HR 1960 Reported in House – FY 2014 NDA

On Friday the House Armed Services Committee reported (though the House was not in session) HR 1960, the National Defense Authorization Act for Fiscal Year 2014. A copy of the actual report is not currently available at the GPO site, but it is available on the Library of Congress site by clicking on the report number.

Cybersecurity

I mentioned in an earlier post that the version of HR 1960 that was introduced did not have any cybersecurity language, but that that might change during the ‘legislative process’. That is certainly the case now. The following cybersecurity related sections are now in the bill:

Sec. 214. Limitation on availability of funds for defensive cyberspace operations of the Air Force.

Sec. 811. Additional contractor responsibilities in regulations relating to detection and avoidance of counterfeit electronic parts.

Sec. 812. Amendments relating to detection and avoidance of counterfeit electronic parts.

Subtitle D—Cyberspace-Related Matters

Sec. 931. Modification of requirement for inventory of Department of Defense tactical data link systems.

Sec. 932. Defense Science Board assessment of United States Cyber Command.

Sec. 933. Mission analysis for cyber operations of Department of Defense.

Sec. 934. Notification of investigations related to compromise of critical program information.

Sec. 935. Additional requirements relating to the software licenses of the Department of Defense.

Section 214 is probably the most significant in the terms of money in that it withholds 10% of the Air Force FY 2014 funding for procurement, RDT&E, and Defensive Cyberspace Operations until 30 days after the Secretary of the Air Force submits a report to Congress on the Application Software Assurance Center of Excellence. No additional information on this section is available in the Committee Report.

Section 932 will probably have a longer term impact on DOD cyber-operations. A major component of this study will be the review of the command relationship between the United States Cyber Command and the National Security Agency since the Commander and the Director are one and the same person. The Defense Science Board is specifically tasked with looking at that relationship and:

• The positive and negative impact on the Command resulting from a single individual simultaneously serving as the Commander of the United States Cyber Command and the Director of the National Security Agency {§932(b)(1)(A)};

• How the respective oversight activities of the Commander and the Director affect the ability of each entity to complete the respective missions of such entity {§932(b)(1)(B)};

• The dependencies of the Command and the Agency on one another {§932(b)(1)(C)};

• The ability of the existing management structure of the Command and the Agency to identify and adequately address potential conflicts of interest {§932(b)(1)(D)};

• The ability of the Department of Defense to train and develop, through professional assignment, individuals with the appropriate subject-matter expertise and management experience to support both the cyber operations missions of the Command and the signals intelligence missions of the Agency {§932(b)(1)(D)}.

The importance of this report is further highlighted by the requirement of a follow-up report (within 30 days) by the Secretary of Defense and the Director of National Intelligence on their assessment of the situation {§932(c)(2)}.

The report to Congress required by §933 sounds fairly straight forward when reading the legislative language. It is when you get to the discussion of the section in the Committee Report that the full import of this report. That discussion makes it clear that ‘cyber-operations’ are not limited to nice, clean digital attacks, but incorporates the full spectrum of military response including “a mix of forces necessary to conduct assured operations, including systems such as penetrating bombers, submarines with long range cruise missiles, Conventional Prompt Global Strike (CPGS), and survivable senior leadership command and control.”

A portion of this report seems to be directly targeted at the provisions of HR 1640 and S 658, the Cyber Warrior Act of 2013. The legislative language requires the Chief of the National Guard Bureau to report to Congress on his “assessment of the role of the National Guard in supporting the cyber operations mission of the Department of Defense” {§933(d)}. The Committee report language goes much further:

“While the committee supports these considerations, it is also concerned that current legislative proposals to dictate National Guard units for each of the states and territories is premature and may be detrimental to the overall national effort. In addition to the hefty price tag, which is estimated to be about $400.0 million per year, current proposals only address National Guard participation and do not include the Reserve Component. Whereas only the Army and the Air Force have National Guard units, all of the military services have Reserve Components that have unique authorities and capabilities that should be addressed by the national effort. The committee believes that more time is needed to evaluate full participation of the Reserve Components, including the implications and limitations of using National Guard forces in a `title 32' capacity, before broader action is taken. The committee encourages the Department to examine these issues in the course of the mission analysis required by this section.”

Interestingly, the reports required by both §932 and §933 are required to be prepared in ‘unclassified form’ (with classified annexes, of course). With the requirement in this bill (§1078) to post such DOD reports on a public web site, we may actually get a chance to see these reports.

Chemical Safety

There is an oddly out-of-place amendment to the Toxic Substances Control Act. Section 315 of this bill would amend 15 USC 2602(2)(B)(v) to expand the TSCA firearms exemption specifically to “any component of such an article (including, without limitation, shot, bullets and other projectiles, propellants when manufactured for or used in such an article, and primers)”. This is probably due to efforts by some environmentalists to require DOD to change their ammunition to exclude such toxic material as lead.

Moving Forward

The House Rules Committee will be holding two hearings this week to define the Rule for the consideration of HR 1960 before the House later this week. The first hearing will be on Tuesday to craft the rule. The second hearing will be Wednesday afternoon to determine what amendments will be offered on the floor. So there may still be changes to the cybersecurity provisions of this bill before it is voted upon by the House.

This bill will certainly pass in the House, historically by a substantially bipartisan vote. A different version will be considered in the Senate and then a compromise version will be worked out in Conference.