Cyber Security Public Awareness Act of 2011 - Directs the Secretary of Homeland Security (DHS) to submit an annual report that: (1) summarizes major cyber incidents involving networks of executive agencies, except for the Department of Defense (DOD); (2) provides aggregate statistics on the number of breaches of networks of executive agencies, the volume of data exfiltrated, and the estimated cost of remedying the breaches; and (3) discusses the risk of cyber sabotage. Requires a similar report by the Secretary of DOD.
Directs: (1) the Attorney General and the Director of the Federal Bureau of Investigation (FBI) to submit reports and annual updates describing investigations and prosecutions by the Department of Justice (DOJ) relating to cyber crimes, resources devoted to the enforcement, investigation, and prosecution of such crimes, and legal impediments to such prosecutions; (2) the Securities and Exchange Commission (SEC) to report on the extent of financial risk to issuers of securities caused by cyber crimes, on any resulting legal liability, and on whether current financial statements of issuers transparently reflect that risk to shareholders; and (3) designated primary regulators responsible for the security of specified critical industries to submit annual reports describing vulnerabilities to, and the prevalence of, cyber attacks for each industry.
Directs the Attorney General, in coordination with the Administrative Office of the United States Courts, to submit a report on: (1) whether federal courts have granted timely relief in matters relating to botnets and other cyber crime and cyber security threats; and (2) recommended changes to the rules of civil or criminal procedure, the resources, capabilities, and specialization of courts to which such cases may be assigned, and federal civil and criminal laws.
Directs the Secretary of DHS to: (1) submit annual reports describing policies and procedures for federal agencies to assist a private sector entity in defending its information networks against cyber threats that could result in loss of life or significant harm to the national economy or national security; (2) contract with the National Research Council or another federally funded research and development corporation for reports on available technical options for enhancing the security of the information networks of entities that own or manage critical infrastructure; (3) submit annual reports on impediments to public awareness of common cyber security threats; (4) submit annual reports on the vulnerability to malicious activity of U.S. telecommunications networks due to the presence of technology produced by foreign suppliers linked to a foreign government; and (5) submit a report on the threat of a cyber attack disrupting the U.S. electrical grid and the national security implications.
[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[S. 813 Introduced in Senate (IS)]
112th CONGRESS
1st Session
S. 813
To promote public awareness of cyber security.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 13, 2011
Mr. Whitehouse (for himself and Mr. Kyl) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To promote public awareness of cyber security.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Security Public Awareness Act
of 2011''.
SEC. 2. FINDINGS.
(a) Congress finds the following:
(1) Information technology is central to the effectiveness,
efficiency, and reliability of the industry and commercial
services, Armed Forces and national security systems, and the
critical infrastructure of the United States.
(2) Cyber criminals, terrorists, and agents of foreign
powers have taken advantage of the connectivity of the United
States to inflict substantial damage to the economic and
national security interests of the Nation.
(3) The cyber security threat is sophisticated, relentless,
and massive, exposing all consumers in the United States to the
risk of substantial harm.
(4) Businesses in the United States are bearing enormous
losses as a result of criminal cyber attacks, depriving
businesses of hard-earned profits that could be reinvested in
further job-producing innovation.
(5) Hackers continuously probe the networks of Federal and
State agencies, the Armed Forces, and the commercial industrial
base of the Armed Forces, and already have caused substantial
damage and compromised sensitive and classified information.
(6) Severe cyber security threats will continue, and will
likely grow, as the economy of the United States grows more
connected, criminals become increasingly sophisticated in
efforts to steal from consumers, industries, and businesses in
the United States, and terrorists and foreign nations continue
to use cyberspace as a means of attack against the national and
economic security of the United States.
(7) Public awareness of cyber security threats is essential
to cyber security defense. Only a well-informed public and
Congress can make the decisions necessary to protect consumers,
industries, and the national and economic security of the
United States.
(8) As of 2011, the level of public awareness of cyber
security threats is unacceptably low. Only a tiny portion of
relevant cyber security information is released to the public.
Information about attacks on Federal Government systems is
usually classified. Information about attacks on private
systems is ordinarily kept confidential. Sufficient mechanisms
do not exist to provide meaningful threat reports to the public
in unclassified and anonymized form.
SEC. 3. CYBER INCIDENTS AGAINST GOVERNMENT NETWORKS.
(a) Department of Homeland Security.--Not later than 180 days after
the date of enactment of this Act, and annually thereafter, the
Secretary of Homeland Security shall submit to Congress a report that--
(1) summarizes major cyber incidents involving networks of
executive agencies (as defined in section 105 of title 5,
United States Code), except for the Department of Defense;
(2) provides aggregate statistics on the number of breaches
of networks of executive agencies, the volume of data
exfiltrated, and the estimated cost of remedying the breaches;
and
(3) discusses the risk of cyber sabotage.
(b) Department of Defense.--Not later than 180 days after the date
of enactment of this Act, and annually thereafter, the Secretary of
Defense shall submit to Congress a report that--
(1) summarizes major cyber incidents against networks of
the Department of Defense and the military departments;
(2) provides aggregate statistics on the number of breaches
against networks of the Department of Defense and the military
departments, the volume of data exfiltrated, and the estimated
cost of remedying the breaches; and
(3) discusses the risk of cyber sabotage.
(c) Form of Reports.--Each report submitted under this section
shall be in unclassified form, but may include a classified annex as
necessary to protect sources, methods, and national security.
SEC. 4. PROSECUTION FOR CYBERCRIME.
(a) In General.--Not later than 180 days after the date of
enactment of this Act, the Attorney General and the Director of the
Federal Bureau of Investigation shall submit to Congress reports--
(1) describing investigations and prosecutions by the
Department of Justice relating to cyber intrusions or other
cybercrimes the preceding year, including--
(A) the number of investigations initiated relating
to such crimes;
(B) the number of arrests relating to such crimes;
(C) the number and description of instances in
which investigations or prosecutions relating to such
crimes have been delayed or prevented because of an
inability to extradite a criminal defendant in a timely
manner; and
(D) the number of prosecutions for such crimes,
including--
(i) the number of defendants prosecuted;
(ii) whether the prosecutions resulted in a
conviction;
(iii) the sentence imposed and the
statutory maximum for each such crime for which
a defendant was convicted; and
(iv) the average sentence imposed for a
conviction of such crimes;
(2) identifying the number of employees, financial
resources, and other resources (such as technology and
training) devoted to the enforcement, investigation, and
prosecution of cyber intrusions or other cybercrimes, including
the number of investigators, prosecutors, and forensic
specialists dedicated to investigating and prosecuting cyber
intrusions or other cybercrimes; and
(3) discussing any impediments under the laws of the United
States or international law to prosecutions for cyber
intrusions or other cybercrimes.
(b) Updates.--The Attorney General and the Director of the Federal
Bureau of Investigation shall annually submit to Congress reports
updating the reports submitted under section (a) at the same time the
Attorney General and Director submit annual reports under section 404
of the Prioritizing Resources and Organization for Intellectual
Property Act of 2008 (42 U.S.C. 3713d).
SEC. 5. ASSISTANCE PLAN FOR SIGNIFICANT PRIVATE CYBER INCIDENTS.
(a) In General.--Not later than 180 days after the date of
enactment of this Act, and annually thereafter, the Secretary of
Homeland Security shall submit to Congress a report that describes
policies and procedures for Federal agencies to assist a private sector
entity in the defending of the information networks of the private
sector entity against cyber threats that could result in loss of life
or significant harm to the national economy or national security.
(b) Form of Reports.--Each report submitted under this section
shall be in unclassified form, but may include a classified annex as
necessary to protect sources, methods, proprietary or sensitive
business information, and national security.
SEC. 6. CYBERCRIME REPORTING TO SHAREHOLDERS.
Not later than 180 days after the date of enactment of this Act,
the Securities and Exchange Commission, in consultation with the
Secretary of Homeland Security, shall submit to Congress a report on--
(1) the extent of financial risk to issuers of securities
caused by cyber intrusions or other cybercrimes, and any
resulting legal liability; and
(2) whether current financial statements of issuers
transparently reflect the risk described in paragraph (1) to
shareholders.
SEC. 7. PRIMARY REGULATORS OF CRITICAL INFRASTRUCTURE.
(a) Definitions.--In this section the term ``primary regulators
responsible for the physical and economic security of each critical
industry'' means--
(1) for the energy industry, the Federal Energy Regulatory
Commission, the Nuclear Regulatory Commission, and the
Secretary of Energy;
(2) for the financial services industry, the Federal
Deposit Insurance Commission, the Secretary of the Treasury,
and the Chairman of the Securities and Exchange Commission;
(3) for the air, rail, and ground transportation industry,
the Secretary of Transportation;
(4) for the communications industry, the Federal
Communications Commission;
(5) for the food supply industry, the Commissioner of Food
and Drugs;
(6) for the water supply industry, the Administrator of the
Environmental Protection Agency; and
(7) for any other element of the economy determined to be
critical by the Secretary of Homeland Security, the Federal
Trade Commission.
(b) Reports.--Not later than 180 days after the date of enactment
of this Act, and annually thereafter for 3 years, the primary regulator
for each critical industry, in consultation with the Secretary of
Homeland Security, shall submit to Congress a report that describes
the--
(1) nature and state of the vulnerabilities to cyber
attacks of each industry described in subsection (a);
(2) prevalence and seriousness of cyber attacks in each
industry described in subsection (a);
(3) recommended steps to thwart or diminish cyber attacks;
and
(4) whether the concept of cyber security and information
assurance cooperative activities with private sector partners
developed by the Defense Industrial Base of the Department of
Defense may be applied to the critical industries described in
subsection (a).
(c) Form of Reports.--Each report submitted under this section--
(1) shall be--
(A) in unclassified form; and
(B) anonymized as the Secretary determines
necessary to protect confidential business information;
and
(2) may include a classified annex as necessary to protect
sources, methods, proprietary or sensitive business
information, and national security.
SEC. 8. RESEARCH REPORT ON IMPROVING SECURITY OF INFORMATION NETWORKS
OF CRITICAL INFRASTRUCTURE ENTITIES.
(a) Definition.--In this section, the term ``critical
infrastructure'' has the meaning given that term in section 1016(e) of
the USA PATRIOT Act (42 U.S.C. 5195c(e)).
(b) Reports.--
(1) In general.--The Secretary of Homeland Security shall
enter into a contract with the National Research Council, or
another federally funded research and development corporation,
under which the Council or corporation shall submit to Congress
reports on available technical options, consistent with
Constitutional and statutory privacy rights, for enhancing the
security of the information networks of entities that own or
manage critical infrastructure through--
(A) technical improvements, including developing a
secure domain; or
(B) increased notice of and consent to the use of
technologies to scan for, detect, and defeat cyber
security threats, such as technologies used in a secure
domain.
(2) Timing.--The contract entered into under paragraph (1)
shall require that the report described in paragraph (1) be
submitted--
(A) not later than 180 days after the date of
enactment of this Act;
(B) annually, after the first report submitted
under paragraph (1), for 3 years; and
(C) more frequently, as determined appropriate by
the Secretary of Homeland Security in response to new
risks or technologies that emerge.
SEC. 9. PREPAREDNESS OF FEDERAL COURTS TO PROMOTE CYBER SECURITY.
Not later than 180 days after the date of enactment of this Act,
the Attorney General, in coordination with the Administrative Office of
the United States Courts, shall submit to Congress a report--
(1) on whether Federal courts have granted timely relief in
matters relating to botnets and other cybercrime and cyber
security threats; and
(2) that includes, as appropriate, recommendations on
changes or improvements to--
(A) the Federal Rules of Civil Procedure or the
Federal Rules of Criminal Procedure;
(B) the training and other resources available to
support the Federal judiciary;
(C) the capabilities and specialization of courts
to which such cases may be assigned; and
(D) Federal civil and criminal laws.
SEC. 10. IMPEDIMENTS TO PUBLIC AWARENESS.
Not later than 180 days after the date of enactment of this Act,
and annually thereafter for 3 years (or more frequently if determined
appropriate by the Secretary of Homeland Security) the Secretary of
Homeland Security shall submit to Congress a report on--
(1) legal or other impediments to appropriate public
awareness of--
(A) the nature of, methods of propagation of, and
damage caused by common cyber security threats such as
computer viruses, phishing techniques, and malware;
(B) the minimal standards of computer security
necessary for responsible Internet use; and
(C) the availability of commercial off the shelf
technology that allows consumers to meet such levels of
computer security;
(2) a summary of the plans of the Secretary of Homeland
Security to enhance public awareness of common cyber security
threats, including a description of the metrics used by the
Department of Homeland Security for evaluating the efficacy of
public awareness campaigns; and
(3) recommendations for congressional actions to address
these impediments to appropriate public awareness of common
cyber security threats.
SEC. 11. PROTECTING THE INFORMATION TECHNOLOGY SUPPLY CHAIN OF THE
UNITED STATES.
(a) Definitions.--In this section--
(1) the term ``information technology supply chain of the
United States'' means the public and private telecommunications
networks of the United States; and
(2) the term ``telecommunications networks of the United
States'' includes--
(A) telephone systems;
(B) Internet systems;
(C) fiber optic lines, including cable landings;
(D) computer networks; and
(E) smart grid technology under development by the
Department of Energy.
(b) Report.--Not later than 90 days after the date of enactment of
this Act, and annually thereafter, the Secretary of Homeland Security
shall submit to Congress a report that--
(1) identifies foreign suppliers of information technology
(including equipment, software, and services) that are linked
directly or indirectly to a foreign government, including--
(A) by ties to the military forces of a foreign
government; or
(B) by being the beneficiaries of significant low
interest or no interest loans, loan forgiveness, or
other support by a foreign government;
(2) discusses the extent to which goods produced by
suppliers identified under paragraph (2) have been integrated
into the information technology supply chain of the United
States;
(3) identifies specific telecommunications networks of the
United States that include information technology identified
under paragraph (1); and
(4) assesses the vulnerability to malicious activity,
including cyber crime or espionage, of the telecommunications
networks of the United States identified under paragraph (3)
due to the presence of technology produced by suppliers
identified under paragraph (1).
SEC. 12. PROTECTING THE ELECTRICAL GRID OF THE UNITED STATES.
Not later than 180 days after the date of enactment of this Act,
the Secretary of Homeland Security, in consultation with the Secretary
of Defense and the Director of National Intelligence, shall submit to
Congress a report on--
(1) the threat of a cyber attack disrupting the electrical
grid of the United States;
(2) the implications for the national security of the
United States if the electrical grid is disrupted;
(3) the options available to the United States and private
sector entities to quickly reconstitute electrical service to
provide for the national security of the United States, and,
within a reasonable time frame, the reconstitution of all
electrical service within the United States; and
(4) a plan to prevent disruption of the electric grid of
the United States caused by a cyber attack.
<all>
Introduced in Senate
Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
Sponsor introductory remarks on measure. (CR S2498)