws, as that term is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47)), the term "cyber security statement" does not include statements contained in any documents or materials filed with the Securities and Exchange Commission, or with Federal banking regulators, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 78l(i)), or disclosures or writing that when made accompanied the solicitation of an offer or sale of securities.

SEC. 4. SPECIAL DATA GATHERING.

(a) In General. A Federal entity, agency, or authority may expressly designate a request for the voluntary provision of information relating to cyber security, including cyber security statements, as a cyber security data gathering request made under this section.
(b) Specifics. A cyber security data gathering request made under this section:
(1) shall specify a Federal entity, agency, or authority, or, by agreement, another public or private entity, agency, or authority, to gather responses to the request; or
(2) where a Federal entity, agency, or authority freely obtains cyber security information gathered by a private entity, agency, or authority, shall be deemed to have designated that private entity, agency, or authority, including through a cyber security Internet website.
(c) Protection. Except with the express consent or permission of the provider of information described in paragraph (1), any cyber security statement or other such information provided by a party in response to a special cyber security data gathering request made under this section:
(1) shall be exempt from disclosure by all Federal entities, agencies, and authorities under section 552(a) of title 5, United States Code (commonly known as the Freedom of Information Act);
(2) shall not be disclosed to or by any third party; and
(3) may not be used by any Federal or State entity, agency, or authority, or by any third party, in any civil action arising under any Federal or State law.
(d) Exceptions.
(1) Information Obtained Elsewhere. Nothing in this section shall preclude any Federal entity, agency, or authority, or any third party, from separately obtaining the information submitted in response to a request under this section through the use of independent legal authorities, and using such separately obtained information in any action.
(2) Public Disclosure. The restrictions on the use or disclosure of information under this section shall not apply to any information disclosed generally or broadly to the public with the express consent of the party.

SEC. 5. ANTITRUST EXEMPTION.

(a) Exemption. Except as provided in subsection (b), the antitrust laws shall not apply to conduct engaged in, including making and implementing an agreement, solely for the purpose of and limited to:
(1) facilitating the correction or avoidance of a cyber security-related problem; or
(2) communicating or disclosing information to help correct or avoid the effects of a cyber security-related problem.
(b) Exception to Exemption. Subsection (a) shall not apply with respect to conduct that involves or results in an agreement to boycott any person, to allocate a market, or to fix prices or output.

SEC. 6. CYBER SECURITY WORKING GROUPS.

(a) In General.
(1) Working Groups. The President may establish and terminate working groups composed of Federal employees who will engage outside organizations in discussions to address cyber security problems, share information related to cyber security, and otherwise serve the purposes of this Act.
(2) List of Groups. The President shall maintain and make available to the public a printed and electronic list of such working groups, and a point of contact for each working group, along with the address, telephone number, and electronic mail address of the point of contact.
(3) Balance. The President shall seek to achieve a balance of participation and representation among the working groups.
(4) Meetings. Each meeting of a working group established under this section shall be announced in advance in accordance with procedures established by the President.
(b) Federal Advisory Committee Act. The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the working groups established under this section.
(c) Private Right of Action. This section creates no private right of action to sue for enforcement of any provision of this section.