SB 104-19: BLACKHAT Act (Passed)

[OBD]

Aye

[If my soul was made of stone]

AYE

[GM Team Member and Deputy PPT WB]

Aye

[Bleach Blonde Bad Built Butch Bodies for Biden]

Vote on Final Senate Passage of the BLACKHAT Act:

Aye (15): Scott, Western Democrat, North Carolina Yankee, AGA, Muad'dib, Joseph Cao, Old School Republican, Pericles, S019, DeadPrez, Spark498, Kuumo, OBD,  discovolante, Weatherboy
Nay (0):
Abstain (0):

Didn't Vote (3): FalterinArc, KoopaDaQuick, tack50

The bill has passed the Senate and is sent to the President for executive action.

[Bleach Blonde Bad Built Butch Bodies for Biden]

A BILL
To fortify our nation's cybersecurity defenses and improve our overall knowledge of current cyber threats

Be it enacted by the Senate of the Republic of Atlasia assembled,

SECTION 1: TITLE
1. This legislation may be referred to as the Better Liability and Aggregated Cybersecurity Knowledge Helps Against Threats (BLACKHAT) Act.

SECTION 2: DEFINITIONS
1. Critical infrastructure refers to systems and assets, whether physical or virtual, so vital to Atlasia that the incapacity or destruction of such systems and assets would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters.
2. Covered entities refer to federal government agencies, federal contractors, owners or operators of critical infrastructure, and private entities that provide cybersecurity incident response services. Non-covered entities are private entities not included in these categories.
3. Ransomware refers to any type of malicious software that prevents the legitimate owner or operator of an information system or network from accessing computer files, systems, or networks, and demands the payment of a ransom for the return of such access.
4. A cybersecurity breach or cybersecurity intrusion is an attack on an entity's digital security and capabilities with the intent to jeopardize said security or cause damage to said capabilities, which shall be defined to cover, at minimum, the following characteristics:
   a. a nation-state is involved;
   b. a persistent threat cyber actor is involved;
   c. a transnational organized crime group is involved;
   d. the national security, economy, foreign relations, civil liberties, public health and safety, or public confidence of the Atlasian nation and people are harmed or likely to be harmed;
   e. ransomware is involved.
5. A cybersecurity notification is a notification of a cybersecurity breach in accordance with Section 5 of this Act.

SECTION 3: PROTECTION AND DEFENSE
1. Within 180 days of this legislation taking effect:
   a. Covered entities shall be directed by the agency or individual holding relevant authority to ensure proper certification of their cybersecurity practices according to national and international standards to be specified by the agency or individual in question.
   b. Federal government agencies shall publicly engage with other private-sector agencies with the goal of establishing common cybersecurity best practices and certifications to be adopted within the private sector at large.
   c. Government agencies, federal contractors, and critical infrastructure bodies shall additionally be required to evaluate the following for cyber-related vulnerabilities:
      i. existing cybersecurity procedures, including but not limited to employee practice, data protection, and software usage;
      ii. security of communications with first-tier suppliers, including but not limited to security procedures and transparency of the immediate supplier's operations.
2. $500 million shall be allocated to regional, state, and local governments to facilitate the implementation process for these goals.

SECTION 4: COOPERATION AND DETERRENCE
1. The Atlasian Congress recommends that the following courses of action be prioritized by the President and Secretary of State:
   a. continuation and expansion of international cooperation and enforcement in cybercrime investigations;
   b. working with international law enforcement units to bring foreign-based cyber criminals to justice;
   c. seeking maximum harmonization regarding the regulation of information flow between international bodies, including but not limited to:
      i. data sharing strategies;
      ii. national data protection laws;
      iii. privacy safeguards.

SECTION 5: REPORTING AND RESPONSE
1. A task force shall be created within the Cybersecurity and Infrastructure and Security Agency (CISA) to receive, analyse, and assess threats from cybersecurity incidents, with the authority to refer threats to the appropriate bodies wherever the situations below are satisfied.
2. Pursuant to this goal, CISA shall:
   a. coordinate with federal, regional and state agencies to an extent considered appropriate for fostering rapid communication and responses to cybersecurity incidents;
   b. develop procedures to analyse all incoming notifications with the aim of determining the following:
      i. the source of the breach;
      ii. the impact of the breach;
      iii. recommended actions to mitigate the impact of the breach;
      iv. information to provide on methods of securing the affected system against future breaches.
   c. compile a cybersecurity intelligence report characterizing the cybersecurity threat facing federal agencies and covered entities not less frequently than once every 30 days.
3. In the event of a cybersecurity breach, covered entities shall be required to submit the following information to CISA within 72 hours:
   a. the intrusion and its effects;
   b. the vulnerabilities exploited by the intrusion;
   c. information that might reasonably help to identify the intruder, e.g. IP addresses, domain name information, or samples of malware;
   d. actions taken to mitigate the effects of the intrusion;
   e. contact information.
4. CISA shall establish reporting capabilities to facilitate the secure, timely, and confidential submission of cybersecurity notifications:
   a. from all entities, whether covered or non-covered;
   b. which may contain classified information.
5. The security of these capabilities shall be evaluated annually.
6. Information contained in notifications shall be:
   a. exempt from FOIA requests or disclosure under regional, state, or local provisions;
   b. prohibited from being admitted as evidence in any civil or criminal action, or subject to subpoenas outside of those issued for congressional oversight purposes;
   c. subject to standard privacy and protection procedures, provided that they are known to contain personal and identifying information not directly related to cybersecurity threats.

SECTION 6: LIABILITY
1. No cause of action shall lie or be maintained in any court by any person or entity, other than the Federal Government of Atlasia pursuant to §6.2 or any applicable law, against any covered entity due to the submission of a cybersecurity notification through the capabilities established in Section 5, and any such action shall be promptly dismissed.
2. The terms of Section 5 shall be enforced as follows:
   a. Federal contractors found in violation of this section shall face penalties to be determined by the General Services Administration, which may include withdrawal of federal contracts.
   b. Private entities found in violation of this section shall be subject to fines equalling 0.5%/day of the entity's gross revenue from the previous fiscal year.
   c. Violations of this Act by federal agencies shall be referred to the Inspector General for the offending agency.

SECTION 7: IMPLEMENTATION
1. This legislation shall take effect immediately upon being signed into law.

Passed 15-0-0-3 in the Atlasian Senate assembled,

Scott, President pro tempore