The House Homeland Security Committee debated the National Cybersecurity Protection Advancement Act today. The markup further cemented the goal to encourage the private sector to shore up its cybersecurity systems and to voluntarily share cyber threat information with the federal government.
To do that, the NCPA Act would offer liability protections for private sector businesses from lawsuits in the event they share personal information about customers. The bill also outlines privacy protocols to protect the rights of citizens who interact with those companies.
Rep. Michael McCaul (R-Texas), the committee chairman, introduced the bill yesterday. The NCPA Act would protect companies that report data to the National Cybersecurity and Communications Integration Center (NCCIC) at the Homeland Security Department. It extends protections for information sharing with other private organizations, too.
In exchange for liability protections, businesses and federal agencies must follow specific parameters in the bill to protect the privacy of the data.
Both Republicans and Democrats on the committee expressed strong support for the bill, which Rep. Bennie Thompson (D-Miss.), the ranking member, called the product of “months of bipartisan stakeholder outreach and collaboration, [and] the bill has strong privacy and civil liberties protections.”
The markup included a range of amendments that McCaul characterized as “largely bipartisan,” with many passing without controversy. Those led to some changes that added more responsibilities for some federal agencies and expanded the network responsible for collaborating on the data supplied by the private sector.
The role of NCCIC and federal watchdogs
From a privacy standpoint, NCCIC serves as the primary “portal” for information sharing on cybersecurity. The bill also strengthens the DHS Privacy Office to oversee the process, and requires private sector companies to “scrub” any personal information from reports that doesn’t impact the relevant cyber threat data.
One amendment approved during the markup today was for the Government Accountability Office to monitor the implementation of the law and NCCIC. The committee agreed GAO should continuously monitor the processes to ensure Congress is constantly apprised of performance and compliance. That performance includes both how the program handles the information sharing side of the equation, and how well it protects the privacy of citizens.
An amendment to extend the information sharing to state and local fusion centers was also approved. The fusion centers already handle a variety of threat-related information and partially rely on federal funding. NCCIC would collaborate with those fusion centers to make information about specific attacks reported by the private sector more widely available.
The committee passed another amendment that would turn the DHS secretary into a public ambassador for increasing cybersecurity awareness. The secretary would not only serve as a leader for increasing cyber hygiene among the general public, but he or she would also detail specific cyber threats as necessary to protect against and prevent future attacks.
An early amendment posed by Thompson was a sunset clause to require Congress to reappropriate the bill every five years. The reason, he said, was to address constantly changing cybersecurity threats. Sunsetting the bill would force Congress to readdress the current threat landscape and provide an opportunity to tweak the bill as needed.
That idea ultimately failed, as enough members of the committee felt the five-year sunset would discourage the private sector from investing time and resources into the information sharing process. The fear, as expressed by Rep. Will Hurd (R-Texas), could materialize as a lack of faith in the liability protections.
Instead, an amendment passed that aims to accomplish the same goal, but it places federal agencies in the spotlight. The amendment doesn’t sunset the entire bill, so all liability and privacy protections stay permanent. Instead, the reporting requirements for all federal agencies involved in the information sharing process would sunset every seven years.
That would still require Congress to readdress the NCPA Act, while cutting down on the cost of keeping and collecting every single agency compliance report. Congress would have authority over past reports to keep or discard, while also reviewing the entire process as a whole.
“I just want to thank members on both sides of the aisle,” McCaul said. “This is an important national security issue, that the Congress has to deal with to protect Americans. And that’s what this committee does. I’m very proud of the work that not only the members have done, in a full debate and the participation of the members of the staff on both sides of the aisle.”