House Homeland Security Committee Passes DHS Cybersecurity Bill

The House Cybersecurity Subcommittee cleared HR-3696 in January, adding in language addressing data breaches and limiting the collection of personally identifiable information (PII) (CD Jan 16 p6). One of several amendments added to HR-3696 Wednesday also addressed data breaches and protections for PII, but Rep. Loretta Sanchez, D-Calif., ultimately withdrew a controversial amendment that would have addressed PII protections during U.S. Customs and Border Protection searches. The revised version of the bill offered Wednesday, in the form of a manager’s amendment, would also require DHS to issue a report detailing the extent it fills jobs using contractors.

Sanchez withdrew her amendment amid concerns voiced by committee Republicans that it would place an undue burden on CBP officers, could lead to larger consequences for other law enforcement searches and could ultimately damage HR-3696. Sanchez’s amendment would have provided what she called “safeguards” for any PII that CBP retains from devices it examines during a border search. Rep. Michael McCaul, R-Texas, and other Republicans said DHS already has established practices in place to protect PII during device searches, but Sanchez argued it was necessary to codify those practices into law.

DHS said it was willing to accept most of a revised version of the Sanchez amendment, but objected to a provision that would have required the department to provide written notification when PII collected in a search is potentially exposed to a data breach. McCaul said he was unwilling to support the amendment without additional changes, saying he was “concerned about unintended consequences” of potentially imprecise language. Sanchez agreed to withdraw it from consideration at the committee level, but said she plans to reintroduce it for full House consideration following a planned collaboration with Rep. Mark Sanford, R-S.C. Sanford offered to collaborate because he believed debate was reaching an “impasse."

Rep. Ron Barber, D-Ariz., successfully added an amendment that would require DHS to develop risk-based and performance-based cybersecurity standards for .gov websites, including Healthcare.gov. The amendment “leaves no doubt that Congress intends DHS to manage the federal civilian network in a way that targets real threats and vulnerabilities and keeps safe the private information of the American people,” Barber said.

The committee approved four amendments from Rep. Susan Brooks, R-Ind., that would address cyber preparedness on public safety communications networks. The amendments would require the National Cybersecurity and Communications Integration Center and DHS’s Office of Intelligence and Analysis to share potential cyberthreat information in order to “gain a complete picture” of cyberthreats. The amendments would also require NCCIC to work with the DHS Office of Emergency Communications to evaluate cybersecurity vulnerabilities in emergency communications networks. Brooks said hackers were able to infiltrate the Emergency Alert System in February 2013, allowing them to broadcast a fake “zombie attack” warning. The EAS hacking was one of the several incidents that Republicans on the Senate Homeland Security Committee referenced in a report released Tuesday criticizing federal agencies’ lack of cybersecurity preparedness (CD Feb 5 p8). Brooks’ amendments would also require NCCIC to participate in National Exercise Program drills when they involve cybersecurity incidents. The amendments would mandate regular updates to the National Response Plan’s Cyber Incident Annex, which has not been updated since its 2004 release.

Rep. Sheila Jackson Lee, D-Texas, successfully added five amendments that would ensure what she called a “unity of effort between DHS and cybersecurity infrastructure owners and operators.” The amendments’ provisions would direct DHS to improve its coordination with critical infrastructure sector coordinating councils, conduct cybersecurity outreach to colleges and universities and explore the feasibility of creating a visiting security research program at DHS.

The committee approved an amendment from Rep. Eric Swalwell, D-Calif., that would require DHS to work with the Department of Energy’s national laboratories on its cybersecurity initiatives. He withdrew another amendment, which would have required the secretary of homeland security to explain in the Federal Register why a particular critical infrastructure entity qualified for liability protections for cybersecurity work under the SAFETY Act. Swalwell agreed to withdraw the amendment after McCaul promised to work with him on language in a committee report on the bill that would urge DHS to be transparent on why a company’s cyber work qualifies it for liability protection.

The committee also passed an amendment from Rep. Donald Payne, D-N.J., that would insert language from his Saving More American Resources Today Grid Study Act (HR-2962), which would require the National Research Council to work with DHS and other agencies to conduct a study of options for strengthening the U.S. electrical grid against cyberattacks, physical attacks and natural disasters. The National Electrical Manufacturers Association praised the committee for including HR-2962’s language in HR-3696, with NEMA President Evan Gaddis saying in a statement that “cyber threats are a major challenge as we transition to a modern electric grid.”