Bipartisan legislation that backers say would fortify the cybersecurity of the nation's 16 critical infrastructure sectors and the federal government by codifying, strengthening and providing oversight of the mission of the Department of Homeland Security has cleared its first hurdle.
The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies approved the bill, HR 3696, Jan. 15 by a voice vote. The measure, the National Cybersecurity and Critical Infrastructure Protection Act of 2013, heads to the full Homeland Security Committee for consideration.
"HR 3696 recognizes this growing threat and strengthens the capabilities of DHS - a civilian, transparent agency - to protect critical infrastructure, while prohibiting new regulations," says Homeland Security Committee Chairman Michael McCaul, R-Texas.
Bill sponsors say the legislation, if enacted, would bolster the partnership between industry and government on cybersecurity. According to its sponsors, the bill would:
- Codify and strengthen the National Cybersecurity and Communications Integration Center, a federal civilian agency that promotes real-time cyberthreat information sharing across critical infrastructure sectors;
- Establish an equal partnership between industry and DHS, and ensure that DHS properly recognizes industry-led entities to facilitate critical infrastructure protection and incident response;
- Codify and strengthen the National Infrastructure Protection Plan, a public-private partnership framework that has been supported by the industry since 2003;
- Codify the Cyber Incident Response Teams to provide timely technical assistance, crisis management and actionable recommendations on cyberthreats to critical infrastructure owners and operators on a voluntary basis;
- Ensure that the National Cybersecurity Incident Response Plan is updated regularly and coordinated with federal, state, local and private-sector stakeholders;
- Codify DHS operational information security activities to ensure the resiliency of all federal civilian information systems and networks;
- Amend the SAFETY Act to establish a threshold for qualifying cyber-incidents so private entities can submit voluntarily their cybersecurity procedures to the SAFETY Act office to gain additional liability protections in the event of a qualifying cyber incident.
The bill, which would not require any additional funding, would prohibit DHS from obtaining new cybersecurity regulatory authority. That provision reflects Republican resolve that the government will not adopt cybersecurity regulations to impose on the private sector.
The House action comes a month before the Obama administration issues its cybersecurity framework that will describe how private critical infrastructure operators could protect themselves from digital assaults. Use of the framework will be voluntary, not mandatory
The bipartisan bill was introduced in December by McCaul, Ranking Member Bennie Thompson, D-Miss., Subcommittee Chairman Patrick Meehan, R-Pa., and Subcommittee Ranking Member Yvette Clarke, D-N.Y.