A bill to require studies on cyberexploitation of employees of certain Federal departments and their families, and for other purposes.

This bill directs certain federal departments and agencies to study the malicious, unauthorized digital access of the personal information and accounts of employees and their families.

[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 3788 Introduced in Senate (IS)]

<DOC>






115th CONGRESS
  2d Session
                                S. 3788

To require studies on cyberexploitation of employees of certain Federal 
        departments and their families, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           December 19, 2018

   Mr. Sasse introduced the following bill; which was read twice and 
referred to the Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
To require studies on cyberexploitation of employees of certain Federal 
        departments and their families, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. STUDY ON CYBEREXPLOITATION OF EMPLOYEES OF CERTAIN FEDERAL 
              DEPARTMENTS AND THEIR FAMILIES.

    (a) Definitions.--In this section:
            (1) Covered department.--The term ``covered department'' 
        includes the following:
                    (A) The Department of Justice.
                    (B) The Department of Energy.
                    (C) The Department of Homeland Security.
                    (D) The Department of State.
                    (E) The Department of the Treasury.
                    (F) The United States Agency for International 
                Development.
                    (G) The civilian employees of the Department of 
                Defense.
            (2) Cyberexploitation.--The term ``cyberexploitation'' 
        means the use of digital means to knowingly access, or conspire 
        to access, without authorization, an individual's personal 
        information to be employed (or to be used for) with malicious 
        intent.
            (3) Deep fake.--The term ``deep fake'' means the digital 
        insertion of a person's likeness into or digital alteration of 
        a person's likeness in visual media, such as photographs and 
        videos, without the person's permission and with malicious 
        intent.
    (b) Study Required.--Not later than 150 days after the date of the 
enactment of this Act, each head of a covered department shall complete 
a study on the cyberexploitation of the personal information and 
accounts of employees of the covered department and their families.
    (c) Elements.--The study required by subsection (b) shall include, 
with respect to a covered department, the following:
            (1) An assessment of the vulnerability of employees 
        described in subsection (b) and their families to inappropriate 
        access to their personal information and accounts of such 
        employees and their families, including identification of 
        particularly vulnerable subpopulations.
            (2) Creation of a catalogue of past and current efforts by 
        foreign governments and non-state actors at the 
        cyberexploitation of the personal information and accounts of 
        such employees and their families, including an assessment of 
        the purposes of such efforts and their degrees of success.
            (3) An assessment of the actions taken by the department or 
        agency to educate employees and their families, including 
        particularly vulnerable subpopulations, about and actions that 
        can be taken to otherwise reduce these threats.
            (4) Assessment of the potential for the cyberexploitation 
        of misappropriated images and videos as well as deep fakes.
            (5) Development of recommendations for policy changes to 
        reduce the vulnerability of such employees and their families 
        to cyberexploitation, including recommendations for legislative 
        or administrative action.
    (d) Report.--
            (1) In general.--Each head of a covered department shall 
        submit to Congress a report on the findings of the head with 
        respect to the study conducted by the head under subsection 
        (b).
            (2) Form.--The report required by paragraph (1) shall be 
        submitted in unclassified form, but may include a classified 
        annex.
                                 <all>