Last week Sen. Cochran (R,MS) introduced S 3000, the Department of Defense Appropriations Act, 2017. As we have come to expect with the DOD spending bill, there is no specific mention of cybersecurity issues in the bill itself, but there are numerous references found in the Senate Appropriations Committee report on the bill. Few of the references have any direct impact on the industrial control system community, but operations of the largest cyber-active organization in the country will inevitably have an influence on all cybersecurity operations.
With breaches of information systems being daily news, the Committee is directing DOD (pg 183) “to undertake a comprehensive review of classified systems and systems that have PII information, and validate that protection measures are in place to insure data integrity and appropriate access” and report back to Congress with the results of the review.
The Committee continues to be concerned about the issue of counterfeit electronic parts. While recognizing that suppliers have the primary responsibility to prevent the use of these counterfeit parts, the Committee wants DOD (pgs 32-3) “to be proactive about identifying, developing, and validating independent tools that suppliers could easily use to rapidly identify counterfeit electronics in the supply chain accurately and at low cost”.
Training for the cyberwarfare force continues to be a matter of concern for the Committee, and the Report reflects this by identifying a number of specific training issues that it wants to see DOD address. These areas include:
• Training shortfalls in the cyber kinetic combat environment (pg 33);
• Expanding training to sites with Active or Reserve components with secure infrastructure and qualified cyber personnel, including aggressor units and cyber red team units, capable of training military personnel in various cyber missions (pg 34); and
• Development of a competitive hacking environment that includes the ability for participants to build novel working exploits and defend against them (pg 34).
The Committee recognizes that building an effective cyberwarfare force is going to require additional R&D efforts. The Committee report identifies three specific areas that are of immediate concern in the R&D realm:
• The interdisciplinary nature of cyber systems including consideration of the role of human behavior (pg 160);
• Research in automated exploit generation, exploit hardening, and vulnerability identification capabilities of systems when source code is not available, and to focus on implementation, integration, and software tooling (pg 183); and
• Support institutions with strong cybersecurity, cyber-physical, and networks of systems research programs that will develop methods to identify vulnerabilities in large networked systems, rapidly prototype and build security prototypes and tools, and with institutional capabilities to transfer basic research into Department of Defense mission areas and platforms (pg 183).
The Committee recognizes that the ubiquity of civilian and military unmanned aerial systems (UAS) means that a wide variety of adversaries are going to be able to deploy such devices against US forces. The Committee is encouraging DOD (pg 168) to continue research and development of tactics using radar systems, advanced communications, and cyber security technologies to counter UAS threats.
The Defense spending bill is one of the bills that the House and Senate leadership would certainly want to see on the floor of both houses before the summer recess in mid-July. The two separate bills would then be combined in a conference committee with the desire to see final action before the end of the fiscal year. This Senate bill may not be able to get to the floor, however, because of Democratic concerns about increases in spending. If it is held up, it will be interesting to see if Sen. McCain modifies the spending levels in a subsequent bill in response to those concerns to move a bill to the floor, or waits to try to push the issue forward after the election.