A House subcommittee approved a critical infrastructure cybersecurity bill in early February as action began to heat up on one of the year’s top security issues before Congress.
On February 1 the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies marked up and approved H.R. 3674, the “Protecting and Enhancing Cybersecurity Information Sharing Effectiveness (PrECISE) Act,” legislation sponsored by subcommittee chairman Dan Lungren (R-Calif.). The bill would introduce the first federal cybersecurity standards for critical infrastructure assets whose “destruction or disruption” due to a cyber intrusion could lead to a significant loss of life, a major economic disruption, or mass evacuations of a major population center. The water sector is not mentioned specifically, but some major drinking water systems would likely meet this threshold due to the potential ramifications of a major cyber attack on a water utility network.
Chairman Lungren’s bill would direct DHS to work with critical infrastructure stakeholders to identify cybersecurity risks to various critical infrastructure sectors, and include these risks in annual sector risk assessments required under the National Infrastructure Protection Plan. DHS, the National Institute of Standards and Technology (NIST), and the heads of sector specific agencies with critical infrastructure oversight would then examine existing cybersecurity performance standards to identify the best methods to mitigate known cyber risks to various sectors, or develop performance standards for a sector if none exist. Sector specific agencies with oversight of covered critical infrastructure (such as EPA for the water sector) would subsequently propose rulemaking to include “the most effective and cost-efficient risk-based performance standards” for cybersecurity in that sector’s regulatory regime.
Chairman Lungren noted at the markup that these provisions have generated some concerns among private critical infrastructure operators, but argued that his framework is “less intrusive” than other proposals that would give DHS broader regulatory authority, and that “the status quo of voluntary action” on cybersecurity is “no longer acceptable.” In an attempt to address some of the concerns, an amendment was added at markup to clarify that the bill does not expand any government agency’s regulatory authority over critical infrastructure sectors beyond codifying identified risk-based performance standards. While the subcommittee approved the bill by a unanimous voice vote, several committee members expressed reservations they would like to address as the bill moves forward through the legislative process.
Another section of H.R. 3674 would establish a new National Information Sharing Organization (NISO) charged with providing technical assistance and with collecting and sharing cyberthreat information across critical infrastructure sectors and stakeholders, the private sector and the federal government. Members of NISO’s board of directors would come from the federal government and the private sector, with eight seats reserved for representatives of specific critical infrastructure sectors. The version of the bill approved by the subcommittee would guarantee a seat on the NISO board for a water sector representative, after AMWA met with committee staff to encourage the sector’s inclusion. Under the terms of the bill, each appropriate sector coordinating council and sector specific agency would recommend board appointees for the sector they oversee, and DHS officials would formally approve each appointment.
More information on the “PrECISE Act” is available at http://homeland.house.gov/markup/subcommittee-markup-hr-3674. The full Homeland Security Committee is expected to consider the bill as early as March.