‘Slimmed Down’ PrECISE Act Passes House Homeland Security Committee

"What we have here is good but it is not nearly as good as what we put out in the subcommittee,” Lungren said. But promoting the original bill would be like throwing a “Hail Mary” pass, he said. “I want to get something done."

Lungren’s manager’s amendment removed language that would authorize the Department of Homeland Security (DHS) to develop and regulate risk-based performance standards for the nation’s core critical infrastructure. The provision was strongly opposed by private sector groups who objected to the perceived costs and uncertainty of placing DHS regulation into their security efforts. Lungren promised to develop a subsequent cybersecurity bill that implements basic cybersecurity standards for the owners and operators of critical infrastructure.

Full Committee Chairman Peter King, R-N.Y., told us he had considered shelving the bill but went forward with the markup in order to “keep DHS in the picture. Without this bill there would be no legislation from the Homeland Security Committee. It was either that or nothing, so the idea was to push it as hard as we can.” King endorsed the manager’s amendment in his opening remarks and said “additional time is needed” to address the issue of private sector cybersecurity standards. “We cannot have a regulated or burdensome process that slows down the ability of the private sector to respond to threats or share information,” he said.

Ranking Member Bennie Thompson, D-Miss., said he was “disappointed” that the manager’s amendment failed to leave intact some key provisions of the bill and “does little to address known risks to critical infrastructure.” “Unfortunately this substitute -- which was devised behind closed doors with House Republican leadership -- bears little resemblance to the measure that the Cybersecurity Subcommittee approved in February,” Thompson said.

Thompson said he was “troubled” that the manager’s amendment strikes language in the original bill “to firmly solidify” DHS as the lead agency for securing federal civilian networks and “opens the door to duplication of efforts in the extreme.” Thompson said: “A situation where many agencies are involved in an issue but no one is ultimately responsible harkens back to a pre-9/11 scenario.”

Lungren begrudgingly opposed more than a dozen amendments said to be aimed at strengthening U.S. cybersecurity, including a Thompson amendment that would have restored the language of the original bill. “I would rather our committee have some real influence on this than be king for a day,” Lungren said. Thompson replied: “It must be very difficult for the majority to vote against your own decision and a decision you know is right. It does not make this country any safer.” Lungren was saved from voting against the amendment to restore the text of his original bill due to the fact that the amendment was not filed 24 hours prior to the commencement of the markup, in violation of House rules.

The committee voted down another Thompson amendment that would have imposed regulations of core critical infrastructure systems based on risk-based performance standards. Though Lungren opposed the amendment, he said such cybersecurity standards are necessary and offered to implement such standards in a separate piece of legislation.

It is “abundantly clear” that a core infrastructure regulatory regime would weigh down the bill “in such a way that no legislation would see the floor at this time,” Lungren said. “I can’t support it, as much as I would like to support it.” Lungren added that he has “a commitment” from House leadership that they will “resurrect” similar critical infrastructure provisions in a subsequent bill.

The manager’s amendment borrowed language from HR-3523, the Cyber Intelligence Sharing and Protection Act (CISPA), that allows the government to use cyberthreat information for “any lawful use as long as it is not regulatory and is associated with a cybersecurity purpose or a national security purpose.” The provision was worrisome to civil liberties groups like the Center for Democracy and Technology, who says the language is still evolving and previously urged a “no” vote on the amendment.

The manager’s amendment also removed an earlier proposal for a new a nonprofit organization that would aim to increase private and public sector communication called the National Information Security Organization (NISO). Instead the bill would authorize the existing National Cybersecurity and Communications Integration Center to facilitate information sharing between the private sector and the federal government. Cybersecurity Subcommittee Ranking Member Yvette Clarke, D-N.Y., previously said she had “fundamental doubts” about whether the NISO is “likely to deliver the desired results,” during the subcommittee markup in February (CD Feb 2 p8).

The committee agreed to a pair of amendments offered by Rep. Michael McCaul, R-Texas, to secure federal systems for cybersecurity purposes and to establish a “Cybersecurity Domestic Preparedness Consortium” to train state and local first responders to prepare and respond to cybersecurity threats. Also agreed to was an amendment offered by Rep. Janice Hahn, D-Calif., to require privacy impact reviews, and another amendment offered by King to strengthen the consistency between the bill and the National Security Act of 1947.