Cybersecurity Bill Heads to House FloorCommittee Unanimously OK's Critical Infrastructure Measure
Bipartisanship - a rare commodity on Capitol Hill these days - manifested itself with the House Homeland Security Committee's approval of a bill aimed to help buttress the cybersecurity of the nation's critical infrastructure and the federal government.
See Also: The Evolution of Email Security
The legislation - the National Cybersecurity and Critical Infrastructure Protection Act - won unanimous approval of Republicans and Democrats committee members on Feb. 5. Plus, a host of groups that, at times, find themselves on opposite ends of the political spectrum, such as the American Civil Liberties Union and the National Defense Industrial Association, endorsed it.
"I'm proud to say the final product is - as our friends in the ACLU have called it - both pro-security and pro-privacy," says Committee Chairman Michael McCaul, R-Texas. "I think that is a rare concept in today's world."
The bill, HR 3696, would codify in law the National Cybersecurity and Communications Integration Center, a federal civilian agency within the Department of Homeland Security that promotes real-time cyberthreat information sharing across critical infrastructure sectors.
It also would establish an equal partnership between industry and DHS, and ensure that DHS properly recognizes industry-led organizations to expedite critical infrastructure protection and incident response.
"Importantly, the bill puts a civilian agency within the nation's most robust privacy office - and I can't stress that enough - in charge to preventing personal information from getting inadvertently caught in the net," McCaul says.
The bill would not require any additional funding and would prohibit DHS from obtaining new cybersecurity regulatory authority. That provision reflects Republican resolve that the government will not adopt cybersecurity regulations to impose on the private sector.
Other provisions in the bill would:
- Codify and strengthen the National Infrastructure Protection Plan, a public-private partnership framework that has been supported by the private sector since 2003;
- Codify the Cyber Incident Response Teams to provide timely technical assistance, crisis management and actionable recommendations on cyberthreats to critical infrastructure owners and operators on a voluntary basis;
- Ensure that the National Cybersecurity Incident Response Plan is updated regularly and coordinated with federal, state, local and private-sector stakeholders;
- Codify DHS operational information security activities to ensure the resiliency of all federal civilian information systems and networks; and
- Amend the SAFETY Act to so private organizations can submit voluntarily their cybersecurity procedures to the government to gain additional liability protections in the event of a qualifying cyber-incident.
The bill heads to the full House of Representatives, where Republican leaders will decide if, and when, it will come up for a floor vote.
Barriers to Enactment
Congress hasn't adopted a significant cybersecurity bill in a dozen years since enacting the Federal Information Security Management Act of 2002, the law that governs federal government IT security. Even if the House approves the measure, there's no assurance the Democratic-led Senate would consider it.
The roadblock to enacting new cybersecurity laws has as much to do with the distinct visions of Senate and House leaders in lawmaking as it does with partisan differences.
The Senate, under the current Democratic leadership, has approached cybersecurity through an expansive bill. In contrast, House Republican leaders prefer more narrowly focused bills, such as one for critical infrastructure IT security protection and another for FISMA reform. In the last Congress, the Senate merged a number of measures into the Cybersecurity Act of 2012 that never came up for a vote (see Senate, Again, Fails to Halt Filibuster). This year, the House has passed four, narrowly focused bills, with most receiving significant support from members of both parties (see Cybersecurity Legislation: What's Next?).
In the meantime, the administration has not weighed in on whether it supports the National Cybersecurity and Critical Infrastructure Protection Act. Last year, the House passed the Cyber Intelligence Sharing and Protection Act with some Democratic support despite a veto threat from the White House over privacy and liability protection provisions (see House Handily Passes CISPA).