Official text as published. Use Ctrl+F / Cmd+F to search within the document.
[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 4565 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
2d Session
S. 4565
To ensure the security and integrity of United States critical
infrastructure by establishing an interagency task force and requiring
a comprehensive report on the targeting of United States critical
infrastructure by People's Republic of China state-sponsored cyber
actors, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 19, 2026
Mr. Scott of Florida introduced the following bill; which was read
twice and referred to the Committee on Homeland Security and
Governmental Affairs
_______________________________________________________________________
A BILL
To ensure the security and integrity of United States critical
infrastructure by establishing an interagency task force and requiring
a comprehensive report on the targeting of United States critical
infrastructure by People's Republic of China state-sponsored cyber
actors, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening Cyber Resilience
Against State-Sponsored Threats Act''.
SEC. 2. INTERAGENCY TASK FORCE AND REPORT ON THE TARGETING OF UNITED
STATES CRITICAL INFRASTRUCTURE BY PEOPLE'S REPUBLIC OF
CHINA STATE-SPONSORED CYBER ACTORS.
(a) Definitions.--In this section:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs, the Committee on the Judiciary,
and the Select Committee on Intelligence of the Senate;
and
(B) the Committee on Homeland Security, the
Committee on the Judiciary, and the Permanent Select
Committee on Intelligence of the House of
Representatives.
(2) Asset.--The term ``asset'' means a person, structure,
facility, information, material, equipment, network, or
process, whether physical or virtual, that enables the
services, functions, or capabilities of an organization.
(3) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given the term in section
1016(e) of the Critical Infrastructures Protection Act of 2001
(42 U.S.C. 5195c(e)).
(4) Cybersecurity threat.--The term ``cybersecurity
threat'' has the meaning given the term in section 2200 of the
Homeland Security Act of 2002 (6 U.S.C. 650).
(5) Director.--The term ``Director'' means the Director of
the Cybersecurity and Infrastructure Security Agency.
(6) Homeland security enterprise.--The term ``Homeland
Security Enterprise'' has the meaning given the term in section
2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
(7) Incident.--The term ``incident'' has the meaning given
the term in section 2200 of the Homeland Security Act of 2002
(6 U.S.C. 650).
(8) Information sharing.--The term ``information sharing''
means the bidirectional sharing of timely and relevant
information concerning a cybersecurity threat posed by a State-
sponsored cyber actor of the People's Republic of China to
United States critical infrastructure.
(9) Intelligence community.--The term ``intelligence
community'' has the meaning given the term in section 3(4) of
the National Security Act of 1947 (50 U.S.C. 3003(4)).
(10) Locality.--The term ``locality'' means any local
government authority or agency or component thereof within a
State having jurisdiction over matters at a county, municipal,
or other local government level.
(11) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(12) Sector.--The term ``sector'' means a collection of
assets, systems, networks, entities, or organizations that
provide or enable a common function for national security
(including national defense and continuity of Government),
national economic security, national public health or safety,
or any combination thereof.
(13) Sector risk management agency.--The term ``Sector Risk
Management Agency'' has the meaning given the term in section
2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
(14) State.--The term ``State'' means any State of the
United States, the District of Columbia, the Commonwealth of
Puerto Rico, the Northern Mariana Islands, the United States
Virgin Islands, Guam, American Samoa, and any other territory
or possession of the United States.
(15) Systems.--The term ``systems'' means a combination of
personnel, structures, facilities, information, materials,
equipment, networks, or processes, whether physical or virtual,
integrated or interconnected for a specific purpose that
enables the services, functions, or capabilities of an
organization.
(16) Task force.--The term ``task force'' means the joint
interagency task force established under subsection (b).
(17) United states.--The term ``United States'', when used
in a geographic sense, means any State of the United States.
(18) Volt typhoon.--The term ``Volt Typhoon'' means the
People's Republic of China State-sponsored cyber actor
described in the Cybersecurity and Infrastructure Security
Agency cybersecurity advisory entitled ``PRC State-Sponsored
Actors Compromise and Maintain Persistent Access to U.S.
Critical Infrastructure'', issued on February 07, 2024, or any
successor advisory.
(b) Interagency Task Force.--Not later than 120 days after the date
of enactment of this Act, the Secretary, acting through the Director,
in consultation with the Attorney General, the Director of the Federal
Bureau of Investigation, and the heads of appropriate Sector Risk
Management Agencies as determined by the Director, shall establish a
joint interagency task force to facilitate collaboration and
coordination among the Sector Risk Management Agencies assigned a
Federal role or responsibility in National Security Memorandum-22,
issued April 30, 2024 (relating to critical infrastructure security and
resilience), or any successor document, to detect, analyze, and respond
to the cybersecurity threat posed by State-sponsored cyber actors,
including Volt Typhoon, of the People's Republic of China by ensuring
that the actions of those agencies are aligned and mutually
reinforcing.
(c) Chairs.--
(1) Chairperson.--The Director, or the designee of the
Director, shall serve as the Chairperson of the task force.
(2) Vice chairperson.--The Director of the Federal Bureau
of Investigation, or the designee of the Director, shall serve
as the Vice Chairperson of the task force.
(d) Composition.--
(1) In general.--The task force shall consist of
appropriate representatives of the departments and agencies
specified in subsection (b) appointed by the Chairperson in
consultation with the Vice Chairperson.
(2) Qualifications.--To materially assist in the activities
of the task force, representatives under paragraph (1) shall be
subject matter experts who have familiarity and technical
expertise regarding cybersecurity, digital forensics, or threat
intelligence analysis, or in-depth knowledge of the tactics,
techniques, and procedures commonly used by State-sponsored
cyber actors, including Volt Typhoon, of the People's Republic
of China.
(e) Vacancy.--Any vacancy occurring in the membership of the task
force shall be filled in the same manner in which the original
appointment was made.
(f) Establishment Flexibility.--To avoid redundancy, the task force
may coordinate with any preexisting task force, working group, or
cross-intelligence effort within the Homeland Security Enterprise or
the intelligence community that has examined or responded to the
cybersecurity threat posed by State-sponsored cyber actors, including
Volt Typhoon, of the People's Republic of China.
(g) Task Force Reports; Briefing.--
(1) Initial report.--Not later than 540 days after the
establishment of the task force, the task force shall submit to
the appropriate congressional committees the first report
containing the initial findings, conclusions, and
recommendations of the task force.
(2) Annual report.--Not later than 1 year after the date of
the submission of the initial report under paragraph (1), and
annually thereafter for 5 years, the task force shall submit to
the appropriate congressional committees an annual report
containing the findings, conclusions, and recommendations of
the task force.
(3) Contents.--The reports under this subsection shall
include the following:
(A) An assessment at the lowest classification
feasible of the sector-specific risks, trends relating
to incidents impacting sectors, and tactics,
techniques, and procedures utilized by or relating to
State-sponsored cyber actors, including Volt Typhoon,
of the People's Republic of China.
(B) An assessment of additional resources and
authorities needed by Federal departments and agencies
to better counter the cybersecurity threat posed by
State-sponsored cyber actors, including Volt Typhoon,
of the People's Republic of China.
(C) A classified assessment of the extent of
potential destruction, compromise, or disruption to
United States critical infrastructure by State-
sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China in the event of a major
crisis or future conflict between the People's Republic
of China and the United States.
(D) A classified assessment of the ability of the
United States to counter the cybersecurity threat posed
by State-sponsored cyber actors, including Volt
Typhoon, of the People's Republic of China in the event
of a major crisis or future conflict between the
People's Republic of China and the United States,
including with respect to different cybersecurity
measures and recommendations that could mitigate such a
threat.
(E) A classified assessment of the ability of
State-sponsored cyber actors, including Volt Typhoon,
of the People's Republic of China to disrupt operations
of the United States Armed Forces by hindering mobility
across critical infrastructure such as rail, aviation,
and ports, including how such disruption would impair
the ability of the United States Armed Forces to deploy
and maneuver forces effectively.
(F) A classified assessment of the economic and
social ramifications of a disruption to 1 or multiple
United States critical infrastructure sectors by State-
sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China in the event of a major
crisis or future conflict between the People's Republic
of China and the United States.
(G) Such recommendations as the task force may have
for the Homeland Security Enterprise, the intelligence
community, or critical infrastructure owners and
operators to improve the detection and mitigation of
the cybersecurity threat posed by State-sponsored cyber
actors, including Volt Typhoon, of the People's
Republic of China.
(H) A one-time plan for an awareness campaign to
familiarize critical infrastructure owners and
operators with security resources and support offered
by Federal departments and agencies to mitigate the
cybersecurity threat posed by State-sponsored cyber
actors, including Volt Typhoon, of the People's
Republic of China.
(4) Briefing.--Not later than 30 days after the date of the
submission of each report under this subsection, the task force
shall provide to the appropriate congressional committees a
classified briefing on the findings, conclusions, and
recommendations of the task force.
(5) Form.--Each report under this subsection shall be
submitted in classified form, consistent with the protection of
intelligence sources and methods, but may include an
unclassified executive summary.
(6) Publication.--The unclassified executive summary of
each report required under this subsection shall be published
on a publicly accessible website of the Department of Homeland
Security.
(h) Access to Information.--
(1) In general.--The Secretary, the Director, the Attorney
General, the Director of the Federal Bureau of Investigation,
and the heads of appropriate Sector Risk Management Agencies,
as determined by the Director, shall provide to the task force
such information, documents, analysis, assessments, findings,
evaluations, inspections, audits, or reviews relating to
efforts to counter the cybersecurity threat posed by State-
sponsored cyber actors, including Volt Typhoon, of the People's
Republic of China as the task force considers necessary to
carry out this section.
(2) Receipt, handling, storage, and dissemination.--
Information, documents, analysis, assessments, findings,
evaluations, inspections, audits, and reviews described in this
subsection shall be received, handled, stored, and disseminated
only by members of the task force consistent with all
applicable statutes, regulations, and Executive orders.
(3) Security clearances for task force members.--No member
of the task force may be provided with access to classified
information under this section without the appropriate security
clearances.
(i) Termination.--The task force, and all the authorities of this
section, shall terminate on the date that is 60 days after the final
briefing required under subsection (g)(4).
(j) Exemption From FACA.--Chapter 10 of title 5, United States
Code, shall not apply to the task force.
(k) Exemption From Paperwork Reduction Act.--Chapter 35 of title
44, United States Code (commonly known as the ``Paperwork Reduction
Act''), shall not apply to the task force.
<all>