House Cybersecurity Legislation
The House Homeland Security Committee is currently circulating a revised draft of the National Cybersecurity and Critical Protection Act (NCCIP), the committee’s cybersecurity legislation. The bill would codify many of the current cybersecurity roles of the U.S. Department of Homeland Security (DHS), including the National Cybersecurity and Communications Integration Center (NCCIC). The bill also includes identical language from the Senate Commerce, Science and Transportation Committee legislation, the Cybersecurity Act of 2013 (S. 1353), which was marked up by the Committee at the end of July. The language builds on existing authorities of the National Institute of Standards and Technology (NIST) and focuses on efforts to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure. The bill is likely to be officially introduced and marked up in the coming weeks.
Senate Cybersecurity Legislation
While the Senate Commerce, Science and Transportation Committee marked up its bill prior to the August recess, the Senate Homeland Security and Governmental Affairs Committee and Senate Intelligence Committee are also expected to introduce separate cybersecurity bills this year. In addition, Senate Judiciary Subcommittee on Crime and Terrorism Chairman Sheldon Whitehouse (D-RI) and Ranking Member Lindsey Graham (R-SC) have been circulating draft legislation to enhance U.S. criminal laws against trade secrets theft, particularly by means of computer hacking from foreign countries.
Executive Branch Activity
DHS Undersecretary for Cybersecurity
In August, DHS named Phyllis Schneck, Vice President and Chief Technology Officer at McAfee, as the next Undersecretary for Cybersecurity after Mark Weatherford’s departure from DHS in May. Schneck will play a key role at the Department as DHS continues to implement President Obama’s Executive Order (EO).
NIST Cybersecurity Framework Workshop
The next NIST Cybersecurity Framework workshop will take place September 11-13 in Dallas, Texas. Last week, NIST released a discussion draft of the Framework in preparation for the workshop. After reviewing feedback from stakeholders that attend next week’s workshop, NIST will release its draft Cybersecurity Framework in October, as required by the EO. A final version of the Cybersecurity Framework is due in February 2014.
Incentives for Critical Infrastructure
As part of the EO, the Departments of Homeland Security, Commerce and the Treasury were required to compile a list of incentives for critical infrastructure that would be needed to promote participation in the voluntary NIST Cybersecurity Framework. The Departments released their recommendations in August which included incentives such as limited protections from legal liability, expedited security clearance approval, technical assistance, procurement considerations and other recommended incentives for entities that participate in the Cybersecurity Framework. Many of the incentives will require additional legislation before they can be implemented.