[Congressional Record Volume 161, Number 179 (Thursday, December 10, 2015)]
[House]
[Pages H9255-H9257]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
{time} 1600
STATE AND LOCAL CYBER PROTECTION ACT OF 2015
Mr. HURD of Texas. Mr. Speaker, I move to suspend the rules and pass
the bill (H.R. 3869) to amend the Homeland Security Act of 2002 to
require State and local coordination on cybersecurity with the national
cybersecurity and communications integration center, and for other
purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 3869
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``State and Local Cyber
Protection Act of 2015''.
SEC. 2. STATE AND LOCAL COORDINATION ON CYBERSECURITY WITH
THE NATIONAL CYBERSECURITY AND COMMUNICATIONS
INTEGRATION CENTER.
(a) In General.--The second section 226 of the Homeland
Security Act of 2002 (6 U.S.C. 148; relating to the national
cybersecurity and communications integration center) is
amended by adding at the end the following new subsection:
``(g) State and Local Coordination on Cybersecurity.--
``(1) In general.--The Center shall, to the extent
practicable--
``(A) assist State and local governments, upon request, in
identifying information system vulnerabilities;
``(B) assist State and local governments, upon request, in
identifying information security protections commensurate
with cybersecurity risks and the magnitude of the potential
harm resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of a State or local government; or
``(ii) information systems used or operated by an agency or
by a contractor of a State or local government or other
organization on behalf of a State or local government;
``(C) in consultation with State and local governments,
provide and periodically update via a web portal tools,
products, resources, policies, guidelines, and procedures
related to information security;
``(D) work with senior State and local government
officials, including State and local Chief Information
Officers, through national associations to coordinate a
nationwide effort to ensure effective implementation of
tools, products, resources, policies, guidelines, and
procedures related to information security to secure and
ensure the resiliency of State and local information systems;
``(E) provide, upon request, operational and technical
cybersecurity training to State and local government and
fusion center analysts and operators to address cybersecurity
risks or incidents;
``(F) provide, in coordination with the Chief Privacy
Officer and the Chief Civil Rights and Civil Liberties
Officer of the Department, privacy and civil liberties
training to State and local governments related to
cybersecurity;
``(G) provide, upon request, operational and technical
assistance to State and local governments to implement tools,
products, resources, policies, guidelines, and procedures on
information security by--
``(i) deploying technology to assist such State or local
government to continuously diagnose and mitigate against
cyber threats and vulnerabilities, with or without
reimbursement;
``(ii) compiling and analyzing data on State and local
information security; and
``(iii) developing and conducting targeted operational
evaluations, including threat and vulnerability assessments,
on the information systems of State and local governments;
``(H) assist State and local governments to develop
policies and procedures for coordinating vulnerability
disclosures, to the extent practicable, consistent with
international and national standards in the information
technology industry, including standards developed by the
National Institute of Standards and Technology; and
``(I) ensure that State and local governments, as
appropriate, are made aware of the tools, products,
resources, policies, guidelines, and procedures on
information security developed by the Department and other
appropriate Federal departments and agencies for ensuring the
security and resiliency of Federal civilian information
systems.
``(2) Training.--Privacy and civil liberties training
provided pursuant to subparagraph (F) of paragraph (1) shall
include processes, methods, and information that--
``(A) are consistent with the Department's Fair Information
Practice Principles developed pursuant to section 552a of
title 5, United States Code (commonly referred to as the
`Privacy Act of 1974' or the `Privacy Act');
``(B) reasonably limit, to the greatest extent practicable,
the receipt, retention, use, and disclosure of information
related to cybersecurity risks and incidents associated with
specific persons that is not necessary, for cybersecurity
purposes, to protect an information system or network of
information systems from cybersecurity risks or to mitigate
cybersecurity risks and incidents in a timely manner;
``(C) minimize any impact on privacy and civil liberties;
``(D) provide data integrity through the prompt removal and
destruction of obsolete or erroneous names and personal
information that is unrelated to the cybersecurity risk or
incident information shared and retained by the Center in
accordance with this section;
``(E) include requirements to safeguard cyber threat
indicators and defensive measures retained by the Center,
including information that is proprietary or business-
sensitive that may be used to identify specific persons from
unauthorized access or acquisition;
``(F) protect the confidentiality of cyber threat
indicators and defensive measures associated with specific
persons to the greatest extent practicable; and
``(G) ensure all relevant constitutional, legal, and
privacy protections are observed.''.
(b) Congressional Oversight.--Not later than two years
after the date of the enactment of this Act, the national
cybersecurity and communications integration center of the
Department of Homeland Security shall provide to the
Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate information on the
activities and effectiveness of such activities under
subsection (g) of the second section 226 of the Homeland
Security Act of 2002 (6 U.S.C. 148; relating to the national
cybersecurity and communications integration center), as
added by subsection (a) of this section, on State and local
information security. The center shall seek feedback from
State and local governments regarding the effectiveness of
such activities and include such feedback in the information
required to be provided under this subsection.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Texas (Mr. Hurd) and the gentlewoman from Texas (Ms. Jackson Lee) each
will control 20 minutes.
The Chair recognizes the gentleman from Texas.
[[Page H9256]]
General Leave
Mr. HURD of Texas. Mr. Speaker, I ask unanimous consent that all
Members have 5 legislative days within which to revise and extend their
remarks and to include any extraneous material on the bill under
consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Texas?
There was no objection.
Mr. HURD of Texas. Mr. Speaker, I yield myself such time as I may
consume.
The need to address cybersecurity at the State and local levels is of
the utmost importance. From our local DMV offices and courthouses to
our critical infrastructure, the exploitable vulnerabilities and
possible consequences are alarming.
Yet, in the cybersecurity realm, State and local governments often do
not have access to the technical capabilities and training that the
Federal Government does.
My bill, H.R. 3869, the State and Local Cyber Protection Act, is a
critical step in the resolution of this problem.
In 2010, the National Governors Association released a statement on
the importance of cybersecurity in protecting the ability of Federal,
State, and local governments to perform their vital functions.
They stated:
``Due to the breadth and scope of the State role in entitlement
services, facilitating travel and commerce, regulatory oversight,
licensing and citizen services, states gather, process, store, and
share extensive amounts of personal information. From cradle to grave,
the states are the nexus of identity information for individuals. This
makes the states prime targets for external and internal cyber
threats.''
Cybersecurity is a shared responsibility involving all levels of
government and the private sector. While much has been done over the
last several years to improve the Nation's cybersecurity, a number of
challenges remain. This bill would allow State and local governments
access to the assistance, training, and tools, voluntarily and upon
request, that are required to secure our Nation's information systems
at every level.
This bill instructs the National Cybersecurity and Communications
Integration Center, the NCCIC, at the Department of Homeland Security
to coordinate with States and locals on securing their information
systems.
The NCCIC will do so by assisting in the identification of system
vulnerabilities and possible solutions for State and local information
security systems.
They will be developing a Web portal to communicate available tools
for States and locals, providing technical training for State and local
cybersecurity analysts, providing assistance and implementing
cybersecurity tools upon request, providing privacy and civil liberties
training, and informing States and locals on the current cybersecurity
guidelines already developed at the Federal level.
Lastly, the State and Local Cyber Protection Act would require the
NCCIC to seek feedback from State and local governments once the law is
implemented and voluntary assistance has begun in order to gauge the
effectiveness of these efforts and to ensure that progress is being
made.
The Department of Homeland Security has a substantial responsibility
to States and locals in the cyber realm as State and local systems host
a wide range of sensitive PII and critical infrastructure data, making
them especially attractive for cyberattacks. By reinforcing the
relationship between DHS and State and local governments, we are
supporting and urging for the continued development of cyber protection
for our State and local governments.
I urge all Members to join me in supporting this bill.
Mr. Speaker, I reserve the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may
consume.
I rise in support of H.R. 3869, the State and Local Cyber Protection
Act of 2015.
Let me first of all thank the gentleman from Texas for his leadership
in working on this legislation, to again acknowledge our chairs--Mr.
McCaul and Mr. Thompson--and also to acknowledge Mr. Ratcliffe and Mr.
Richmond for their leadership on this issue.
Mr. Speaker, the threat of the cyber attack is growing, and the
damage caused by those attacks, whether it is the theft of personally
identifiable information or the disruption of operations, is becoming
more costly.
FEMA has identified cybersecurity as an area for national improvement
in its National Preparedness Report every year since it was first
published in 2012. That finding is based, in large part, on State self-
assessments reflecting a lack of confidence in cybersecurity
capabilities. The threat posed by criminal and terrorist hackers
continues to evolve even as State and local governments work to gain a
stronger footing in the cybersecurity mission area.
Let me say that this country continues to grow, continues to increase
its population, and continues to become dependent on the cybersecurity
infrastructure. Helping to engage State and local entities by training
is a crucial, crucial action, if I might applaud the gentleman, but
also say it is a very important mission for both the Homeland Security
Department and the Committee on Homeland Security. The Department of
Homeland Security has resources and capabilities that, when shared with
State and local governments, can help them step up their games.
H.R. 3869, the State and Local Cyber Protection Act of 2015, would
codify ongoing efforts by instructing the National Cybersecurity and
Communications Integration Center, the NCCIC, and the Department of
Homeland Security to coordinate with State and local governments and
to, upon request, provide assistance to secure their information
systems.
Information systems run water entities in our communities. I remember
visiting one that was up on the Web, if you will, that could be altered
by a cyber attack. This legislation would codify DHS' ongoing
coordination effort to give assurances to State and local governments
that DHS stands ready to partner with them to protect their network.
Under this bill, DHS is authorized to assist State and local
governments to deploy technology capable of diagnosing and mitigating
against cyber threats and vulnerabilities.
H.R. 3869 authorizes DHS to provide training to State and local
entities regarding integrating policies to protect privacy and civil
liberties into their cybersecurity efforts.
It is increasingly important that all levels of government be capable
of identifying information system vulnerabilities and of protecting
them from unauthorized access, disclosure, and disruption of data.
I will say to the gentleman from Texas (Mr. Hurd) that we have
always, as a committee, been reminded of privacy and civil liberties
issues while also protecting the American people. To build that
capability, the Federal Government has a role to play in assisting
State and local entities by providing both technical training on
cybersecurity and guidance on potential privacy and civil liberties
implications.
Mr. Speaker, many stakeholders throughout the country have told us
this bill is a vital, much-needed step in advancing national
cybersecurity capabilities.
I urge all of my colleagues to support H.R. 3869.
Mr. Speaker, I support H.R. 3869, the State and Local Cyber
Protection Act.
As a Senior Member of the Homeland Security Committee, and Ranking
Member of the House Judiciary Committee's Subcommittee on Crime,
Terrorism, Homeland Security and Investigations I am well aware of the
terrorism and criminal risks to our nation's critical infrastructure,
civilian and privacy computer networks.
For this reason, I introduced H.R. 85, the Terrorism Prevention and
Critical Infrastructure Protection Act, which directs the Secretary of
Homeland Security to work with critical infrastructure owners and
operators and state, local, and territorial to take proactive steps to
address All Hazards that would impact: national security; economic
stability; public health and safety; and/or any combination of these.
This nation is presented with new challenges in confronting threats
to our national security, and cybersecurity.
Critical infrastructure remains an essential area that must receive
the needed attention to protect it against all threats and all-hazards.
[[Page H9257]]
Post-9/11 established the need to anticipate unexpected threats from
a variety of sources. The nation must plan to be a step ahead of our
enemies in order to effectively detect, deter, and defend against
terrorist attacks in whatever form they may arise, including
cyberattacks to our nation's critical infrastructure.
It is for these reasons that I proposed H.R. 85, the Terrorism
Prevention and Critical Infrastructure Protection Act of 2015. This
bill should it become law would greatly assist in our nation's ability
to protect critical infrastructure from the worse effects of cyber-
attacks.
The nation must be adequately prepared to fight cyber terrorism just
as vigorously as we combat other form of terrorism carried out through
physical violence. We can be prepared to meet and defeat cyber
terrorism threats with legislative efforts like H.R. 85, which would
offer tools to effectively address terrorist attacks against critical
infrastructure.
The Terrorism Prevention and Critical Infrastructure Protection Act
directs the Secretary of Homeland Security (DHS) to:
(1) better engage critical infrastructure owners and operators as
volunteers for the purpose of coordination of communication among
state, local, tribal, and territorial entities for the purpose of
taking proactive steps to manage risk and strengthen the security and
resilience of the nation's critical infrastructure against terrorist
attacks;
(2) establish terrorism prevention policy to engage with
international partners to strengthen the security and resilience of
domestic critical infrastructure and critical infrastructure located
outside of the United States;
(3) make available research findings and guidance to federal civilian
agencies for the identification, prioritization, assessment,
remediation, and security of their internal critical infrastructure to
assist in the prevention, mediation, and recovery from terrorism
events.
The bill sets forth the terrorism protection responsibilities of the
Department of Homeland Security as it relates to the Department's
responsibility to protection and defends civilian agencies and private
sector networks from cyber-attacks.
H.R. 85, Terrorism Prevention and Critical Infrastructure Protection
Act also provides guidance to the Secretary of Homeland Security
regarding actions to be taken to:
(1) facilitate the timely exchange of terrorism threat and
vulnerability information as well as information that allows for the
development of a situational awareness capability for federal civilian
agencies during terrorist incidents;
(2) implement an integration and analysis function for critical
infrastructure that includes operational and strategic analysis on
terrorism incidents, threats, and emerging risks; and
(3) support greater terrorism cyber security information sharing by
civilian federal agencies with the private sector that protects
constitutional privacy and civil liberties rights.
Finally the bill directs the National Research Council to evaluate
how well DHS is meeting the objectives of this Act.
I thank Chairman McCaul and Ranking Member Thompson for their support
and collaboration in working with me to improve the bill for
consideration by the Full Committee and ultimately the House of
Representatives as we work to ensure safety, security, resiliency,
trustworthiness of vital critical infrastructure networks, while at the
same time ensuring that data used for this purpose does not undermine
the privacy and civil liberties of Americans.
Mr. Speaker, I reserve the balance of my time.
Mr. HURD of Texas. Mr. Speaker, I have no further requests for time,
so I reserve the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I yield myself the balance of my time.
In closing, I include for the Record an article dated October 19 from
The Hill newspaper on boosting power grid defenses against ISIS.
[From The Hill, Oct. 19, 2015]
Jackson Lee Pushes To Boost Power-Grid Defenses Against ISIS
(By Katie Bo Williams)
Rep. Sheila Jackson Lee (D-Texas) on Friday called for
action on a bill bolstering power-grid cybersecurity after a
Department of Homeland Security (DHS) official said the
Islamic State in Iraq and Syria (ISIS) is trying to hack
American electrical power companies.
``No solace should be taken in the fact that ISIS has been
unsuccessful,'' Jackson Lee said. ``ISIS need only be
successful once to have catastrophic impact on regional
electricity supply.''
Caitlin Durkovich, assistant secretary for infrastructure
protection at DHS, told energy firm executives at an industry
conference in Philadelphia last week that ISIS ``is beginning
to perpetrate cyberattacks.''
Law enforcement officials speaking at the same event
indicated that the group's efforts have so far been
unsuccessful, thanks in part to a Balkanized power grid and
an unsophisticated approach.
``Strong intent. Thankfully, low capability,'' said John
Riggi, a section chief at the FBI's cyber division. ``But the
concern is that they'll buy that capability.''
Jackson Lee, a senior member of the House Homeland Security
Committee and ranking member on the Judiciary Committee's
Subcommittee on Crime, Terrorism, Homeland Security, and
Investigations, in January introduced the Terrorism
Prevention and Critical Infrastructure Protection Act.
The bill directs DHS to work with critical infrastructure
companies to boost their cyber defenses against terrorist
attacks, part of a swath of legislation that has attempted to
codify the agency's responsibilities in that area.
Late last year, the Senate passed its version of the House-
passed National Cybersecurity and Critical Infrastructure
Protection Act.
The bill officially authorized an already-existing
cybersecurity information-sharing hub at DHS.
Although a deadly attack on power plants or the electric
grid--a ``cyber Pearl Harbor''--is still only a hypothetical,
experts warn critical infrastructure sites are increasingly
at risk, as electric grids get smarter.
National Security Agency Director Michael Rogers told
lawmakers last fall that China and ``one or two'' other
countries would be able to shut down portions of critical
U.S. infrastructure with a cyberattack. Researchers suspect
Iran to be on that list.
In August, DHS announced the creation of a new subcommittee
dedicated to preventing attacks on the power grid.
The new panel is tasked with identifying how well the
department's lifeline sectors are prepared to meet threats
and recover from a significant cyber event.
The committee will also provide recommendations for a more
unified approach to state and local cybersecurity.
``There is a great deal that has been done and is being
done now to secure our networks,'' Homeland Security
Secretary Jeh Johnson told the House Judiciary Committee in
July. ``There is more to do.''
Ms. JACKSON LEE. Mr. Speaker, State and local governments have been
struggling to keep pace with the evolving threats posed by cyber
breaches. They just cannot do it alone. We have the resources. This
Department was crafted and designed to be able to reach out beyond
these parameters to ensure that local governments and State governments
felt that they were secure.
I believe that the enactment of H.R. 3869 would send a clear message
about our commitment to helping State and local governments address the
perennial cybersecurity challenges that permeate their providing
services for their constituents, which have been identified every year,
according to the National Preparedness Report.
In having formerly chaired this infrastructure committee, I know that
the need still remains great and that we have an opportunity to keep
building and improving on that resource.
Again, I urge my colleagues to vote ``yes'' on H.R. 3869.
Mr. Speaker, I yield back the balance of my time.
Mr. HURD of Texas. Mr. Speaker, I yield myself such time as I may
consume.
I concur with the gentlewoman. Once again, I urge my colleagues to
support H.R. 3869.
I yield back the balance of my time.
The SPEAKER pro tempore (Mr. Thompson of Pennsylvania). The question
is on the motion offered by the gentleman from Texas (Mr. Hurd) that
the House suspend the rules and pass the bill, H.R. 3869, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
The title of the bill was amended so as to read: ``A bill to amend
the Homeland Security Act of 2002 to assist State and local
coordination on cybersecurity with the national cybersecurity and
communications integration center, and for other purposes.''.
A motion to reconsider was laid on the table.
____________________