SB 104-19: BLACKHAT Act (Passed)
Author Topic: SB 104-19: BLACKHAT Act (Passed)  (Read 1398 times)
Mad Deadly Worldwide Communist Gangster Computer God
Just Passion Through
Atlas Legend
Posts: 45,272
Norway
Political Matrix
E: -6.32, S: -7.48
« on: August 06, 2021, 11:23:39 PM »
« edited: September 28, 2021, 03:36:53 PM by Senator Scott, PPT🎃 »

Quote
A BILL
To fortify our nation's cybersecurity defenses and improve our overall knowledge of current cyber threats

Be it enacted by the Senate of the Republic of Atlasia assembled,
Quote
SECTION 1: TITLE
1. This legislation may be referred to as the Better Liability and Aggregated Cybersecurity Knowledge Helps Against Threats (BLACKHAT) Act.

SECTION 2: DEFINITIONS
1. Critical infrastructure refers to systems and assets, whether physical or virtual, so vital to Atlasia that the incapacity or destruction of such systems and assets would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters.
2. Covered entities refer to federal government agencies, federal contractors, owners or operators of critical infrastructure, and private entities that provide cybersecurity incident response services. Non-covered entities are private entities not included in these categories.
3. Ransomware refers to any type of malicious software that prevents the legitimate owner or operator of an information system or network from accessing computer files, systems, or networks, and demands the payment of a ransom for the return of such access.
4. A cybersecurity breach or cybersecurity intrusion is an attack on an entity's digital security and capabilities with the intent to jeopardize said security or cause damage to said capabilities, which shall be defined to cover, at minimum, the following characteristics:
   a. a nation-state is involved;
   b. a persistent threat cyber actor is involved;
   c. a transnational organized crime group is involved;
   d. the national security, economy, foreign relations, civil liberties, public health and safety, or public confidence of the Atlasian nation and people are harmed or likely to be harmed;
   e. ransomware is involved.
5. A cybersecurity notification is a notification of a cybersecurity breach in accordance with Section 5 of this Act.

SECTION 3: PROTECTION AND DEFENSE
1. Within 180 days of this legislation taking effect:
   a. Covered entities shall be directed by the agency or individual holding relevant authority to ensure proper certification of their cybersecurity practices according to national and international standards to be specified by the agency or individual in question.
   b. Federal government agencies shall publicly engage with other private-sector agencies with the goal of establishing common cybersecurity best practices and certifications to be adopted within the private sector at large.
   c. Government agencies, federal contractors, and critical infrastructure bodies shall additionally be required to evaluate the following for cyber-related vulnerabilities:
      i. existing cybersecurity procedures, including but not limited to employee practice, data protection, and software usage;
      ii. security of communications with first-tier suppliers, including but not limited to security procedures and transparency of the immediate supplier's operations.
2. $500 million shall be allocated to regional, state, and local governments to facilitate the implementation process for these goals.

SECTION 4: COOPERATION AND DETERRENCE
1. The Atlasian Congress recommends that the following courses of action be prioritized by the President and Secretary of State:
   a. continuation and expansion of international cooperation and enforcement in cybercrime investigations;
   b. working with international law enforcement units to bring foreign-based cyber criminals to justice;
   c. seeking maximum harmonization regarding the regulation of information flow between international bodies, including but not limited to:
      i. data sharing strategies;
      ii. national data protection laws;
      iii. privacy safeguards.

SECTION 5: REPORTING AND RESPONSE
1. A task force shall be created within the Cybersecurity and Infrastructure Security Agency (CISA) to receive, analyse, and assess threats from cybersecurity incidents, with the authority to refer threats to the appropriate bodies wherever the situations below are satisfied.
2. Pursuant to this goal, CISA shall:
   a. coordinate with federal, regional and state agencies to an extent considered appropriate for fostering rapid communication and responses to cybersecurity incidents;
   b. develop procedures to analyse all incoming notifications with the aim of determining the following:
      i. the source of the breach;
      ii. the impact of the breach;
      iii. recommended actions to mitigate the impact of the breach;
      iv. information to provide on methods of securing the affected system against future breaches.
   c. compile a cybersecurity intelligence report characterizing the cybersecurity threat facing federal agencies and covered entities not less frequently than once every 30 days.
3. In the event of a cybersecurity breach, covered entities shall be required to submit the following information to CISA within 72 hours:
   a. the intrusion and its effects;
   b. the vulnerabilities exploited by the intrusion;
   c. information that might reasonably help to identify the intruder, e.g. IP addresses, domain name information, or samples of malware;
   d. actions taken to mitigate the effects of the intrusion;
   e. contact information.
4. CISA shall establish reporting capabilities to facilitate the secure, timely, and confidential submission of cybersecurity notifications:
   a. from all entities, whether covered or non-covered;
   b. which may contain classified information.
5. The security of these capabilities shall be evaluated annually.
6. Information contained in notifications shall be:
   a. exempt from FOIA requests or disclosure under regional, state, or local provisions;
   b. prohibited from being admitted as evidence in any civil or criminal action, or subject to subpoenas outside of those issued for congressional oversight purposes;
   c. subject to standard privacy and protection procedures, provided that they are known to contain personal and identifying information not directly related to cybersecurity threats.

SECTION 6: LIABILITY
1. No cause of action shall lie or be maintained in any court by any person or entity, other than the Federal Government of Atlasia pursuant to §6.2 or any applicable law, against any covered entity due to the submission of a cybersecurity notification through the capabilities established in Section 5, and any such action shall be promptly dismissed.
2. The terms of Section 5 shall be enforced as follows:
   a. Federal contractors found in violation of this section shall face penalties to be determined by the General Services Administration, which may include withdrawal of federal contracts.
   b. Private entities found in violation of this section shall be subject to fines equalling 0.5%/day of the entity's gross revenue from the previous fiscal year.
   c. Violations of this Act by federal agencies shall be referred to the Inspector General for the offending agency.

SECTION 7: IMPLEMENTATION
1. This legislation shall take effect immediately upon being signed into law.
Sponsor: Joseph Cao

The gentleman from Illinois is recognized.
Joseph Cao
Rep. Joseph Cao
Atlas Politician
Junior Chimp
Posts: 5,212
« Reply #1 on: August 08, 2021, 12:55:19 AM »
« Edited: August 08, 2021, 01:00:02 AM by At-large Senator Joseph Cao »

This is, as you may be able to tell, a fairly wide-ranging bill. That was partially by design. The core of the bill is a heavily reshuffled version of the RL Cyber Incident Notification Act, currently still on the House floor, but it also incorporates about half a dozen other measures recommended by various cybersecurity experts in view of our current situation: a lot of exposure and not enough ways to secure our important digital assets from both foreign and domestic threats.

Cybersecurity protections can fail in a number of different ways. That may occur as a result of sloppy practices or human error or simply having overly weak defenses against bad actors, so Section 3 is a roadmap for both the public and private sectors to work to shore up their defenses with a baseline measure of certification of security measures, focusing particularly on both one’s own protections and the protections used by immediate suppliers. It is difficult for a given agency or entity to look into the practices of their entire supply chain, but a focus on their immediate neighbors is both doable and can lead to a substantial strengthening of the overall system's security. The federal government's practices are often adopted by the private sector and §3.1.b attempts to make use of that with regard to establishing a common baseline for cybersecurity measures.

This is not necessarily a fight we can accomplish alone, especially when foreign actors are involved, so Section 4 lays out some aims to be pursued on the international level: both cooperative (with other intelligence agencies from around the world and with their governments, which can sometimes be affected by other nations’ individual privacy and data policies) and deterrent (against foreign agents working on behalf of places like Russia and China). We urgently need a two-pronged policy of this sort on the international stage and this section gives leeway for the executive branch to set out its own detailed path.

Sections 5 and 6 are a response to the common problem of cybersecurity response. It's difficult to combat cyber threats when we don't even know they are carried out, as is overwhelmingly the case because of underserved reporting capabilities. Most private agencies are also reluctant to report breaches because that can invite unwanted scrutiny. Being able to find out about and respond to cybersecurity incidents in time substantially raises the odds of us being able to counter these threats, down to recovering the assets or ransom that allows cybercriminals to turn profits. So these two sections create reporting capabilities that anyone can make use of, establish guidelines for what needs to be reported and when, and lay out what needs to be done with that information. Section 6 indemnifies people and companies who make these submissions from legal liability.

To take a quote by the eponymous xkcd character out of context, the best defense is an indiscriminate offense. This bill is not quite as haphazard as that implies, but the spirit of that statement is in line with our best national efforts against cybercrime. It was also originally composed all at once at 3 a.m. in the morning so please offer your thoughts and any improvements you think could be made.
Southern Senator North Carolina Yankee
North Carolina Yankee
Moderator
Atlas Institution
Posts: 54,118
United States
« Reply #2 on: August 11, 2021, 11:07:34 AM »

What are the mechanisms for deterrence against agents working for Russia and China? The section 4 seems to not include anything that would function well against a state sanctioned actor.
Senator-elect Spark
Spark498
Atlas Politician
Junior Chimp
Posts: 9,714
United States
Political Matrix
E: -6.58, S: 0.00
« Reply #3 on: August 11, 2021, 01:08:49 PM »

I am generally in support of this bill. We need stronger cybersecurity.
Southern Senator North Carolina Yankee
North Carolina Yankee
Moderator
Atlas Institution
Posts: 54,118
United States
« Reply #4 on: August 15, 2021, 11:09:36 AM »

What are the mechanisms for deterrence against agents working for Russia and China? The section 4 seems to not include anything that would function well against a state sanctioned actor.
Joseph Cao
Rep. Joseph Cao
Atlas Politician
Junior Chimp
Posts: 5,212
« Reply #5 on: August 17, 2021, 12:35:02 AM »

Quote from: Southern Senator North Carolina Yankee
What are the mechanisms for deterrence against agents working for Russia and China? The section 4 seems to not include anything that would function well against a state sanctioned actor.

Ouch. Sincerely sorry for the long absence, everyone.

The deterrence policy is less fleshed out here because I haven't been able to think of strategies that would work well, and that plus the reality that this particular area has stymied a lot of policy experts adds up to something that's much vaguer than I would have liked. It essentially amounts to a declaration of intent to the effect that this is a serious national security issue that needs to be fixed. Publicising the intent and efforts to fix it in both the public and private sectors signals on a larger scale that Atlasia is going to operate with this mindset – both alongside other national security issues that we already cooperate with other nations, and as a signal to places like China and Russia. But if we can get at a framework that counterstrikes against the hacking and cybercrime strategies commonly used by bad actors, including state actors, that goes a long way towards actually tightening up our overall cybersecurity from the bottom up where the main crimes occur. Top-down diplomacy is something that Section 4 leaves open for the executive branch to manage.
Joseph Cao
Rep. Joseph Cao
Atlas Politician
Junior Chimp
Posts: 5,212
« Reply #6 on: August 19, 2021, 01:25:08 AM »

So does anyone have feedback on the $500 million figure in Section 3? I'll look for the source but that figure was pulled from a report about state-level cybersecurity capabilities, which may or may not be accurate given the additional regional level of government we have to cover / capabilities we have to combat these breaches.
Southern Senator North Carolina Yankee
North Carolina Yankee
Moderator
Atlas Institution
Posts: 54,118
United States
« Reply #7 on: September 01, 2021, 11:27:43 AM »

Where is this at now?
Mad Deadly Worldwide Communist Gangster Computer God
Just Passion Through
Atlas Legend
Posts: 45,272
Norway
Political Matrix
E: -6.32, S: -7.48
« Reply #8 on: September 10, 2021, 03:03:24 AM »

Joseph Cao
Rep. Joseph Cao
Atlas Politician
Junior Chimp
Posts: 5,212
« Reply #9 on: September 16, 2021, 10:15:32 PM »

My only lingering concern with the bill is whether that $500 million figure needs adjusting, and I haven't turned up any further indication that it needs to be, either in-game or based on RL sources. I'm good with a final vote if nobody else has anything to say about it (which, let's face it, they obviously don't).
Mad Deadly Worldwide Communist Gangster Computer God
Just Passion Through
Atlas Legend
Posts: 45,272
Norway
Political Matrix
E: -6.32, S: -7.48
« Reply #10 on: September 17, 2021, 01:10:09 AM »

I will open a vote in 24 hours, barring objections or new amendments.
Mad Deadly Worldwide Communist Gangster Computer God
Just Passion Through
Atlas Legend
Posts: 45,272
Norway
Political Matrix
E: -6.32, S: -7.48
« Reply #11 on: September 18, 2021, 03:42:35 PM »

Hearing no objection, a final vote is now open. Senators, please vote Aye, Nay, or Abstain.

Quote from: Final Senate Text
A BILL
To fortify our nation's cybersecurity defenses and improve our overall knowledge of current cyber threats

Be it enacted by the Senate of the Republic of Atlasia assembled,
Quote
SECTION 1: TITLE
1. This legislation may be referred to as the Better Liability and Aggregated Cybersecurity Knowledge Helps Against Threats (BLACKHAT) Act.

SECTION 2: DEFINITIONS
1. Critical infrastructure refers to systems and assets, whether physical or virtual, so vital to Atlasia that the incapacity or destruction of such systems and assets would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters.
2. Covered entities refer to federal government agencies, federal contractors, owners or operators of critical infrastructure, and private entities that provide cybersecurity incident response services. Non-covered entities are private entities not included in these categories.
3. Ransomware refers to any type of malicious software that prevents the legitimate owner or operator of an information system or network from accessing computer files, systems, or networks, and demands the payment of a ransom for the return of such access.
4. A cybersecurity breach or cybersecurity intrusion is an attack on an entity's digital security and capabilities with the intent to jeopardize said security or cause damage to said capabilities, which shall be defined to cover, at minimum, the following characteristics:
   a. a nation-state is involved;
   b. a persistent threat cyber actor is involved;
   c. a transnational organized crime group is involved;
   d. the national security, economy, foreign relations, civil liberties, public health and safety, or public confidence of the Atlasian nation and people are harmed or likely to be harmed;
   e. ransomware is involved.
5. A cybersecurity notification is a notification of a cybersecurity breach in accordance with Section 5 of this Act.

SECTION 3: PROTECTION AND DEFENSE
1. Within 180 days of this legislation taking effect:
   a. Covered entities shall be directed by the agency or individual holding relevant authority to ensure proper certification of their cybersecurity practices according to national and international standards to be specified by the agency or individual in question.
   b. Federal government agencies shall publicly engage with other private-sector agencies with the goal of establishing common cybersecurity best practices and certifications to be adopted within the private sector at large.
   c. Government agencies, federal contractors, and critical infrastructure bodies shall additionally be required to evaluate the following for cyber-related vulnerabilities:
      i. existing cybersecurity procedures, including but not limited to employee practice, data protection, and software usage;
      ii. security of communications with first-tier suppliers, including but not limited to security procedures and transparency of the immediate supplier's operations.
2. $500 million shall be allocated to regional, state, and local governments to facilitate the implementation process for these goals.

SECTION 4: COOPERATION AND DETERRENCE
1. The Atlasian Congress recommends that the following courses of action be prioritized by the President and Secretary of State:
   a. continuation and expansion of international cooperation and enforcement in cybercrime investigations;
   b. working with international law enforcement units to bring foreign-based cyber criminals to justice;
   c. seeking maximum harmonization regarding the regulation of information flow between international bodies, including but not limited to:
      i. data sharing strategies;
      ii. national data protection laws;
      iii. privacy safeguards.

SECTION 5: REPORTING AND RESPONSE
1. A task force shall be created within the Cybersecurity and Infrastructure Security Agency (CISA) to receive, analyse, and assess threats from cybersecurity incidents, with the authority to refer threats to the appropriate bodies wherever the situations below are satisfied.
2. Pursuant to this goal, CISA shall:
   a. coordinate with federal, regional and state agencies to an extent considered appropriate for fostering rapid communication and responses to cybersecurity incidents;
   b. develop procedures to analyse all incoming notifications with the aim of determining the following:
      i. the source of the breach;
      ii. the impact of the breach;
      iii. recommended actions to mitigate the impact of the breach;
      iv. information to provide on methods of securing the affected system against future breaches.
   c. compile a cybersecurity intelligence report characterizing the cybersecurity threat facing federal agencies and covered entities not less frequently than once every 30 days.
3. In the event of a cybersecurity breach, covered entities shall be required to submit the following information to CISA within 72 hours:
   a. the intrusion and its effects;
   b. the vulnerabilities exploited by the intrusion;
   c. information that might reasonably help to identify the intruder, e.g. IP addresses, domain name information, or samples of malware;
   d. actions taken to mitigate the effects of the intrusion;
   e. contact information.
4. CISA shall establish reporting capabilities to facilitate the secure, timely, and confidential submission of cybersecurity notifications:
   a. from all entities, whether covered or non-covered;
   b. which may contain classified information.
5. The security of these capabilities shall be evaluated annually.
6. Information contained in notifications shall be:
   a. exempt from FOIA requests or disclosure under regional, state, or local provisions;
   b. prohibited from being admitted as evidence in any civil or criminal action, or subject to subpoenas outside of those issued for congressional oversight purposes;
   c. subject to standard privacy and protection procedures, provided that they are known to contain personal and identifying information not directly related to cybersecurity threats.

SECTION 6: LIABILITY
1. No cause of action shall lie or be maintained in any court by any person or entity, other than the Federal Government of Atlasia pursuant to §6.2 or any applicable law, against any covered entity due to the submission of a cybersecurity notification through the capabilities established in Section 5, and any such action shall be promptly dismissed.
2. The terms of Section 5 shall be enforced as follows:
   a. Federal contractors found in violation of this section shall face penalties to be determined by the General Services Administration, which may include withdrawal of federal contracts.
   b. Private entities found in violation of this section shall be subject to fines equalling 0.5%/day of the entity's gross revenue from the previous fiscal year.
   c. Violations of this Act by federal agencies shall be referred to the Inspector General for the offending agency.

SECTION 7: IMPLEMENTATION
1. This legislation shall take effect immediately upon being signed into law.
Mad Deadly Worldwide Communist Gangster Computer God
Just Passion Through
Atlas Legend
Posts: 45,272
Norway
Political Matrix
E: -6.32, S: -7.48
« Reply #12 on: September 18, 2021, 03:44:13 PM »

Aye
WD
Western Democrat
Junior Chimp
Posts: 6,577
Ukraine
Political Matrix
E: -7.35, S: -0.35
« Reply #13 on: September 18, 2021, 03:48:14 PM »

AYE
Southern Senator North Carolina Yankee
North Carolina Yankee
Moderator
Atlas Institution
Posts: 54,118
United States
« Reply #14 on: September 18, 2021, 05:44:07 PM »

Aye
AGA
Atlas Politician
Junior Chimp
Posts: 5,277
United States
Political Matrix
E: 0.39, S: -5.39
« Reply #15 on: September 18, 2021, 07:37:42 PM »

Aye
Deep Dixieland Senator, Muad'dib (OSR MSR)
Muaddib
Sr. Member
Posts: 3,041
Australia
« Reply #16 on: September 18, 2021, 09:14:51 PM »

Aye
Joseph Cao
Rep. Joseph Cao
Atlas Politician
Junior Chimp
Posts: 5,212
« Reply #17 on: September 18, 2021, 09:34:11 PM »

AYE!
OSR stands with Israel
Computer89
Atlas Legend
Posts: 44,763
Political Matrix
E: 3.42, S: 2.61
« Reply #18 on: September 18, 2021, 09:57:51 PM »

Aye
Pericles
Atlas Icon
Posts: 17,110
« Reply #19 on: September 18, 2021, 11:09:43 PM »

Aye
S019
Atlas Icon
Posts: 18,331
Ukraine
Political Matrix
E: -4.13, S: -1.39
« Reply #20 on: September 19, 2021, 12:26:08 AM »

AYE
Saint Milei
DeadPrez
Atlas Politician
YaBB God
Posts: 4,007
Political Matrix
E: 9.16, S: -7.91
« Reply #21 on: September 19, 2021, 05:26:34 AM »

aye
Senator-elect Spark
Spark498
Atlas Politician
Junior Chimp
Posts: 9,714
United States
Political Matrix
E: -6.58, S: 0.00
« Reply #22 on: September 19, 2021, 07:19:49 AM »

Aye
Kuumo
Sr. Member
Posts: 2,077
« Reply #23 on: September 19, 2021, 11:30:49 AM »

Aye
Mad Deadly Worldwide Communist Gangster Computer God
Just Passion Through
Atlas Legend
Posts: 45,272
Norway
Political Matrix
E: -6.32, S: -7.48
« Reply #24 on: September 19, 2021, 11:32:47 AM »

This legislation has enough votes to pass. Senators have 24 hours to change their vote.