The House of Representatives passed two complimentary bills related to cybersecurity, the “Protecting Cyber Networks Act” (H.R. 1560) and the “National Cybersecurity Protection Advancement Act of 2015” (H.R. 1731). These bills provide, among other things, liability protection for (1) the use of monitoring and defensive measures to protect information systems, and (2) the sharing of cybersecurity threat information amongst non-federal entities and with the federal government. With the Senate having just recently overcome disagreement on sex trafficking legislation and the Attorney General nomination, that body is now expected to consider similar information sharing legislation entitled the “Cybersecurity Information Sharing Act” (S. 754) in the coming weeks. Assuming S. 754 also is passed by the Senate, the two Chambers of Congress will convene a Conference Committee to draft a single piece of legislation which will be then voted on by the House and Senate, before heading to the President’s desk. The White House has not committed to signing any resulting legislation, but has signaled some positive support.
H.R. 1560, passed by the House on April 22, provides liability protection for companies and other non-federal entities that share cybersecurity threat information with each other and with civilian agencies in the federal government – in other words, agencies other than the Department of Defense (“DoD”) and its National Security Agency (“NSA”). H.R. 1560, however, also authorizes a government agency receiving cybersecurity threat information to instantly share that information with any other appropriate federal agency, including the DoD and NSA. Sponsored by Representatives Devin Nunes (R-CA) and Adam Schiff (D-CA), the Chairman and Ranking Member of the House Intelligence Committee, H.R. 1560 enjoyed strong bipartisan support throughout the legislative process, reflected in the House’s 307-116 vote. Representatives Joe Barton (R-TX) and Diana DeGette (D-CO), the co-chairs of the Congressional Bipartisan Privacy Caucus, both voted against the bill, however, as did Congressman Jared Polis (D-CO), who said H.R. 1560 “falls short of its goals and likely does more than good . . . [by] raising enormous concerns about the inappropriate sharing of personal information and surveillance on Americans’ private lives.”
The next day, the House passed H.R. 1731, a bill sponsored by Representative Michael McCaul (R-TX), Chairman of the House Homeland Security Committee, which designates the U.S. Department of Homeland Security’s (“DHS”) National Cybersecurity and Communication Integration Center as the lead federal civilian interface for cybersecurity threat information sharing. As with H.R. 1560, H.R. 1731 also allows DHS to instantly share cybersecurity threat information it receives with any appropriate federal agency, including the NSA. Strong bipartisan support allowed the House to pass information sharing legislation with an overwhelming majority, 355 to 63. During consideration of the bill, a series of amendments were adopted, including one refining the definition of cyber “incident” to explicitly restrict information sharing to incidents that are directly related to protecting information systems.
House leadership’s decision to act on H.R. 1560 and H.R. 1731 as part of the House’s “Cyber Week” comes amid concern that upcoming Congressional action to reauthorize PATRIOT Act provisions set to expire on June 1 could bog information sharing legislation down in debate on NSA reform. Notably, information sharing legislation was effectively foreclosed in the last Congress when an NSA reform bill was voted down in the Senate late in 2014. As noted by H.R. 1560’s co-sponsor Rep. Schiff, however, himself a privacy advocate, “[t]he prospects for successful passage of cyber legislation has gone up dramatically.”