On July 28, 2014, the U.S. House of Representatives (“House”) passed three cybersecurity bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696) (“NCCIP Act”), the Critical Infrastructure Research and Development Advancement Act (H.R. 2952) (“CIRDA Act”), and the Homeland Security Cybersecurity Boots-on-the-Ground Act (H.R. 3107) (“Boots-on-the-Ground Act”) with broad bipartisan support.

The NCCIP Act was introduced in December 2013 and is the most significant of the three measures.  As we noted at the time, the bill focuses primarily on strengthening the authorities of the Department of Homeland Security (“DHS”).  Under the provisions of the bill as passed by the House, the Secretary of DHS would have broad responsibilities for the protection of critical infrastructure (“CI”) from cyber threats.  Specifically, the Secretary would be charged with facilitating “a national effort to strengthen and maintain secure, functioning and resilient critical infrastructure” by seeking “industry-specific expertise” to “identify and disrupt threats” and providing “education and assistance” to CI owners and operators who request them.

The bill also promotes several avenues for public-private collaboration to protect CI, organized by sector.  To effectuate this collaboration, the Secretary of DHS would be directed to designate different sectors of critical infrastructure, such as communications, financial services, information technology, and transportation systems.  DHS would then interact with private sector entities on a sector-specific basis through designated federal agencies and “coordinating councils.”  The sector-specific coordinating councils would be designed to “reflect the unique composition of each sector” and would include critical infrastructure owners, operators, private sector entities and trade associations.  Government entities with any “regulating authority” would be prohibited from being members of the coordinating councils.  The bill would also direct DHS, in collaboration with the relevant coordinating council, to recognize at least one Information Sharing and Analysis Center (“ISAC”) for each CI sector, to help promote information sharing along with each coordinating council.  The bill would codify the National Cybersecurity and Communications Integration Center (“NCCIC”) within DHS to promote “ongoing multi-directional sharing” of cyber threat information among federal government entities and between such entities and the private sector, including through ISACs, the coordinating councils, the U.S. Computer Emergency Readiness Team, and other stakeholders.

The NCCIP Act bill would also codify the establishment of Cyber Incident Response Teams within DHS, which would be available to provide crisis management support to critical infrastructure owners and operators on request.  In addition, the NCCIP Act also amends and expands the SAFETY Act, 6 U.S.C. §§ 441-444, which currently affords some liability protections to companies who provide qualified anti-terrorism technologies following a traditional terrorist attack.  Under the bill, these liability protections would expanded to include qualified cybersecurity technologies in the event of a range of cyberattacks (to be further defined by the Secretary of DHS), even if wholly unconnected to terrorism.

The second bill passed by the House, the CIRDA Act, would further enhance DHS’s authority to protect CI by mandating that DHS develop and update a plan for research and development of cybersecurity technologies for the protection of critical infrastructure.  The plan would be developed with stakeholders, including sector-specific coordinating councils, and focus, among other things, on identifying risks and technology gaps and prioritizing security technology needs to address such risks and gaps.  The bill also would require DHS to report to Congress on, among other things, those aspects of critical infrastructure protection that are predominately operated by the private sector and that would most benefit from rapid security technology advancement.  The bill would also expand DHS’s Technology Clearinghouse, established pursuant to 6 U.S.C. § 193, to promote “rapidly sharing proven technology solutions for protecting critical infrastructure.”

Finally, the third bill passed by the House, the Cybersecurity-Boots-on-the-Ground Act, is focused largely on improving the DHS cyber work force.  It directs the Security of DHS to “assess the readiness and capacity” of the DHS workforce “to meet its cybersecurity mission.”  To this end, the bill requires the Secretary to establish uniform cybersecurity occupation classifications, assess the cybersecurity workforce, and develop a strategy to develop and recruit cybersecurity employees.

The three bills now proceed to the U.S. Senate for further consideration.

This post can also be found on InsidePrivacy, the firm’s blog on developments in global privacy and data security.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Fagan David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and…

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)

In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.