LegiStorm

Summary:

Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated against individuals, corporations, and countries. Targets have included government networks, companies, and political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, engaging in cybercrime, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which may make responding problematic. Despite many recommendations made over the past decade, most major legislative provisions relating to cybersecurity had been enacted prior to 2002. However, on December 18, 2014, in the last days of the 113th Congress, five cybersecurity bills were signed by the President. These bills change federal cybersecurity programs in a number of ways:  codifying the role of the National Institute of Standards and Technology (NIST) in developing a “voluntary, industry-led set of standards” to reduce cyber risk;  codifying the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center as a hub for interactions with the private sector;  updating the Federal Information Security Management Act (FISMA) by requiring the Office of Management and Budget (OMB) to “eliminate ... inefficient and wasteful reports”; and  requiring DHS to develop a “comprehensive workforce strategy” within a year and giving DHS new authorities for cybersecurity hiring. In April 2011, the Obama Administration sent Congress legislative proposals that would have given the federal government new authority to ensure that corporations owning assets most critical to the nation’s security and economic prosperity adequately addressed risks posed by cybersecurity threats. This report provides links to cybersecurity legislation in the 112th, 113th , and 114th Congresses.  114th Congress Legislation, House, Table 1  114th Congress Legislation, Senate, Table 2  113th Congress, Major Legislation, Table 3 and Table 4  112th Congress, Major Legislation, Table 5 and Table 7  112th Congress, Senate Floor Debate: S. 3414, Table 6  112th Congress, House Floor Debate: H.R. 3523, Table 8 Congress has held cybersecurity hearings every year since 2001. This report also provides links to cybersecurity-related committee hearings in the 112th, 113th, and 114th Congresses.  114th Congress, Senate Hearings, Table 9 and Table 10  114th Congress, House Hearings, Table 11 and Table 12  113th Congress, House Hearings, Table 14 and Table 15  113th Congress, House Committee Markups, Table 16  113th Congress, Senate Hearings, Table 17 and Table 19  113th Congress, Other Hearings, Table 18 and Table 20  112th Congress, House Hearings, Table 21 and Table 22  112th Congress, House Markups, Table 23  112th Congress, Senate Hearings, Table 24 and Table 25  112th Congress, Congressional Committee Investigative Reports, Table 26 On April 22, 2015, the House passed H.R. 1560, which will provide liability protection to companies that share cyber threat information with the government and other companies so long as personal information is removed before the sharing of such information. On April 23, 2015, the House passed H.R. 1731, which will encourage information sharing with the Department of Homeland Security by protecting entities from civil liabilities. On November 17, 2015, the House passed H.R. 1073 by voice vote, which will secure critical infrastructure against electromagnetic threats. On November 30, 2015, the House passed H.R. 3490, which would establish in the Department of Homeland Security a National Computer Forensics Institute to be operated by the U.S. Secret Service for the dissemination of homeland security information related to the investigation and prevention of cyber and electronic crime. On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act of 2015 (CISA), by a vote of 74-21 (Roll call vote 291). The House approved companion legislation in April, so the cybersecurity measure is now on track to reach President Obama's desk and be signed into law, once a conference report is negotiated. CISA attempts to open up communication channels between industry and federal agencies by offering legal immunity to companies that share data with the government. For more information on what is covered in the Senate bill, see CRS Legal Sidebar WSLG1429, Senate Passes Cybersecurity Information Sharing Bill –What’s Next?, by Andrew Nolan. On November 30, 2015, the House passed H.R. 3490, which would establish in the Department of Homeland Security a National Computer Forensics Institute to be operated by the U.S. Secret Service for the dissemination of homeland security information related to the investigation and prevention of cyber and electronic crime. On December 10, 2015, the House passed H.R. 3869, State and Local Cyber Protection Act of 2015, which requires the Department of Homeland Security's (DHS's) national cybersecurity and communications integration center (NCCIC) to assist state and local governments with cybersecurity, and on December 16, 2015, the House passed H.R. 3878, Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015, which requires DHS to seek to enhance cybersecurity situational awareness and information sharing between and with maritime security stakeholders from federal, state, local, and tribal governments, public safety and emergency response agencies, law enforcement and security organizations, maritime industry participants, port owners and operators, and maritime terminal owners and operators. On December 18, 2015, H.R. 2029 the Consolidated Appropriations Act, was signed into public law (P.L. 114-57). The omnibus law’s cybersecurity provisions are located in Division N (Cybersecurity Act of 2015), including Title I, Cybersecurity Information Sharing, Title II, National Cybersecurity Advancement, Title III, Federal Cybersecurity Workforce Assessment, and Title IV, Other Cyber Matters. The measure represents a compromise between the House and Senate intelligence committees and the House Homeland Security Committee. It includes various components of three separate information sharing bills: H.R. 1560 and H.R. 1731, passed by the House earlier this year, and S. 754, passed by the Senate in October. The bill encourages private companies to voluntarily share information about cyber threats with each other as well as the government. Firms that participate in the information sharing will receive liability protection. For a comparison of House and Senate information-sharing legislation in the 114th Congress, see CRS Report R44069, Cybersecurity and Information Sharing: Comparison of H.R. 1560 (PCNA and NCPAA) and S. 754 (CISA), by Eric A. Fischer. For a side-by-side comparison of cybersecurity and information legislation in the 114th Congress, see CRS Report R43996, Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 as Passed by the House, by Eric A. Fischer and Stephanie M. Logan. For an economic analysis of information-sharing legislation, see CRS Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis, by N. Eric Weiss. For a discussion of selected legislative proposals in the 112th and 113th Congresses, see CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation, by Eric A. Fischer. Executive orders authorize the President to manage federal government operations. Presidential directives pertain to all aspects of U.S. national security policy as authorized by the President. This report provides a list of executive orders and presidential directives pertaining to information and computer security.  Executive Orders and Presidential Directives, Table 27 For a selected list of authoritative reports and resources on cybersecurity, see CRS Report R42507, Cybersecurity: Authoritative Reports and Resources, by Topic, by Rita Tehan. For selected cybersecurity data, statistics, and glossaries, see CRS Report R43310, Cybersecurity: Data, Statistics, and Glossaries, by Rita Tehan.