House Homeland Security introduces new critical infrastructure cybersecurity bill

Prospects for Rockefeller-Thune NIST bill diminished

A bipartisan cybersecurity bill introduced Wednesday by members of the House Homeland Security Committee would codify the department's existing governmentwide civilian agency cybersecurity duties and require it to analyze its current public-private partnership model with critical infrastructure sectors to ensure that owners and operators "are equal partners and regularly collaborate on all programs and activities" of DHS to protect critical infrastructure.

The bill (H.R. 3696) states explicitly that it would not create any new federal regulatory authority, nor would it authorize additional money for DHS; it says the act would have to be "carried out using the amount otherwise available."

Its sponsors are Reps. Michael McCaul (R-Texas) and Bennie Thompson (D-Miss.), the chairman and ranking member of the committee, respectively, as well as Reps. Patrick Meehan (R-Pa.) and Yvette Clarke (D-N.Y.), the chairman and ranking member, respectively, of the cybersecurity, infrastructure protection and security technologies subcommittee.

The bill does not include a provision for the sharing of cyber threat information from the private sector – an issue heavy with privacy implications that has helped derail other cybersecurity bills over the past two years.

It does call for the homeland security secretary to coordinate a "national effort to strengthen and maintain secure, functioning and resilient critical infrastructure from cyber threats" and to ensure that DHS policies and procedures enable critical infrastructure owners and operators "to receive real-time, actionable and relevant cyber threat information."

It also says that DHS should, "upon request," undertake a number of measures to assist the private sector, such as assisting with risk management, providing education and assistance, and assisting with incident response and recovery.

The bill doesn't reference the cybersecurity framework for critical infrastructure systems being developed by the National Institute of Standards and Technology.

The prospects for an unrelated Senate bill that would codify the framework into law have diminished somewhat. Sen. Jay Rockefeller (D-W. Va.) attached a bill (S. 1353) voted out of the Commerce, Science and Transportation Committee, which he chairs, as an amendment to the fiscal 2014 national defense authorization act. The bill is co-sponsored by the committee's ranking member, Sen. John Thune (R-S.D.).

But a compromise NDAA unveiled Dec. 10 by the Senate and House armed services committees doesn't include the Rockefeller language; a Senate Armed Services Committee spokeswoman said it encountered opposition in the Senate.

