[Congressional Record Volume 161, Number 60 (Thursday, April 23, 2015)] [House] [Pages H2423-H2426] {time} 0915 NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015 General Leave Mr. McCAUL. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days within which to revise and extend their remarks and include extraneous materials on the bill, H.R. 1731. The SPEAKER pro tempore (Mr. Ratcliffe). Is there objection to the request of the gentleman from Texas? There was no objection. The SPEAKER pro tempore. Pursuant to House Resolution 212 and rule XVIII, the Chair declares the House in the Committee of the Whole House on the state of the Union for the consideration of the bill, H.R. 1731. The Chair appoints the gentleman from Georgia (Mr. Woodall) to preside over the Committee of the Whole. {time} 0916 In the Committee of the Whole Accordingly, the House resolved itself into the Committee of the Whole House on the state of the Union for the consideration of the bill (H.R. 1731) to amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthen privacy and civil liberties protections, and for other purposes, with Mr. Woodall in the chair. The Clerk read the title of the bill. The CHAIR. Pursuant to the rule, the bill is considered read the first time. The gentleman from Texas (Mr. McCaul) and the gentleman from Mississippi (Mr. Thompson) each will control 30 minutes. The Chair recognizes the gentleman from Texas. Mr. McCAUL. Mr. Chairman, I yield myself such time as I may consume. I am pleased to bring to the floor H.R. 1731, the National Cybersecurity Protection Advancement Act, a proprivacy, prosecurity bill that we desperately need to safeguard our digital networks. I would like to commend the subcommittee chairman, Mr. Ratcliffe, for his work on this bill as well as our minority counterparts, including Ranking Member Thompson and subcommittee Ranking Member Richmond for their joint work on this bill. This has been a noteworthy, bipartisan effort. I would also like to thank House Permanent Select Committee on Intelligence Chairman Devin Nunes and Ranking Member Adam Schiff for their input and collaboration. Lastly, I would like to thank Committee on the Judiciary Chairman Goodlatte and Ranking Member Conyers for their contribution. Make no mistake, we are in the middle of a silent crisis. At this very moment, our Nation's businesses are being robbed, and sensitive government information is being stolen. We are under siege by a faceless enemy whose tracks are covered in cyberspace. Sophisticated breaches at companies like Anthem, Target, Neiman Marcus, Home Depot, and JPMorgan have compromised the personal information of millions of private citizens. Nation-states like Iran and North Korea have launched digital bombs to get revenge at U.S.- based companies, while others like China are stealing intellectual property. We recently witnessed brazen cyber assaults against the White House and the State Department, which put sensitive government information at risk. In the meantime, our adversaries have been developing the tools to shut down everything from power grids to water systems so they can cripple our economy and weaken our ability to defend the United States. This bill will allow us to turn the tide against our enemies and ramp up our defenses by allowing for greater cyber threat information sharing. This bill will strengthen the Department of Homeland Security's National Cybersecurity and Communications Integration Center, or NCCIC. The NCCIC is a primary civilian interface for exchanging cyber threat information, and for good reason. It is not a cyber regulator. It is not looking to prosecute anyone, and it is not military or a spy agency. Its sole purpose, Mr. Chairman, is to prevent and respond to cyber attacks against our public and private networks while aggressively protecting Americans' privacy. Right now we are in a pre-9/11 moment in cyberspace. In the same way legal barriers and turf wars kept us from connecting the dots before 9/ 11, the lack of cyber threat information sharing makes us vulnerable to an attack. Companies are afraid to share because they do not feel they have the adequate legal protection to do so. H.R. 1731 removes those legal barriers and creates a safe harbor, which will encourage companies to voluntarily exchange information about attacks against their networks. This will allow both the government and private sector to spot digital attacks earlier and keep malicious actors outside of our networks and away from information that Americans expect to be defended. This bill also puts privacy and civil liberties first. It requires that personal information of our citizens be protected before it changes hands--whether it is provided to the government or exchanged between companies--so private citizens do not have their sensitive data exposed. Significantly, both industry and privacy groups have announced their support for this legislation because they recognize that we need to work together urgently to combat the cyber threat to this country. Today, we have a dangerously incomplete picture of the online war being waged against us, and it is costing Americans their time, money, and jobs. It is time for us to safeguard our digital frontier. This legislation is a necessary and vital step to do exactly that. Mr. Chairman, before I reserve the balance of my time, I would like to enter into the Record an exchange of letters between the chairman of the Committee on the Judiciary, Mr. Goodlatte, and myself, recognizing the jurisdictional interest of the Committee on the Judiciary in H.R. 1731. U.S. House of Representatives, Committee on the Judiciary, Washington, DC, April 21, 2015. Hon. Michael McCaul, Chairman, Committee on Homeland Security, Washington, DC. Dear Chairman McCaul: I am writing with respect to H.R. 1731, the ``National Cybersecurity Protection Advancement Act of 2015.'' As a result of your having consulted with us on provisions in H.R. 1731 that fall within the Rule X jurisdiction of the Committee on the Judiciary, I agree to waive consideration of this bill so that it may proceed expeditiously to the House floor for consideration. The Judiciary Committee takes this action with our mutual understanding that by foregoing consideration of H.R. 1731 at this time, we do not waive any jurisdiction over the subject matter contained in this or similar legislation, and that our Committee will be appropriately consulted and involved as the bill or similar legislation moves forward so that we may address any remaining issues in our jurisdiction. Our Committee also reserves the right to seek appointment of an appropriate number of conferees to any House-Senate conference involving this or similar legislation, and asks that you support any such request. I would appreciate a response to this letter confirming this understanding, and would ask that a copy of our exchange of letters on this matter be included in the Congressional Record during Floor consideration of H.R. 1731. Sincerely, Bob Goodlatte, Chairman. [[Page H2424]] ____ U.S. House of Representatives, Committee on Homeland Security, Washington, DC, April 21, 2015. Hon. Bob Goodlatte, Chairman, Committee on Judiciary, Washington, DC. Dear Chairman Goodlatte: Thank you for your letter regarding H.R. 1731, the ``National Cybersecurity Protection Advancement Act of 2015.'' I appreciate your support in bringing this legislation before the House of Representatives, and accordingly, understand that the Committee on Judiciary will not seek a sequential referral on the bill. The Committee on Homeland Security concurs with the mutual understanding that by foregoing a sequential referral of this bill at this time, the Judiciary does not waive any jurisdiction over the subject matter contained in this bill or similar legislation in the future. In addition, should a conference on this bill be necessary, I would support your request to have the Committee on Judiciary represented on the conference committee. I will insert copies of this exchange in the Congressional Record during consideration of this bill on the House floor. I thank you for your cooperation in this matter. Sincerely, Michael T. McCaul, Chairman, Committee on Homeland Security. Mr. McCAUL. With that, I urge my colleagues to support this important legislation. I reserve the balance of my time. Mr. THOMPSON of Mississippi. Mr. Chairman, I yield myself such time as I may consume. I rise in support of H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015. Mr. Chairman, every day U.S. networks face hundreds of millions of cyber hacking attempts and attacks. Many of these attacks target large corporations and negatively impact consumers. They are launched by common hackers as well as nation-states. As the Sony attack last year demonstrated, they have a great potential for harm and put our economy and homeland security at risk. Last week, it was reported that attacks against SCADA industrial control systems rose 100 percent between 2013 and 2014. Given that SCADA systems are essential to running our power plants, factories, and refineries, this is a very troubling trend. Just yesterday, we learned about an advanced persistent threat that has targeted high-profile individuals at the White House and State Department since last year. According to an industry expert, this cyber threat--nicknamed CozyDuke--includes malware, information-stealing programs, and antivirus back doors that bear the hallmarks of Russian cyber espionage tools. Mr. Chairman, cyber terrorists and cyber criminals are constantly innovating. Their success is dependent on their victims not being vigilant and protecting their systems. Cyber terrorists and cyber criminals exploit bad practices, like opening attachments and clicking links from unknown senders. That is why I am pleased that H.R. 1731 includes a provision authored by Representative Watson Coleman to authorize a national cyber public awareness campaign to promote greater cyber hygiene. Another key element of cybersecurity is, of course, information sharing about cyber threats. We have seen that when companies come forward and share their knowledge about imminent cyber threats, timely actions can be taken to prevent damage to vital IT networks. Thus, cybersecurity is one of those places where the old adage ``knowledge is power'' applies. That is why I am pleased H.R. 1731 authorizes private companies to voluntarily share timely cyber threat information and malware with DHS or other impacted companies. Under H.R. 1731, companies may voluntarily choose to share threat information to prevent future attacks to other systems. I am also pleased that the bill authorizes companies to monitor their own IT networks to identify penetrations and take steps to protect their networks from cyber threats. H.R. 1731 builds on bipartisan legislation enacted last year that authorized the Department of Homeland Security's National Cybersecurity and Communications Integration Center, commonly referred to as NCCIC. H.R. 1731 was unanimously approved by the committee last week and represents months of outreach to a diverse array of stakeholders from the private sector and the privacy community. Importantly, H.R. 1731 requires participating companies to make reasonable efforts prior to sharing to scrub the data to remove information that could identify a person when that person is not believed to be related to the threat. H.R. 1731 also directs DHS to scrub the data it receives and add an additional layer of privacy protection. Additionally, it requires the NCCIC to have strong procedures for protecting privacy, and calls for robust oversight by the Department's chief privacy officer, its chief civil rights and civil liberties officer, and inspector general, and the Privacy and Civil Liberties Oversight Board. I am a cosponsor of H.R. 1731, but as the White House observed earlier this week, improvements are needed to ensure that its liability protections are appropriately targeted. In its current form, it would potentially protect companies that are negligent in how they carry out authorized activities under the act. Mr. Chairman, before reserving the balance of my time, I wish to engage in a colloquy with the gentleman from Texas (Mr. McCaul) regarding the liability protection provisions of H.R. 1731. At the outset, I would like to express my appreciation for the gentleman's willingness to work with me and the other Democrats on the committee to develop this bipartisan legislation. We have a shared goal of bolstering cybersecurity and improving the quality of information that the private sector receives about timely cyber threats so that they can act to protect their networks and the valuable data stored on them. Therefore, it is concerning that the liability protection provision appears to undermine this shared goal insofar as it includes language that on its face incentivizes companies to do nothing about actionable cyber information. Specifically, I am speaking of the language on page 36, line 18, that extends liability protections to a company that fails to act on timely threat information provided by DHS or another impacted company. I would ask the gentleman from Texas to work with me to clarify the language as it moves through the legislative process to underscore that it is not Congress' intent to promote inaction by companies who have timely threat information. Mr. McCAUL. Will the gentleman yield? Mr. THOMPSON of Mississippi. I yield to the gentleman from Texas. Mr. McCAUL. Mr. Chair, I thank the gentleman from Mississippi for his question and would say that I do not completely share your view of that clause. I assure you that incentivizing companies to do nothing with timely threat information is certainly not the intent of this provision, as the author of this bill. On the contrary, I believe it is important that we provide companies with legal safe harbors to encourage sharing of cyber threat information and also believe that every company that participates in this information-sharing process, especially small- and medium-sized businesses, cannot be required to act upon every piece of cyber threat information they receive. As such, I support looking for ways to clarify that point with you, Mr. Thompson. I commit to working with you as this bill moves forward to look for ways to refine the language to ensure that it is consistent with our shared policy goal of getting timely information into the hands of businesses so that they can protect their networks and their data. {time} 0930 Mr. THOMPSON of Mississippi. Mr. Chairman, I reserve the balance of my time. Mr. McCAUL. Mr. Chairman, I now yield 5 minutes to the gentleman from Texas (Mr. Ratcliffe), the chairman of the Subcommittee on Cybersecurity, my close ally and colleague on this legislation. Mr. RATCLIFFE. I thank the gentleman for yielding. Mr. Chairman, I am grateful for the opportunity to work with Chairman McCaul in crafting the National Cybersecurity Protection Advancement Act. I would also like to thank Ranking Members Richmond and Thompson for their hard work on this issue; and a special thank you to the Homeland Security staff, who worked incredibly [[Page H2425]] hard to bring this important bill to the floor today. Mr. Chairman, for years now, the private sector has been on the front lines in trying to guard against potentially devastating cyber attacks. Just 2 months ago, one of the Nation's largest health insurance providers, Anthem, suffered a devastating cyber attack that compromised the personal information and health records of more than 80 million Americans. The consequences of that breach hit home for many of those Americans just a week ago, on tax day, when thousands of them tried to file their tax returns, only to see them be rejected because cyber criminals had used their information to file false tax returns. Mr. Chairman, attacks like these serve as a wake-up call to all Americans and provide clear evidence that our cyber adversaries have the upper hand. The consequences will get even worse if we fail to tackle this issue head on because even greater and more frightening threats exist, ones that extend to the critical infrastructure that support our very way of life. I am talking about cyber attacks against the networks which control our bridges, our dams, our power grids, rails, and even our water supply. Attacks on this critical infrastructure have the potential to produce sustained blackouts, halt air traffic, shut off fuel supplies, or, even worse, contaminate the air, food, and water that we need to survive. These scenarios paint a picture of economic crisis and physical chaos that are, unfortunately, all too real and all too possible right now. Mr. Chairman, 85 percent of our Nation's critical infrastructure is controlled by the private sector, not by the government, a fact which underscores the reality that America's security, when it comes to defending against cyber attacks, largely depends on the security of our private networks. The simple truth is that many in the private sector can't defend their networks or our critical infrastructure against these threats. H.R. 1731 provides a solution for the rapid sharing of important cyber threat information to minimize or, in some cases, prevent the cyber attacks from being successful. Through the Department of Homeland Security's National Cybersecurity Communication and Integration Center, or NCCIC, this bill will facilitate the sharing of cyber threat indicators between the private sector entities and between the private sector and the Federal Government. With carefully crafted liability protections, private entities would finally be able to share cyber threat indicators with their private sector counterparts through the NCCIC without fear of liability. The sharing of these cyber threat indicators, or, more specifically, the tools, techniques, and tactics used by cyber intruders, will arm those who protect our networks with the valuable information they need to fortify our defenses against future cyber attacks. Because some have said that prior proposals didn't go far enough in safeguarding personal privacy, this bill addresses those concerns with robust privacy measures that ensure the protection of Americans' personal information and private data. H.R. 1731 will provide protection only for sharing that is done voluntarily with the Department of Homeland Security's NCCIC, which is a civilian entity. It does not provide for or allow sharing with the NSA or the Department of Defense. In fact, this bill expressly prohibits information from being used for surveillance purposes. This bill also limits the type of information that can be shared, and it requires the removal of all personally identifiable information, which is scrubbed out before the cyber threat indicators can be shared. In short, this bill improves and increases protection for the personal privacy of Americans, which currently remains so vulnerable to malicious attacks from our cyber adversaries. Mr. Chairman, the status quo isn't working when it comes to defending against cyber threats. The need to better secure Americans' personal information and better protect and safeguard our critical infrastructure is precisely what compels congressional action right now. I strongly endorse the passage of this vital legislation, and I urge my colleagues on both sides of the aisle to support it as well. I thank the gentleman from Texas for his leadership. Mr. THOMPSON of Mississippi. Mr. Chairman, I yield 3 minutes to the gentleman from Rhode Island (Mr. Langevin). (Mr. LANGEVIN asked and was given permission to revise and extend his remarks.) Mr. LANGEVIN. I thank the gentleman for yielding. Mr. Chairman, I am very pleased to be back on the floor today to support the House's second major piece of cybersecurity legislation in less than 24 hours. As I said yesterday afternoon, it has been a long time coming, for sure. Cybersecurity has been a passion of mine for nearly a decade, and I am absolutely thrilled that, after years of hard work, the House, the Senate, and the President finally are beginning to see eye-to-eye. The National Cybersecurity Protection Advancement Act has at its core three basic authorizations. First, it authorizes private entities and the DHS's NCCIC to share, for cybersecurity purposes only, cyber threat indicators that have been stripped of personal information and details. Second, it allows businesses to monitor their networks in search of cybersecurity risks. And third, it authorizes companies to deploy limited defensive measures to protect their systems from malicious actors. Those three authorizations perfectly describe the information-sharing regime we so desperately need. Under the act, companies would collect information on threats, share it with their peers and with a civilian portal, and then use the indicators they have received to defend themselves. Data are scrubbed of personal identifiable information before they are shared and after they are received by the NCCIC. Companies are offered limited liability protections for sharing information they gather in accordance with this bill. This legislation also provides for the deployment of rapid automated sharing protocols--something DHS has been hard at work on with the STIX/TAXII program--and it expands last year's NCCIC authorization. Mr. Chairman, I do believe that the liability protections contained in this bill may prove overly broad, and I certainly hope that we can address that point as the legislative process continues, particularly, hopefully, when we get to a conference committee on this issue. Overall, though, it is a fine piece of legislation, and I wholeheartedly congratulate Chairman McCaul, Ranking Member Thompson, Subcommittee Chairman Ratcliffe, and Ranking Member Richmond, as well as the other members of the committee and especially committee staff, for a job well done. Information-sharing legislation, Mr. Chairman, is not a silver bullet by any means, but it will substantially improve our Nation's cyber defenses and get us to a place where our Nation is much more secure in cyberspace than where we are today. Protecting critical infrastructure, of course, is among our chief concerns. That will allow for the type of information sharing that will get us to a much more secure place. So, Mr. Chairman, I urge my colleagues to support this bill, and I hope that the Senate will quickly follow suit. Mr. McCAUL. Mr. Chairman, I yield such time as she may consume to the gentlewoman from Michigan (Mrs. Miller), the vice chairman of the Homeland Security Committee. Mrs. MILLER of Michigan. Mr. Chairman, first of all, I want to thank the distinguished chairman for yielding the time. I think you can see by the comments that have been made thus far that we have a very bipartisan bill and a bipartisan approach. That is, through our committee, in no short measure because of the leadership that Chairman McCaul and, quite frankly, our ranking member have exhibited with the vision that they have had, these two gentlemen working together, and both the chair and the ranking member on our Subcommittee on Cybersecurity, Mr. Ratcliffe and Mr. Richmond as well. [[Page H2426]] This really has been a tremendous effort, and so important for our country. This particular issue, obviously, is certainly a bipartisan issue. I say that, Mr. Chairman, because our Constitution makes the first and foremost responsibility of the Federal Government to provide for the common defense. That is actually in the preamble of our Constitution. In our modern world, those who are seeking harm to our Nation, to our citizens, to our companies, can use many different means, including attacks over the Internet to attack our Nation. Recent cyber attacks on U.S. companies like Sony, Target, and Home Depot not only harm these companies, Mr. Chairman, but they harm the American citizens who do business with them, putting their most personal private information at risk. These threats, as are well known, are coming from nation-states like North Korea, Russia, Iran, China, as well as cyber criminals seeking to steal not only personal information but also intellectual property and sensitive government information. In today's digital world, we have a duty to defend ourselves against cyber espionage, and the best way to combat these threats is to first recognize the threat and combine private and government resources and intelligence. Mr. Chairman, that is exactly what this bill does. Mr. Chairman, I think this bill will help to facilitate greater cooperation and efforts to protect our Nation's digital infrastructure, including power grids and other utilities and other services that everyday Americans rely on each and every day. By removing barriers, which will allow private companies to voluntarily share their cybersecurity threat information with the Department of Homeland Security and/or other companies, I think we will in a very large way improve earlier detection and mitigation of potential threats. Additionally, this legislation that we are debating on the floor today ensures that personal identification information is removed prior to sharing information related to cyber threats and that very strong safeguards are in place to protect personal privacy and civil liberties. Mr. Chairman, I point that out because that was something that was discussed a lot by practically every member of the Homeland Security Committee. We were all very, very united on that issue. And I think that is an important critical component, a point to make, and it is reflected in this legislation. As Mr. Ratcliffe mentioned just earlier, 85 percent of America's critical infrastructure is owned and operated by the private sector-- think about that, 85 percent--which means that cyber threats pose as much of an economic threat to the United States as they do to our security, and we have a constitutional responsibility, as I pointed out in the beginning, to protect ourselves, to protect our Nation, to protect our American citizens from this ever-evolving threat. So, Mr. Chairman, I would urge that all of my colleagues join me, join all of us on our committee, in voting in favor of this important legislation that will provide an additional line, and a very important line, of defense against cyber attacks. The CHAIR. The Committee will rise informally. The Speaker pro tempore (Mr. Loudermilk) assumed the chair. ____________________ [Congressional Record Volume 161, Number 60 (Thursday, April 23, 2015)] [House] [Pages H2426-H2446] From the Congressional Record Online through the Government Publishing Office [www.gpo.gov] NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015 The Committee resumed its sitting. Mr. THOMPSON of Mississippi. Mr. Chairman, I yield 2 minutes to the gentleman from Virginia (Mr. Connolly). Mr. CONNOLLY. I thank my dear friend from Mississippi (Mr. Thompson), and I commend him and the distinguished chairman of the committee, Mr. McCaul, for their wonderful work on this bill. Mr. Chairman, we cannot wait. America cannot wait for a cyber Pearl Harbor. This issue--cybersecurity--may be the most complex and difficult challenge we confront long term as a nation. In the wired 21st century, the line between our physical world and cyberspace continues to blur with every aspect of our lives, from social interaction to commerce. Yet the remarkable gains that have accompanied an increasingly digital and connected society also have opened up new, unprecedented vulnerabilities that threaten to undermine this progress and cause great harm to our country's national security, critical infrastructure, and economy. {time} 0945 It is long overdue for Congress to modernize our cyber laws to address those vulnerabilities present in both public and private networks. The bills before us this week are a step in the right direction, and I am glad to support them, but they are a first step. Information sharing alone does not inoculate or even defend us from cyber attacks. Indeed, in the critical three P's of enhancing cybersecurity--people, policies, and practices--the measures before us make improvements primarily to policy. I commend the two committees for working in a bipartisan fashion to improve privacy and transparency protections. More is still needed to safeguard the civil liberties of our constituents. Further, I hope that the broad liability protections provided by these bills will, in fact, be narrowed upon further consultation with the Senate. Cybersecurity must be a shared public-private responsibility, and that includes the expectation and requirement that our partners will, in fact, take reasonable actions. Moving forward, I hope Congress will build on this effort to address the security of critical infrastructure, the vast majority of which, as has been already pointed out, is owned and operated by the private sector. The CHAIR. The time of the gentleman has expired. Mr. THOMPSON of Mississippi. I yield the gentleman an additional 30 seconds. Mr. CONNOLLY. We also need to strengthen our Nation's cyber workforce, devise effective data breach notification policies, and bring about a wholesale cultural revolution so that society fully understands the critical importance of good cyber hygiene. The bottom line is that our vulnerability in cyberspace demands that we take decisive action and take it now, but much like the tactics used in effective cybersecurity, we must recognize that enhancing our cyber defenses is an iterative process that requires continuous effort. I congratulate the staffs and the leadership of the committee. Mr. McCAUL. Mr. Chairman, I yield 5 minutes to the gentleman from Georgia (Mr. Loudermilk), a member of the Committee on Homeland Security. Mr. LOUDERMILK. Mr. Chairman, over the past 40 years, we have experienced advancements in information technology that literally have transformed business, education, government; it has even transformed our culture. Information research that only a couple of decades ago would take days, months, maybe even years to accomplish is available, quite literally, at our fingertips and instantaneously. Other aspects of our lives have also been shaped by this immediate access to information. Shopping, you can go shopping without ever going to a store. You can conduct financial transactions without ever going to a bank. You can even have access to entertainment without ever going to a theater. These advancements in technology have not only transformed the way we access and store information, but it has also transformed the way we communicate. No longer is instantaneous voice-to-voice communication only available through a phone call, but people around the world instantly connect with one another with a variety of methods, from email, instant text messaging, even video conferencing, and [[Page H2427]] this can be all down while you are on the move. You don't even have to be chained to a desk or in your business office. Really, every aspect of our culture has been affected by the advancements in information technology, and, for the most part, our lives have been improved by these advancements. As an IT professional, with 30-plus years' experience in both the military and private sector, I know firsthand the benefits of this instant access to endless amounts of information, but, on the other hand, I know all too well the vulnerabilities of these systems. For the past 20 years, I have assisted businesses and governments to automate their operations and ensure they can access their networks anytime and from anywhere. However, this global access to information requires a global interconnection of these systems. At almost any time during the day, Americans are connected to this global network through their phones, tablets, health monitors, and car navigation systems. Even home security systems are now connected to the Internet. We have become dependent on this interconnection and so have the businesses and government entities that provide crucial services that we rely on, but as our dependence on technology has grown, so have our vulnerabilities. Cyberspace is the new battleground, a battleground for a multitude of adversaries. Foreign nations, international terrorist organizations, and organized crime regularly target our citizens, businesses, and government. Unlike traditional combat operations, cyber attackers don't require sophisticated weaponry to carry out their warfare. On the cyber battlefield, a single individual with a laptop computer can wreak havoc on business, the economy, even our critical infrastructure. In the past several months, we have seen an increasing number of cyber attacks on national security systems and private company networks, breaching critical information. Earlier this year, Anthem BlueCross BlueShield's IT system was hacked by a highly sophisticated cyber attacker, obtaining personal employee and consumer data, including names, Social Security numbers, and mailing addresses. An old adage among IT professionals states: There are two types of computer users, those who have been hacked and those who don't know that they have been hacked. Today, this is truer than ever before. The incredible advancements made by the IT industry over the past three decades have been predominantly due to the competitive nature of the free market. Without the overbearing constraints of government bureaucracy, oversight, and regulation, technology entrepreneurs have had the freedom to bring new innovations to the market with little cost and in record amount of time. It is clear that our greatest advancements in technology have come from the private sector. That is why it is imperative that the government partner with the private sector to combat cyber attacks against our Nation. The bill being debated in this House today, the National Cybersecurity Protection Advancement Act, puts in place a framework for voluntary partnership between government and the private sector to share information to protect against and combat against cyber attacks. Through this voluntary sharing of critical information, businesses and government will voluntarily work together to respond to attacks and to prevent our enemies from corrupting networks, attacking our highly sensitive data systems, and compromising our personal privacy information. While protecting individual privacy, this legislation also includes liability protections for the sharing of cyber threat information and thereby promotes information sharing that enhances the national cybersecurity posture. We are no longer solely dealing with groups of hackers and terrorists, but individuals who target large networks, corrupt our database, and get hold of private material. With today's evolving technology, we must make sure we are affirming individual privacy rights and safeguarding both government and private sector databases from cyberterrorism. Protecting the civil liberties of the citizens of the United States is a top priority for me, and it should be for this Congress. The CHAIR. The time of the gentleman has expired. Mr. McCAUL. I yield the gentleman an additional 30 seconds. Mr. LOUDERMILK. That is why I do support H.R. 1731, because it provides that framework of cooperation between the government and the private industry, and it provides the protections and liability protections our industries need. We must have this bill. I do stand in support of it, and I thank you for allowing me this time to speak. Mr. THOMPSON of Mississippi. Mr. Chairman, I have no additional requests for time, so I reserve the balance of my time. Mr. McCAUL. Mr. Chairman, I yield such time as he may consume to the gentleman from Texas (Mr. Hurd), a member of the Homeland Security Committee. Mr. HURD of Texas. Mr. Chairman, I have spent almost 9 years, or a little bit over 9 years, as an undercover officer in the CIA. I chased al Qaeda, Taliban. Towards the end of my career, we started spending a lot more time focusing on cyber criminals, Russian organized crime, state sponsors of terror like Iran. What this bill does is it helps in the protection of our digital infrastructure, both public and private, against this increasing threat. I had the opportunity to help build a cybersecurity company, and seeing the threats to our infrastructure is great. This bill, which I rise in support of, is going to create that framework in order for the public and the private sector to work together against these threats. When I was doing this for a living, you give me enough time, I am going to get in your network. We have to change our mindset and begin with the presumption of breach. How do we stop someone? How do we detect someone getting in our system? How do we corral them? And how do we kick them off? H.R. 1731 is a great start in doing this and making sure that we have the right protections. We also are helping small- and medium-sized businesses with this bill, making sure that a lot of them have the resources that some larger businesses do and making sure that the Department of Homeland Security is providing as much information to them so that they can keep their company and their customers safe. I would like to commend everyone on both sides of the aisle that is working to make this bill happen, and I look forward to seeing this get past this House and our colleagues in the Senate. Mr. THOMPSON of Mississippi. Mr. Chairman, I continue to reserve the balance of my time. Mr. McCAUL. Mr. Chairman, I have no further requests for time. I am prepared to close if the gentleman from Mississippi is prepared to close. I reserve the balance of my time. Mr. THOMPSON of Mississippi. Mr. Chairman, I yield myself such time as I may consume. As someone involved in this issue for many years, I am not surprised by the overwhelming support that H.R. 1731 has garnered. Today, the House has the opportunity to join with the President and stakeholders from across our critical infrastructure sectors to make our Nation more secure. By casting a vote in favor of H.R. 1731, you will be putting the Department of Homeland Security, the Federal civilian lead for cyber information sharing, on a path to fully partnering with the private sector to protect the U.S. networks. Mr. Chairman, I yield back the balance of my time. Mr. McCAUL. Mr. Chairman, I yield myself such time as I may consume. Mr. Chairman, we are at a pivotal moment today and face a stark reality. The cyber threats to America have gone from bad to severe, and in many ways, we are flying blind. The current level of cyber threat information sharing won't cut it. In the same way that we failed to stop terrorist attacks in the past, we are not connecting the dots well enough to prevent digital assaults against our Nation's networks. [[Page H2428]] The information we need to stop destructive breaches is held in silos, rather than being shared, preventing us from mounting an aggressive defense. In fact, the majority of cyber intrusions go unreported, leaving our networks vulnerable to the same attacks. When sharing does happen, it is often too little and too late. If we don't pass this legislation to enhance cyber threat information sharing, we will be failing the American people and ceding more ground to our adversaries. I hope, today, that we have the momentum to reverse the tide and to do what the American people expect of us, pass prosecurity, proprivacy legislation to better safeguard our public and private networks. Our inaction would be a permission slip for criminals, hacktivists, terrorists, and nation-states to continue to steal our data and to do our people harm. I appreciate the collaboration from Members across the aisle and from other committees in developing this legislation. I would like to specifically commend, again, subcommittee Chairman Ratcliffe for his work on this bill, as well as our minority counterparts, including Ranking Member Thompson and subcommittee Ranking Member Richmond for their joint work on this bill. Mr. Chairman, I urge my colleagues to pass H.R. 1731. I yield back the balance of my time. Mr. VAN HOLLEN. Mr. Chair, I rise today to oppose H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015. I commend Chairman McCaul and Ranking Member Thompson for crafting a cybersecurity bill that improves upon legislation this body has previously voted on, but ultimately I cannot support it in its current form. As was the case with yesterday's bill, the Protecting Cyber Networks Act (H.R. 1560), I continue to have concerns about the ambiguous liability provisions in this legislation. Specifically, H.R. 1731 would grant immunity to companies for simply putting forth a ``good faith'' effort when reporting security threats to the Department of Homeland Security. Like H.R. 1560, companies would receive liability protection even if they fail to act on threat information in a timely manner. I was disappointed that Republicans did not allow a vote on any of the seven amendments offered to improve the liability provisions in this bill. I strongly believe that we must take steps to protect against these cyber threats while not sacrificing our privacy and civil liberties. It is my hope that many of these murky liability provisions can be resolved in the Senate, but I cannot support this bill as it stands today. THE CHAIR. All time for general debate has expired. In lieu of the amendment in the nature of a substitute recommended by the Committee on Homeland Security, printed in the bill, it shall be in order to consider as an original bill, for the purpose of amendment under the 5-minute rule, an amendment in the nature of a substitute consisting of the text of Rules Committee Print 114-12. That amendment in the nature of a substitute shall be considered as read. The text of the amendment in the nature of a substitute is as follows: H.R. 1731 Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``National Cybersecurity Protection Advancement Act of 2015''. SEC. 2. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER. (a) Definitions.-- (1) In general.--Subsection (a) of the second section 226 of the Homeland Security Act of 2002 (6 U.S.C. 148; relating to the National Cybersecurity and Communications Integration Center) is amended-- (A) in paragraph (3), by striking ``and'' at the end; (B) in paragraph (4), by striking the period at the end and inserting ``; and''; and (C) by adding at the end the following new paragraphs: ``(5) the term `cyber threat indicator' means technical information that is necessary to describe or identify-- ``(A) a method for probing, monitoring, maintaining, or establishing network awareness of an information system for the purpose of discerning technical vulnerabilities of such information system, if such method is known or reasonably suspected of being associated with a known or suspected cybersecurity risk, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cybersecurity risk; ``(B) a method for defeating a technical or security control of an information system; ``(C) a technical vulnerability, including anomalous technical behavior that may become a vulnerability; ``(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; ``(E) a method for unauthorized remote identification of, access to, or use of an information system or information that is stored on, processed by, or transiting an information system that is known or reasonably suspected of being associated with a known or suspected cybersecurity risk; ``(F) the actual or potential harm caused by a cybersecurity risk, including a description of the information exfiltrated as a result of a particular cybersecurity risk; ``(G) any other attribute of a cybersecurity risk that cannot be used to identify specific persons reasonably believed to be unrelated to such cybersecurity risk, if disclosure of such attribute is not otherwise prohibited by law; or ``(H) any combination of subparagraphs (A) through (G); ``(6) the term `cybersecurity purpose' means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity risk or incident; ``(7)(A) except as provided in subparagraph (B), the term `defensive measure' means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity risk or incident, or any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control; ``(B) such term does not include a measure that destroys, renders unusable, or substantially harms an information system or data on an information system not belonging to-- ``(i) the non-Federal entity, not including a State, local, or tribal government, operating such measure; or ``(ii) another Federal entity or non-Federal entity that is authorized to provide consent and has provided such consent to the non-Federal entity referred to in clause (i); ``(8) the term `network awareness' means to scan, identify, acquire, monitor, log, or analyze information that is stored on, processed by, or transiting an information system; ``(9)(A) the term `private entity' means a non-Federal entity that is an individual or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or non-profit entity, including an officer, employee, or agent thereof; ``(B) such term includes a component of a State, local, or tribal government performing electric utility services; ``(10) the term `security control' means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentially, integrity, or availability of an information system or information that is stored on, processed by, or transiting an information system; and ``(11) the term `sharing' means providing, receiving, and disseminating.''. (b) Amendment.--Subparagraph (B) of subsection (d)(1) of such second section 226 of the Homeland Security Act of 2002 is amended-- (1) in clause (i), by striking ``and local'' and inserting ``, local, and tribal''; (2) in clause (ii)-- (A) by inserting ``, including information sharing and analysis centers'' before the semicolon; and (B) by striking ``and'' at the end; (3) in clause (iii), by striking the period at the end and inserting ``; and''; and (4) by adding at the end the following new clause: ``(iv) private entities.''. SEC. 3. INFORMATION SHARING STRUCTURE AND PROCESSES. The second section 226 of the Homeland Security Act of 2002 (6 U.S.C. 148; relating to the National Cybersecurity and Communications Integration Center) is amended-- (1) in subsection (c)-- (A) in paragraph (1)-- (i) by striking ``a Federal civilian interface'' and inserting ``the lead Federal civilian interface''; and (ii) by striking ``cybersecurity risks,'' and inserting ``cyber threat indicators, defensive measures, cybersecurity risks,''; (B) in paragraph (3), by striking ``cybersecurity risks'' and inserting ``cyber threat indicators, defensive measures, cybersecurity risks,''; (C) in paragraph (5)(A), by striking ``cybersecurity risks'' and inserting ``cyber threat indicators, defensive measures, cybersecurity risks,''; (D) in paragraph (6)-- (i) by striking ``cybersecurity risks'' and inserting ``cyber threat indicators, defensive measures, cybersecurity risks,''; and (ii) by striking ``and'' at the end; (E) in paragraph (7)-- (i) in subparagraph (A), by striking ``and'' at the end; (ii) in subparagraph (B), by striking the period at the end and inserting ``; and''; and (iii) by adding at the end the following new subparagraph: ``(C) sharing cyber threat indicators and defensive measures;''; and (F) by adding at the end the following new paragraphs ``(8) engaging with international partners, in consultation with other appropriate agencies, to-- ``(A) collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and ``(B) enhance the security and resilience of global cybersecurity; ``(9) sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate; ``(10) promptly notifying the Secretary and the Committee on Homeland Security of the House of Representatives and the Committee on [[Page H2429]] Homeland Security and Governmental Affairs of the Senate of any significant violations of the policies and procedures specified in subsection (i)(6)(A); ``(11) promptly notifying non-Federal entities that have shared cyber threat indicators or defensive measures that are known or determined to be in error or in contravention of the requirements of this section; and ``(12) participating, as appropriate, in exercises run by the Department's National Exercise Program.''; (2) in subsection (d)-- (A) in subparagraph (D), by striking ``and'' at the end; (B) by redesignating subparagraph (E) as subparagraph (J); and (C) by inserting after subparagraph (D) the following new subparagraphs: ``(E) an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; ``(F) a United States Computer Emergency Readiness Team that coordinates information related to cybersecurity risks and incidents, proactively and collaboratively addresses cybersecurity risks and incidents to the United States, collaboratively responds to cybersecurity risks and incidents, provides technical assistance, upon request, to information system owners and operators, and shares cyber threat indicators, defensive measures, analysis, or information related to cybersecurity risks and incidents in a timely manner; ``(G) the Industrial Control System Cyber Emergency Response Team that-- ``(i) coordinates with industrial control systems owners and operators; ``(ii) provides training, upon request, to Federal entities and non-Federal entities on industrial control systems cybersecurity; ``(iii) collaboratively addresses cybersecurity risks and incidents to industrial control systems; ``(iv) provides technical assistance, upon request, to Federal entities and non-Federal entities relating to industrial control systems cybersecurity; and ``(v) shares cyber threat indicators, defensive measures, or information related to cybersecurity risks and incidents of industrial control systems in a timely fashion; ``(H) a National Coordinating Center for Communications that coordinates the protection, response, and recovery of emergency communications; ``(I) an entity that coordinates with small and medium- sized businesses; and''; (3) in subsection (e)-- (A) in paragraph (1)-- (i) in subparagraph (A), by inserting ``cyber threat indicators, defensive measures, and'' before ``information''; (ii) in subparagraph (B), by inserting ``cyber threat indicators, defensive measures, and'' before ``information''; (iii) in subparagraph (F), by striking ``cybersecurity risks'' and inserting ``cyber threat indicators, defensive measures, cybersecurity risks,''; (iv) in subparagraph (F), by striking ``and'' at the end; (v) in subparagraph (G), by striking ``cybersecurity risks'' and inserting ``cyber threat indicators, defensive measures, cybersecurity risks,''; and (vi) by adding at the end the following: ``(H) the Center ensures that it shares information relating to cybersecurity risks and incidents with small and medium-sized businesses, as appropriate; and ``(I) the Center designates an agency contact for non- Federal entities;''; (B) in paragraph (2)-- (i) by striking ``cybersecurity risks'' and inserting ``cyber threat indicators, defensive measures, cybersecurity risks,''; and (ii) by inserting ``or disclosure'' before the semicolon at the end; and (C) in paragraph (3), by inserting before the period at the end the following: ``, including by working with the Chief Privacy Officer appointed under section 222 to ensure that the Center follows the policies and procedures specified in subsection (i)(6)(A)''; and (4) by adding at the end the following new subsections: ``(g) Rapid Automated Sharing.-- ``(1) In general.--The Under Secretary for Cybersecurity and Infrastructure Protection, in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the timely sharing of cyber threat indicators and defensive measures to and from the Center and with each Federal agency designated as the `Sector Specific Agency' for each critical infrastructure sector in accordance with subsection (h). ``(2) Biannual report.--The Under Secretary for Cybersecurity and Infrastructure Protection shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a biannual report on the status and progress of the development of the capability described in paragraph (1). Such reports shall be required until such capability is fully implemented. ``(h) Sector Specific Agencies.--The Secretary, in collaboration with the relevant critical infrastructure sector and the heads of other appropriate Federal agencies, shall recognize the Federal agency designated as of March 25, 2015, as the `Sector Specific Agency' for each critical infrastructure sector designated in the Department's National Infrastructure Protection Plan. If the designated Sector Specific Agency for a particular critical infrastructure sector is the Department, for purposes of this section, the Secretary is deemed to be the head of such Sector Specific Agency and shall carry out this section. The Secretary, in coordination with the heads of each such Sector Specific Agency, shall-- ``(1) support the security and resilience actives of the relevant critical infrastructure sector in accordance with this section; ``(2) provide institutional knowledge, specialized expertise, and technical assistance upon request to the relevant critical infrastructure sector; and ``(3) support the timely sharing of cyber threat indicators and defensive measures with the relevant critical infrastructure sector with the Center in accordance with this section. ``(i) Voluntary Information Sharing Procedures.-- ``(1) Procedures.-- ``(A) In general.--The Center may enter into a voluntary information sharing relationship with any consenting non- Federal entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes in accordance with this section. Nothing in this section may be construed to require any non-Federal entity to enter into any such information sharing relationship with the Center or any other entity. The Center may terminate a voluntary information sharing relationship under this subsection if the Center determines that the non-Federal entity with which the Center has entered into such a relationship has, after repeated notice, repeatedly violated the terms of this subsection. ``(B) National security.--The Secretary may decline to enter into a voluntary information sharing relationship under this subsection if the Secretary determines that such is appropriate for national security. ``(2) Voluntary information sharing relationships.--A voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph. ``(A) Standard agreement.--For the use of a non-Federal entity, the Center shall make available a standard agreement, consistent with this section, on the Department's website. ``(B) Negotiated agreement.--At the request of a non- Federal entity, and if determined appropriate by the Center, the Department shall negotiate a non-standard agreement, consistent with this section. ``(C) Existing agreements.--An agreement between the Center and a non-Federal entity that is entered into before the date of the enactment of this section, or such an agreement that is in effect before such date, shall be deemed in compliance with the requirements of this subsection, notwithstanding any other provision or requirement of this subsection. An agreement under this subsection shall include the relevant privacy protections as in effect under the Cooperative Research and Development Agreement for Cybersecurity Information Sharing and Collaboration, as of December 31, 2014. Nothing in this subsection may be construed to require a non-Federal entity to enter into either a standard or negotiated agreement to be in compliance with this subsection. ``(3) Information sharing authorization.-- ``(A) In general.--Except as provided in subparagraph (B), and notwithstanding any other provision of law, a non-Federal entity may, for cybersecurity purposes, share cyber threat indicators or defensive measures obtained on its own information system, or on an information system of another Federal entity or non-Federal entity, upon written consent of such other Federal entity or non-Federal entity or an authorized representative of such other Federal entity or non-Federal entity in accordance with this section with-- ``(i) another non-Federal entity; or ``(ii) the Center, as provided in this section. ``(B) Lawful restriction.--A non-Federal entity receiving a cyber threat indicator or defensive measure from another Federal entity or non-Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing Federal entity or non-Federal entity. ``(C) Removal of information unrelated to cybersecurity risks or incidents.--Federal entities and non-Federal entities shall, prior to such sharing, take reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risks or incident and to safeguard information that can be used to identify specific persons from unintended disclosure or unauthorized access or acquisition. ``(D) Rule of construction.--Nothing in this paragraph may be construed to-- ``(i) limit or modify an existing information sharing relationship; ``(ii) prohibit a new information sharing relationship; ``(iii) require a new information sharing relationship between any non-Federal entity and a Federal entity; ``(iv) limit otherwise lawful activity; or ``(v) in any manner impact or modify procedures in existence as of the date of the enactment of this section for reporting known or suspected criminal activity to appropriate law enforcement authorities or for participating voluntarily or under legal requirement in an investigation. ``(E) Coordinated vulnerability disclosure.--The Under Secretary for Cybersecurity and Infrastructure Protection, in coordination with industry and other stakeholders, shall develop, publish, and adhere to policies and procedures for coordinating vulnerability disclosures, to the extent practicable, consistent with international standards in the information technology industry. [[Page H2430]] ``(4) Network awareness authorization.-- ``(A) In general.--Notwithstanding any other provision of law, a non-Federal entity, not including a State, local, or tribal government, may, for cybersecurity purposes, conduct network awareness of-- ``(i) an information system of such non-Federal entity to protect the rights or property of such non-Federal entity; ``(ii) an information system of another non-Federal entity, upon written consent of such other non-Federal entity for conducting such network awareness to protect the rights or property of such other non-Federal entity; ``(iii) an information system of a Federal entity, upon written consent of an authorized representative of such Federal entity for conducting such network awareness to protect the rights or property of such Federal entity; or ``(iv) information that is stored on, processed by, or transiting an information system described in this subparagraph. ``(B) Rule of construction.--Nothing in this paragraph may be construed to-- ``(i) authorize conducting network awareness of an information system, or the use of any information obtained through such conducting of network awareness, other than as provided in this section; or ``(ii) limit otherwise lawful activity. ``(5) Defensive measure authorization.-- ``(A) In general.--Except as provided in subparagraph (B) and notwithstanding any other provision of law, a non-Federal entity, not including a State, local, or tribal government, may, for cybersecurity purposes, operate a defensive measure that is applied to-- ``(i) an information system of such non-Federal entity to protect the rights or property of such non-Federal entity; ``(ii) an information system of another non-Federal entity upon written consent of such other non-Federal entity for operation of such defensive measure to protect the rights or property of such other non-Federal entity; ``(iii) an information system of a Federal entity upon written consent of an authorized representative of such Federal entity for operation of such defensive measure to protect the rights or property of such Federal entity; or ``(iv) information that is stored on, processed by, or transiting an information system described in this subparagraph. ``(B) Rule of construction.--Nothing in this paragraph may be construed to-- ``(i) authorize the use of a defensive measure other than as provided in this section; or ``(ii) limit otherwise lawful activity. ``(6) Privacy and civil liberties protections.-- ``(A) Policies and procedures.-- ``(i) In general.--The Under Secretary for Cybersecurity and Infrastructure Protection shall, in coordination with the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer of the Department, establish and annually review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents shared with the Center in accordance with this section. Such policies and procedures shall apply only to the Department, consistent with the need to protect information systems from cybersecurity risks and incidents and mitigate cybersecurity risks and incidents in a timely manner, and shall-- ``(I) be consistent with the Department's Fair Information Practice Principles developed pursuant to section 552a of title 5, United States Code (commonly referred to as the `Privacy Act of 1974' or the `Privacy Act'), and subject to the Secretary's authority under subsection (a)(2) of section 222 of this Act; ``(II) reasonably limit, to the greatest extent practicable, the receipt, retention, use, and disclosure of cyber threat indicators and defensive measures associated with specific persons that is not necessary, for cybersecurity purposes, to protect a network or information system from cybersecurity risks or mitigate cybersecurity risks and incidents in a timely manner; ``(III) minimize any impact on privacy and civil liberties; ``(IV) provide data integrity through the prompt removal and destruction of obsolete or erroneous names and personal information that is unrelated to the cybersecurity risk or incident information shared and retained by the Center in accordance with this section; ``(V) include requirements to safeguard cyber threat indicators and defensive measures retained by the Center, including information that is proprietary or business- sensitive that may be used to identify specific persons from unauthorized access or acquisition; ``(VI) protect the confidentiality of cyber threat indicators and defensive measures associated with specific persons to the greatest extent practicable; and ``(VII) ensure all relevant constitutional, legal, and privacy protections are observed. ``(ii) Submission to congress.--Not later than 180 days after the date of the enactment of this section and annually thereafter, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department, in consultation with the Privacy and Civil Liberties Oversight Board (established pursuant to section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee)), shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate the policies and procedures governing the sharing of cyber threat indicators, defensive measures, and information related to cybsersecurity risks and incidents described in clause (i) of subparagraph (A). ``(iii) Public notice and access.--The Under Secretary for Cybersecurity and Infrastructure Protection, in consultation with the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer of the Department, and the Privacy and Civil Liberties Oversight Board (established pursuant to section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee)), shall ensure there is public notice of, and access to, the policies and procedures governing the sharing of cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents. ``(iv) Consultation.--The Under Secretary for Cybersecurity and Infrastructure Protection when establishing policies and procedures to support privacy and civil liberties may consult with the National Institute of Standards and Technology. ``(B) Implementation.--The Chief Privacy Officer of the Department, on an ongoing basis, shall-- ``(i) monitor the implementation of the policies and procedures governing the sharing of cyber threat indicators and defensive measures established pursuant to clause (i) of subparagraph (A); ``(ii) regularly review and update privacy impact assessments, as appropriate, to ensure all relevant constitutional, legal, and privacy protections are being followed; ``(iii) work with the Under Secretary for Cybersecurity and Infrastructure Protection to carry out paragraphs (10) and (11) of subsection (c); ``(iv) annually submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report that contains a review of the effectiveness of such policies and procedures to protect privacy and civil liberties; and ``(v) ensure there are appropriate sanctions in place for officers, employees, or agents of the Department who intentionally or willfully conduct activities under this section in an unauthorized manner. ``(C) Inspector general report.--The Inspector General of the Department, in consultation with the Privacy and Civil Liberties Oversight Board and the Inspector General of each Federal agency that receives cyber threat indicators or defensive measures shared with the Center under this section, shall, not later than two years after the date of the enactment of this subsection and periodically thereafter submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report containing a review of the use of cybersecurity risk information shared with the Center, including the following: ``(i) A report on the receipt, use, and dissemination of cyber threat indicators and defensive measures that have been shared with Federal entities under this section. ``(ii) Information on the use by the Center of such information for a purpose other than a cybersecurity purpose. ``(iii) A review of the type of information shared with the Center under this section. ``(iv) A review of the actions taken by the Center based on such information. ``(v) The appropriate metrics that exist to determine the impact, if any, on privacy and civil liberties as a result of the sharing of such information with the Center. ``(vi) A list of other Federal agencies receiving such information. ``(vii) A review of the sharing of such information within the Federal Government to identify inappropriate stove piping of such information. ``(viii) Any recommendations of the Inspector General of the Department for improvements or modifications to information sharing under this section. ``(D) Privacy and civil liberties officers report.--The Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer of the Department, in consultation with the Privacy and Civil Liberties Oversight Board, the Inspector General of the Department, and the senior privacy and civil liberties officer of each Federal agency that receives cyber threat indicators and defensive measures shared with the Center under this section, shall biennially submit to the appropriate congressional committees a report assessing the privacy and civil liberties impact of the activities under this paragraph. Each such report shall include any recommendations the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer of the Department consider appropriate to minimize or mitigate the privacy and civil liberties impact of the sharing of cyber threat indicators and defensive measures under this section. ``(E) Form.--Each report required under paragraphs (C) and (D) shall be submitted in unclassified form, but may include a classified annex. ``(7) Uses and protection of information.-- ``(A) Non-federal entities.--A non-Federal entity, not including a State, local, or tribal government, that shares cyber threat indicators or defensive measures through the Center or otherwise under this section-- ``(i) may use, retain, or further disclose such cyber threat indicators or defensive measures solely for cybersecurity purposes; ``(ii) shall, prior to such sharing, take reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risk or incident, and to safeguard information that can be used to identify specific persons from unintended disclosure or unauthorized access or acquisition; ``(iii) shall comply with appropriate restrictions that a Federal entity or non-Federal entity places on the subsequent disclosure or retention of cyber threat indicators and defensive measures that it discloses to other Federal entities or non-Federal entities; [[Page H2431]] ``(iv) shall be deemed to have voluntarily shared such cyber threat indicators or defensive measures; ``(v) shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures; and ``(vi) may not use such information to gain an unfair competitive advantage to the detriment of any non-Federal entity. ``(B) Federal entities.-- ``(i) Uses of information.--A Federal entity that receives cyber threat indicators or defensive measures shared through the Center or otherwise under this section from another Federal entity or a non-Federal entity-- ``(I) may use, retain, or further disclose such cyber threat indicators or defensive measures solely for cybersecurity purposes; ``(II) shall, prior to such sharing, take reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risk or incident, and to safeguard information that can be used to identify specific persons from unintended disclosure or unauthorized access or acquisition; ``(III) shall be deemed to have voluntarily shared such cyber threat indicators or defensive measures; ``(IV) shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures; and ``(V) may not use such cyber threat indicators or defensive measures to engage in surveillance or other collection activities for the purpose of tracking an individual's personally identifiable information. ``(ii) Protections for information.--The cyber threat indicators and defensive measures referred to in clause (i)-- ``(I) are exempt from disclosure under section 552 of title 5, United States Code, and withheld, without discretion, from the public under subsection (b)(3)(B) of such section; ``(II) may not be used by the Federal Government for regulatory purposes; ``(III) may not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection; ``(IV) shall be considered the commercial, financial, and proprietary information of the non-Federal entity referred to in clause (i) when so designated by such non-Federal entity; and ``(V) may not be subject to a rule of any Federal entity or any judicial doctrine regarding ex parte communications with a decisionmaking official. ``(C) State, local, or tribal government.-- ``(i) Uses of information.--A State, local, or tribal government that receives cyber threat indicators or defensive measures from the Center from a Federal entity or a non- Federal entity-- ``(I) may use, retain, or further disclose such cyber threat indicators or defensive measures solely for cybersecurity purposes; ``(II) shall, prior to such sharing, take reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risk or incident, and to safeguard information that can be used to identify specific persons from unintended disclosure or unauthorized access or acquisition; ``(III) shall consider such information the commercial, financial, and proprietary information of such Federal entity or non-Federal entity if so designated by such Federal entity or non-Federal entity; ``(IV) shall be deemed to have voluntarily shared such cyber threat indicators or defensive measures; and ``(V) shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures. ``(ii) Protections for information.--The cyber threat indicators and defensive measures referred to in clause (i)-- ``(I) shall be exempt from disclosure under any State, local, or tribal law or regulation that requires public disclosure of information or records by a public or quasi- public entity; and ``(II) may not be used by any State, local, or tribal government to regulate a lawful activity of a non-Federal entity. ``(8) Liability exemptions.-- ``(A) Network awareness.--No cause of action shall lie or be maintained in any court, and such action shall be promptly dismissed, against any non-Federal entity that, for cybersecurity purposes, conducts network awareness under paragraph (4), if such network awareness is conducted in accordance with such paragraph and this section. ``(B) Information sharing.--No cause of action shall lie or be maintained in any court, and such action shall be promptly dismissed, against any non-Federal entity that, for cybersecurity purposes, shares cyber threat indicators or defensive measures under paragraph (3), or fails to act based on such sharing, if such sharing is conducted in accordance with such paragraph and this section. ``(C) Willful misconduct.-- ``(i) Rule of construction.--Nothing in this section may be construed to-- ``(I) require dismissal of a cause of action against a non- Federal entity that has engaged in willful misconduct in the course of conducting activities authorized by this section; or ``(II) undermine or limit the availability of otherwise applicable common law or statutory defenses. ``(ii) Proof of willful misconduct.--In any action claiming that subparagraph (A) or (B) does not apply due to willful misconduct described in clause (i), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each non-Federal entity subject to such claim and that such willful misconduct proximately caused injury to the plaintiff. ``(iii) Willful misconduct defined.--In this subsection, the term `willful misconduct' means an act or omission that is taken-- ``(I) intentionally to achieve a wrongful purpose; ``(II) knowingly without legal or factual justification; and ``(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit. ``(D) Exclusion.--The term `non-Federal entity' as used in this paragraph shall not include a State, local, or tribal government. ``(9) Federal government liability for violations of restrictions on the use and protection of voluntarily shared information.-- ``(A) In general.--If a department or agency of the Federal Government intentionally or willfully violates the restrictions specified in paragraph (3), (6), or (7)(B) on the use and protection of voluntarily shared cyber threat indicators or defensive measures, or any other provision of this section, the Federal Government shall be liable to a person injured by such violation in an amount equal to the sum of-- ``(i) the actual damages sustained by such person as a result of such violation or $1,000, whichever is greater; and ``(ii) reasonable attorney fees as determined by the court and other litigation costs reasonably occurred in any case under this subsection in which the complainant has substantially prevailed. ``(B) Venue.--An action to enforce liability under this subsection may be brought in the district court of the United States in-- ``(i) the district in which the complainant resides; ``(ii) the district in which the principal place of business of the complainant is located; ``(iii) the district in which the department or agency of the Federal Government that disclosed the information is located; or ``(iv) the District of Columbia. ``(C) Statute of limitations.--No action shall lie under this subsection unless such action is commenced not later than two years after the date of the violation of any restriction specified in paragraph (3), (6), or 7(B), or any other provision of this section, that is the basis for such action. ``(D) Exclusive cause of action.--A cause of action under this subsection shall be the exclusive means available to a complainant seeking a remedy for a violation of any restriction specified in paragraph (3), (6), or 7(B) or any other provision of this section. ``(10) Anti-trust exemption.-- ``(A) In general.--Except as provided in subparagraph (C), it shall not be considered a violation of any provision of antitrust laws for two or more non-Federal entities to share a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity risk or incident, for cybersecurity purposes under this Act. ``(B) Applicability.--Subparagraph (A) shall apply only to information that is shared or assistance that is provided in order to assist with-- ``(i) facilitating the prevention, investigation, or mitigation of a cybersecurity risk or incident to an information system or information that is stored on, processed by, or transiting an information system; or ``(ii) communicating or disclosing a cyber threat indicator or defensive measure to help prevent, investigate, or mitigate the effect of a cybersecurity risk or incident to an information system or information that is stored on, processed by, or transiting an information system. ``(C) Prohibited conduct.--Nothing in this section may be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, or exchanges of price or cost information, customer lists, or information regarding future competitive planning. ``(11) Construction and preemption.-- ``(A) Otherwise lawful disclosures.--Nothing in this section may be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity or participating voluntarily or under legal requirement in an investigation, by a non-Federal to any other non-Federal entity or Federal entity under this section. ``(B) Whistle blower protections.--Nothing in this section may be construed to prohibit or limit the disclosure of information protected under section 2302(b)(8) of title 5, United States Code (governing disclosures of illegality, waste, fraud, abuse, or public health or safety threats), section 7211 of title 5, United States Code (governing disclosures to Congress), section 1034 of title 10, United States Code (governing disclosure to Congress by members of the military), section 1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing disclosure by employees of elements of the intelligence community), or any similar provision of Federal or State law. ``(C) Relationship to other laws.--Nothing in this section may be construed to affect any requirement under any other provision of law for a non-Federal entity to provide information to a Federal entity. ``(D) Preservation of contractual obligations and rights.-- Nothing in this section may be construed to-- ``(i) amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any non-Federal entities, or between any non-Federal entity and a Federal entity; or ``(ii) abrogate trade secret or intellectual property rights of any non-Federal entity or Federal entity. ``(E) Anti-tasking restriction.--Nothing in this section may be construed to permit a Federal entity to-- [[Page H2432]] ``(i) require a non-Federal entity to provide information to a Federal entity; ``(ii) condition the sharing of cyber threat indicators or defensive measures with a non-Federal entity on such non- Federal entity's provision of cyber threat indicators or defensive measures to a Federal entity; or ``(iii) condition the award of any Federal grant, contract, or purchase on the sharing of cyber threat indicators or defensive measures with a Federal entity. ``(F) No liability for non-participation.--Nothing in this section may be construed to subject any non-Federal entity to liability for choosing to not engage in the voluntary activities authorized under this section. ``(G) Use and retention of information.--Nothing in this section may be construed to authorize, or to modify any existing authority of, a department or agency of the Federal Government to retain or use any information shared under this section for any use other than permitted in this section. ``(H) Voluntary sharing.--Nothing in this section may be construed to restrict or condition a non-Federal entity from sharing, for cybersecurity purposes, cyber threat indicators, defensive measures, or information related to cybersecurity risks or incidents with any other non-Federal entity, and nothing in this section may be construed as requiring any non-Federal entity to share cyber threat indicators, defensive measures, or information related to cybersecurity risks or incidents with the Center. ``(I) Federal preemption.--This section supersedes any statute or other provision of law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section. ``(j) Direct Reporting.--The Secretary shall develop policies and procedures for direct reporting to the Secretary by the Director of the Center regarding significant cybersecurity risks and incidents. ``(k) Additional Responsibilities.--The Secretary shall build upon existing mechanisms to promote a national awareness effort to educate the general public on the importance of securing information systems. ``(l) Reports on International Cooperation.--Not later than 180 days after the date of the enactment of this subsection and periodically thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners in accordance with subsection (c)(8). ``(m) Outreach.--Not later than 60 days after the date of the enactment of this subsection, the Secretary, acting through the Under Secretary for Cybersecurity and Infrastructure Protection, shall-- ``(1) disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and ``(2) enhance outreach to critical infrastructure owners and operators for purposes of such sharing.''. SEC. 4. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS. Section 212 of the Homeland Security Act of 2002 (6 U.S.C. 131) is amended-- (1) in paragraph (5)-- (A) in subparagraph (A)-- (i) by inserting ``information related to cybersecurity risks and incidents and'' after ``critical infrastructure information''; and (ii) by striking ``related to critical infrastructure'' and inserting ``related to cybersecurity risks, incidents, critical infrastructure, and''; (B) in subparagraph (B)-- (i) by striking ``disclosing critical infrastructure information'' and inserting ``disclosing cybersecurity risks, incidents, and critical infrastructure information''; and (ii) by striking ``related to critical infrastructure or'' and inserting ``related to cybersecurity risks, incidents, critical infrastructure, or'' and (C) in subparagraph (C), by striking ``disseminating critical infrastructure information'' and inserting ``disseminating cybersecurity risks, incidents, and critical infrastructure information''; and (2) by adding at the end the following new paragraph: ``(8) Cybersecurity risk; incident.--The terms `cybersecurity risk' and `incident' have the meanings given such terms in the second section 226 (relating to the National Cybersecurity and Communications Integration Center).''. SEC. 5. STREAMLINING OF DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AND INFRASTRUCTURE PROTECTION ORGANIZATION. (a) Cybersecurity and Infrastructure Protection.--The National Protection and Programs Directorate of the Department of Homeland Security shall, after the date of the enactment of this Act, be known and designated as the ``Cybersecurity and Infrastructure Protection''. Any reference to the National Protection and Programs Directorate of the Department in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Cybersecurity and Infrastructure Protection of the Department. (b) Senior Leadership of Cybersecurity and Infrastructure Protection.-- (1) In general.--Subsection (a) of section 103 of the Homeland Security Act of 2002 (6 U.S.C. 113) is amended-- (A) in paragraph (1)-- (i) by amending subparagraph (H) to read as follows: ``(H) An Under Secretary for Cybersecurity and Infrastructure Protection.''; and (ii) by adding at the end the following new subparagraphs: ``(K) A Deputy Under Secretary for Cybersecurity. ``(L) A Deputy Under Secretary for Infrastructure Protection.''; and (B) by adding at the end the following new paragraph: ``(3) Deputy under secretaries.--The Deputy Under Secretaries referred to in subparagraphs (K) and (L) of paragraph (1) shall be appointed by the President without the advice and consent of the Senate.''. (2) Continuation in office.--The individuals who hold the positions referred in subparagraphs (H), (K), and (L) of paragraph (1) of section 103(a) the Homeland Security Act of 2002 (as amended and added by paragraph (1) of this subsection) as of the date of the enactment of this Act may continue to hold such positions. (c) Report.--Not later than 90 days after the date of the enactment of this Act, the Under Secretary for Cybersecurity and Infrastructure Protection of the Department of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on the feasibility of becoming an operational component, including an analysis of alternatives, and if a determination is rendered that becoming an operational component is the best option for achieving the mission of Cybersecurity and Infrastructure Protection, a legislative proposal and implementation plan for becoming such an operational component. Such report shall also include plans to more effectively carry out the cybersecurity mission of Cybersecurity and Infrastructure Protection, including expediting information sharing agreements. SEC. 6. CYBER INCIDENT RESPONSE PLANS. (a) In General.--Section 227 of the Homeland Security Act of 2002 (6 U.S.C. 149) is amended-- (1) in the heading, by striking ``plan'' and inserting ``plans''; (2) by striking ``The Under Secretary appointed under section 103(a)(1)(H) shall'' and inserting the following: ``(a) In General.--The Under Secretary for Cybersecurity and Infrastructure Protection shall''; and (3) by adding at the end the following new subsection: ``(b) Updates to the Cyber Incident Annex to the National Response Framework.--The Secretary, in coordination with the heads of other appropriate Federal departments and agencies, and in accordance with the National Cybersecurity Incident Response Plan required under subsection (a), shall regularly update, maintain, and exercise the Cyber Incident Annex to the National Response Framework of the Department.''. (b) Clerical Amendment.--The table of contents of the Homeland Security Act of 2002 is amended by amending the item relating to section 227 to read as follows: ``Sec. 227. Cyber incident response plans.''. SEC. 7. SECURITY AND RESILIENCY OF PUBLIC SAFETY COMMUNICATIONS; CYBERSECURITY AWARENESS CAMPAIGN. (a) In General.--Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the following new sections: ``SEC. 230. SECURITY AND RESILIENCY OF PUBLIC SAFETY COMMUNICATIONS. ``The National Cybersecurity and Communications Integration Center, in coordination with the Office of Emergency Communications of the Department, shall assess and evaluate consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications. ``SEC. 231. CYBERSECURITY AWARENESS CAMPAIGN. ``(a) In General.--The Under Secretary for Cybersecurity and Infrastructure Protection shall develop and implement an ongoing and comprehensive cybersecurity awareness campaign regarding cybersecurity risks and voluntary best practices for mitigating and responding to such risks. Such campaign shall, at a minimum, publish and disseminate, on an ongoing basis, the following: ``(1) Public service announcements targeted at improving awareness among State, local, and tribal governments, the private sector, academia, and stakeholders in specific audiences, including the elderly, students, small businesses, members of the Armed Forces, and veterans. ``(2) Vendor and technology-neutral voluntary best practices information. ``(b) Consultation.--The Under Secretary for Cybersecurity and Infrastructure Protection shall consult with a wide range of stakeholders in government, industry, academia, and the non-profit community in carrying out this section.''. (b) Clerical Amendment.--The table of contents of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 226 (relating to cybersecurity recruitment and retention) the following new items: ``Sec. 230. Security and resiliency of public safety communications. ``Sec. 231. Cybersecurity awareness campaign.''. SEC. 8. CRITICAL INFRASTRUCTURE PROTECTION RESEARCH AND DEVELOPMENT. (a) Strategic Plan; Public-private Consortiums.--Title III of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by adding at the end the following new section: ``SEC. 318. RESEARCH AND DEVELOPMENT STRATEGY FOR CRITICAL INFRASTRUCTURE PROTECTION. ``(a) In General.--Not later than 180 days after the date of enactment of this section, the Secretary, acting through the Under Secretary for Science and Technology, shall submit to [[Page H2433]] Congress a strategic plan to guide the overall direction of Federal physical security and cybersecurity technology research and development efforts for protecting critical infrastructure, including against all threats. Such plan shall be updated and submitted to Congress every two years. ``(b) Contents of Plan.--The strategic plan, including biennial updates, required under subsection (a) shall include the following: ``(1) An identification of critical infrastructure security risks and any associated security technology gaps, that are developed following-- ``(A) consultation with stakeholders, including critical infrastructure Sector Coordinating Councils; and ``(B) performance by the Department of a risk and gap analysis that considers information received in such consultations. ``(2) A set of critical infrastructure security technology needs that-- ``(A) is prioritized based on the risks and gaps identified under paragraph (1); ``(B) emphasizes research and development of technologies that need to be accelerated due to rapidly evolving threats or rapidly advancing infrastructure technology; and ``(C) includes research, development, and acquisition roadmaps with clearly defined objectives, goals, and measures. ``(3) An identification of laboratories, facilities, modeling, and simulation capabilities that will be required to support the research, development, demonstration, testing, evaluation, and acquisition of the security technologies described in paragraph (2). ``(4) An identification of current and planned programmatic initiatives for fostering the rapid advancement and deployment of security technologies for critical infrastructure protection, including a consideration of opportunities for public-private partnerships, intragovernment collaboration, university centers of excellence, and national laboratory technology transfer. ``(5) A description of progress made with respect to each critical infrastructure security risk, associated security technology gap, and critical infrastructure technology need identified in the preceding strategic plan required under subsection (a). ``(c) Coordination.--In carrying out this section, the Under Secretary for Science and Technology shall coordinate with the Under Secretary for the National Protection and Programs Directorate. ``(d) Consultation.--In carrying out this section, the Under Secretary for Science and Technology shall consult with-- ``(1) critical infrastructure Sector Coordinating Councils; ``(2) to the extent practicable, subject matter experts on critical infrastructure protection from universities, colleges, national laboratories, and private industry; ``(3) the heads of other relevant Federal departments and agencies that conduct research and development relating to critical infrastructure protection; and ``(4) State, local, and tribal governments, as appropriate.''. (b) Clerical Amendment.--The table of contents of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 317 the following new item: ``Sec. 318. Research and development strategy for critical infrastructure protection.''. SEC. 9. REPORT ON REDUCING CYBERSECURITY RISKS IN DHS DATA CENTERS. Not later than one year after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on the feasibility of the Department of Homeland Security creating an environment for the reduction in cybersecurity risks in Department data centers, including by increasing compartmentalization between systems, and providing a mix of security controls between such compartments. SEC. 10. ASSESSMENT. Not later than two years after the date of the enactment of this Act, the Comptroller General of the United States shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report that contains an assessment of the implementation by the Secretary of Homeland Security of this Act and the amendments made by this Act and, to the extent practicable, findings regarding increases in the sharing of cyber threat indicators, defensive measures, and information relating to cybersecurity risks and incidents at the National Cybersecurity and Communications Integration Center and throughout the United States. SEC. 11. CONSULTATION. The Under Secretary for Cybersecurity and Infrastructure Protection shall produce a report on the feasibility of creating a risk-informed prioritization plan should multiple critical infrastructures experience cyber incidents simultaneously. SEC. 12. TECHNICAL ASSISTANCE. The Inspector General of the Department of Homeland Security shall review the operations of the United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to assess the capacity to provide technical assistance to non-Federal entities and to adequately respond to potential increases in requests for technical assistance. SEC. 13. PROHIBITION ON NEW REGULATORY AUTHORITY. Nothing in this Act or the amendments made by this Act may be construed to grant the Secretary of Homeland Security any authority to promulgate regulations or set standards relating to the cybersecurity of non-Federal entities, not including State, local, and tribal governments, that was not in effect on the day before the date of the enactment of this Act. SEC. 14. SUNSET. Any requirements for reports required by this Act or the amendments made by this Act shall terminate on the date that is seven years after the date of the enactment of this Act. SEC. 15. PROHIBITION ON NEW FUNDING. No funds are authorized to be appropriated to carry out this Act and the amendments made by this Act. This Act and such amendments shall be carried out using amounts appropriated or otherwise made available for such purposes. The CHAIR. No amendment to that amendment in the nature of a substitute shall be in order except those printed in part B of House Report 114-88. Each such amendment may be offered only in the order printed in the report, by a Member designated in the report, shall be considered as read, shall be debatable for the time specified in the report, equally divided and controlled by the proponent and an opponent, shall not be subject to amendment, and shall not be subject to a demand for division of the question. {time} 1000 Amendment No. 1 Offered by Mr. McCaul The CHAIR. It is now in order to consider amendment No. 1 printed in part B of House Report 114-88. Mr. McCAUL. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: In section 2, strike the following: (a) Definitions.-- (1) In general.--Subsection (a) of the second section 226 In section 2, insert before subsection (b), the following: (a) In General.--Subsection (a) of the second section 226 In section 2(a), redesignate proposed subparagraphs (A) through (C) as proposed paragraphs (1) through (3), respectively, and move such provisions two ems to the left. Page 3, line 23, insert ``, or the purpose of identifying the source of a cybersecurity risk or incident'' before the semicolon at the end. Page 5, beginning line 6, strike ``electric utility services'' and insert ``utility services or an entity performing utility services''. Page 5, line 15, insert ``(including all conjugations thereof)'' before ``means''. Page 5, line 16, insert ``(including all conjugations of each of such terms)'' before the first period. Page 6, beginning line 2, strike ``striking the period at the end and inserting `; and' '' and insert ``inserting `and' after the semicolon at the end''. Page 6, line 6, strike the first period and insert a semicolon. Page 7, line 20, insert a colon after ``paragraphs''. Page 8, line 23, strike ``(d)'' and insert ``(d)(1)''. Page 11, line 6, insert ``the first place it appears'' before the semicolon. Page 14, line 25, insert ``, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary for Cybersecurity and Infrastructure Protection,'' after ``subsection''. Page 15, line 8, insert ``, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary for Cybersecurity and Infrastructure Protection,'' after ``section''. Page 15, line 21, insert ``at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary for Cybersecurity and Infrastructure Protection,'' after ``Center,''. Page 17, line 20, insert ``or exclude'' after ``remove''. Page 17, line 23, strike ``risks'' and insert ``risk''. Page 23, line 23, insert ``, or'' before ``that''. Page 29, line 25, strike ``paragraphs'' and insert ``subparagraphs''. Page 30, line 15, insert ``or exclude'' after ``remove''. Page 32, line 4, insert ``or exclude'' after ``remove''. Page 33, line 2, insert ``, except for purposes authorized in this section'' before the period at the end. Page 34, line 16, insert ``or exclude'' after ``remove''. Page 36, line 18, insert ``in good faith'' before ``fails''. Page 39, beginning line 19, strike ``of the violation of any restriction specified in paragraph (3), (6), or 7(B), or any other provision of this section, that is the basis for such action'' and insert ``on which the cause of action arises''. Page 41, strike lines 5 through 11. Page 44, line 19, strike ``(I)'' and insert ``(J)''. Page 44, beginning line 19, insert the following: ``(I) Prohibited conduct.--Nothing in this section may be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.''. [[Page H2434]] Page 46, line 7, insert ``and'' before ``information''. Page 48, lines 9 through 10, move the proposed subparagraph (H) two ems to the left. Page 48, lines 13 through 16, move the proposed subparagraphs (K) and (L) two ems to the left. The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas (Mr. McCaul) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Texas. Mr. McCAUL. Mr. Chairman, I yield myself such time as I may consume. The manager's amendment to H.R. 1731 further clarifies the intent of several important provisions of the bill. These modifications were made in consultation with privacy groups, industry leaders, and both the House Intelligence Committee and House Judiciary Committee. Among the more notable changes made are: the expansion of protections for personally identifiable information to include the ``exclusion'' of information and not just the ``removal'' of information, a modification to clarify that the use of cyber threat indicators and defensive measures is limited to the purposes authorized in the bill only, and clarifying language to say that identifying the origin of a cybersecurity threat is a valid ``cybersecurity purpose.'' Each of these changes, along with the others made in the manager's amendment, strengthen the bill and further support the committee's mission to help protect America's networks and systems from cyber attacks while, at the same time, ensuring that an individual's private information enjoys robust protection as well. Mr. Chairman, I yield back the balance of my time. Mr. THOMPSON of Mississippi. Mr. Chairman, I claim the time in opposition, although I am not opposed to the amendment. The CHAIR. Without objection, the gentleman is recognized for 5 minutes. There was no objection. Mr. THOMPSON of Mississippi. Mr. Chairman, the McCaul amendment makes several technical and clarifying changes to H.R. 1731 to reflect feedback from committee Democrats, Department of Homeland Security, and stakeholders. Last week during committee consideration, the gentleman from Louisiana, Representative Richmond, offered an amendment to refine the 2-year statute of limitations on citizen suits against the Federal Government for privacy violations. The underlying bill requires the clock to toll from the date when the government violated the citizen's privacy. The likelihood that a citizen will know the exact date when the personal information was mishandled is pretty remote. As such, Democrats argue that the provision was tantamount to giving the Federal Government a free pass to violate the privacy protections under this act. I am pleased to see that the gentleman from Texas, Chairman McCaul, has listened to Democrats' concerns and has the amendment adjust the language, though it could use further refinement. I am also pleased that the amendment clarifies that all public utilities--not just electric utilities--are covered under this bill. The changes to the underlying bill that this amendment would make are in line with our shared goals of bolstering cybersecurity and improving the quality of information that the private sector receives about timely cyber threats. Accordingly, I support the McCaul amendment. I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Texas (Mr. McCaul). The amendment was agreed to. Amendment No. 2 Offered by Mr. Ratcliffe The CHAIR. It is now in order to consider amendment No. 2 printed in part B of House Report 114-88. Mr. RATCLIFFE. Mr. Chairman, I rise as the designee of the gentleman from New York (Mr. Katko) to offer amendment No. 2. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Page 1, line 12, insert the following (and redesignate subsequent subparagraphs accordingly): (A) by amending paragraph (2) to read as follows: ``(2) the term `incident' means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;''. The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas (Mr. Ratcliffe) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Texas. Mr. RATCLIFFE. Mr. Chairman, I rise today in support of amendment No. 2. This is a bipartisan amendment that will help clarify language in both the Homeland Security Act and this bill. This amendment narrows the definition of the word ``incident'' to ensure that a cybersecurity incident is limited to actions taken against an information system or information stored on that system. This amendment, Mr. Chairman, ensures that information shared with the NCCIC or other private entities is limited to threats and actions against information systems and information stored on that system. Mr. McCAUL. Will the gentleman yield? Mr. RATCLIFFE. I yield to the gentleman from Texas. Mr. McCAUL. Mr. Chairman, I support this bipartisan language that will help clarify language in both the Homeland Security Act and this bill by narrowing the definition of the word ``incident'' to ensure that a cybersecurity incident is limited to actions taken against an information system or information stored on that system. This amendment ensures that information shared with the NCCIC or other private entities is limited to threats to and actions against information systems and information stored on that system. I also want to thank the gentleman from California (Mr. McClintock) for being a leader on this issue and for calling this loophole, if you will, to the attention of the committee to make this a stronger bill on this floor. Mr. RATCLIFFE. I yield back the balance of my time. Mr. RICHMOND. Mr. Chairman, I claim the time in opposition, although I am not opposed to the amendment. The CHAIR. Without objection, the gentleman from Louisiana is recognized for 5 minutes. There was no objection. Mr. RICHMOND. Mr. Chairman, I support this amendment to make an important change to a definition in the act and the law. A strength of this bill acknowledged by some in the privacy community are the limitations that the bill places on the authorizations for sharing and network monitoring. These activities can only be carried out for a ``cybersecurity purpose.'' Among other things, this limitation is intended to ensure that information is not shared for surveillance or law enforcement purposes and the authorization for network monitoring is not exploited by an overzealous employer who wants to track his employees' every move on the Internet. However, because of the broadness of a term within the definition of ``cybersecurity purpose,'' it came to light that the language could be interpreted far more expansively than intended. I commend the gentleman from New York (Mr. Katko) and the gentleman from Texas (Mr. Ratcliffe), who is now offering the amendment, for tightening up the definition of ``incident'' in this bill and the underlying law. We use our smartphones, tablets, and computers for all manner of things, from setting up doctor appointments to buying groceries or ordering books. It is important that, even as we seek to bolster cybersecurity, we do not lose sight of the need to protect the privacy interest of ordinary Americans. That is why I support the Ratcliffe amendment. It will ensure that, in practice, the activities undertaken in this bill are limited to protecting networks and the data on them. I urge an ``aye'' vote on this amendment, and I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Texas (Mr. Ratcliffe). The amendment was agreed to. Amendment No. 3 Offered by Mr. Langevin The CHAIR. It is now in order to consider amendment No. 3 printed in part B of House Report 114-88. Mr. LANGEVIN. Mr. Chairman, I have an amendment at the desk. [[Page H2435]] The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: In section 2(a)(1), redesignate subparagraphs (A) and (B) as subparagraphs (B) and (C), respectively. In section 2(a)(1), insert before subparagraph (B), as so redesignated, the following: (A) by amending paragraph (1) to read as follows: ``(1)(A) except as provided in subparagraph (B), the term `cybersecurity risk' means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; ``(B) such term does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;''. The CHAIR. Pursuant to House Resolution 212, the gentleman from Rhode Island (Mr. Langevin) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Rhode Island. Mr. LANGEVIN. Mr. Chairman, the amendment that I am offering makes a fine bill even better. It clarifies that the definition of ``cybersecurity risk''--and, by extension, the definition of ``cybersecurity purpose''--does not apply to actions that solely involve the violation of consumer terms of service or consumer licensing agreements. This is a small but important change that will protect Americans' privacy and ensure that white hat security researchers are not inadvertently monitored. The cyber threat data that will help turn the tide against malicious actors are security vulnerabilities, attack vectors, and indicators of compromise. What will not help is knowing that a consumer has violated a Byzantine terms of service agreement or that a researcher is testing software for exploitable bugs that he or she will then share with the security community. While not every terms of service violation is well-meaning or born of ignorance, there is no doubt in my mind that the existing body of contract law is more than capable of facilitating dispute resolution in these cases. The exclusion my amendment proposes is not new to this floor. Both the 2012 and the 2013 versions of CISPA, which I worked on very closely while a member of the House Intelligence Committee, contained similar exclusions, and the Protecting Cyber Networks Act that passed the House yesterday also includes this language. The amendment also makes clear that the exclusion applies only for actions that solely violate terms of service. An action that disrupted an information system in addition to being a violation of terms of service would still constitute a cybersecurity risk. Trust is the fundamental element of any information-sharing regime. The bill that we are considering is designed to build that trust by limiting the use of information shared to cybersecurity purposes and ensuring that indicators are scrubbed of any personal information before sharing. My amendment strengthens that trust by making it clear that our focus is on the many real cyber threats out there, not on consumers and researchers. I would like to again express my deep thanks to the chairman of the committee, Mr. McCaul, for his steadfast dedication on the issue of cybersecurity, and I would like to particularly thank his staff for working with us on this amendment. The chairman and the Democratic ranking member, Mr. Thompson, have done this body proud, and I certainly urge the adoption of my amendment and the underlying bill. With that, I reserve the balance of my time. Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time in opposition, though I am not opposed to the amendment. The CHAIR. Is there objection to the request of the gentleman from Texas? There was no objection. The CHAIR. The gentleman is recognized for 5 minutes. Mr. McCAUL. Mr. Chairman, I support this amendment, which would clarify that the term ``cybersecurity risk'' does not apply to actions solely involving violations of consumer terms of service or consumer licensing agreements. This amendment will protect consumers from having information shared with the government due to a minor or unwitting violation of the terms of service, such as a violation of one's Apple iTunes agreement, which my teenage daughters would appreciate. This amendment and this bill are meant to enhance the sharing of cybersecurity information within the government and the public. In order to promote voluntary sharing, the public needs to feel confident that the sole act of violating a terms of service or licensing agreement won't be shared with the NCCIC and that this bill is not a tool to enforce violations regarding terms of service or licensing agreements. These violations have robust legal remedies in place and should be handled through those channels. I think this strengthens the bill, and I appreciate the gentleman's amendment to do so. I support this amendment. I reserve the balance of my time. Mr. LANGEVIN. I thank the chairman for his kind words of support. As many in this Chamber know, Chairman McCaul and I have a long history on the issue of cybersecurity, from our time as co-chairs of the Commission on Cybersecurity for the 44th Presidency to our current roles as the cofounders and co-chairs of the Congressional Cybersecurity Caucus, along with a variety of other collaborations that he and I have engaged in. {time} 1015 Mr. McCAUL. Will the gentleman yield? Mr. LANGEVIN. I yield to the gentleman from Texas. Mr. McCAUL. I thank the gentleman for yielding. I would just like to highlight for all my colleagues the great work that we do in the Cybersecurity Caucus with my good friend and colleague from Rhode Island. The briefings we host every few weeks bring some of the brightest minds in both government and the private sector to the Hill to educate Members and staff on this national security issue. When we first started the caucus in 2008, cyber was a topic very few Members knew anything about. It wasn't really cool to know about cybersecurity. We have made great progress, I believe, the gentleman and I, since that time in raising the level of debate, engagement, awareness, and education with the Members on this critical subject. I hope that the Members and the staff will continue to take advantage of the opportunities afforded by our caucus as our lives become even more interconnected in cyberspace. I think this issue has never been more relevant and more of a threat, quite frankly, than it is today. Mr. LANGEVIN. I thank the chairman. I am fond of saying that cybersecurity is not a problem to be solved but a challenge to be managed. I thank the chairman for his collaboration and his leadership on this issue, along with Ranking Member Thompson. I certainly look forward to the caucus' continuing contributions to the discussion. Ms. LOFGREN. Will the gentleman yield? Mr. LANGEVIN. I yield to the gentlewoman from California. Ms. LOFGREN. I thank the gentleman for yielding. I would just like to thank him for his amendment. It prevents this bill from becoming like the CFAA, which treats noncriminal activity as something wrong. This and the Katko-Lofgren amendment that preceded it narrow the bill, and both deserve support. I thank the gentleman for yielding and his amendment. Mr. LANGEVIN. I thank the gentlewoman for her comments and for her support. With that, Mr. Chairman, I urge adoption of the amendment, and I yield back the balance of my time. Mr. McCAUL. Mr. Chairman, I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Rhode Island (Mr. Langevin). The amendment was agreed to. Amendment No. 4 Offered by Ms. Jackson Lee The CHAIR. It is now in order to consider amendment No. 4 printed in part B of House Report 114-88. Ms. JACKSON LEE. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. [[Page H2436]] The text of the amendment is as follows: Page 10, line 11, strike ``and'' at the end. Page 10, line 16, insert ``and'' after the semicolon. Page 10, beginning line 17, insert the following: ``(vi) remains current on industrial control system innovation; industry adoption of new technologies, and industry best practices;''. The CHAIR. Pursuant to House Resolution 212, the gentlewoman from Texas (Ms. Jackson Lee) and a Member opposed each will control 5 minutes. The Chair recognizes the gentlewoman from Texas. Ms. JACKSON LEE. Mr. Chairman, let me express my appreciation to the chairman and ranking member of the full committee. Again, they have shown the kind of leadership that the Nation needs on dealing with homeland security. My particular appreciation to the chairman and ranking member of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, as they have worked together and presented legislation that provided a very vigorous debate in the subcommittee and the full committee. We believe that we are making enormous leaps and bounds. We are not where we need to be, but we are making leaps and bounds on the whole question of cybersecurity. Over the last couple of years, Mr. Chairman, even someone just reaching kindergarten understands hacking, understands the collapse that we have seen in the variety of major retail entities and banking entities, and they recognize that we have a new lingo but a new problem. Frankly, almost maybe 10 years ago, or maybe somewhere around 7 years ago, as the infrastructure of the United States was under transportation security, we made the note that 85 percent of the Nation's cyber is in the private sector. This legislation is a real approach. The National Cybersecurity Protection Advancement Act of 2015 clearly puts the Department of Homeland Security where it needs to be and provides the National Cybersecurity and Communications Integration Center as the anchor of the information coming into the Federal Government and the vetting entity where Americans can feel that their data can be protected and our civil liberties are protected. Mr. Chairman, my amendment deals with the industrial control systems. All of us know them. I have been to water systems and seen the impact that a cyber attack could have; the electric grid, all of these are in the eye of the storm, and they are in private hands. Attacks against industrial control systems doubled last year, according to a new report from Dell. ``We have over a million firewalls sending data to us on a minute-by- minute basis,'' said John Gordineer, director of product marketing for network security at Dell. Gordineer said: We anonymize the data and see interesting trends. In particular, attacks specifically targeting SCADA industrial control systems rose 100 percent in 2014 compared to the previous year--2014. Countries most affected were Finland, the U.K., and, yes, the United States of America. The most common attack vector against these systems were buffer overflow attacks. The underlying premise of my amendment, the public benefit of this amendment, is that taxpayer dollars provided to ensure cybersecurity of public and private computer networks will focus on real-world applications that reflect how businesses and industries function. So I thank both my colleagues for it. This amendment, in particular, will be an important addition to the legislation, which I believe can be supported by every Member. The amendment states that the Department of Homeland Security, in carrying out the functions authorized under this bill, remain current on industrial control system innovation, industry adoption of new technologies, and industry best practices. Industrial control systems are rarely thought of as long as they work as designed. Industrial control systems are used to deliver utility services to homes and businesses, add precision and speed to manufacturing, and process our foods into finished products. Industrial control systems are responsible for the lights that brighten our cities; for the clean drinking water, which I indicated many of us visited these systems; of the sewage; of automobiles that travel our highways; and the rows upon rows of foods that fill our shelves at grocery stores. We only need to look recently at a contamination of ice cream across the Nation to know that industrial control systems are extremely important. They are also used in large-scale manufacturing. A day does not pass in this country when citizens' lives are not impacted. So, Mr. Chairman, I am asking my colleagues to recognize that we are in control, but the industrial control systems may, in fact, control our daily lives. My amendment is asking that the Department of Homeland Security, in carrying out its function authorized under this bill, remain current on industrial control system innovation, industry adoption of new technologies, and industry best practices. I ask my colleagues, as I ask to put my entire statement into the Record--it lists a whole litany of the private sector infrastructure dealing with industrial control. I am hoping that my amendment will be passed in order to ensure that all aspects of our cyber world are protected for the American people. Mr. Chair, I thank Chairman McCaul and Ranking Member Thompson for their bipartisanship in bringing H.R. 1731, the ``National Cybersecurity Protection Advancement Act of 2015'' before the House for consideration. As a senior member of the House Committee on Homeland Security, I am dedicated to protecting our nation from threats posed by terrorists or others who would wish to do our Nation harm. This is the first of 3 Jackson Lee amendments that will be considered for H.R. 1731, the ``National Cybersecurity Protection Advancement Act of 2015.'' Jackson Lee Amendment No. 4 is simple and will be an important addition to the legislation, which I believe can be supported by every Member of the House. The Jackson Lee amendment states that the Department of Homeland Security, in carrying out the functions authorized under this bill, will remain current on industrial control system innovation, industry adoption of new technologies, and industry best practices. Industrial control systems are rarely thought of as long as they work as designed. Industrial control systems are used to: deliver utility services to homes and businesses; add precision and speed to manufacturing; and process raw foods into finished products. Industrial control systems are responsible for the lights that brighten our cities at night; the clean drinking water that flows from faucets in our homes; automobiles that travel our highways; and the rows upon rows of foods that fill the shelves of grocery stores. Industrial control systems are also used in large-scale manufacturing of home appliances, medicines, and products large and small that are found in our homes and offices. A day does not pass in this country when citizens' lives are not touched by the output of industrial control systems. The critical importance electricity; water, natural gas, and other utility services are all provided by industrial control systems. Industrial control systems help keep the cost of everyday consumer products low, and they are essential to meeting consumer demand for goods and services. Industrial control systems undergo constant improvements as owners and operators work to address vulnerabilities and improve efficiency. Innovation is occurring rapidly in industrial control systems. All industrial control systems have one thing in common--they require computer software, firmware, and hardware. In its wisdom, the Committee on Homeland Security incorporated industrial control systems in its cybersecurity legislation, because industrial control systems are vulnerable to computer errors, accidents, and cybersecurity threats. Coupled with the cybersecurity challenges of industrial control systems is the rapid pace of innovation. For example, a new innovation being adopted by industrial control systems involves 3-Dimential or 3-D printing. 3-D printing involves scanning a physical object with a printer made of a high-power laser that fuses small particles of plastic, metal, ceramic, or glass powders into the object's size and shape. According to PricewaterhouseCoopers, the 3-D printing of jet engine parts to coffee mugs is possible. 3-D printing has the potential to shrink supply chains, save product development times, and increase customization of products. 3-D printing is not the only innovation that will impact industrial control systems. [[Page H2437]] Electricity delivery depends on industrial control systems. The biggest innovation in electricity delivery is the smart grid, which is quickly replacing old electricity delivery and metering technology in cities across the Nation. The term ``smart grid'' encompasses a host of inter-related technologies rapidly moving into public use to reduce or better manage electricity consumption. Smart grid systems can aid electricity service providers, users, or third-party electricity usage management service providers to monitor and control electricity use. The smart grid is also making it possible to more efficiently manage the flow of electricity to residential and industrial consumers. Electric utility meters that were once read once a month are being replaced by smart meters that can be read remotely using smart grid communication systems every 15 minutes or less. The smart grid is capable of monitoring the consumption of electricity down to the individual residential or commercial property. DHS should remain current as innovations like 3-D printing and smart grid technologies are introduced to industrial control systems. This Jackson Lee amendment is a good contribution to H.R. 1731. I request support of this amendment by my colleagues on both sides of the aisle. With that, Mr. Chairman, I yield back the balance of my time. Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time in opposition, though I am not opposed to the amendment. The CHAIR. Is there objection to the request of the gentleman from Texas? There was no objection. The CHAIR. The gentleman is recognized for 5 minutes. Mr. McCAUL. Mr. Chairman, I support this amendment, which will modify the Information Sharing Structure and Processes section of the bill relating to the National Cybersecurity and Communications Integration Center's, or NCCIC's, Industrial Control System. The Cyber Emergency Response Team, ICS-CERT. This amendment directs the ICS-CERT to remain current on ICS innovation, industry adoption of new technologies, and industry best practices. This amendment directs the ICS-CERT to keep abreast of new, innovative technologies. This will enable the ICS-CERT to respond, when requested, with the latest and most current technologies and practices. It is a good amendment. I thank the gentlewoman for bringing it. I urge my colleagues to support this amendment, and I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentlewoman from Texas (Ms. Jackson Lee). The amendment was agreed to. Amendment No. 5 Offered by Mr. Castro of Texas The CHAIR. It is now in order to consider amendment No. 5 printed in part B of House Report 114-88. Mr. CASTRO of Texas. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Page 11, line 22, insert before the semicolon at the end the following: ``, and, to the extent practicable, make self- assessment tools available to such businesses to determine their levels of prevention of cybersecurity risks''. The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas (Mr. Castro) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Texas. Mr. CASTRO of Texas. Mr. Chairman, first, I would like to thank my colleague and fellow Texan, Chairman McCaul, and Ranking Member Bennie Thompson of the House Homeland Security Committee for bringing up my amendment for consideration to H.R. 1731. This amendment supports small businesses across the Nation at no cost to taxpayers. My amendment would make self-assessment tools available to small- and medium-sized businesses so they can determine their level of cybersecurity readiness. Oftentimes, medium-sized and small businesses don't have the framework or capability in place to protect against cybersecurity threats. In 2014, for example, 31 percent of all cyber attacks were directed not at large businesses but at businesses with less than 250 employees. This is a 4 percent increase from 2013. As the chairman knows, Texas is home to many small companies in so many critical industries: biomed and pharmaceuticals, energy, manufacturing, and many more. Some of these businesses employ as few as 5 to 10 people, and their technology is unprotected, vulnerable to cyber attacks. Today most small businesses use the Internet, collect customers' information, and store sensitive information on business computers. Yet many of these same companies don't have the readily available information to self-assess their ability to defend their digital assets. They lack the tools necessary for determining cybersecurity readiness. This pro-small business amendment fills that void and provides the information and tools needed to secure and empower small businesses across the country. Mr. Chairman, I yield 1 minute to the gentleman from Louisiana (Mr. Richmond). Mr. RICHMOND. Mr. Chairman, I rise to support the amendment offered by the gentleman from Texas (Mr. Castro). Over the course of the past year, cyber breaches at Target, Sony, eBay, and Anthem have consumed headlines and brought awareness to the vulnerability of large corporations to cyber threats. Although cyber attacks against small businesses are not well- publicized, they are a dangerous threat that we cannot afford to ignore. In fact, in 2012 alone, the National Cyber Security Alliance found that 60 percent of small businesses shut down within 6 months of a data breach. Small businesses are attractive prey for hackers because they often lack the resources necessary to identify cyber vulnerabilities and harden their cyber infrastructure. Mr. Castro's amendment builds upon language I inserted into the underlying bill that is aimed at improving cybersecurity capabilities of small businesses. Mr. Chairman, I urge my colleagues to help protect small businesses from cyber threats by supporting this important amendment. Mr. CASTRO of Texas. Thank you, Congressman Richmond, for reminding us that the big businesses that get attacked by hacks make the big headlines, but we can't forget about small businesses and medium-sized businesses who day in and day out are vulnerable to the same kind of cybersecurity threats. So, with that, I reserve the balance of my time, Mr. Chairman. Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time in opposition, though I am not opposed to the amendment. The CHAIR. Is there objection to the request of the gentleman from Texas? There was no objection. The CHAIR. The gentleman is recognized for 5 minutes. Mr. McCAUL. Mr. Chairman, I support the gentleman's amendment. The gentleman is correct. Small- and medium-sized businesses are the lifeblood of our economy, yet they often cannot dedicate the resources to address cybersecurity issues. Making self-assessment tools available to these businesses will allow them to determine their levels of cyber risk and manage the risk through appropriate prevention. I urge my colleagues to support this amendment, Mr. Chairman, and I yield back the balance of my time. Mr. CASTRO of Texas. Mr. Chairman, I yield back back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Texas (Mr. Castro). The amendment was agreed to. Amendment No. 6 Offered by Mr. Castro of Texas The CHAIR. It is now in order to consider amendment No. 6 printed in part B of House Report 114-88. Mr. CASTRO of Texas. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Page 52, beginning line 12, insert the following: ``SEC. 232. NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM. ``(a) In General.--The Secretary may establish a consortium to be known as the `National Cybersecurity Preparedness Consortium' (in this section referred to as the `Consortium'). ``(b) Functions.--The Consortium may-- [[Page H2438]] ``(1) provide training to State and local first responders and officials specifically for preparing and responding to cyber attacks; ``(2) develop and update a curriculum utilizing the National Protection and Programs Directorate of the Department sponsored Community Cyber Security Maturity Model (CCSMM) for State and local first responders and officials; ``(3) provide technical assistance services to build and sustain capabilities in support of cybersecurity preparedness and response; ``(4) conduct cybersecurity training and simulation exercises to defend from and respond to cyber-attacks; ``(5) coordinate with the National Cybersecurity and Communications Integration Center to help States and communities develop cybersecurity information sharing programs; and ``(6) coordinate with the National Domestic Preparedness Consortium to incorporate cybersecurity emergency responses into existing State and local emergency management functions. ``(c) Members.--The Consortium shall consist of academic, nonprofit, and government partners that develop, update, and deliver cybersecurity training in support of homeland security. Members shall have prior experience conducting cybersecurity training and exercises for State and local entities.''. Page 52, before line 17, insert the following: ``Sec. 232. National Cybersecurity Preparedness Consortium.''. The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas (Mr. Castro) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Texas. Mr. CASTRO of Texas. Mr. Chairman, first, I am very honored to be joined by my fellow colleagues and Members of Congress from both parties from San Antonio, Texas--Congressmen Smith, Doggett, Cuellar, and Hurd--who each represent a portion of Bexar County and have joined me on this amendment. My amendment would give the Secretary of Homeland Security authority to establish the National Cybersecurity Preparedness Consortium, or NCPC, within the Department of Homeland Security. Doing so would formally allow this consortium, which already exists outside of the government, to assist State and local entities in developing their own viable and sustainable cybersecurity programs, and it would be at no cost to taxpayers. The NCPC consists of five university partners. The University of Texas at San Antonio leads the effort, along with Texas A&M University in College Station, the University of Arkansas, the University of Memphis, and Norwich University in Vermont. {time} 1030 These schools proactively came together to coordinate their work, helping State and local officials prepare for cyber attacks. The consortium also develops and carries out trainings and exercises to increase cybersecurity knowledge. Additionally, the NCPC uses competitions and workshops to encourage more people to pursue careers in cybersecurity and grow the industry's workforce. States and communities need the ability to prevent, detect, respond to, and recover from cyber events as they would any other disaster or emergency situation, and they need to be aware of the fact that cyber events could impede emergency responders' ability to do their jobs. This amendment helps address those State and local needs by codifying this valuable consortium. Mr. Chairman, I reserve the balance of my time. Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time in opposition, although I am not opposed to the amendment. The CHAIR. Is there objection to the request of the gentleman from Texas? There was no objection. The CHAIR. The gentleman is recognized for 5 minutes. Mr. McCAUL. Mr. Chairman, I support this amendment, which establishes the National Cybersecurity Preparedness Consortium, consisting of university partners and other stakeholders who proactively coordinate to assist State and local officials in cybersecurity preparation and the prevention of cyber attacks. The amendment directs the Cybersecurity and Infrastructure Protection Directorate to update curriculum for first responders, provide technical assistance where possible, and conduct simulations and other training to help State and local officials be better prepared for cyber attacks. The amendment directs the consortium to consist of academic, nonprofit, and government partners to deliver the best training possible, which will further advance the overall goal of H.R. 1731, to strengthen the resiliency of Federal and private networks and, thus, protect the data of the American people more effectively. I am a strong proponent of this type of consortium. I am pleased that the gentleman from Texas brought this amendment. I urge my colleagues to support the amendment. Mr. Chairman, I reserve the balance of my time. Mr. CASTRO of Texas. Mr. Chairman, I yield back the balance of my time. Mr. McCAUL. Mr. Chairman, I yield such time as he may consume to the gentleman from Texas (Mr. Hurd). Mr. HURD of Texas. Mr. Chairman, I thank the chairman for his work in making this amendment happen. I urge my colleagues to support this amendment to H.R. 1731. Cybersecurity is not just a buzzword. Oftentimes, large governments and governments have plans in place to mitigate and respond to cyber threats, but many smaller State and local entities do not. This is why I cosponsored and stand in support of Representative Castro's amendment to H.R. 1731. Five leading universities across the Nation have teamed up to face these cyber issues head on, including the University of Texas at San Antonio and my alma mater, Texas A&M University. The proposed consortium would provide valuable training to local and first responders in the event of a catastrophic cyber attack. It would also provide technical assistance services to build and sustain capabilities in support of cybersecurity preparedness and response, and it would coordinate with other crucial entities, such as the Multi- State Information Sharing and Analysis Center and NCCIC. It is clear that we must focus on cyber preparedness not only at the Federal level, but the local level as well. Again, this is why I urge my colleagues to support this. Mr. McCAUL. Mr. Chairman, I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Texas (Mr. Castro). The amendment was agreed to. Amendment No. 7 Offered by Mr. Hurd of Texas The CHAIR. It is now in order to consider amendment No. 7 printed in part B of House Report 114-88. Mr. HURD of Texas. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Add at the end the following: SEC. __. PROTECTION OF FEDERAL INFORMATION SYSTEMS. (a) In General.--Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the following new section: ``SEC. 233. AVAILABLE PROTECTION OF FEDERAL INFORMATION SYSTEMS. ``(a) In General.--The Secretary shall deploy and operate, to make available for use by any Federal agency, with or without reimbursement, capabilities to protect Federal agency information and information systems, including technologies to continuously diagnose, detect, prevent, and mitigate against cybersecurity risks (as such term is defined in the second section 226) involving Federal agency information or information systems. ``(b) Activities.--In carrying out this section, the Secretary may-- ``(1) access, and Federal agency heads may disclose to the Secretary or a private entity providing assistance to the Secretary under paragraph (2), information traveling to or from or stored on a Federal agency information system, regardless of from where the Secretary or a private entity providing assistance to the Secretary under paragraph (2) accesses such information, notwithstanding any other provision of law that would otherwise restrict or prevent Federal agency heads from disclosing such information to the Secretary or a private entity providing assistance to the Secretary under paragraph (2); ``(2) enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities to deploy and operate technologies in accordance with subsection (a); and ``(3) retain, use, and disclose information obtained through the conduct of activities authorized under this section only to protect Federal agency information and information systems from cybersecurity risks, or, with the approval of the Attorney General and if disclosure of such information is not otherwise prohibited by law, to law enforcement [[Page H2439]] only to investigate, prosecute, disrupt, or otherwise respond to-- ``(A) a violation of section 1030 of title 18, United States Code; ``(B) an imminent threat of death or serious bodily harm; ``(C) a serious threat to a minor, including sexual exploitation or threats to physical safety; or ``(D) an attempt, or conspiracy, to commit an offense described in any of subparagraphs (A) through (C). ``(c) Conditions.--Contracts or other agreements under subsection (b)(2) shall include appropriate provisions barring-- ``(1) the disclosure of information to any entity other than the Department or the Federal agency disclosing information in accordance with subsection (b)(1) that can be used to identify specific persons and is reasonably believed to be unrelated to a cybersecurity risk; and ``(2) the use of any information to which such private entity gains access in accordance with this section for any purpose other than to protect Federal agency information and information systems against cybersecurity risks or to administer any such contract or other agreement. ``(d) Limitation.--No cause of action shall lie against a private entity for assistance provided to the Secretary in accordance with this section and a contract or agreement under subsection (b)(2).''. (b) Clerical Amendment.--The table of contents of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 226 (relating to cybersecurity recruitment and retention) the following new item: ``Sec. 233. Available protection of Federal information systems.''. The CHAIR. Pursuant to House Resolution 212, the gentleman from Texas (Mr. Hurd) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from Texas. Mr. HURD of Texas. Mr. Chairman, every day and every hour, hacktivists and state actors are attempting to breach U.S. Government systems. This is an ongoing problem I dealt with during my time at the CIA, and, since I have left, it has only gotten worse. They are attempting to steal valuable information that could be used against us. The EINSTEIN Program is a valuable tool that the U.S. Government can deploy to respond to and mitigate cyber threats. The EINSTEIN Program was intended to provide DHS a situational awareness snapshot of the health of the Federal Government's cyberspace. Based upon agreements with participating Federal agencies, DHS installed systems at their Internet access points to collect network flow data. EINSTEIN 3A is the third and newest version of the program. This groundbreaking technology uses classified and unclassified information to block cyber espionage and attacks. E3A is allowing the Department of Homeland Security to paint a wider and more intelligent picture of the overall cyber threat landscape within the Federal Government, enabling strong correlation of events and the ability to provide early warning and greater context about emerging risks. Cutting-edge programs such as EINSTEIN can serve as a groundbreaking tool to stop criminals, hacktivists, and nation-states from harming the American public and government. I urge my colleagues to support codifying the E3A program and vote in favor of this amendment. Mr. McCAUL. Will the gentleman yield? Mr. HURD of Texas. I yield to the gentleman from Texas. Mr. McCAUL. I support this amendment, which would authorize and codify the current EINSTEIN Program operated in the Department of Homeland Security. The EINSTEIN Program, as deployed, makes available the capability to protect Federal agency information and information systems. The Einstein Program includes technologies to diagnose, detect, prevent, and mitigate cybersecurity risks involving Federal information systems. I would also like to thank my colleague and fellow chairman, Mr. Chaffetz, of the Oversight and Government Reform Committee for working with the Committee on Homeland Security on this important issue. Mr. HURD of Texas. Mr. Chairman, I reserve the balance of my time. Mr. THOMPSON of Mississippi. Mr. Chair, I claim the time in opposition, although I am not in opposition to the amendment. The CHAIR. Without objection, the gentleman is recognized for 5 minutes. There was no objection. Mr. THOMPSON of Mississippi. Mr. Chairman, this amendment would authorize the Department of Homeland Security's program to provide web- based security services to U.S. Federal civilian agencies. The program is known as EINSTEIN. When fully implemented, it is expected to provide all participating Federal agencies with the ability to know the cyber threats they face and protect their systems from insider and outsider threats. To fully implement EINSTEIN to protect Federal civilian networks, there are complex interagency privacy and coordination issues that still need to be settled. This authorization should help the Department of Homeland Security's efforts at closing out those issues as it confers specific statutory authority to the Department to pursue EINSTEIN. I support the amendment, and I urge my colleagues to vote ``aye.'' Mr. Chairman, I yield back the balance of my time. Mr. HURD of Texas. Mr. Chairman, I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from Texas (Mr. Hurd). The amendment was agreed to. Amendment No. 8 Offered by Mr. Mulvaney The CHAIR. It is now in order to consider amendment No. 8 printed in part B of House Report 114-88. Mr. MULVANEY. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Add at the end the following new section: SEC. __. SUNSET. This Act and the amendments made by this Act shall terminate on the date that is seven years after the date of the enactment of this Act. The CHAIR. Pursuant to House Resolution 212, the gentleman from South Carolina (Mr. Mulvaney) and a Member opposed each will control 5 minutes. The Chair recognizes the gentleman from South Carolina. Mr. MULVANEY. Mr. Chairman, I thank the chairman for the opportunity to present this amendment, very similar, Mr. Chairman, to the amendment that I presented yesterday that was approved by a majority of both Republicans and Democrats. It is a 7-year sunset provision to the bill. Here again, today, we are dealing with two very real and very serious concerns, security of our people and the freedoms and liberties of our people. We are called upon to do that very often here in Congress. Sometimes, we get those balances exactly right, and sometimes, we don't. Sometimes, we err too much on the side of safety and protection and security to the expense of our individual liberties. Other times, we err on the other side and do not provide the requisite level of safety and security that the citizens rightly demand of Congress. All this bill does is force us to make sure that we keep an eye on this piece of legislation to make sure that we got the balance exactly right. I know that many folks will say: Well, you know, Mr. Mulvaney, we have the opportunity at any time to go back in and fix the bill. I know that, and we have done that from time to time, but, by the same token, this is a very busy place, and a lot of bills tend to fall between the cracks. Putting in a hardwired 7-year sunset into this piece of legislation will force us not only to keep an eye on this on an ongoing basis, but to come here 7 years from now and make sure that we have done it precisely correctly. I think it is the exact right approach. In fact, I have often wished that we put sunset provisions, Mr. Chairman, in every single piece of legislation that we have, but we don't have that opportunity here today. We do have the opportunity to put a sunset into this very important piece of legislation, and I hope that the House does the same thing today as it did yesterday and approve this amendment by an overwhelming margin. Mr. McCAUL. Will the gentleman yield? Mr. MULVANEY. I yield to the gentleman from Texas. Mr. McCAUL. As an advocate for civil liberties and privacy rights, I did [[Page H2440]] not oppose the inclusion of his amendment here today on the floor, and that was for good reason. I believe that we need an open and fair debate on this measure, this amendment. We need transparency in the process here on the floor. My committee has undertaken that since day one as we assembled this bill in a bipartisan fashion. While, normally, I do support sunset provisions, I think, in this case, submitting a sunset provision to this vital national security program would not be in our best interest. I have heard, time and time again, from industry and other stakeholders that a sunset would stifle the sharing of this valuable cyber threat information. It would undermine everything that we are trying to do here today as we try to incentivize participation and investment in this voluntary program. While I do have tremendous respect for the gentleman and his point of view on this, I will vote ``no'' and oppose this amendment. Mr. MULVANEY. Mr. Chairman, I applaud the chairman for doing something that doesn't happen nearly enough in this Chamber. He is allowing an amendment to come to the floor that he opposes. I think that doesn't happen nearly enough here. I think it speaks volumes to some of the recent steps we have taken to improve Member participation in the process, and I think we will be better as an institution for it. Mr. Chairman, I reserve the balance of my time. Mr. THOMPSON of Mississippi. Mr. Chairman, I claim the time in opposition, although I am not in opposition to the amendment. The CHAIR. Without objection, the gentleman is recognized for 5 minutes. There was no objection. Mr. THOMPSON of Mississippi. Mr. Chairman, I appreciate, as I said, the maker of this amendment. Let me be clear, I offered the very same amendment in markup. It failed on a party-line vote, and this is democracy; but a little thing that concerns me is that, when we went to the Rules Committee, my chairman gave an indication that he really didn't have a problem with the 7-year sunset. Mr. McCAUL. Will the gentleman yield on that point? Mr. THOMPSON of Mississippi. I yield to the gentleman from Texas, my chairman. Mr. McCAUL. Again, I just want to clarify what I believe to be the record, and that was I was not opposed to this amendment going to the floor for a full and fair debate. I respect the gentleman's interpretation of that. I simply was not opposed to this going to the floor, and I think it deserves a full debate, as we saw yesterday as well. Mr. THOMPSON of Mississippi. Thank you. Mr. Chairman, I will read for the Record the statement my chairman made in Rules. Mr. McCaul said: There is an amendment that has a 7-year sunset provision, and I will be honest, I will not oppose that. I think 7 years is ample time to advance those relationships and while, at the same time, giving Congress the authority to reauthorize after a 7-year period. Mr. McCAUL. Will the gentleman yield again? Mr. THOMPSON of Mississippi. I yield to the gentleman from Texas. Mr. McCAUL. I must say that, obviously, since the time the Rules Committee discharged the amendment, there has been tremendous opposition from industry, which concerns me, about the participation in this program and the success of this program if the sunset provision is allowed to go forward, just to clarify my point of view. {time} 1045 Mr. THOMPSON of Mississippi. Mr. Chairman, reclaiming my time, I accept the gentleman's reinterpretation of the statement, and we will go forward. Let me just say that, yesterday, on a 7-year sunset on an Intelligence bill, the House resoundingly voted for this very same amendment, 313-110. It is clear that the congressional intent is, within 7 years, that it should have been ample time for this bill to be law and now set a record for us to come back as Members of Congress and do our oversight responsibility. Mr. Chairman, I am in strong support of Mr. Mulvaney's amendment. It is common sense. I yield back the balance of my time. Mr. MULVANEY. I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentleman from South Carolina (Mr. Mulvaney). The amendment was agreed to. Amendment No. 9 Offered by Ms. Hahn The CHAIR. It is now in order to consider amendment No. 9 printed in part B of House Report 114-88. Ms. HAHN. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Add the end the following: SEC.__. REPORT ON CYBERSECURITY VULNERABILITIES OF UNITED STATES PORTS. Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and the Committee on Transportation and Infrastructure of the House of Representatives and the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science and Transportation of the Senate a report on cybersecurity vulnerabilities for the ten United States ports that the Secretary determines are at greatest risk of a cybersecurity incident and provide recommendations to mitigate such vulnerabilities. The CHAIR. Pursuant to House Resolution 212, the gentlewoman from California (Ms. Hahn) and a Member opposed each will control 5 minutes. The Chair recognizes the gentlewoman from California. Ms. HAHN. Mr. Chairman, I thank Chairman McCaul and Ranking Member Thompson for allowing me to offer this amendment. I rise to offer a National Cybersecurity Protection Advancement Act amendment, one to increase cybersecurity at our Nation's most at-risk ports. This amendment will direct the Secretary of Homeland Security to submit a report to Congress assessing risks and providing recommendations regarding cybersecurity at America's most at-risk ports, such as Los Angeles, Long Beach, Oakland, New York, Houston. According to the American Association of Port Authorities, our ports contribute $4.6 trillion to the U.S. economy, making their security critical to our Nation. In order to remain efficient and globally competitive, our ports have become increasingly reliant on complex computer networks for everyday management. However, The Brookings Institution has found that there is a cybersecurity gap at our Nation's ports. Currently, we do not have cybersecurity standards for our ports to give Federal agencies the authority to address cybersecurity issues. This is completely unacceptable. The threat of cyber attack on the networks that manage the flow of U.S. commerce at our ports is real. As the Representative of the Nation's busiest port complex and as cofounder of the Congressional Ports Caucus, I know that a significant disruption at our ports cripples our economy. An estimated $1 billion a day was lost during the lockout at the Ports of Los Angeles and Long Beach back in 2002. Imagine the possible damage of a more severe disruption. For example, if our ports were targeted and hacked and unable to operate, it could cost our Nation billions and billions of dollars. While the Port of Los Angeles is a participant in the FBI's Cyberhood Watch program and has an award-winning cybersecurity operations center, we need to ensure that all of our ports have the same ability to protect themselves from cyber attacks. This is why I have offered this amendment that addresses the lack of cybersecurity standards and safeguards at our ports. We have ignored the cybersecurity of the networks managing our ports long enough, and it is pointless and ironic for government to continue awarding funds that are spent on the installation of new technologies if the networks they are on remain vulnerable to cyber attacks. This amendment adds no new cost to this legislation, but it will offer great security to our Nation's movement of goods. Mr. Chairman, I reserve the balance of my time. Mr. RATCLIFFE. Mr. Chairman, I ask unanimous consent to claim the time in opposition, although I am not opposed to the amendment. [[Page H2441]] The CHAIR. Is there objection to the request of the gentleman from Texas? There was no objection. The CHAIR. The gentleman is recognized for 5 minutes. Mr. RATCLIFFE. Mr. Chairman, I support this amendment, which requires the Department of Homeland Security to identify and mitigate cybersecurity threats to our Nation's seaports. It requires the Secretary to identify the 10 ports with the highest vulnerability to cybersecurity incidents and to fully evaluate and establish procedures to mitigate relevant cyber vulnerabilities. America's seaports are critical infrastructure, and 95 percent of America's foreign trade travels through these seaports. A cybersecurity incident which impacts a major U.S. port could have profound effects on the global economy. The Department of Homeland Security must take immediate, proactive measures to identify and mitigate cybersecurity threats in America's most vulnerable ports. I urge my colleagues to support this amendment, and I yield back the balance of my time. Ms. HAHN. I thank you for your support, and I applaud you and the committee for working in this bipartisan manner. I urge all of my colleagues to support this amendment. Mr. Chairman, I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentlewoman from California (Ms. Hahn). The amendment was agreed to. Amendment No. 10 Offered by Ms. Jackson Lee The CHAIR. It is now in order to consider amendment No. 10 printed in part B of House Report 114-88. Ms. JACKSON LEE. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Add at the end the following: SEC. __. GAO REPORT ON IMPACT PRIVACY AND CIVIL LIBERTIES. Not later than 60 months after the date of the enactment of this Act, the Comptroller General of the United States shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate an assessment on the impact on privacy and civil liberties limited to the work of the National Cybersecurity and Communications Integration Center. The CHAIR. Pursuant to House Resolution 212, the gentlewoman from Texas (Ms. Jackson Lee) and a Member opposed each will control 5 minutes. The Chair recognizes the gentlewoman from Texas. Ms. JACKSON LEE. Mr. Chairman, let me thank Mr. Thompson and Mr. McCaul for their leadership and Mr. Ratcliffe and Mr. Richmond for their leadership and for the importance of this legislation on the floor today and--this is something that I have often said--for the importance of the Department of Homeland Security's being the front armor, if you will, for domestic security, and this is a very important component of domestic security. The Jackson Lee-Polis amendment states that not later than 60 months after the date of this act the Comptroller General of the United States shall submit to the Committee on Homeland Security of the House of Representatives and to the Committee on Homeland Security and Governmental Affairs of the Senate an assessment on the impact of privacy and civil liberties, limited to the work of the National Cybersecurity and Communications Integration Center. The public benefit of this amendment is that it will provide public assurance from a reliable and trustworthy source that their privacy and civil liberties are not being compromised. Whether it is the PATRIOT Act or the USA FREEDOM Act that is now proposed, the American people understand their security, but they understand their privacy and their civil liberties. The intent of this report is to provide Congress with information regarding the effectiveness of protecting the privacy of Americans. We have gone through too much--we have been through too much hacking, and we have lost too much personal data from a number of retail entities and elsewhere--for the American people not to be protected. This amendment will result in the sole external report on the privacy and civil liberties' impact of the programs created under this bill. I ask that my colleagues support the Jackson Lee-Polis amendment, and I reserve the balance of my time. Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time in opposition, although I am not opposed to the amendment. The CHAIR. Is there objection to the request of the gentleman from Texas? There was no objection. The CHAIR. The gentleman is recognized for 5 minutes. Mr. McCAUL. Mr. Chairman, I support this amendment. The report required by this amendment would provide a quantifiable tool for the transparency, accountability, and oversight of Americans' civil liberties, and it will address privacy concerns. Privacy is a hallmark of H.R. 1731, and any opportunity to highlight to the American people how well DHS is protecting their civil liberties, while strengthening the cyber resilience of our Federal and non-Federal networks, is a welcome endeavor. The report will provide data on how well the program is working, and it will potentially identify any areas of improvement, which will further strengthen the robustness of DHS' cyber information-sharing practices. I urge my colleagues to support this amendment, and I yield back the balance of my time. Ms. JACKSON LEE. I thank the chair for his comments. Mr. Chairman, privacy is of great concern to the American public in a digital economy where personal information is one of the most valuable assets of successful online business. Again, I ask for support of the Jackson Lee-Polis amendment. Mr. Chair, I offer my thanks to Chairman McCaul, and Ranking Member Thompson for their leadership and work on H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 to the floor for consideration. The bipartisan work done by the House Committee on Homeland Security brought before the House this opportunity to defend our Nation against cyber threats. I thank Congressman Polis for joining me in sponsoring this amendment. The Jackson Lee-Polis amendment to H.R. 1731 is simple and would improve the bill. The Jackson Lee-Polis amendment states that, not later than 60 months after the date of this act, the Comptroller General of the United States shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Government Affairs of the Senate an assessment on the impact of privacy and civil liberties limited to the work of the National Cybersecurity and Communications Integration Center. The intent of the report is to provide Congress with information regarding the effectiveness of protecting the privacy of Americans. This amendment would result in the sole external report on the privacy and civil liberties' impact of the programs created under this bill. Privacy is of great concern to the American public in a digital economy where personal information is one of the most valuable assets of successful online businesses. Having detailed information on consumers allows companies to better tailor services and products to meet the needs of consumers. Instead of relying on surveys to try to determine what consumers want, companies know what they want through their online and increasingly offline activities that are recorded and analyzed. In 2014, a report on consumers' views of their privacy published by the Pew Center found that a majority of adults surveyed felt that their privacy is being challenged along such core dimensions as the security of their personal information and their ability to retain confidentiality. 91% of adults in the survey believe that consumers have lost control over how personal information is collected and used by companies. 88% of adults believe that it would be very difficult to remove inaccurate information about them online. 80% of those who use social networking sites believe they are concerned about third parties accessing their data. 70% of social networking site users have some concerns about the government accessing some of the information they share on social networking sites without their knowledge. For this reason, the Jackson Lee amendment providing an independent report to the public on how their privacy and civil liberties are treated under the implementation of this bill is important. I ask that my colleagues on both sides of the aisle support this amendment. [[Page H2442]] Mr. Chair, I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentlewoman from Texas (Ms. Jackson Lee). The question was taken; and the Chair announced that the ayes appeared to have it. Mr. McCAUL. Mr. Chairman, I demand a recorded vote. The CHAIR. Pursuant to clause 6 of rule XVIII, further proceedings on the amendment offered by the gentlewoman from Texas will be postponed. Amendment No. 11 Offered by Ms. Jackson Lee The CHAIR. It is now in order to consider amendment No. 11 printed in part B of House Report 114-88. Ms. JACKSON LEE. Mr. Chairman, I have an amendment at the desk. The CHAIR. The Clerk will designate the amendment. The text of the amendment is as follows: Add at the end the following: SEC. __. REPORT ON CYBERSECURITY AND CRITICAL INFRASTRUCTURE. The Secretary of Homeland Security may consult with sector specific agencies, businesses, and stakeholders to produce and submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on how best to align federally-funded cybersecurity research and development activities with private sector efforts to protect privacy and civil liberties while assuring security and resilience of the Nation's critical infrastructure, including-- (1) promoting research and development to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology; (2) enhancing modeling capabilities to determine potential impacts on critical infrastructure of incidents or threat scenarios, and cascading effects on other sectors; and (3) facilitating initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen cybersesecurity and resilience. The CHAIR. Pursuant to House Resolution 212, the gentlewoman from Texas (Ms. Jackson Lee) and a Member opposed each will control 5 minutes. The Chair recognizes the gentlewoman from Texas. Ms. JACKSON LEE. This is a comprehensive approach, Mr. Chairman, to the issue of cybersecurity and national cybersecurity protection. The amendment that I am offering now states that the Secretary of Homeland Security may consult with sector-specific agencies, businesses, and stakeholders to produce and submit to the Committee on Homeland Security of the House of Representatives and to the Committee on Homeland Security and Governmental Affairs of the Senate a report on how best to align federally funded cybersecurity research and development activities with private sector efforts to protect privacy and civil liberties while assuring the security and resilience of the Nation's critical infrastructure. Again, I can recount the incidences that have brought this issue to the attention of the American people. Certainly, one of the most striking were the actions of Mr. Snowden's, so it is important that we develop research that really blocks those who would intend to do wrong, or ill, to the American people. The amendment includes a cybersecurity research and development objective to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology. We want it to be impenetrable. We want to have a firewall that stands as a firewall. I believe that we have the capacity to have the R&D to do so. The public benefit of this amendment is that it will make sure, as innovations occur in the private sector that can improve privacy and civil liberties protections, that they will be adopted by DHS for its programs established by this bill. Mr. Chairman, I ask for support of the Jackson Lee amendment, and I reserve the balance of my time. Mr. McCAUL. Mr. Chairman, I ask unanimous consent to claim the time in opposition, although I am not opposed to the amendment. The CHAIR. Is there objection to the request of the gentleman from Texas? There was no objection. The CHAIR. The gentleman is recognized for 5 minutes. Mr. McCAUL. Mr. Chairman, I support this enhancement that allows the Secretary of Homeland Security to consult with stakeholders and to submit a report on how best to align federally funded cybersecurity research and development activities with private sector efforts to protect privacy and civil liberties, while assuring the security and resilience of the Nation's critical infrastructure. The promotion of research and development activities to design resilient critical infrastructure that includes cyber threat infrastructure and that also includes cyber threat consideration in its plan is important as we build the fences against the cascading effect of cyber attacks on critical infrastructures. Again, I want to thank the gentlewoman for bringing this amendment, and I urge my colleagues to support it. I yield back the balance of my time. Ms. JACKSON LEE. I thank the gentleman from Texas. Mr. Chairman, again, the American people deserve the kind of investigatory work that results in R&D that provides the kind of armor against the attacks that we have noted are possible and have occurred. With that, I ask for the support of the Jackson Lee amendment. Mr. Chair, I offer my thanks to Chairman McCaul, and Ranking Member Thompson for their leadership and work on H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015. This is the final of three Jackson Lee amendments offered to this legislation. The Jackson Lee-Polis amendment to H.R. 1731 is simple and would improve the bill. The amendment states that the Secretary of Homeland Security may consult with sector-specific agencies, businesses, and stakeholders to produce and submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on how best to align federally funded cybersecurity research and development activities with private sector efforts to protect privacy and civil liberties, while assuring the security and resilience of the Nation's critical infrastructure. The amendment includes a cybersecurity research and development objective to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology. Finally, this Jackson Lee amendment would support investigation into enhanced computer-aided modeling capabilities to determine potential impacts on critical infrastructure of incidents or threat scenarios and cascading effects on other sectors and facilitating initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen cybersecurity and resilience. The ability to stay current and at the leading edge of innovation in the fast-moving world of computing technology will be a challenge, but one that the Department of Homeland Security can meet. The Jackson Lee amendment lays the foundation for an array of collaborative efforts centered on learning as much as possible about critical infrastructure operations and technologies, then using that knowledge to discover how best to defend against cyber-based threats. I ask that my colleagues on both sides of the aisle support this amendment. Mr. Chair, I yield back the balance of my time. The CHAIR. The question is on the amendment offered by the gentlewoman from Texas (Ms. Jackson Lee). The amendment was agreed to. Amendment No. 10 Offered by Ms. Jackson Lee The CHAIR. Pursuant to clause 6 of rule XVIII, the unfinished business is the demand for a recorded vote on the amendment offered by the gentlewoman from Texas (Ms. Jackson Lee) on which further proceedings were postponed and on which the ayes prevailed by voice vote. The Clerk will redesignate the amendment. The Clerk redesignated the amendment. Recorded Vote The CHAIR. A recorded vote has been demanded. A recorded vote was ordered. The vote was taken by electronic device, and there were--ayes 405, noes 8, not voting 18, as follows: [Roll No. 171] AYES--405 Abraham Adams Aderholt Aguilar Allen Amash Amodei Ashford Babin Barletta Barr Barton [[Page H2443]] Bass Beatty Becerra Benishek Bera Beyer Bilirakis Bishop (GA) Bishop (MI) Bishop (UT) Black Blackburn Blum Blumenauer Bonamici Bost Brady (PA) Brat Bridenstine Brooks (AL) Brooks (IN) Brown (FL) Brownley (CA) Buchanan Buck Bucshon Burgess Bustos Byrne Calvert Capps Capuano Caardenas Carney Carson (IN) Carter (GA) Cartwright Castor (FL) Castro (TX) Chabot Chaffetz Chu, Judy Cicilline Clark (MA) Clarke (NY) Clawson (FL) Clay Cleaver Coffman Cohen Cole Collins (GA) Collins (NY) Comstock Conaway Connolly Conyers Cook Cooper Costa Costello (PA) Courtney Cramer Crawford Crenshaw Crowley Cuellar Culberson Cummings Curbelo (FL) Davis (CA) Davis, Danny DeFazio DeGette Delaney DeLauro DelBene Denham Dent DeSantis DeSaulnier DesJarlais Deutch Diaz-Balart Dingell Doggett Dold Doyle, Michael F. Duckworth Duffy Duncan (SC) Duncan (TN) Edwards Ellison Ellmers (NC) Emmer (MN) Engel Esty Farenthold Farr Fattah Fincher Fitzpatrick Fleischmann Fleming Flores Forbes Fortenberry Foster Foxx Frankel (FL) Franks (AZ) Frelinghuysen Fudge Gabbard Gallego Garamendi Garrett Gibbs Gibson Gohmert Goodlatte Gosar Gowdy Graham Granger Graves (GA) Graves (LA) Grayson Green, Al Green, Gene Griffith Grijalva Grothman Guinta Guthrie Gutieerrez Hahn Hanna Hardy Harper Harris Hartzler Heck (NV) Heck (WA) Hensarling Herrera Beutler Hice, Jody B. Higgins Hill Himes Hinojosa Holding Honda Hoyer Hudson Huelskamp Huffman Huizenga (MI) Hultgren Hunter Hurd (TX) Hurt (VA) Israel Issa Jackson Lee Jeffries Jenkins (KS) Jenkins (WV) Johnson (GA) Johnson (OH) Johnson, Sam Jolly Jones Jordan Joyce Katko Keating Kelly (IL) Kelly (PA) Kennedy Kildee Kilmer Kind King (IA) King (NY) Kinzinger (IL) Kirkpatrick Kline Knight Kuster Labrador Lamborn Lance Langevin Larsen (WA) Larson (CT) Latta Lawrence Lee Levin Lewis Lieu, Ted LoBiondo Loebsack Lofgren Long Loudermilk Love Lowenthal Lowey Lucas Luetkemeyer Lujan Grisham (NM) Lujaan, Ben Ray (NM) Lummis Lynch MacArthur Maloney, Carolyn Maloney, Sean Marino Massie Matsui McCarthy McCaul McClintock McCollum McDermott McGovern McHenry McKinley McMorris Rodgers McNerney McSally Meadows Meehan Meng Messer Mica Miller (FL) Miller (MI) Moolenaar Mooney (WV) Moulton Mullin Mulvaney Murphy (FL) Murphy (PA) Nadler Napolitano Neal Neugebauer Newhouse Noem Nolan Norcross Nugent Nunes O'Rourke Palazzo Palmer Pascrell Paulsen Pearce Pelosi Perlmutter Perry Peters Peterson Pingree Pittenger Pitts Pocan Poe (TX) Poliquin Polis Pompeo Posey Price (NC) Price, Tom Quigley Rangel Ratcliffe Reed Reichert Renacci Ribble Rice (NY) Rice (SC) Richmond Rigell Roby Roe (TN) Rogers (AL) Rogers (KY) Rohrabacher Rokita Rooney (FL) Ros-Lehtinen Roskam Ross Rothfus Rouzer Roybal-Allard Royce Ruiz Ruppersberger Rush Russell Ryan (OH) Ryan (WI) Salmon Saanchez, Linda T. Sanchez, Loretta Sanford Sarbanes Scalise Schakowsky Schiff Schrader Schweikert Scott (VA) Scott, Austin Scott, David Sensenbrenner Serrano Sessions Sewell (AL) Sherman Shimkus Shuster Simpson Sinema Sires Slaughter Smith (MO) Smith (NE) Smith (NJ) Smith (TX) Stefanik Stewart Stivers Stutzman Swalwell (CA) Takai Takano Thompson (CA) Thompson (MS) Thompson (PA) Thornberry Tiberi Tipton Titus Tonko Torres Tsongas Turner Upton Valadao Van Hollen Vargas Veasey Vela Velaazquez Visclosky Wagner Walberg Walden Walker Walorski Walters, Mimi Walz Wasserman Schultz Waters, Maxine Watson Coleman Webster (FL) Welch Wenstrup Westerman Whitfield Williams Wilson (FL) Wilson (SC) Wittman Womack Woodall Yarmuth Yoder Yoho Young (IA) Young (IN) Zeldin Zinke NOES--8 Boustany Brady (TX) Carter (TX) LaMalfa Marchant Weber (TX) Westmoreland Young (AK) NOT VOTING--18 Boyle, Brendan F. Butterfield Clyburn Davis, Rodney Eshoo Graves (MO) Hastings Johnson, E. B. Kaptur Lipinski Meeks Moore Olson Pallone Payne Smith (WA) Speier Trott {time} 1130 Messrs. BUCSHON, POSEY, Mrs. McMORRIS RODGERS, Messrs. BRIDENSTINE, COFFMAN, TIPTON, CRAWFORD, GIBBS, MILLER of Florida, and GOHMERT changed their vote from ``no'' to ``aye.'' So the amendment was agreed to. The result of the vote was announced as above recorded. The Acting CHAIR (Mr. Harper). The question is on the amendment in the nature of a substitute. The amendment was agreed to. The Acting CHAIR. Under the rule, the Committee rises. Accordingly, the Committee rose; and the Speaker pro tempore (Mr. Fortenberry) having assumed the chair, Mr. Harper, Acting Chair of the Committee of the Whole House on the state of the Union, reported that that Committee, having had under consideration the bill (H.R. 1731) to amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthen privacy and civil liberties protections, and for other purposes, and, pursuant to House Resolution 212, he reported the bill back to the House with an amendment adopted in the Committee of the Whole. The SPEAKER pro tempore. Under the rule, the previous question is ordered. Is a separate vote demanded on any amendment to the amendment reported from the Committee of the Whole? If not, the question is on the amendment in the nature of a substitute, as amended. The amendment was agreed to. The SPEAKER pro tempore. The question is on the engrossment and third reading of the bill. The bill was ordered to be engrossed and read a third time, and was read the third time. Motion to Recommit Mr. ISRAEL. Mr. Speaker, I have a motion to recommit at the desk. The SPEAKER pro tempore. Is the gentleman opposed to the bill? Mr. ISRAEL. I am, in its current form, Mr. Speaker. Mr. McCAUL. Mr. Chair, I reserve a point of order. The SPEAKER pro tempore. A point of order is reserved. The Clerk will report the motion to recommit. The Clerk read as follows: Mr. Israel moves to recommit the bill H.R. 1731 to the Committee on Homeland Security with instructions to report the same back to the House forthwith, with the following amendment: Add at the end of the bill the following: SEC. __. PROTECTING CRITICAL INFRASTRUCTURE, AMERICAN JOBS, AND HEALTH INFORMATION FROM CYBERATTACKS. (a) In General.--Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the following new section: ``SEC. 232. PROTECTING CRITICAL INFRASTRUCTURE, AMERICAN JOBS, AND HEALTH INFORMATION FROM CYBERATTACKS. ``(a) In General.--The Secretary of Homeland Security shall undertake on-going risk-informed outreach, including the provision of technical assistance, to the owners and operators of at-risk critical infrastructure to promote the sharing of cyber threat indicators and defensive measures (as such terms are defined in the second section 226 (relating to the National Cybersecurity and Communications Integration Center). In carrying out this outreach, the Secretary shall prioritize the protection of at-risk Supervisory Control and Data Acquisition (SCADA) industrial control systems, which are critical to the operation of the United States economy. ``(b) Prioritization.--In carrying out outreach under subsection (a), the Secretary of Homeland Security shall prioritize the protection and welfare of the American people and economy and give special attention to protecting the following: ``(1) United States critical infrastructure, including the electrical grid, nuclear power plants, oil and gas pipelines, financial services, and transportation systems, from cyberattacks, as attacks on SCADA industrial control systems increased by 100 percent in 2014 over the previous year. ``(2) The intellectual property of United States corporations, particularly the intellectual property of at- risk small and medium-sized businesses, in order to maintain United States competitiveness and job growth. ``(3) The privacy and property rights of at-risk Americans, including Social Security numbers, dates of birth, and employment information, and health records, insofar as the health records of more than 29,000,000 Americans were compromised in data breaches between 2010 and 2013, and, in 2015, the information of 80,000,000 Americans was compromised by the attack on Anthem Health Insurance.''. [[Page H2444]] (b) Clerical Amendment.--The table of contents of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 231 the following new item: ``Sec. 232. Protecting critical infrastructure, American jobs, and health information from cyberattacks.''. Mr. McCAUL (during the reading). Mr. Speaker, I ask unanimous consent to dispense with the reading. The SPEAKER pro tempore. Is there objection to the request of the gentleman from Texas? There was no objection. The SPEAKER pro tempore. The gentleman from New York is recognized for 5 minutes. Mr. ISRAEL. Mr. Speaker, this is a final amendment. It will not kill the bill. It will not send the bill back to committee. If adopted, the bill will immediately proceed to final passage, as amended. Mr. Speaker, 2 weeks ago, D.C. went dark. The lights went out, the power stopped near the White House, lights out, no power at the Department of State. Federal agencies were plunged into darkness, small businesses plunged into darkness. Business stopped. The business of government stopped because there was a blackout. Now, in this case, Mr. Speaker, this loss of energy was because of a blown transformer, and there was no indication that this was a result of a cyber attack on our energy sources or systems. There are indications, Mr. Speaker, every day, of attempted attacks on our critical energy infrastructure, and this amendment simply strengthens the response of the Department of Homeland Security to protect our constituents, our government, our infrastructure, and our country from this attack. Mr. Speaker, in the first 6 months of 2012, we know that there was a sustained and persistent cyber attack on critical gas pipeline control systems. Now, the good news is that we successfully defended against those attacks. The bad news is, as we all know, the very nature of cyber war means that every time you defend against an attack, you are transmitting to your attackers what your defenses are. The DHS reports that, of roughly 200 cases of major cyber attacks handled by DHS' cybersecurity team in 2013, 40 percent were in the energy sector. There have been attacks on supervisory control and data acquisitions, SCADA. Those attacks doubled between 2013 and 2014, so we know these attacks are being attempted. We know how serious it is. We learned, 2 weeks ago, what happens when we plunge into the darkness. We know the economic devastation, the social devastation, the military devastation that will occur when an attack is successful, when a cyber attack against our energy systems succeeds. We know it is coming, and we cannot wait until the day after, when we ask ourselves, in the dark: Why didn't we do more yesterday? This is like being told that Pearl Harbor is coming, that 9/11 is coming, knowing it is coming, and deciding: Are you going to do something about it? Or are you going to continue to bury your head in the sand? Now, this amendment is very simple, Mr. Speaker. It simply directs the Department of Homeland Security to organize a strong, concerted, focused partnership with energy companies throughout this country. Those partnerships would provide technical assistance from DHS to energy companies and information sharing. These partnerships would be focused on critical infrastructure, the electrical grid, oil and gas pipelines, and nuclear power plants. Mr. Speaker, what happened in Washington, D.C., on April 7 of this year can happen in any congressional district in this body. Instead of a blown transformer, it will be a cyber attack against energy systems in any one of the districts represented here today, Mr. Speaker. When that happens, our constituents will ask us, from that place in the dark: What did you do to prevent it? And what did you do to protect me from it? This vote on this motion to recommit will be your answer. Let's put the protection of our businesses, our government, our military, and our constituents ahead of partisanship and vote ``yes'' on this motion to recommit. Mr. Speaker, I yield back the balance of my time. Mr. McCAUL. Mr. Speaker, I withdraw my reservation of a point of order. The SPEAKER pro tempore. The reservation of the point of order is withdrawn. Mr. McCAUL. Mr. Speaker, I rise today in strong opposition to the motion to recommit. The SPEAKER pro tempore. The gentleman from Texas is recognized for 5 minutes. Mr. McCAUL. The gentleman from New York is correct regarding the nature of the threat. However, the activities he has discussed were authorized by Congress last Congress with a bill that I sponsored. In addition, the bill currently before the House strengthens those provisions. This bipartisan bill passed out of committee unanimously. This motion is nothing more than an eleventh hour attempt to bring down the bill that we worked so hard on to get to this point where we are today. Mr. Speaker, people always ask me what keeps me up at night. In addition to the kinetic threats posed by al Qaeda and ISIS, it is a cyber attack against our Nation that concerns me the most. This legislation is necessary to protect Americans. Every day, America is under attack. Our offensive capabilities are strong, but our defensive capabilities are weak. The attacks on Target and Home Depot stole the personal information and credit cards of millions of Americans. The cyber breach at Anthem compromised the healthcare accounts of 80 million individuals, impacting one out of every four Americans in the most private way. North Korea's destructive attack on Sony attempted to chill our freedom of speech. Russia and China continue to steal our intellectual property and conduct espionage against our Nation. General Alexander described this as ``the greatest transfer of wealth in history.'' At the same time, Iran attacks our financial sector on a daily basis in response to the sanctions. We also face a growing threat from cyberterrorists, like the ISIS sympathizers who hacked into USCENTCOM's social media account. Terrorists and state sponsors of terror, like Iran, want nothing more than to carry out a destructive cyber attack to bring things down in the United States, including our power grids. This bill protects our Nation's networks, both public and private, by removing legal barriers to the sharing of threat information. {time} 1145 The bill is voluntary. It is both proprivacy and prosecurity and has widespread support from industry. It allows us to obtain the keys for information sharing, to lock the door, and to keep these nation-states and criminals out. We cannot send a signal of weakness to our adversaries. Many, Mr. Speaker, refer to the threat of a cyber Pearl Harbor. My father, part of the Greatest Generation, was a bombardier in a B-17 during World War II. He participated in the air campaign in advance of the D-day invasion against the Nazis. Today a new generation faces different threats to our national security, and we must protect America in this new frontier. We now live in a new threat environment where digital bombs can go undetected and cause massive devastation. This bill will defend America from these attacks. Inaction today, Mr. Speaker, would be nothing short of reckless. It is urgent that we pass this bill today, for if Congress fails to act and the United States is attacked, then Congress will have that on its hands. I urge my colleagues to vote against the motion to recommit and support this bill. I yield back the balance of my time. The SPEAKER pro tempore. Without objection, the previous question is ordered on the motion to recommit. There was no objection. The SPEAKER pro tempore. The question is on the motion to recommit. The question was taken; and the Speaker pro tempore announced that the noes appeared to have it. Recorded Vote Mr. ISRAEL. Mr. Speaker, I demand a recorded vote. [[Page H2445]] A recorded vote was ordered. The SPEAKER pro tempore. Pursuant to clause 9 of rule XX, this 5- minute vote on the motion to recommit will be followed by a 5-minute vote on the passage of the bill, if ordered. The vote was taken by electronic device, and there were--ayes 180, noes 238, not voting 13, as follows: [Roll No. 172] AYES--180 Adams Aguilar Ashford Bass Beatty Becerra Bera Beyer Bishop (GA) Blumenauer Bonamici Brady (PA) Brown (FL) Brownley (CA) Bustos Butterfield Capps Capuano Caardenas Carney Carson (IN) Cartwright Castor (FL) Castro (TX) Chu, Judy Cicilline Clark (MA) Clarke (NY) Clay Cleaver Clyburn Cohen Connolly Conyers Cooper Costa Courtney Crowley Cuellar Cummings Davis (CA) Davis, Danny DeFazio DeGette Delaney DeLauro DelBene DeSaulnier Deutch Dingell Doggett Doyle, Michael F. Duckworth Edwards Ellison Engel Esty Farr Fattah Foster Frankel (FL) Fudge Gabbard Gallego Garamendi Graham Grayson Green, Al Green, Gene Grijalva Gutieerrez Hahn Heck (WA) Higgins Himes Hinojosa Honda Hoyer Huffman Israel Jackson Lee Jeffries Johnson (GA) Johnson, E. B. Jones Keating Kelly (IL) Kennedy Kildee Kilmer Kind Kirkpatrick Kuster Langevin Larsen (WA) Larson (CT) Lawrence Lee Levin Lewis Lieu, Ted Loebsack Lofgren Lowenthal Lowey Lujan Grisham (NM) Lujaan, Ben Ray (NM) Lynch Maloney, Carolyn Maloney, Sean Matsui McCollum McDermott McGovern McNerney Meeks Meng Moulton Murphy (FL) Nadler Napolitano Neal Nolan Norcross O'Rourke Pascrell Payne Pelosi Perlmutter Peters Peterson Pingree Pocan Polis Price (NC) Quigley Rangel Rice (NY) Richmond Roybal-Allard Ruiz Ruppersberger Rush Ryan (OH) Saanchez, Linda T. Sanchez, Loretta Sarbanes Schakowsky Schiff Schrader Scott (VA) Scott, David Serrano Sewell (AL) Sherman Sinema Sires Slaughter Swalwell (CA) Takai Takano Thompson (CA) Thompson (MS) Titus Tonko Torres Tsongas Van Hollen Vargas Veasey Vela Velaazquez Visclosky Walz Wasserman Schultz Waters, Maxine Watson Coleman Welch Wilson (FL) Yarmuth NOES--238 Abraham Aderholt Allen Amash Amodei Babin Barletta Barr Barton Benishek Bilirakis Bishop (MI) Bishop (UT) Black Blackburn Blum Bost Boustany Brady (TX) Brat Bridenstine Brooks (AL) Brooks (IN) Buchanan Buck Bucshon Burgess Byrne Calvert Carter (GA) Carter (TX) Chabot Chaffetz Clawson (FL) Coffman Cole Collins (GA) Collins (NY) Comstock Conaway Cook Costello (PA) Cramer Crawford Crenshaw Culberson Curbelo (FL) Denham Dent DeSantis DesJarlais Diaz-Balart Dold Duffy Duncan (SC) Duncan (TN) Ellmers (NC) Emmer (MN) Farenthold Fincher Fitzpatrick Fleischmann Fleming Flores Forbes Fortenberry Foxx Franks (AZ) Frelinghuysen Garrett Gibbs Gibson Gohmert Goodlatte Gosar Gowdy Granger Graves (GA) Graves (LA) Griffith Grothman Guinta Guthrie Hanna Hardy Harper Harris Hartzler Heck (NV) Hensarling Herrera Beutler Hice, Jody B. Hill Holding Hudson Huelskamp Huizenga (MI) Hultgren Hunter Hurd (TX) Hurt (VA) Issa Jenkins (KS) Jenkins (WV) Johnson (OH) Johnson, Sam Jolly Jordan Joyce Katko Kelly (PA) King (IA) King (NY) Kinzinger (IL) Kline Knight Labrador LaMalfa Lamborn Lance Latta LoBiondo Long Loudermilk Love Lucas Luetkemeyer Lummis MacArthur Marchant Marino Massie McCarthy McCaul McClintock McHenry McKinley McMorris Rodgers McSally Meadows Meehan Messer Mica Miller (FL) Miller (MI) Moolenaar Mooney (WV) Mullin Mulvaney Murphy (PA) Neugebauer Newhouse Noem Nugent Nunes Palazzo Palmer Paulsen Pearce Perry Pittenger Pitts Poe (TX) Poliquin Pompeo Posey Price, Tom Ratcliffe Reed Reichert Renacci Ribble Rice (SC) Rigell Roby Roe (TN) Rogers (AL) Rogers (KY) Rohrabacher Rokita Rooney (FL) Ros-Lehtinen Roskam Ross Rothfus Rouzer Royce Russell Ryan (WI) Salmon Sanford Scalise Schweikert Scott, Austin Sensenbrenner Sessions Shimkus Shuster Simpson Smith (MO) Smith (NE) Smith (NJ) Smith (TX) Stefanik Stewart Stivers Stutzman Thompson (PA) Thornberry Tiberi Tipton Turner Upton Valadao Wagner Walberg Walden Walker Walorski Walters, Mimi Weber (TX) Webster (FL) Wenstrup Westerman Westmoreland Whitfield Williams Wilson (SC) Wittman Womack Woodall Yoder Yoho Young (AK) Young (IA) Young (IN) Zeldin Zinke NOT VOTING--13 Boyle, Brendan F. Davis, Rodney Eshoo Graves (MO) Hastings Kaptur Lipinski Moore Olson Pallone Smith (WA) Speier Trott {time} 1153 Mr. RICHMOND changed his vote from ``no'' to ``aye.'' So the motion to recommit was rejected. The result of the vote was announced as above recorded. The SPEAKER pro tempore. The question is on the passage of the bill. The question was taken; and the Speaker pro tempore announced that the ayes appeared to have it. Recorded Vote Mr. McCAUL. Mr. Speaker, I demand a recorded vote. A recorded vote was ordered. The SPEAKER pro tempore. This is a 5-minute vote. The vote was taken by electronic device, and there were--ayes 355, noes 63, not voting 13, as follows: [Roll No. 173] AYES--355 Abraham Adams Aderholt Aguilar Allen Amodei Ashford Babin Barletta Barr Barton Beatty Benishek Bera Beyer Bilirakis Bishop (GA) Bishop (MI) Bishop (UT) Black Blackburn Blum Bonamici Bost Boustany Brady (TX) Brooks (AL) Brooks (IN) Brown (FL) Brownley (CA) Buchanan Buck Bucshon Burgess Bustos Butterfield Byrne Calvert Capps Caardenas Carney Carson (IN) Carter (GA) Carter (TX) Castor (FL) Castro (TX) Chabot Chaffetz Clarke (NY) Clawson (FL) Clay Cleaver Clyburn Coffman Cohen Cole Collins (GA) Collins (NY) Comstock Conaway Connolly Cook Cooper Costa Costello (PA) Cramer Crawford Crenshaw Crowley Cuellar Culberson Cummings Curbelo (FL) Davis (CA) Davis, Danny DeFazio DeGette Delaney DelBene Denham Dent DeSantis DeSaulnier Diaz-Balart Dingell Doggett Dold Duckworth Duffy Duncan (SC) Duncan (TN) Ellmers (NC) Emmer (MN) Engel Farenthold Farr Fincher Fitzpatrick Fleischmann Flores Forbes Fortenberry Foster Foxx Frankel (FL) Franks (AZ) Frelinghuysen Fudge Gabbard Gallego Garamendi Gibbs Gibson Goodlatte Gowdy Graham Granger Graves (GA) Green, Al Green, Gene Griffith Grothman Guthrie Gutieerrez Hahn Hanna Hardy Harper Harris Hartzler Heck (NV) Heck (WA) Hensarling Herrera Beutler Hice, Jody B. Higgins Hill Himes Hinojosa Holding Honda Hoyer Hudson Huffman Huizenga (MI) Hultgren Hunter Hurd (TX) Hurt (VA) Israel Jackson Lee Jeffries Jenkins (KS) Jenkins (WV) Johnson (GA) Johnson (OH) Johnson, Sam Jolly Joyce Katko Keating Kelly (IL) Kelly (PA) Kennedy Kildee Kilmer Kind King (IA) King (NY) Kinzinger (IL) Kirkpatrick Kline Knight Kuster LaMalfa Lamborn Lance Langevin Larsen (WA) Latta Lawrence Levin Lewis LoBiondo Loebsack Lofgren Long Loudermilk Love Lowey Lucas Luetkemeyer Lujan Grisham (NM) Lujaan, Ben Ray (NM) Lummis Lynch MacArthur Maloney, Carolyn Maloney, Sean Marchant Marino Matsui McCarthy McCaul McClintock McCollum McDermott McHenry McKinley McMorris Rodgers McNerney McSally Meadows Meehan Meeks Meng Messer Mica Miller (FL) Miller (MI) Moolenaar Moulton Mullin Mulvaney Murphy (FL) Murphy (PA) Napolitano Neal Neugebauer Newhouse Noem Norcross Nugent Nunes O'Rourke Palazzo Palmer Pascrell Paulsen Payne Pearce Pelosi Perlmutter Perry Peters Peterson Pittenger Pitts Poe (TX) Poliquin Pompeo Posey Price (NC) Price, Tom Quigley Rangel Ratcliffe Reed Reichert Renacci Ribble Rice (NY) Rice (SC) Richmond Rigell Roby Roe (TN) Rogers (AL) Rogers (KY) Rohrabacher Rokita Rooney (FL) Ros-Lehtinen Roskam Ross Rothfus Rouzer Roybal-Allard Royce Ruiz Ruppersberger Rush Russell Ryan (WI) [[Page H2446]] Saanchez, Linda T. Sanchez, Loretta Scalise Schakowsky Schiff Schrader Schweikert Scott (VA) Scott, Austin Scott, David Sensenbrenner Sessions Sewell (AL) Sherman Shimkus Shuster Simpson Sinema Sires Smith (MO) Smith (NE) Smith (NJ) Smith (TX) Stefanik Stewart Stivers Stutzman Swalwell (CA) Takai Thompson (CA) Thompson (MS) Thompson (PA) Thornberry Tiberi Tipton Titus Torres Turner Upton Valadao Vargas Veasey Vela Visclosky Wagner Walberg Walden Walker Walorski Walters, Mimi Walz Watson Coleman Weber (TX) Webster (FL) Wenstrup Westerman Westmoreland Whitfield Williams Wilson (FL) Wilson (SC) Wittman Womack Woodall Yoder Yoho Young (AK) Young (IA) Young (IN) Zeldin Zinke NOES--63 Amash Bass Becerra Blumenauer Brady (PA) Brat Bridenstine Capuano Cartwright Chu, Judy Cicilline Clark (MA) Conyers Courtney DeLauro DesJarlais Deutch Doyle, Michael F. Edwards Ellison Esty Fattah Fleming Garrett Gohmert Gosar Graves (LA) Grayson Grijalva Guinta Huelskamp Issa Johnson, E. B. Jones Jordan Labrador Larson (CT) Lee Lieu, Ted Lowenthal Massie McGovern Mooney (WV) Nadler Nolan Pingree Pocan Polis Ryan (OH) Salmon Sanford Sarbanes Serrano Slaughter Takano Tonko Tsongas Van Hollen Velaazquez Wasserman Schultz Waters, Maxine Welch Yarmuth NOT VOTING--13 Boyle, Brendan F. Davis, Rodney Eshoo Graves (MO) Hastings Kaptur Lipinski Moore Olson Pallone Smith (WA) Speier Trott {time} 1203 So the bill was passed. The result of the vote was announced as above recorded. A motion to reconsider was laid on the table. ____________________