Rep. Michael McCaul (R-Texas), chairman of the Committee on Homeland Security, and Rep. John Ratcliffe (R-Texas), chairman of the subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, introduced the National Cybersecurity Protection Advancements (NCPA) Act on Monday, a bill to encourage cyber threat information sharing between and among the private sector and the government.
“One of the greatest cyber threats to the homeland is the weakness of our power grids, and energy and water systems. A successful cyber attack on our critical infrastructure could cripple our economy. Congress must take action to defend America’s vital digital networks and help American businesses better protect themselves,” McCaul and Ratcliffe said in a statement.
The NCPA Act provides liability protections for companies that voluntarily share cyber threat indicators in good faith with the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and with other private entities. The NCCIC is a round-the-clock cyber watch center for the nation.
Last month McCaul said he was drafting a bill to enhance the NCCIC’s role as the primary Federal civilian interface for sharing cyber threat information (Defense Daily, March 19). The NCPA Act introduced on Monday includes some changes to the draft bill based on feedback the committee received.
The bill also designates the NCCIC as the “lead Federal civilian interface” for voluntary information sharing,
The NCPA Act provides limited liability protections to companies to conduct network awareness on their information systems, allows companies to operate defensive measures and conduct network awareness on systems they operate, and preserves pre-existing public-private partnerships. These liability protections are expected to incentivize the private sector to voluntarily share cyber threat indicators with the NCCIC.
McCaul and Ratcliffe highlighted that the NCPA Act also contains strong privacy protections.
The legislation directs the NCCIC to promptly notify the Secretary and Congress of any significant violations of information sharing policies and procedures, requires private companies to “scrub” and remove personal information unrelated to the cyber risk information, instructs the NCCIC to conduct a second scrub before further intergovernmental sharing, and ensures the shared information can only be used to respond to cyber attacks and increase defenses without law enforcement or surveillance uses.
The bill also directs the DHS Chief Privacy Officers to submit reports to Congress describing policies and procedures governing the sharing of cyber threat indicators and defensive measures, the effectiveness of the policies and procedures, and the impact on privacy and civil liberties of the information sharing activities.
Rep. Bennie Thompson (D-Miss.), the ranking member on the committee, and Rep. Cedric Richmond (D-La.), the ranking member on the subcommittee, lent their support to the bill with a caveat. They called the bill a “bold step” towards improving the nation’s cyber security posture and lauded its “strong privacy and civil liberties protections,” but said “one aspect of the bill still needs work.”
The two Democrats said they “are concerned that Chairman McCaul’s hands are tied when it comes to fixing the liability protection provisions. The Majority, at the direction of House leadership, has rejected the [Obama] Administration’s tailored and balanced approach to liability protection and, instead, embraced an unduly complicated structure that offers unnecessarily generous protections for corporations and goes so far as to immunize a company that does not act on information or is negligent.”
The committee will consider the bill in an open markup on Tuesday morning.