Monday, June 22, 2015

Senate Amends and Passes HR 1735

Last week the Senate finished their lengthy amendment process and passed HR 1735, the FY 2016 National Defense Authorization Act (NDA). The amendments started with substitute language offered by Sen. McCain (R,AZ) that was pretty much S 1118 (the Senate version of the bill which I did not review) and then the amendments went from there. The final vote was 71 to 25 with two of the Nays coming from Sen. Cruz (R-TX) and Sen. Paul (R-KY).

The House version of HR 1735 had essentially no cybersecurity language in the original bill, and only two minor cyber-related amendments were added in the committee markup process. The floor amendment process in the House resulted in a cybersecurity and a drone amendment being added. The new Senate version included a number of cyber-related provisions, and a couple more were added during the amendment process.

TWIC for Separating Servicemembers

I’ll start off the review of the passed version of HR 1735 with a non-cyber provision that may be of interest. Section 589 directs the Secretary of Defense to consult with the DHS Secretary “to afford a priority in the processing of applications for a Transportation Worker Identification Credential (TWIC) to applications submitted by members of the Armed Forces who are undergoing separation, discharge, or release from the Armed Forces under honorable conditions” {§589(a)}. The goal is to get separating service members their TWIC within 14 days of application.

Counterfeit Parts

Section 232 requires the Secretary of Defense to conduct a ‘hardware assurance study’ to “assess the presence, scope, and effect on Department of Defense operations of counterfeit electronic parts that have passed through the Department supply chain and into field systems” {§232(a)}. There has been some interest in previous NDAs in trying to prevent counterfeit hardware from getting into the supply chain.

Cyber Command Acquisition Authority

Section 807 would give special procurement authority to the Commander of the United States Cyber Command essentially equal to the Service Secretaries, Secretary of DHS, and the NASA Administrator {§807(a)(2); see 10 USC 2302(a)(1) for definition of Agency Head}. That authority would apply to the following procurement activities:

Development and acquisition of cyber operations-peculiar equipment and capabilities; and
Acquisition of cyber capability-peculiar equipment, capabilities, and services.

Defense Positioning, Navigation and Timing Oversight

Section 1610 establishes the ‘Council on Oversight of the Department of Defense Positioning, Navigation, and Timing (PNT) Enterprise’ co-chaired by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Vice Chairman of the Joint Chiefs of Staff. It will be “responsible for oversight of the Department of Defense positioning, navigation, and timing enterprise, including positioning, navigation, and timing services provided to civil, commercial, scientific, and international users” {§1610(d)(1)}. It will include {§1610(d)(2)}:

Oversight of performance assessments (including interoperability);
Vulnerability identification and mitigation;
Architecture development;
Resource prioritization; and
Such other responsibilities as the Secretary of Defense shall specify for purposes of this section.

Authorization of Military Cyber Operations

Section 1631 would amend 10 USC Chapter 3 by adding a new §130g directing the Secretary of Defense to “develop, prepare, coordinate, and, when authorized by the President to do so, conduct a military cyber operation in response to malicious cyber activity carried out against the United States or a United States person by a foreign power (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 USC 1801)).”

This is an important legal formality, especially with regard to the ‘develop, prepare, and coordinate’ functions.

Integrated Policy to Deter Adversaries in Cyberspace

In the 2014 NDA (PL 113-66) Congress directed the President “to develop a deterrence policy for reducing cyber risks to the United States and our allies” {§941(b)} and to report to Congress on that policy. Apparently the report has not been forthcoming so §1633 of this bill would withhold $10 Million in DOD funding for providing “support services to the Executive Office of the President” until the report is submitted; the power of the purse.

Cyber Vulnerabilities of Major Weapon Systems

With news reports earlier this year that DOD weapon systems are vulnerable to cyber attack, §1635 requires the Secretary to conduct “an evaluation of the cyber vulnerabilities of each major weapon system of the Department of Defense by not later than December 31, 2019” {§1635(a)(1)}. The evaluation will include “strategies for mitigating the risks of cyber vulnerabilities identified in the course of such evaluations” {§1635(d)}. The bill authorizes $200 Million to conduct the study.

Cyber Defense Activities

Three separate sections of the bill deal with defending the United States and its critical infrastructure from foreign cyber-attacks. Section 1636 requires an assessment of the capability of the Cyber Command to “reliably prevent or block large-scale attacks on the United States by foreign powers with capabilities comparable to the capabilities of China, Iran, North Korea, and Russia expected in the years 2020 and 2025” {§1636(a)(1)}. This assessment would include a series of war games “through the Warfighting Analysis Division of the Force Structure, Resources, and Assessment Directorate to assess the strategy, assumptions, and capabilities of the United States Cyber Command to prevent large-scale cyber attacks” {§1636(b)}.

Section 1637 would require biennial exercises on responding to cyber-attacks against critical infrastructure. DOD would coordinate these exercises with the Secretary of Homeland Security, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, and the heads of the critical infrastructure sector-specific agencies. The purpose of these exercises is to {§1637(b)}:

Improve cooperation and coordination between various parts of the Government and industry so that the Government and industry can more effectively and efficiently respond to cyber-attacks;
Exercise command and control, coordination, communications, and information sharing capabilities under the stressing conditions of an ongoing cyber-attack; and
Identify gaps and problems that require new enhanced training, capabilities, procedures, or authorities.

Section 1638 would require the Secretary of Defense to prepare a comprehensive plan to support civil authorities in response to cyber-attacks by foreign powers. This was added as an amendment and the wording is taken directly from S 1478 that was introduced by Sen. Rounds (R,SD). I covered its provisions in some detail in an earlier post.

Guard and Reserve Cyber Capabilities

The final cyber provision is in §1639. It expresses the ‘sense of Congress’ that the Secretary of Defense “should review and consider any findings and recommendations of the Council of Governors [link added] pertaining to cyber mission force requirements and any proposed reductions in and synchronization of the cyber capabilities of active or reserve components of the Armed Forces”.

Moving Forward

The bill now heads back to the House to see if they will accept the changes made by the Senate. The House consideration is not currently scheduled for this week. If the House accepts the Senate version the bill goes to the President. The House could further amend the bill and send it back to the Senate. Or the House could ask for a Conference Committee to work out the differences. I suspect that the latter will be what we see.
