House Passes National Cybersecurity Protection Advancement Act, Will Combine With Earlier Bill

HR-1731 would establish DHS’ National Cybersecurity and Communications Integration Center (NCCIC) as the main federal civilian hub for information sharing, while HR-1560 would offer liability protections for information sharing to many federal agencies except the Department of Defense and the NSA. The House will combine the two bills into a single information sharing bill for Senate consideration, though industry observers told us the Senate faces a variety of scenarios for dealing with the combined House bill and its own Cybersecurity Information Sharing Act (S-754).

Opponents of HR-1731 were significantly sparser than they were for HR-1560, though both bills passed with overwhelming majorities. Rep. Gerry Connolly, D-Va., said he believes HR-1731 and HR-1560 require additional privacy and civil liberties protections. “I hope that the broad liability protections provided by these bills will in fact be narrowed upon further consultation with the Senate,” he said. Other speakers were strongly supportive of HR-1731. “Right now, we are in a pre-9/11 moment in cyberspace,” said House Homeland Security Committee Chairman Michael McCaul, R-Texas. “In the same way legal barriers and turf wars kept us from connecting the dots before 9/11, the lack of cyberthreat information sharing makes us as vulnerable to an attack.”

All 11 of the proposed amendments to HR-1731 that the House Rules Committee ruled were eligible for consideration easily passed. The House voted 405-8 for an amendment from Rep. Sheila Jackson Lee, D-Texas, that would require a GAO report five years after HR-1731 is enacted that would review the impact on privacy and civil liberties from information sharing via NCCIC. All other amendments passed on voice votes, including one from Rep. Mick Mulvaney, R-S.C., that would require Congress to reauthorize HR-1731 after seven years. The House passed a similar seven-year sunset amendment from Mulvaney Wednesday as part of its consideration of HR-1560. McCaul said he opposed the sunset requirement because “I’ve heard time and time again from industry and other stakeholders that a sunset would stifle the sharing of this valuable cyberthreat information. It would undermine everything that we are trying to do here today.”

Industry observers told us it will be important to watch how the provisions in the combined bill balance out. McCaul and House Intelligence Committee Chairman Devin Nunes, R-Calif., respectively, wrote HR-1731 and HR-1560 “to be complementary to each other,” said Norma Krayem, co-head of Squire Patton’s cybersecurity and data privacy practice. “We know they were working together before these bills passed, so it shouldn’t take them much time to combine them.” A combined bill will need to ensure “that the flow of information from the private sector to the government works in the bill draft, as do the privacy protections and the liability protections,” Krayem said. “You just have to make sure that the bill has a seamless approach to achieving the goal of cyber information sharing.” Unlike the DHS-centric HR-1731, a bill that also includes provisions from HR-1560 would deal with many federal agencies, which “makes the synergies really important,” she said.

There’s “a great amount of interest within the cybersecurity community in seeing a civilian face on information sharing, and that makes the [HR-1731] part of the combined bill very interesting,” said Monument Policy Group lobbyist Andrew Howell. “At the same time, there’s a great amount of interest in [HR-1560]. A lot of it really depends on your perspective and how you view the role of DHS and the role of the intelligence community in these issues.” Parties focused on the privacy and civil liberties aspects of information sharing legislation are likely to push for a stronger influence of HR-1731’s language in the combined bill, while other parties are likely to push for HR-1560’s language to dominate, he said.

The bipartisan majorities for HR-1560 and HR-1731 in the House are likely to influence how the Senate deals with the bill in relation to S-754, Howell said. “This gives the Senate an opportunity to look at these two bills and make some decisions on what they view as more passable,” he said. “There doesn’t appear to be tons of momentum behind [S-754], but there does seem to be momentum behind the combined House measure.” House and Senate leaders have sought to “get a bill to President [Barack] Obama’s desk that he will sign,” Howell said. “It’ll be up to Senate leadership to make the decision about what they view as the bill that has the best chance to [get] 60 votes.” Senate Majority Leader Mitch McConnell, R-Ky., said earlier this month that S-754 was among the bills he wanted to bring up for a Senate vote in the near future (see 1504140044), but that bill no longer appears to be a top priority in the Senate in the short term, Howell said.

The Senate could choose to take up the combined House bill instead of advancing with S-754, advance with S-754 and go to conference with the combined House bill, or advance the House bill and replace its language with the text of S-754, Krayem said. It’s unclear whether proponents of data breach notification legislation will offer data breach language as an amendment to either S-754 or to the combined House bill, Howell said. “I think a lot of folks would be attracted to it, but I don’t know if any measures have the necessary 60 votes,” he said.