Sunday, May 8, 2016

HR 4909 Reported in the House – NDAA

Yesterday the House Armed Services Committee published its report on HR 4909. While the original bill did not contain any specific cybersecurity language, the bill as revised in numerous subcommittee and Committee hearings did add a number of cybersecurity-related provisions, and the Committee Report adds further cybersecurity discussions and requirements.

Added Cybersecurity Provisions

A number of new cybersecurity provisions were added to this bill. They include:

Sec. 231. Strategy for assured access to trusted microelectronics.
Sec. 232. Pilot program on evaluation of commercial information technology.
Sec. 911. Establishment of unified combatant command for cyber operations.
Sec. 1631. Special emergency procurement authority to facilitate the defense against or recovery from a cyber-attack.
Sec. 1632. Change in name of National Defense University’s Information Resources Management College to College of Information and Cyberspace.
Sec. 1633. Requirement to enter into agreements relating to use of cyber opposition forces.
Sec. 1634. Limitation on availability of funds for cryptographic systems and key management infrastructure.

None of these cybersecurity requirements is going to have a significant direct impact on civilian cybersecurity activities, and none of them directly addresses control system security issues. The only one that comes close is §231, which continues and expands the DOD reporting requirements on supply chain security for microelectronics. This will only directly affect DOD contractors, but it could ultimately have an effect on the whole supply chain security environment down the road.

Section 231 would require DOD, after conducting studies and issuing reports to Congress, to issue a directive by September 30th, 2020 that would describe how DOD entities would “access assured and trusted microelectronics supply chains for Department of Defense systems” {§231(d)}. The key word here is ‘trusted’ which is defined as “the ability of the Department of Defense to have confidence that the microelectronics function as intended and are free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during its life cycle” {§231(f)}.

Discussions in the Report

As we see with any authorization or spending bill report, there are a number of discussions in the report where the Committee provides additional guidance and directives to the Department of Defense. The discussions that may be of interest to readers of this blog include:

• Cellular and broadband signals exploitation (pg 79);
• Counter-unmanned aerial systems roadmap (pg 80);
• Non-destructive counterfeit parts detection tools (pg 89);
• Social media analysis cell (pg 91);
• National Guard Cyber Protection Teams (pg 135);
• Cyber Science Education at the Service Academies (pg 147);
• Wassenaar Arrangement Impacts to the Department of Defense (pg 221); and
• Facility Industrial Control Systems (pg 374).

The Committee encourages SOCOM to continue its “efforts to utilize commercial technology to conduct cellular and broadband survey, active interrogation, and directional finding capabilities from unmanned aerial systems”. While this technology certainly has ongoing military application in counter-terrorism operations, the potential use of the same technology in civilian law enforcement operations raises all sorts of interesting controversies.

The threat to forces from adversaries employing small unmanned aerial systems continues to grow. While the Army is conducting some anti-UAS research, the Committee is directing “the Secretary of Defense to develop a technology roadmap for addressing gaps to counter the potential threats from terrorist or state actor uses of small UAS technology, with an emphasis on technology to support tactical level units, and fixed, high-value defense assets”. The value of such technology to protect critical infrastructure facilities in the homeland should also be studied.

The concern with counterfeit parts is apparently high on the Committee’s task list. It has encouraged the Department to “evaluate the need to identify or develop best-of-breed, non-destructive counterfeit parts detection tools that it can use, or that could be made available to defense industrial base suppliers, to support the overall mission of ensuring the integrity of electronic components of defense weapon systems”. Again, this type of technology would have widespread applications throughout the electronics sector.

The Committee has increased the budget of the Joint Concept Technology Demonstration program by $10 million to look into the “application of new technologies or concepts in this space, especially in the use of ever-increasing data from social media sources that can be leveraged to amplify and inform other warning, force protection and battlespace awareness activities of the Department of Defense”. Again, this is a potentially valuable military tool with uncomfortable applications in the civilian sector.

The brief discussion of the National Guard cyber protection teams (CPT) looks at funding issues and questions why the Army teams have not been integrated into Cyber Command operational planning. The Committee directs the DOD to provide additional information in the FY 2018 funding request.

In a very short discussion about cybersecurity training, the Committee concludes by encouraging “the Department to recognize the importance of cyber education within each of the U.S. military service academies and actively promote cyber sciences education and training within the service’s respective curriculum”.

The Report also calls for another Wassenaar report and briefing; the Committee “believes restricting export of these technologies may negatively impact use of such products for national security purposes”.

Military Industrial Control Systems

For the first time that I can remember, this Committee Report specifically addresses the security of industrial control systems in the military realm. It is a rather limited look, to be sure, in that it only addresses “industrial control systems integrated into systems and equipment such as air conditioners, utility meters, and other programmable controllers”.

The report applauds current efforts “to implement and promote secure procedures, adopt best government practices, and revise Department of Defense Unified Facility Criteria and Unified Facility Guide Specifications to address the cybersecurity vulnerabilities of industrial control systems”. The Committee would like to see these efforts expanded, encouraging “the Department’s cybersecurity community to look more closely at these classes of vulnerabilities and how to modify tactics, techniques, and procedures to better position the cyber mission forces to deal with new and emerging threats proactively”.

Moving Forward

This is one of those ‘must pass’ bills that needs to be passed every year. It is likely that this bill will be considered by the House in a full-blown debate and amendment process later this month. The Senate will take up its own version of the bill (not yet introduced), and a conference committee will meet to iron out the differences. If past years are any indicator, final consideration of the bill will not take place until after the election in November.
