November 14, 2019

November 14, 2019

Subscribe to Latest Legal News and Analysis

November 13, 2019

Subscribe to Latest Legal News and Analysis

November 12, 2019

Subscribe to Latest Legal News and Analysis

House of Representatives Passes Three Cybersecurity Bills

On July 28, 2014, the U.S. House of Representatives (“House”) passed three cybersecurity bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696) (“NCCIP Act”), the Critical Infrastructure Research and Development Advancement Act (H.R. 2952) (“CIRDA Act”), and the Homeland Security Cybersecurity Boots-on-the-Ground Act (H.R. 3107) (“Boots-on-the-Ground Act”) with broad bipartisan support.

The NCCIP Act was introduced in December 2013 and is the most significant of the three measures.  As we noted at the time, the bill focuses primarily on strengthening the authorities of the Department of Homeland Security (“DHS”).  Under the provisions of the bill as passed by the House, the Secretary of DHS would have broad responsibilities for the protection of critical infrastructure (“CI”) from cyber threats.  Specifically, the Secretary would be charged with facilitating “a national effort to strengthen and maintain secure, functioning and resilient critical infrastructure” by seeking “industry-specific expertise” to “identify and disrupt threats” and providing “education and assistance” to CI owners and operators who request them. 

The bill also promotes several avenues for public-private collaboration to protect CI, organized by sector.  To effectuate this collaboration, the Secretary of DHS would be directed to designate different sectors of critical infrastructure, such as communications, financial services, information technology, and transportation systems.  DHS would then interact with private sector entities on a sector-specific basis through designated federal agencies and “coordinating councils.”  The sector-specific coordinating councils would be designed to “reflect the unique composition of each sector” and would include critical infrastructure owners, operators, private sector entities and trade associations.  Government entities with any “regulating authority” would be prohibited from being members of the coordinating councils.  The bill would also direct DHS, in collaboration with the relevant coordinating council, to recognize at least one Information Sharing and Analysis Center (“ISAC”) for each CI sector, to help promote information sharing along with each coordinating council.  The bill would codify the National Cybersecurity and Communications Integration Center (“NCCIC”) within DHS to promote “ongoing multi-directional sharing” of cyber threat information among federal government entities and between such entities and the private sector, including through ISACs, the coordinating councils, the U.S. Computer Emergency Readiness Team, and other stakeholders.

The NCCIP Act bill would also codify the establishment of Cyber Incident Response Teams within DHS, which would be available to provide crisis management support to critical infrastructure owners and operators on request.  In addition, the NCCIP Act also amends and expands the SAFETY Act, 6 U.S.C. §§ 441-444, which currently affords some liability protections to companies who provide qualified anti-terrorism technologies following a traditional terrorist attack.  Under the bill, these liability protections would expanded to include qualified cybersecurity technologies in the event of a range of cyberattacks (to be further defined by the Secretary of DHS), even if wholly unconnected to terrorism.

The second bill passed by the House, the CIRDA Act, would further enhance DHS’s authority to protect CI by mandating that DHS develop and update a plan for research and development of cybersecurity technologies for the protection of critical infrastructure.  The plan would be developed with stakeholders, including sector-specific coordinating councils, and focus, among other things, on identifying risks and technology gaps and prioritizing security technology needs to address such risks and gaps.  The bill also would require DHS to report to Congress on, among other things, those aspects of critical infrastructure protection that are predominately operated by the private sector and that would most benefit from rapid security technology advancement.  The bill would also expand DHS’s Technology Clearinghouse, established pursuant to 6 U.S.C. § 193, to promote “rapidly sharing proven technology solutions for protecting critical infrastructure.”

Finally, the third bill passed by the House, the Cybersecurity-Boots-on-the-Ground Act, is focused largely on improving the DHS cyber work force.  It directs the Security of DHS to “assess the readiness and capacity” of the DHS workforce “to meet its cybersecurity mission.”  To this end, the bill requires the Secretary to establish uniform cybersecurity occupation classifications, assess the cybersecurity workforce, and develop a strategy to develop and recruit cybersecurity employees.

 The three bills now proceed to the U.S. Senate for further consideration.

© 2019 Covington & Burling LLP


About this Author

David Fagan, Data privacy attorney, Covington

David Fagan co-chairs the firm’s top ranked practice on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and also leads the firm’s cyber and data security incident response practice. Mr. Fagan is rated by Chambers USA and Chambers Global for his leading expertise in CFIUS matters and privacy and data security, and was named as a ...

Richard Hertling, Covington, public policy lawyer
Of Counsel

Richard Hertling provides regulatory and legislative advice and guidance and lobbying to a diverse set of clients in a range of industries. He joined the firm after more than 27 years of federal government service that included senior positions in both Houses of Congress and the Justice Department, during which he was respected for developing strategic and tactical approaches to advance legislation. He brings those same skills to bear for clients with complex policy challenges.

While holding senior positions on Capitol Hill and at the Department of Justice, Mr. Hertling handled intellectual property (including patents, copyrights, music licensing, and trade secrets), technology policy, cybersecurity, taxation, antitrust, immigration, communications, administrative and regulatory law and procedure, civil justice reform, and criminal justice issues.  He led numerous oversight efforts, both as an investigator in Congress and in responding to oversight requests when at the Justice Department.  He also played a key staff role in the drafting and enactment of dozens of significant laws.