Thursday the House passed the bipartisan National Cybersecurity Protection Advancement Act (NCPA) by a vote of 355-63. The bill would help American businesses better protect their digital networks from cyber attacks, help stop cyber criminals and better protect American companies from cyber espionage by nation states like China, Russia and Iran.
It still remains to be seen what the Senate does on similar, companion legislation pending there.
“The House of Representatives sent a clear signal that Congress can and should pass a cyber threat information sharing bill into law," Sen. Tom Carper (D-Del.), former chairman and now ranking member of the Senate Committee on Homeland Security and Governmental Affairs, said following the House’s approval of its cybersecurity legislation.
"Now, all eyes are on the Senate,” Carper acknowledged, saying, “I hope my Senate colleagues and I can continue this important progress to strengthen our nation’s cyber defenses in a timely and transparent manner. It’s important that any bill that Congress passes empowers companies with clear legal authority and liability protection to share critical data while upholding the civil liberties we all cherish."
Carper said Thursday evening, "It must also ensure that the Department of Homeland Security has a clear and central leadership role in the threat information sharing process. While neither bill is perfect, I commend my colleagues in the House for this significant accomplishment. I look forward to continuing this bipartisan and bicameral effort and moving forward to deliver an effective and robust information sharing bill to the President’s desk soon.”
In February, Carper introduced the Cyber Threat Sharing Act of 2015, which would take critical steps to provide liability protections to increase the sharing of cyber threat data between private industry and the federal government.
Carper pointed out that in the last Congress, the Senate Committee on Homeland Security and Governmental Affairs authored several cybersecurity bills the president signed into law in December. They include the Federal Information Security Modernization Act to improve the security of federal networks, the National Cybersecurity Protection Act of 2014, which authorized the National Cybersecurity and Communications Integration Center at the Department of Homeland Security for information sharing, and two bills to improve the federal cybersecurity workforce — the Cybersecurity Workforce Assessment Act and the Border Patrol Pay Reform Act, which contains provisions from the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014.
The House’s legislation is the result of months of hammering out by stakeholder outreach and collaboration, and represents another step towards securing our nation’s cyberspace by promoting the sharing of timely, cybersecurity threat information between and among the private sector and the Department of Homeland Security (DHS), a contentious issue as Congress has worked on coming up with a bill that could be supported by all stakeholders.
The legislation includes a provision to encourage public awareness and education on personal cyber security authored by Rep. Bonnie Watson Coleman (D-NJ), a member of the House Committee on Homeland Security.
The main provisions of NCPA as reported by the Committee on Homeland Security will:
- Authorizes a non-Federal entity (e.g. company) to, for a cybersecurity purpose voluntarily share information with DHS or another non-federal entity about cyber threats (cyber threat indicators) and measures to defend their networks against such cyber threats (defensive measures); (2) monitor their own networks for cyber threats; and (3) operate measures to defend their networks against cyber threats.
- Requires both the non-federal entity and DHS to take “reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risk or incident.”
- Confers liability protection against lawsuits to any non-federal entity that shares cyber threat indicators or defensive measures or conducts authorized monitoring on their networks when acting in accordance with the requirements of the Act, so long as the non-Federal entity did not engage in “willful misconduct.” Additionally, it specifically immunizes non-federal entities for failing to act on information provided.
- Establishes substantial oversight and reporting requirements for the DHS Chief Privacy Officer, DHS Chief Civil Rights and Civil Liberties Officer, DHS Inspector General and the Privacy and Civil Liberties Oversight Board.
“American companies will have the tools they need to better protect their digital networks with this legislation,” said House Committee on Homeland Security Chairman Michael McCaul (R-Texas) and Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee Chairman John Ratcliffe (R-Texas) in a joint statement.
The two lawmakers said, “We live in an ever-evolving threat environment where cyber attacks are personally affecting Americans, as well as our businesses and the government’s ability to defend the United States. Removing the legal barriers for the voluntary sharing of cyber threats will help keep malicious nation states and cyber criminals out of our vital digital networks. This bipartisan, pro-privacy, pro-security bill has been three years and hundreds of stakeholder meetings in the making. I look forward to moving this landmark bill over to the Senate and getting it to the President’s desk as quickly as possible.”
“I came to Washington to solve problems and make our country a safer place for all Americans. The National Cybersecurity Protection Advancement Act is a much needed bill that accomplishes both,” Ratcliffe added, emphasizing that, “By passing this legislation, we are proactively protecting the national security of our country and the personal privacy of our citizens – both of which, under the status quo, remain vulnerable to malicious attacks from cyber adversaries … Ultimately, it will arm those who protect our networks with valuable cyber threat indicators that they can use to fortify defenses against future cyber intrusions while protecting the personal information of Americans.”
“Today, the House joined with the President and stakeholders from across our critical infrastructure sectors to make our nation – and our cyberspace – more secure,” saidRep. Bennie G. Thompson (D-Miss), ranking member pf the House Committee on Homeland Security.
Thompson thanked McCaul “for working with me and the other Democrats on the committee to develop this legislation and ensure it is bipartisan. I will continue to work with him – as he has committed on the House floor today – to clarify the overly-broad liability protection language in the bill to ensure that the law promotes, and does not hinder, the sharing of information to protect our infrastructure and responsible cybersecurity practices. Liability protections must be appropriately targeted.”
During consideration of the legislation, Thompson pushed to clarify language in the bill regarding what he said the White House called a “sweeping” liability protection provision to address concerns about it incentivizing companies to take no action on timely, cybersecurity threats.
The House also approved a bipartisan amendment Thompson cosponsored to sunset the provisions in the legislation after seven years. Since the cyber-threat landscape is constantly changing, this amendment, offered by Rep. Mick Mulvaney (R-SC), simply guarantees that Congress will undertake a reauthorization process in seven years, in which oversight findings and stakeholder feedback can be taken into account.
“This necessary amendment will provide the administration and private sector the flexibility to move forward in protecting our networks and promote information sharing while ensuring that our oversight findings on the implementation of this bill are addressed in future reauthorization,” Thompson earlier said. “Since the cyber-threat landscape is constantly changing, this amendment will simply guarantee that Congress will reexamine the programs in this bill, and will give us an opportunity to assess the procedures we put into place to make sure it has been effective and has appropriately protected our citizen’s privacy and civil liberties.”
“This bill is an important step in our efforts to govern in the constantly-evolving world of cybersecurity; we must continue to legislate around the needs of individuals, businesses and federal entities as they adopt new technologies which are more interconnected than ever before,” said Rep. Cedric L. Richmond (D-La), and ranking member of the Committee’s Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee.
“Every day," he said, "US networks face cyber-hacking attempts and attacks by cyber terrorists and cyber criminals. This legislation we passed today authorizes private companies to voluntarily share timely cyber threat information – a central tenet of cybersecurity. I am pleased that this bill includes key provisions to protect consumer’s privacy and personal identifiable information. It requires corporations – and the Department of Homeland Security – to scrub irrelevant personal information from the data they share.”
“I am pleased to see Congress taking an active interest in our nation’s cybersecurity, and I’m glad that bill we passed today includes my provision encouraging greater awareness of the vulnerabilities that exist for our seniors, students, small businesses, military, veterans and all Americans,” Watson Coleman said. “Cyber attacks represent a growing threat to American families and our national security. By making sure people understand the basic steps they can take to protect their networks we can prevent these attacks and improve our nation’s overall cybersecurity defenses.”
The provision authored by Watson Coleman was added to the bill during the homeland security committee’s mark-up of the bill last week. The provision would direct DHS “to launch a concerted and sustained campaign to educate individuals about personal cyber security through effective public service announcements published online and communicated through social media. It alsodirects DHS to devise creative wage to engage the public on simple steps to help thwart a cyber-breach.”
The legislation also included a measure by Rep.Donald M. Payne, Jr. (D-NJ) to protect critical infrastructure against cyber attacks.
“Three years ago, Hurricane Sandy showed just how weak our critical infrastructure is, and just how vulnerable we can quickly become to layered disasters like cyber attacks by outside actors,” Payne said. “These cyber attacks are a drain on our economy, and they expose us to other potentially devastating attacks. We must do a better job of protecting our critical infrastructure, which is why the House’s passage of my amendment is so important at this time.”
Payne said there’s been a significant increase in cyber attacks to US critical infrastructure, pointing out that in 2012 there were 82 reported attacks against the energy field, 29 reported attacks against the water industry, seven reported attacks against chemical plants and six reported attacks against nuclear companies. Several of these nuclear companies reported that their networks were compromised and that, in some cases, data was seized.
Continuing, Payne said many cyber attacks on critical infrastructure may go undetected or unrecognized because they can initially be perceived as a technical glitch or human error, and because there is a lack of consensus as to what constitutes a cyber attack. As a result, critical sources of data detailing potential threats to our nation’s control systems are missed.
Applauding passage of the legislation is the Retail Industry Leaders Association (RILA), which said the bill “encourage businesses to share cyber threat information electronically with federal law enforcement agencies, making it easier to track and guard against cyber attacks.”
“Retailers have taken extraordinary steps in the past year to combat cybercrime and protect our customers from the impact of data breaches and other cyber attacks,” said Nicholas Ahrens, RILA Vice President for Privacy and Cybersecurity. “Passage of House cyber information sharing legislation is a strong first step toward enacting meaningful government reforms that complement our own efforts to defend against the threat posed by cyber thieves and hackers.”
With strong bipartisan support in the House, it’s up to see what the Senate does in May on its similar companion legislation.
