National Cybersecurity and Critical Infrastructure Protection Act of 2013

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 is a bill that would amend the Homeland Security Act of 2002 to require the Secretary of the Department of Homeland Security (DHS) to conduct cybersecurity activities on behalf of the federal government and would codify the role of DHS in preventing and responding to cybersecurity incidents involving the Information Technology (IT) systems of federal civilian agencies and critical infrastructure in the United States.

The bill was introduced in the United States House of Representatives during the 113th United States Congress.

Provisions of the bill
This summary is based largely on the summary provided by the Congressional Research Service, a public domain source.

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 would amend the Homeland Security Act of 2002 to require the United States Secretary of Homeland Security to conduct cybersecurity activities, including the provision of shared situational awareness among federal entities to enable real-time, integrated, and operational actions to protect from, prevent, mitigate, respond to, and recover from cyber incidents.

The bill would define "cyber incident" as an incident resulting in, or an attempt to cause an incident that, if successful, would: (1) jeopardize the security, integrity, confidentiality, or availability of an information system or network or any information stored on, processed on, or transiting such a system; (2) violate laws or procedures relating to system security, acceptable use policies, or acts of terrorism against an information system or network; or (3) deny access to or degrade, disrupt, or destruct an information system or network or defeat an operations or technical control of such a system or network.

The bill would direct the Secretary to coordinate with federal, state, and local governments, critical infrastructure owners and operators, and other cross-sector coordinating entities to: (1) facilitate a national effort to strengthen and maintain critical infrastructure from cyber threats; (2) ensure that United States Department of Homeland Security (DHS) policies and procedures enable critical infrastructure owners and operators to receive appropriate and timely cyber threat information; (3) seek industry sector-specific expertise to develop voluntary security and resiliency strategies and to ensure that the allocation of federal resources is cost effective and reduces burdens on critical infrastructure owners and operators; (4) upon request, provide risk management assistance to entities and education to critical infrastructure owners and operators; and (5) coordinate a research and development strategy for cybersecurity technologies.

The bill would direct the Secretary: (1) to manage federal efforts to secure federal civilian information systems (excluding national security, United States Department of Defense (DOD), military, and intelligence community systems) and, upon request, to support the efforts of critical infrastructure owners and operators to protect against cyber threats; (2) to direct a DHS entity to serve as a federal civilian entity by and among federal, state, and local governments, private entities, and critical infrastructure sectors to share cyber threat information; (3) to promote national awareness and educate the public regarding information system security; (4) upon request, to facilitate cyber incident response and recovery assistance and provide analysis and warnings related to threats to, and vulnerabilities of, critical information systems, crisis and consequence management support, and other remote or on-site technical assistance to federal, state, and local government entities and private entities for cyber incidents affecting critical infrastructure; and (5) engage with international partners.

The bill would require the Secretary to: (1) designate critical infrastructure sectors; and (2) recognize, for each sector, a Sector Coordinating Council (SCC) and at least one Information Sharing and Analysis Center (ISAC).

The bill would permit to be included as critical infrastructure sectors:


 * chemical;
 * commercial facilities;
 * communications;
 * critical manufacturing;
 * dams;
 * Defense Industrial Base;
 * emergency services;
 * energy;
 * financial services;
 * food and agriculture;
 * government facilities;
 * healthcare and public health;
 * information technology;
 * nuclear reactors, materials, and waste;
 * transportation systems; and
 * water and wastewater systems.

The bill would require SCCs to: (1) be composed of small, medium, and large critical infrastructure owners and operators, private entities, and representative trade associations; and (2) serve as a self-governing, self-organized, primary policy, planning, and strategic communications entity for coordinating with DHS, sector-specific agencies, and ISACs on security and resilience activities and emergency response and recovery efforts.

The bill would allow the Secretary to enter contracts with private entities that provide electronic communication, remote computing, or cybersecurity services. Prohibits causes of action against private entities that provide such assistance to the Secretary.

The bill would establish the National Cybersecurity and Communications Integration Center as a federal civilian information sharing interface to: (1) provide shared situational awareness to enable real-time, integrated, and operational actions across the federal government; and (2) share cyber threat information among federal, state, and local government entities, ISACs, private entities, and critical infrastructure owners and operators that have information sharing relationships.

The bill would require the Secretary to establish Cyber Incident Response Teams to provide technical assistance and recommendations to federal, state, and local government entities, private entities, and critical infrastructure owners and operators.

The bill would direct the Secretary, in coordination with SCCs, ISACs, and federal, state, and local governments, to develop, regularly update, and exercise a National Cybersecurity Incident Response Plan.

The bill would require the Secretary to develop a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of DHS cybersecurity personnel, including a 5-year recruitment plan and 10-year projections of workforce needs.

The bill would redesignate the National Protection and Programs Directorate as the Cybersecurity and Infrastructure Protection Directorate.

The bill would direct the National Institute of Standards and Technology (NIST) to facilitate and support the development of a voluntary, industry-led set of standards and processes to reduce cyber risks to critical infrastructure. Prohibits NIST from requiring the use of specific solutions, products, services, or manufacturing or design techniques.

The bill would require the Secretary to: (1) meet biannually with each SCC, and (2) submit annual reports to Congress on the state of cybersecurity in each sector.

The bill would expand liability protections for technology providers under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 to include designated cybersecurity technologies deployed in defense of qualifying cyber incidents, which include: (1) unlawful or unauthorized access incidents; (2) disruption of the integrity, operation, confidentiality, or availability of programmable electronic devices or communication networks; (3) misappropriation, corruption, or disruption of data, assets, information, or intellectual property; and (4) harm inside or outside the United States that results in damages, disruptions, or casualties severely affecting the U.S. population, infrastructure, economy, national morale, or federal, state, local, or tribal government functions.

The bill would prohibit this Act from being construed to: (1) create or authorize any new regulations or additional federal government regulatory authority, or (2) authorize the appropriation of any additional funds.

Congressional Budget Office report
''This summary is based largely on the summary provided by the Congressional Budget Office, as ordered reported by the House Committee on Homeland Security on February 5, 2014. This is a public domain source.''

H.R. 3696 would amend the Homeland Security Act of 2002 to require the Secretary of the Department of Homeland Security (DHS) to conduct cybersecurity activities on behalf of the federal government and would codify the role of DHS in preventing and responding to cybersecurity incidents involving the Information Technology (IT) systems of federal civilian agencies and critical infrastructure in the United States.

Although DHS currently conducts many of the activities covered by H.R. 3696 and has received approximately $800 million so far in fiscal year 2014 for its cybersecurity activities, some provisions in the bill would expand existing programs, provide additional authorities, or add new requirements beyond the agency's current efforts. Assuming the appropriation of the necessary amounts, the Congressional Budget Office (CBO) estimates that implementing the bill would cost an additional $160 million over the 2015-2019 period.

Pay-as-you-go procedures do not apply to this legislation because it would not affect direct spending or revenues.

H.R. 3696 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA).

Procedural history
The National Cybersecurity and Critical Infrastructure Protection Act of 2013 was introduced into the United States House of Representatives on December 11, 2013, by Rep. Michael T. McCaul (R, TX-10). It was referred to the United States House Committee on Homeland Security, the United States House Committee on Science, Space and Technology, the United States House Committee on Oversight and Government Reform, the United States House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, and the United States House Science Subcommittee on Research and Technology. On July 23, 2014, the bill was reported (amended) alongside House Report 113-550 part 1. On July 28, 2014, the House voted to pass the bill in a voice vote.

Debate and discussion
Rep. McCaul said that the bill was "an important step toward addressing the cyber threat." According to McCaul, the bill "establishes a true partnership between DHS and the private sector to ensure the distribution of real-time cyber threat information in order to secure our nation in cyberspace without burdensome mandates or regulations."

Rep. Bennie Thompson (D-MS) also supported the bill, saying that passage would mean the House has "taken meaningful action to move the ball forward on improving our Nation's cybersecurity posture."

Rep. Pat Meehan (R-PA) co-sponsored the bill, arguing that "it's only a matter of time before our power grids or financial networks are the latest victims of hackers." Meehan pointed to cyber attacks on Target Corporation, Neiman Marcus, and White Lodging as evidence of the dangers to American companies and consumers.

The American Civil Liberties Union, Boeing, AT&T, and Pepco Holdings all wrote letters in support of the legislation.