The House of Representatives this month approved a pair of cybersecurity bills designed to promote data protection and information sharing on cyber threats, while preserving the Republican majority’s pledge to avoid new cyber-related regulations from the federal government.
H.R. 1731, the “National Cybersecurity Protection Advancement Act,” passed the House following its approval by the Homeland Security Committee, while H.R. 1560, the “Protecting Cyber Networks Act,” won passage after being reported out of the House Intelligence Committee.
Taken together, the two bills would: establish voluntary standards for public and private sector entities to follow when sharing sensitive cyber threat information with federal officials and with each other; authorize network operators to monitor networks for cyber threats and take “defensive measures” when threats are identified; and provide liability protections for activities related to carrying out these objectives.
While the bills seek to encourage a wide swath of network operators to share cyber threat information and build robust cyber defenses, early versions appeared to exclude most municipal utility agencies – such as public water systems – from receiving the same monitoring authorizations and liability protections as their private sector counterparts. This was amended when the bills went to the House floor, as the bills’ definitions of “private entities” subject to the legislation’s provisions were expanded to cover local government agencies that perform utility services.
In a letter to the bills’ sponsors, AMWA and other water and wastewater utility organizations expressed support for the bills’ “non-regulatory approach” to cybersecurity, and praised the language clarifying the ability of water systems to take part in the bills’ information sharing and network security initiatives.
According to a Homeland Security Committee summary of H.R. 1731, the bill would recognize the National Cybersecurity Communications Integration Center (NCCIC) as the lead federal agency for sharing information about cyber risks and incidents while encouraging and incentivizing the private sector to share cyber threat information with the government and with other stakeholders.
Similarly, H.R. 1560 would direct the Director of National Intelligence to develop procedures for sharing information “about imminent or ongoing cyber threats” with the stakeholder community, including municipal utility systems. Water utilities and other network operators would be authorized to monitor networks for cyber threats and respond with “defensive measures” in cyberspace when threats are detected. Indicators of cyber threats and effective responses could be shared across sectors, but network operators would have to implement security controls to prevent unauthorized access while also making efforts to remove data that could be used to identify individual customers. To encourage participation, liability protections would be offered for activities related to monitoring, sharing, or receiving information under the bill.
In a statement on H.R. 1731, Chairman McCaul warned that a major cyber attack could, among other things, “cut off the water supply,” and said the legislation is necessary to establish a “safe harbor” that will incentivize network operators to share cyber threat information with NCCIC and with each other.
The legislation will now be sent to the U.S. Senate, where lawmakers are expected to soon unveil their own cybersecurity proposal.