[Congressional Record Volume 160, Number 119 (Monday, July 28, 2014)]
[House]
[Pages H6908-H6922]
NATIONAL CYBERSECURITY AND CRITICAL INFRASTRUCTURE PROTECTION ACT OF
2014
Mr. McCAUL. Mr. Speaker, I move to suspend the rules and pass the
bill (H.R. 3696) to amend the Homeland Security Act of 2002 to make
certain improvements regarding cybersecurity
and critical infrastructure protection, and for other purposes, as
amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 3696
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Cybersecurity and
Critical Infrastructure Protection Act of 2014''.
SEC. 2. TABLE OF CONTENTS.
The table of contents for this Act is as follows:
Sec. 1. Short title.
Sec. 2. Table of contents.
TITLE I--SECURING THE NATION AGAINST CYBER ATTACK
Sec. 101. Homeland Security Act of 2002 definitions.
Sec. 102. Enhancement of cybersecurity.
Sec. 103. Protection of critical infrastructure and information
sharing.
Sec. 104. National Cybersecurity and Communications Integration Center.
Sec. 105. Cyber incident response and technical assistance.
Sec. 106. Streamlining of Department cybersecurity organization.
TITLE II--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
Sec. 201. Public-private collaboration on cybersecurity.
Sec. 202. SAFETY Act and qualifying cyber incidents.
Sec. 203. Prohibition on new regulatory authority.
Sec. 204. Prohibition on additional authorization of appropriations.
Sec. 205. Prohibition on collection activities to track individuals'
personally identifiable information.
Sec. 206. Cybersecurity scholars.
Sec. 207. National Research Council study on the resilience and
reliability of the Nation's power grid.
TITLE III--HOMELAND SECURITY CYBERSECURITY WORKFORCE
Sec. 301. Homeland security cybersecurity workforce.
Sec. 302. Personnel authorities.
TITLE I--SECURING THE NATION AGAINST CYBER ATTACK
SEC. 101. HOMELAND SECURITY ACT OF 2002 DEFINITIONS.
Section 2 of the Homeland Security Act of 2002 (6 U.S.C.
101) is amended by adding at the end the following new
paragraphs:
``(19) The term `critical infrastructure' has the meaning
given that term in section 1016(e) of the USA Patriot Act (42
U.S.C. 5195c(e)).
``(20) The term `critical infrastructure owner' means a
person that owns critical infrastructure.
``(21) The term `critical infrastructure operator' means a
critical infrastructure owner or other person that manages,
runs, or operates, in whole or in part, the day-to-day
operations of critical infrastructure.
``(22) The term `cyber incident' means an incident, or an
attempt to cause an incident, that, if successful, would--
``(A) jeopardize or imminently jeopardize, without lawful
authority, the security, integrity, confidentiality, or
availability of an information system or network of
information systems or any information stored on, processed
on, or transiting such a system or network;
``(B) constitute a violation or imminent threat of
violation of law, security policies, security procedures, or
acceptable use policies related to such a system or network,
or an act of terrorism against such a system or network; or
``(C) result in the denial of access to or degradation,
disruption, or destruction of such a system or network, or
the defeat of an operations control or technical control
essential to the security or operation of such a system or
network.
``(23) The term `cybersecurity mission' means activities
that encompass the full range of threat reduction,
vulnerability reduction, deterrence, incident response,
resiliency, and recovery activities to foster the security
and stability of cyberspace.
``(24) The term `cybersecurity purpose' means the purpose
of ensuring the security, integrity, confidentiality, or
availability of, or safeguarding, an information system or
network of information systems, including protecting such a
system or network, or data residing on such a system or
network, including protection of such a system or network,
from--
``(A) a vulnerability of such a system or network;
``(B) a threat to the security, integrity, confidentiality,
or availability of such a system or network, or any
information stored on, processed on, or transiting such a
system or network;
``(C) efforts to deny access to or degrade, disrupt, or
destroy such a system or network; or
``(D) efforts to gain unauthorized access to such a system
or network, including to gain such unauthorized access for
the purpose of exfiltrating information stored on, processed
on, or transiting such a system or network.
``(25) The term `cyber threat' means any action that may
result in unauthorized access to, exfiltration of,
manipulation of, harm of, or impairment to the security,
integrity, confidentiality, or availability of an information
system or network of information systems, or information that
is stored on, processed by, or transiting such a system or
network.
``(26) The term `cyber threat information' means
information directly pertaining to--
``(A) a vulnerability of an information system or network
of information systems of a government or private entity;
``(B) a threat to the security, integrity, confidentiality,
or availability of such a system or network of a government
or private entity, or any information stored on, processed
on, or transiting such a system or network;
``(C) efforts to deny access to or degrade, disrupt, or
destroy such a system or network of a government or private
entity;
``(D) efforts to gain unauthorized access to such a system
or network, including to gain such unauthorized access for
the purpose of exfiltrating information stored on, processed
on, or transiting such a system or network; or
``(E) an act of terrorism against an information system or
network of information systems.
``(27) The term `Federal civilian information systems'--
``(A) means information, information systems, and networks
of information systems that are owned, operated, controlled,
or licensed for use by, or on behalf of, any Federal agency,
including such systems or networks used or operated by
another entity on behalf of a Federal agency; but
``(B) does not include--
``(i) a national security system; or
``(ii) information, information systems, and networks of
information systems that are owned, operated, controlled, or
licensed solely for use by, or on behalf of, the Department
of Defense, a military department, or an element of the
intelligence community.
``(28) The term `information security' means the protection
of information, information systems, and networks of
information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order
to provide--
``(A) integrity, including guarding against improper
information modification or destruction, including ensuring
nonrepudiation and authenticity;
``(B) confidentiality, including preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; and
``(C) availability, including ensuring timely and reliable
access to and use of information.
``(29) The term `information system' means the underlying
framework and functions used to process, transmit, receive,
or store information electronically, including programmable
electronic devices, communications networks, and industrial
or supervisory control systems and any associated hardware,
software, or data.
``(30) The term `private entity' means any individual or
any private or publically-traded company, public or private
utility (including a utility that is a unit of a State or
local government, or a political subdivision of a State
government), organization, or corporation, including an
officer, employee, or agent thereof.
``(31) The term `shared situational awareness' means an
environment in which cyber threat information is shared in
real time between all designated Federal cyber operations
centers to provide actionable information about all known
cyber threats.''.
SEC. 102. ENHANCEMENT OF CYBERSECURITY.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002 is amended by adding at the end the
following new section:
``SEC. 226. ENHANCEMENT OF CYBERSECURITY.
``The Secretary, in collaboration with the heads of other
appropriate Federal Government entities, shall conduct
activities for cybersecurity purposes, including the
provision of shared situational awareness to each other to
enable real-time, integrated, and operational actions to
protect from, prevent, mitigate, respond to, and recover from
cyber incidents.''.
(b) Clerical Amendments.--
(1) Subtitle heading.--The heading for subtitle C of title
II of such Act is amended to read as follows:
``Subtitle C--Cybersecurity and Information Sharing''.
(2) Table of contents.--The table of contents in section
1(b) of such Act is amended--
(A) by adding after the item relating to section 225 the
following new item:
``Sec. 226. Enhancement of cybersecurity.'';
and
(B) by striking the item relating to subtitle C of title II
and inserting the following new item:
``Subtitle C--Cybersecurity and Information Sharing''.
SEC. 103. PROTECTION OF CRITICAL INFRASTRUCTURE AND
INFORMATION SHARING.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002, as amended by section 102, is further
amended by adding at the end the following new section:
``SEC. 227. PROTECTION OF CRITICAL INFRASTRUCTURE AND
INFORMATION SHARING.
``(a) Protection of Critical Infrastructure.--
``(1) In general.--The Secretary shall coordinate, on an
ongoing basis, with Federal, State, and local governments,
national laboratories, critical infrastructure owners,
critical infrastructure operators, and other cross sector
coordinating entities to--
``(A) facilitate a national effort to strengthen and
maintain secure, functioning, and resilient critical
infrastructure from cyber threats;
``(B) ensure that Department policies and procedures enable
critical infrastructure owners and critical infrastructure
operators to receive real-time, actionable, and relevant
cyber threat information;
``(C) seek industry sector-specific expertise to--
``(i) assist in the development of voluntary security and
resiliency strategies; and
``(ii) ensure that the allocation of Federal resources are
cost effective and reduce any burden on critical
infrastructure owners and critical infrastructure operators;
``(D) upon request of entities, facilitate and assist risk
management efforts of such entities to reduce
vulnerabilities, identify and disrupt threats, and minimize
consequences to their critical infrastructure;
``(E) upon request of critical infrastructure owners or
critical infrastructure operators, provide education and
assistance to such owners and operators on how they may use
protective measures and countermeasures to strengthen the
security and resilience of the Nation's critical
infrastructure; and
``(F) coordinate a research and development strategy to
facilitate and promote advancements and innovation in
cybersecurity technologies to protect critical
infrastructure.
``(2) Additional responsibilities.--The Secretary shall--
``(A) manage Federal efforts to secure, protect, and ensure
the resiliency of Federal civilian information systems using
a risk-based and performance-based approach, and, upon
request of critical infrastructure owners or critical
infrastructure operators, support such owners' and operators'
efforts to secure, protect, and ensure the resiliency of
critical infrastructure from cyber threats;
``(B) direct an entity within the Department to serve as a
Federal civilian entity by and among Federal, State, and
local governments, private entities, and critical
infrastructure sectors to provide multi-directional sharing
of real-time, actionable, and relevant cyber threat
information;
``(C) build upon existing mechanisms to promote a national
awareness effort to educate the general public on the
importance of securing information systems;
``(D) upon request of Federal, State, and local government
entities and private entities, facilitate expeditious cyber
incident response and recovery assistance, and provide
analysis and warnings related to threats to and
vulnerabilities of critical information systems, crisis and
consequence management support, and other remote or on-site
technical assistance with the heads of other appropriate
Federal agencies to Federal, State, and local government
entities and private entities for cyber incidents affecting
critical infrastructure;
``(E) engage with international partners to strengthen the
security and resilience of domestic critical infrastructure
and critical infrastructure located outside of the United
States upon which the United States depends; and
``(F) conduct outreach to educational institutions,
including historically black colleges and universities,
Hispanic serving institutions, Native American colleges, and
institutions serving persons with disabilities, to encourage
such institutions to promote cybersecurity awareness.
``(3) Rule of construction.--Nothing in this section may be
construed to require any private entity to request assistance
from the Secretary, or require any private entity requesting
such assistance to implement any measure or recommendation
suggested by the Secretary.
``(b) Critical Infrastructure Sectors.--The Secretary, in
collaboration with the heads of other appropriate Federal
agencies, shall designate critical infrastructure sectors
(that may include subdivisions of sectors within a sector as
the Secretary may determine appropriate). The critical
infrastructure sectors designated under this subsection may
include the following:
``(1) Chemical.
``(2) Commercial facilities.
``(3) Communications.
``(4) Critical manufacturing.
``(5) Dams.
``(6) Defense Industrial Base.
``(7) Emergency services.
``(8) Energy.
``(9) Financial services.
``(10) Food and agriculture.
``(11) Government facilities.
``(12) Healthcare and public health.
``(13) Information technology.
``(14) Nuclear reactors, materials, and waste.
``(15) Transportation systems.
``(16) Water and wastewater systems.
``(17) Such other sectors as the Secretary determines
appropriate.
``(c) Sector Specific Agencies.--The Secretary, in
collaboration with the relevant critical infrastructure
sector and the heads of other appropriate Federal agencies,
shall recognize the Federal agency designated as of November
1, 2013, as the `Sector Specific Agency' for each critical
infrastructure sector designated under subsection (b). If the
designated Sector Specific Agency for a particular critical
infrastructure sector is the Department, for the purposes of
this section, the Secretary shall carry out this section. The
Secretary, in coordination with the heads of each such Sector
Specific Agency shall--
``(1) support the security and resilience activities of the
relevant critical infrastructure sector in accordance with
this subtitle; and
``(2) provide institutional knowledge and specialized
expertise to the relevant critical infrastructure sector.
``(d) Sector Coordinating Councils.--
``(1) Recognition.--The Secretary, in collaboration with
each critical infrastructure sector and the relevant Sector
Specific Agency, shall recognize and partner with the Sector
Coordinating Council for each critical infrastructure sector
designated under subsection (b) to coordinate with each such
sector on security and resilience activities and emergency
response and recovery efforts.
``(2) Membership.--
``(A) In general.--The Sector Coordinating Council for a
critical infrastructure sector designated under subsection
(b) shall--
``(i) be comprised exclusively of relevant critical
infrastructure owners, critical infrastructure operators,
private entities, and representative trade associations for
the sector;
``(ii) reflect the unique composition of each sector; and
``(iii) as appropriate, include relevant small, medium, and
large critical infrastructure owners, critical infrastructure
operators, private entities, and representative trade
associations for the sector.
``(B) Prohibition.--No government entity with regulating
authority shall be a member of the Sector Coordinating
Council.
``(C) Limitation.--The Secretary shall have no role in the
determination of the membership of a Sector Coordinating
Council.
``(3) Roles and responsibilities.--The Sector Coordinating
Council for a critical infrastructure sector shall--
``(A) serve as a self-governing, self-organized primary
policy, planning, and strategic communications entity for
coordinating with the Department, the relevant Sector-
Specific Agency designated under subsection (c), and the
relevant Information Sharing and Analysis Centers under
subsection (e) on security and resilience activities and
emergency response and recovery efforts;
``(B) establish governance and operating procedures, and
designate a chairperson for the sector to carry out the
activities described in this subsection;
``(C) coordinate with the Department, the relevant
Information Sharing and Analysis Centers under subsection
(e), and other Sector Coordinating Councils to update,
maintain, and exercise the National Cybersecurity Incident
Response Plan in accordance with section 229(b); and
``(D) provide any recommendations to the Department on
infrastructure protection technology gaps to help inform
research and development efforts at the Department.
``(e) Sector Information Sharing and Analysis Centers.--
``(1) Recognition.--The Secretary, in collaboration with
the relevant Sector Coordinating Council and the critical
infrastructure sector represented by such Council, and in
coordination with the relevant Sector Specific Agency, shall
recognize at least one Information Sharing and Analysis
Center for each critical infrastructure sector designated
under subsection (b) for purposes of paragraph (3). No other
Information Sharing and Analysis Organizations, including
Information Sharing and Analysis Centers, may be precluded
from having an information sharing relationship within the
National Cybersecurity and Communications Integration Center
established pursuant to section 228. Nothing in this
subsection or any other provision of this subtitle may be
construed to limit, restrict, or condition any private entity
or activity utilized by, among, or between private entities.
``(2) Roles and responsibilities.--In addition to such
other activities as may be authorized by law, at least one
Information Sharing and Analysis Center for a critical
infrastructure sector shall--
``(A) serve as an information sharing resource for such
sector and promote ongoing multi-directional sharing of real-
time, relevant, and actionable cyber threat information and
analysis by and among such sector, the Department, the
relevant Sector Specific Agency, and other critical
infrastructure sector Information Sharing and Analysis
Centers;
``(B) establish governance and operating procedures to
carry out the activities conducted under this subsection;
``(C) serve as an emergency response and recovery
operations coordination point for such sector, and upon
request, facilitate cyber incident response capabilities in
coordination with the Department, the relevant Sector
Specific Agency and the relevant Sector Coordinating Council;
``(D) facilitate cross-sector coordination and sharing of
cyber threat information to prevent related or consequential
impacts to other critical infrastructure sectors;
``(E) coordinate with the Department, the relevant Sector
Coordinating Council, the relevant Sector Specific Agency,
and other critical infrastructure sector Information Sharing
and Analysis Centers on the development, integration, and
implementation of procedures to support technology neutral,
real-time information sharing capabilities and mechanisms
within the National Cybersecurity and Communications
Integration Center established pursuant to section 228,
including--
``(i) the establishment of a mechanism to voluntarily
report identified vulnerabilities and opportunities for
improvement;
``(ii) the establishment of metrics to assess the
effectiveness and timeliness of the Department's and
Information Sharing and Analysis Centers' information sharing
capabilities; and
``(iii) the establishment of a mechanism for anonymous
suggestions and comments;
``(F) implement an integration and analysis function to
inform sector planning, risk mitigation, and operational
activities regarding the protection of each critical
infrastructure sector from cyber incidents;
``(G) combine consequence, vulnerability, and threat
information to share actionable assessments of critical
infrastructure sector risks from cyber incidents;
``(H) coordinate with the Department, the relevant Sector
Specific Agency, and the relevant Sector Coordinating Council
to update, maintain, and exercise the National Cybersecurity
Incident Response Plan in accordance with section 229(b); and
``(I) safeguard cyber threat information from unauthorized
disclosure.
``(3) Funding.--Of the amounts authorized to be
appropriated for each of fiscal years 2014, 2015, and 2016
for the Cybersecurity and Communications Office of the
Department, the Secretary is authorized to use not less than
$25,000,000 for any such year for operations support at the
National Cybersecurity and Communications Integration Center
established under section 228(a) of all recognized
Information Sharing and Analysis Centers under paragraph (1)
of this subsection.
``(f) Clearances.--The Secretary--
``(1) shall expedite the process of security clearances
under Executive Order 13549 or successor orders for
appropriate representatives of Sector Coordinating Councils
and the critical infrastructure sector Information Sharing
and Analysis Centers; and
``(2) may so expedite such processing to--
``(A) appropriate personnel of critical infrastructure
owners and critical infrastructure operators; and
``(B) any other person as determined by the Secretary.
``(g) Public-Private Collaboration.--The Secretary, in
collaboration with the critical infrastructure sectors
designated under subsection (b), such sectors' Sector
Specific Agencies recognized under subsection (c), and the
Sector Coordinating Councils recognized under subsection (d),
shall--
``(1) conduct an analysis and review of the existing
public-private partnership model and evaluate how the model
between the Department and critical infrastructure owners and
critical infrastructure operators can be improved to ensure
the Department, critical infrastructure owners, and critical
infrastructure operators are equal partners and regularly
collaborate on all programs and activities of the Department
to protect critical infrastructure;
``(2) develop and implement procedures to ensure
continuous, collaborative, and effective interactions between
the Department, critical infrastructure owners, and critical
infrastructure operators; and
``(3) ensure critical infrastructure sectors have a
reasonable period for review and comment of all jointly
produced materials with the Department.
``(h) Recommendations Regarding New Agreements.--Not later
than 180 days after the date of the enactment of this
section, the Secretary shall submit to the appropriate
congressional committees recommendations on how to expedite
the implementation of information sharing agreements for
cybersecurity purposes between the Secretary and critical
information owners and critical infrastructure operators and
other private entities. Such recommendations shall address
the development and utilization of a scalable form that
retains all privacy and other protections in such agreements
in existence as of such date, including Cooperative and
Research Development Agreements. Such recommendations should
also include any additional authorities or resources that may
be needed to carry out the implementation of any such new
agreements.
``(i) Rule of Construction.--No provision of this title may
be construed as modifying, limiting, or otherwise affecting
the authority of any other Federal agency under any other
provision of law.''.
(b) Clerical Amendment.--The table of contents in section
1(b) of such Act is amended by adding after the item relating
to section 226 (as added by section 102) the following new
item:
``Sec. 227. Protection of critical infrastructure and information
sharing.''.
SEC. 104. NATIONAL CYBERSECURITY AND COMMUNICATIONS
INTEGRATION CENTER.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002, as amended by sections 102 and 103, is
further amended by adding at the end the following new
section:
``SEC. 228. NATIONAL CYBERSECURITY AND COMMUNICATIONS
INTEGRATION CENTER.
``(a) Establishment.--There is established in the
Department the National Cybersecurity and Communications
Integration Center (referred to in this section as the
`Center'), which shall be a Federal civilian information
sharing interface that provides shared situational awareness
to enable real-time, integrated, and operational actions
across the Federal Government, and share cyber threat
information by and among Federal, State, and local government
entities, Information Sharing and Analysis Centers, private
entities, and critical infrastructure owners and critical
infrastructure operators that have an information sharing
relationship with the Center.
``(b) Composition.--The Center shall include each of the
following entities:
``(1) At least one Information Sharing and Analysis Center
established under section 227(e) for each critical
infrastructure sector.
``(2) The Multi-State Information Sharing and Analysis
Center to collaborate with State and local governments.
``(3) The United States Computer Emergency Readiness Team
to coordinate cyber threat information sharing, proactively
manage cyber risks to the United States, collaboratively
respond to cyber incidents, provide technical assistance to
information system owners and operators, and disseminate
timely notifications regarding current and potential cyber
threats and vulnerabilities.
``(4) The Industrial Control System Cyber Emergency
Response Team to coordinate with industrial control systems
owners and operators and share industrial control systems-
related security incidents and mitigation measures.
``(5) The National Coordinating Center for
Telecommunications to coordinate the protection, response,
and recovery of national security emergency communications.
``(6) Such other Federal, State, and local government
entities, private entities, organizations, or individuals as
the Secretary may consider appropriate that agree to be
included.
``(c) Cyber Incident.--In the event of a cyber incident,
the Secretary may grant the entities referred to in
subsection (a) immediate temporary access to the Center as a
situation may warrant.
``(d) Roles and Responsibilities.--The Center shall--
``(1) promote ongoing multi-directional sharing by and
among the entities referred to in subsection (a) of timely
and actionable cyber threat information and analysis on a
real-time basis that includes emerging trends, evolving
threats, incident reports, intelligence information, risk
assessments, and best practices;
``(2) coordinate with other Federal agencies to streamline
and reduce redundant reporting of cyber threat information;
``(3) provide, upon request, timely technical assistance
and crisis management support to Federal, State, and local
government entities and private entities that own or operate
information systems or networks of information systems to
protect from, prevent, mitigate, respond to, and recover from
cyber incidents;
``(4) facilitate cross-sector coordination and sharing of
cyber threat information to prevent related or consequential
impacts to other critical infrastructure sectors;
``(5) collaborate and facilitate discussions with Sector
Coordinating Councils, Information Sharing and Analysis
Centers, Sector Specific Agencies, and relevant critical
infrastructure sectors on the development of prioritized
Federal response efforts, if necessary, to support the
defense and recovery of critical infrastructure from cyber
incidents;
``(6) collaborate with the Sector Coordinating Councils,
Information Sharing and Analysis Centers, Sector Specific
Agencies, and the relevant critical infrastructure sectors on
the development and implementation of procedures to support
technology neutral real-time information sharing capabilities
and mechanisms;
``(7) collaborate with the Sector Coordinating Councils,
Information Sharing and Analysis Centers, Sector Specific
Agencies, and the relevant critical infrastructure sectors to
identify requirements for data and information formats and
accessibility, system interoperability, and redundant systems
and alternative capabilities in the event of a disruption in
the primary information sharing capabilities and mechanisms
at the Center;
``(8) within the scope of relevant treaties, cooperate with
international partners to share information and respond to
cyber incidents;
``(9) safeguard sensitive cyber threat information from
unauthorized disclosure;
``(10) require other Federal civilian agencies to--
``(A) send reports and information to the Center about
cyber incidents, threats, and vulnerabilities affecting
Federal civilian information systems and critical
infrastructure systems and, in the event a private vendor
product or service of such an agency is so implicated, the
Center shall first notify such private vendor of the
vulnerability before further disclosing such information;
``(B) provide to the Center cyber incident detection,
analysis, mitigation, and response information; and
``(C) immediately send and disclose to the Center cyber
threat information received by such agencies;
``(11) perform such other duties as the Secretary may
require to facilitate a national effort to strengthen and
maintain secure, functioning, and resilient critical
infrastructure from cyber threats;
``(12) implement policies and procedures to--
``(A) provide technical assistance to Federal civilian
agencies to prevent and respond to data breaches involving
unauthorized acquisition or access of personally identifiable
information that occur on Federal civilian information
systems;
``(B) require Federal civilian agencies to notify the
Center about data breaches involving unauthorized acquisition
or access of personally identifiable information that occur
on Federal civilian information systems without unreasonable
delay after the discovery of such a breach; and
``(C) require Federal civilian agencies to notify all
potential victims of a data breach involving unauthorized
acquisition or access of personally identifiable information
that occur on Federal civilian information systems without
unreasonable delay, based on a reasonable determination of
the level of risk of harm and consistent with the needs of
law enforcement; and
``(13) participate in exercises run by the Department's
National Exercise Program, where appropriate.
``(e) Integration and Analysis.--The Center, in
coordination with the Office of Intelligence and Analysis of
the Department, shall maintain an integration and analysis
function, which shall--
``(1) integrate and analyze all cyber threat information
received from other Federal agencies, State and local
governments, Information Sharing and Analysis Centers,
private entities, critical infrastructure owners, and
critical infrastructure operators, and share relevant
information in near real-time;
``(2) on an ongoing basis, assess and evaluate consequence,
vulnerability, and threat information to share with the
entities referred to in subsection (a) actionable assessments
of critical infrastructure sector risks from cyber incidents
and to assist critical infrastructure owners and critical
infrastructure operators by making recommendations to
facilitate continuous improvements to the security and
resiliency of the critical infrastructure of the United
States;
``(3) facilitate cross-sector integration, identification,
and analysis of key interdependencies to prevent related or
consequential impacts to other critical infrastructure
sectors;
``(4) collaborate with the Information Sharing and Analysis
Centers to tailor the analysis of information to the specific
characteristics and risk to a relevant critical
infrastructure sector; and
``(5) assess and evaluate consequence, vulnerability, and
threat information regarding cyber incidents in coordination
with the Office of Emergency Communications of the Department
to help facilitate continuous improvements to the security
and resiliency of public safety communications networks.
``(f) Report of Cyber Attacks Against Federal Government
Networks.--The Secretary shall submit to the Committee on
Homeland Security of the House of Representatives, the
Committee on Homeland Security and Governmental Affairs of
the Senate, and the Comptroller General of the United States
an annual report that summarizes major cyber incidents
involving Federal civilian agency information systems and
provides aggregate statistics on the number of breaches, the
extent of any personally identifiable information that was
involved, the volume of data exfiltrated, the consequential
impact, and the estimated cost of remedying such breaches.
``(g) Report on the Operations of the Center.--The
Secretary, in consultation with the Sector Coordinating
Councils and appropriate Federal Government entities, shall
submit to the Committee on Homeland Security of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Comptroller
General of the United States an annual report on--
``(1) the capability and capacity of the Center to carry
out its cybersecurity mission in accordance with this
section, and sections 226, 227, 229, 230, 230A, and 230B;
``(2) the extent to which the Department is engaged in
information sharing with each critical infrastructure sector
designated under section 227(b), including--
``(A) the extent to which each such sector has
representatives at the Center; and
``(B) the extent to which critical infrastructure owners
and critical infrastructure operators of each critical
infrastructure sector participate in information sharing at
the Center;
``(3) the volume and range of activities with respect to
which the Secretary collaborated with the Sector Coordinating
Councils and the Sector-Specific Agencies to promote greater
engagement with the Center; and
``(4) the volume and range of voluntary technical
assistance sought and provided by the Department to each
critical infrastructure owner and critical infrastructure
operator.''.
(b) Clerical Amendment.--The table of contents in section
1(b) of such Act is amended by adding after the item relating
to section 227 (as added by section 103) the following new
item:
``Sec. 228. National Cybersecurity and Communications Integration
Center.''.
(c) GAO Report.--Not later than one year after the date of
the enactment of this Act, the Comptroller General of the
United States shall submit to the Committee on Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate a
report on the effectiveness of the National Cybersecurity and
Communications Integration Center established under section
228 of the Homeland Security Act of 2002, as added by
subsection (a) of this section, in carrying out its
cybersecurity mission (as such term is defined in section 2
of the Homeland Security Act of 2002, as amended by section
101) in accordance with this Act and such section 228 and
sections 226, 227, 229, 230, 230A, and 230B of the Homeland
Security Act of 2002, as added by this Act.
SEC. 105. CYBER INCIDENT RESPONSE AND TECHNICAL ASSISTANCE.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002, as amended by sections 102, 103, and
104, is further amended by adding at the end the following
new section:
``SEC. 229. CYBER INCIDENT RESPONSE AND TECHNICAL ASSISTANCE.
``(a) In General.--The Secretary shall establish Cyber
Incident Response Teams to--
``(1) upon request, provide timely technical assistance and
crisis management support to Federal, State, and local
government entities, private entities, and critical
infrastructure owners and critical infrastructure operators
involving cyber incidents affecting critical infrastructure;
and
``(2) upon request, provide actionable recommendations on
security and resilience measures and countermeasures to
Federal, State, and local government entities, private
entities, and critical infrastructure owners and critical
infrastructure operators prior to, during, and after cyber
incidents.
``(b) Coordination.--In carrying out subsection (a), the
Secretary shall coordinate with the relevant Sector Specific
Agencies, if applicable.
``(c) Cyber Incident Response Plan.--The Secretary, in
coordination with the Sector Coordinating Councils,
Information Sharing and Analysis Centers, and Federal, State,
and local governments, shall develop, regularly update,
maintain, and exercise a National Cybersecurity Incident
Response Plan which shall--
``(1) include effective emergency response plans associated
with cyber threats to critical infrastructure, information
systems, or networks of information systems;
``(2) ensure that such National Cybersecurity Incident
Response Plan can adapt to and reflect a changing cyber
threat environment, and incorporate best practices and
lessons learned from regular exercises, training, and after-
action reports; and
``(3) facilitate discussions on the best methods for
developing innovative and useful cybersecurity exercises for
coordinating between the Department and each of the critical
infrastructure sectors designated under section 227(b).
``(d) Update to Cyber Incident Annex to the National
Response Framework.--The Secretary, in coordination with the
heads of other Federal agencies and in accordance with the
National Cybersecurity Incident Response Plan under
subsection (c), shall regularly update, maintain, and
exercise the Cyber Incident Annex to the National Response
Framework of the Department.''.
(b) Clerical Amendment.--The table of contents in section
1(b) of such Act is amended by adding after the item relating
to section 228 (as added by section 104) the following new
item:
``Sec. 229. Cyber incident response and technical assistance.''.
SEC. 106. STREAMLINING OF DEPARTMENT CYBERSECURITY
ORGANIZATION.
(a) Cybersecurity and Infrastructure Protection
Directorate.--The National Protection and Programs
Directorate of the Department of Homeland Security shall,
after the date of the enactment of this Act, be known and
designated as the ``Cybersecurity and Infrastructure
Protection Directorate''. Any reference to the National
Protection and Programs Directorate of the Department in any
law, regulation, map, document, record, or other paper of the
United States shall be deemed to be a reference to the
Cybersecurity and Infrastructure Protection Directorate of
the Department.
(b) Senior Leadership of the Cybersecurity and
Infrastructure Protection Directorate.--
(1) In general.--Paragraph (1) of section 103(a) of the
Homeland Security Act of 2002 (6 U.S.C. 113(a)) is amended by
adding at the end the following new subparagraphs:
``(K) Under Secretary for Cybersecurity and Infrastructure
Protection.
``(L) Deputy Under Secretary for Cybersecurity.
``(M) Deputy Under Secretary for Infrastructure
Protection.''.
(2) Continuation in office.--The individuals who hold the
positions referred to in subparagraphs (K), (L), and (M) of
subsection (a) of section 103 of the Homeland Security Act of
2002 (as added by paragraph (1) of this subsection) as of the
date of the enactment of this Act may continue to hold such
positions.
(c) Report on Improving the Capability and Effectiveness of
the Cybersecurity and Communications Office.--To improve the
operational capability and effectiveness in carrying out the
cybersecurity mission (as such term is defined in section 2
of the Homeland Security Act of 2002, as amended by section
101) of the Department of Homeland Security, the Secretary of
Homeland Security shall submit to the Committee on Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate a
report on--
[[Page H6913]]
(1) the feasibility of making the Cybersecurity and
Communications Office of the Department an operational
component of the Department;
(2) recommendations for restructuring the SAFETY Act Office
within the Department to protect and maintain operations in
accordance with the Office's mission to provide incentives
for the development and deployment of anti-terrorism
technologies while elevating the profile and mission of the
Office, including the feasibility of utilizing third-party
registrars for improving the throughput and effectiveness of
the certification process.
(d) Report on Cybersecurity Acquisition Capabilities.--The
Secretary of Homeland Security shall assess the effectiveness
of the Department of Homeland Security's acquisition
processes and the use of existing authorities for acquiring
cybersecurity technologies to ensure that such processes and
authorities are capable of meeting the needs and demands of
the Department's cybersecurity mission (as such term is
defined in section 2 of the Homeland Security Act of 2002, as
amended by section 101). Not later than 180 days after the
date of the enactment of this Act, the Secretary shall submit
to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report on the
effectiveness of the Department's acquisition processes for
cybersecurity technologies.
(e) Resource Information.--The Secretary of Homeland
Security shall make available Department of Homeland Security
contact information to serve as a resource for Sector
Coordinating Councils and critical infrastructure owners and
critical infrastructure operators to better coordinate
cybersecurity efforts with the Department relating to
emergency response and recovery efforts for cyber incidents.
TITLE II--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
SEC. 201. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.
(a) National Institute of Standards and Technology.--
(1) In general.--The Director of the National Institute of
Standards and Technology, in coordination with the Secretary
of Homeland Security, shall, on an ongoing basis, facilitate
and support the development of a voluntary, industry-led set
of standards, guidelines, best practices, methodologies,
procedures, and processes to reduce cyber risks to critical
infrastructure. The Director, in coordination with the
Secretary--
(A) shall--
(i) coordinate closely and continuously with relevant
private entities, critical infrastructure owners and critical
infrastructure operators, Sector Coordinating Councils,
Information Sharing and Analysis Centers, and other relevant
industry organizations, and incorporate industry expertise to
the fullest extent possible;
(ii) consult with the Sector Specific Agencies, Federal,
State and local governments, the governments of other
countries, and international organizations;
(iii) utilize a prioritized, flexible, repeatable,
performance-based, and cost-effective approach, including
information security measures and controls, that may be
voluntarily adopted by critical infrastructure owners and
critical infrastructure operators to help them identify,
assess, and manage cyber risks;
(iv) include methodologies to--
(I) identify and mitigate impacts of the cybersecurity
measures or controls on business confidentiality; and
(II) protect individual privacy and civil liberties;
(v) incorporate voluntary consensus standards and industry
best practices, and align with voluntary international
standards to the fullest extent possible;
(vi) prevent duplication of regulatory processes and
prevent conflict with or superseding of regulatory
requirements, mandatory standards, and processes; and
(vii) include such other similar and consistent elements as
determined necessary; and
(B) shall not prescribe or otherwise require--
(i) the use of specific solutions;
(ii) the use of specific information technology products or
services; or
(iii) that information technology products or services be
designed, developed, or manufactured in a particular manner.
(2) Limitation.--Information shared with or provided to the
Director of the National Institute of Standards and
Technology or the Secretary of Homeland Security for the
purpose of the activities under paragraph (1) may not be used
by any Federal, State, or local government department or
agency to regulate the activity of any private entity.
(b) Amendment.--
(1) In general.--Subtitle C of title II of the Homeland
Security Act of 2002, as amended by sections 102, 103, 104,
and 105, is further amended by adding at the end the
following new section:
``SEC. 230. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.
``(a) Meetings.--The Secretary shall meet with the Sector
Coordinating Council for each critical infrastructure sector
designated under section 227(b) on a biannual basis to
discuss the cybersecurity threat to critical infrastructure,
voluntary activities to address cybersecurity, and ideas to
improve the public-private partnership to enhance
cybersecurity, in which the Secretary shall--
``(1) provide each Sector Coordinating Council an
assessment of the cybersecurity threat to each critical
infrastructure sector designated under section 227(b),
including information relating to--
``(A) any actual or assessed cyber threat, including a
consideration of adversary capability and intent,
preparedness, target attractiveness, and deterrence
capabilities;
``(B) the extent and likelihood of death, injury, or
serious adverse effects to human health and safety caused by
an act of terrorism or other disruption, destruction, or
unauthorized use of critical infrastructure;
``(C) the threat to national security caused by an act of
terrorism or other disruption, destruction, or unauthorized
use of critical infrastructure; and
``(D) the harm to the economy that would result from an act
of terrorism or other disruption, destruction, or
unauthorized use of critical infrastructure; and
``(2) provide recommendations, which may be voluntarily
adopted, on ways to improve cybersecurity of critical
infrastructure.
``(b) Report.--
``(1) In general.--Starting 30 days after the end of the
fiscal year in which the National Cybersecurity and Critical
Infrastructure Protection Act of 2013 is enacted and annually
thereafter, the Secretary shall submit to the appropriate
congressional committees a report on the state of
cybersecurity for each critical infrastructure sector
designated under section 227(b) based on discussions between
the Department and the Sector Coordinating Council in
accordance with subsection (a) of this section. The Secretary
shall maintain a public copy of each report, and each report
may include a non-public annex for proprietary, business-
sensitive information, or other sensitive information. Each
report shall include, at a minimum information relating to--
``(A) the risk to each critical infrastructure sector,
including known cyber threats, vulnerabilities, and potential
consequences;
``(B) the extent and nature of any cybersecurity incidents
during the previous year, including the extent to which cyber
incidents jeopardized or imminently jeopardized information
systems;
``(C) the current status of the voluntary, industry-led set
of standards, guidelines, best practices, methodologies,
procedures, and processes to reduce cyber risks within each
critical infrastructure sector; and
``(D) the volume and range of voluntary technical
assistance sought and provided by the Department to each
critical infrastructure sector.
``(2) Sector coordinating council response.--Before making
public and submitting each report required under paragraph
(1), the Secretary shall provide a draft of each report to
the Sector Coordinating Council for the critical
infrastructure sector covered by each such report. The Sector
Coordinating Council at issue may provide to the Secretary a
written response to such report within 45 days of receiving
the draft. If such Sector Coordinating Council provides a
written response, the Secretary shall include such written
response in the final version of each report required under
paragraph (1).
``(c) Limitation.--Information shared with or provided to a
Sector Coordinating Council, a critical infrastructure
sector, or the Secretary for the purpose of the activities
under subsections (a) and (b) may not be used by any Federal,
State, or local government department or agency to regulate
the activity of any private entity.''.
(2) Clerical amendment.--The table of contents in section
1(b) of such Act is amended by adding after the item relating
to section 229 (as added by section 105) the following new
item:
``Sec. 230. Public-private collaboration on cybersecurity.''.
SEC. 202. SAFETY ACT AND QUALIFYING CYBER INCIDENTS.
(a) In General.--The Support Anti-Terrorism By Fostering
Effective Technologies Act of 2002 (6 U.S.C. 441 et seq.) is
amended--
(1) in section 862(b) (6 U.S.C. 441(b))--
(A) in the heading, by striking ``Designation of Qualified
Anti-Terrorism Technologies'' and inserting ``Designation of
Anti-Terrorism and Cybersecurity Technologies'';
(B) in the matter preceding paragraph (1), by inserting
``and cybersecurity'' after ``anti-terrorism'';
(C) in paragraphs (3), (4), and (5), by inserting ``or
cybersecurity'' after ``anti-terrorism'' each place it
appears; and
(D) in paragraph (7)--
(i) by inserting ``or cybersecurity technology'' after
``Anti-terrorism technology''; and
(ii) by inserting ``or qualifying cyber incidents'' after
``acts of terrorism'';
(2) in section 863 (6 U.S.C. 442)--
(A) by inserting ``or cybersecurity'' after ``anti-
terrorism'' each place it appears;
(B) by inserting ``or qualifying cyber incident'' after
``act of terrorism'' each place it appears; and
(C) by inserting ``or qualifying cyber incidents'' after
``acts of terrorism'' each place it appears;
(3) in section 864 (6 U.S.C. 443)--
(A) by inserting ``or cybersecurity'' after ``anti-
terrorism'' each place it appears; and
(B) by inserting ``or qualifying cyber incident'' after
``act of terrorism'' each place it appears; and
(4) in section 865 (6 U.S.C. 444)--
[[Page H6914]]
(A) in paragraph (1)--
(i) in the heading, by inserting ``or cybersecurity'' after
``anti-terrorism'';
(ii) by inserting ``or cybersecurity'' after ``anti-
terrorism'';
(iii) by inserting ``or qualifying cyber incidents'' after
``acts of terrorism''; and
(iv) by inserting ``or incidents'' after ``such acts''; and
(B) by adding at the end the following new paragraph:
``(7) Qualifying cyber incident.--
``(A) In general.--The term `qualifying cyber incident'
means any act that the Secretary determines meets the
requirements under subparagraph (B), as such requirements are
further defined and specified by the Secretary.
``(B) Requirements.--A qualifying cyber incident meets the
requirements of this subparagraph if--
``(i) the incident is unlawful or otherwise exceeds
authorized access authority;
``(ii) the incident disrupts or imminently jeopardizes the
integrity, operation, confidentiality, or availability of
programmable electronic devices, communication networks,
including hardware, software and data that are essential to
their reliable operation, electronic storage devices, or any
other information system, or the information that system
controls, processes, stores, or transmits;
``(iii) the perpetrator of the incident gains access to an
information system or a network of information systems
resulting in--
``(I) misappropriation or theft of data, assets,
information, or intellectual property;
``(II) corruption of data, assets, information, or
intellectual property;
``(III) operational disruption; or
``(IV) an adverse effect on such system or network, or the
data, assets, information, or intellectual property contained
therein; and
``(iv) the incident causes harm inside or outside the
United States that results in material levels of damage,
disruption, or casualties severely affecting the United
States population, infrastructure, economy, or national
morale, or Federal, State, local, or tribal government
functions.
``(C) Rule of construction.--For purposes of clause (iv) of
subparagraph (B), the term `severely' includes any qualifying
cyber incident, whether at a local, regional, state,
national, international, or tribal level, that affects--
``(i) the United States population, infrastructure,
economy, or national morale, or
``(ii) Federal, State, local, or tribal government
functions.''.
(b) Funding.--Of the amounts authorized to be appropriated
for each of fiscal years 2014, 2015, and 2016 for the
Department of Homeland Security, the Secretary of Homeland
Security is authorized to use not less than $20,000,000 for
any such year for the Department's SAFETY Act Office.
SEC. 203. PROHIBITION ON NEW REGULATORY AUTHORITY.
This Act and the amendments made by this Act (except that
this section shall not apply in the case of section 202 of
this Act and the amendments made by such section 202) do
not--
(1) create or authorize the issuance of any new regulations
or additional Federal Government regulatory authority; or
(2) permit regulatory actions that would duplicate,
conflict with, or supercede regulatory requirements,
mandatory standards, or related processes.
SEC. 204. PROHIBITION ON ADDITIONAL AUTHORIZATION OF
APPROPRIATIONS.
No additional funds are authorized to be appropriated to
carry out this Act and the amendments made by this Act. This
Act and such amendments shall be carried out using amounts
otherwise available for such purposes.
SEC. 205. PROHIBITION ON COLLECTION ACTIVITIES TO TRACK
INDIVIDUALS' PERSONALLY IDENTIFIABLE
INFORMATION.
Nothing in this Act shall permit the Department of Homeland
Security to engage in the monitoring, surveillance,
exfiltration, or other collection activities for the purpose
of tracking an individual's personally identifiable
information.
SEC. 206. CYBERSECURITY SCHOLARS.
The Secretary of Homeland Security shall determine the
feasibility and potential benefit of developing a visiting
security researchers program from academia, including
cybersecurity scholars at the Department of Homeland
Security's Centers of Excellence, as designated by the
Secretary, to enhance knowledge with respect to the unique
challenges of addressing cyber threats to critical
infrastructure. Eligible candidates shall possess necessary
security clearances and have a history of working with
Federal agencies in matters of national or domestic security.
SEC. 207. NATIONAL RESEARCH COUNCIL STUDY ON THE RESILIENCE
AND RELIABILITY OF THE NATION'S POWER GRID.
(a) Independent Study.--Not later than 60 days after the
date of the enactment of this Act, the Secretary of Homeland
Security, in coordination with the heads of other departments
and agencies, as necessary, shall enter into an agreement
with the National Research Council to conduct research of the
future resilience and reliability of the Nation's electric
power transmission and distribution system. The research
under this subsection shall be known as the ``Saving More
American Resources Today Study'' or the ``SMART Study''. In
conducting such research, the National Research Council
shall--
(1) research the options for improving the Nation's ability
to expand and strengthen the capabilities of the Nation's
power grid, including estimation of the cost, time scale for
implementation, and identification of the scale and scope of
any potential significant health and environmental impacts;
(2) consider the forces affecting the grid, including
technical, economic, regulatory, environmental, and
geopolitical factors, and how such forces are likely to
affect--
(A) the efficiency, control, reliability and robustness of
operation;
(B) the ability of the grid to recover from disruptions,
including natural disasters and terrorist attacks;
(C) the ability of the grid to incorporate greater reliance
on distributed and intermittent power generation and
electricity storage;
(D) the ability of the grid to adapt to changing patterns
of demand for electricity; and
(E) the economic and regulatory factors affecting the
evolution of the grid;
(3) review Federal, State, industry, and academic research
and development programs and identify technological options
that could improve the future grid;
(4) review studies and analyses prepared by the North
American Electric Reliability Corporation (NERC) regarding
the future resilience and reliability of the grid;
(5) review the implications of increased reliance on
digital information and control of the power grid for
improving reliability, resilience, and congestion and for
potentially increasing vulnerability to cyber attack;
(6) review regulatory, industry, and institutional factors
and programs affecting the future of the grid;
(7) research the costs and benefits, as well as the
strengths and weaknesses, of the options identified under
paragraph (1) to address the emerging forces described in
paragraph (2) that are shaping the grid;
(8) identify the barriers to realizing the options
identified and suggest strategies for overcoming those
barriers including suggested actions, priorities, incentives,
and possible legislative and executive actions; and
(9) research the ability of the grid to integrate existing
and future infrastructure, including utilities,
telecommunications lines, highways, and other critical
infrastructure.
(b) Cooperation and Access to Information and Personnel.--
The Secretary shall ensure that the National Research Council
receives full and timely cooperation, including full access
to information and personnel, from the Department of Homeland
Security, the Department of Energy, including the management
and operating components of the Departments, and other
Federal departments and agencies, as necessary, for the
purposes of conducting the study described in subsection (a).
(c) Report.--
(1) In general.--Not later than 18 months from the date on
which the Secretary enters into the agreement with the
National Research Council described in subsection (a), the
National Research Council shall submit to the Secretary and
the Committee on Homeland Security and the Committee on
Energy and Commerce of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs and
the Committee on Energy and Natural Resources of the Senate a
report containing the findings of the research required by
that subsection.
(2) Form of report.--The report under paragraph (1) shall
be submitted in unclassified form, but may include a
classified annex.
(d) Funding.--Of the amounts authorized to be appropriated
for 2014 for the Department of Homeland Security, the
Secretary of Homeland Security is authorized to obligate and
expend not more than $2,000,000 for the National Research
Council report.
TITLE III--HOMELAND SECURITY CYBERSECURITY WORKFORCE
SEC. 301. HOMELAND SECURITY CYBERSECURITY WORKFORCE.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002, as amended by sections 101, 102, 103,
104, 105, and 201, is further amended by adding at the end
the following new section:
``SEC. 230A. CYBERSECURITY OCCUPATION CATEGORIES, WORKFORCE
ASSESSMENT, AND STRATEGY.
``(a) Short Title.--This section may be cited as the
`Homeland Security Cybersecurity Boots-on-the-Ground Act'.
``(b) Cybersecurity Occupation Categories.--
``(1) In general.--Not later than 90 days after the date of
the enactment of this section, the Secretary shall develop
and issue comprehensive occupation categories for individuals
performing activities in furtherance of the cybersecurity
mission of the Department.
``(2) Applicability.--The Secretary shall ensure that the
comprehensive occupation categories issued under paragraph
(1) are used throughout the Department and are made available
to other Federal agencies.
``(c) Cybersecurity Workforce Assessment.--
``(1) In general.--Not later than 180 days after the date
of the enactment of this section and annually thereafter, the
Secretary shall assess the readiness and capacity of the
workforce of the Department to meet its cybersecurity
mission.
[[Page H6915]]
``(2) Contents.--The assessment required under paragraph
(1) shall, at a minimum, include the following:
``(A) Information where cybersecurity positions are located
within the Department, specified in accordance with the
cybersecurity occupation categories issued under subsection
(b).
``(B) Information on which cybersecurity positions are--
``(i) performed by--
``(I) permanent full time departmental employees, together
with demographic information about such employees' race,
ethnicity, gender, disability status, and veterans status;
``(II) individuals employed by independent contractors; and
``(III) individuals employed by other Federal agencies,
including the National Security Agency; and
``(ii) vacant.
``(C) The number of individuals hired by the Department
pursuant to the authority granted to the Secretary in 2009 to
permit the Secretary to fill 1,000 cybersecurity positions
across the Department over a three year period, and
information on what challenges, if any, were encountered with
respect to the implementation of such authority.
``(D) Information on vacancies within the Department's
cybersecurity supervisory workforce, from first line
supervisory positions through senior departmental
cybersecurity positions.
``(E) Information on the percentage of individuals within
each cybersecurity occupation category who received essential
training to perform their jobs, and in cases in which such
training is not received, information on what challenges, if
any, were encountered with respect to the provision of such
training.
``(F) Information on recruiting costs incurred with respect
to efforts to fill cybersecurity positions across the
Department in a manner that allows for tracking of overall
recruiting and identifying areas for better coordination and
leveraging of resources within the Department.
``(d) Workforce Strategy.--
``(1) In general.--Not later than 180 days after the date
of the enactment of this section, the Secretary shall
develop, maintain, and, as necessary, update, a comprehensive
workforce strategy that enhances the readiness, capacity,
training, recruitment, and retention of the cybersecurity
workforce of the Department.
``(2) Contents.--The comprehensive workforce strategy
developed under paragraph (1) shall include--
``(A) a multiphased recruitment plan, including relating to
experienced professionals, members of disadvantaged or
underserved communities, the unemployed, and veterans;
``(B) a 5-year implementation plan;
``(C) a 10-year projection of the Department's
cybersecurity workforce needs; and
``(D) obstacles impeding the hiring and development of a
cybersecurity workforce at the Department.
``(e) Information Security Training.--Not later than 270
days after the date of the enactment of this section, the
Secretary shall establish and maintain a process to verify on
an ongoing basis that individuals employed by independent
contractors who serve in cybersecurity positions at the
Department receive initial and recurrent information security
training comprised of general security awareness training
necessary to perform their job functions, and role-based
security training that is commensurate with assigned
responsibilities. The Secretary shall maintain documentation
to ensure that training provided to an individual under this
subsection meets or exceeds requirements for such
individual's job function.
``(f) Updates.--The Secretary shall submit to the
appropriate congressional committees annual updates regarding
the cybersecurity workforce assessment required under
subsection (c), information on the progress of carrying out
the comprehensive workforce strategy developed under
subsection (d), and information on the status of the
implementation of the information security training required
under subsection (e).
``(g) GAO Study.--The Secretary shall provide the
Comptroller General of the United States with information on
the cybersecurity workforce assessment required under
subsection (c) and progress on carrying out the comprehensive
workforce strategy developed under subsection (d). The
Comptroller General shall submit to the Secretary and the
appropriate congressional committees a study on such
assessment and strategy.
``(h) Cybersecurity Fellowship Program.--Not later than 120
days after the date of the enactment of this section, the
Secretary shall submit to the appropriate congressional
committees a report on the feasibility of establishing a
Cybersecurity Fellowship Program to offer a tuition payment
plan for undergraduate and doctoral candidates who agree to
work for the Department for an agreed-upon period of time.''.
(b) Clerical Amendment.--The table of contents in section
1(b) of such Act is amended by adding after the item relating
to section 230 (as added by section 201) the following new
item:
``Sec. 230A. Cybersecurity occupation categories, workforce assessment,
and strategy.''.
SEC. 302. PERSONNEL AUTHORITIES.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002, as amended by sections 101, 102, 103,
104, 105, 106, 201, and 301 is further amended by adding at
the end the following new section:
``SEC. 230B. PERSONNEL AUTHORITIES.
``(a) In General.--
``(1) Personnel authorities.--The Secretary may exercise
with respect to qualified employees of the Department the
same authority that the Secretary of Defense has with respect
to civilian intelligence personnel and the scholarship
program under sections 1601, 1602, 1603, and 2200a of title
10, United States Code, to establish as positions in the
excepted service, appoint individuals to such positions, fix
pay, and pay a retention bonus to any employee appointed
under this section if the Secretary determines that such is
needed to retain essential personnel. Before announcing the
payment of a bonus under this paragraph, the Secretary shall
submit to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a written explanation of
such determination. Such authority shall be exercised--
``(A) to the same extent and subject to the same conditions
and limitations that the Secretary of Defense may exercise
such authority with respect to civilian intelligence
personnel of the Department of Defense; and
``(B) in a manner consistent with the merit system
principles set forth in section 2301 of title 5, United
States Code.
``(2) Civil service protections.--Sections 1221 and 2302,
and chapter 75 of title 5, United States Code, shall apply to
the positions established pursuant to the authorities
provided under paragraph (1).
``(3) Plan for execution of authorities.--Not later than
120 days after the date of the enactment of this section, the
Secretary shall submit to the Committee on Homeland Security
of the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a report that
contains a plan for the use of the authorities provided under
this subsection.
``(b) Annual Report.--Not later than one year after the
date of the enactment of this section and annually thereafter
for four years, the Secretary shall submit to the Committee
on Homeland Security of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of
the Senate a detailed report (including appropriate metrics
on actions occurring during the reporting period) that
discusses the processes used by the Secretary in implementing
this section and accepting applications, assessing
candidates, ensuring adherence to veterans' preference, and
selecting applicants for vacancies to be filled by a
qualified employee.
``(c) Definition of Qualified Employee.--In this section,
the term `qualified employee' means an employee who performs
functions relating to the security of Federal civilian
information systems, critical infrastructure information
systems, or networks of either of such systems.''.
(b) Clerical Amendment.--The table of contents in section
1(b) of such Act is amended by adding after the item relating
to section 230A (as added by section 301) the following new
item:
``Sec. 230B. Personnel authorities.''.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Texas (Mr. McCaul) and the gentlewoman from New York (Ms. Clarke) each
will control 20 minutes.
The Chair recognizes the gentleman from Texas.
General Leave
Mr. McCAUL. Mr. Speaker, I ask unanimous consent that all Members may
have 5 legislative days in which to revise and extend their remarks and
include any extraneous material on the bill under consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Texas?
There was no objection.
Mr. McCAUL. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise today in support of H.R. 3696, the National
Cybersecurity and Critical Infrastructure Protection Act of 2014. I
have worked on this for a long time and introduced this bill with my
good friend and colleague, the chairman of the Cybersecurity
Subcommittee, the gentleman from Pennsylvania, Congressman Pat Meehan.
I would also like to thank Ranking Member Thompson, as well as Ranking
Member Clarke of the Cybersecurity Subcommittee, for all their hard
work in forging this bipartisan bill. These efforts once again prove
that we can work together, despite our differences, to craft
legislation that improves our national security and helps protect
American critical infrastructure from devastating cyber attacks.
Just last week, the Homeland Security Committee heard testimony that
we are at a pre-9/11 mindset when it comes to cybersecurity and that
the government needs to do a better job at warning the public about the
dangers of attacks on networks we rely upon. That was from the 9/11
Commission itself.
[[Page H6916]]
Cyber vulnerabilities in our Nation's critical infrastructure are an
Achilles heel in our homeland security defenses. Let me be very clear.
The cyber threat is real and it is happening right now. The Internet
has become the next battlefield for warfare, but unlike land, sea, and
air, cyber attacks occur at the speed of light, they are global, and
they are more difficult to attribute.
Criminals, hacktivists, terrorists, and nation-state actors such as
Russia, China, and Iran are increasingly using malicious malware to
hack into U.S. companies for espionage purposes or financial gain, our
defense systems to steal our sensitive military information, and our
critical infrastructure to gain access to our gas lines, power grids,
and water systems.
Iranian hackers, for example, continue to attack the American
financial services sector to shut down Web sites and restrict America's
access to their bank accounts. Additionally, Iran continues to build
more sophisticated cyber weapons to target U.S. energy companies and
has demonstrated these capabilities when they attacked Saudi Arabia's
national oil company, Aramco, and erased critical files on 30,000
computers. We cannot allow rogue nations like Iran to be able to shut
things down and have capabilities that match our defenses. That would
be a game-changer for our national security.
The Chinese, in particular, are hacking into major U.S. companies to
give their industries competitive economic advantages in our global
economy. I applaud the recent efforts taken by the Justice Department
for indicting five members of the Chinese government for conducting
cyber espionage attacks against U.S. industry, but more needs to be
done. Those indictments send a clear message to our adversaries that
cyber espionage and theft of American intellectual property, trade
secrets, military blueprints, and jobs will not be tolerated.
A recent McAfee and Center for Strategic and International Studies
report on the economic impact of cyber crime found an annual effect of
roughly $455 billion globally, with 200,000 jobs lost in the United
States alone as a result. In fact, former Director of the NSA, General
Keith Alexander, described cyber espionage and the loss of American
intellectual property and innovation as ``the greatest transfer of
wealth in history.''
A recent poll conducted by Defense News revealed that our
Nation's top security analysts see cyber attacks as the greatest threat
to our Nation. In fact, Director of National Intelligence, James
Clapper, testified earlier this year that: ``Critical infrastructure,
particularly the systems used in water management, oil, and gas
pipelines, electrical power distribution, and mass transit, provides an
enticing target to malicious actors.''
{time} 1645
A cyber attack on U.S. critical infrastructure--such as gas
pipelines, financial services, transportation, and communication
networks--could result in catastrophic regional or national effects on
public health or safety, economic security, and national security.
High-profile retail breaches like the ones at Target and Neiman
Marcus that compromised the personal information of over 110 million
American consumers resonate with Americans, but as bad as those
breaches were, a successful cyber attack on our critical infrastructure
could cause much more damage in terms of lives lost and monetary
damage. We cannot and will not wait for a catastrophic 9/11-scaled
cyber attack to occur before moving greatly needed cybersecurity
legislation.
The National Cybersecurity and Critical Infrastructure Protection Act
ensures that DHS and not the military is responsible for domestic
critical infrastructure protection.
Specifically, H.R. 3696 ensures that there is a ``civilian
interface'' to the private sector to share real-time cyber threat
information across the critical infrastructure sectors, particularly in
light of the Snowden revelations.
Importantly, the bill protects civil liberties by putting a civilian
agency with the Nation's most robust privacy and civil liberties office
in charge of preventing personal information from being shared. While
also prohibiting any new regulatory authority, this bill builds upon
the groundwork already laid by industry and DHS to facilitate critical
infrastructure protection and incident response efforts.
This bipartisan bill, which is rare in this day and age, Mr. Speaker,
is a product of 19 months of extensive outreach and great collaboration
with all stakeholders, including more than 300 meetings with experts,
industry, government agencies, academics, privacy advocates, and other
committees of jurisdiction.
We went through several drafts and countless hours of negotiations to
bring this commonsense legislation to the floor with support from all
of the critical infrastructure sectors.
I will enter in the Record some of the letters of support,
representing over 33 trade associations from across industry sectors,
U.S. businesses, national security experts, and privacy and civil
liberty advocates.
Specifically, we have received support letters from the American
Civil Liberties Union, the American Chemistry Council, AT&T, Boeing,
Con Edison, the Depository Trust and Clearing Corporation, GridWise
Alliance, and multiple trade associations in the energy sector and the
financial services sector, Information Technology Industry Council, the
Internet Security Alliance, Rapid7, National Defense Industrial
Association, Professional Services Council, Oracle, Entergy, Pepco,
Verizon, and Symantec.
I believe that is a very impressive showing on behalf of the privacy
advocates and also the private sector.
American Civil Liberties Union,
January 14, 2014.
Re H.R. 3696, the ``National Cybersecurity and Critical
Infrastructure Protection Act of 2013'' (NCCIP Act)
Hon. Michael McCaul, Chairman,
Hon. Bennie Thompson, Ranking Member,
Hon. Patrick Meehan, Subcommittee Chairman,
Hon. Yvette Clarke, Subcommittee Ranking Member,
House Homeland Security Committee,
Washington, DC.
Dear Chairmen and Ranking Members: On behalf of the
American Civil Liberties Union (ACLU), its over half a
million members, countless additional supporters and
activists, and 53 affiliates nationwide, we write in regard
to H.R. 3696, the National Cybersecurity and Critical
Infrastructure Protection Act of 2013 (NCCIP Act). We have
reviewed this legislation and have found that information
sharing provisions in this bill do not undermine current
privacy laws.
As we testified before the Committee last year, it is
crucial that civilian agencies like the Department of
Homeland Security lead domestic cybersecurity efforts and the
NCCIP Act makes strides towards that end. The bill directs
DHS to coordinate cybersecurity efforts among non-
intelligence government agencies and critical infrastructure
entities. The NCCIP Act smartly does that by focusing on
coordination and information sharing within current law and
leveraging existing structures that have proven successful in
the past. Unlike H.R. 624, the Cyber Intelligence Sharing and
Protection Act (CISPA), your bill does not create broad
exceptions to the privacy laws for cybersecurity. Instead, it
strengthens private-public partnerships by supporting
existing Information Sharing and Analysis Centers and Sector
Coordinating Councils and reinforces voluntary sharing under
current statutes that already provide for many cybersecurity
scenarios.
We commend the Committee for advancing cyber legislation
that is both pro-security and pro-privacy and we look forward
to working with you further on this matter. Please contact
Michelle Richardson, Legislative Counsel, at 202-715-0825 or
[email protected] for more information.
Sincerely,
Laura W. Murphy,
Director,
Michelle Richardson,
Legislative Counsel.
____
American Gas Association, Edison Electric Institute,
American Public Power Association, National Rural
Electric Cooperative Association,
January 8, 2014.
Hon. Michael McCaul,
Chairman, House Committee on Homeland Security, Washington,
DC.
Hon. Bennie G. Thompson,
Ranking Member, House Committee on Homeland Security,
Washington, DC.
Dear Chairman McCaul and Ranking Member Thompson: We write
to thank you and your colleagues for your outreach in
drafting H.R. 3696, the ``National Cybersecurity and Critical
Infrastructure Protection Act of 2013'' (the ``NCCIP Act'').
Like you, we are very focused on protecting the nation's
critical energy infrastructure from the impacts of a cyber
event. While thankfully the nation has yet to experience a
cyber attack that has damaged infrastructure, we appreciate
that the House
[[Page H6917]]
Committee on Homeland Security has taken the time and effort
to craft legislation that attempts to help address the
preparedness for and response to such events should they
occur in the future.
The undersigned associations represent the vast majority of
electric and gas utilities. We are proud of the efforts our
members have undertaken, collectively and individually, to
improve the reliability and resiliency of their systems. In
the gas sector, this encompasses a variety of public, private,
and jointly developed public-private sector cybersecurity
standards designed to protect pipeline infrastructure and
ensure safe and reliable gas delivery. In the electric
sector, this includes mandatory and enforceable cybersecurity
standards already in place. Developed by the North American
Electric Reliability Corporation for review and approval by
the Federal Energy Regulatory Commission and applicable
Canadian governmental authorities, these standards ensure
that owners, users, and operators of the North American bulk
electric system meet a baseline level of security.
Even considering those measures, the issue of liability
after a cyber event creates serious concerns for us and our
members. In particular, we are deeply concerned that no
matter what steps are taken, our members could face costly
and unnecessary litigation in state or federal courts after a
cyber event that would serve no purpose.
Therefore, we applaud Section II of the NCCIP Act,
specifically the section seeking to clarify the scope of the
Support Anti-Terrorism By Fostering Effective Technologies
Act of 2002 (the ``SAFETY Act''). The language of the SAFETY
Act statute as well as its Final Rule have always made clear
that the protections offered by the law apply to cyber
events, and indeed that the SAFETY Act applies regardless of
whether a ``terrorist'' group conducted such an attack.
However, in practice there has been some hesitancy on the
part of industry to utilize the SAFETY Act to protect against
federal claims arising out of cyber attacks due to the
requirement that the attack be deemed an ``act of terrorism''
by the Secretary of Homeland Security before liability
protections become available.
The decision to include in H.R. 3696 a provision that
explicitly allows the Secretary of Homeland Security to
declare that a ``qualifying cyber incident'' triggers the
liability protections of the SAFETY Act is an excellent one.
Removing the need to link a cyber attack to an ``act of
terrorism'' is a good step. While state liability actions
remain a concern, the industry and vendors of cyber security
technologies and services will be much more likely to use the
SAFETY Act program, thereby fulfilling the law's original
intent of promoting the widespread deployment of products and
services that can deter, defend against, respond to,
mitigate, defeat, or otherwise mitigate a variety of
malicious events, including those related to cyber security.
We share your goal of protecting the nation's critical
infrastructure from cyber threats and appreciate your efforts
to address this important national security issue. We look
forward to continuing to work together to ensure H.R. 3696
remains focused on these principles as it moves through the
legislative process.
Respectfully,
American Gas Association,
American Public Power Association,
Edison Electric Institute,
National Rural Electric Cooperative Association.
____
AT&T Services, Inc.,
Washington, DC, January 8, 2014.
Hon. Michael T. McCaul,
Chairman, Committee on Homeland Security, Washington, DC.
Dear Chairman McCaul: We applaud you and your staff for
working so hard to update and streamline the Homeland
Security Act of 2002 to address today's cyber security
challenges. In your efforts to update the important role of
the Department of Homeland Security within the national
policy framework for critical infrastructure protection, you
and your staff have actively listened to multiple stakeholder
concerns to ensure that the best aspects of existing private
public partnerships, which are the hallmark of our nation's
efforts to address cyber threats, remain as such.
Your bill joins other important items introduced by your
colleagues in the 113th Congress. We look forward to
continuing to work with you and your colleagues to forge a
bipartisan legislative framework for the practice of
cybersecurity in the coming decade that encourages continued
private sector investment in innovation and cyber education
and provides legal clarity in the day-to-day operational
world of identifying and addressing cyber threats in a
globally interconnected network of networks.
Sincerely,
Timothy P. McKone.
____
January 13, 2014.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security, U.S. House of
Representatives, Washington, DC.
Hon. Bennie Thompson,
Ranking Member, Committee on Homeland Security, U.S. House of
Representatives, Washington, DC.
Dear Chairman McCaul and Ranking Member Thompson: The
undersigned organizations, representing the financial
services industry, appreciate your efforts to introduce H.R.
3696, the National Cybersecurity and Critical Infrastructure
Protection Act. We welcome your leadership in this crucial
fight against cyber threats and your work in forging this
commonsense, bipartisan legislation.
While Congress considers much needed legislative action,
our associations and the financial services industry have
taken major steps to address the cybersecurity threats facing
the Nation's critical infrastructure. The financial services
sector continues to invest in our infrastructure, has
improved coordination among institutions of all sizes, and is
continually enhancing our partnerships with government.
H.R. 3696 recognizes the necessary partnership between the
private and public sectors that is required to better protect
our Nation's cybersecurity infrastructure. Among other
provisions, this bill would strengthen existing mechanisms
such as the Financial Services Sector Coordinating Council
(FSSCC) and the Financial Services Information Sharing and
Analysis Center (FS-ISAC) that help our sector identify
threats, respond to cyber incidents and coordinate with
government partners. These organizations work closely with
partners throughout the government, including our sector
specific agency, the Department of Treasury, as well as the
Department of Homeland Security. Each agency has a civilian
mission and plays a unique role in sector cybersecurity
efforts and both work to strengthen the sector's
understanding of the threat environment.
Additionally H.R. 3696 seeks to improve the provisioning of
security clearances for those involved in cybersecurity
information sharing. Your recognition that this is a system
that demands improvement is strongly supported by our
industry and we further encourage the expansion of this to
specifically include individuals within critical
infrastructure responsible for key aspects of network defense
or mitigation. It is essential that all sizes of institutions
within critical infrastructure receive access to classified
threat information in a timely manner.
Finally, H.R. 3696 expands the existing Support Anti-
Terrorism by Fostering Effective Technologies Act (SAFETY
Act) to provide important legal liability protections for
providers and users of certified cybersecurity technology in
the event of a qualified Cybersecurity incident. We urge
Congress to work with the Department of Homeland Security to
ensure that, should this provision be adopted, the expanded
SAFETY Act is implemented in a manner that does not duplicate
or conflict with existing regulatory requirements, mandatory
standards, or the evolving voluntary National Institute for
Standards and Technology (NIST) Cybersecurity Framework. An
expansion of the program must be coupled with additional
funding to enable DHS to handle the increased scope of
program and subsequent increase in applicants. Further, it is
incumbent that an expansion enables DHS to streamline its
SAFETY Act review and approval process so as not to
discourage participation in the program.
Our sector has actively engaged in the implementation of
Executive Order 13636 and the development by the National
Institute of Standards and Technology of a Cybersecurity
Framework. We believe the process outlined in H.R. 3696
should reflect the Framework developed through this cross-
sector collaborative process.
Each of our organizations and respective member firms have
made cybersecurity a top priority. We are committed to
working with you as you lead in this crucial fight for
cybersecurity of critical infrastructure.
American Bankers Association, The Clearing House,
Consumer Bankers Association, Credit Union National
Association (CUNA), Electronic Funds Transfer
Association, Financial Services--Information Sharing
and Analysis Center (FS-ISAC), Financial Services
Roundtable, Independent Community Bankers Association
(ICBA), Investment Company Institute, NACHA--The
Electronic Payments Association, National Association
of Federal Credit Unions (NAFCU), Securities Industry
and Financial Markets Association (SIFMA).
Mr. McCAUL. I want to give a great deal of thanks not only to the
Members involved, but to the staff on this committee on both sides of
the aisle who have worked countless hours to bring this bill to its
fruition on the floor of the House.
I also would like to bring special attention to the endorsement from
the ACLU. They refer to H.R. 3696 as ``both pro-security and pro-
privacy.'' When have we heard these two coming together?
Striking a balance between security and privacy, I believe, is one of
the most difficult challenges in developing cybersecurity legislation,
and I am so very proud that this committee and this bill achieves that
goal.
I want to close with the threat that I see out there from cyber.
People ask me: What keeps you up at night? We can talk about al Qaeda,
Mr. Putin, or
[[Page H6918]]
ISIS in Iraq and Syria, we can talk about our border and the threats
south of the border, but when I see our offensive capability and what
we can do offensively, knowing at night that we don't have the
defensive capability to stop attacks not only to steal things, not only
criminal IP theft, not just espionage, but the power to shut things
down and to bring this country to its knees with a cyber 9/11, Mr.
Speaker, is really what keeps me up at night.
My father was a World War II bombardier on a B-17. He flew over 32
missions in Europe in support of the D-day invasion and the Battle of
the Bulge. In his days, bombs won that war.
We have a new kind of warfare out there. It is a digital warfare, and
the game has changed. It is done anonymously. There are no boundaries
to this cyber threat any more. It can come from anywhere, at any time,
without being able to attribute it back to the source from where the
attack came from.
This bill will for the first time codify DHS' ability--and the NCCIC,
which is their cyber command, to better defend and support critical
infrastructure in the United States that we so heavily depend on, and
it will ultimately protect not only our economy and our infrastructure,
but ultimately protect the American people.
With that, Mr. Speaker, I ask my colleagues to support this important
legislation to protect America, and I reserve the balance of my time.
Ms. CLARKE of New York. Mr. Speaker, I yield myself such time as I
may consume.
Mr. Speaker, I rise in strong support of H.R. 3696, the National
Cybersecurity and Critical Infrastructure Protection Act of 2014, and I
am pleased to be here today as an original cosponsor of this
legislation.
This bipartisan legislation gives the Department of Homeland Security
the legislative authority it needs to carry out its cyber mission and
to help protect our Nation's critical infrastructure from cyber attacks
and intrusions.
The approach taken in this bill is very much in line with DHS'
approach since 2007, when President Bush designated the Department as
the lead Federal civilian agency for cybersecurity.
This is a dual mission. DHS is responsible for working with Federal
civilian agencies to protect Federal IT networks and the dot-gov
domain. At the same time, DHS is responsible for effectively partnering
with the private sector to raise its level of cyber hygiene and foster
greater cybersecurity.
I am pleased that H.R. 3696 authorizes the 24/7 operations of the
National Cybersecurity and Communications Integration Center, also
referred to as NCCIC. The NCCIC has been the epicenter for information
sharing about the activities of cyberterrorists and criminals and the
reporting of cyber incidents by critical infrastructure owners and
operators.
Additionally, the bill codifies ongoing efforts to raise the level of
cybersecurity within critical infrastructure sectors. Specifically, it
authorizes the development and implementation, in coordination with the
private sector, of voluntary risk-based security standards.
This provision essentially codifies the process that the National
Institute of Standards and Technology, also known as NIST, undertook
pursuant to an executive order that President Obama issued in February
of 2013.
Under the approach taken in this bill, we are asking business and
government to come together to find an adaptable and cooperative
cybersecurity framework, not an off-the-shelf or check-the-box
solution, to raise the level of cybersecurity across the Nation.
I am pleased that the measured and targeted approach taken to working
with the private sector was supported by the American Civil Liberties
Union, which called our bill ``pro-security and pro-privacy.''
The President said it best:
It is the policy of the United States to enhance the
security and resilience of the Nation's critical
infrastructure and to maintain a cyber environment that
encourages efficiency, innovation, and economic prosperity
while promoting safety, security, business confidentiality,
privacy, and civil liberties.
While I am also pleased about all we do with respect to the
Department's mission to work with the private sector on cybersecurity,
I am a bit disappointed that key language that clarifies DHS' roles
with respect to other Federal agencies and protection of the dot-gov
domain is not in the bill before you today.
Unfortunately, the striking of these provisions appears to have been
the price the Committee on Homeland Security had to pay to get this
important legislation to the floor.
It seems that the provisions that would have given DHS specific
authority to respond in a more timely manner to Federal network
breaches were opposed by another committee chairman. Unfortunately,
that chairman has willfully chosen to ignore reality.
The reality is that since 2008, DHS has assumed responsibility for
working with agencies to protect the dot-gov domain, not the Office of
Management and Budget.
It is my hope that, as this legislation moves through the legislative
process, there will be progress on efforts to ensure that the law
reflects this reality.
With that, Mr. Speaker, I urge passage of H.R. 3696, and I reserve
the balance of my time.
Mr. McCAUL. Mr. Speaker, I yield such time as he may consume to the
gentleman from Pennsylvania (Mr. Meehan), chairman of the Committee on
Homeland Security's Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, who has spent, I must say,
countless hours advancing this bill, meeting with the private sector
and privacy groups to get to this point where we are today.
I want to commend you, sir, for a job well done.
Mr. MEEHAN. I want to thank the gentleman from Texas and my
colleagues from both sides of the aisle.
Mr. Speaker, I rise in strong support of H.R. 3696, the National
Cybersecurity and Critical Infrastructure Protection Act of 2014.
Before I really talk about the substance, I want to associate myself
for a moment with the comments and very effective commentary of the
gentleman from Texas (Mr. McCaul), but his closing, I think, really
summed it up. It is not just what we are doing; but why does this
matter? Why does this matter now?
We have generated tremendous economic prosperity by virtue of the
creation of a global Internet, but the fact of the matter is that while
this has closed our world and enabled instantaneous communications and
other kinds of benefits, it has also created a situation, for the first
time in the history of our Nation, in which we aren't protected by two
oceans and, effectively, two friendly countries on our borders. Now, we
are able to be accessed from anywhere in the world at a moment's
notice.
It was instructive to me that I often used to say, when we were
handling a case, that you let the evidence be put in through the words
of the witnesses. If you pay attention to the words of the witness,
that is more powerful than what you can say.
It is instructive to me that the first thing former CIA Director and
former Secretary of Defense Leon Panetta did when he stepped down as
Secretary of Defense was to travel to New York and warn not just New
York, but this Nation about the potential impact of what he termed a
``cyber Pearl Harbor.''
As a result, this is a critically important and timely issue that we
are working on. As importantly, it has been addressed in an effective
bipartisan fashion.
In the wake of more aggressive and escalating cyber attacks on our
Nation's critical infrastructure, including our financial systems,
NASDAQ, and the recent Neiman Marcus and Target breaches of Americans'
personal information, we bring H.R. 3696 to the House floor.
{time} 1700
Cyber attacks and cyber hacks are now front and center in our
homeland, and the media is reporting more now than ever on what cyber
targets already know--that the threat is constant and evolving.
Americans expect Congress to act.
We who serve in Congress and government know all too well that the
cyber threat is real and imminent and can do catastrophic damage and
destruction to the critical infrastructure of our Nation--our bridges,
tunnels, oil
[[Page H6919]]
and gas pipelines, water systems, financial systems and their markets,
air traffic control systems, and more. Today, the U.S. House of
Representatives takes a significant step forward in protecting and
securing cyberspace through the cyber infrastructure act that we have
put on the floor today.
I am very proud of this bill and of all of the good work and due
diligence that went into it. Chairman McCaul and I and our staffs held
over 300 stakeholder meetings to ensure we got this legislation right.
I want to thank as well my good friends on the other side of the
aisle--Ranking Member Bennie Thompson and subcommittee Ranking Member
Yvette Clarke--for their leadership and their work collectively on
this.
This is bipartisan legislation but not just amongst those of us
working together here within the House. As the chairman identified, it
has also been supported by private sector stakeholders, by the ACLU. In
fact, the ACLU has called it--and the chairman as well--pro-security
and pro-privacy. That is because, very notably, this bill puts the
Department of Homeland Security, a civilian agency with the Nation's
first-created and most robust privacy office, in charge of preventing
personal information from getting inadvertently caught in the net,
which is a big, important part of the work that has been done here.
This bill builds upon the Department of Homeland Security's unique
public-private partnership in securing the Nation's critical
infrastructure, and it codifies the Department's critical cybersecurity
mission. Public-private is important, as 90 percent of the assets in
the cyber world are in the private sector. The Department of Homeland
Security works with the other Federal Government partners in a
collaborative effort to secure our Nation against cyber attacks, and
this bill cements DHS' critical role.
Specifically, this bill requires the Department to collaborate with
industry to facilitate both the protection of our infrastructure and
our response to a cyber attack. The bill, very importantly, strengthens
DHS' civilian, transparent interface to allow real-time cyber threat
sharing across the critical infrastructure sectors. This legislation
also strengthens the integrity of our Nation's information systems, and
it makes it more difficult for online hackers to compromise consumer
and personal information, like we saw in Target, and it prevents
hackers from stealing Americans' business and intellectual property--
another point well driven home by the chairman in talking about jobs
and of the hundreds of billions of dollars in research and development
that are stolen from America by virtue of these cyber attacks.
The ability of these attacks to take place at the level of
sophistication necessary to penetrate some of the world's most mature
networks should come as no surprise. Foreign adversaries, including
China, Iran, and Russian criminal enterprises, have spent years and
have invested billions of dollars into crafting and securing the tools
and intelligence necessary to target American citizens. Whether it is
the theft of wealth or intelligence or that of launching a malicious
attack on our Nation's energy, transportation, or chemical networks,
American lives and livelihoods remain at risk without sufficient
security.
Last year, President Obama issued an executive order on cybersecurity
because Congress failed to act on this issue, but the threshold of
securing our Nation in the 21st century cannot rely on executive orders
and Presidential directives. As Members of Congress, we have the
responsibility to act in a way that best protects the American
citizens. Our enemies live and breathe to catch us asleep at the
switch, and I am unwilling, as my colleagues are, to stand by,
speechless, when they are asked, What did you do to prevent a cyber
attack? Now is the time to show them what we have and what we can do.
This bill doesn't address every issue in cybersecurity, and it is not
a comprehensive cybersecurity fix, but it is a giant and critical step
forward. Together, we can unite our Nation against those who wish to do
us harm, and I have no doubt that we can get it done. In fact, we have
no other choice. I urge the support of H.R. 3696.
Mr. McCAUL. Mr. Speaker, I have no further requests for time. I
believe the gentlewoman from New York has a few additional speakers, so
I am prepared to close once the gentlewoman does.
I continue to reserve the balance of my time.
Ms. CLARKE of New York. Mr. Speaker, I yield 2 minutes to the
distinguished gentleman from New Jersey (Mr. Payne).
Mr. PAYNE. Mr. Speaker, I rise in support of H.R. 3696, the National
Cybersecurity and Critical Infrastructure Protection Act.
In October of 2012, Hurricane Sandy wreaked havoc up and down the
east coast, including in my home State of New Jersey. According to the
Department of Energy, between 2003 and 2012, close to 700 power outages
occurred due to weather-related events, costing the Nation an annual
average of $18 billion to $33 billion. Even worse, in 2012, Hurricane
Sandy carried an estimated price tag of between $40 billion and $52
billion, and as we have seen recently, our power systems are exposed to
cyber attacks more than ever before.
Disasters, whether manmade or by Mother Nature, are a drain on our
Nation's economy and expose us to other potentially more harmful
attacks on our financial industry, water and waste systems, chemical,
telecommunications, and energy sectors. Put simply, it is clear that
our electric grid needs an upgrade. That is why I am pleased that,
during the committee process, the committee unanimously supported my
amendment, H.R. 2962, the SMART Grid Study Act.
The study will be conducted by the National Research Council in full
cooperation with the Department of Homeland Security and other
government agencies as necessary, and will provide a comprehensive
assessment of actions necessary to expand and strengthen the
capabilities of the electric grid to prepare for, respond to, mitigate,
and recover from a natural disaster or a cyber attack. Further, it was
supported by the National Electrical Manufacturers Association, the
Demand Response and Smart Grid Coalition, and the American Public Power
Association.
The SPEAKER pro tempore. The time of the gentleman has expired.
Ms. CLARKE of New York. I yield the gentleman an additional 1 minute.
Mr. PAYNE. Mr. Speaker, in closing, I want to thank Chairman McCaul
and Ranking Member Thompson, Chairman Meehan, and Ranking Member Clarke
for really showing us what a bipartisan effort is all about. At
Homeland Security, we all have a common goal, which is to keep the
homeland and the Nation safe. I urge my colleagues to support this
bill.
Ms. CLARKE of New York. Mr. Speaker, I yield 2 minutes to the
distinguished gentleman from Rhode Island (Mr. Langevin), the cochair
of the House Cybersecurity Caucus.
(Mr. LANGEVIN asked and was given permission to revise and extend his
remarks.)
Mr. LANGEVIN. I thank the gentlewoman for yielding.
Mr. Speaker, I rise in strong support of H.R. 3696, H.R. 2952, and
H.R. 3107.
I want to thank Ranking Member Thompson, Chairman Meehan, and Ranking
Member Clarke for their hard work in bringing these bills to the floor
today.
Most especially and in particular, I want to thank Chairman McCaul,
the chairman of the full Homeland Security Committee, who also serves
with me as a founder and a cochair of the Congressional Cybersecurity
Caucus. I want to thank him for his dedication to bringing these bills
to the floor today and for his commitment to enacting strong
cybersecurity legislation. In today's political climate, moving
significant reform in a consensus manner is exceptionally difficult,
and this success reflects Chairman McCaul's bipartisan approach.
Mr. Speaker, we all know that we depend on cyberspace and the
Internet every day. It is vitally important to the American people. It
is an inseparable part of our everyday lives. It is in everything that
we do--vital to everything from banking to national security--but it is
also highly contested. Unfortunately, the pace of the threats is ever-
increasing. We see them every day, whether it is the theft of personal
information or of credit card information that is used for criminal
intent or
[[Page H6920]]
whether it is the theft of intellectual property that costs America its
competitiveness and jobs. We also know of the threats to our critical
infrastructure in particular, both to our electric grid and to our
financial system--things that I have been calling attention to for
years now.
We must tap into our creative and innovative spirit to address
today's challenges and position ourselves to be agile in the face of
both today's threats as well as tomorrow's. I believe that the three
bills that are before us today, in conjunction with the information
sharing and other measures passed by this House earlier in this
Congress, will help to enable a better future for our Nation's
cyberspace capabilities.
I know, Mr. Speaker, that we will never be 100 percent secure in
cyberspace. It is an ever-evolving and moving threat, and we will never
be 100 percent secure. Yet I do know this: that we can close that
aperture of vulnerability down to something that is much more
manageable, and I urge my colleagues to support the bills that are
before us today.
I thank the gentleman from Texas for his leadership, and I strongly
urge the support of these three bills.
Ms. CLARKE of New York. Mr. Speaker, I have no more speakers. If the
gentleman from Texas has no more speakers, then, in closing, I urge the
passage of H.R. 3696. It is legislation that will enhance DHS' ability
to execute its cybersecurity mission. I am particularly pleased that it
includes language that I authored to help ensure that DHS has the cyber
workforce it needs to execute that mission.
I would like to thank Chairman McCaul and Ranking Member Thompson, as
well as the subcommittee chair, Mr. Meehan, for their leadership and
their vision, and for their understanding that this is something that
keeps us up at night, that this is something that this body must move
forward to address--that this is a 21st century threat for which we
cannot sit idly by and do nothing about. Their leadership on H.R. 3696
and on the suite of cyber legislation on the floor today speaks volumes
to moving us in the right direction.
With that, Mr. Speaker, I urge the passage of H.R. 3696, and I yield
back the balance of my time.
Mr. McCAUL. Mr. Speaker, in closing, let me echo the sentiments of
the gentlewoman from New York.
I want to thank you and Mr. Meehan for your work on this bill. You
are truly the workhorses--the engines--behind this bill, and I want to
thank you for helping us get to this point where we are today.
Congressman Langevin, we were talking about cybersecurity before it
was cool to talk about cybersecurity.
Forming the Cybersecurity Caucus, I think, raises awareness of
Members of Congress about how important this issue really is, because,
I think, when you talk about this issue, Mr. Speaker, people's eyes
tend to glaze over. They don't understand how important this is in
protecting the American people.
This is a national security bill. I don't believe partisan politics
has a place in that. I was at The Aspen Institute with Jane Harman, who
served on our committee and on the Intelligence Committee for many
years, who also believes that our adversaries don't care whether we are
Democrat or Republican. They care about the fact that we are Americans,
and they want to hit us. We have adversaries who want to hit us--China,
Russia, Iran, and countless others--in the cybersecurity space.
This is a pro-security and pro-privacy bill. I had a reporter ask me,
How could you possibly get the ACLU to agree on any security bill? It
protects Americans' privacy but also their security through the private
civilian interface to the private sector, and that is how we do it. It
is not through the military. The NSA has a foreign intelligence role,
and the DHS has a domestic critical infrastructure role. Of course,
Director Alexander called cybersecurity and what has happened in recent
years the largest transfer of wealth in history.
{time} 1715
So when the American people say: Why is this so important; the
largest transfer of wealth in American history? Why is this so
important? Because cyber can bring down things, can shut down things in
a 9/11 style.
We have a historical moment in this Congress to pass the first
cybersecurity bill through the House and Senate and be signed into law
in the history of the Congress. As this bill passes--I hope, in a few
minutes--and we send it over to the Senate, I hope our colleagues on
the Senate side will respond to this.
They have made great progress on the Senate side in getting work done
on cybersecurity. We have a unique opportunity and a great moment here
to pass this bill out of the House, get it married with the Senate bill
in a bipartisan way to protect the American people, and get it signed
into law by the President, something that we very rarely have seen in
this Congress. So I think it is a very historic moment.
To close, Mr. Speaker, when 9/11 happened, a lot of people did a lot
of finger pointing around here and pointed to Members of Congress and
to the executive branch and said: What did you do to stop this? What
did you do to stop this?
We had a 9/11 Commission that pointed out all the vulnerabilities and
the things that we didn't do as Members of Congress. I don't want that
to happen again today. I want to be able to say, Mr. Speaker, if, God
forbid, we get hit, and we get hit hard in a cyber attack against the
United States of America, that we as Members of Congress and members of
this committee did everything within our power to stop it.
Mr. Speaker, I am proud of the great work we have done together. I
look forward to the passage of this bill.
I yield back the balance of my time.
House of Representatives, Committee on Science, Space,
and Technology,
Washington, DC, February 24, 2014.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
Washington, DC.
Dear Chairman McCaul: I am writing to you concerning the
jurisdictional interest of the Committee on Science, Space,
and Technology in H.R. 3696, the ``National Cybersecurity and
Critical Infrastructure Protection Act of 2013.'' The bill
contains provisions that fall within the jurisdiction of the
Committee on Science, Space, and Technology.
I recognize and appreciate the desire to bring this
legislation before the House of Representatives in an
expeditious manner, and accordingly, I will waive further
consideration of this bill in Committee, notwithstanding any
provisions that fall within the jurisdiction of the Committee
on Science, Space, and Technology. This waiver, of course, is
conditional on our mutual understanding that agreeing to
waive consideration of this bill should not be construed as
waiving, reducing, or affecting the jurisdiction of the
Committee on Science, Space, and Technology.
This waiver is also given with the understanding that the
Committee on Science, Space, and Technology expressly
reserves its authority to seek conferees on any provision
within its jurisdiction during any House-Senate conference
that may be convened on this, or any similar legislation. I
ask for your commitment to support any request by the
Committee for conferees on H.R. 3696 as well as any similar
or related legislation.
I ask that a copy of this letter and your response be
included in the report on H.R. 3696 and also be placed in the
Congressional Record during consideration of this bill on the
House floor.
Sincerely,
Lamar Smith,
Chairman, Committee on Science, Space, and Technology.
____
House of Representatives,
Committee on Homeland Security,
Washington, DC, February 24, 2014.
Hon. Lamar Smith,
Chairman, Committee on Science, Space, and Technology,
Washington, DC.
Dear Chairman Smith: Thank you for your letter regarding
H.R. 3696, the ``National Cybersecurity and Critical
Infrastructure Protection Act of 2014.'' I acknowledge your
Committee's jurisdictional interest in this legislation and
agree that by forgoing a sequential referral on this
legislation, your Committee is not diminishing or altering
its jurisdiction.
I also concur with you that forgoing action on H.R. 3696
does not in any way prejudice the Committee on Science,
Space, and Technology with respect to its jurisdictional
prerogatives on this bill or similar legislation in the
future. I would support your effort to seek appointment of an
appropriate number of conferees to any House-Senate
conference involving H.R. 3696 or similar legislation.
Finally, I will include your letter and this response in
the report accompanying H.R. 3696 as well as the
Congressional Record during consideration of this bill on the
House floor. I appreciate your cooperation regarding this
legislation, and I look forward to working with the Committee
on Science, Space, and Technology as H.R. 3696 moves through
the legislative process.
Sincerely,
Michael T. McCaul,
Chairman.
[[Page H6921]]
____
House of Representatives, Committee on Oversight and
Government Reform,
Washington, DC, July 23, 2014.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
Washington, DC.
Dear Mr. Chairman: I am writing concerning H.R. 3696, the
``National Cybersecurity and Critical Infrastructure
Protection Act of 2013,'' which your Committee reported on
February 5, 2014.
H.R. 3696 contains provisions within the Committee on
Oversight and Government Reform's Rule X jurisdiction. As a
result of your having consulted with the Committee, and in
order to expedite this bill for floor consideration, the
Committee on Oversight and Government Reform will forego
action on the bill, contingent on the removal of subsection
(h) ``Protection of Federal Civilian Information Systems,''
(beginning at line 17 of page 23 of the reported version).
This is being done on the basis of our mutual understanding
that doing so will in no way diminish or alter the
jurisdiction of the Committee on Oversight and Government
Reform with respect to the appointment of conferees, or to
any future jurisdictional claim over the subject matters
contained in the bill or similar legislation.
I would appreciate your response to this letter confirming
this understanding, and would request that you include a copy
of this letter and your response in the Committee Report and
in the Congressional Record during the floor consideration of
this bill. Thank you in advance for your cooperation.
Sincerely,
Darrell Issa,
Chairman.
____
House of Representatives,
Committee on Homeland Security,
Washington, DC, July 23, 2014.
Hon. Darrell E. Issa,
Chairman, Committee on Oversight and Government Reform,
Washington, DC.
Dear Chairman Issa: Thank you for your letter regarding the
Committee on Oversight and Government Reform's
jurisdictional interest in H.R. 3696, the ``National
Cybersecurity and Critical Infrastructure Protection Act of
2013.'' I acknowledge that by foregoing further action on
this legislation, your Committee is not diminishing or
altering its jurisdiction.
I also concur with you that forgoing action on this bill
does not in any way prejudice the Committee on Oversight and
Government Reform with respect to its jurisdictional
prerogatives on this bill or similar legislation in the
future. Moving forward, subsection (h), referred to in your
letter, will be removed from H.R. 3696 prior to consideration
on the House floor. As you have requested, I would support
your effort to seek an appointment of an appropriate number
of conferees to any House-Senate conference involving this or
similar legislation.
Finally, I will include your letter and this response in
the report accompanying H.R. 3696 and in the Congressional
Record during consideration of this bill on the House floor.
I appreciate your cooperation regarding this legislation, and
I look forward to working with the Committee on Oversight and
Government Reform as H.R. 3696 moves through the legislative
process.
Sincerely,
Michael T. McCaul,
Chairman.
____
House of Representatives,
Committee on Energy and Commerce,
Washington, DC, July 22, 2014.
Hon. Michael T. McCaul,
Chairman, Committee on Homeland Security,
Washington, DC.
Dear Chairman McCaul: I write concerning H.R. 3696, the
``National Cybersecurity and Critical Infrastructure
Protection Act of 2014.'' As you are aware, the bill was
referred primarily to the Committee on Homeland Security, but
the Committee on Energy and Commerce has a jurisdictional
interest in the bill and has requested a sequential referral.
However, given your desire to bring this legislation before
the House in an expeditious manner, I will not insist on a
sequential referral of H.R. 3696. I do so with the
understanding that, by foregoing such a referral, the
Committee on Energy and Commerce does not waive any
jurisdictional claim on this or similar matters, and the
Committee reserves the right to seek the appointment of
conferees.
I would appreciate your response to this letter confirming
this understanding, and ask that a copy of our exchange of
letters on this matter be included in the Congressional
Record during consideration of H.R. 3696 on the House floor.
Sincerely,
Fred Upton,
Chairman.
____
House of Representatives,
Committee on Homeland Security,
Washington, DC, July 23, 2014.
Hon. Fred Upton,
Chairman, Committee on Energy and Commerce,
Washington, DC.
Dear Chairman Upton: Thank you for your letter regarding
the Committee on Energy and Commerce's jurisdictional
interest in H.R. 3696, the ``National Cybersecurity and
Critical Infrastructure Protection Act of 2014.'' I
acknowledge that by foregoing a sequential referral on this
legislation, your Committee is not diminishing or altering
its jurisdiction.
I also concur with you that forgoing action on this bill
does not in any way prejudice the Committee on Energy and
Commerce with respect to its jurisdictional prerogatives on
this bill or similar legislation in the future, and I would
support your effort to seek an appointment of an appropriate
number of conferees to any House-Senate conference involving
this or similar legislation.
Finally, I will include your letter and this response in
the Congressional Record during consideration of this bill on
the House floor. I appreciate your cooperation regarding this
legislation, and I look forward to working with the Committee
on Energy and Commerce as H.R. 3696 moves through the
legislative process.
Sincerely,
Michael T. McCaul,
Chairman.
Ms. JACKSON LEE. Mr. Speaker, I rise in support of H.R. 3696, the
National Cybersecurity and Critical Infrastructure Protection Act of
2014.
I would like to thank Chairman McCaul and Ranking Member Thompson for
their leadership on the protection of our nation's critical
infrastructure.
Several Jackson Lee amendments were included in H.R. 3696, the
``National Cybersecurity and Critical Infrastructure Protection Act of
2014.''
I submit to the committee for its consideration the following five
amendments that would:
Identify the best methods for developing exercises to challenge the
security measures taken to protect critical infrastructure from cyber
attacks or incidents;
Assure efforts to conduct outreach to education institutions to
promote cybersecurity awareness;
Provide better coordination for cyber incident emergency response and
recovery;
Explore the benefits of establishing a visiting scholars program; and
Prioritize response efforts to aid in recovery of critical
infrastructure from cyber incidents.
The Jackson Lee amendments improved H.R. 3696:
The first Jackson Lee amendment supports discussions among
stakeholders on the best methods of developing innovative cybersecurity
exercises for coordinating between the Department and each of the
critical infrastructure sectors designated under section 227.
The second Jackson Lee amendment directs the Secretary to conduct
outreach to universities, which shall include historically black
colleges and universities, Hispanic serving institutions, Native
American colleges and institutions serving persons with disabilities to
promote cybersecurity awareness.
The third Jackson Lee amendment directs the Secretary of Homeland
Security to make available Department contact information to serve as a
resource for Sector Coordinating Councils and critical infrastructure
owners and critical infrastructure operators to better coordinate
cybersecurity efforts with the agency related to emergency response and
recovery efforts for cyber incidents.
The fourth Jackson Lee amendment directs the Department of Homeland
Security to determine the feasibility and potential benefit of
developing a visiting security researchers program from academia,
including cybersecurity scholars at the Department of Homeland
Security's Centers of Excellence.
The fifth Jackson Lee amendment directs the Secretary of Homeland
Security to collaborate with Sector Coordinating Councils, Information
Sharing and Analysis Centers, Sector Specific Agencies, and relevant
critical infrastructure sectors on the development of prioritized
response efforts, if necessary, to support the defense and recovery of
critical infrastructure from cyber incidents.
Global dependence on the Internet and particularly the interconnected
nature of the cyber-space makes cyber security a very difficult public
policy challenge, but H.R. 3696 is making a significant step forward in
addressing cyber security threats.
Cyber thieves work around the clock to probe and breach computer
systems resulting in the largest unlawful transfer of wealth in
history.
H.R. 3696's emphasis on public/private partnerships and information
sharing is a critically important first step in combating illegal,
damaging and expensive data breaches. This legislation already
addresses many useful and essential cybersecurity tools and initiatives
such as: enhanced education, increased research, information sharing,
data breach security and technical assistance strategies.
H.R. 3639 will allow the Department of Homeland Security to partner
with and support the efforts of critical infrastructure owners and
operators to secure their facilities and guide the agency in its work
to create resources to support the global mission of infrastructure
protection, which is vital to the nation.
[[Page H6922]]
I encourage my colleagues to vote in favor of H.R. 3696.
Mr. THOMPSON of Mississippi. Mr. Speaker, I am pleased to be here
today as an original cosponsor of this legislation, the National Cyber
Security and Critical Infrastructure Protection Act.
This bipartisan legislation gives the Department of Homeland Security
Congressional Authority to more fully carry out its civilian cyber
mission, and to increase protection for our national critical
infrastructure.
Importantly, this legislation also gives the Committee on Homeland
Security a robust oversight position to make sure the Department
carries out an innovative and cooperative relationship with industry,
to protect the nation's privately owned critical infrastructure.
By giving DHS specific civilian authorities, it codifies what the
President has already set into motion with his Cyber Executive Order
13636, issued in February of 2013, but Executive Authority goes only so
far, and the President has said that his efforts cannot take the place
of Congressional action.
Mr. Speaker, we have stepped up to the plate. The legislation that
Mr. McCaul and I worked on together, directs Federal agencies and
private industry to coordinate the development and implementation of
voluntary risk-based security standards, and codifies the ongoing
process that the National Institute of Standards and Technology (NIST)
and private industry have taken on.
We are asking that business and government find an adaptable and
cooperative cyber security framework, for both government and private
companies, not an off-the-shelf, or check-the-box solution.
We must depend on strong private sector leadership and accountability
to focus on our nation's most pressing cyber vulnerabilities,
protecting critical systems that when disrupted could cause
catastrophic damage to our citizens. I believe this legislation will
allow that process to move forward.
The President said it best, ``It is the policy of the United States
to enhance the security and resilience of the Nation's critical
infrastructure and to maintain a cyber environment that encourages
efficiency, innovation, and economic prosperity while promoting safety,
security, business confidentiality, privacy and civil liberties.''
Critical infrastructure provides the essential services that underpin
American society, and I suggest that the owners and operators of
America's critical infrastructure are in a unique position to manage
their own business risks with the help of civilian government agencies,
to develop operational approaches that can make our critical
infrastructure protected and durable.
Mr. Speaker, I have worked long and hard with the chairman to hammer
out privacy and liability concerns held by myself, and many others, on
both sides of the aisle.
There are no broad exceptions to the current privacy laws in this
legislation, and it focuses on information sharing using existing
structures. In fact, the ACLU commended the construction of this
legislation by saying, ``. . . it is both pro-security and pro-privacy
. . .''
We still have much work to do to achieve a higher level of cyber
security in this country, and internationally.
We must approach the cyber threat arena in a way that is consistent
with traditional American values, and by leading on the issue of
respecting personal privacy in the efforts to achieve cyber security,
we must continue to respect the safeguards for our constitutional right
of freedom of speech.
The wrong way is to assume that we must cede all of our personal
privacy and freedoms to remain safe.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from Texas (Mr. McCaul) that the House suspend the rules and
pass the bill, H.R. 3696, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.
____________________