12.18.15

Landmark Cybersecurity Legislation Included in Omnibus Passes House

WASHINGTON, D.C. – Every day, our government and businesses are under attack. Countries such as China, Russia, Iran, and North Korea carry out cyber-attacks, while cyber thieves steal the intellectual property of American companies, and criminals and hacktivists hack the personal information of Americans. The hacks of the Office of Personnel Management (OPM), State Department, White House, health insurer Anthem, Sony Pictures, and Target are only the most recent examples of this growing threat. To defend America’s vital digital networks, the government and private sector must work together.

The Cybersecurity Act, landmark legislation included in the Omnibus, protects our nation’s private sector and federal networks which are under continuous threat from foreign hackers and cyber terrorists. Many of the provisions originated in H.R. 1731, the National Cybersecurity Protection Advancement Act, which was introduced by Homeland Security Committee Chairman Michael McCaul (R-TX) and overwhelmingly passed the House on April 23, 2015 by a vote of 355-63.

DHS Portal

“It is vital to have DHS as the sole portal for companies to voluntarily share information with the federal government while expressly prohibiting the military and NSA from potentially becoming a portal,” said Chairman McCaul. “Given DHS’ clearly defined and prominent lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee will have strong oversight hearings to ensure effective implementation of this measure and to protect Americans’ privacy and civil liberties.”

Liability Protections

“It is extremely important for private companies that voluntarily share cyber threat indicators and defensive measures with DHS, or each other, to have liability protections to ensure they are shielded from the threat of unfounded litigation,” said Chairman McCaul. “This will better secure public and private networks.”

Protection of .gov

“Enhancing DHS’s ability to more effectively secure federal networks is something I have personally been working hard to enact since introducing H.R. 3313, the Federal Defense of Cyber Networks Act,” said Chairman McCaul. “In light of the OPM breach, this provision ensures our federal cyber networks are able to defend against nation-states like China, Russia, Iran, and North Korea and terrorist threats. Furthermore, this streamlines the Federal government’s ability to more effectively identify and thwart cyber-attacks.”

Background

The Cybersecurity Act creates a voluntary cybersecurity information sharing process that will encourage public and private sector entities to share cyber threat information, without legal barriers and the threat of unfounded litigation—while protecting private information. This legislation also includes provisions to improve Federal network and information system security, provide assessments on the Federal cybersecurity workforce, and provide reporting and strategies on cybersecurity industry-related and criminal-related matters.

The Cybersecurity Act of 2015:

  • Establishes the Department of Homeland Security, a civilian agency, as the sole interface where companies can receive liability protections for sharing cyber threat information with the federal government.
  • Requires companies to review and remove any Personally Identifiable Information (PII) unrelated to cyber threats before sharing information with the government.
  • Requires DHS to be co-author of all the privacy procedures to ensure that the robust privacy protections already in place at DHS’ cyber operations center, the NCCIC, will be “baked” into all privacy procedures for information sharing.
  • Requires DHS to deploy intrusion detection and prevention capabilities to secure federal networks.
  • Requires DHS to utilize advanced network security tools to improve network visibility and to detect and mitigate intrusions and anomalous activity.
  • Authorizes DHS to execute intrusion detection and prevention capabilities when an imminent cyber threat to an agency information system is identified.

###