By David Fagan, Richard Hertling, and Sumon Dantiki
On July 28, 2014, the U.S. House of Representatives (“House”) passed three cybersecurity bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696) (“NCCIP Act”), the Critical Infrastructure Research and Development Advancement Act (H.R. 2952) (“CIRDA Act”), and the Homeland Security Cybersecurity Boots-on-the-Ground Act (H.R. 3107) (“Boots-on-the-Ground Act”) with broad bipartisan support.
The NCCIP Act was introduced in December 2013 and is the most significant of the three measures. As we noted at the time, the bill focuses primarily on strengthening the authorities of the Department of Homeland Security (“DHS”). Under the provisions of the bill as passed by the House, the Secretary of DHS would have broad responsibilities for the protection of critical infrastructure (“CI”) from cyber threats. Specifically, the Secretary would be charged with facilitating “a national effort to strengthen and maintain secure, functioning and resilient critical infrastructure” by seeking “industry-specific expertise” to “identify and disrupt threats” and providing “education and assistance” to CI owners and operators who request them.
The bill also promotes several avenues for public-private collaboration to protect CI, organized by sector. To effectuate this collaboration, the Secretary of DHS would be directed to designate different sectors of critical infrastructure, such as communications, financial services, information technology, and transportation systems. DHS would then interact with private sector entities on a sector-specific basis through designated federal agencies and “coordinating councils.” The sector-specific coordinating councils would be designed to “reflect the unique composition of each sector” and would include critical infrastructure owners, operators, private sector entities and trade associations. Government entities with any “regulating authority” would be prohibited from being members of the coordinating councils. The bill would also direct DHS, in collaboration with the relevant coordinating council, to recognize at least one Information Sharing and Analysis Center (“ISAC”) for each CI sector, to help promote information sharing along with each coordinating council. The bill would codify the National Cybersecurity and Communications Integration Center (“NCCIC”) within DHS to promote “ongoing multi-directional sharing” of cyber threat information among federal government entities and between such entities and the private sector, including through ISACs, the coordinating councils, the U.S. Computer Emergency Readiness Team, and other stakeholders.
The NCCIP Act bill would also codify the establishment of Cyber Incident Response Teams within DHS, which would be available to provide crisis management support to critical infrastructure owners and operators on request. In addition, the NCCIP Act also amends and expands the SAFETY Act, 6 U.S.C. §§ 441-444, which currently affords some liability protections to companies who provide qualified anti-terrorism technologies following a traditional terrorist attack. Under the bill, these liability protections would expanded to include qualified cybersecurity technologies in the event of a range of cyberattacks (to be further defined by the Secretary of DHS), even if wholly unconnected to terrorism.
The second bill passed by the House, the CIRDA Act, would further enhance DHS’s authority to protect CI by mandating that DHS develop and update a plan for research and development of cybersecurity technologies for the protection of critical infrastructure. The plan would be developed with stakeholders, including sector-specific coordinating councils, and focus, among other things, on identifying risks and technology gaps and prioritizing security technology needs to address such risks and gaps. The bill also would require DHS to report to Congress on, among other things, those aspects of critical infrastructure protection that are predominately operated by the private sector and that would most benefit from rapid security technology advancement. The bill would also expand DHS’s Technology Clearinghouse, established pursuant to 6 U.S.C. § 193, to promote “rapidly sharing proven technology solutions for protecting critical infrastructure.”
Finally, the third bill passed by the House, the Cybersecurity-Boots-on-the-Ground Act, is focused largely on improving the DHS cyber work force. It directs the Security of DHS to “assess the readiness and capacity” of the DHS workforce “to meet its cybersecurity mission.” To this end, the bill requires the Secretary to establish uniform cybersecurity occupation classifications, assess the cybersecurity workforce, and develop a strategy to develop and recruit cybersecurity employees.
The three bills now proceed to the U.S. Senate for further consideration.