On December 11, House Homeland Security Committee Chairman Michael McCaul (R-TX) introduced a long-awaited cybersecurity bill, entitled the National Cybersecurity and Critical Infrastructure Protection Act (“NCCIP Act”), H.R. 3696. The bill has bipartisan co-sponsors, including House Homeland Security Committee Ranking Member Bennie Thompson (D-MS), Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies Chairman Patrick Meehan (R-PA), and Subcommittee Ranking Member Yvette Clarke (D-NY).
The bill focuses primarily on the authorities of the Department of Homeland Security (“DHS”) and information-sharing, while preserving and enhancing the role of private parties in interfacing with DHS. Section 203 of the bill specifically states that it does not provide any new regulatory authorities.
DHS and Federal Civilian Systems
The bill directs the Secretary of Homeland Security (“the Secretary”) to manage efforts to secure federal civilian information systems. The Secretary, among other things, would oversee government-wide information security efforts, establish “continuous diagnostics systems,” operate intrusion detection and prevention systems, conduct risk assessments, provide technical assistance, and develop training requirements regarding privacy and civil liberties for federal information security employees.
The bill specifically authorizes the Secretary to request and obtain assistance from private entities that “provide electronic communications services, remote computing services, or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic, deploy countermeasures, or otherwise operate protective capabilities.” It provides that no cause of action may exist against private entities for providing such assistance to DHS.
DHS and Critical Infrastructure
With respect to the private sector, the Secretary is directed, upon the request of critical infrastructure (“CI”), to provide CI with support to secure systems against cyber threats, analysis and warnings about cyber threats, and assistance with cyber incident response and recovery. In addition, the bill makes the Secretary responsible for, among other things, coordinating with federal, state, and local governments, CI, and other entities to: facilitate a national effort to strengthen CI against cyber threats; ensure that CI owners and operators can receive real-time, actionable cyber threat information; and coordinate a research and development strategy to protect CI from cyber threats.
To interface with the private sector, the bill directs the Secretary to designate CI sectors and, in collaboration with any applicable Sector-Specific Agency, to recognize a Sector-Coordinating Council for each CI sector. The Councils are to be composed entirely of CI owners and operators, private entities, and trade associations. The bill envisions that the Councils will serve as the primary points of coordination with DHS and requires the Secretary to meet biannually with each Council to discuss cybersecurity threats and to provide each Council with an assessment of the threats to its CI sector. The Secretary would also be required to report annually to Congress on the state of cybersecurity for each CI sector. The bill specifically provides that no information shared with the Secretary in the course of the Council meetings can be used for regulatory purposes.
DHS, in collaboration with each Council, is also directed to recognize at least one Information Sharing and Analysis Center (“ISAC”) for each CI sector. Each sector-specific ISAC will then promote “ongoing multi-directional sharing of real-time, relevant, and actionable cyber threat information” and coordinate emergency response and recovery operations with DHS.
National Cybersecurity and Communications Integration Center
The bill would also establish within DHS the “National Cybersecurity and Communications Integration Center” (“NCCIC”) as a clearinghouse for information sharing among federal government entities and between government entities and the private sector. The NCCIC would include the ISACs, the U.S. Computer Emergency Readiness Team, and other governmental and private entities. NCCIC is charged with promoting real-time “multi-directional sharing” of cyber threat information among governmental entities, CI, ISACs, and other entities and with providing, “upon request,” technical and crisis management assistance. The NCCIC would also analyze cyber threat information and provide actionable assessments of CI cyber risks.
Other Key Provisions
- The bill would continue the National Institute of Standards and Technology’s role, now proceeding under Executive Order 13,636, in developing “voluntary, industry-led” standards, guidelines, and best practices to reduce cyber risks to CI.
- The NCCIP Act would also require the Secretary to establish “Cyber Incident Response Teams” to provide, upon request, technical assistance, crisis management support, and recommendations on security and countermeasures to governmental and CI entities. Relatedly, DHS would be required to develop a Cyber Incident Response Plan, in coordination with governmental entities, Sector Coordinating Councils, and ISACs.
- The bill would require DHS to submit an annual report to Congress summarizing major cyber incidents involving federal civilian systems, including statistics on the number of breaches, the amount of data exfiltrated, and the impact and cost of remedying the breaches.