The House Homeland Security Committee on Feb. 5 unanimously approved bipartisan cyber security legislation that would give the Department of Homeland Security (DHS) explicit authority to protect federal civilian computer networks and would strengthen its ability to share real-time cyber threat data across the critical infrastructure sectors.
The bill essentially codifies much of what DHS is already doing in cyber security. It clarifies the department's roles and responsibilities for protecting the integrity and resiliency of federal civilian networks, and it strengthens the role of the National Cybersecurity and Communications Integration Center (NCCIC), a division of DHS, in facilitating the sharing of threat data with the private sector, within the federal government, and with state and local governments. The NCCIC is also authorized to help the various critical infrastructure sectors share cyber threat information with each other.
The National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act of 2013 (H.R. 3696) is supported by a wide range of private sector entities as well as the American Civil Liberties Union. The bill was approved by voice vote.
Unlike legislation proposed in the Senate in 2012 by Sen. Susan Collins (R-Maine) and former Sen. Joseph Lieberman (ID-Conn.), which never came to a vote, the NCCIP Act does not call for DHS and its federal partners to work with critical infrastructure stakeholders to establish best practices and standards that could bolster the cyber security posture of the private sector. The Lieberman-Collins bill proposed that adoption of those standards by the private sector would be voluntary, but it encouraged adoption through incentives in the form of liability protections and expedited security clearances for appropriate personnel.
However, the bill does codify the role of the National Institute of Standards and Technology (NIST), an agency of the Commerce Department, to collaborate with DHS and critical infrastructure entities and other stakeholders on an ongoing basis to create best practices that can be voluntarily adopted to help identify, assess and manage cyber risks.
As early as Feb. 11 the Obama Administration is expected to release a Cybersecurity Framework that will contain, among other things, best practices and standards that can be voluntarily adopted by owners and operators of the nation's critical infrastructure. The Cybersecurity Framework was called for by President Barack Obama in Executive Order 13636, issued in February 2013 to strengthen the nation's overall cyber defenses after Congress failed to agree on legislation aimed at doing the same thing.
The framework is the “new starting point,” a Senate aide told sister publication Defense Daily on Feb. 5. As the framework rolls out, it will give the Senate time to consider what legislation will be needed, the aide said.
Sen. Tom Carper (D-Del.), chairman of the Senate Homeland Security and Governmental Affairs Committee, is working with Sen. Tom Coburn (R-Okla.), the committee's ranking member, on cyber security legislation that is similar to the bill approved by the House panel. Carper, who is pleased with the House committee's bill, will also be working toward codifying the cyber security roles and responsibilities of DHS, reforming how federal networks are secured, and bolstering research and development and cyber education, the aide said.
While Congress goes after the low-hanging fruit for cyber legislation in the near term, in the longer term it will have to grapple with other issues such as liability protections, which cannot be addressed in the forthcoming Cybersecurity Framework.
The NCCIP Act does extend the DHS SAFETY Act (the Support Anti-terrorism by Fostering Effective Technologies Act of 2002) to cyber security procedures, essentially offering limited liability protections to private entities that voluntarily submit their procedures to the SAFETY Act office. The SAFETY Act currently applies to anti-terrorism products and services; the House bill extends it to cyber events that cause material "damage, disruption, or casualties" to the United States "population, infrastructure, economy or national morale."
Given the frequency of cyber attacks it is hard to know "how these liability protections will play out," the Senate aide said. The thresholds for cyber events in the House bill are high, but judgments will still have to be made about whether a given event is covered under the SAFETY Act, the aide said.
A number of amendments were agreed to in the Feb. 5 markup, including one offered by Rep. Susan Brooks (R-Ind.) calling for the NCCIC to coordinate with the DHS Office of Intelligence and Analysis to gain a better understanding of the cyber threat environment.