The House of Representatives on Thursday passed the second of two cyber threat information sharing bills being considered this week, the National Cybersecurity Protection Advancement Act (NCPAA) of 2015 (H.R. 1731).
The bill passed 355-63 after adopting 11 amendments, all but one by voice vote.
H.R. 1731, originating in the House Committee on Homeland Security, was sponsored by chairman Michael McCaul (R-Texas) and Rep. John Ratcliffe (R-Texas), chairman of the Cybersecurity, Infrastructure Protection and Security Technologies subcommittee (Defense Daily, April 14).
On Wednesday, the House passed a similar cyber information sharing bill, the Protecting Cyber Networks Act (H.R. 1560), originating in the House Intelligence Committee (Defense Daily, April 22).
The NCPAA provides liability protections for companies that voluntarily share cyber threat indicators in good faith with the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and other private entities. The NCCIC is the round-the-clock cyber watch center for the nation.
H.R. 1731 also designates the NCCIC as the “lead Federal civilian interface for voluntary information sharing.”
An amendment from Rep. Mick Mulvaney (R-S.C.), that sunsets the provisions in the bill after seven years was approved, matching a similar provision he inserted in Wednesday’s House Intelligence Committee cybersecurity bill.
“Sometimes we err too much on the side of safety and protection and security to the expense of our individual liberties. Sometimes we err on the other side and do not provide the requisite level of safety and security that citizens rightly demand of Congress. All this bill does is force us to make sure that we keep an eye on this piece of legislation to make sure that we got the balance exactly right,” Mulvaney said.
Rep. Bennie Thompson (D-Miss.), ranking member of the House Committee on Homeland Security, cosponsored the amendment.
Because the cyber-threat landscape is constantly changing, the amendment guarantees Congress will be able to take into account oversight findings and stakeholder feedback when reauthorization proceeds in seven years, Thompson’s office said in a statement.
McCaul opposed the sunset. “While normally I support sunset provisions I think in this case submitting a sunset provision to this vital national security program would not be in our best interest. I’ve heard time and time again from industry and other stakeholders that a sunset would stifle the sharing of the valuable cyber threat information. It would undermine everything we are trying to do here today as we try to incentivize participation and investment in this voluntary program.”
Rep. Sheila Jackson Lee (D-Texas) brought the only recorded vote, approved 405-8, requiring the Government Accountability Office to report to Congress five years after the bill is enacted to evaluate the impact on privacy and civil liberties.
The bill’s authors were glad to see the NCPAA pass.
“Removing the legal barriers for the voluntary sharing of cyber threats will help keep malicious nation states and cyber criminals out of our vital digital networks. This bipartisan, pro-privacy, pro-security bill has been three years and hundreds of stakeholder meetings in the making. I look forward to moving this landmark bill over to the Senate and getting it to the President’s desk as quickly as possible,” McCaul said.
“I am grateful to have worked with fellow Texan, House Homeland Security Committee Chairman Michael McCaul, along with Ranking Member Bennie Thompson and Mr. Cedric Richmond to move this legislation forward. Ultimately, it will arm those who protect our networks with valuable cyber threat indicators that they can use to fortify defenses against future cyber intrusions while protecting the personal information of Americans,” Ratcliffe said.
Rep. Jim Langevin (D-R.I.), co-chair of the Congressional Cybersecurity Caucus with McCaul, was also positive about the bill’s passage.
“Cybersecurity has been a passion of mine for nearly a decade, and I am thrilled to see that, after years of hard work, the House, the Senate, and the President are beginning to see eye-to-eye on this bipartisan issue,” Langevin said.
He said of the NCPAA, “It is one piece of a much larger puzzle, but it represents a major victory in our ongoing efforts to close our aperture of vulnerability in cyberspace.”
Lawyer and cybersecurity expert Jamie Barnett applauded both bills passing.
“This week’s break in the deadlock over the cyber information sharing bill in the House, and the promise of action in the Senate is huge step forward. Finally Congress is acting on incentives for businesses to do the right thing on cyber. The cybersecurity fight is in the private sector, which responds to inducements like limited liability,” Barnett, a partner at Venable LLP and former Chief of the Public Safety and Homeland Security Bureau of the Federal Communications Commission, said in a statement.
The White House on Tuesday issued a statement of administration policy supporting H.R. 1731, but with some concerns.
The administration is particularly concerned that the liability protections in the bill are too broad. “Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the statement said.
The White House believes a reasonable solution for an appropriate balance can still be found.
The administration is also concerned about authorization of potentially disruptive defensive measures in response to incidents. Not included in the administration’s proposal, “the use of defensive measures without appropriate safeguards raises significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity.”
Despite this concern, the White House said it is committed to working with stakeholders to address its remaining concerns.
Representatives will now work to combine H.R. 1731 with H.R. 1560 before sending a single bill to the Senate. The Senate Intelligence Committee approved a similar bill, the Cybersecurity Information Sharing Act of 2015 (S. 754) last month, but it has not yet made it to the floor (Defense Daily, March 12).