King & Spalding — Earlier this month, House Majority Leader Kevin McCarthy (R-CA) released an April agenda in which he designated the upcoming week for passing legislation to secure cyber networks and prevent data breaches. Making good on that promise, the House will vote Wednesday and Thursday on two bills to promote cybersecurity information sharing, while providing liability protection.
The Protecting Cyber Networks Act (H.R. 1560), which would encourage businesses and the federal government to share information on known cyber threats on a voluntary basis, is up first. The bill was introduced last month by House Intelligence Committee member Devin Nunes (R-CA) and the Intelligence Committee reported the bill on April 13.
The National Cybersecurity Protection Advancement Act (H.R. 1731) is on the agenda for Thursday. The bill would provide liability protections to companies that voluntarily share cyberattack information and would strengthen the National Cybersecurity and Communications Integration Center’s (NCCIC) role as the lead civilian interface for the sharing of cybersecurity risks. House Homeland Security Committee Chairman Mike McCaul (R-TX) and Committee member John Ratcliffe (R-TX) introduced the bill, and the Committee approved it by unanimous voice vote on Tuesday, April 14.
Both pieces of legislation are expected to be considered under structured rules that limit the number of amendments that can be offered. Majority Leader McCarthy said that the bills would be voted on separately, but then combined, before heading to the Senate. Minority Whip Steny Hoyer (D-MD) referred to the bills as “relatively noncontroversial” and, in a press conference last week, Whip Hoyer said that he expected the legislation to pass “in a strong bipartisan fashion.”
Another bill that may see floor action soon is the Data Security and Breach Notification Act (H.R. 1770). On April 15, the House Energy and Commerce Committee approved the bill, which would establish a nationwide safety regime for breach notification and data protection. The bill passed 29-20 on a party-line vote and, although it was initially expected to be included on the agenda this week, House leaders from both parties have acknowledged that more work needs to be done before it can be brought to the floor for a vote.
House Energy and Commerce Committee Chairman Fred Upton (R-MI) recently noted that, “Over 40 bills have been introduced in Congress since the first major data breach in 2005 and we haven’t yet reached the finish line.” After this week, the finish line may be within view.
Reporter, Lauren M. Donoghue, Washington, DC, +1 202 626 8999.
The GAO Issued A Report Recommending Improvements For Aircraft Cybersecurity — On April 14, the Government Accountability Office (“GAO”) issued a report highlighting cybersecurity challenges as the Federal Aviation Administration (“FAA”) transitions to the Next Generation Air Transportation System (“NextGen”) and making recommendations to protect air travel from cyber threats. NextGen is a modernization effort to transform the current ground-based air traffic control system into a system that uses satellite-based surveillance and navigation. Given that NextGen uses IP-networking technologies, as well as digital and Internet-based computer networking technologies, air traffic control and aircraft avionics used to operate the aircraft are more susceptible to cybersecurity risks.
The GAO recommends that the FAA design and implement more effective cybersecurity controls. The new information systems for NextGen are designed to interoperate with other systems, creating greater ease of access for pernicious actors and the ability for damage to spread to other systems. While the FAA has been developing “common controls” to operate on an enterprise-level across subsystems, the GAO recommends that the FAA develop threat modeling, a cybersecurity best practice, and continuous monitoring efforts to ensure that it is funneling resources to the parts of the systems most likely to be compromised.
The GAO also recommends that the FAA better protect aircraft avionics, used to guide and operate the aircraft, to prevent hackers from gaining access to IP networking systems and compromising the avionics.
For example, passengers in the cabin increasingly can access the Internet through wireless broadband systems, but the firewalls that protect avionics systems in the cockpit from intrusion by cabin users are vulnerable to hacking or circumvention like any other software. Additional security controls should be implemented onboard to strengthen the system. The GAO recommends that the FAA develop new regulations requiring cybersecurity assurance in certifying the airworthiness of new aircraft and aviation equipment. The FAA’s current aircraft airworthiness certification does not include assurance that cybersecurity has been addressed because historically aircraft avionics systems were isolated within the aircraft and not considered vulnerable to cybersecurity threats.