Congress About to Pass Security-Heavy Defense Bill
On the heels of the IoT Cybersecurity Improvement Act becoming law, Congress is poised to pass another significant piece of legislation related to cybersecurity.

The National Defense Authorization Act may be the most significant cybersecurity action from Congress to date, as it would reshape how the federal bureaucracy handles security. The annual defense policy bill, which lays out the annual budget and expenditures for the Pentagon, has a section devoted specifically to several dozen security-related proposals. If passed, the legislation would create a national cyber director in the White House, empower the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) with new authority, and direct the executive branch to plan how the economy would continue to operate in case of an attack. Of the more than 80 recommendations made by the Cyberspace Solarium Commission, 26 made it into the final version of the defense package.

“I believe it’s safe to say that this is the most important piece of cybersecurity legislation ever passed” by Congress if the Senate also approves the bill this week, said Sen. Angus King (I-Maine). King was also the co-chair of the Cyberspace Solarium Commission.

The NDAA will require the Department of Defense to conduct a vulnerability assessment of the country’s nuclear command and control systems and to continually assess vulnerabilities in U.S. weapons systems. There are provisions calling for improved Defense Industrial Base (DIB) participation in threat-intelligence sharing programs and assessing the feasibility of establishing a threat hunting program on DIB networks.

The Secretary of Defense, in consultation with the heads of other relevant federal agencies, will be required to submit an annual report to Congress describing Russia’s cyber warfare capabilities, “including details on the number of malicious cyber incidents and associated activities against DoD networks known or suspected to have been conducted or directed by the Government of the Russian Federation,” no later than June 1. The report will also include an assessment of Russia’s hybrid warfare strategy and capabilities, including “the use of misinformation, disinformation, and propaganda in social and traditional media” and other malicious cyber activities.

The DoD will also conduct a force-structure assessment of the Cyber Mission Force to ensure it has the military capability and capacity to carry out its mission requirements and to fight adversaries. The assessment is necessary because the requirements were defined back in 2013, “well before the United States experienced or observed some of the key events that have shaped the U.S. government’s understanding of the urgency and salience of the cyber threat posed by adversaries, as well as before the development of DoD’s defend forward strategy,” according to the Cyberspace Solarium Commission report.

The defense package addresses security concerns outside of the Department of Defense as well. One key provision in the NDAA would create a national cyber director with policy and budgetary authority to advise the president on cybersecurity and oversee development and implementation of the national strategy. A big part of the role requires coordinating security budgets across different agencies, national incident response efforts, and other security-related tasks in the federal government. The coordination is particularly important since there are many federal agencies with cybersecurity responsibilities. The director will not be under the National Security Council and will need to be confirmed by the Senate, unlike the White House cybersecurity coordinator position, which was eliminated in 2018.

“The Office of the Director would have a range of responsibilities, including serving as the principal advisor to the president on cybersecurity matters, leading the development and implementation of cyber strategy, and coordinating major cyber incident response efforts across the federal government,” the NDAA said.

The executive branch would also need to develop plans for the “continuity of the economy,” to ensure that the delivery of goods and services is not disrupted in the case of a devastating attack.

The Government Accountability Office will be asked to study cyber insurance and provide recommendations on ways to improve the cyber insurance market. The National Institute of Standards and Technology will identify and develop standards and guidelines for improving the cybersecurity workforce of an agency.

More Powers to CISA

The legislation would give CISA the power to issue administrative subpoenas to internet service providers when it detects critical infrastructure security vulnerabilities but can’t track down the owner. CISA would also have the authority to conduct threat hunting exercises on the .gov domain. The agency would also be able to “provide services, information technology, and sensors to other federal agencies upon request.” The director of CISA would be tasked with hiring a cybersecurity director for each state to improve coordination between states and the federal government, conducting a force-structure assessment and an infrastructure assessment of the agency, and implementing certain Cyberspace Solarium Commission recommendations. There are also provisions strengthening the responsibilities of CISA’s integrated cyber center and establishing a biannual national cyber exercise.

More good news for CISA: an Office of Joint Cyber Planning would be created within the agency to promote partnerships between government and private sector organizations to defend against nation-state attacks. The office would be at the forefront of public-private planning to develop a set of coordinated actions to respond to, and recover from, incidents. Currently this kind of planning is performed on an ad-hoc basis, by creating specific task forces as needed. An example is the Russia Small Group, jointly created by the National Security Agency and U.S. Cyber Command to deal with Russian influence operations.

Finally, the defense bill contains language to extend the Cyberspace Solarium Commission for one more year, to give the commission time to develop legislative recommendations in related areas, such as addressing critical technology supply chain issues, improving responses to cybercrime, and improving the security ecosystem.

With the threat of a presidential veto looming, the defense package’s passage is not yet definite. If the Senate can’t muster support from two-thirds of the chamber, the package may not survive the veto. The possibility of a veto override is high, though, since both chambers of Congress passed the original versions of the legislation with veto-proof majorities. The House of Representatives passed this conference version with a veto-proof margin (335-78). The Senate is expected to vote this week on the NDAA.

The legislation does not include a provision removing Section 230, a law that protects technology companies such as social media companies from liability. Many lawmakers appear inclined to have a separate debate and vote on repealing Section 230, since it isn’t a military issue and doesn’t have anything to do with national security.