On July 28, 2014, the House of Representatives passed three bills aimed at enhancing the cybersecurity efforts of the Department of Homeland Security (DHS) in certain critical infrastructure sectors, including the energy sector: 1
- H.R. 3696 – the National Cybersecurity and Critical Infrastructure Protection Act (NCCIPA), the primary bill of the three, which passed by voice vote;
- H.R. 2952 – the Critical Infrastructure Research and Development Act (CIRDA), a bill promoting cybersecurity research and development, which passed by voice vote and
- H.R. 3107 – the Homeland Security Cybersecurity Boots-on-the-Ground Act, a bill seeking to bolster the cybersecurity workforce, which passed by a 395-8 vote.
NCCIPA directs the Secretary of Homeland Security to coordinate with federal, state and local government entities and, most notably, private entities and critical infrastructure owners and operators to perform numerous cybersecurity improvement tasks. Those tasks include facilitating information sharing, developing resiliency strategies and providing cyber incident response. The bill, introduced by House Homeland Security Committee Chairman Michael McCaul (R-TX), Ranking Member Bennie G. Thompson (D-MS), Subcommittee Chairman Patrick Meehan (R-PA) and Subcommittee Ranking Member Yvette Clarke (D-NY), also recognizes the National Cybersecurity and Communications Integration Center, a subdivision of DHS established in 2009, as the interface for sharing real-time cyber threat information.
CIRDA aims to enhance cybersecurity research and development, requiring the Secretary to submit to Congress (1) “a strategic plan to guide the overall direction of federal physical security and cybersecurity technology research and development efforts for protecting critical infrastructure” and (2) “a report on the Department’s utilization of public-private research and development consortiums for accelerating technology development for critical infrastructure protection,” both of which must be updated every two years.
Finally, the Boots-on-the-Ground Act requires the Secretary of Homeland Security to classify and evaluate the individuals performing cybersecurity-related duties, identify weaknesses in the workforce, and develop a workforce strategy including a recruitment plan, 5-year implementation plan, and 10-year projection of needs.
Chairman McCaul noted that one of the primary purposes of the collective legislation was to address the “pre-9/11 mindset when it comes to cybersecurity.”2 Specifically, Chairman McCaul noted that an attack on the nation’s “oil and gas pipelines [or] power grids . . . could cause crippling economic damage and could even cost lives.” Furthermore, DHS has acknowledged both that “[t]he reliance of virtually all industries on electric power and fuels means that all sectors have some dependence on the Energy Sector,” and that “[m]ore than 80 percent of the country’s energy infrastructure is owned by the private sector.”3 Thus, it is significant that these House bills (1) recognize Energy as a “critical infrastructure sector” and (2) aim to utilize public-private sector cooperation to improve the nation’s cybersecurity.
Also, the proponents of the bills contend that they strike the right balance between security and privacy concerns. While any bill that requires information sharing, especially among government and private sector entities, will likely raise privacy concerns, Rep. Meehan was quick to note that these bills have received support from the American Civil Liberties Union (ACLU) as both “pro-privacy and pro-security.”4 The ACLU has previously supported the idea that from a transparency perspective, among the various federal agencies, DHS is best suited to handle cybersecurity issues.5