The House Homeland Security Committee unanimously passed a substitute bill for the National Cybersecurity and Critical Infrastructure Protection Act of 2013 last week. The bill now heads to the full House for a floor vote.
Broadly supported by both parties, the current version of HR 3696 gives the Department of Homeland Security (DHS) the responsibility for civilian cybersecurity research and development, incident detection and response, and facilitating the exchange of cyber-threat information between government and the private sector.
If passed, the DHS would be in charge of establishing cybersecurity standards for the federal government and infrastructure networks.
“We cannot wait for a major attack to take action, and I am pleased that the Committee today unanimously passed legislation that improves DHS’s ability to defend against the many threats to our critical infrastructure,” Rep. Patrick Meehan (R-Pa), the chairman of the subcommittee on cybersecurity and one of the bill’s backers, said in a statement.
The bill, also backed by Committee Chairman Michael McCaul (R-Texas), calls for the establishment of industry sector coordinating councils under a public-private sharing model. The bill would also establish the National Cybersecurity and Communications Integration Center as a federal civilian agency within the DHS that encourages real-time cyberthreat information sharing between the private and public sectors. DHS would be prohibited from obtaining new cybersecurity
regulatory authority.
“I’m proud to say the final product is – as our friends in the ACLU have called it – both pro-security and pro-privacy,” said McCaul. “I think that is a rare concept in today’s world.”
The bill also addressed industry concerns by expanding the tort liability immunity provisions of the SAFETY Act by adding cyber-security technologies to the anti-terrorism technologies.
There is one privacy concern in the bill. The DHS would be authorized to make deals with the private organizations which “provide electronic communication services, remote computing services, or cyber-security services to acquire, intercept, retain, use, and disclose communication and other system traffic…No cause of action shall exist against private entities for assistance provided to the Secretary in accordance with this subsection,” according to the language in the bill.
As it stands, it appears that private electronic communications services will be given liability immunity for selling information about customer communications.
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including iPCMag.com where she is a networking and security analyst. She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products.