[Congressional Record (Bound Edition), Volume 161 (2015), Part 4]
[House]
[Pages 5446-5450]
[From the U.S. Government Publishing Office, www.gpo.gov]




                              {time}  0915
       NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015


                             General Leave

  Mr. McCAUL. Mr. Speaker, I ask unanimous consent that all Members may 
have 5 legislative days within which to revise and extend their remarks 
and include extraneous materials on the bill, H.R. 1731.

[[Page 5447]]

  The SPEAKER pro tempore (Mr. Ratcliffe). Is there objection to the 
request of the gentleman from Texas?
  There was no objection.
  The SPEAKER pro tempore. Pursuant to House Resolution 212 and rule 
XVIII, the Chair declares the House in the Committee of the Whole House 
on the state of the Union for the consideration of the bill, H.R. 1731.
  The Chair appoints the gentleman from Georgia (Mr. Woodall) to 
preside over the Committee of the Whole.

                              {time}  0916


                     In the Committee of the Whole

  Accordingly, the House resolved itself into the Committee of the 
Whole House on the state of the Union for the consideration of the bill 
(H.R. 1731) to amend the Homeland Security Act of 2002 to enhance 
multi-directional sharing of information related to cybersecurity risks 
and strengthen privacy and civil liberties protections, and for other 
purposes, with Mr. Woodall in the chair.
  The Clerk read the title of the bill.
  The CHAIR. Pursuant to the rule, the bill is considered read the 
first time.
  The gentleman from Texas (Mr. McCaul) and the gentleman from 
Mississippi (Mr. Thompson) each will control 30 minutes.
  The Chair recognizes the gentleman from Texas.
  Mr. McCAUL. Mr. Chairman, I yield myself such time as I may consume.
  I am pleased to bring to the floor H.R. 1731, the National 
Cybersecurity Protection Advancement Act, a proprivacy, prosecurity 
bill that we desperately need to safeguard our digital networks.
  I would like to commend the subcommittee chairman, Mr. Ratcliffe, for 
his work on this bill as well as our minority counterparts, including 
Ranking Member Thompson and subcommittee Ranking Member Richmond for 
their joint work on this bill. This has been a noteworthy, bipartisan 
effort. I would also like to thank House Permanent Select Committee on 
Intelligence Chairman Devin Nunes and Ranking Member Adam Schiff for 
their input and collaboration. Lastly, I would like to thank Committee 
on the Judiciary Chairman Goodlatte and Ranking Member Conyers for 
their contribution.
  Make no mistake, we are in the middle of a silent crisis. At this 
very moment, our Nation's businesses are being robbed, and sensitive 
government information is being stolen. We are under siege by a 
faceless enemy whose tracks are covered in cyberspace.
  Sophisticated breaches at companies like Anthem, Target, Neiman 
Marcus, Home Depot, and JPMorgan have compromised the personal 
information of millions of private citizens. Nation-states like Iran 
and North Korea have launched digital bombs to get revenge at U.S.-
based companies, while others like China are stealing intellectual 
property. We recently witnessed brazen cyber assaults against the White 
House and the State Department, which put sensitive government 
information at risk.
  In the meantime, our adversaries have been developing the tools to 
shut down everything from power grids to water systems so they can 
cripple our economy and weaken our ability to defend the United States.
  This bill will allow us to turn the tide against our enemies and ramp 
up our defenses by allowing for greater cyber threat information 
sharing. This bill will strengthen the Department of Homeland 
Security's National Cybersecurity and Communications Integration 
Center, or NCCIC. The NCCIC is a primary civilian interface for 
exchanging cyber threat information, and for good reason. It is not a 
cyber regulator. It is not looking to prosecute anyone, and it is not 
military or a spy agency. Its sole purpose, Mr. Chairman, is to prevent 
and respond to cyber attacks against our public and private networks 
while aggressively protecting Americans' privacy.
  Right now we are in a pre-9/11 moment in cyberspace. In the same way 
legal barriers and turf wars kept us from connecting the dots before 9/
11, the lack of cyber threat information sharing makes us vulnerable to 
an attack. Companies are afraid to share because they do not feel they 
have the adequate legal protection to do so.
  H.R. 1731 removes those legal barriers and creates a safe harbor, 
which will encourage companies to voluntarily exchange information 
about attacks against their networks. This will allow both the 
government and private sector to spot digital attacks earlier and keep 
malicious actors outside of our networks and away from information that 
Americans expect to be defended.
  This bill also puts privacy and civil liberties first. It requires 
that personal information of our citizens be protected before it 
changes hands--whether it is provided to the government or exchanged 
between companies--so private citizens do not have their sensitive data 
exposed.
  Significantly, both industry and privacy groups have announced their 
support for this legislation because they recognize that we need to 
work together urgently to combat the cyber threat to this country.
  Today, we have a dangerously incomplete picture of the online war 
being waged against us, and it is costing Americans their time, money, 
and jobs. It is time for us to safeguard our digital frontier. This 
legislation is a necessary and vital step to do exactly that.
  Mr. Chairman, before I reserve the balance of my time, I would like 
to enter into the Record an exchange of letters between the chairman of 
the Committee on the Judiciary, Mr. Goodlatte, and myself, recognizing 
the jurisdictional interest of the Committee on the Judiciary in H.R. 
1731.

                                    U.S. House of Representatives,


                                   Committee on the Judiciary,

                                   Washington, DC, April 21, 2015.
     Hon. Michael McCaul,
     Chairman, Committee on Homeland Security,
     Washington, DC.
       Dear Chairman McCaul: I am writing with respect to H.R. 
     1731, the ``National Cybersecurity Protection Advancement Act 
     of 2015.'' As a result of your having consulted with us on 
     provisions in H.R. 1731 that fall within the Rule X 
     jurisdiction of the Committee on the Judiciary, I agree to 
     waive consideration of this bill so that it may proceed 
     expeditiously to the House floor for consideration.
       The Judiciary Committee takes this action with our mutual 
     understanding that by foregoing consideration of H.R. 1731 at 
     this time, we do not waive any jurisdiction over the subject 
     matter contained in this or similar legislation, and that our 
     Committee will be appropriately consulted and involved as the 
     bill or similar legislation moves forward so that we may 
     address any remaining issues in our jurisdiction. Our 
     Committee also reserves the right to seek appointment of an 
     appropriate number of conferees to any House-Senate 
     conference involving this or similar legislation, and asks 
     that you support any such request.
       I would appreciate a response to this letter confirming 
     this understanding, and would ask that a copy of our exchange 
     of letters on this matter be included in the Congressional 
     Record during Floor consideration of H.R. 1731.
           Sincerely,
                                                    Bob Goodlatte,
     Chairman.
                                  ____

                                    U.S. House of Representatives,


                               Committee on Homeland Security,

                                   Washington, DC, April 21, 2015.
     Hon. Bob Goodlatte, 
     Chairman, Committee on Judiciary,
     Washington, DC.
       Dear Chairman Goodlatte: Thank you for your letter 
     regarding H.R. 1731, the ``National Cybersecurity Protection 
     Advancement Act of 2015.'' I appreciate your support in 
     bringing this legislation before the House of 
     Representatives, and accordingly, understand that the 
     Committee on Judiciary will not seek a sequential referral on 
     the bill.
       The Committee on Homeland Security concurs with the mutual 
     understanding that by foregoing a sequential referral of this 
     bill at this time, the Judiciary does not waive any 
     jurisdiction over the subject matter contained in this bill 
     or similar legislation in the future. In addition, should a 
     conference on this bill be necessary, I would support your 
     request to have the Committee on Judiciary represented on the 
     conference committee.
       I will insert copies of this exchange in the Congressional 
     Record during consideration of this bill on the House floor. 
     I thank you for your cooperation in this matter.
           Sincerely,
                                                Michael T. McCaul,
                         Chairman, Committee on Homeland Security.

  Mr. McCAUL. With that, I urge my colleagues to support this important 
legislation.
  I reserve the balance of my time.
  Mr. THOMPSON of Mississippi. Mr. Chairman, I yield myself such time 
as I may consume.

[[Page 5448]]

  I rise in support of H.R. 1731, the National Cybersecurity Protection 
Advancement Act of 2015.
  Mr. Chairman, every day U.S. networks face hundreds of millions of 
cyber hacking attempts and attacks. Many of these attacks target large 
corporations and negatively impact consumers. They are launched by 
common hackers as well as nation-states. As the Sony attack last year 
demonstrated, they have a great potential for harm and put our economy 
and homeland security at risk.
  Last week, it was reported that attacks against SCADA industrial 
control systems rose 100 percent between 2013 and 2014. Given that 
SCADA systems are essential to running our power plants, factories, and 
refineries, this is a very troubling trend.
  Just yesterday, we learned about an advanced persistent threat that 
has targeted high-profile individuals at the White House and State 
Department since last year. According to an industry expert, this cyber 
threat--nicknamed CozyDuke--includes malware, information-stealing 
programs, and antivirus back doors that bear the hallmarks of Russian 
cyber espionage tools.
  Mr. Chairman, cyber terrorists and cyber criminals are constantly 
innovating. Their success is dependent on their victims not being 
vigilant and protecting their systems. Cyber terrorists and cyber 
criminals exploit bad practices, like opening attachments and clicking 
links from unknown senders. That is why I am pleased that H.R. 1731 
includes a provision authored by Representative Watson Coleman to 
authorize a national cyber public awareness campaign to promote greater 
cyber hygiene.
  Another key element of cybersecurity is, of course, information 
sharing about cyber threats. We have seen that when companies come 
forward and share their knowledge about imminent cyber threats, timely 
actions can be taken to prevent damage to vital IT networks. Thus, 
cybersecurity is one of those places where the old adage ``knowledge is 
power'' applies.
  That is why I am pleased H.R. 1731 authorizes private companies to 
voluntarily share timely cyber threat information and malware with DHS 
or other impacted companies. Under H.R. 1731, companies may voluntarily 
choose to share threat information to prevent future attacks to other 
systems.
  I am also pleased that the bill authorizes companies to monitor their 
own IT networks to identify penetrations and take steps to protect 
their networks from cyber threats. H.R. 1731 builds on bipartisan 
legislation enacted last year that authorized the Department of 
Homeland Security's National Cybersecurity and Communications 
Integration Center, commonly referred to as NCCIC.
  H.R. 1731 was unanimously approved by the committee last week and 
represents months of outreach to a diverse array of stakeholders from 
the private sector and the privacy community. Importantly, H.R. 1731 
requires participating companies to make reasonable efforts prior to 
sharing to scrub the data to remove information that could identify a 
person when that person is not believed to be related to the threat.
  H.R. 1731 also directs DHS to scrub the data it receives and add an 
additional layer of privacy protection. Additionally, it requires the 
NCCIC to have strong procedures for protecting privacy, and calls for 
robust oversight by the Department's chief privacy officer, its chief 
civil rights and civil liberties officer, and inspector general, and 
the Privacy and Civil Liberties Oversight Board.
  I am a cosponsor of H.R. 1731, but as the White House observed 
earlier this week, improvements are needed to ensure that its liability 
protections are appropriately targeted. In its current form, it would 
potentially protect companies that are negligent in how they carry out 
authorized activities under the act.
  Mr. Chairman, before reserving the balance of my time, I wish to 
engage in a colloquy with the gentleman from Texas (Mr. McCaul) 
regarding the liability protection provisions of H.R. 1731.
  At the outset, I would like to express my appreciation for the 
gentleman's willingness to work with me and the other Democrats on the 
committee to develop this bipartisan legislation. We have a shared goal 
of bolstering cybersecurity and improving the quality of information 
that the private sector receives about timely cyber threats so that 
they can act to protect their networks and the valuable data stored on 
them.
  Therefore, it is concerning that the liability protection provision 
appears to undermine this shared goal insofar as it includes language 
that on its face incentivizes companies to do nothing about actionable 
cyber information. Specifically, I am speaking of the language on page 
36, line 18, that extends liability protections to a company that fails 
to act on timely threat information provided by DHS or another impacted 
company.
  I would ask the gentleman from Texas to work with me to clarify the 
language as it moves through the legislative process to underscore that 
it is not Congress' intent to promote inaction by companies who have 
timely threat information.
  Mr. McCAUL. Will the gentleman yield?
  Mr. THOMPSON of Mississippi. I yield to the gentleman from Texas.
  Mr. McCAUL. Mr. Chair, I thank the gentleman from Mississippi for his 
question and would say that I do not completely share your view of that 
clause. I assure you that incentivizing companies to do nothing with 
timely threat information is certainly not the intent of this 
provision, as the author of this bill.
  On the contrary, I believe it is important that we provide companies 
with legal safe harbors to encourage sharing of cyber threat 
information and also believe that every company that participates in 
this information-sharing process, especially small- and medium-sized 
businesses, cannot be required to act upon every piece of cyber threat 
information they receive.
  As such, I support looking for ways to clarify that point with you, 
Mr. Thompson. I commit to working with you as this bill moves forward 
to look for ways to refine the language to ensure that it is consistent 
with our shared policy goal of getting timely information into the 
hands of businesses so that they can protect their networks and their 
data.

                              {time}  0930

  Mr. THOMPSON of Mississippi. Mr. Chairman, I reserve the balance of 
my time.
  Mr. McCAUL. Mr. Chairman, I now yield 5 minutes to the gentleman from 
Texas (Mr. Ratcliffe), the chairman of the Subcommittee on 
Cybersecurity, my close ally and colleague on this legislation.
  Mr. RATCLIFFE. I thank the gentleman for yielding.
  Mr. Chairman, I am grateful for the opportunity to work with Chairman 
McCaul in crafting the National Cybersecurity Protection Advancement 
Act. I would also like to thank Ranking Members Richmond and Thompson 
for their hard work on this issue; and a special thank you to the 
Homeland Security staff, who worked incredibly hard to bring this 
important bill to the floor today.
  Mr. Chairman, for years now, the private sector has been on the front 
lines in trying to guard against potentially devastating cyber attacks.
  Just 2 months ago, one of the Nation's largest health insurance 
providers, Anthem, suffered a devastating cyber attack that compromised 
the personal information and health records of more than 80 million 
Americans.
  The consequences of that breach hit home for many of those Americans 
just a week ago, on tax day, when thousands of them tried to file their 
tax returns, only to see them be rejected because cyber criminals had 
used their information to file false tax returns.
  Mr. Chairman, attacks like these serve as a wake-up call to all 
Americans and provide clear evidence that our cyber adversaries have 
the upper hand. The consequences will get even worse if we fail to 
tackle this issue head on because even greater and more

[[Page 5449]]

frightening threats exist, ones that extend to the critical 
infrastructure that support our very way of life.
  I am talking about cyber attacks against the networks which control 
our bridges, our dams, our power grids, rails, and even our water 
supply. Attacks on this critical infrastructure have the potential to 
produce sustained blackouts, halt air traffic, shut off fuel supplies, 
or, even worse, contaminate the air, food, and water that we need to 
survive.
  These scenarios paint a picture of economic crisis and physical chaos 
that are, unfortunately, all too real and all too possible right now.
  Mr. Chairman, 85 percent of our Nation's critical infrastructure is 
controlled by the private sector, not by the government, a fact which 
underscores the reality that America's security, when it comes to 
defending against cyber attacks, largely depends on the security of our 
private networks.
  The simple truth is that many in the private sector can't defend 
their networks or our critical infrastructure against these threats.
  H.R. 1731 provides a solution for the rapid sharing of important 
cyber threat information to minimize or, in some cases, prevent the 
cyber attacks from being successful.
  Through the Department of Homeland Security's National Cybersecurity 
Communication and Integration Center, or NCCIC, this bill will 
facilitate the sharing of cyber threat indicators between the private 
sector entities and between the private sector and the Federal 
Government.
  With carefully crafted liability protections, private entities would 
finally be able to share cyber threat indicators with their private 
sector counterparts through the NCCIC without fear of liability.
  The sharing of these cyber threat indicators, or, more specifically, 
the tools, techniques, and tactics used by cyber intruders, will arm 
those who protect our networks with the valuable information they need 
to fortify our defenses against future cyber attacks.
  Because some have said that prior proposals didn't go far enough in 
safeguarding personal privacy, this bill addresses those concerns with 
robust privacy measures that ensure the protection of Americans' 
personal information and private data.
  H.R. 1731 will provide protection only for sharing that is done 
voluntarily with the Department of Homeland Security's NCCIC, which is 
a civilian entity. It does not provide for or allow sharing with the 
NSA or the Department of Defense. In fact, this bill expressly 
prohibits information from being used for surveillance purposes.
  This bill also limits the type of information that can be shared, and 
it requires the removal of all personally identifiable information, 
which is scrubbed out before the cyber threat indicators can be shared.
  In short, this bill improves and increases protection for the 
personal privacy of Americans, which currently remains so vulnerable to 
malicious attacks from our cyber adversaries.
  Mr. Chairman, the status quo isn't working when it comes to defending 
against cyber threats. The need to better secure Americans' personal 
information and better protect and safeguard our critical 
infrastructure is precisely what compels congressional action right 
now.
  I strongly endorse the passage of this vital legislation, and I urge 
my colleagues on both sides of the aisle to support it as well. I thank 
the gentleman from Texas for his leadership.
  Mr. THOMPSON of Mississippi. Mr. Chairman, I yield 3 minutes to the 
gentleman from Rhode Island (Mr. Langevin).
  Mr. LANGEVIN. I thank the gentleman for yielding.
  Mr. Chairman, I am very pleased to be back on the floor today to 
support the House's second major piece of cybersecurity legislation in 
less than 24 hours.
  As I said yesterday afternoon, it has been a long time coming, for 
sure. Cybersecurity has been a passion of mine for nearly a decade, and 
I am absolutely thrilled that, after years of hard work, the House, the 
Senate, and the President finally are beginning to see eye-to-eye.
  The National Cybersecurity Protection Advancement Act has at its core 
three basic authorizations. First, it authorizes private entities and 
the DHS's NCCIC to share, for cybersecurity purposes only, cyber threat 
indicators that have been stripped of personal information and details. 
Second, it allows businesses to monitor their networks in search of 
cybersecurity risks. And third, it authorizes companies to deploy 
limited defensive measures to protect their systems from malicious 
actors.
  Those three authorizations perfectly describe the information-sharing 
regime we so desperately need. Under the act, companies would collect 
information on threats, share it with their peers and with a civilian 
portal, and then use the indicators they have received to defend 
themselves.
  Data are scrubbed of personal identifiable information before they 
are shared and after they are received by the NCCIC. Companies are 
offered limited liability protections for sharing information they 
gather in accordance with this bill.
  This legislation also provides for the deployment of rapid automated 
sharing protocols--something DHS has been hard at work on with the 
STIX/TAXII program--and it expands last year's NCCIC authorization.
  Mr. Chairman, I do believe that the liability protections contained 
in this bill may prove overly broad, and I certainly hope that we can 
address that point as the legislative process continues, particularly, 
hopefully, when we get to a conference committee on this issue.
  Overall, though, it is a fine piece of legislation, and I 
wholeheartedly congratulate Chairman McCaul, Ranking Member Thompson, 
Subcommittee Chairman Ratcliffe, and Ranking Member Richmond, as well 
as the other members of the committee and especially committee staff, 
for a job well done.
  Information-sharing legislation, Mr. Chairman, is not a silver bullet 
by any means, but it will substantially improve our Nation's cyber 
defenses and get us to a place where our Nation is much more secure in 
cyberspace than where we are today.
  Protecting critical infrastructure, of course, is among our chief 
concerns. That will allow for the type of information sharing that will 
get us to a much more secure place.
  So, Mr. Chairman, I urge my colleagues to support this bill, and I 
hope that the Senate will quickly follow suit.
  Mr. McCAUL. Mr. Chairman, I yield such time as she may consume to the 
gentlewoman from Michigan (Mrs. Miller), the vice chairman of the 
Homeland Security Committee.
  Mrs. MILLER of Michigan. Mr. Chairman, first of all, I want to thank 
the distinguished chairman for yielding the time.
  I think you can see by the comments that have been made thus far that 
we have a very bipartisan bill and a bipartisan approach. That is, 
through our committee, in no short measure because of the leadership 
that Chairman McCaul and, quite frankly, our ranking member have 
exhibited with the vision that they have had, these two gentlemen 
working together, and both the chair and the ranking member on our 
Subcommittee on Cybersecurity, Mr. Ratcliffe and Mr. Richmond as well.
  This really has been a tremendous effort, and so important for our 
country. This particular issue, obviously, is certainly a bipartisan 
issue.
  I say that, Mr. Chairman, because our Constitution makes the first 
and foremost responsibility of the Federal Government to provide for 
the common defense. That is actually in the preamble of our 
Constitution.
  In our modern world, those who are seeking harm to our Nation, to our 
citizens, to our companies, can use many different means, including 
attacks over the Internet to attack our Nation.
  Recent cyber attacks on U.S. companies like Sony, Target, and Home 
Depot not only harm these companies, Mr. Chairman, but they harm the

[[Page 5450]]

American citizens who do business with them, putting their most 
personal private information at risk.
  These threats, as are well known, are coming from nation-states like 
North Korea, Russia, Iran, China, as well as cyber criminals seeking to 
steal not only personal information but also intellectual property and 
sensitive government information.
  In today's digital world, we have a duty to defend ourselves against 
cyber espionage, and the best way to combat these threats is to first 
recognize the threat and combine private and government resources and 
intelligence. Mr. Chairman, that is exactly what this bill does.
  Mr. Chairman, I think this bill will help to facilitate greater 
cooperation and efforts to protect our Nation's digital infrastructure, 
including power grids and other utilities and other services that 
everyday Americans rely on each and every day.
  By removing barriers, which will allow private companies to 
voluntarily share their cybersecurity threat information with the 
Department of Homeland Security and/or other companies, I think we will 
in a very large way improve earlier detection and mitigation of 
potential threats.
  Additionally, this legislation that we are debating on the floor 
today ensures that personal identification information is removed prior 
to sharing information related to cyber threats and that very strong 
safeguards are in place to protect personal privacy and civil 
liberties.
  Mr. Chairman, I point that out because that was something that was 
discussed a lot by practically every member of the Homeland Security 
Committee. We were all very, very united on that issue. And I think 
that is an important critical component, a point to make, and it is 
reflected in this legislation.
  As Mr. Ratcliffe mentioned just earlier, 85 percent of America's 
critical infrastructure is owned and operated by the private sector--
think about that, 85 percent--which means that cyber threats pose as 
much of an economic threat to the United States as they do to our 
security, and we have a constitutional responsibility, as I pointed out 
in the beginning, to protect ourselves, to protect our Nation, to 
protect our American citizens from this ever-evolving threat.
  So, Mr. Chairman, I would urge that all of my colleagues join me, 
join all of us on our committee, in voting in favor of this important 
legislation that will provide an additional line, and a very important 
line, of defense against cyber attacks.
  The CHAIR. The Committee will rise informally.
  The Speaker pro tempore (Mr. Loudermilk) assumed the chair.

                          ____________________