[Congressional Record Volume 161, Number 60 (Thursday, April 23, 2015)]
[House]
[Pages H2423-H2426]
{time} 0915
NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015
General Leave
Mr. McCAUL. Mr. Speaker, I ask unanimous consent that all Members may
have 5 legislative days within which to revise and extend their remarks
and include extraneous materials on the bill, H.R. 1731.
The SPEAKER pro tempore (Mr. Ratcliffe). Is there objection to the
request of the gentleman from Texas?
There was no objection.
The SPEAKER pro tempore. Pursuant to House Resolution 212 and rule
XVIII, the Chair declares the House in the Committee of the Whole House
on the state of the Union for the consideration of the bill, H.R. 1731.
The Chair appoints the gentleman from Georgia (Mr. Woodall) to
preside over the Committee of the Whole.
{time} 0916
In the Committee of the Whole
Accordingly, the House resolved itself into the Committee of the
Whole House on the state of the Union for the consideration of the bill
(H.R. 1731) to amend the Homeland Security Act of 2002 to enhance
multi-directional sharing of information related to cybersecurity risks
and strengthen privacy and civil liberties protections, and for other
purposes, with Mr. Woodall in the chair.
The Clerk read the title of the bill.
The CHAIR. Pursuant to the rule, the bill is considered read the
first time.
The gentleman from Texas (Mr. McCaul) and the gentleman from
Mississippi (Mr. Thompson) each will control 30 minutes.
The Chair recognizes the gentleman from Texas.
Mr. McCAUL. Mr. Chairman, I yield myself such time as I may consume.
I am pleased to bring to the floor H.R. 1731, the National
Cybersecurity Protection Advancement Act, a proprivacy, prosecurity
bill that we desperately need to safeguard our digital networks.
I would like to commend the subcommittee chairman, Mr. Ratcliffe, for
his work on this bill as well as our minority counterparts, including
Ranking Member Thompson and subcommittee Ranking Member Richmond for
their joint work on this bill. This has been a noteworthy, bipartisan
effort. I would also like to thank House Permanent Select Committee on
Intelligence Chairman Devin Nunes and Ranking Member Adam Schiff for
their input and collaboration. Lastly, I would like to thank Committee
on the Judiciary Chairman Goodlatte and Ranking Member Conyers for
their contribution.
Make no mistake, we are in the middle of a silent crisis. At this
very moment, our Nation's businesses are being robbed, and sensitive
government information is being stolen. We are under siege by a
faceless enemy whose tracks are covered in cyberspace.
Sophisticated breaches at companies like Anthem, Target, Neiman
Marcus, Home Depot, and JPMorgan have compromised the personal
information of millions of private citizens. Nation-states like Iran
and North Korea have launched digital bombs to get revenge at U.S.-
based companies, while others like China are stealing intellectual
property. We recently witnessed brazen cyber assaults against the White
House and the State Department, which put sensitive government
information at risk.
In the meantime, our adversaries have been developing the tools to
shut down everything from power grids to water systems so they can
cripple our economy and weaken our ability to defend the United States.
This bill will allow us to turn the tide against our enemies and ramp
up our defenses by allowing for greater cyber threat information
sharing. This bill will strengthen the Department of Homeland
Security's National Cybersecurity and Communications Integration
Center, or NCCIC. The NCCIC is a primary civilian interface for
exchanging cyber threat information, and for good reason. It is not a
cyber regulator. It is not looking to prosecute anyone, and it is not
military or a spy agency. Its sole purpose, Mr. Chairman, is to prevent
and respond to cyber attacks against our public and private networks
while aggressively protecting Americans' privacy.
Right now we are in a pre-9/11 moment in cyberspace. In the same way
legal barriers and turf wars kept us from connecting the dots before 9/
11, the lack of cyber threat information sharing makes us vulnerable to
an attack. Companies are afraid to share because they do not feel they
have the adequate legal protection to do so.
H.R. 1731 removes those legal barriers and creates a safe harbor,
which will encourage companies to voluntarily exchange information
about attacks against their networks. This will allow both the
government and private sector to spot digital attacks earlier and keep
malicious actors outside of our networks and away from information that
Americans expect to be defended.
This bill also puts privacy and civil liberties first. It requires
that personal information of our citizens be protected before it
changes hands--whether it is provided to the government or exchanged
between companies--so private citizens do not have their sensitive data
exposed.
Significantly, both industry and privacy groups have announced their
support for this legislation because they recognize that we need to
work together urgently to combat the cyber threat to this country.
Today, we have a dangerously incomplete picture of the online war
being waged against us, and it is costing Americans their time, money,
and jobs. It is time for us to safeguard our digital frontier. This
legislation is a necessary and vital step to do exactly that.
Mr. Chairman, before I reserve the balance of my time, I would like
to enter into the Record an exchange of letters between the chairman of
the Committee on the Judiciary, Mr. Goodlatte, and myself, recognizing
the jurisdictional interest of the Committee on the Judiciary in H.R.
1731.
U.S. House of Representatives,
Committee on the Judiciary,
Washington, DC, April 21, 2015.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
Washington, DC.
Dear Chairman McCaul: I am writing with respect to H.R.
1731, the ``National Cybersecurity Protection Advancement Act
of 2015.'' As a result of your having consulted with us on
provisions in H.R. 1731 that fall within the Rule X
jurisdiction of the Committee on the Judiciary, I agree to
waive consideration of this bill so that it may proceed
expeditiously to the House floor for consideration.
The Judiciary Committee takes this action with our mutual
understanding that by foregoing consideration of H.R. 1731 at
this time, we do not waive any jurisdiction over the subject
matter contained in this or similar legislation, and that our
Committee will be appropriately consulted and involved as the
bill or similar legislation moves forward so that we may
address any remaining issues in our jurisdiction. Our
Committee also reserves the right to seek appointment of an
appropriate number of conferees to any House-Senate
conference involving this or similar legislation, and asks
that you support any such request.
I would appreciate a response to this letter confirming
this understanding, and would ask that a copy of our exchange
of letters on this matter be included in the Congressional
Record during Floor consideration of H.R. 1731.
Sincerely,
Bob Goodlatte,
Chairman.
[[Page H2424]]
____
U.S. House of Representatives,
Committee on Homeland Security,
Washington, DC, April 21, 2015.
Hon. Bob Goodlatte,
Chairman, Committee on Judiciary,
Washington, DC.
Dear Chairman Goodlatte: Thank you for your letter
regarding H.R. 1731, the ``National Cybersecurity Protection
Advancement Act of 2015.'' I appreciate your support in
bringing this legislation before the House of
Representatives, and accordingly, understand that the
Committee on Judiciary will not seek a sequential referral on
the bill.
The Committee on Homeland Security concurs with the mutual
understanding that by foregoing a sequential referral of this
bill at this time, the Judiciary does not waive any
jurisdiction over the subject matter contained in this bill
or similar legislation in the future. In addition, should a
conference on this bill be necessary, I would support your
request to have the Committee on Judiciary represented on the
conference committee.
I will insert copies of this exchange in the Congressional
Record during consideration of this bill on the House floor.
I thank you for your cooperation in this matter.
Sincerely,
Michael T. McCaul,
Chairman, Committee on Homeland Security.
Mr. McCAUL. With that, I urge my colleagues to support this important
legislation.
I reserve the balance of my time.
Mr. THOMPSON of Mississippi. Mr. Chairman, I yield myself such time
as I may consume.
I rise in support of H.R. 1731, the National Cybersecurity Protection
Advancement Act of 2015.
Mr. Chairman, every day U.S. networks face hundreds of millions of
cyber hacking attempts and attacks. Many of these attacks target large
corporations and negatively impact consumers. They are launched by
common hackers as well as nation-states. As the Sony attack last year
demonstrated, they have a great potential for harm and put our economy
and homeland security at risk.
Last week, it was reported that attacks against SCADA industrial
control systems rose 100 percent between 2013 and 2014. Given that
SCADA systems are essential to running our power plants, factories, and
refineries, this is a very troubling trend.
Just yesterday, we learned about an advanced persistent threat that
has targeted high-profile individuals at the White House and State
Department since last year. According to an industry expert, this cyber
threat--nicknamed CozyDuke--includes malware, information-stealing
programs, and antivirus back doors that bear the hallmarks of Russian
cyber espionage tools.
Mr. Chairman, cyber terrorists and cyber criminals are constantly
innovating. Their success is dependent on their victims not being
vigilant and protecting their systems. Cyber terrorists and cyber
criminals exploit bad practices, like opening attachments and clicking
links from unknown senders. That is why I am pleased that H.R. 1731
includes a provision authored by Representative Watson Coleman to
authorize a national cyber public awareness campaign to promote greater
cyber hygiene.
Another key element of cybersecurity is, of course, information
sharing about cyber threats. We have seen that when companies come
forward and share their knowledge about imminent cyber threats, timely
actions can be taken to prevent damage to vital IT networks. Thus,
cybersecurity is one of those places where the old adage ``knowledge is
power'' applies.
That is why I am pleased H.R. 1731 authorizes private companies to
voluntarily share timely cyber threat information and malware with DHS
or other impacted companies. Under H.R. 1731, companies may voluntarily
choose to share threat information to prevent future attacks to other
systems.
I am also pleased that the bill authorizes companies to monitor their
own IT networks to identify penetrations and take steps to protect
their networks from cyber threats. H.R. 1731 builds on bipartisan
legislation enacted last year that authorized the Department of
Homeland Security's National Cybersecurity and Communications
Integration Center, commonly referred to as NCCIC.
H.R. 1731 was unanimously approved by the committee last week and
represents months of outreach to a diverse array of stakeholders from
the private sector and the privacy community. Importantly, H.R. 1731
requires participating companies to make reasonable efforts prior to
sharing to scrub the data to remove information that could identify a
person when that person is not believed to be related to the threat.
H.R. 1731 also directs DHS to scrub the data it receives and add an
additional layer of privacy protection. Additionally, it requires the
NCCIC to have strong procedures for protecting privacy, and calls for
robust oversight by the Department's chief privacy officer, its chief
civil rights and civil liberties officer, and inspector general, and
the Privacy and Civil Liberties Oversight Board.
I am a cosponsor of H.R. 1731, but as the White House observed
earlier this week, improvements are needed to ensure that its liability
protections are appropriately targeted. In its current form, it would
potentially protect companies that are negligent in how they carry out
authorized activities under the act.
Mr. Chairman, before reserving the balance of my time, I wish to
engage in a colloquy with the gentleman from Texas (Mr. McCaul)
regarding the liability protection provisions of H.R. 1731.
At the outset, I would like to express my appreciation for the
gentleman's willingness to work with me and the other Democrats on the
committee to develop this bipartisan legislation. We have a shared goal
of bolstering cybersecurity and improving the quality of information
that the private sector receives about timely cyber threats so that
they can act to protect their networks and the valuable data stored on
them.
Therefore, it is concerning that the liability protection provision
appears to undermine this shared goal insofar as it includes language
that on its face incentivizes companies to do nothing about actionable
cyber information. Specifically, I am speaking of the language on page
36, line 18, that extends liability protections to a company that fails
to act on timely threat information provided by DHS or another impacted
company.
I would ask the gentleman from Texas to work with me to clarify the
language as it moves through the legislative process to underscore that
it is not Congress' intent to promote inaction by companies who have
timely threat information.
Mr. McCAUL. Will the gentleman yield?
Mr. THOMPSON of Mississippi. I yield to the gentleman from Texas.
Mr. McCAUL. Mr. Chair, I thank the gentleman from Mississippi for his
question and would say that I do not completely share your view of that
clause. I assure you that incentivizing companies to do nothing with
timely threat information is certainly not the intent of this
provision, as the author of this bill.
On the contrary, I believe it is important that we provide companies
with legal safe harbors to encourage sharing of cyber threat
information and also believe that every company that participates in
this information-sharing process, especially small- and medium-sized
businesses, cannot be required to act upon every piece of cyber threat
information they receive.
As such, I support looking for ways to clarify that point with you,
Mr. Thompson. I commit to working with you as this bill moves forward
to look for ways to refine the language to ensure that it is consistent
with our shared policy goal of getting timely information into the
hands of businesses so that they can protect their networks and their
data.
{time} 0930
Mr. THOMPSON of Mississippi. Mr. Chairman, I reserve the balance of
my time.
Mr. McCAUL. Mr. Chairman, I now yield 5 minutes to the gentleman from
Texas (Mr. Ratcliffe), the chairman of the Subcommittee on
Cybersecurity, my close ally and colleague on this legislation.
Mr. RATCLIFFE. I thank the gentleman for yielding.
Mr. Chairman, I am grateful for the opportunity to work with Chairman
McCaul in crafting the National Cybersecurity Protection Advancement
Act. I would also like to thank Ranking Members Richmond and Thompson
for their hard work on this issue; and a special thank you to the
Homeland Security staff, who worked incredibly
[[Page H2425]]
hard to bring this important bill to the floor today.
Mr. Chairman, for years now, the private sector has been on the front
lines in trying to guard against potentially devastating cyber attacks.
Just 2 months ago, one of the Nation's largest health insurance
providers, Anthem, suffered a devastating cyber attack that compromised
the personal information and health records of more than 80 million
Americans.
The consequences of that breach hit home for many of those Americans
just a week ago, on tax day, when thousands of them tried to file their
tax returns, only to see them be rejected because cyber criminals had
used their information to file false tax returns.
Mr. Chairman, attacks like these serve as a wake-up call to all
Americans and provide clear evidence that our cyber adversaries have
the upper hand. The consequences will get even worse if we fail to
tackle this issue head on because even greater and more frightening
threats exist, ones that extend to the critical infrastructure that
support our very way of life.
I am talking about cyber attacks against the networks which control
our bridges, our dams, our power grids, rails, and even our water
supply. Attacks on this critical infrastructure have the potential to
produce sustained blackouts, halt air traffic, shut off fuel supplies,
or, even worse, contaminate the air, food, and water that we need to
survive.
These scenarios paint a picture of economic crisis and physical chaos
that are, unfortunately, all too real and all too possible right now.
Mr. Chairman, 85 percent of our Nation's critical infrastructure is
controlled by the private sector, not by the government, a fact which
underscores the reality that America's security, when it comes to
defending against cyber attacks, largely depends on the security of our
private networks.
The simple truth is that many in the private sector can't defend
their networks or our critical infrastructure against these threats.
H.R. 1731 provides a solution for the rapid sharing of important
cyber threat information to minimize or, in some cases, prevent the
cyber attacks from being successful.
Through the Department of Homeland Security's National Cybersecurity
Communication and Integration Center, or NCCIC, this bill will
facilitate the sharing of cyber threat indicators between the private
sector entities and between the private sector and the Federal
Government.
With carefully crafted liability protections, private entities would
finally be able to share cyber threat indicators with their private
sector counterparts through the NCCIC without fear of liability.
The sharing of these cyber threat indicators, or, more specifically,
the tools, techniques, and tactics used by cyber intruders, will arm
those who protect our networks with the valuable information they need
to fortify our defenses against future cyber attacks.
Because some have said that prior proposals didn't go far enough in
safeguarding personal privacy, this bill addresses those concerns with
robust privacy measures that ensure the protection of Americans'
personal information and private data.
H.R. 1731 will provide protection only for sharing that is done
voluntarily with the Department of Homeland Security's NCCIC, which is
a civilian entity. It does not provide for or allow sharing with the
NSA or the Department of Defense. In fact, this bill expressly
prohibits information from being used for surveillance purposes.
This bill also limits the type of information that can be shared, and
it requires the removal of all personally identifiable information,
which is scrubbed out before the cyber threat indicators can be shared.
In short, this bill improves and increases protection for the
personal privacy of Americans, which currently remains so vulnerable to
malicious attacks from our cyber adversaries.
Mr. Chairman, the status quo isn't working when it comes to defending
against cyber threats. The need to better secure Americans' personal
information and better protect and safeguard our critical
infrastructure is precisely what compels congressional action right
now.
I strongly endorse the passage of this vital legislation, and I urge
my colleagues on both sides of the aisle to support it as well. I thank
the gentleman from Texas for his leadership.
Mr. THOMPSON of Mississippi. Mr. Chairman, I yield 3 minutes to the
gentleman from Rhode Island (Mr. Langevin).
(Mr. LANGEVIN asked and was given permission to revise and extend his
remarks.)
Mr. LANGEVIN. I thank the gentleman for yielding.
Mr. Chairman, I am very pleased to be back on the floor today to
support the House's second major piece of cybersecurity legislation in
less than 24 hours.
As I said yesterday afternoon, it has been a long time coming, for
sure. Cybersecurity has been a passion of mine for nearly a decade, and
I am absolutely thrilled that, after years of hard work, the House, the
Senate, and the President finally are beginning to see eye-to-eye.
The National Cybersecurity Protection Advancement Act has at its core
three basic authorizations. First, it authorizes private entities and
the DHS's NCCIC to share, for cybersecurity purposes only, cyber threat
indicators that have been stripped of personal information and details.
Second, it allows businesses to monitor their networks in search of
cybersecurity risks. And third, it authorizes companies to deploy
limited defensive measures to protect their systems from malicious
actors.
Those three authorizations perfectly describe the information-sharing
regime we so desperately need. Under the act, companies would collect
information on threats, share it with their peers and with a civilian
portal, and then use the indicators they have received to defend
themselves.
Data are scrubbed of personal identifiable information before they
are shared and after they are received by the NCCIC. Companies are
offered limited liability protections for sharing information they
gather in accordance with this bill.
This legislation also provides for the deployment of rapid automated
sharing protocols--something DHS has been hard at work on with the
STIX/TAXII program--and it expands last year's NCCIC authorization.
Mr. Chairman, I do believe that the liability protections contained
in this bill may prove overly broad, and I certainly hope that we can
address that point as the legislative process continues, particularly,
hopefully, when we get to a conference committee on this issue.
Overall, though, it is a fine piece of legislation, and I
wholeheartedly congratulate Chairman McCaul, Ranking Member Thompson,
Subcommittee Chairman Ratcliffe, and Ranking Member Richmond, as well
as the other members of the committee and especially committee staff,
for a job well done.
Information-sharing legislation, Mr. Chairman, is not a silver bullet
by any means, but it will substantially improve our Nation's cyber
defenses and get us to a place where our Nation is much more secure in
cyberspace than where we are today.
Protecting critical infrastructure, of course, is among our chief
concerns. That will allow for the type of information sharing that will
get us to a much more secure place.
So, Mr. Chairman, I urge my colleagues to support this bill, and I
hope that the Senate will quickly follow suit.
Mr. McCAUL. Mr. Chairman, I yield such time as she may consume to the
gentlewoman from Michigan (Mrs. Miller), the vice chairman of the
Homeland Security Committee.
Mrs. MILLER of Michigan. Mr. Chairman, first of all, I want to thank
the distinguished chairman for yielding the time.
I think you can see by the comments that have been made thus far that
we have a very bipartisan bill and a bipartisan approach. That is,
through our committee, in no short measure because of the leadership
that Chairman McCaul and, quite frankly, our ranking member have
exhibited with the vision that they have had, these two gentlemen
working together, and both the chair and the ranking member on our
Subcommittee on Cybersecurity, Mr. Ratcliffe and Mr. Richmond as well.
[[Page H2426]]
This really has been a tremendous effort, and so important for our
country. This particular issue, obviously, is certainly a bipartisan
issue.
I say that, Mr. Chairman, because our Constitution makes the first
and foremost responsibility of the Federal Government to provide for
the common defense. That is actually in the preamble of our
Constitution.
In our modern world, those who are seeking harm to our Nation, to our
citizens, to our companies, can use many different means, including
attacks over the Internet to attack our Nation.
Recent cyber attacks on U.S. companies like Sony, Target, and Home
Depot not only harm these companies, Mr. Chairman, but they harm the
American citizens who do business with them, putting their most
personal private information at risk.
These threats, as are well known, are coming from nation-states like
North Korea, Russia, Iran, China, as well as cyber criminals seeking to
steal not only personal information but also intellectual property and
sensitive government information.
In today's digital world, we have a duty to defend ourselves against
cyber espionage, and the best way to combat these threats is to first
recognize the threat and combine private and government resources and
intelligence. Mr. Chairman, that is exactly what this bill does.
Mr. Chairman, I think this bill will help to facilitate greater
cooperation and efforts to protect our Nation's digital infrastructure,
including power grids and other utilities and other services that
everyday Americans rely on each and every day.
By removing barriers, which will allow private companies to
voluntarily share their cybersecurity threat information with the
Department of Homeland Security and/or other companies, I think we will
in a very large way improve earlier detection and mitigation of
potential threats.
Additionally, this legislation that we are debating on the floor
today ensures that personal identification information is removed prior
to sharing information related to cyber threats and that very strong
safeguards are in place to protect personal privacy and civil
liberties.
Mr. Chairman, I point that out because that was something that was
discussed a lot by practically every member of the Homeland Security
Committee. We were all very, very united on that issue. And I think
that is an important critical component, a point to make, and it is
reflected in this legislation.
As Mr. Ratcliffe mentioned just earlier, 85 percent of America's
critical infrastructure is owned and operated by the private sector--
think about that, 85 percent--which means that cyber threats pose as
much of an economic threat to the United States as they do to our
security, and we have a constitutional responsibility, as I pointed out
in the beginning, to protect ourselves, to protect our Nation, to
protect our American citizens from this ever-evolving threat.
So, Mr. Chairman, I would urge that all of my colleagues join me,
join all of us on our committee, in voting in favor of this important
legislation that will provide an additional line, and a very important
line, of defense against cyber attacks.
The CHAIR. The Committee will rise informally.
The Speaker pro tempore (Mr. Loudermilk) assumed the chair.
____________________
[Congressional Record Volume 161, Number 60 (Thursday, April 23, 2015)]
[House]
[Pages H2426-H2446]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015
The Committee resumed its sitting.
Mr. THOMPSON of Mississippi. Mr. Chairman, I yield 2 minutes to the
gentleman from Virginia (Mr. Connolly).
Mr. CONNOLLY. I thank my dear friend from Mississippi (Mr. Thompson),
and I commend him and the distinguished chairman of the committee, Mr.
McCaul, for their wonderful work on this bill.
Mr. Chairman, we cannot wait. America cannot wait for a cyber Pearl
Harbor. This issue--cybersecurity--may be the most complex and
difficult challenge we confront long term as a nation.
In the wired 21st century, the line between our physical world and
cyberspace continues to blur with every aspect of our lives, from
social interaction to commerce. Yet the remarkable gains that have
accompanied an increasingly digital and connected society also have
opened up new, unprecedented vulnerabilities that threaten to undermine
this progress and cause great harm to our country's national security,
critical infrastructure, and economy.
{time} 0945
It is long overdue for Congress to modernize our cyber laws to
address those vulnerabilities present in both public and private
networks. The bills before us this week are a step in the right
direction, and I am glad to support them, but they are a first step.
Information sharing alone does not inoculate or even defend us from
cyber attacks. Indeed, in the critical three P's of enhancing
cybersecurity--people, policies, and practices--the measures before us
make improvements primarily to policy.
I commend the two committees for working in a bipartisan fashion to
improve privacy and transparency protections. More is still needed to
safeguard the civil liberties of our constituents.
Further, I hope that the broad liability protections provided by
these bills will, in fact, be narrowed upon further consultation with
the Senate. Cybersecurity must be a shared public-private
responsibility, and that includes the expectation and requirement that
our partners will, in fact, take reasonable actions.
Moving forward, I hope Congress will build on this effort to address
the security of critical infrastructure, the vast majority of which, as
has been already pointed out, is owned and operated by the private
sector.
The CHAIR. The time of the gentleman has expired.
Mr. THOMPSON of Mississippi. I yield the gentleman an additional 30
seconds.
Mr. CONNOLLY. We also need to strengthen our Nation's cyber
workforce, devise effective data breach notification policies, and
bring about a wholesale cultural revolution so that society fully
understands the critical importance of good cyber hygiene.
The bottom line is that our vulnerability in cyberspace demands that
we take decisive action and take it now, but much like the tactics used
in effective cybersecurity, we must recognize that enhancing our cyber
defenses is an iterative process that requires continuous effort.
I congratulate the staffs and the leadership of the committee.
Mr. McCAUL. Mr. Chairman, I yield 5 minutes to the gentleman from
Georgia (Mr. Loudermilk), a member of the Committee on Homeland
Security.
Mr. LOUDERMILK. Mr. Chairman, over the past 40 years, we have
experienced advancements in information technology that literally have
transformed business, education, government; it has even transformed
our culture.
Information research that only a couple of decades ago would take
days, months, maybe even years to accomplish is available, quite
literally, at our fingertips and instantaneously.
Other aspects of our lives have also been shaped by this immediate
access to information. Shopping, you can go shopping without ever going
to a store. You can conduct financial transactions without ever going
to a bank. You can even have access to entertainment without ever going
to a theater.
These advancements in technology have not only transformed the way we
access and store information, but it has also transformed the way we
communicate.
No longer is instantaneous voice-to-voice communication only
available through a phone call, but people around the world instantly
connect with one another with a variety of methods, from email, instant
text messaging, even video conferencing, and
[[Page H2427]]
this can be all down while you are on the move. You don't even have to
be chained to a desk or in your business office.
Really, every aspect of our culture has been affected by the
advancements in information technology, and, for the most part, our
lives have been improved by these advancements.
As an IT professional, with 30-plus years' experience in both the
military and private sector, I know firsthand the benefits of this
instant access to endless amounts of information, but, on the other
hand, I know all too well the vulnerabilities of these systems.
For the past 20 years, I have assisted businesses and governments to
automate their operations and ensure they can access their networks
anytime and from anywhere.
However, this global access to information requires a global
interconnection of these systems. At almost any time during the day,
Americans are connected to this global network through their phones,
tablets, health monitors, and car navigation systems. Even home
security systems are now connected to the Internet.
We have become dependent on this interconnection and so have the
businesses and government entities that provide crucial services that
we rely on, but as our dependence on technology has grown, so have our
vulnerabilities.
Cyberspace is the new battleground, a battleground for a multitude of
adversaries. Foreign nations, international terrorist organizations,
and organized crime regularly target our citizens, businesses, and
government.
Unlike traditional combat operations, cyber attackers don't require
sophisticated weaponry to carry out their warfare. On the cyber
battlefield, a single individual with a laptop computer can wreak havoc
on business, the economy, even our critical infrastructure.
In the past several months, we have seen an increasing number of
cyber attacks on national security systems and private company
networks, breaching critical information. Earlier this year, Anthem
BlueCross BlueShield's IT system was hacked by a highly sophisticated
cyber attacker, obtaining personal employee and consumer data,
including names, Social Security numbers, and mailing addresses.
An old adage among IT professionals states: There are two types of
computer users, those who have been hacked and those who don't know
that they have been hacked.
Today, this is truer than ever before. The incredible advancements
made by the IT industry over the past three decades have been
predominantly due to the competitive nature of the free market.
Without the overbearing constraints of government bureaucracy,
oversight, and regulation, technology entrepreneurs have had the
freedom to bring new innovations to the market with little cost and in
record amount of time.
It is clear that our greatest advancements in technology have come
from the private sector. That is why it is imperative that the
government partner with the private sector to combat cyber attacks
against our Nation.
The bill being debated in this House today, the National
Cybersecurity Protection Advancement Act, puts in place a framework for
voluntary partnership between government and the private sector to
share information to protect against and combat against cyber attacks.
Through this voluntary sharing of critical information, businesses
and government will voluntarily work together to respond to attacks and
to prevent our enemies from corrupting networks, attacking our highly
sensitive data systems, and compromising our personal privacy
information.
While protecting individual privacy, this legislation also includes
liability protections for the sharing of cyber threat information and
thereby promotes information sharing that enhances the
national cybersecurity posture.
We are no longer solely dealing with groups of hackers and
terrorists, but individuals who target large networks, corrupt our
database, and get hold of private material.
With today's evolving technology, we must make sure we are affirming
individual privacy rights and safeguarding both government and private
sector databases from cyberterrorism.
Protecting the civil liberties of the citizens of the United States
is a top priority for me, and it should be for this Congress.
The CHAIR. The time of the gentleman has expired.
Mr. McCAUL. I yield the gentleman an additional 30 seconds.
Mr. LOUDERMILK. That is why I do support H.R. 1731, because it
provides that framework of cooperation between the government and the
private industry, and it provides the protections and liability
protections our industries need.
We must have this bill. I do stand in support of it, and I thank you
for allowing me this time to speak.
Mr. THOMPSON of Mississippi. Mr. Chairman, I have no additional
requests for time, so I reserve the balance of my time.
Mr. McCAUL. Mr. Chairman, I yield such time as he may consume to the
gentleman from Texas (Mr. Hurd), a member of the Homeland Security
Committee.
Mr. HURD of Texas. Mr. Chairman, I have spent almost 9 years, or a
little bit over 9 years, as an undercover officer in the CIA. I chased
al Qaeda, Taliban. Towards the end of my career, we started spending a
lot more time focusing on cyber criminals, Russian organized crime,
state sponsors of terror like Iran.
What this bill does is it helps in the protection of our digital
infrastructure, both public and private, against this increasing
threat.
I had the opportunity to help build a cybersecurity company, and
seeing the threats to our infrastructure is great. This bill, which I
rise in support of, is going to create that framework in order for the
public and the private sector to work together against these threats.
When I was doing this for a living, you give me enough time, I am
going to get in your network. We have to change our mindset and begin
with the presumption of breach. How do we stop someone? How do we
detect someone getting in our system? How do we corral them? And how do
we kick them off? H.R. 1731 is a great start in doing this and making
sure that we have the right protections.
We also are helping small- and medium-sized businesses with this
bill, making sure that a lot of them have the resources that some
larger businesses do and making sure that the Department of Homeland
Security is providing as much information to them so that they can keep
their company and their customers safe.
I would like to commend everyone on both sides of the aisle that is
working to make this bill happen, and I look forward to seeing this get
past this House and our colleagues in the Senate.
Mr. THOMPSON of Mississippi. Mr. Chairman, I continue to reserve the
balance of my time.
Mr. McCAUL. Mr. Chairman, I have no further requests for time. I am
prepared to close if the gentleman from Mississippi is prepared to
close.
I reserve the balance of my time.
Mr. THOMPSON of Mississippi. Mr. Chairman, I yield myself such time
as I may consume.
As someone involved in this issue for many years, I am not surprised
by the overwhelming support that H.R. 1731 has garnered. Today, the
House has the opportunity to join with the President and stakeholders
from across our critical infrastructure sectors to make our Nation more
secure.
By casting a vote in favor of H.R. 1731, you will be putting the
Department of Homeland Security, the Federal civilian lead for cyber
information sharing, on a path to fully partnering with the private
sector to protect the U.S. networks.
Mr. Chairman, I yield back the balance of my time.
Mr. McCAUL. Mr. Chairman, I yield myself such time as I may consume.
Mr. Chairman, we are at a pivotal moment today and face a stark
reality. The cyber threats to America have gone from bad to severe, and
in many ways, we are flying blind.
The current level of cyber threat information sharing won't cut it.
In the same way that we failed to stop terrorist attacks in the past,
we are not connecting the dots well enough to prevent digital assaults
against our Nation's networks.
[[Page H2428]]
The information we need to stop destructive breaches is held in
silos, rather than being shared, preventing us from mounting an
aggressive defense. In fact, the majority of cyber intrusions go
unreported, leaving our networks vulnerable to the same attacks. When
sharing does happen, it is often too little and too late.
If we don't pass this legislation to enhance cyber threat information
sharing, we will be failing the American people and ceding more ground
to our adversaries.
I hope, today, that we have the momentum to reverse the tide and to
do what the American people expect of us, pass prosecurity, proprivacy
legislation to better safeguard our public and private networks. Our
inaction would be a permission slip for criminals, hacktivists,
terrorists, and nation-states to continue to steal our data and to do
our people harm.
I appreciate the collaboration from Members across the aisle and from
other committees in developing this legislation. I would like to
specifically commend, again, subcommittee Chairman Ratcliffe for his
work on this bill, as well as our minority counterparts, including
Ranking Member Thompson and subcommittee Ranking Member Richmond for
their joint work on this bill.
Mr. Chairman, I urge my colleagues to pass H.R. 1731.
I yield back the balance of my time.
Mr. VAN HOLLEN. Mr. Chair, I rise today to oppose H.R. 1731, the
National Cybersecurity Protection Advancement Act of 2015. I commend
Chairman McCaul and Ranking Member Thompson for crafting a
cybersecurity bill that improves upon legislation this body has
previously voted on, but ultimately I cannot support it in its current
form.
As was the case with yesterday's bill, the Protecting Cyber Networks
Act (H.R. 1560), I continue to have concerns about the ambiguous
liability provisions in this legislation. Specifically, H.R. 1731 would
grant immunity to companies for simply putting forth a ``good faith''
effort when reporting security threats to the Department of Homeland
Security. Like H.R. 1560, companies would receive liability protection
even if they fail to act on threat information in a timely manner. I
was disappointed that Republicans did not allow a vote on any of the
seven amendments offered to improve the liability provisions in this
bill.
I strongly believe that we must take steps to protect against these
cyber threats while not sacrificing our privacy and civil liberties. It
is my hope that many of these murky liability provisions can be
resolved in the Senate, but I cannot support this bill as it stands
today.
THE CHAIR. All time for general debate has expired.
In lieu of the amendment in the nature of a substitute recommended by
the Committee on Homeland Security, printed in the bill, it shall be in
order to consider as an original bill, for the purpose of amendment
under the 5-minute rule, an amendment in the nature of a substitute
consisting of the text of Rules Committee Print 114-12. That amendment
in the nature of a substitute shall be considered as read.
The text of the amendment in the nature of a substitute is as
follows:
H.R. 1731
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Cybersecurity
Protection Advancement Act of 2015''.
SEC. 2. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION
CENTER.
(a) Definitions.--
(1) In general.--Subsection (a) of the second section 226
of the Homeland Security Act of 2002 (6 U.S.C. 148; relating
to the National Cybersecurity and Communications Integration
Center) is amended--
(A) in paragraph (3), by striking ``and'' at the end;
(B) in paragraph (4), by striking the period at the end and
inserting ``; and''; and
(C) by adding at the end the following new paragraphs:
``(5) the term `cyber threat indicator' means technical
information that is necessary to describe or identify--
``(A) a method for probing, monitoring, maintaining, or
establishing network awareness of an information system for
the purpose of discerning technical vulnerabilities of such
information system, if such method is known or reasonably
suspected of being associated with a known or suspected
cybersecurity risk, including communications that reasonably
appear to be transmitted for the purpose of gathering
technical information related to a cybersecurity risk;
``(B) a method for defeating a technical or security
control of an information system;
``(C) a technical vulnerability, including anomalous
technical behavior that may become a vulnerability;
``(D) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(E) a method for unauthorized remote identification of,
access to, or use of an information system or information
that is stored on, processed by, or transiting an information
system that is known or reasonably suspected of being
associated with a known or suspected cybersecurity risk;
``(F) the actual or potential harm caused by a
cybersecurity risk, including a description of the
information exfiltrated as a result of a particular
cybersecurity risk;
``(G) any other attribute of a cybersecurity risk that
cannot be used to identify specific persons reasonably
believed to be unrelated to such cybersecurity risk, if
disclosure of such attribute is not otherwise prohibited by
law; or
``(H) any combination of subparagraphs (A) through (G);
``(6) the term `cybersecurity purpose' means the purpose of
protecting an information system or information that is
stored on, processed by, or transiting an information system
from a cybersecurity risk or incident;
``(7)(A) except as provided in subparagraph (B), the term
`defensive measure' means an action, device, procedure,
signature, technique, or other measure applied to an
information system or information that is stored on,
processed by, or transiting an information system that
detects, prevents, or mitigates a known or suspected
cybersecurity risk or incident, or any attribute of hardware,
software, process, or procedure that could enable or
facilitate the defeat of a security control;
``(B) such term does not include a measure that destroys,
renders unusable, or substantially harms an information
system or data on an information system not belonging to--
``(i) the non-Federal entity, not including a State, local,
or tribal government, operating such measure; or
``(ii) another Federal entity or non-Federal entity that is
authorized to provide consent and has provided such consent
to the non-Federal entity referred to in clause (i);
``(8) the term `network awareness' means to scan, identify,
acquire, monitor, log, or analyze information that is stored
on, processed by, or transiting an information system;
``(9)(A) the term `private entity' means a non-Federal
entity that is an individual or private group, organization,
proprietorship, partnership, trust, cooperative, corporation,
or other commercial or non-profit entity, including an
officer, employee, or agent thereof;
``(B) such term includes a component of a State, local, or
tribal government performing electric utility services;
``(10) the term `security control' means the management,
operational, and technical controls used to protect against
an unauthorized effort to adversely affect the
confidentially, integrity, or availability of an information
system or information that is stored on, processed by, or
transiting an information system; and
``(11) the term `sharing' means providing, receiving, and
disseminating.''.
(b) Amendment.--Subparagraph (B) of subsection (d)(1) of
such second section 226 of the Homeland Security Act of 2002
is amended--
(1) in clause (i), by striking ``and local'' and inserting
``, local, and tribal'';
(2) in clause (ii)--
(A) by inserting ``, including information sharing and
analysis centers'' before the semicolon; and
(B) by striking ``and'' at the end;
(3) in clause (iii), by striking the period at the end and
inserting ``; and''; and
(4) by adding at the end the following new clause:
``(iv) private entities.''.
SEC. 3. INFORMATION SHARING STRUCTURE AND PROCESSES.
The second section 226 of the Homeland Security Act of 2002
(6 U.S.C. 148; relating to the National Cybersecurity and
Communications Integration Center) is amended--
(1) in subsection (c)--
(A) in paragraph (1)--
(i) by striking ``a Federal civilian interface'' and
inserting ``the lead Federal civilian interface''; and
(ii) by striking ``cybersecurity risks,'' and inserting
``cyber threat indicators, defensive measures, cybersecurity
risks,'';
(B) in paragraph (3), by striking ``cybersecurity risks''
and inserting ``cyber threat indicators, defensive measures,
cybersecurity risks,'';
(C) in paragraph (5)(A), by striking ``cybersecurity
risks'' and inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,'';
(D) in paragraph (6)--
(i) by striking ``cybersecurity risks'' and inserting
``cyber threat indicators, defensive measures, cybersecurity
risks,''; and
(ii) by striking ``and'' at the end;
(E) in paragraph (7)--
(i) in subparagraph (A), by striking ``and'' at the end;
(ii) in subparagraph (B), by striking the period at the end
and inserting ``; and''; and
(iii) by adding at the end the following new subparagraph:
``(C) sharing cyber threat indicators and defensive
measures;''; and
(F) by adding at the end the following new paragraphs
``(8) engaging with international partners, in consultation
with other appropriate agencies, to--
``(A) collaborate on cyber threat indicators, defensive
measures, and information related to cybersecurity risks and
incidents; and
``(B) enhance the security and resilience of global
cybersecurity;
``(9) sharing cyber threat indicators, defensive measures,
and other information related to cybersecurity risks and
incidents with Federal and non-Federal entities, including
across sectors of critical infrastructure and with State and
major urban area fusion centers, as appropriate;
``(10) promptly notifying the Secretary and the Committee
on Homeland Security of the House of Representatives and the
Committee on
[[Page H2429]]
Homeland Security and Governmental Affairs of the Senate of
any significant violations of the policies and procedures
specified in subsection (i)(6)(A);
``(11) promptly notifying non-Federal entities that have
shared cyber threat indicators or defensive measures that are
known or determined to be in error or in contravention of the
requirements of this section; and
``(12) participating, as appropriate, in exercises run by
the Department's National Exercise Program.'';
(2) in subsection (d)--
(A) in subparagraph (D), by striking ``and'' at the end;
(B) by redesignating subparagraph (E) as subparagraph (J);
and
(C) by inserting after subparagraph (D) the following new
subparagraphs:
``(E) an entity that collaborates with State and local
governments on cybersecurity risks and incidents, and has
entered into a voluntary information sharing relationship
with the Center;
``(F) a United States Computer Emergency Readiness Team
that coordinates information related to cybersecurity risks
and incidents, proactively and collaboratively addresses
cybersecurity risks and incidents to the United States,
collaboratively responds to cybersecurity risks and
incidents, provides technical assistance, upon request, to
information system owners and operators, and shares cyber
threat indicators, defensive measures, analysis, or
information related to cybersecurity risks and incidents in a
timely manner;
``(G) the Industrial Control System Cyber Emergency
Response Team that--
``(i) coordinates with industrial control systems owners
and operators;
``(ii) provides training, upon request, to Federal entities
and non-Federal entities on industrial control systems
cybersecurity;
``(iii) collaboratively addresses cybersecurity risks and
incidents to industrial control systems;
``(iv) provides technical assistance, upon request, to
Federal entities and non-Federal entities relating to
industrial control systems cybersecurity; and
``(v) shares cyber threat indicators, defensive measures,
or information related to cybersecurity risks and incidents
of industrial control systems in a timely fashion;
``(H) a National Coordinating Center for Communications
that coordinates the protection, response, and recovery of
emergency communications;
``(I) an entity that coordinates with small and medium-
sized businesses; and'';
(3) in subsection (e)--
(A) in paragraph (1)--
(i) in subparagraph (A), by inserting ``cyber threat
indicators, defensive measures, and'' before ``information'';
(ii) in subparagraph (B), by inserting ``cyber threat
indicators, defensive measures, and'' before ``information'';
(iii) in subparagraph (F), by striking ``cybersecurity
risks'' and inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,'';
(iv) in subparagraph (F), by striking ``and'' at the end;
(v) in subparagraph (G), by striking ``cybersecurity
risks'' and inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,''; and
(vi) by adding at the end the following:
``(H) the Center ensures that it shares information
relating to cybersecurity risks and incidents with small and
medium-sized businesses, as appropriate; and
``(I) the Center designates an agency contact for non-
Federal entities;'';
(B) in paragraph (2)--
(i) by striking ``cybersecurity risks'' and inserting
``cyber threat indicators, defensive measures, cybersecurity
risks,''; and
(ii) by inserting ``or disclosure'' before the semicolon at
the end; and
(C) in paragraph (3), by inserting before the period at the
end the following: ``, including by working with the Chief
Privacy Officer appointed under section 222 to ensure that
the Center follows the policies and procedures specified in
subsection (i)(6)(A)''; and
(4) by adding at the end the following new subsections:
``(g) Rapid Automated Sharing.--
``(1) In general.--The Under Secretary for Cybersecurity
and Infrastructure Protection, in coordination with industry
and other stakeholders, shall develop capabilities making use
of existing information technology industry standards and
best practices, as appropriate, that support and rapidly
advance the development, adoption, and implementation of
automated mechanisms for the timely sharing of cyber threat
indicators and defensive measures to and from the Center and
with each Federal agency designated as the `Sector Specific
Agency' for each critical infrastructure sector in accordance
with subsection (h).
``(2) Biannual report.--The Under Secretary for
Cybersecurity and Infrastructure Protection shall submit to
the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a biannual report on the
status and progress of the development of the capability
described in paragraph (1). Such reports shall be required
until such capability is fully implemented.
``(h) Sector Specific Agencies.--The Secretary, in
collaboration with the relevant critical infrastructure
sector and the heads of other appropriate Federal agencies,
shall recognize the Federal agency designated as of March 25,
2015, as the `Sector Specific Agency' for each critical
infrastructure sector designated in the Department's National
Infrastructure Protection Plan. If the designated Sector
Specific Agency for a particular critical infrastructure
sector is the Department, for purposes of this section, the
Secretary is deemed to be the head of such Sector Specific
Agency and shall carry out this section. The Secretary, in
coordination with the heads of each such Sector Specific
Agency, shall--
``(1) support the security and resilience actives of the
relevant critical infrastructure sector in accordance with
this section;
``(2) provide institutional knowledge, specialized
expertise, and technical assistance upon request to the
relevant critical infrastructure sector; and
``(3) support the timely sharing of cyber threat indicators
and defensive measures with the relevant critical
infrastructure sector with the Center in accordance with this
section.
``(i) Voluntary Information Sharing Procedures.--
``(1) Procedures.--
``(A) In general.--The Center may enter into a voluntary
information sharing relationship with any consenting non-
Federal entity for the sharing of cyber threat indicators and
defensive measures for cybersecurity purposes in accordance
with this section. Nothing in this section may be construed
to require any non-Federal entity to enter into any such
information sharing relationship with the Center or any other
entity. The Center may terminate a voluntary information
sharing relationship under this subsection if the Center
determines that the non-Federal entity with which the Center
has entered into such a relationship has, after repeated
notice, repeatedly violated the terms of this subsection.
``(B) National security.--The Secretary may decline to
enter into a voluntary information sharing relationship under
this subsection if the Secretary determines that such is
appropriate for national security.
``(2) Voluntary information sharing relationships.--A
voluntary information sharing relationship under this
subsection may be characterized as an agreement described in
this paragraph.
``(A) Standard agreement.--For the use of a non-Federal
entity, the Center shall make available a standard agreement,
consistent with this section, on the Department's website.
``(B) Negotiated agreement.--At the request of a non-
Federal entity, and if determined appropriate by the Center,
the Department shall negotiate a non-standard agreement,
consistent with this section.
``(C) Existing agreements.--An agreement between the Center
and a non-Federal entity that is entered into before the date
of the enactment of this section, or such an agreement that
is in effect before such date, shall be deemed in compliance
with the requirements of this subsection, notwithstanding any
other provision or requirement of this subsection. An
agreement under this subsection shall include the relevant
privacy protections as in effect under the Cooperative
Research and Development Agreement for Cybersecurity
Information Sharing and Collaboration, as of December 31,
2014. Nothing in this subsection may be construed to require
a non-Federal entity to enter into either a standard or
negotiated agreement to be in compliance with this
subsection.
``(3) Information sharing authorization.--
``(A) In general.--Except as provided in subparagraph (B),
and notwithstanding any other provision of law, a non-Federal
entity may, for cybersecurity purposes, share cyber threat
indicators or defensive measures obtained on its own
information system, or on an information system of another
Federal entity or non-Federal entity, upon written consent of
such other Federal entity or non-Federal entity or an
authorized representative of such other Federal entity or
non-Federal entity in accordance with this section with--
``(i) another non-Federal entity; or
``(ii) the Center, as provided in this section.
``(B) Lawful restriction.--A non-Federal entity receiving a
cyber threat indicator or defensive measure from another
Federal entity or non-Federal entity shall comply with
otherwise lawful restrictions placed on the sharing or use of
such cyber threat indicator or defensive measure by the
sharing Federal entity or non-Federal entity.
``(C) Removal of information unrelated to cybersecurity
risks or incidents.--Federal entities and non-Federal
entities shall, prior to such sharing, take reasonable
efforts to remove information that can be used to identify
specific persons and is reasonably believed at the time of
sharing to be unrelated to a cybersecurity risks or incident
and to safeguard information that can be used to identify
specific persons from unintended disclosure or unauthorized
access or acquisition.
``(D) Rule of construction.--Nothing in this paragraph may
be construed to--
``(i) limit or modify an existing information sharing
relationship;
``(ii) prohibit a new information sharing relationship;
``(iii) require a new information sharing relationship
between any non-Federal entity and a Federal entity;
``(iv) limit otherwise lawful activity; or
``(v) in any manner impact or modify procedures in
existence as of the date of the enactment of this section for
reporting known or suspected criminal activity to appropriate
law enforcement authorities or for participating voluntarily
or under legal requirement in an investigation.
``(E) Coordinated vulnerability disclosure.--The Under
Secretary for Cybersecurity and Infrastructure Protection, in
coordination with industry and other stakeholders, shall
develop, publish, and adhere to policies and procedures for
coordinating vulnerability disclosures, to the extent
practicable, consistent with international standards in the
information technology industry.
[[Page H2430]]
``(4) Network awareness authorization.--
``(A) In general.--Notwithstanding any other provision of
law, a non-Federal entity, not including a State, local, or
tribal government, may, for cybersecurity purposes, conduct
network awareness of--
``(i) an information system of such non-Federal entity to
protect the rights or property of such non-Federal entity;
``(ii) an information system of another non-Federal entity,
upon written consent of such other non-Federal entity for
conducting such network awareness to protect the rights or
property of such other non-Federal entity;
``(iii) an information system of a Federal entity, upon
written consent of an authorized representative of such
Federal entity for conducting such network awareness to
protect the rights or property of such Federal entity; or
``(iv) information that is stored on, processed by, or
transiting an information system described in this
subparagraph.
``(B) Rule of construction.--Nothing in this paragraph may
be construed to--
``(i) authorize conducting network awareness of an
information system, or the use of any information obtained
through such conducting of network awareness, other than as
provided in this section; or
``(ii) limit otherwise lawful activity.
``(5) Defensive measure authorization.--
``(A) In general.--Except as provided in subparagraph (B)
and notwithstanding any other provision of law, a non-Federal
entity, not including a State, local, or tribal government,
may, for cybersecurity purposes, operate a defensive measure
that is applied to--
``(i) an information system of such non-Federal entity to
protect the rights or property of such non-Federal entity;
``(ii) an information system of another non-Federal entity
upon written consent of such other non-Federal entity for
operation of such defensive measure to protect the rights or
property of such other non-Federal entity;
``(iii) an information system of a Federal entity upon
written consent of an authorized representative of such
Federal entity for operation of such defensive measure to
protect the rights or property of such Federal entity; or
``(iv) information that is stored on, processed by, or
transiting an information system described in this
subparagraph.
``(B) Rule of construction.--Nothing in this paragraph may
be construed to--
``(i) authorize the use of a defensive measure other than
as provided in this section; or
``(ii) limit otherwise lawful activity.
``(6) Privacy and civil liberties protections.--
``(A) Policies and procedures.--
``(i) In general.--The Under Secretary for Cybersecurity
and Infrastructure Protection shall, in coordination with the
Chief Privacy Officer and the Chief Civil Rights and Civil
Liberties Officer of the Department, establish and annually
review policies and procedures governing the receipt,
retention, use, and disclosure of cyber threat indicators,
defensive measures, and information related to cybersecurity
risks and incidents shared with the Center in accordance with
this section. Such policies and procedures shall apply only
to the Department, consistent with the need to protect
information systems from cybersecurity risks and incidents
and mitigate cybersecurity risks and incidents in a timely
manner, and shall--
``(I) be consistent with the Department's Fair Information
Practice Principles developed pursuant to section 552a of
title 5, United States Code (commonly referred to as the
`Privacy Act of 1974' or the `Privacy Act'), and subject to
the Secretary's authority under subsection (a)(2) of section
222 of this Act;
``(II) reasonably limit, to the greatest extent
practicable, the receipt, retention, use, and disclosure of
cyber threat indicators and defensive measures associated
with specific persons that is not necessary, for
cybersecurity purposes, to protect a network or information
system from cybersecurity risks or mitigate cybersecurity
risks and incidents in a timely manner;
``(III) minimize any impact on privacy and civil liberties;
``(IV) provide data integrity through the prompt removal
and destruction of obsolete or erroneous names and personal
information that is unrelated to the cybersecurity risk or
incident information shared and retained by the Center in
accordance with this section;
``(V) include requirements to safeguard cyber threat
indicators and defensive measures retained by the Center,
including information that is proprietary or business-
sensitive that may be used to identify specific persons from
unauthorized access or acquisition;
``(VI) protect the confidentiality of cyber threat
indicators and defensive measures associated with specific
persons to the greatest extent practicable; and
``(VII) ensure all relevant constitutional, legal, and
privacy protections are observed.
``(ii) Submission to congress.--Not later than 180 days
after the date of the enactment of this section and annually
thereafter, the Chief Privacy Officer and the Officer for
Civil Rights and Civil Liberties of the Department, in
consultation with the Privacy and Civil Liberties Oversight
Board (established pursuant to section 1061 of the
Intelligence Reform and Terrorism Prevention Act of 2004 (42
U.S.C. 2000ee)), shall submit to the Committee on Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate the
policies and procedures governing the sharing of cyber threat
indicators, defensive measures, and information related to
cybsersecurity risks and incidents described in clause (i) of
subparagraph (A).
``(iii) Public notice and access.--The Under Secretary for
Cybersecurity and Infrastructure Protection, in consultation
with the Chief Privacy Officer and the Chief Civil Rights and
Civil Liberties Officer of the Department, and the Privacy
and Civil Liberties Oversight Board (established pursuant to
section 1061 of the Intelligence Reform and Terrorism
Prevention Act of 2004 (42 U.S.C. 2000ee)), shall ensure
there is public notice of, and access to, the policies and
procedures governing the sharing of cyber threat indicators,
defensive measures, and information related to cybersecurity
risks and incidents.
``(iv) Consultation.--The Under Secretary for Cybersecurity
and Infrastructure Protection when establishing policies and
procedures to support privacy and civil liberties may consult
with the National Institute of Standards and Technology.
``(B) Implementation.--The Chief Privacy Officer of the
Department, on an ongoing basis, shall--
``(i) monitor the implementation of the policies and
procedures governing the sharing of cyber threat indicators
and defensive measures established pursuant to clause (i) of
subparagraph (A);
``(ii) regularly review and update privacy impact
assessments, as appropriate, to ensure all relevant
constitutional, legal, and privacy protections are being
followed;
``(iii) work with the Under Secretary for Cybersecurity and
Infrastructure Protection to carry out paragraphs (10) and
(11) of subsection (c);
``(iv) annually submit to the Committee on Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate a
report that contains a review of the effectiveness of such
policies and procedures to protect privacy and civil
liberties; and
``(v) ensure there are appropriate sanctions in place for
officers, employees, or agents of the Department who
intentionally or willfully conduct activities under this
section in an unauthorized manner.
``(C) Inspector general report.--The Inspector General of
the Department, in consultation with the Privacy and Civil
Liberties Oversight Board and the Inspector General of each
Federal agency that receives cyber threat indicators or
defensive measures shared with the Center under this section,
shall, not later than two years after the date of the
enactment of this subsection and periodically thereafter
submit to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report containing a
review of the use of cybersecurity risk information shared
with the Center, including the following:
``(i) A report on the receipt, use, and dissemination of
cyber threat indicators and defensive measures that have been
shared with Federal entities under this section.
``(ii) Information on the use by the Center of such
information for a purpose other than a cybersecurity purpose.
``(iii) A review of the type of information shared with the
Center under this section.
``(iv) A review of the actions taken by the Center based on
such information.
``(v) The appropriate metrics that exist to determine the
impact, if any, on privacy and civil liberties as a result of
the sharing of such information with the Center.
``(vi) A list of other Federal agencies receiving such
information.
``(vii) A review of the sharing of such information within
the Federal Government to identify inappropriate stove piping
of such information.
``(viii) Any recommendations of the Inspector General of
the Department for improvements or modifications to
information sharing under this section.
``(D) Privacy and civil liberties officers report.--The
Chief Privacy Officer and the Chief Civil Rights and Civil
Liberties Officer of the Department, in consultation with the
Privacy and Civil Liberties Oversight Board, the Inspector
General of the Department, and the senior privacy and civil
liberties officer of each Federal agency that receives cyber
threat indicators and defensive measures shared with the
Center under this section, shall biennially submit to the
appropriate congressional committees a report assessing the
privacy and civil liberties impact of the activities under
this paragraph. Each such report shall include any
recommendations the Chief Privacy Officer and the Chief Civil
Rights and Civil Liberties Officer of the Department consider
appropriate to minimize or mitigate the privacy and civil
liberties impact of the sharing of cyber threat indicators
and defensive measures under this section.
``(E) Form.--Each report required under paragraphs (C) and
(D) shall be submitted in unclassified form, but may include
a classified annex.
``(7) Uses and protection of information.--
``(A) Non-federal entities.--A non-Federal entity, not
including a State, local, or tribal government, that shares
cyber threat indicators or defensive measures through the
Center or otherwise under this section--
``(i) may use, retain, or further disclose such cyber
threat indicators or defensive measures solely for
cybersecurity purposes;
``(ii) shall, prior to such sharing, take reasonable
efforts to remove information that can be used to identify
specific persons and is reasonably believed at the time of
sharing to be unrelated to a cybersecurity risk or incident,
and to safeguard information that can be used to identify
specific persons from unintended disclosure or unauthorized
access or acquisition;
``(iii) shall comply with appropriate restrictions that a
Federal entity or non-Federal entity places on the subsequent
disclosure or retention of cyber threat indicators and
defensive measures that it discloses to other Federal
entities or non-Federal entities;
[[Page H2431]]
``(iv) shall be deemed to have voluntarily shared such
cyber threat indicators or defensive measures;
``(v) shall implement and utilize a security control to
protect against unauthorized access to or acquisition of such
cyber threat indicators or defensive measures; and
``(vi) may not use such information to gain an unfair
competitive advantage to the detriment of any non-Federal
entity.
``(B) Federal entities.--
``(i) Uses of information.--A Federal entity that receives
cyber threat indicators or defensive measures shared through
the Center or otherwise under this section from another
Federal entity or a non-Federal entity--
``(I) may use, retain, or further disclose such cyber
threat indicators or defensive measures solely for
cybersecurity purposes;
``(II) shall, prior to such sharing, take reasonable
efforts to remove information that can be used to identify
specific persons and is reasonably believed at the time of
sharing to be unrelated to a cybersecurity risk or incident,
and to safeguard information that can be used to identify
specific persons from unintended disclosure or unauthorized
access or acquisition;
``(III) shall be deemed to have voluntarily shared such
cyber threat indicators or defensive measures;
``(IV) shall implement and utilize a security control to
protect against unauthorized access to or acquisition of such
cyber threat indicators or defensive measures; and
``(V) may not use such cyber threat indicators or defensive
measures to engage in surveillance or other collection
activities for the purpose of tracking an individual's
personally identifiable information.
``(ii) Protections for information.--The cyber threat
indicators and defensive measures referred to in clause (i)--
``(I) are exempt from disclosure under section 552 of title
5, United States Code, and withheld, without discretion, from
the public under subsection (b)(3)(B) of such section;
``(II) may not be used by the Federal Government for
regulatory purposes;
``(III) may not constitute a waiver of any applicable
privilege or protection provided by law, including trade
secret protection;
``(IV) shall be considered the commercial, financial, and
proprietary information of the non-Federal entity referred to
in clause (i) when so designated by such non-Federal entity;
and
``(V) may not be subject to a rule of any Federal entity or
any judicial doctrine regarding ex parte communications with
a decisionmaking official.
``(C) State, local, or tribal government.--
``(i) Uses of information.--A State, local, or tribal
government that receives cyber threat indicators or defensive
measures from the Center from a Federal entity or a non-
Federal entity--
``(I) may use, retain, or further disclose such cyber
threat indicators or defensive measures solely for
cybersecurity purposes;
``(II) shall, prior to such sharing, take reasonable
efforts to remove information that can be used to identify
specific persons and is reasonably believed at the time of
sharing to be unrelated to a cybersecurity risk or incident,
and to safeguard information that can be used to identify
specific persons from unintended disclosure or unauthorized
access or acquisition;
``(III) shall consider such information the commercial,
financial, and proprietary information of such Federal entity
or non-Federal entity if so designated by such Federal entity
or non-Federal entity;
``(IV) shall be deemed to have voluntarily shared such
cyber threat indicators or defensive measures; and
``(V) shall implement and utilize a security control to
protect against unauthorized access to or acquisition of such
cyber threat indicators or defensive measures.
``(ii) Protections for information.--The cyber threat
indicators and defensive measures referred to in clause (i)--
``(I) shall be exempt from disclosure under any State,
local, or tribal law or regulation that requires public
disclosure of information or records by a public or quasi-
public entity; and
``(II) may not be used by any State, local, or tribal
government to regulate a lawful activity of a non-Federal
entity.
``(8) Liability exemptions.--
``(A) Network awareness.--No cause of action shall lie or
be maintained in any court, and such action shall be promptly
dismissed, against any non-Federal entity that, for
cybersecurity purposes, conducts network awareness under
paragraph (4), if such network awareness is conducted in
accordance with such paragraph and this section.
``(B) Information sharing.--No cause of action shall lie or
be maintained in any court, and such action shall be promptly
dismissed, against any non-Federal entity that, for
cybersecurity purposes, shares cyber threat indicators or
defensive measures under paragraph (3), or fails to act based
on such sharing, if such sharing is conducted in accordance
with such paragraph and this section.
``(C) Willful misconduct.--
``(i) Rule of construction.--Nothing in this section may be
construed to--
``(I) require dismissal of a cause of action against a non-
Federal entity that has engaged in willful misconduct in the
course of conducting activities authorized by this section;
or
``(II) undermine or limit the availability of otherwise
applicable common law or statutory defenses.
``(ii) Proof of willful misconduct.--In any action claiming
that subparagraph (A) or (B) does not apply due to willful
misconduct described in clause (i), the plaintiff shall have
the burden of proving by clear and convincing evidence the
willful misconduct by each non-Federal entity subject to such
claim and that such willful misconduct proximately caused
injury to the plaintiff.
``(iii) Willful misconduct defined.--In this subsection,
the term `willful misconduct' means an act or omission that
is taken--
``(I) intentionally to achieve a wrongful purpose;
``(II) knowingly without legal or factual justification;
and
``(III) in disregard of a known or obvious risk that is so
great as to make it highly probable that the harm will
outweigh the benefit.
``(D) Exclusion.--The term `non-Federal entity' as used in
this paragraph shall not include a State, local, or tribal
government.
``(9) Federal government liability for violations of
restrictions on the use and protection of voluntarily shared
information.--
``(A) In general.--If a department or agency of the Federal
Government intentionally or willfully violates the
restrictions specified in paragraph (3), (6), or (7)(B) on
the use and protection of voluntarily shared cyber threat
indicators or defensive measures, or any other provision of
this section, the Federal Government shall be liable to a
person injured by such violation in an amount equal to the
sum of--
``(i) the actual damages sustained by such person as a
result of such violation or $1,000, whichever is greater; and
``(ii) reasonable attorney fees as determined by the court
and other litigation costs reasonably occurred in any case
under this subsection in which the complainant has
substantially prevailed.
``(B) Venue.--An action to enforce liability under this
subsection may be brought in the district court of the United
States in--
``(i) the district in which the complainant resides;
``(ii) the district in which the principal place of
business of the complainant is located;
``(iii) the district in which the department or agency of
the Federal Government that disclosed the information is
located; or
``(iv) the District of Columbia.
``(C) Statute of limitations.--No action shall lie under
this subsection unless such action is commenced not later
than two years after the date of the violation of any
restriction specified in paragraph (3), (6), or 7(B), or any
other provision of this section, that is the basis for such
action.
``(D) Exclusive cause of action.--A cause of action under
this subsection shall be the exclusive means available to a
complainant seeking a remedy for a violation of any
restriction specified in paragraph (3), (6), or 7(B) or any
other provision of this section.
``(10) Anti-trust exemption.--
``(A) In general.--Except as provided in subparagraph (C),
it shall not be considered a violation of any provision of
antitrust laws for two or more non-Federal entities to share
a cyber threat indicator or defensive measure, or assistance
relating to the prevention, investigation, or mitigation of a
cybersecurity risk or incident, for cybersecurity purposes
under this Act.
``(B) Applicability.--Subparagraph (A) shall apply only to
information that is shared or assistance that is provided in
order to assist with--
``(i) facilitating the prevention, investigation, or
mitigation of a cybersecurity risk or incident to an
information system or information that is stored on,
processed by, or transiting an information system; or
``(ii) communicating or disclosing a cyber threat indicator
or defensive measure to help prevent, investigate, or
mitigate the effect of a cybersecurity risk or incident to an
information system or information that is stored on,
processed by, or transiting an information system.
``(C) Prohibited conduct.--Nothing in this section may be
construed to permit price-fixing, allocating a market between
competitors, monopolizing or attempting to monopolize a
market, or exchanges of price or cost information, customer
lists, or information regarding future competitive planning.
``(11) Construction and preemption.--
``(A) Otherwise lawful disclosures.--Nothing in this
section may be construed to limit or prohibit otherwise
lawful disclosures of communications, records, or other
information, including reporting of known or suspected
criminal activity or participating voluntarily or under legal
requirement in an investigation, by a non-Federal to any
other non-Federal entity or Federal entity under this
section.
``(B) Whistle blower protections.--Nothing in this section
may be construed to prohibit or limit the disclosure of
information protected under section 2302(b)(8) of title 5,
United States Code (governing disclosures of illegality,
waste, fraud, abuse, or public health or safety threats),
section 7211 of title 5, United States Code (governing
disclosures to Congress), section 1034 of title 10, United
States Code (governing disclosure to Congress by members of
the military), section 1104 of the National Security Act of
1947 (50 U.S.C. 3234) (governing disclosure by employees of
elements of the intelligence community), or any similar
provision of Federal or State law.
``(C) Relationship to other laws.--Nothing in this section
may be construed to affect any requirement under any other
provision of law for a non-Federal entity to provide
information to a Federal entity.
``(D) Preservation of contractual obligations and rights.--
Nothing in this section may be construed to--
``(i) amend, repeal, or supersede any current or future
contractual agreement, terms of service agreement, or other
contractual relationship between any non-Federal entities, or
between any non-Federal entity and a Federal entity; or
``(ii) abrogate trade secret or intellectual property
rights of any non-Federal entity or Federal entity.
``(E) Anti-tasking restriction.--Nothing in this section
may be construed to permit a Federal entity to--
[[Page H2432]]
``(i) require a non-Federal entity to provide information
to a Federal entity;
``(ii) condition the sharing of cyber threat indicators or
defensive measures with a non-Federal entity on such non-
Federal entity's provision of cyber threat indicators or
defensive measures to a Federal entity; or
``(iii) condition the award of any Federal grant, contract,
or purchase on the sharing of cyber threat indicators or
defensive measures with a Federal entity.
``(F) No liability for non-participation.--Nothing in this
section may be construed to subject any non-Federal entity to
liability for choosing to not engage in the voluntary
activities authorized under this section.
``(G) Use and retention of information.--Nothing in this
section may be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
Government to retain or use any information shared under this
section for any use other than permitted in this section.
``(H) Voluntary sharing.--Nothing in this section may be
construed to restrict or condition a non-Federal entity from
sharing, for cybersecurity purposes, cyber threat indicators,
defensive measures, or information related to cybersecurity
risks or incidents with any other non-Federal entity, and
nothing in this section may be construed as requiring any
non-Federal entity to share cyber threat indicators,
defensive measures, or information related to cybersecurity
risks or incidents with the Center.
``(I) Federal preemption.--This section supersedes any
statute or other provision of law of a State or political
subdivision of a State that restricts or otherwise expressly
regulates an activity authorized under this section.
``(j) Direct Reporting.--The Secretary shall develop
policies and procedures for direct reporting to the Secretary
by the Director of the Center regarding significant
cybersecurity risks and incidents.
``(k) Additional Responsibilities.--The Secretary shall
build upon existing mechanisms to promote a national
awareness effort to educate the general public on the
importance of securing information systems.
``(l) Reports on International Cooperation.--Not later than
180 days after the date of the enactment of this subsection
and periodically thereafter, the Secretary of Homeland
Security shall submit to the Committee on Homeland Security
of the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a report on
the range of efforts underway to bolster cybersecurity
collaboration with relevant international partners in
accordance with subsection (c)(8).
``(m) Outreach.--Not later than 60 days after the date of
the enactment of this subsection, the Secretary, acting
through the Under Secretary for Cybersecurity and
Infrastructure Protection, shall--
``(1) disseminate to the public information about how to
voluntarily share cyber threat indicators and defensive
measures with the Center; and
``(2) enhance outreach to critical infrastructure owners
and operators for purposes of such sharing.''.
SEC. 4. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS.
Section 212 of the Homeland Security Act of 2002 (6 U.S.C.
131) is amended--
(1) in paragraph (5)--
(A) in subparagraph (A)--
(i) by inserting ``information related to cybersecurity
risks and incidents and'' after ``critical infrastructure
information''; and
(ii) by striking ``related to critical infrastructure'' and
inserting ``related to cybersecurity risks, incidents,
critical infrastructure, and'';
(B) in subparagraph (B)--
(i) by striking ``disclosing critical infrastructure
information'' and inserting ``disclosing cybersecurity risks,
incidents, and critical infrastructure information''; and
(ii) by striking ``related to critical infrastructure or''
and inserting ``related to cybersecurity risks, incidents,
critical infrastructure, or'' and
(C) in subparagraph (C), by striking ``disseminating
critical infrastructure information'' and inserting
``disseminating cybersecurity risks, incidents, and critical
infrastructure information''; and
(2) by adding at the end the following new paragraph:
``(8) Cybersecurity risk; incident.--The terms
`cybersecurity risk' and `incident' have the meanings given
such terms in the second section 226 (relating to the
National Cybersecurity and Communications Integration
Center).''.
SEC. 5. STREAMLINING OF DEPARTMENT OF HOMELAND SECURITY
CYBERSECURITY AND INFRASTRUCTURE PROTECTION
ORGANIZATION.
(a) Cybersecurity and Infrastructure Protection.--The
National Protection and Programs Directorate of the
Department of Homeland Security shall, after the date of the
enactment of this Act, be known and designated as the
``Cybersecurity and Infrastructure Protection''. Any
reference to the National Protection and Programs Directorate
of the Department in any law, regulation, map, document,
record, or other paper of the United States shall be deemed
to be a reference to the Cybersecurity and Infrastructure
Protection of the Department.
(b) Senior Leadership of Cybersecurity and Infrastructure
Protection.--
(1) In general.--Subsection (a) of section 103 of the
Homeland Security Act of 2002 (6 U.S.C. 113) is amended--
(A) in paragraph (1)--
(i) by amending subparagraph (H) to read as follows:
``(H) An Under Secretary for Cybersecurity and
Infrastructure Protection.''; and
(ii) by adding at the end the following new subparagraphs:
``(K) A Deputy Under Secretary for Cybersecurity.
``(L) A Deputy Under Secretary for Infrastructure
Protection.''; and
(B) by adding at the end the following new paragraph:
``(3) Deputy under secretaries.--The Deputy Under
Secretaries referred to in subparagraphs (K) and (L) of
paragraph (1) shall be appointed by the President without the
advice and consent of the Senate.''.
(2) Continuation in office.--The individuals who hold the
positions referred in subparagraphs (H), (K), and (L) of
paragraph (1) of section 103(a) the Homeland Security Act of
2002 (as amended and added by paragraph (1) of this
subsection) as of the date of the enactment of this Act may
continue to hold such positions.
(c) Report.--Not later than 90 days after the date of the
enactment of this Act, the Under Secretary for Cybersecurity
and Infrastructure Protection of the Department of Homeland
Security shall submit to the Committee on Homeland Security
of the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a report on
the feasibility of becoming an operational component,
including an analysis of alternatives, and if a determination
is rendered that becoming an operational component is the
best option for achieving the mission of Cybersecurity and
Infrastructure Protection, a legislative proposal and
implementation plan for becoming such an operational
component. Such report shall also include plans to more
effectively carry out the cybersecurity mission of
Cybersecurity and Infrastructure Protection, including
expediting information sharing agreements.
SEC. 6. CYBER INCIDENT RESPONSE PLANS.
(a) In General.--Section 227 of the Homeland Security Act
of 2002 (6 U.S.C. 149) is amended--
(1) in the heading, by striking ``plan'' and inserting
``plans'';
(2) by striking ``The Under Secretary appointed under
section 103(a)(1)(H) shall'' and inserting the following:
``(a) In General.--The Under Secretary for Cybersecurity
and Infrastructure Protection shall''; and
(3) by adding at the end the following new subsection:
``(b) Updates to the Cyber Incident Annex to the National
Response Framework.--The Secretary, in coordination with the
heads of other appropriate Federal departments and agencies,
and in accordance with the National Cybersecurity Incident
Response Plan required under subsection (a), shall regularly
update, maintain, and exercise the Cyber Incident Annex to
the National Response Framework of the Department.''.
(b) Clerical Amendment.--The table of contents of the
Homeland Security Act of 2002 is amended by amending the item
relating to section 227 to read as follows:
``Sec. 227. Cyber incident response plans.''.
SEC. 7. SECURITY AND RESILIENCY OF PUBLIC SAFETY
COMMUNICATIONS; CYBERSECURITY AWARENESS
CAMPAIGN.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by
adding at the end the following new sections:
``SEC. 230. SECURITY AND RESILIENCY OF PUBLIC SAFETY
COMMUNICATIONS.
``The National Cybersecurity and Communications Integration
Center, in coordination with the Office of Emergency
Communications of the Department, shall assess and evaluate
consequence, vulnerability, and threat information regarding
cyber incidents to public safety communications to help
facilitate continuous improvements to the security and
resiliency of such communications.
``SEC. 231. CYBERSECURITY AWARENESS CAMPAIGN.
``(a) In General.--The Under Secretary for Cybersecurity
and Infrastructure Protection shall develop and implement an
ongoing and comprehensive cybersecurity awareness campaign
regarding cybersecurity risks and voluntary best practices
for mitigating and responding to such risks. Such campaign
shall, at a minimum, publish and disseminate, on an ongoing
basis, the following:
``(1) Public service announcements targeted at improving
awareness among State, local, and tribal governments, the
private sector, academia, and stakeholders in specific
audiences, including the elderly, students, small businesses,
members of the Armed Forces, and veterans.
``(2) Vendor and technology-neutral voluntary best
practices information.
``(b) Consultation.--The Under Secretary for Cybersecurity
and Infrastructure Protection shall consult with a wide range
of stakeholders in government, industry, academia, and the
non-profit community in carrying out this section.''.
(b) Clerical Amendment.--The table of contents of the
Homeland Security Act of 2002 is amended by inserting after
the item relating to section 226 (relating to cybersecurity
recruitment and retention) the following new items:
``Sec. 230. Security and resiliency of public safety communications.
``Sec. 231. Cybersecurity awareness campaign.''.
SEC. 8. CRITICAL INFRASTRUCTURE PROTECTION RESEARCH AND
DEVELOPMENT.
(a) Strategic Plan; Public-private Consortiums.--Title III
of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.)
is amended by adding at the end the following new section:
``SEC. 318. RESEARCH AND DEVELOPMENT STRATEGY FOR CRITICAL
INFRASTRUCTURE PROTECTION.
``(a) In General.--Not later than 180 days after the date
of enactment of this section, the Secretary, acting through
the Under Secretary for Science and Technology, shall submit
to
[[Page H2433]]
Congress a strategic plan to guide the overall direction of
Federal physical security and cybersecurity technology
research and development efforts for protecting critical
infrastructure, including against all threats. Such plan
shall be updated and submitted to Congress every two years.
``(b) Contents of Plan.--The strategic plan, including
biennial updates, required under subsection (a) shall include
the following:
``(1) An identification of critical infrastructure security
risks and any associated security technology gaps, that are
developed following--
``(A) consultation with stakeholders, including critical
infrastructure Sector Coordinating Councils; and
``(B) performance by the Department of a risk and gap
analysis that considers information received in such
consultations.
``(2) A set of critical infrastructure security technology
needs that--
``(A) is prioritized based on the risks and gaps identified
under paragraph (1);
``(B) emphasizes research and development of technologies
that need to be accelerated due to rapidly evolving threats
or rapidly advancing infrastructure technology; and
``(C) includes research, development, and acquisition
roadmaps with clearly defined objectives, goals, and
measures.
``(3) An identification of laboratories, facilities,
modeling, and simulation capabilities that will be required
to support the research, development, demonstration, testing,
evaluation, and acquisition of the security technologies
described in paragraph (2).
``(4) An identification of current and planned programmatic
initiatives for fostering the rapid advancement and
deployment of security technologies for critical
infrastructure protection, including a consideration of
opportunities for public-private partnerships,
intragovernment collaboration, university centers of
excellence, and national laboratory technology transfer.
``(5) A description of progress made with respect to each
critical infrastructure security risk, associated security
technology gap, and critical infrastructure technology need
identified in the preceding strategic plan required under
subsection (a).
``(c) Coordination.--In carrying out this section, the
Under Secretary for Science and Technology shall coordinate
with the Under Secretary for the National Protection and
Programs Directorate.
``(d) Consultation.--In carrying out this section, the
Under Secretary for Science and Technology shall consult
with--
``(1) critical infrastructure Sector Coordinating Councils;
``(2) to the extent practicable, subject matter experts on
critical infrastructure protection from universities,
colleges, national laboratories, and private industry;
``(3) the heads of other relevant Federal departments and
agencies that conduct research and development relating to
critical infrastructure protection; and
``(4) State, local, and tribal governments, as
appropriate.''.
(b) Clerical Amendment.--The table of contents of the
Homeland Security Act of 2002 is amended by inserting after
the item relating to section 317 the following new item:
``Sec. 318. Research and development strategy for critical
infrastructure protection.''.
SEC. 9. REPORT ON REDUCING CYBERSECURITY RISKS IN DHS DATA
CENTERS.
Not later than one year after the date of the enactment of
this Act, the Secretary of Homeland Security shall submit to
the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report on the
feasibility of the Department of Homeland Security creating
an environment for the reduction in cybersecurity risks in
Department data centers, including by increasing
compartmentalization between systems, and providing a mix of
security controls between such compartments.
SEC. 10. ASSESSMENT.
Not later than two years after the date of the enactment of
this Act, the Comptroller General of the United States shall
submit to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report that contains an
assessment of the implementation by the Secretary of Homeland
Security of this Act and the amendments made by this Act and,
to the extent practicable, findings regarding increases in
the sharing of cyber threat indicators, defensive measures,
and information relating to cybersecurity risks and incidents
at the National Cybersecurity and Communications Integration
Center and throughout the United States.
SEC. 11. CONSULTATION.
The Under Secretary for Cybersecurity and Infrastructure
Protection shall produce a report on the feasibility of
creating a risk-informed prioritization plan should multiple
critical infrastructures experience cyber incidents
simultaneously.
SEC. 12. TECHNICAL ASSISTANCE.
The Inspector General of the Department of Homeland
Security shall review the operations of the United States
Computer Emergency Readiness Team (US-CERT) and the
Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) to assess the capacity to provide technical
assistance to non-Federal entities and to adequately respond
to potential increases in requests for technical assistance.
SEC. 13. PROHIBITION ON NEW REGULATORY AUTHORITY.
Nothing in this Act or the amendments made by this Act may
be construed to grant the Secretary of Homeland Security any
authority to promulgate regulations or set standards relating
to the cybersecurity of non-Federal entities, not including
State, local, and tribal governments, that was not in effect
on the day before the date of the enactment of this Act.
SEC. 14. SUNSET.
Any requirements for reports required by this Act or the
amendments made by this Act shall terminate on the date that
is seven years after the date of the enactment of this Act.
SEC. 15. PROHIBITION ON NEW FUNDING.
No funds are authorized to be appropriated to carry out
this Act and the amendments made by this Act. This Act and
such amendments shall be carried out using amounts
appropriated or otherwise made available for such purposes.
The CHAIR. No amendment to that amendment in the nature of a
substitute shall be in order except those printed in part B of House
Report 114-88. Each such amendment may be offered only in the order
printed in the report, by a Member designated in the report, shall be
considered as read, shall be debatable for the time specified in the
report, equally divided and controlled by the proponent and an
opponent, shall not be subject to amendment, and shall not be subject
to a demand for division of the question.
{time} 1000
Amendment No. 1 Offered by Mr. McCaul
The CHAIR. It is now in order to consider amendment No. 1 printed in
part B of House Report 114-88.
Mr. McCAUL. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
In section 2, strike the following:
(a) Definitions.--
(1) In general.--Subsection (a) of the second section 226
In section 2, insert before subsection (b), the following:
(a) In General.--Subsection (a) of the second section 226
In section 2(a), redesignate proposed subparagraphs (A)
through (C) as proposed paragraphs (1) through (3),
respectively, and move such provisions two ems to the left.
Page 3, line 23, insert ``, or the purpose of identifying
the source of a cybersecurity risk or incident'' before the
semicolon at the end.
Page 5, beginning line 6, strike ``electric utility
services'' and insert ``utility services or an entity
performing utility services''.
Page 5, line 15, insert ``(including all conjugations
thereof)'' before ``means''.
Page 5, line 16, insert ``(including all conjugations of
each of such terms)'' before the first period.
Page 6, beginning line 2, strike ``striking the period at
the end and inserting `; and' '' and insert ``inserting `and'
after the semicolon at the end''.
Page 6, line 6, strike the first period and insert a
semicolon.
Page 7, line 20, insert a colon after ``paragraphs''.
Page 8, line 23, strike ``(d)'' and insert ``(d)(1)''.
Page 11, line 6, insert ``the first place it appears''
before the semicolon.
Page 14, line 25, insert ``, at the sole and unreviewable
discretion of the Secretary, acting through the Under
Secretary for Cybersecurity and Infrastructure Protection,''
after ``subsection''.
Page 15, line 8, insert ``, at the sole and unreviewable
discretion of the Secretary, acting through the Under
Secretary for Cybersecurity and Infrastructure Protection,''
after ``section''.
Page 15, line 21, insert ``at the sole and unreviewable
discretion of the Secretary, acting through the Under
Secretary for Cybersecurity and Infrastructure Protection,''
after ``Center,''.
Page 17, line 20, insert ``or exclude'' after ``remove''.
Page 17, line 23, strike ``risks'' and insert ``risk''.
Page 23, line 23, insert ``, or'' before ``that''.
Page 29, line 25, strike ``paragraphs'' and insert
``subparagraphs''.
Page 30, line 15, insert ``or exclude'' after ``remove''.
Page 32, line 4, insert ``or exclude'' after ``remove''.
Page 33, line 2, insert ``, except for purposes authorized
in this section'' before the period at the end.
Page 34, line 16, insert ``or exclude'' after ``remove''.
Page 36, line 18, insert ``in good faith'' before
``fails''.
Page 39, beginning line 19, strike ``of the violation of
any restriction specified in paragraph (3), (6), or 7(B), or
any other provision of this section, that is the basis for
such action'' and insert ``on which the cause of action
arises''.
Page 41, strike lines 5 through 11.
Page 44, line 19, strike ``(I)'' and insert ``(J)''.
Page 44, beginning line 19, insert the following:
``(I) Prohibited conduct.--Nothing in this section may be
construed to permit price-fixing, allocating a market between
competitors, monopolizing or attempting to monopolize a
market, or exchanges of price or cost information, customer
lists, or information regarding future competitive
planning.''.
[[Page H2434]]
Page 46, line 7, insert ``and'' before ``information''.
Page 48, lines 9 through 10, move the proposed subparagraph
(H) two ems to the left.
Page 48, lines 13 through 16, move the proposed
subparagraphs (K) and (L) two ems to the left.
The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas
(Mr. McCaul) and a Member opposed each will control 5 minutes.
The Chair recognizes the gentleman from Texas.
Mr. McCAUL. Mr. Chairman, I yield myself such time as I may consume.
The manager's amendment to H.R. 1731 further clarifies the intent of
several important provisions of the bill. These modifications were made
in consultation with privacy groups, industry leaders, and both the
House Intelligence Committee and House Judiciary Committee.
Among the more notable changes made are: the expansion of protections
for personally identifiable information to include the ``exclusion'' of
information and not just the ``removal'' of information, a modification
to clarify that the use of cyber threat indicators and defensive
measures is limited to the purposes authorized in the bill only, and
clarifying language to say that identifying the origin of a
cybersecurity threat is a valid ``cybersecurity purpose.''
Each of these changes, along with the others made in the manager's
amendment, strengthen the bill and further support the committee's
mission to help protect America's networks and systems from cyber
attacks while, at the same time, ensuring that an individual's private
information enjoys robust protection as well.
Mr. Chairman, I yield back the balance of my time.
Mr. THOMPSON of Mississippi. Mr. Chairman, I claim the time in
opposition, although I am not opposed to the amendment.
The CHAIR. Without objection, the gentleman is recognized for 5
minutes.
There was no objection.
Mr. THOMPSON of Mississippi. Mr. Chairman, the McCaul amendment makes
several technical and clarifying changes to H.R. 1731 to reflect
feedback from committee Democrats, Department of Homeland Security, and
stakeholders.
Last week during committee consideration, the gentleman from
Louisiana, Representative Richmond, offered an amendment to refine the
2-year statute of limitations on citizen suits against the Federal
Government for privacy violations. The underlying bill requires the
clock to toll from the date when the government violated the citizen's
privacy. The likelihood that a citizen will know the exact date when
the personal information was mishandled is pretty remote. As such,
Democrats argue that the provision was tantamount to giving the Federal
Government a free pass to violate the privacy protections under this
act.
I am pleased to see that the gentleman from Texas, Chairman McCaul,
has listened to Democrats' concerns and has the amendment adjust the
language, though it could use further refinement.
I am also pleased that the amendment clarifies that all public
utilities--not just electric utilities--are covered under this bill.
The changes to the underlying bill that this amendment would make are
in line with our shared goals of bolstering cybersecurity and improving
the quality of information that the private sector receives about
timely cyber threats. Accordingly, I support the McCaul amendment.
I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the gentleman
from Texas (Mr. McCaul).
The amendment was agreed to.
Amendment No. 2 Offered by Mr. Ratcliffe
The CHAIR. It is now in order to consider amendment No. 2 printed in
part B of House Report 114-88.
Mr. RATCLIFFE. Mr. Chairman, I rise as the designee of the gentleman
from New York (Mr. Katko) to offer amendment No. 2.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Page 1, line 12, insert the following (and redesignate
subsequent subparagraphs accordingly):
(A) by amending paragraph (2) to read as follows:
``(2) the term `incident' means an occurrence that actually
or imminently jeopardizes, without lawful authority, the
integrity, confidentiality, or availability of information on
an information system, or actually or imminently jeopardizes,
without lawful authority, an information system;''.
The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas
(Mr. Ratcliffe) and a Member opposed each will control 5 minutes.
The Chair recognizes the gentleman from Texas.
Mr. RATCLIFFE. Mr. Chairman, I rise today in support of amendment No.
2. This is a bipartisan amendment that will help clarify language in
both the Homeland Security Act and this bill.
This amendment narrows the definition of the word ``incident'' to
ensure that a cybersecurity incident is limited to actions taken
against an information system or information stored on that system.
This amendment, Mr. Chairman, ensures that information shared with the
NCCIC or other private entities is limited to threats and actions
against information systems and information stored on that system.
Mr. McCAUL. Will the gentleman yield?
Mr. RATCLIFFE. I yield to the gentleman from Texas.
Mr. McCAUL. Mr. Chairman, I support this bipartisan language that
will help clarify language in both the Homeland Security Act and this
bill by narrowing the definition of the word ``incident'' to ensure
that a cybersecurity incident is limited to actions taken against an
information system or information stored on that system.
This amendment ensures that information shared with the NCCIC or
other private entities is limited to threats to and actions against
information systems and information stored on that system.
I also want to thank the gentleman from California (Mr. McClintock)
for being a leader on this issue and for calling this loophole, if you
will, to the attention of the committee to make this a stronger bill on
this floor.
Mr. RATCLIFFE. I yield back the balance of my time.
Mr. RICHMOND. Mr. Chairman, I claim the time in opposition, although
I am not opposed to the amendment.
The CHAIR. Without objection, the gentleman from Louisiana is
recognized for 5 minutes.
There was no objection.
Mr. RICHMOND. Mr. Chairman, I support this amendment to make an
important change to a definition in the act and the law.
A strength of this bill acknowledged by some in the privacy community
are the limitations that the bill places on the authorizations for
sharing and network monitoring. These activities can only be carried
out for a ``cybersecurity purpose.'' Among other things, this
limitation is intended to ensure that information is not shared for
surveillance or law enforcement purposes and the authorization for
network monitoring is not exploited by an overzealous employer who
wants to track his employees' every move on the Internet.
However, because of the broadness of a term within the definition of
``cybersecurity purpose,'' it came to light that the language could be
interpreted far more expansively than intended.
I commend the gentleman from New York (Mr. Katko) and the gentleman
from Texas (Mr. Ratcliffe), who is now offering the amendment, for
tightening up the definition of ``incident'' in this bill and the
underlying law.
We use our smartphones, tablets, and computers for all manner of
things, from setting up doctor appointments to buying groceries or
ordering books. It is important that, even as we seek to bolster
cybersecurity, we do not lose sight of the need to protect the privacy
interest of ordinary Americans. That is why I support the Ratcliffe
amendment. It will ensure that, in practice, the activities undertaken
in this bill are limited to protecting networks and the data on them.
I urge an ``aye'' vote on this amendment, and I yield back the
balance of my time.
The CHAIR. The question is on the amendment offered by the gentleman
from Texas (Mr. Ratcliffe).
The amendment was agreed to.
Amendment No. 3 Offered by Mr. Langevin
The CHAIR. It is now in order to consider amendment No. 3 printed in
part B of House Report 114-88.
Mr. LANGEVIN. Mr. Chairman, I have an amendment at the desk.
[[Page H2435]]
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
In section 2(a)(1), redesignate subparagraphs (A) and (B)
as subparagraphs (B) and (C), respectively.
In section 2(a)(1), insert before subparagraph (B), as so
redesignated, the following:
(A) by amending paragraph (1) to read as follows:
``(1)(A) except as provided in subparagraph (B), the term
`cybersecurity risk' means threats to and vulnerabilities of
information or information systems and any related
consequences caused by or resulting from unauthorized access,
use, disclosure, degradation, disruption, modification, or
destruction of such information or information systems,
including such related consequences caused by an act of
terrorism;
``(B) such term does not include any action that solely
involves a violation of a consumer term of service or a
consumer licensing agreement;''.
The CHAIR. Pursuant to House Resolution 212, the gentleman from Rhode
Island (Mr. Langevin) and a Member opposed each will control 5 minutes.
The Chair recognizes the gentleman from Rhode Island.
Mr. LANGEVIN. Mr. Chairman, the amendment that I am offering makes a
fine bill even better. It clarifies that the definition of
``cybersecurity risk''--and, by extension, the definition of
``cybersecurity purpose''--does not apply to actions that solely
involve the violation of consumer terms of service or consumer
licensing agreements.
This is a small but important change that will protect Americans'
privacy and ensure that white hat security researchers are not
inadvertently monitored. The cyber threat data that will help turn the
tide against malicious actors are security vulnerabilities, attack
vectors, and indicators of compromise. What will not help is knowing
that a consumer has violated a Byzantine terms of service agreement or
that a researcher is testing software for exploitable bugs that he or
she will then share with the security community.
While not every terms of service violation is well-meaning or born of
ignorance, there is no doubt in my mind that the existing body of
contract law is more than capable of facilitating dispute resolution in
these cases.
The exclusion my amendment proposes is not new to this floor. Both
the 2012 and the 2013 versions of CISPA, which I worked on very closely
while a member of the House Intelligence Committee, contained similar
exclusions, and the Protecting Cyber Networks Act that passed the House
yesterday also includes this language. The amendment also makes clear
that the exclusion applies only for actions that solely violate terms
of service. An action that disrupted an information system in addition
to being a violation of terms of service would still constitute a
cybersecurity risk.
Trust is the fundamental element of any information-sharing regime.
The bill that we are considering is designed to build that trust by
limiting the use of information shared to cybersecurity purposes and
ensuring that indicators are scrubbed of any personal information
before sharing. My amendment strengthens that trust by making it clear
that our focus is on the many real cyber threats out there, not on
consumers and researchers.
I would like to again express my deep thanks to the chairman of the
committee, Mr. McCaul, for his steadfast dedication on the issue of
cybersecurity, and I would like to particularly thank his staff for
working with us on this amendment.
The chairman and the Democratic ranking member, Mr. Thompson, have
done this body proud, and I certainly urge the adoption of my amendment
and the underlying bill.
With that, I reserve the balance of my time.
Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time
in opposition, though I am not opposed to the amendment.
The CHAIR. Is there objection to the request of the gentleman from
Texas?
There was no objection.
The CHAIR. The gentleman is recognized for 5 minutes.
Mr. McCAUL. Mr. Chairman, I support this amendment, which would
clarify that the term ``cybersecurity risk'' does not apply to actions
solely involving violations of consumer terms of service or consumer
licensing agreements.
This amendment will protect consumers from having information shared
with the government due to a minor or unwitting violation of the terms
of service, such as a violation of one's Apple iTunes agreement, which
my teenage daughters would appreciate.
This amendment and this bill are meant to enhance the sharing of
cybersecurity information within the government and the public. In
order to promote voluntary sharing, the public needs to feel confident
that the sole act of violating a terms of service or licensing
agreement won't be shared with the NCCIC and that this bill is not a
tool to enforce violations regarding terms of service or licensing
agreements. These violations have robust legal remedies in place and
should be handled through those channels.
I think this strengthens the bill, and I appreciate the gentleman's
amendment to do so. I support this amendment.
I reserve the balance of my time.
Mr. LANGEVIN. I thank the chairman for his kind words of support.
As many in this Chamber know, Chairman McCaul and I have a long
history on the issue of cybersecurity, from our time as co-chairs of
the Commission on Cybersecurity for the 44th Presidency to our current
roles as the cofounders and co-chairs of the Congressional
Cybersecurity Caucus, along with a variety of other collaborations that
he and I have engaged in.
{time} 1015
Mr. McCAUL. Will the gentleman yield?
Mr. LANGEVIN. I yield to the gentleman from Texas.
Mr. McCAUL. I thank the gentleman for yielding. I would just like to
highlight for all my colleagues the great work that we do in the
Cybersecurity Caucus with my good friend and colleague from Rhode
Island. The briefings we host every few weeks bring some of the
brightest minds in both government and the private sector to the Hill
to educate Members and staff on this national security issue.
When we first started the caucus in 2008, cyber was a topic very few
Members knew anything about. It wasn't really cool to know about
cybersecurity. We have made great progress, I believe, the gentleman
and I, since that time in raising the level of debate, engagement,
awareness, and education with the Members on this critical subject.
I hope that the Members and the staff will continue to take advantage
of the opportunities afforded by our caucus as our lives become even
more interconnected in cyberspace. I think this issue has never been
more relevant and more of a threat, quite frankly, than it is today.
Mr. LANGEVIN. I thank the chairman.
I am fond of saying that cybersecurity is not a problem to be solved
but a challenge to be managed. I thank the chairman for his
collaboration and his leadership on this issue, along with Ranking
Member Thompson. I certainly look forward to the caucus' continuing
contributions to the discussion.
Ms. LOFGREN. Will the gentleman yield?
Mr. LANGEVIN. I yield to the gentlewoman from California.
Ms. LOFGREN. I thank the gentleman for yielding.
I would just like to thank him for his amendment. It prevents this
bill from becoming like the CFAA, which treats noncriminal activity as
something wrong. This and the Katko-Lofgren amendment that preceded it
narrow the bill, and both deserve support. I thank the gentleman for
yielding and his amendment.
Mr. LANGEVIN. I thank the gentlewoman for her comments and for her
support.
With that, Mr. Chairman, I urge adoption of the amendment, and I
yield back the balance of my time.
Mr. McCAUL. Mr. Chairman, I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the gentleman
from Rhode Island (Mr. Langevin).
The amendment was agreed to.
Amendment No. 4 Offered by Ms. Jackson Lee
The CHAIR. It is now in order to consider amendment No. 4 printed in
part B of House Report 114-88.
Ms. JACKSON LEE. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
[[Page H2436]]
The text of the amendment is as follows:
Page 10, line 11, strike ``and'' at the end.
Page 10, line 16, insert ``and'' after the semicolon.
Page 10, beginning line 17, insert the following:
``(vi) remains current on industrial control system
innovation; industry adoption of new technologies, and
industry best practices;''.
The CHAIR. Pursuant to House Resolution 212, the gentlewoman from
Texas (Ms. Jackson Lee) and a Member opposed each will control 5
minutes.
The Chair recognizes the gentlewoman from Texas.
Ms. JACKSON LEE. Mr. Chairman, let me express my appreciation to the
chairman and ranking member of the full committee. Again, they have
shown the kind of leadership that the Nation needs on dealing with
homeland security. My particular appreciation to the chairman and
ranking member of the Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, as they have worked together and
presented legislation that provided a very vigorous debate in the
subcommittee and the full committee.
We believe that we are making enormous leaps and bounds. We are not
where we need to be, but we are making leaps and bounds on the whole
question of cybersecurity.
Over the last couple of years, Mr. Chairman, even someone just
reaching kindergarten understands hacking, understands the collapse
that we have seen in the variety of major retail entities and banking
entities, and they recognize that we have a new lingo but a new
problem.
Frankly, almost maybe 10 years ago, or maybe somewhere around 7 years
ago, as the infrastructure of the United States was under
transportation security, we made the note that 85 percent of the
Nation's cyber is in the private sector. This legislation is a real
approach. The National Cybersecurity Protection Advancement Act of 2015
clearly puts the Department of Homeland Security where it needs to be
and provides the National Cybersecurity and Communications Integration
Center as the anchor of the information coming into the Federal
Government and the vetting entity where Americans can feel that their
data can be protected and our civil liberties are protected.
Mr. Chairman, my amendment deals with the industrial control systems.
All of us know them. I have been to water systems and seen the impact
that a cyber attack could have; the electric grid, all of these are in
the eye of the storm, and they are in private hands. Attacks against
industrial control systems doubled last year, according to a new report
from Dell.
``We have over a million firewalls sending data to us on a minute-by-
minute basis,'' said John Gordineer, director of product marketing for
network security at Dell.
Gordineer said:
We anonymize the data and see interesting trends. In
particular, attacks specifically targeting SCADA industrial
control systems rose 100 percent in 2014 compared to the
previous year--2014.
Countries most affected were Finland, the U.K., and, yes, the United
States of America. The most common attack vector against these systems
were buffer overflow attacks.
The underlying premise of my amendment, the public benefit of this
amendment, is that taxpayer dollars provided to ensure cybersecurity of
public and private computer networks will focus on real-world
applications that reflect how businesses and industries function.
So I thank both my colleagues for it. This amendment, in particular,
will be an important addition to the legislation, which I believe can
be supported by every Member. The amendment states that the Department
of Homeland Security, in carrying out the functions authorized under
this bill, remain current on industrial control system innovation,
industry adoption of new technologies, and industry best practices.
Industrial control systems are rarely thought of as long as they work
as designed. Industrial control systems are used to deliver utility
services to homes and businesses, add precision and speed to
manufacturing, and process our foods into finished products. Industrial
control systems are responsible for the lights that brighten our
cities; for the clean drinking water, which I indicated many of us
visited these systems; of the sewage; of automobiles that travel our
highways; and the rows upon rows of foods that fill our shelves at
grocery stores.
We only need to look recently at a contamination of ice cream across
the Nation to know that industrial control systems are extremely
important. They are also used in large-scale manufacturing. A day does
not pass in this country when citizens' lives are not impacted.
So, Mr. Chairman, I am asking my colleagues to recognize that we are
in control, but the industrial control systems may, in fact, control
our daily lives. My amendment is asking that the Department of Homeland
Security, in carrying out its function authorized under this bill,
remain current on industrial control system innovation, industry
adoption of new technologies, and industry best practices.
I ask my colleagues, as I ask to put my entire statement into the
Record--it lists a whole litany of the private sector infrastructure
dealing with industrial control. I am hoping that my amendment will be
passed in order to ensure that all aspects of our cyber world are
protected for the American people.
Mr. Chair, I thank Chairman McCaul and Ranking Member Thompson for
their bipartisanship in bringing H.R. 1731, the ``National
Cybersecurity Protection Advancement Act of 2015'' before the House for
consideration.
As a senior member of the House Committee on Homeland Security, I am
dedicated to protecting our nation from threats posed by terrorists or
others who would wish to do our Nation harm.
This is the first of 3 Jackson Lee amendments that will be considered
for H.R. 1731, the ``National Cybersecurity Protection Advancement Act
of 2015.''
Jackson Lee Amendment No. 4 is simple and will be an important
addition to the legislation, which I believe can be supported by every
Member of the House.
The Jackson Lee amendment states that the Department of Homeland
Security, in carrying out the functions authorized under this bill,
will remain current on industrial control system innovation, industry
adoption of new technologies, and industry best practices.
Industrial control systems are rarely thought of as long as they work
as designed.
Industrial control systems are used to: deliver utility services to
homes and businesses; add precision and speed to manufacturing; and
process raw foods into finished products.
Industrial control systems are responsible for the lights that
brighten our cities at night; the clean drinking water that flows from
faucets in our homes; automobiles that travel our highways; and the
rows upon rows of foods that fill the shelves of grocery stores.
Industrial control systems are also used in large-scale manufacturing
of home appliances, medicines, and products large and small that are
found in our homes and offices.
A day does not pass in this country when citizens' lives are not
touched by the output of industrial control systems.
The critical importance electricity; water, natural gas, and other
utility services are all provided by industrial control systems.
Industrial control systems help keep the cost of everyday consumer
products low, and they are essential to meeting consumer demand for
goods and services.
Industrial control systems undergo constant improvements as owners
and operators work to address vulnerabilities and improve efficiency.
Innovation is occurring rapidly in industrial control systems.
All industrial control systems have one thing in common--they require
computer software, firmware, and hardware.
In its wisdom, the Committee on Homeland Security incorporated
industrial control systems in its cybersecurity legislation, because
industrial control systems are vulnerable to computer errors,
accidents, and cybersecurity threats.
Coupled with the cybersecurity challenges of industrial control
systems is the rapid pace of innovation.
For example, a new innovation being adopted by industrial control
systems involves 3-Dimential or 3-D printing.
3-D printing involves scanning a physical object with a printer made
of a high-power laser that fuses small particles of plastic, metal,
ceramic, or glass powders into the object's size and shape.
According to PricewaterhouseCoopers, the 3-D printing of jet engine
parts to coffee mugs is possible.
3-D printing has the potential to shrink supply chains, save product
development times, and increase customization of products.
3-D printing is not the only innovation that will impact industrial
control systems.
[[Page H2437]]
Electricity delivery depends on industrial control systems.
The biggest innovation in electricity delivery is the smart grid,
which is quickly replacing old electricity delivery and metering
technology in cities across the Nation.
The term ``smart grid'' encompasses a host of inter-related
technologies rapidly moving into public use to reduce or better manage
electricity consumption.
Smart grid systems can aid electricity service providers, users, or
third-party electricity usage management service providers to monitor
and control electricity use.
The smart grid is also making it possible to more efficiently manage
the flow of electricity to residential and industrial consumers.
Electric utility meters that were once read once a month are being
replaced by smart meters that can be read remotely using smart grid
communication systems every 15 minutes or less.
The smart grid is capable of monitoring the consumption of
electricity down to the individual residential or commercial property.
DHS should remain current as innovations like 3-D printing and smart
grid technologies are introduced to industrial control systems.
This Jackson Lee amendment is a good contribution to H.R. 1731.
I request support of this amendment by my colleagues on both sides of
the aisle.
With that, Mr. Chairman, I yield back the balance of my time.
Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time
in opposition, though I am not opposed to the amendment.
The CHAIR. Is there objection to the request of the gentleman from
Texas?
There was no objection.
The CHAIR. The gentleman is recognized for 5 minutes.
Mr. McCAUL. Mr. Chairman, I support this amendment, which will modify
the Information Sharing Structure and Processes section of the bill
relating to the National Cybersecurity and Communications Integration
Center's, or NCCIC's, Industrial Control System.
The Cyber Emergency Response Team, ICS-CERT. This amendment directs
the ICS-CERT to remain current on ICS innovation, industry adoption of
new technologies, and industry best practices. This amendment directs
the ICS-CERT to keep abreast of new, innovative technologies. This will
enable the ICS-CERT to respond, when requested, with the latest and
most current technologies and practices.
It is a good amendment. I thank the gentlewoman for bringing it. I
urge my colleagues to support this amendment, and I yield back the
balance of my time.
The CHAIR. The question is on the amendment offered by the
gentlewoman from Texas (Ms. Jackson Lee).
The amendment was agreed to.
Amendment No. 5 Offered by Mr. Castro of Texas
The CHAIR. It is now in order to consider amendment No. 5 printed in
part B of House Report 114-88.
Mr. CASTRO of Texas. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Page 11, line 22, insert before the semicolon at the end
the following: ``, and, to the extent practicable, make self-
assessment tools available to such businesses to determine
their levels of prevention of cybersecurity risks''.
The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas
(Mr. Castro) and a Member opposed each will control 5 minutes.
The Chair recognizes the gentleman from Texas.
Mr. CASTRO of Texas. Mr. Chairman, first, I would like to thank my
colleague and fellow Texan, Chairman McCaul, and Ranking Member Bennie
Thompson of the House Homeland Security Committee for bringing up my
amendment for consideration to H.R. 1731.
This amendment supports small businesses across the Nation at no cost
to taxpayers. My amendment would make self-assessment tools available
to small- and medium-sized businesses so they can determine their level
of cybersecurity readiness. Oftentimes, medium-sized and small
businesses don't have the framework or capability in place to protect
against cybersecurity threats. In 2014, for example, 31 percent of all
cyber attacks were directed not at large businesses but at businesses
with less than 250 employees. This is a 4 percent increase from 2013.
As the chairman knows, Texas is home to many small companies in so
many critical industries: biomed and pharmaceuticals, energy,
manufacturing, and many more. Some of these businesses employ as few as
5 to 10 people, and their technology is unprotected, vulnerable to
cyber attacks.
Today most small businesses use the Internet, collect customers'
information, and store sensitive information on business computers. Yet
many of these same companies don't have the readily available
information to self-assess their ability to defend their digital
assets. They lack the tools necessary for determining cybersecurity
readiness.
This pro-small business amendment fills that void and provides the
information and tools needed to secure and empower small businesses
across the country.
Mr. Chairman, I yield 1 minute to the gentleman from Louisiana (Mr.
Richmond).
Mr. RICHMOND. Mr. Chairman, I rise to support the amendment offered
by the gentleman from Texas (Mr. Castro). Over the course of the past
year, cyber breaches at Target, Sony, eBay, and Anthem have consumed
headlines and brought awareness to the vulnerability of large
corporations to cyber threats.
Although cyber attacks against small businesses are not well-
publicized, they are a dangerous threat that we cannot afford to
ignore. In fact, in 2012 alone, the National Cyber Security Alliance
found that 60 percent of small businesses shut down within 6 months of
a data breach. Small businesses are attractive prey for hackers because
they often lack the resources necessary to identify cyber
vulnerabilities and harden their cyber infrastructure.
Mr. Castro's amendment builds upon language I inserted into the
underlying bill that is aimed at improving cybersecurity capabilities
of small businesses.
Mr. Chairman, I urge my colleagues to help protect small businesses
from cyber threats by supporting this important amendment.
Mr. CASTRO of Texas. Thank you, Congressman Richmond, for reminding
us that the big businesses that get attacked by hacks make the big
headlines, but we can't forget about small businesses and medium-sized
businesses who day in and day out are vulnerable to the same kind of
cybersecurity threats.
So, with that, I reserve the balance of my time, Mr. Chairman.
Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time
in opposition, though I am not opposed to the amendment.
The CHAIR. Is there objection to the request of the gentleman from
Texas?
There was no objection.
The CHAIR. The gentleman is recognized for 5 minutes.
Mr. McCAUL. Mr. Chairman, I support the gentleman's amendment. The
gentleman is correct. Small- and medium-sized businesses are the
lifeblood of our economy, yet they often cannot dedicate the resources
to address cybersecurity issues. Making self-assessment tools available
to these businesses will allow them to determine their levels of cyber
risk and manage the risk through appropriate prevention.
I urge my colleagues to support this amendment, Mr. Chairman, and I
yield back the balance of my time.
Mr. CASTRO of Texas. Mr. Chairman, I yield back back the balance of
my time.
The CHAIR. The question is on the amendment offered by the gentleman
from Texas (Mr. Castro).
The amendment was agreed to.
Amendment No. 6 Offered by Mr. Castro of Texas
The CHAIR. It is now in order to consider amendment No. 6 printed in
part B of House Report 114-88.
Mr. CASTRO of Texas. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Page 52, beginning line 12, insert the following:
``SEC. 232. NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM.
``(a) In General.--The Secretary may establish a consortium
to be known as the `National Cybersecurity Preparedness
Consortium' (in this section referred to as the
`Consortium').
``(b) Functions.--The Consortium may--
[[Page H2438]]
``(1) provide training to State and local first responders
and officials specifically for preparing and responding to
cyber attacks;
``(2) develop and update a curriculum utilizing the
National Protection and Programs Directorate of the
Department sponsored Community Cyber Security Maturity Model
(CCSMM) for State and local first responders and officials;
``(3) provide technical assistance services to build and
sustain capabilities in support of cybersecurity preparedness
and response;
``(4) conduct cybersecurity training and simulation
exercises to defend from and respond to cyber-attacks;
``(5) coordinate with the National Cybersecurity and
Communications Integration Center to help States and
communities develop cybersecurity information sharing
programs; and
``(6) coordinate with the National Domestic Preparedness
Consortium to incorporate cybersecurity emergency responses
into existing State and local emergency management functions.
``(c) Members.--The Consortium shall consist of academic,
nonprofit, and government partners that develop, update, and
deliver cybersecurity training in support of homeland
security. Members shall have prior experience conducting
cybersecurity training and exercises for State and local
entities.''.
Page 52, before line 17, insert the following:
``Sec. 232. National Cybersecurity Preparedness Consortium.''.
The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas
(Mr. Castro) and a Member opposed each will control 5 minutes.
The Chair recognizes the gentleman from Texas.
Mr. CASTRO of Texas. Mr. Chairman, first, I am very honored to be
joined by my fellow colleagues and Members of Congress from both
parties from San Antonio, Texas--Congressmen Smith, Doggett, Cuellar,
and Hurd--who each represent a portion of Bexar County and have joined
me on this amendment.
My amendment would give the Secretary of Homeland Security authority
to establish the National Cybersecurity Preparedness Consortium, or
NCPC, within the Department of Homeland Security. Doing so would
formally allow this consortium, which already exists outside of the
government, to assist State and local entities in developing their own
viable and sustainable cybersecurity programs, and it would be at no
cost to taxpayers.
The NCPC consists of five university partners. The University of
Texas at San Antonio leads the effort, along with Texas A&M University
in College Station, the University of Arkansas, the University of
Memphis, and Norwich University in Vermont.
{time} 1030
These schools proactively came together to coordinate their work,
helping State and local officials prepare for cyber attacks. The
consortium also develops and carries out trainings and exercises to
increase cybersecurity knowledge.
Additionally, the NCPC uses competitions and workshops to encourage
more people to pursue careers in cybersecurity and grow the industry's
workforce.
States and communities need the ability to prevent, detect, respond
to, and recover from cyber events as they would any other disaster or
emergency situation, and they need to be aware of the fact that cyber
events could impede emergency responders' ability to do their jobs.
This amendment helps address those State and local needs by codifying
this valuable consortium.
Mr. Chairman, I reserve the balance of my time.
Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time
in opposition, although I am not opposed to the amendment.
The CHAIR. Is there objection to the request of the gentleman from
Texas?
There was no objection.
The CHAIR. The gentleman is recognized for 5 minutes.
Mr. McCAUL. Mr. Chairman, I support this amendment, which establishes
the National Cybersecurity Preparedness Consortium, consisting of
university partners and other stakeholders who proactively coordinate
to assist State and local officials in cybersecurity preparation and
the prevention of cyber attacks.
The amendment directs the Cybersecurity and Infrastructure Protection
Directorate to update curriculum for first responders, provide
technical assistance where possible, and conduct simulations and other
training to help State and local officials be better prepared for cyber
attacks.
The amendment directs the consortium to consist of academic,
nonprofit, and government partners to deliver the best training
possible, which will further advance the overall goal of H.R. 1731, to
strengthen the resiliency of Federal and private networks and, thus,
protect the data of the American people more effectively.
I am a strong proponent of this type of consortium. I am pleased that
the gentleman from Texas brought this amendment. I urge my colleagues
to support the amendment.
Mr. Chairman, I reserve the balance of my time.
Mr. CASTRO of Texas. Mr. Chairman, I yield back the balance of my
time.
Mr. McCAUL. Mr. Chairman, I yield such time as he may consume to the
gentleman from Texas (Mr. Hurd).
Mr. HURD of Texas. Mr. Chairman, I thank the chairman for his work in
making this amendment happen. I urge my colleagues to support this
amendment to H.R. 1731.
Cybersecurity is not just a buzzword. Oftentimes, large governments
and governments have plans in place to mitigate and respond to cyber
threats, but many smaller State and local entities do not. This is why
I cosponsored and stand in support of Representative Castro's amendment
to H.R. 1731.
Five leading universities across the Nation have teamed up to face
these cyber issues head on, including the University of Texas at San
Antonio and my alma mater, Texas A&M University.
The proposed consortium would provide valuable training to local and
first responders in the event of a catastrophic cyber attack. It would
also provide technical assistance services to build and sustain
capabilities in support of cybersecurity preparedness and response, and
it would coordinate with other crucial entities, such as the Multi-
State Information Sharing and Analysis Center and NCCIC.
It is clear that we must focus on cyber preparedness not only at the
Federal level, but the local level as well.
Again, this is why I urge my colleagues to support this.
Mr. McCAUL. Mr. Chairman, I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the gentleman
from Texas (Mr. Castro).
The amendment was agreed to.
Amendment No. 7 Offered by Mr. Hurd of Texas
The CHAIR. It is now in order to consider amendment No. 7 printed in
part B of House Report 114-88.
Mr. HURD of Texas. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Add at the end the following:
SEC. __. PROTECTION OF FEDERAL INFORMATION SYSTEMS.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by
adding at the end the following new section:
``SEC. 233. AVAILABLE PROTECTION OF FEDERAL INFORMATION
SYSTEMS.
``(a) In General.--The Secretary shall deploy and operate,
to make available for use by any Federal agency, with or
without reimbursement, capabilities to protect Federal agency
information and information systems, including technologies
to continuously diagnose, detect, prevent, and mitigate
against cybersecurity risks (as such term is defined in the
second section 226) involving Federal agency information or
information systems.
``(b) Activities.--In carrying out this section, the
Secretary may--
``(1) access, and Federal agency heads may disclose to the
Secretary or a private entity providing assistance to the
Secretary under paragraph (2), information traveling to or
from or stored on a Federal agency information system,
regardless of from where the Secretary or a private entity
providing assistance to the Secretary under paragraph (2)
accesses such information, notwithstanding any other
provision of law that would otherwise restrict or prevent
Federal agency heads from disclosing such information to the
Secretary or a private entity providing assistance to the
Secretary under paragraph (2);
``(2) enter into contracts or other agreements, or
otherwise request and obtain the assistance of, private
entities to deploy and operate technologies in accordance
with subsection (a); and
``(3) retain, use, and disclose information obtained
through the conduct of activities authorized under this
section only to protect Federal agency information and
information systems from cybersecurity risks, or, with the
approval of the Attorney General and if disclosure of such
information is not otherwise prohibited by law, to law
enforcement
[[Page H2439]]
only to investigate, prosecute, disrupt, or otherwise respond
to--
``(A) a violation of section 1030 of title 18, United
States Code;
``(B) an imminent threat of death or serious bodily harm;
``(C) a serious threat to a minor, including sexual
exploitation or threats to physical safety; or
``(D) an attempt, or conspiracy, to commit an offense
described in any of subparagraphs (A) through (C).
``(c) Conditions.--Contracts or other agreements under
subsection (b)(2) shall include appropriate provisions
barring--
``(1) the disclosure of information to any entity other
than the Department or the Federal agency disclosing
information in accordance with subsection (b)(1) that can be
used to identify specific persons and is reasonably believed
to be unrelated to a cybersecurity risk; and
``(2) the use of any information to which such private
entity gains access in accordance with this section for any
purpose other than to protect Federal agency information and
information systems against cybersecurity risks or to
administer any such contract or other agreement.
``(d) Limitation.--No cause of action shall lie against a
private entity for assistance provided to the Secretary in
accordance with this section and a contract or agreement
under subsection (b)(2).''.
(b) Clerical Amendment.--The table of contents of the
Homeland Security Act of 2002 is amended by inserting after
the item relating to section 226 (relating to cybersecurity
recruitment and retention) the following new item:
``Sec. 233. Available protection of Federal information systems.''.
The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas
(Mr. Hurd) and a Member opposed each will control 5 minutes.
The Chair recognizes the gentleman from Texas.
Mr. HURD of Texas. Mr. Chairman, every day and every hour,
hacktivists and state actors are attempting to breach U.S. Government
systems.
This is an ongoing problem I dealt with during my time at the CIA,
and, since I have left, it has only gotten worse. They are attempting
to steal valuable information that could be used against us.
The EINSTEIN Program is a valuable tool that the U.S. Government can
deploy to respond to and mitigate cyber threats. The EINSTEIN Program
was intended to provide DHS a situational awareness snapshot of the
health of the Federal Government's cyberspace.
Based upon agreements with participating Federal agencies, DHS
installed systems at their Internet access points to collect network
flow data.
EINSTEIN 3A is the third and newest version of the program. This
groundbreaking technology uses classified and unclassified information
to block cyber espionage and attacks. E3A is allowing the Department of
Homeland Security to paint a wider and more intelligent picture of the
overall cyber threat landscape within the Federal Government, enabling
strong correlation of events and the ability to provide early warning
and greater context about emerging risks.
Cutting-edge programs such as EINSTEIN can serve as a groundbreaking
tool to stop criminals, hacktivists, and nation-states from harming the
American public and government.
I urge my colleagues to support codifying the E3A program and vote in
favor of this amendment.
Mr. McCAUL. Will the gentleman yield?
Mr. HURD of Texas. I yield to the gentleman from Texas.
Mr. McCAUL. I support this amendment, which would authorize and
codify the current EINSTEIN Program operated in the Department of
Homeland Security.
The EINSTEIN Program, as deployed, makes available the capability to
protect Federal agency information and information systems. The
Einstein Program includes technologies to diagnose, detect, prevent,
and mitigate cybersecurity risks involving Federal information systems.
I would also like to thank my colleague and fellow chairman, Mr.
Chaffetz, of the Oversight and Government Reform Committee for working
with the Committee on Homeland Security on this important issue.
Mr. HURD of Texas. Mr. Chairman, I reserve the balance of my time.
Mr. THOMPSON of Mississippi. Mr. Chair, I claim the time in
opposition, although I am not in opposition to the amendment.
The CHAIR. Without objection, the gentleman is recognized for 5
minutes.
There was no objection.
Mr. THOMPSON of Mississippi. Mr. Chairman, this amendment would
authorize the Department of Homeland Security's program to provide web-
based security services to U.S. Federal civilian agencies.
The program is known as EINSTEIN. When fully implemented, it is
expected to provide all participating Federal agencies with the ability
to know the cyber threats they face and protect their systems from
insider and outsider threats.
To fully implement EINSTEIN to protect Federal civilian networks,
there are complex interagency privacy and coordination issues that
still need to be settled.
This authorization should help the Department of Homeland Security's
efforts at closing out those issues as it confers specific statutory
authority to the Department to pursue EINSTEIN.
I support the amendment, and I urge my colleagues to vote ``aye.''
Mr. Chairman, I yield back the balance of my time.
Mr. HURD of Texas. Mr. Chairman, I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the gentleman
from Texas (Mr. Hurd).
The amendment was agreed to.
Amendment No. 8 Offered by Mr. Mulvaney
The CHAIR. It is now in order to consider amendment No. 8 printed in
part B of House Report 114-88.
Mr. MULVANEY. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Add at the end the following new section:
SEC. __. SUNSET.
This Act and the amendments made by this Act shall
terminate on the date that is seven years after the date of
the enactment of this Act.
The CHAIR. Pursuant to House Resolution 212, the gentleman from South
Carolina (Mr. Mulvaney) and a Member opposed each will control 5
minutes.
The Chair recognizes the gentleman from South Carolina.
Mr. MULVANEY. Mr. Chairman, I thank the chairman for the opportunity
to present this amendment, very similar, Mr. Chairman, to the amendment
that I presented yesterday that was approved by a majority of both
Republicans and Democrats. It is a 7-year sunset provision to the bill.
Here again, today, we are dealing with two very real and very serious
concerns, security of our people and the freedoms and liberties of our
people. We are called upon to do that very often here in Congress.
Sometimes, we get those balances exactly right, and sometimes, we
don't.
Sometimes, we err too much on the side of safety and protection and
security to the expense of our individual liberties. Other times, we
err on the other side and do not provide the requisite level of safety
and security that the citizens rightly demand of Congress.
All this bill does is force us to make sure that we keep an eye on
this piece of legislation to make sure that we got the balance exactly
right. I know that many folks will say: Well, you know, Mr. Mulvaney,
we have the opportunity at any time to go back in and fix the bill.
I know that, and we have done that from time to time, but, by the
same token, this is a very busy place, and a lot of bills tend to fall
between the cracks.
Putting in a hardwired 7-year sunset into this piece of legislation
will force us not only to keep an eye on this on an ongoing basis, but
to come here 7 years from now and make sure that we have done it
precisely correctly.
I think it is the exact right approach. In fact, I have often wished
that we put sunset provisions, Mr. Chairman, in every single piece of
legislation that we have, but we don't have that opportunity here
today.
We do have the opportunity to put a sunset into this very important
piece of legislation, and I hope that the House does the same thing
today as it did yesterday and approve this amendment by an overwhelming
margin.
Mr. McCAUL. Will the gentleman yield?
Mr. MULVANEY. I yield to the gentleman from Texas.
Mr. McCAUL. As an advocate for civil liberties and privacy rights, I
did
[[Page H2440]]
not oppose the inclusion of his amendment here today on the floor, and
that was for good reason.
I believe that we need an open and fair debate on this measure, this
amendment. We need transparency in the process here on the floor. My
committee has undertaken that since day one as we assembled this bill
in a bipartisan fashion.
While, normally, I do support sunset provisions, I think, in this
case, submitting a sunset provision to this vital national security
program would not be in our best interest.
I have heard, time and time again, from industry and other
stakeholders that a sunset would stifle the sharing of this valuable
cyber threat information. It would undermine everything that we are
trying to do here today as we try to incentivize participation and
investment in this voluntary program.
While I do have tremendous respect for the gentleman and his point of
view on this, I will vote ``no'' and oppose this amendment.
Mr. MULVANEY. Mr. Chairman, I applaud the chairman for doing
something that doesn't happen nearly enough in this Chamber. He is
allowing an amendment to come to the floor that he opposes.
I think that doesn't happen nearly enough here. I think it speaks
volumes to some of the recent steps we have taken to improve Member
participation in the process, and I think we will be better as an
institution for it.
Mr. Chairman, I reserve the balance of my time.
Mr. THOMPSON of Mississippi. Mr. Chairman, I claim the time in
opposition, although I am not in opposition to the amendment.
The CHAIR. Without objection, the gentleman is recognized for 5
minutes.
There was no objection.
Mr. THOMPSON of Mississippi. Mr. Chairman, I appreciate, as I said,
the maker of this amendment.
Let me be clear, I offered the very same amendment in markup. It
failed on a party-line vote, and this is democracy; but a little thing
that concerns me is that, when we went to the Rules Committee, my
chairman gave an indication that he really didn't have a problem with
the 7-year sunset.
Mr. McCAUL. Will the gentleman yield on that point?
Mr. THOMPSON of Mississippi. I yield to the gentleman from Texas, my
chairman.
Mr. McCAUL. Again, I just want to clarify what I believe to be the
record, and that was I was not opposed to this amendment going to the
floor for a full and fair debate.
I respect the gentleman's interpretation of that. I simply was not
opposed to this going to the floor, and I think it deserves a full
debate, as we saw yesterday as well.
Mr. THOMPSON of Mississippi. Thank you.
Mr. Chairman, I will read for the Record the statement my chairman
made in Rules. Mr. McCaul said:
There is an amendment that has a 7-year sunset provision,
and I will be honest, I will not oppose that. I think 7 years
is ample time to advance those relationships and while, at
the same time, giving Congress the authority to reauthorize
after a 7-year period.
Mr. McCAUL. Will the gentleman yield again?
Mr. THOMPSON of Mississippi. I yield to the gentleman from Texas.
Mr. McCAUL. I must say that, obviously, since the time the Rules
Committee discharged the amendment, there has been tremendous
opposition from industry, which concerns me, about the participation in
this program and the success of this program if the sunset provision is
allowed to go forward, just to clarify my point of view.
{time} 1045
Mr. THOMPSON of Mississippi. Mr. Chairman, reclaiming my time, I
accept the gentleman's reinterpretation of the statement, and we will
go forward.
Let me just say that, yesterday, on a 7-year sunset on an
Intelligence bill, the House resoundingly voted for this very same
amendment, 313-110. It is clear that the congressional intent is,
within 7 years, that it should have been ample time for this bill to be
law and now set a record for us to come back as Members of Congress and
do our oversight responsibility.
Mr. Chairman, I am in strong support of Mr. Mulvaney's amendment. It
is common sense.
I yield back the balance of my time.
Mr. MULVANEY. I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the gentleman
from South Carolina (Mr. Mulvaney).
The amendment was agreed to.
Amendment No. 9 Offered by Ms. Hahn
The CHAIR. It is now in order to consider amendment No. 9 printed in
part B of House Report 114-88.
Ms. HAHN. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Add the end the following:
SEC.__. REPORT ON CYBERSECURITY VULNERABILITIES OF UNITED
STATES PORTS.
Not later than 180 days after the date of the enactment of
this Act, the Secretary of Homeland Security shall submit to
the Committee on Homeland Security and the Committee on
Transportation and Infrastructure of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs and the Committee on Commerce, Science
and Transportation of the Senate a report on cybersecurity
vulnerabilities for the ten United States ports that the
Secretary determines are at greatest risk of a cybersecurity
incident and provide recommendations to mitigate such
vulnerabilities.
The CHAIR. Pursuant to House Resolution 212, the gentlewoman from
California (Ms. Hahn) and a Member opposed each will control 5 minutes.
The Chair recognizes the gentlewoman from California.
Ms. HAHN. Mr. Chairman, I thank Chairman McCaul and Ranking Member
Thompson for allowing me to offer this amendment.
I rise to offer a National Cybersecurity Protection Advancement Act
amendment, one to increase cybersecurity at our Nation's most at-risk
ports.
This amendment will direct the Secretary of Homeland Security to
submit a report to Congress assessing risks and providing
recommendations regarding cybersecurity at America's most at-risk
ports, such as Los Angeles, Long Beach, Oakland, New York, Houston.
According to the American Association of Port Authorities, our ports
contribute $4.6 trillion to the U.S. economy, making their security
critical to our Nation.
In order to remain efficient and globally competitive, our ports have
become increasingly reliant on complex computer networks for everyday
management. However, The Brookings Institution has found that there is
a cybersecurity gap at our Nation's ports. Currently, we do not have
cybersecurity standards for our ports to give Federal agencies the
authority to address cybersecurity issues.
This is completely unacceptable. The threat of cyber attack on the
networks that manage the flow of U.S. commerce at our ports is real.
As the Representative of the Nation's busiest port complex and as
cofounder of the Congressional Ports Caucus, I know that a significant
disruption at our ports cripples our economy. An estimated $1 billion a
day was lost during the lockout at the Ports of Los Angeles and Long
Beach back in 2002. Imagine the possible damage of a more severe
disruption. For example, if our ports were targeted and hacked and
unable to operate, it could cost our Nation billions and billions of
dollars.
While the Port of Los Angeles is a participant in the FBI's Cyberhood
Watch program and has an award-winning cybersecurity operations center,
we need to ensure that all of our ports have the same ability to
protect themselves from cyber attacks. This is why I have offered this
amendment that addresses the lack of cybersecurity standards and
safeguards at our ports.
We have ignored the cybersecurity of the networks managing our ports
long enough, and it is pointless and ironic for government to continue
awarding funds that are spent on the installation of new technologies
if the networks they are on remain vulnerable to cyber attacks. This
amendment adds no new cost to this legislation, but it will offer great
security to our Nation's movement of goods.
Mr. Chairman, I reserve the balance of my time.
Mr. RATCLIFFE. Mr. Chairman, I ask unanimous consent to claim the
time in opposition, although I am not opposed to the amendment.
[[Page H2441]]
The CHAIR. Is there objection to the request of the gentleman from
Texas?
There was no objection.
The CHAIR. The gentleman is recognized for 5 minutes.
Mr. RATCLIFFE. Mr. Chairman, I support this amendment, which requires
the Department of Homeland Security to identify and mitigate
cybersecurity threats to our Nation's seaports. It requires the
Secretary to identify the 10 ports with the highest vulnerability to
cybersecurity incidents and to fully evaluate and establish procedures
to mitigate relevant cyber vulnerabilities.
America's seaports are critical infrastructure, and 95 percent of
America's foreign trade travels through these seaports. A cybersecurity
incident which impacts a major U.S. port could have profound effects on
the global economy. The Department of Homeland Security must take
immediate, proactive measures to identify and mitigate cybersecurity
threats in America's most vulnerable ports.
I urge my colleagues to support this amendment, and I yield back the
balance of my time.
Ms. HAHN. I thank you for your support, and I applaud you and the
committee for working in this bipartisan manner. I urge all of my
colleagues to support this amendment.
Mr. Chairman, I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the
gentlewoman from California (Ms. Hahn).
The amendment was agreed to.
Amendment No. 10 Offered by Ms. Jackson Lee
The CHAIR. It is now in order to consider amendment No. 10 printed in
part B of House Report 114-88.
Ms. JACKSON LEE. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Add at the end the following:
SEC. __. GAO REPORT ON IMPACT PRIVACY AND CIVIL LIBERTIES.
Not later than 60 months after the date of the enactment of
this Act, the Comptroller General of the United States shall
submit to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate an assessment on the
impact on privacy and civil liberties limited to the work of
the National Cybersecurity and Communications Integration
Center.
The CHAIR. Pursuant to House Resolution 212, the gentlewoman from
Texas (Ms. Jackson Lee) and a Member opposed each will control 5
minutes.
The Chair recognizes the gentlewoman from Texas.
Ms. JACKSON LEE. Mr. Chairman, let me thank Mr. Thompson and Mr.
McCaul for their leadership and Mr. Ratcliffe and Mr. Richmond for
their leadership and for the importance of this legislation on the
floor today and--this is something that I have often said--for the
importance of the Department of Homeland Security's being the front
armor, if you will, for domestic security, and this is a very important
component of domestic security.
The Jackson Lee-Polis amendment states that not later than 60 months
after the date of this act the Comptroller General of the United States
shall submit to the Committee on Homeland Security of the House of
Representatives and to the Committee on Homeland Security and
Governmental Affairs of the Senate an assessment on the impact of
privacy and civil liberties, limited to the work of the National
Cybersecurity and Communications Integration Center.
The public benefit of this amendment is that it will provide public
assurance from a reliable and trustworthy source that their privacy and
civil liberties are not being compromised. Whether it is the PATRIOT
Act or the USA FREEDOM Act that is now proposed, the American people
understand their security, but they understand their privacy and their
civil liberties. The intent of this report is to provide Congress with
information regarding the effectiveness of protecting the privacy of
Americans.
We have gone through too much--we have been through too much hacking,
and we have lost too much personal data from a number of retail
entities and elsewhere--for the American people not to be protected.
This amendment will result in the sole external report on the privacy
and civil liberties' impact of the programs created under this bill.
I ask that my colleagues support the Jackson Lee-Polis amendment, and
I reserve the balance of my time.
Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time
in opposition, although I am not opposed to the amendment.
The CHAIR. Is there objection to the request of the gentleman from
Texas?
There was no objection.
The CHAIR. The gentleman is recognized for 5 minutes.
Mr. McCAUL. Mr. Chairman, I support this amendment.
The report required by this amendment would provide a quantifiable
tool for the transparency, accountability, and oversight of Americans'
civil liberties, and it will address privacy concerns.
Privacy is a hallmark of H.R. 1731, and any opportunity to highlight
to the American people how well DHS is protecting their civil
liberties, while strengthening the cyber resilience of our Federal and
non-Federal networks, is a welcome endeavor.
The report will provide data on how well the program is working, and
it will potentially identify any areas of improvement, which will
further strengthen the robustness of DHS' cyber information-sharing
practices.
I urge my colleagues to support this amendment, and I yield back the
balance of my time.
Ms. JACKSON LEE. I thank the chair for his comments.
Mr. Chairman, privacy is of great concern to the American public in a
digital economy where personal information is one of the most valuable
assets of successful online business. Again, I ask for support of the
Jackson Lee-Polis amendment.
Mr. Chair, I offer my thanks to Chairman McCaul, and Ranking Member
Thompson for their leadership and work on H.R. 1731, the National
Cybersecurity Protection Advancement Act of 2015 to the floor for
consideration.
The bipartisan work done by the House Committee on Homeland Security
brought before the House this opportunity to defend our Nation against
cyber threats.
I thank Congressman Polis for joining me in sponsoring this
amendment.
The Jackson Lee-Polis amendment to H.R. 1731 is simple and would
improve the bill.
The Jackson Lee-Polis amendment states that, not later than 60 months
after the date of this act, the Comptroller General of the United
States shall submit to the Committee on Homeland Security of the House
of Representatives and the Committee on Homeland Security and
Government Affairs of the Senate an assessment on the impact of privacy
and civil liberties limited to the work of the National Cybersecurity
and Communications Integration Center.
The intent of the report is to provide Congress with information
regarding the effectiveness of protecting the privacy of Americans.
This amendment would result in the sole external report on the
privacy and civil liberties' impact of the programs created under this
bill.
Privacy is of great concern to the American public in a digital
economy where personal information is one of the most valuable assets
of successful online businesses.
Having detailed information on consumers allows companies to better
tailor services and products to meet the needs of consumers.
Instead of relying on surveys to try to determine what consumers
want, companies know what they want through their online and
increasingly offline activities that are recorded and analyzed.
In 2014, a report on consumers' views of their privacy published by
the Pew Center found that a majority of adults surveyed felt that their
privacy is being challenged along such core dimensions as the security
of their personal information and their ability to retain
confidentiality.
91% of adults in the survey believe that consumers have lost control
over how personal information is collected and used by companies.
88% of adults believe that it would be very difficult to remove
inaccurate information about them online.
80% of those who use social networking sites believe they are
concerned about third parties accessing their data.
70% of social networking site users have some concerns about the
government accessing some of the information they share on social
networking sites without their knowledge.
For this reason, the Jackson Lee amendment providing an independent
report to the public on how their privacy and civil liberties are
treated under the implementation of this bill is important.
I ask that my colleagues on both sides of the aisle support this
amendment.
[[Page H2442]]
Mr. Chair, I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the
gentlewoman from Texas (Ms. Jackson Lee).
The question was taken; and the Chair announced that the ayes
appeared to have it.
Mr. McCAUL. Mr. Chairman, I demand a recorded vote.
The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on
the amendment offered by the gentlewoman from Texas will be postponed.
Amendment No. 11 Offered by Ms. Jackson Lee
The CHAIR. It is now in order to consider amendment No. 11 printed in
part B of House Report 114-88.
Ms. JACKSON LEE. Mr. Chairman, I have an amendment at the desk.
The CHAIR. The Clerk will designate the amendment.
The text of the amendment is as follows:
Add at the end the following:
SEC. __. REPORT ON CYBERSECURITY AND CRITICAL INFRASTRUCTURE.
The Secretary of Homeland Security may consult with sector
specific agencies, businesses, and stakeholders to produce
and submit to the Committee on Homeland Security of the House
of Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report on how best to
align federally-funded cybersecurity research and development
activities with private sector efforts to protect privacy and
civil liberties while assuring security and resilience of the
Nation's critical infrastructure, including--
(1) promoting research and development to enable the secure
and resilient design and construction of critical
infrastructure and more secure accompanying cyber technology;
(2) enhancing modeling capabilities to determine potential
impacts on critical infrastructure of incidents or threat
scenarios, and cascading effects on other sectors; and
(3) facilitating initiatives to incentivize cybersecurity
investments and the adoption of critical infrastructure
design features that strengthen cybersesecurity and
resilience.
The CHAIR. Pursuant to House Resolution 212, the gentlewoman from
Texas (Ms. Jackson Lee) and a Member opposed each will control 5
minutes.
The Chair recognizes the gentlewoman from Texas.
Ms. JACKSON LEE. This is a comprehensive approach, Mr. Chairman, to
the issue of cybersecurity and national cybersecurity protection.
The amendment that I am offering now states that the Secretary of
Homeland Security may consult with sector-specific agencies,
businesses, and stakeholders to produce and submit to the Committee on
Homeland Security of the House of Representatives and to the Committee
on Homeland Security and Governmental Affairs of the Senate a report on
how best to align federally funded cybersecurity research and
development activities with private sector efforts to protect privacy
and civil liberties while assuring the security and resilience of the
Nation's critical infrastructure.
Again, I can recount the incidences that have brought this issue to
the attention of the American people. Certainly, one of the most
striking were the actions of Mr. Snowden's, so it is important that we
develop research that really blocks those who would intend to do wrong,
or ill, to the American people.
The amendment includes a cybersecurity research and development
objective to enable the secure and resilient design and construction of
critical infrastructure and more secure accompanying cyber technology.
We want it to be impenetrable. We want to have a firewall that stands
as a firewall. I believe that we have the capacity to have the R&D to
do so.
The public benefit of this amendment is that it will make sure, as
innovations occur in the private sector that can improve privacy and
civil liberties protections, that they will be adopted by DHS for its
programs established by this bill.
Mr. Chairman, I ask for support of the Jackson Lee amendment, and I
reserve the balance of my time.
Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time
in opposition, although I am not opposed to the amendment.
The CHAIR. Is there objection to the request of the gentleman from
Texas?
There was no objection.
The CHAIR. The gentleman is recognized for 5 minutes.
Mr. McCAUL. Mr. Chairman, I support this enhancement that allows the
Secretary of Homeland Security to consult with stakeholders and to
submit a report on how best to align federally funded cybersecurity
research and development activities with private sector efforts to
protect privacy and civil liberties, while assuring the security and
resilience of the Nation's critical infrastructure.
The promotion of research and development activities to design
resilient critical infrastructure that includes cyber threat
infrastructure and that also includes cyber threat consideration in its
plan is important as we build the fences against the cascading effect
of cyber attacks on critical infrastructures.
Again, I want to thank the gentlewoman for bringing this amendment,
and I urge my colleagues to support it.
I yield back the balance of my time.
Ms. JACKSON LEE. I thank the gentleman from Texas.
Mr. Chairman, again, the American people deserve the kind of
investigatory work that results in R&D that provides the kind of armor
against the attacks that we have noted are possible and have occurred.
With that, I ask for the support of the Jackson Lee amendment.
Mr. Chair, I offer my thanks to Chairman McCaul, and Ranking Member
Thompson for their leadership and work on H.R. 1731, the National
Cybersecurity Protection Advancement Act of 2015.
This is the final of three Jackson Lee amendments offered to this
legislation.
The Jackson Lee-Polis amendment to H.R. 1731 is simple and would
improve the bill.
The amendment states that the Secretary of Homeland Security may
consult with sector-specific agencies, businesses, and stakeholders to
produce and submit to the Committee on Homeland Security of the House
of Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a report on how best to align
federally funded cybersecurity research and development activities with
private sector efforts to protect privacy and civil liberties, while
assuring the security and resilience of the Nation's critical
infrastructure.
The amendment includes a cybersecurity research and development
objective to enable the secure and resilient design and construction of
critical infrastructure and more secure accompanying cyber technology.
Finally, this Jackson Lee amendment would support investigation into
enhanced computer-aided modeling capabilities to determine potential
impacts on critical infrastructure of incidents or threat scenarios and
cascading effects on other sectors and facilitating initiatives to
incentivize cybersecurity investments and the adoption of critical
infrastructure design features that strengthen cybersecurity and
resilience.
The ability to stay current and at the leading edge of innovation in
the fast-moving world of computing technology will be a challenge, but
one that the Department of Homeland Security can meet.
The Jackson Lee amendment lays the foundation for an array of
collaborative efforts centered on learning as much as possible about
critical infrastructure operations and technologies, then using that
knowledge to discover how best to defend against cyber-based threats.
I ask that my colleagues on both sides of the aisle support this
amendment.
Mr. Chair, I yield back the balance of my time.
The CHAIR. The question is on the amendment offered by the
gentlewoman from Texas (Ms. Jackson Lee).
The amendment was agreed to.
Amendment No. 10 Offered by Ms. Jackson Lee
The CHAIR. Pursuant to clause 6 of rule XVIII, the unfinished
business is the demand for a recorded vote on the amendment offered by
the gentlewoman from Texas (Ms. Jackson Lee) on which further
proceedings were postponed and on which the ayes prevailed by voice
vote.
The Clerk will redesignate the amendment.
The Clerk redesignated the amendment.
Recorded Vote
The CHAIR. A recorded vote has been demanded.
A recorded vote was ordered.
The vote was taken by electronic device, and there were--ayes 405,
noes 8, not voting 18, as follows:
[Roll No. 171]
AYES--405
Abraham
Adams
Aderholt
Aguilar
Allen
Amash
Amodei
Ashford
Babin
Barletta
Barr
Barton
[[Page H2443]]
Bass
Beatty
Becerra
Benishek
Bera
Beyer
Bilirakis
Bishop (GA)
Bishop (MI)
Bishop (UT)
Black
Blackburn
Blum
Blumenauer
Bonamici
Bost
Brady (PA)
Brat
Bridenstine
Brooks (AL)
Brooks (IN)
Brown (FL)
Brownley (CA)
Buchanan
Buck
Bucshon
Burgess
Bustos
Byrne
Calvert
Capps
Capuano
Caardenas
Carney
Carson (IN)
Carter (GA)
Cartwright
Castor (FL)
Castro (TX)
Chabot
Chaffetz
Chu, Judy
Cicilline
Clark (MA)
Clarke (NY)
Clawson (FL)
Clay
Cleaver
Coffman
Cohen
Cole
Collins (GA)
Collins (NY)
Comstock
Conaway
Connolly
Conyers
Cook
Cooper
Costa
Costello (PA)
Courtney
Cramer
Crawford
Crenshaw
Crowley
Cuellar
Culberson
Cummings
Curbelo (FL)
Davis (CA)
Davis, Danny
DeFazio
DeGette
Delaney
DeLauro
DelBene
Denham
Dent
DeSantis
DeSaulnier
DesJarlais
Deutch
Diaz-Balart
Dingell
Doggett
Dold
Doyle, Michael F.
Duckworth
Duffy
Duncan (SC)
Duncan (TN)
Edwards
Ellison
Ellmers (NC)
Emmer (MN)
Engel
Esty
Farenthold
Farr
Fattah
Fincher
Fitzpatrick
Fleischmann
Fleming
Flores
Forbes
Fortenberry
Foster
Foxx
Frankel (FL)
Franks (AZ)
Frelinghuysen
Fudge
Gabbard
Gallego
Garamendi
Garrett
Gibbs
Gibson
Gohmert
Goodlatte
Gosar
Gowdy
Graham
Granger
Graves (GA)
Graves (LA)
Grayson
Green, Al
Green, Gene
Griffith
Grijalva
Grothman
Guinta
Guthrie
Gutieerrez
Hahn
Hanna
Hardy
Harper
Harris
Hartzler
Heck (NV)
Heck (WA)
Hensarling
Herrera Beutler
Hice, Jody B.
Higgins
Hill
Himes
Hinojosa
Holding
Honda
Hoyer
Hudson
Huelskamp
Huffman
Huizenga (MI)
Hultgren
Hunter
Hurd (TX)
Hurt (VA)
Israel
Issa
Jackson Lee
Jeffries
Jenkins (KS)
Jenkins (WV)
Johnson (GA)
Johnson (OH)
Johnson, Sam
Jolly
Jones
Jordan
Joyce
Katko
Keating
Kelly (IL)
Kelly (PA)
Kennedy
Kildee
Kilmer
Kind
King (IA)
King (NY)
Kinzinger (IL)
Kirkpatrick
Kline
Knight
Kuster
Labrador
Lamborn
Lance
Langevin
Larsen (WA)
Larson (CT)
Latta
Lawrence
Lee
Levin
Lewis
Lieu, Ted
LoBiondo
Loebsack
Lofgren
Long
Loudermilk
Love
Lowenthal
Lowey
Lucas
Luetkemeyer
Lujan Grisham (NM)
Lujaan, Ben Ray (NM)
Lummis
Lynch
MacArthur
Maloney, Carolyn
Maloney, Sean
Marino
Massie
Matsui
McCarthy
McCaul
McClintock
McCollum
McDermott
McGovern
McHenry
McKinley
McMorris Rodgers
McNerney
McSally
Meadows
Meehan
Meng
Messer
Mica
Miller (FL)
Miller (MI)
Moolenaar
Mooney (WV)
Moulton
Mullin
Mulvaney
Murphy (FL)
Murphy (PA)
Nadler
Napolitano
Neal
Neugebauer
Newhouse
Noem
Nolan
Norcross
Nugent
Nunes
O'Rourke
Palazzo
Palmer
Pascrell
Paulsen
Pearce
Pelosi
Perlmutter
Perry
Peters
Peterson
Pingree
Pittenger
Pitts
Pocan
Poe (TX)
Poliquin
Polis
Pompeo
Posey
Price (NC)
Price, Tom
Quigley
Rangel
Ratcliffe
Reed
Reichert
Renacci
Ribble
Rice (NY)
Rice (SC)
Richmond
Rigell
Roby
Roe (TN)
Rogers (AL)
Rogers (KY)
Rohrabacher
Rokita
Rooney (FL)
Ros-Lehtinen
Roskam
Ross
Rothfus
Rouzer
Roybal-Allard
Royce
Ruiz
Ruppersberger
Rush
Russell
Ryan (OH)
Ryan (WI)
Salmon
Saanchez, Linda T.
Sanchez, Loretta
Sanford
Sarbanes
Scalise
Schakowsky
Schiff
Schrader
Schweikert
Scott (VA)
Scott, Austin
Scott, David
Sensenbrenner
Serrano
Sessions
Sewell (AL)
Sherman
Shimkus
Shuster
Simpson
Sinema
Sires
Slaughter
Smith (MO)
Smith (NE)
Smith (NJ)
Smith (TX)
Stefanik
Stewart
Stivers
Stutzman
Swalwell (CA)
Takai
Takano
Thompson (CA)
Thompson (MS)
Thompson (PA)
Thornberry
Tiberi
Tipton
Titus
Tonko
Torres
Tsongas
Turner
Upton
Valadao
Van Hollen
Vargas
Veasey
Vela
Velaazquez
Visclosky
Wagner
Walberg
Walden
Walker
Walorski
Walters, Mimi
Walz
Wasserman Schultz
Waters, Maxine
Watson Coleman
Webster (FL)
Welch
Wenstrup
Westerman
Whitfield
Williams
Wilson (FL)
Wilson (SC)
Wittman
Womack
Woodall
Yarmuth
Yoder
Yoho
Young (IA)
Young (IN)
Zeldin
Zinke
NOES--8
Boustany
Brady (TX)
Carter (TX)
LaMalfa
Marchant
Weber (TX)
Westmoreland
Young (AK)
NOT VOTING--18
Boyle, Brendan F.
Butterfield
Clyburn
Davis, Rodney
Eshoo
Graves (MO)
Hastings
Johnson, E. B.
Kaptur
Lipinski
Meeks
Moore
Olson
Pallone
Payne
Smith (WA)
Speier
Trott
{time} 1130
Messrs. BUCSHON, POSEY, Mrs. McMORRIS RODGERS, Messrs. BRIDENSTINE,
COFFMAN, TIPTON, CRAWFORD, GIBBS, MILLER of Florida, and GOHMERT
changed their vote from ``no'' to ``aye.''
So the amendment was agreed to.
The result of the vote was announced as above recorded.
The Acting CHAIR (Mr. Harper). The question is on the amendment in
the nature of a substitute.
The amendment was agreed to.
The Acting CHAIR. Under the rule, the Committee rises.
Accordingly, the Committee rose; and the Speaker pro tempore (Mr.
Fortenberry) having assumed the chair, Mr. Harper, Acting Chair of the
Committee of the Whole House on the state of the Union, reported that
that Committee, having had under consideration the bill (H.R. 1731) to
amend the Homeland Security Act of 2002 to enhance multi-directional
sharing of information related to cybersecurity risks and strengthen
privacy and civil liberties protections, and for other purposes, and,
pursuant to House Resolution 212, he reported the bill back to the
House with an amendment adopted in the Committee of the Whole.
The SPEAKER pro tempore. Under the rule, the previous question is
ordered.
Is a separate vote demanded on any amendment to the amendment
reported from the Committee of the Whole?
If not, the question is on the amendment in the nature of a
substitute, as amended.
The amendment was agreed to.
The SPEAKER pro tempore. The question is on the engrossment and third
reading of the bill.
The bill was ordered to be engrossed and read a third time, and was
read the third time.
Motion to Recommit
Mr. ISRAEL. Mr. Speaker, I have a motion to recommit at the desk.
The SPEAKER pro tempore. Is the gentleman opposed to the bill?
Mr. ISRAEL. I am, in its current form, Mr. Speaker.
Mr. McCAUL. Mr. Chair, I reserve a point of order.
The SPEAKER pro tempore. A point of order is reserved.
The Clerk will report the motion to recommit.
The Clerk read as follows:
Mr. Israel moves to recommit the bill H.R. 1731 to the
Committee on Homeland Security with instructions to report
the same back to the House forthwith, with the following
amendment:
Add at the end of the bill the following:
SEC. __. PROTECTING CRITICAL INFRASTRUCTURE, AMERICAN JOBS,
AND HEALTH INFORMATION FROM CYBERATTACKS.
(a) In General.--Subtitle C of title II of the Homeland
Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by
adding at the end the following new section:
``SEC. 232. PROTECTING CRITICAL INFRASTRUCTURE, AMERICAN
JOBS, AND HEALTH INFORMATION FROM CYBERATTACKS.
``(a) In General.--The Secretary of Homeland Security shall
undertake on-going risk-informed outreach, including the
provision of technical assistance, to the owners and
operators of at-risk critical infrastructure to promote the
sharing of cyber threat indicators and defensive measures (as
such terms are defined in the second section 226 (relating to
the National Cybersecurity and Communications Integration
Center). In carrying out this outreach, the Secretary shall
prioritize the protection of at-risk Supervisory Control and
Data Acquisition (SCADA) industrial control systems, which
are critical to the operation of the United States economy.
``(b) Prioritization.--In carrying out outreach under
subsection (a), the Secretary of Homeland Security shall
prioritize the protection and welfare of the American people
and economy and give special attention to protecting the
following:
``(1) United States critical infrastructure, including the
electrical grid, nuclear power plants, oil and gas pipelines,
financial services, and transportation systems, from
cyberattacks, as attacks on SCADA industrial control systems
increased by 100 percent in 2014 over the previous year.
``(2) The intellectual property of United States
corporations, particularly the intellectual property of at-
risk small and medium-sized businesses, in order to maintain
United States competitiveness and job growth.
``(3) The privacy and property rights of at-risk Americans,
including Social Security numbers, dates of birth, and
employment information, and health records, insofar as the
health records of more than 29,000,000 Americans were
compromised in data breaches between 2010 and 2013, and, in
2015, the information of 80,000,000 Americans was compromised
by the attack on Anthem Health Insurance.''.
[[Page H2444]]
(b) Clerical Amendment.--The table of contents of the
Homeland Security Act of 2002 is amended by inserting after
the item relating to section 231 the following new item:
``Sec. 232. Protecting critical infrastructure, American jobs, and
health information from cyberattacks.''.
Mr. McCAUL (during the reading). Mr. Speaker, I ask unanimous consent
to dispense with the reading.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Texas?
There was no objection.
The SPEAKER pro tempore. The gentleman from New York is recognized
for 5 minutes.
Mr. ISRAEL. Mr. Speaker, this is a final amendment. It will not kill
the bill. It will not send the bill back to committee. If adopted, the
bill will immediately proceed to final passage, as amended.
Mr. Speaker, 2 weeks ago, D.C. went dark. The lights went out, the
power stopped near the White House, lights out, no power at the
Department of State. Federal agencies were plunged into darkness, small
businesses plunged into darkness. Business stopped. The business of
government stopped because there was a blackout.
Now, in this case, Mr. Speaker, this loss of energy was because of a
blown transformer, and there was no indication that this was a result
of a cyber attack on our energy sources or systems.
There are indications, Mr. Speaker, every day, of attempted attacks
on our critical energy infrastructure, and this amendment simply
strengthens the response of the Department of Homeland Security to
protect our constituents, our government, our infrastructure, and our
country from this attack.
Mr. Speaker, in the first 6 months of 2012, we know that there was a
sustained and persistent cyber attack on critical gas pipeline control
systems. Now, the good news is that we successfully defended against
those attacks.
The bad news is, as we all know, the very nature of cyber war means
that every time you defend against an attack, you are transmitting to
your attackers what your defenses are.
The DHS reports that, of roughly 200 cases of major cyber attacks
handled by DHS' cybersecurity team in 2013, 40 percent were in the
energy sector. There have been attacks on supervisory control and data
acquisitions, SCADA. Those attacks doubled between 2013 and 2014, so we
know these attacks are being attempted. We know how serious it is.
We learned, 2 weeks ago, what happens when we plunge into the
darkness. We know the economic devastation, the social devastation, the
military devastation that will occur when an attack is successful, when
a cyber attack against our energy systems succeeds.
We know it is coming, and we cannot wait until the day after, when we
ask ourselves, in the dark: Why didn't we do more yesterday?
This is like being told that Pearl Harbor is coming, that 9/11 is
coming, knowing it is coming, and deciding: Are you going to do
something about it? Or are you going to continue to bury your head in
the sand?
Now, this amendment is very simple, Mr. Speaker. It simply directs
the Department of Homeland Security to organize a strong, concerted,
focused partnership with energy companies throughout this country.
Those partnerships would provide technical assistance from DHS to
energy companies and information sharing. These partnerships would be
focused on critical infrastructure, the electrical grid, oil and gas
pipelines, and nuclear power plants.
Mr. Speaker, what happened in Washington, D.C., on April 7 of this
year can happen in any congressional district in this body. Instead of
a blown transformer, it will be a cyber attack against energy systems
in any one of the districts represented here today, Mr. Speaker.
When that happens, our constituents will ask us, from that place in
the dark: What did you do to prevent it? And what did you do to protect
me from it?
This vote on this motion to recommit will be your answer.
Let's put the protection of our businesses, our government, our
military, and our constituents ahead of partisanship and vote ``yes''
on this motion to recommit.
Mr. Speaker, I yield back the balance of my time.
Mr. McCAUL. Mr. Speaker, I withdraw my reservation of a point of
order.
The SPEAKER pro tempore. The reservation of the point of order is
withdrawn.
Mr. McCAUL. Mr. Speaker, I rise today in strong opposition to the
motion to recommit.
The SPEAKER pro tempore. The gentleman from Texas is recognized for 5
minutes.
Mr. McCAUL. The gentleman from New York is correct regarding the
nature of the threat. However, the activities he has discussed were
authorized by Congress last Congress with a bill that I sponsored. In
addition, the bill currently before the House strengthens those
provisions.
This bipartisan bill passed out of committee unanimously. This motion
is nothing more than an eleventh hour attempt to bring down the bill
that we worked so hard on to get to this point where we are today.
Mr. Speaker, people always ask me what keeps me up at night. In
addition to the kinetic threats posed by al Qaeda and ISIS, it is a
cyber attack against our Nation that concerns me the most.
This legislation is necessary to protect Americans. Every day,
America is under attack. Our offensive capabilities are strong, but our
defensive capabilities are weak. The attacks on Target and Home Depot
stole the personal information and credit cards of millions of
Americans.
The cyber breach at Anthem compromised the healthcare accounts of 80
million individuals, impacting one out of every four Americans in the
most private way. North Korea's destructive attack on Sony attempted to
chill our freedom of speech. Russia and China continue to steal our
intellectual property and conduct espionage against our Nation.
General Alexander described this as ``the greatest transfer of wealth
in history.''
At the same time, Iran attacks our financial sector on a daily basis
in response to the sanctions. We also face a growing threat from
cyberterrorists, like the ISIS sympathizers who hacked into USCENTCOM's
social media account.
Terrorists and state sponsors of terror, like Iran, want nothing more
than to carry out a destructive cyber attack to bring things down in
the United States, including our power grids.
This bill protects our Nation's networks, both public and private, by
removing legal barriers to the sharing of threat information.
{time} 1145
The bill is voluntary. It is both proprivacy and prosecurity and has
widespread support from industry. It allows us to obtain the keys for
information sharing, to lock the door, and to keep these nation-states
and criminals out. We cannot send a signal of weakness to our
adversaries.
Many, Mr. Speaker, refer to the threat of a cyber Pearl Harbor. My
father, part of the Greatest Generation, was a bombardier in a B-17
during World War II. He participated in the air campaign in advance of
the D-day invasion against the Nazis.
Today a new generation faces different threats to our national
security, and we must protect America in this new frontier. We now live
in a new threat environment where digital bombs can go undetected and
cause massive devastation. This bill will defend America from these
attacks.
Inaction today, Mr. Speaker, would be nothing short of reckless. It
is urgent that we pass this bill today, for if Congress fails to act
and the United States is attacked, then Congress will have that on its
hands.
I urge my colleagues to vote against the motion to recommit and
support this bill.
I yield back the balance of my time.
The SPEAKER pro tempore. Without objection, the previous question is
ordered on the motion to recommit.
There was no objection.
The SPEAKER pro tempore. The question is on the motion to recommit.
The question was taken; and the Speaker pro tempore announced that
the noes appeared to have it.
Recorded Vote
Mr. ISRAEL. Mr. Speaker, I demand a recorded vote.
[[Page H2445]]
A recorded vote was ordered.
The SPEAKER pro tempore. Pursuant to clause 9 of rule XX, this 5-
minute vote on the motion to recommit will be followed by a 5-minute
vote on the passage of the bill, if ordered.
The vote was taken by electronic device, and there were--ayes 180,
noes 238, not voting 13, as follows:
[Roll No. 172]
AYES--180
Adams
Aguilar
Ashford
Bass
Beatty
Becerra
Bera
Beyer
Bishop (GA)
Blumenauer
Bonamici
Brady (PA)
Brown (FL)
Brownley (CA)
Bustos
Butterfield
Capps
Capuano
Caardenas
Carney
Carson (IN)
Cartwright
Castor (FL)
Castro (TX)
Chu, Judy
Cicilline
Clark (MA)
Clarke (NY)
Clay
Cleaver
Clyburn
Cohen
Connolly
Conyers
Cooper
Costa
Courtney
Crowley
Cuellar
Cummings
Davis (CA)
Davis, Danny
DeFazio
DeGette
Delaney
DeLauro
DelBene
DeSaulnier
Deutch
Dingell
Doggett
Doyle, Michael F.
Duckworth
Edwards
Ellison
Engel
Esty
Farr
Fattah
Foster
Frankel (FL)
Fudge
Gabbard
Gallego
Garamendi
Graham
Grayson
Green, Al
Green, Gene
Grijalva
Gutieerrez
Hahn
Heck (WA)
Higgins
Himes
Hinojosa
Honda
Hoyer
Huffman
Israel
Jackson Lee
Jeffries
Johnson (GA)
Johnson, E. B.
Jones
Keating
Kelly (IL)
Kennedy
Kildee
Kilmer
Kind
Kirkpatrick
Kuster
Langevin
Larsen (WA)
Larson (CT)
Lawrence
Lee
Levin
Lewis
Lieu, Ted
Loebsack
Lofgren
Lowenthal
Lowey
Lujan Grisham (NM)
Lujaan, Ben Ray (NM)
Lynch
Maloney, Carolyn
Maloney, Sean
Matsui
McCollum
McDermott
McGovern
McNerney
Meeks
Meng
Moulton
Murphy (FL)
Nadler
Napolitano
Neal
Nolan
Norcross
O'Rourke
Pascrell
Payne
Pelosi
Perlmutter
Peters
Peterson
Pingree
Pocan
Polis
Price (NC)
Quigley
Rangel
Rice (NY)
Richmond
Roybal-Allard
Ruiz
Ruppersberger
Rush
Ryan (OH)
Saanchez, Linda T.
Sanchez, Loretta
Sarbanes
Schakowsky
Schiff
Schrader
Scott (VA)
Scott, David
Serrano
Sewell (AL)
Sherman
Sinema
Sires
Slaughter
Swalwell (CA)
Takai
Takano
Thompson (CA)
Thompson (MS)
Titus
Tonko
Torres
Tsongas
Van Hollen
Vargas
Veasey
Vela
Velaazquez
Visclosky
Walz
Wasserman Schultz
Waters, Maxine
Watson Coleman
Welch
Wilson (FL)
Yarmuth
NOES--238
Abraham
Aderholt
Allen
Amash
Amodei
Babin
Barletta
Barr
Barton
Benishek
Bilirakis
Bishop (MI)
Bishop (UT)
Black
Blackburn
Blum
Bost
Boustany
Brady (TX)
Brat
Bridenstine
Brooks (AL)
Brooks (IN)
Buchanan
Buck
Bucshon
Burgess
Byrne
Calvert
Carter (GA)
Carter (TX)
Chabot
Chaffetz
Clawson (FL)
Coffman
Cole
Collins (GA)
Collins (NY)
Comstock
Conaway
Cook
Costello (PA)
Cramer
Crawford
Crenshaw
Culberson
Curbelo (FL)
Denham
Dent
DeSantis
DesJarlais
Diaz-Balart
Dold
Duffy
Duncan (SC)
Duncan (TN)
Ellmers (NC)
Emmer (MN)
Farenthold
Fincher
Fitzpatrick
Fleischmann
Fleming
Flores
Forbes
Fortenberry
Foxx
Franks (AZ)
Frelinghuysen
Garrett
Gibbs
Gibson
Gohmert
Goodlatte
Gosar
Gowdy
Granger
Graves (GA)
Graves (LA)
Griffith
Grothman
Guinta
Guthrie
Hanna
Hardy
Harper
Harris
Hartzler
Heck (NV)
Hensarling
Herrera Beutler
Hice, Jody B.
Hill
Holding
Hudson
Huelskamp
Huizenga (MI)
Hultgren
Hunter
Hurd (TX)
Hurt (VA)
Issa
Jenkins (KS)
Jenkins (WV)
Johnson (OH)
Johnson, Sam
Jolly
Jordan
Joyce
Katko
Kelly (PA)
King (IA)
King (NY)
Kinzinger (IL)
Kline
Knight
Labrador
LaMalfa
Lamborn
Lance
Latta
LoBiondo
Long
Loudermilk
Love
Lucas
Luetkemeyer
Lummis
MacArthur
Marchant
Marino
Massie
McCarthy
McCaul
McClintock
McHenry
McKinley
McMorris Rodgers
McSally
Meadows
Meehan
Messer
Mica
Miller (FL)
Miller (MI)
Moolenaar
Mooney (WV)
Mullin
Mulvaney
Murphy (PA)
Neugebauer
Newhouse
Noem
Nugent
Nunes
Palazzo
Palmer
Paulsen
Pearce
Perry
Pittenger
Pitts
Poe (TX)
Poliquin
Pompeo
Posey
Price, Tom
Ratcliffe
Reed
Reichert
Renacci
Ribble
Rice (SC)
Rigell
Roby
Roe (TN)
Rogers (AL)
Rogers (KY)
Rohrabacher
Rokita
Rooney (FL)
Ros-Lehtinen
Roskam
Ross
Rothfus
Rouzer
Royce
Russell
Ryan (WI)
Salmon
Sanford
Scalise
Schweikert
Scott, Austin
Sensenbrenner
Sessions
Shimkus
Shuster
Simpson
Smith (MO)
Smith (NE)
Smith (NJ)
Smith (TX)
Stefanik
Stewart
Stivers
Stutzman
Thompson (PA)
Thornberry
Tiberi
Tipton
Turner
Upton
Valadao
Wagner
Walberg
Walden
Walker
Walorski
Walters, Mimi
Weber (TX)
Webster (FL)
Wenstrup
Westerman
Westmoreland
Whitfield
Williams
Wilson (SC)
Wittman
Womack
Woodall
Yoder
Yoho
Young (AK)
Young (IA)
Young (IN)
Zeldin
Zinke
NOT VOTING--13
Boyle, Brendan F.
Davis, Rodney
Eshoo
Graves (MO)
Hastings
Kaptur
Lipinski
Moore
Olson
Pallone
Smith (WA)
Speier
Trott
{time} 1153
Mr. RICHMOND changed his vote from ``no'' to ``aye.''
So the motion to recommit was rejected.
The result of the vote was announced as above recorded.
The SPEAKER pro tempore. The question is on the passage of the bill.
The question was taken; and the Speaker pro tempore announced that
the ayes appeared to have it.
Recorded Vote
Mr. McCAUL. Mr. Speaker, I demand a recorded vote.
A recorded vote was ordered.
The SPEAKER pro tempore. This is a 5-minute vote.
The vote was taken by electronic device, and there were--ayes 355,
noes 63, not voting 13, as follows:
[Roll No. 173]
AYES--355
Abraham
Adams
Aderholt
Aguilar
Allen
Amodei
Ashford
Babin
Barletta
Barr
Barton
Beatty
Benishek
Bera
Beyer
Bilirakis
Bishop (GA)
Bishop (MI)
Bishop (UT)
Black
Blackburn
Blum
Bonamici
Bost
Boustany
Brady (TX)
Brooks (AL)
Brooks (IN)
Brown (FL)
Brownley (CA)
Buchanan
Buck
Bucshon
Burgess
Bustos
Butterfield
Byrne
Calvert
Capps
Caardenas
Carney
Carson (IN)
Carter (GA)
Carter (TX)
Castor (FL)
Castro (TX)
Chabot
Chaffetz
Clarke (NY)
Clawson (FL)
Clay
Cleaver
Clyburn
Coffman
Cohen
Cole
Collins (GA)
Collins (NY)
Comstock
Conaway
Connolly
Cook
Cooper
Costa
Costello (PA)
Cramer
Crawford
Crenshaw
Crowley
Cuellar
Culberson
Cummings
Curbelo (FL)
Davis (CA)
Davis, Danny
DeFazio
DeGette
Delaney
DelBene
Denham
Dent
DeSantis
DeSaulnier
Diaz-Balart
Dingell
Doggett
Dold
Duckworth
Duffy
Duncan (SC)
Duncan (TN)
Ellmers (NC)
Emmer (MN)
Engel
Farenthold
Farr
Fincher
Fitzpatrick
Fleischmann
Flores
Forbes
Fortenberry
Foster
Foxx
Frankel (FL)
Franks (AZ)
Frelinghuysen
Fudge
Gabbard
Gallego
Garamendi
Gibbs
Gibson
Goodlatte
Gowdy
Graham
Granger
Graves (GA)
Green, Al
Green, Gene
Griffith
Grothman
Guthrie
Gutieerrez
Hahn
Hanna
Hardy
Harper
Harris
Hartzler
Heck (NV)
Heck (WA)
Hensarling
Herrera Beutler
Hice, Jody B.
Higgins
Hill
Himes
Hinojosa
Holding
Honda
Hoyer
Hudson
Huffman
Huizenga (MI)
Hultgren
Hunter
Hurd (TX)
Hurt (VA)
Israel
Jackson Lee
Jeffries
Jenkins (KS)
Jenkins (WV)
Johnson (GA)
Johnson (OH)
Johnson, Sam
Jolly
Joyce
Katko
Keating
Kelly (IL)
Kelly (PA)
Kennedy
Kildee
Kilmer
Kind
King (IA)
King (NY)
Kinzinger (IL)
Kirkpatrick
Kline
Knight
Kuster
LaMalfa
Lamborn
Lance
Langevin
Larsen (WA)
Latta
Lawrence
Levin
Lewis
LoBiondo
Loebsack
Lofgren
Long
Loudermilk
Love
Lowey
Lucas
Luetkemeyer
Lujan Grisham (NM)
Lujaan, Ben Ray (NM)
Lummis
Lynch
MacArthur
Maloney, Carolyn
Maloney, Sean
Marchant
Marino
Matsui
McCarthy
McCaul
McClintock
McCollum
McDermott
McHenry
McKinley
McMorris Rodgers
McNerney
McSally
Meadows
Meehan
Meeks
Meng
Messer
Mica
Miller (FL)
Miller (MI)
Moolenaar
Moulton
Mullin
Mulvaney
Murphy (FL)
Murphy (PA)
Napolitano
Neal
Neugebauer
Newhouse
Noem
Norcross
Nugent
Nunes
O'Rourke
Palazzo
Palmer
Pascrell
Paulsen
Payne
Pearce
Pelosi
Perlmutter
Perry
Peters
Peterson
Pittenger
Pitts
Poe (TX)
Poliquin
Pompeo
Posey
Price (NC)
Price, Tom
Quigley
Rangel
Ratcliffe
Reed
Reichert
Renacci
Ribble
Rice (NY)
Rice (SC)
Richmond
Rigell
Roby
Roe (TN)
Rogers (AL)
Rogers (KY)
Rohrabacher
Rokita
Rooney (FL)
Ros-Lehtinen
Roskam
Ross
Rothfus
Rouzer
Roybal-Allard
Royce
Ruiz
Ruppersberger
Rush
Russell
Ryan (WI)
[[Page H2446]]
Saanchez, Linda T.
Sanchez, Loretta
Scalise
Schakowsky
Schiff
Schrader
Schweikert
Scott (VA)
Scott, Austin
Scott, David
Sensenbrenner
Sessions
Sewell (AL)
Sherman
Shimkus
Shuster
Simpson
Sinema
Sires
Smith (MO)
Smith (NE)
Smith (NJ)
Smith (TX)
Stefanik
Stewart
Stivers
Stutzman
Swalwell (CA)
Takai
Thompson (CA)
Thompson (MS)
Thompson (PA)
Thornberry
Tiberi
Tipton
Titus
Torres
Turner
Upton
Valadao
Vargas
Veasey
Vela
Visclosky
Wagner
Walberg
Walden
Walker
Walorski
Walters, Mimi
Walz
Watson Coleman
Weber (TX)
Webster (FL)
Wenstrup
Westerman
Westmoreland
Whitfield
Williams
Wilson (FL)
Wilson (SC)
Wittman
Womack
Woodall
Yoder
Yoho
Young (AK)
Young (IA)
Young (IN)
Zeldin
Zinke
NOES--63
Amash
Bass
Becerra
Blumenauer
Brady (PA)
Brat
Bridenstine
Capuano
Cartwright
Chu, Judy
Cicilline
Clark (MA)
Conyers
Courtney
DeLauro
DesJarlais
Deutch
Doyle, Michael F.
Edwards
Ellison
Esty
Fattah
Fleming
Garrett
Gohmert
Gosar
Graves (LA)
Grayson
Grijalva
Guinta
Huelskamp
Issa
Johnson, E. B.
Jones
Jordan
Labrador
Larson (CT)
Lee
Lieu, Ted
Lowenthal
Massie
McGovern
Mooney (WV)
Nadler
Nolan
Pingree
Pocan
Polis
Ryan (OH)
Salmon
Sanford
Sarbanes
Serrano
Slaughter
Takano
Tonko
Tsongas
Van Hollen
Velaazquez
Wasserman Schultz
Waters, Maxine
Welch
Yarmuth
NOT VOTING--13
Boyle, Brendan F.
Davis, Rodney
Eshoo
Graves (MO)
Hastings
Kaptur
Lipinski
Moore
Olson
Pallone
Smith (WA)
Speier
Trott
{time} 1203
So the bill was passed.
The result of the vote was announced as above recorded.
A motion to reconsider was laid on the table.
____________________
