国会记录:2000年4月12日(延期)
页面E545-E5462000年网络安全信息法案介绍______弗吉尼亚州众议员托马斯·m·戴维斯2000年4月12日星期三弗吉尼亚州的戴维斯先生。议长先生,我很高兴今天能站起来介绍立法来自弗吉尼亚州北部我的朋友和同事,代表吉姆·莫兰,这将有利于我们国家的关键基础设施免受网络威胁的保护。在第104届国会中,我们呼吁政府当局研究我们国家的关键基础设施的脆弱性,并找出解决方案来解决这些漏洞。当局已通过总统和参与机构,确定了一些必须以消除对我们的关键基础设施显著损害的潜在威胁采取措施。在这些建议最重要的是,必须确保关键基础设施的公共和私营部门代表之间的协调。我今天介绍的法案是在鼓励与政府私营部门合作和参与实现这一目标的第一步。美国的关键基础设施主要是国有和私营部门经营。关键基础设施是那些对经济和政府最低程度的业务关键系统。我们的关键基础设施包括金融服务,电信,信息技术,交通运输,供水系统,应急服务,电力,私人企业天然气和石油部门以及我们的[[页E546]国防,执法和政府内部的国际安全部门。传统上,这些行业主要是彼此独立运作,并与政府协调,以保护自己免受由传统战争所造成的威胁。 Today, these sectors must learn how to protect themselves against unconventional threats such as terrorist attacks, and cyber attack. These sectors must also recognize the vulnerabilities they may face because of the tremendous technological progress we have made. As we learned when planning for the challenges presented by the Year 2000 rollover, many of our computer systems and networks are now interconnected and communicate with many other systems. With the many advances in information technology, many of our critical infrastructure sectors are linked to one another and face increased vulnerability to cyber threats. Technology interconnectivity increases the risk that problems affecting one system will also affect other connected systems. Computer networks can provide pathways among systems to gain unauthorized access to data and operations from outside locations if they are not carefully monitored and protected. A cyber threat could quickly shutdown any one of our critical infrastructures and potentially cripple several sectors at one time. Nations around the world, including the United States, are currently training their military and intelligence personnel to carry out cyber attacks against other nations to quickly and efficiently cripple a nation's daily operations. cyber attacks have moved beyond the mischievous teenager and are being learned and used by terrorist organizations as the latest weapon in a nation's arsenal. In June 1998 and February 1999, the Director of the Central Intelligence Agency testified before Congress that several nations recognize that cyber attacks against civilian computer systems represent the most viable option for leveling the playing field in an armed crisis against the United States. The Director also stated that several terrorist organizations believed information warfare to be a low cost opportunity to support their causes. Both Presidential Decision Directive 63 (PDD- 63) issued in May 1998, and the President's National Plan for Information Systems Protection, Version 1.0 issued in January 2000, call on the legislative branch to build the necessary framework to encourage information sharing to address cyber security threats to our nation's privately held critical infrastructure. Recently, we have learned the inconveniences that may be caused by a cyber attack or unforeseen circumstance. Earlier this year, many of our most popular sites such as Yahoo, eBay and Amazon.com were shutdown for several hours at a time over several days by a team of hackers interested in demonstrating their capability to disrupt service. While we may have found the shutdown of these sites temporarily inconvenient, they potentially cost those companies significant amounts of lost revenue, and it is not too difficult to imagine what would have occurred if the attacks had been focused on our utilities, or emergency services industries. We, as a society, have grown increasingly dependent on our infrastructure providers. I am sure many of you recall when PanAmSat's Galaxy IV satellite's on-board controller lost service. An estimated 80 to 90% of our nation's pagers were inoperable, and hospitals had difficulty reaching doctors on call and emergency workers. It even impeded the ability of consumers to use credit cards to pay for their gas at the pump. Moreover, recent studies have demonstrated that the incidence of cyber security threats to both the government and the private sector are only increasing. According to an October 1999 report issued by the General Accounting Office (GAO), the number of reported computer security incidents handled by Carnegie-Mellon University's CERT Coordination Center has increased from 1,334 in 1993 to 4,398 during the first two quarters of 1999. Additionally, the Computer Security Institute reported an increased in attacks for the third year in a row based on responses to their annual survey on computer security. GAO has done a number of reports that give Congress an accurate picture of the risk facing federal agencies; they cannot track such information for the private sector. We must rely on the private sector to share its vulnerabilities with the federal government so that all of our critical infrastructures are protected. Today, I am introducing legislation that gives critical infrastructure industries the assurances they The Cyber Security Information Act of 2000 is closely modeled after the successful Year 2000 Information and Readiness Disclosure Act by providing a limited FOIA exemption, civil litigation protection for shared information, and an antitrust exemption for information shared within an ISAC. These three protections have been previously cited by the Administration as necessary legislative remedies in Version 1.0 of the National Plan and PDD-63. This legislation will enable the ISACs to move forward without fear from industry so that government and industry may enjoy the mutually cooperative partnership called for in PDD-63. This will also allow us to get a timely and accurate assessment of the vulnerabilities of each sector to cyber attacks and allow for the formulation of proposals to eliminate these vulnerabilities without increasing government regulation, or expanding unfunded federal mandates on the private sector. PDD-63 calls upon the government to put in place a critical infrastructure proposal that will allow for three tasks to be accomplished by 2003: (1) The Federal Government must be able to perform essential national security missions and to ensure the general public health and safety; (2) State and local governments must be able to maintain order and to deliver minimum essential public services; and (3) The private sector must be able to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services. This legislation will allow the private sector to meet this deadline. We will also ensure the ISACs can move forward to accomplish their missions by developing the necessary technical expertise to establish baseline statistics and patterns within the various infrastructures, become a clearinghouse for information within and among the various sectors, and provide a repository of valuable information that may be used by the private sector. As technology continues to rapidly improve industry efficiency and operations, so will the risks posed by vulnerabilities and threats to our infrastructure. We must create a framework that will allow our protective measures to adapt and be updated quickly. It is my hope that we will be able to move forward quickly with this legislation and that Congress and the Administration can move forward in partnership to provide industry and government with the tools for meeting this challenge. A Congressional Research Service report on the ISAC proposal describes the information sharing model one of the most crucial pieces for success in protecting our critical infrastructure, yet one of the hardest pieces to realize. With the introduction of the Cyber Security Information Act of 2000, we are removing the primary barrier to information sharing between government and industry. This is landmark legislation that will be replicated around the globe by other nations as they too try to address threats to their critical infrastructure. Mr. Speaker, I believe that the Cyber Security Information Act of 2000 will help us address critical infrastructure cyber threats with the same level of success we achieved in addressing the Year 2000 problem. With government and industry cooperation, the seamless delivery of services and the protection or our nation's economy and well-being will continue without interruption just as the delivery of services continued on January 1, 2000.
第106届国会 无论它是由美国国会参众两院制定的,
2 d会话h . r . 4246
在众议院
维吉尼亚的戴维斯先生(为他自己和维吉尼亚的莫兰先生)作了介绍
以下账单;委员会在______________一项法案
鼓励安全的披露和受保护的交换
关于网络安全问题和解决方案的信息,
测试实践和测试结果,以及相关事宜
连接关键基础设施保护。部分。1.短标题。
本法案可被引用为网络安全信息法案。
秒。2。结果和目的。
(一)发现。�国会发现:
(1)(A)许多信息技术计算机系统、软件程序和类似设施容易通过互联网、公共或私人电信系统或类似手段受到攻击或被滥用。
(b)的目的。根据《美国宪法》第1条第8款第3款所包含的权力,本法的目的为(B)第(A)段所描述的问题及其导致的故障可能使美国和全世界的市场、商业、消费品、公用事业、政府、安全和国防系统的运作所必需的系统丧失能力。
(C)在问题使基本系统丧失能力之前保护、重新规划或更换受影响的系统是一个国家和全球利益的问题。
(2)及时、坦诚、全面、但安全、受保护地披露和交换实体、系统和基础设施的网络安全相关信息
(A)将大大增强公共和私营实体改善自身网络安全的能力;和
(3)对与披露相关的法律责任潜力的担忧和网络安全信息交换可能不必要地阻碍安全的披露和保护的此类信息交换。
(B)因此是一个国家重要的问题,是最大限度地减少任何潜在的网络安全对国家的经济福祉和安全的破坏的关键因素。(4)能够安全地披露和参与保护的信息交换相关的网络安全,解决方案,测试实践和测试结果,没有过度的担忧不恰当披露这些信息,公共和私人实体的能力至关重要,及时解决网络安全需求。
(5)在网络安全信息的安全披露和受保护的交换方面,将遵循统一的法律标准,以维护国家利益,促进此类信息的适当披露和及时交换。
(6)由总统于2000年1月7日发布的《国家信息系统保护计划1.0版——对话邀请》,呼吁政府协助寻求信息自由、责任、法律的修订。并在适当的情况下建立反垄断,以促进全行业的信息共享和分析中心。
(1)促进与网络安全有关的信息的安全披露和受保护的交换;
(2)协助私营企业和政府有效、快速地应对网络安全问题;
(3)在与网络安全相关的信息的安全披露和受保护的交换方面,通过建立某些统一的法律原则,减轻州际贸易的负担;和
(4)保护网络和系统的合法用户,保护共享信息的隐私和信心。
秒。3。定义。
在这个行为:
(1)反托拉斯法。这个术语是指反垄断法
(A)具有《克莱顿法案》(15 U.S.C. 12(A))第一节(A)小节赋予的含义,但该术语包括《联邦贸易委员会法案》(15 U.S.C. 45)第5节,且该第5节适用于不公平竞争方法;和
(B)包括与(A)项所述法律类似的任何国家法律。
(2)关键基础设施。关键基础设施是指对国家或经济至关重要的设施或服务,一旦中断、丧失能力或遭到破坏,将对美国的国防、安全、长期经济繁荣或健康或安全造成破坏性影响。
(3)网络安全。��网络安全一词指任何计算系统、软件程序或关键基础设施在滥用或以未经授权的方式使用互联网、公共或私人电信系统时,对故意干扰、妥协或丧失能力的脆弱性或抵抗能力。或违反联邦法、州法或国际法、损害美国州际贸易或威胁公共健康或安全的其他类似行为。
(4)网络安全网站。该术语指的是一个互联网网站或其他类似的电子访问服务,由创建或控制网站或服务内容的个人或实体在网站或服务上明确指定为发布网络安全声明或使适当实体可访问的区域。
(5)网络安全声明
(一)一般。�网络安全声明是指一方以任何形式或媒介,包括通过网络安全网站,向另一方进行的任何通信或其他形式的信息传递
(i)就该实体、其计算机系统、软件程序或其本身的类似设施的网络安全进行的评估、预测或估计;
(B)不包括在内。�为了任何行动受到美国证券法律,这个词是在第三节中定义(a)(47)的1934年证券交易法(事项78 c (a)(47)),这个词��网络安全声明��不包括语句中包含的任何文件或材料提交给美国证券交易委员会(sec),或根据1934年《证券交易法》(15 U.S.C. 781(i))第12(i)条与联邦银行监管机构合作,或在证券要约或销售邀请中披露或撰写相关信息。(ii)关于实施或验证其网络安全的计划、目标或时间表;
(iii)涉及测试计划、测试日期、测试结果或与其网络安全相关的运营问题或解决方案;或
(iv)审查、评论或以其他方式直接或间接涉及其网络安全。
秒。4。特殊的数据收集。
(一)一般来说,�Any Federal entity, agency, or authority may expressly designate a request for the voluntary provision of information relating to cyber security, including cyber security statements, as a cyber security data gathering request made pursuant to this section.
(b)的细节。根据本节提出的网络安全数据收集请求
(A)应指定一个联邦实体、机构或当局,或在其同意下,指定另一个公共或私人实体、机构或当局收集对请求的回应;
(c)的保护。除经第(1)段所述信息提供者明示同意或许可外,任何一方应根据本节提出的特殊网络安全数据收集请求而提供的任何网络安全声明或其他该等信息均属例外(B)应是私人实体、机构或当局向联邦实体、机构或当局提出的请求;或
(C)当联邦实体、机构或当局自愿获得由该私人实体、机构或当局收集的网络安全信息(包括通过网络安全互联网网站)时,应视为已作出并已指定该私人实体、机构或当局。
(1)应豁免所有联邦实体、机构和当局根据《美国法典》第5编第552(a)条(通常称为《信息自由法》)披露的信息;
(d)例外。�(2)不得向任何第三方披露或由任何第三方披露;和
(3)不得被任何联邦或州实体、机构或当局或任何第三方直接或间接地用于根据任何联邦或州法律产生的任何民事诉讼。
(1)从其他地方获得的信息。任何联邦实体、机构、权威机构或任何第三方均不得通过使用独立的法律权威机构,单独获取根据本节要求提交的信息,并在任何行动中使用该等单独获取的信息。
5秒。。反垄断豁免。(2)公开披露。根据本条规定对信息的使用或披露的限制不适用于经当事人明确同意的一般或广泛向公众披露的任何信息。
(一)免税。除第(b)款规定外,反托拉斯法仅适用于为目的或仅限于为�
(b)豁免的例外。第(a)款不适用于涉及或导致抵制任何人、分配市场或固定价格或产量协议的行为。
(1)协助纠正或避免与网络安全有关的问题;或
(2)沟通或披露信息以帮助纠正或避免网络安全相关问题的影响。
秒。6。网络安全工作组。
(一)一般来说,�
(1)工作小组。总统可以建立和终止由联邦雇员组成的工作组,这些工作组将与外部组织讨论网络安全问题,共享与网络安全相关的信息,以及其他服务于本法的目的。
(b)联邦咨询委员会法案。�《联邦咨询委员会法》(5 U.S.C. App)不适用于根据本节设立的工作组。(2)团体名单。总统应维护并向公众提供此类工作组的打印和电子清单,以及每个工作组的联络点,以及联络点的地址、电话号码和电子邮件地址。
(3)平衡。总统应寻求在各工作组中实现参与率和代表性的平衡。
(4)会议。根据本节设立的工作组的每次会议都应按照总统制定的程序提前宣布。
(c)私人诉讼权。本节不创设因执行本节任何条款而提起诉讼的私人诉讼权利。