[Pages S8713-S8714]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

By Mr. CARDIN (for himself and Mr. Whitehouse):
S. 4021. A bill to reduce the ability of terrorists, spies,
criminals, and other malicious actors to compromise, disrupt, damage,
and destroy computer networks, critical infrastructure, and key
resources, and for other purposes; to the Committee on Commerce,
Science, and Transportation.
Mr. CARDIN. Mr. President, the Internet has had a profound impact on
the daily lives of millions of Americans by enhancing communications,
commerce, education, and socialization between and among persons
regardless of their location. However, computers and other devices that
connect to the Internet may be used, exploited, and compromised by
terrorists, criminals, spies, and other malicious actors. As a result,
they pose a risk to computer networks, critical infrastructure, and key
resources in the United States. Users of computers and other devices
that connect to the Internet are generally unaware that these devices
can be easily used, exploited and compromised by others with spam,
viruses, and other malicious software and agents. Internet and
cybersecurity safety has therefore become an urgent homeland security
issue that needs to be addressed by internet service providers,
technology companies, other entities that enable devices to connect to
the Internet, and by individuals.
I have been focusing on cybersecurity issues for quite some time.
More than a year ago, as chairman of the Terrorism and Homeland
Security Subcommittee of the Judiciary Committee, I chaired a
Subcommittee hearing titled ``Cybersecurity: Preventing Terrorist
Attacks and Protecting Privacy in Cyberspace.'' The hearing included
witnesses from key Federal agencies responsible for cybersecurity, as
well as representatives of the private sector. We reviewed governmental
and private sector efforts to prevent a terrorist cyber attack that
could cripple large sectors of our government, economy, and essential
services. It was both illuminating and frightening.
The expertise that I have developed in regard to cybersecurity has
convinced me that the Government and the private sector need to work
together to develop and enforce minimum Internet and cybersecurity
safety standards for users of computers and

[[Page S8714]]

other devices that connect to the Internet. In the same way that
automobiles cannot and should not be sold or operated on public
highways unless they meet certain minimum safety standards, minimum
Internet and cybersecurity safety standards are essential for the
nation's information superhighway.
As a result, today I am introducing the Internet and Cybersecurity
Safety Standards Act, ICSSA. My bill will require the Secretary of
Homeland Security, in consultation with the Attorney General and the
Secretary of Commerce, to conduct an analysis to determine the costs
and benefits of requiring internet service providers and others to
develop and enforce minimum Internet and cybersecurity safety
standards. The Secretary will be required to consider all relevant
factors in this analysis, including the effect that the development and
enforcement of minimum Internet and cybersecurity safety standards
would have on homeland security, the global economy, innovation,
individual liberty, and privacy. My bill will also require the
Secretary of Homeland Security, the Attorney General and the Secretary
of Commerce to consult with relevant stakeholders in the Government
and, most importantly, the private sector, including the academic
community and groups or institutions that have scientific and technical
expertise related to standards for computer networks, critical
infrastructure, or key resources. The private sector must be a partner
in the efforts to secure the nation's information superhighway. Under
my bill, the Secretary of Homeland Security will be required to report
to Congress within one year with specific recommendations for minimum
voluntary or mandatory Internet and cybersecurity standards for
computers and other devices that connect to the Internet, so that we
can prevent them from being used, exploited, and compromised by
terrorists, criminals, spies, and other malicious actors.
In December of 2009, I praised the appointment of Howard Schmidt as
the new White House Cybersecurity Coordinator to make sure that
agencies are all working together on this critical challenge. In April
of this year, I also stressed with Secretary Napolitano, at a Senate
Judiciary Committee oversight hearing for the Department of Homeland
Security, the need to continue to make cybersecurity a top priority.
But we can and must do more. My bill will help secure our nation's
digital future.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the text of the bill was ordered to be
printed in the Record, as follows:

S. 4021

Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Internet and Cybersecurity
Safety Standards Act''.

SEC. 2. DEFINITIONS.

In this Act:
(1) Computers.--Except as otherwise specifically provided,
the term ``computers'' means computers and other devices that
connect to the Internet.
(2) Providers.--The term ``providers'' means Internet
service providers, communications service providers,
electronic messaging providers, electronic mail providers,
and other persons who provide a service or capability to
enable computers to connect to the Internet.
(3) Secretary.--Except as otherwise specifically provided,
the term ``Secretary'' means the Secretary of Homeland
Security.

SEC. 3. FINDINGS.

Congress finds the following:
(1) While the Internet has had a profound impact on the
daily lives of the people of the United States by enhancing
communications, commerce, education, and socialization
between and among persons regardless of their location,
computers may be used, exploited, and compromised by
terrorists, criminals, spies, and other malicious actors,
and, therefore, computers pose a risk to computer networks,
critical infrastructure, and key resources in the United
States. Indeed, users of computers are generally unaware that
their computers may be used, exploited, and compromised by
others with spam, viruses, and other malicious software and
agents.
(2) Since computer networks, critical infrastructure, and
key resources of the United States are at risk of being
compromised, disrupted, damaged, or destroyed by terrorists,
criminals, spies, and other malicious actors who use
computers, Internet and cybersecurity safety is an urgent
homeland security issue that needs to be addressed by
providers, technology companies, and persons who use
computers.
(3) The Government and the private sector need to work
together to develop and enforce minimum Internet and
cybersecurity safety standards for users of computers to
prevent terrorists, criminals, spies, and other malicious
actors from compromising, disrupting, damaging, or destroying
the computer networks, critical infrastructure, and key
resources of the United States.

SEC. 4. COST-BENEFIT ANALYSIS.

(a) Requirement for Analysis.--The Secretary, in
consultation with the Attorney General and the Secretary of
Commerce, shall conduct an analysis to determine the costs
and benefits of requiring providers to develop and enforce
minimum Internet and cybersecurity safety standards for users
of computers to prevent terrorists, criminals, spies, and
other malicious actors from compromising, disrupting,
damaging, or destroying computer networks, critical
infrastructure, and key resources.
(b) Factors.--In conducting the analysis required by
subsection (a), the Secretary shall consider all relevant
factors, including the effect that the development and
enforcement of minimum Internet and cybersecurity safety
standards may have on homeland security, the global economy,
innovation, individual liberty, and privacy.

SEC. 5. CONSULTATION.

In conducting the analysis required by section 4, the
Secretary, in consultation with the Attorney General and the
Secretary of Commerce, shall consult with relevant
stakeholders in the Government and the private sector,
including the academic community, groups, or other
institutions, that have scientific and technical expertise
related to standards for computer networks, critical
infrastructure, or key resources.

SEC. 6. REPORT.

(a) In General.--Not later than 1 year after the date of
the enactment of this Act, the Secretary shall submit to the
appropriate committees of Congress a final report on the
results of the analysis required by section 4. Such report
shall include the consensus recommendations, if any, for
minimum voluntary or mandatory Internet and cybersecurity
safety standards that should be developed and enforced for
users of computers to prevent terrorists, criminals, spies,
and other malicious actors from compromising, disrupting,
damaging, or destroying computer networks, critical
infrastructure, and key resources.
(b) Appropriate Committees of Congress.--In this section,
the term ``appropriate committees of Congress'' means--
(1) the Committee on Commerce, Science, and Transportation,
the Committee on Homeland Security and Governmental Affairs,
and the Committee on the Judiciary of the Senate; and
(2) the Committee on Energy and Commerce, the Committee on
Homeland Security, the Committee on the Judiciary, and the
Committee on Oversight and Government Reform of the House of
Representatives.

____________________