The National Cybersecurity and Critical Infrastructure Protection Act of 2013 would amend the Homeland Security Act of 2002 to better protect the country against potentially destructive cyber attacks targeting national utilities and other critical infrastructure systems.
The House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has marked up and passed the bill back to the House Committee on Homeland Security. From here, H.R. 3696 will travel to the House floor for debate and an eventual vote. Should it pass in the House, it will proceed to the Senate and eventually the Oval Office.
Outside the Capitol, the American Civil Liberties Union, American Chemistry Council, Boeing Company, and National Defense Industrial Association are among the long list of strange bedfellows expressing support for the pending legislation.
In general, the bill seeks to establish a threat-information-sharing partnership between the Department of Homeland Security and the owners and operators of the nation’s critical infrastructure systems. It also establishes a framework through which the DHS can work with international partners to harden the security of systems outside the U.S. but upon which American citizens depend.
More specifically, the bill calls on the Secretary of Homeland Security to facilitate efforts to fortify and maintain a secure, functioning, and resilient critical infrastructure. Part of his responsibility will be to ensure that the handlers of infrastructure receive actionable, industry-specific cyber threat intelligence in real time.
The bill – should it become law – will also call on the secretary to work with private partners to help develop and allocate funds for voluntary security and resiliency strategies. Should an attack occur, the bill would require the DHS to assist in incident response-related activities if critical infrastructure companies request such help.
The bill also opens an avenue through which infrastructure handlers can request help from the government in finding and mitigating threats and vulnerabilities. The secretary would also be required to provide more general security educational training to handlers upon request.
Beyond these requirements and the technical minutiae that fill out the rest of the bill’s text, the bill mandates that the DHS educate the broader public on the importance of securing information systems.
“H.R. 3696 strengthens our cyber defenses by bolstering and providing oversight of DHS’s cybersecurity mission, fostering collaborative public-private partnerships, while also ensuring privacy and civil liberties are protected,” the bill’s sponsors wrote. “We are greatly encouraged by the strong bipartisan support of the NCCIP Act, as well as the many endorsements it has received from both industry and privacy advocates, and we look forward to moving this legislation to the House floor.”
To that effect, the ACLU read the bill and gave it their stamp of approval, stating that “information sharing provisions in this bill do not undermine current privacy laws.”
The ACLU endorsed the bill further:
“Unlike H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), your bill does not create broad exceptions to the privacy laws for cybersecurity. Instead, it strengthens private-public partnerships by supporting existing Information Sharing and Analysis Centers and Sector Coordinating Councils and reinforces voluntary sharing under current statutes that already provide for many cybersecurity scenarios.”
In a letter expressing its support for the bill, the Boeing Company noted that it is constantly challenged by cyber attacks that are increasing both in number and sophistication. H.R. 3696, a company spokesperson wrote, will strengthen and focus efforts as the government works in partnership with the private sector to increase defensive capabilities.
You can read the subcommittee’s one-page explainer, broadly outlining the terms and scope of the bill, by clicking the image above.