House Acts on Cyber Measures

This week, the House voted to pass four cybersecurity measures dealing with improved information sharing between and across Federal agencies and between Federal agencies and the private sector, and with coordination among cyber research initiatives.

HR 624, the Cyber Intelligence Sharing and Protection Act, cosponsored by Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), respective Chair and Ranking Member of the House Permanent Select Committee on Intelligence, is the most controversial of the measures.  It is most unlikely to be taken up by the Senate and has already garnered a veto threat from President Obama.  The bill would expand sharing of cyber-threat information among private sector entities and the Federal government and enhance the security of networks from the growing cyber intrusion threat.

The Director of National Intelligence would be required to establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities and utilities, and encourage the sharing of such intelligence.  All such shared information shall: be shared only with certified entities; be consistent with the need to protect national security; and be used in a manner to protect such intelligence from unauthorized disclosure.

HR 624 also requires the head of a Federal agency receiving cyber threat information to provide such information to the National Cybersecurity and Communications Integration Center (NCCIC) and identifies requirements with respect to the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the Federal government, exempting such information from public disclosure.  The bill prohibits a civil or criminal cause of action against a protected entity, a self-protected entity, or a cybersecurity provider acting in good faith under the above circumstances.  The Federal government could use shared cyber threat information to ensure the integrity and/or safeguarding of a system or network; to investigate cybersecurity crimes; to protect individuals; and to protect national security.  The government is prohibited from affirmatively searching such information for any other purpose.  Finally, the bill provides for protection of sensitive personal documents (library records, firearm sales, tax returns, medical records, etc.).  It also prohibits Federal agencies from retaining shared information for any unauthorized use and outlines Federal liabilities for any violations of these provisions.

HR 756, the Cybersecurity Enhancement Act, was introduced by Rep. Mike McCaul (R-TX) and is designed to coordinate research and related activities conducted across Federal agencies.  It also strengthens the efforts of the National Science Foundation (NSF) and National Institute of Standards and Technology (NIST) in the areas of cybersecurity technical standards as well as cyber awareness, education, and workforce development.  The bill tasks both NSF and NIST with conducting research to improve the scientific foundations of cybersecurity; however, it clearly states that no additional funds are authorized for any of the programs identified in the bill.  The measure has been sent to the Senate for consideration.

HR 967, the Advancing America’s Networking and Information Technology Research and Development Act, introduced by Rep. Cynthia Lummis (R-WY), updates the High Performance Computing Act of 1991 and reauthorizes the Networking and Information Technology Research and Development (NITRD) program — the federal government’s central R&D investment portfolio for unclassified networking, computing, software, cybersecurity, and related information technologies.  As passed, the bill implements recommendations from the President’s Council of Advisors on Science and Technology (PCAST), including improving interagency coordination and planning with input from policy and technical experts.  The legislation rebalances R&D portfolios to focus less on short-term goals and place more emphasis on large-scale, long-term interdisciplinary research.  Finally, HR 967 convenes an interagency working group to identify cloud computing research gaps and examine the potential for using the cloud for federally funded research.  No additional funds are provided for these tasks or programs.  The measure has been sent to the Senate for consideration.

HR 1163, the Federal Information Security Amendments Act, introduced by Rep. Darrell Issa (R-CA), amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.  The bill extends the security requirements of Federal agencies to include responsibilities for:  1) complying with computer standards developed by the National Institute of Standards and Technology (NIST); 2) ensuring complementary and uniform standards for information systems and national security systems; 3) ensuring that information security management processes are integrated with budget processes; 4) securing facilities for classified information; 5) maintaining sufficient personnel with security clearances; and 6) ensuring that information security performance indicators are included in the annual performance evaluations of all managers, senior executive service personnel, and political appointees.

The bill further directs senior agency officials to test and evaluate information security controls and techniques, and conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)  Agencies shall collaborate with OMB and appropriate public and private sector security operations centers on security incidents that extend beyond the control of one agency.  Security incidents shall be reported, through an automated and continuous monitoring capability, when possible, to the Federal information security incident center, appropriate security operations centers, and agency Inspectors General.

HR 1163 also directs agencies to conduct vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems.  Finally, agencies are required to develop, implement, and oversee an agency-wide information security (AIS) program.  No additional funds are authorized for these efforts.  The bill has been sent to the Senate for consideration.