A House subcommittee on Jan. 15 approved a broadly supported bipartisan cyber security bill that would codify the Department of Homeland Security’s (DHS) lead role in protecting federal civilian computer networks and coordinate with the private sector to share information to help protect critical infrastructure from cyber threats.
The National Cybersecurity and Critical Infrastructure Protection Act of 2013 (H.R. 3696), which was crafted by Republican and Democratic leaders of the House Homeland Security Committee, also has the support of disparate groups like the American Civil Liberties Union and other privacy advocates, energy and financial sector organizations, the Professional Services Council, the National Defense Industrial Organization and others, Rep. Patrick Meehan (R-Pa.), chairman of the committee’s panel on Cybersecurity, Infrastructure Protection, and Security Technologies, said at the outset of the markup.
The bill, which was introduced in December, was approved unanimously by voice vote and will go before the full committee for another markup.
The bill recognizes the growing cyber threat “and strengthens the capabilities of DHS—a civilian, transparent agency—to protect critical infrastructure, while prohibiting new regulations,” Rep. Michael McCaul, chairman of the full committee, said in a statement.
The bill was sponsored by McCaul, Meehan, Rep. Bennie Thompson (D-Miss.), ranking member of the full committee, and Rep. Yvette Clarke (D-N.Y.), ranking member of the subcommittee.
Just like cyber security legislation that failed in the Senate in 2012, the bill doesn’t mandate that owners and operators of private critical infrastructure share information with the federal government. However, upon request by private critical infrastructure owners and operators, DHS is directed to help them secure their networks.
The bill also strengthens the DHS National Cybersecurity and Communications Integration Center (NCCIC) to facilitate real-time cyber threat information sharing with the private sector. The legislation also amends the SAFETY Act, which provides a level of liability protection for suppliers of anti-terrorism products and services, “to establish a threshold for qualifying cyber incidents so private entities can voluntarily submit their cybersecurity procedures to the SAFETY Act Office to gain additional liability protections in the event of a qualifying cyber incident,” according to an information paper provided by the committee.
Several amendments were approved by voice vote during the markup, including absorption of a separate bill to bolster the DHS cyber security workforce. Another, offered by Clarke, amends the bill to ensure that the $20 million authorized to expand the mission of the SAFETY Act Office to address cyber security challenges comes from the overall DHS budget and not from the Science and Technology Directorate, which manages the office.
To help bolster privacy protections, the panel approved an amendment by Rep. Steve Daines (R-Mont.) calling for technical assistance to federal agencies to prevent and respond to data breaches involving personally identifiable information. It would also require federal agencies to notify all potential victims of such breaches within two business days. These breaches must also be reported to the NCCIC and Congress, Daines said.