With the Senate possibly getting ready to take up HR 2810,
the FY 2018 National Defense Authorization Act (NDAA), the amendment process
started in earnest last week. While a significant number of amendments were
submitted on Wednesday, I did not see any of potential specific interest to
readers of this blog until Thursday. Those amendments included:
• SA 427. Mr. Brown - collaboration
between federal aviation administration and department of defense on unmanned
aircraft systems (pg s4455);
• SA 435. Mr. Rounds - report on
progress made in implementing the cyber excepted personnel system (pgs
s4456-7);
• SA 437. Mr. Rounds - sense of
congress on establishing an award program for the cyber community of the
department of defense (pg s4457);
• SA 461. Ms. Cantwell - collaboration
on cybersecurity of industrial control systems for critical infrastructure (pg
s4465);
• SA 488. Ms. Heitkamp - sense of
congress on use of test sites for research and development on countering
unmanned aerial systems (pgs s4474-5);
• SA 525. Mr. Whitehouse - United
States-Israel cybersecurity cooperation (pgs s4526-7);
• SA 557. Mr. Gardner - mandatory sanctions
with respect to Iran relating to significant activities undermining United
States cybersecurity (pgs s4533-4);
• SA 559. Mr. Gardner - comptroller
general of the United States report on department of defense critical
telecommunications equipment or services obtained from suppliers closely linked
to a leading cyber-threat actor (pg s4534);
• SA 575. Mr. Nelson - protecting
critical infrastructure against cyber attacks from foreign governments
(pgs s4538-9);
• SA 613. Ms. Cortez Masto - department
of defense cyber workforce development pilot program (pg s4564);
• SA 623. Mr. Warner - department
of defense cyber workforce development pilot program (pgs 4568-9);
• SA 655. Ms. Klobuchar - prohibition
on use of federal funds for joint cybersecurity initiative with Russia
(pg s4574);
• SA 663. Mrs. Shaheen - prohibition
on use of software platforms developed by Kaspersky lab;
• SA 666. Mr. Brown - cybersecurity
cooperation with Ukraine (pg s4579);
• SA 686. Ms. Warren - report on
significant security vulnerabilities of the national electric grid (pg s4587);
• SA 700. Ms. Harris - pilot
program on integrating into the department of defense workforce individuals
with cybersecurity skills whose services are donated by private persons (pg
s4590);
• SA 712. Mr. Portman - plan to
meet demand for cyberspace career fields in the reserve components of the armed
forces (pg s4597);
• SA 713. Mr. Portman - department
of defense integration of information operations and cyber-enabled information
operations (pgs s4597-8);
• SA 725. Mr. Cassidy - report on cyber capability
and readiness shortfalls of army combat training centers (pg s4604).
Industrial Control Systems
Three of these amendments specifically address (or at least
include) industrial control system security issues.
Sen. Cantwell’s (D,WA) SA 461 would require DOD, DOE, and
DHS to provide representatives to a new Center of Excellence focusing on “cybersecurity
of industrial control systems for critical infrastructure” {(b)(1)}. Neither funding
nor further details are provided.
Sen. Nelson’s (D,FL) SA 575 is a ‘sense of Congress’
statement. It starts with a very bold and broad statement of the threat: “Authoritative
evidence and testimony to Congress indicate that the United States Government
cannot prevent cyber attacks by determined and capable adversaries from
reaching critical infrastructure in the United States and that, absent major
efforts to identify and eliminate vulnerabilities in the most critical nodes of
the most critical infrastructure, such attacks would succeed in causing
unacceptable damage to the United States” {(a)(1)}. It does require a report to
Congress that would include “an analysis of cyber vulnerabilities in the most
critical nodes of the most critical infrastructure” {(c)(1)} and a listing of
potential design solutions. Again, no funding is provided.
Sen. Warren’s (D,MA) SA 686 would require another report to
Congress on “the significant security vulnerabilities of the national electric
grid that are susceptible to significant malicious cyber-enabled activities” {(a)(1)}
and their effect on DOD. While control systems are not specifically mentioned
in this amendment, it does use the 6 USC 1501 definition of ‘security
vulnerability’, which is based upon that section’s ICS-inclusive definition of ‘information
system’. Again, no funding is provided.
Moving Forward
There is a possibility that the Senate will move forward to
consider HR 2810 before they start their summer recess later next month. Those
chances were decreased, however, when Sen. McCain (R,AZ; Chair of the Senate
Armed Services Committee) returned to Arizona to undergo treatment for his
newly diagnosed cancer.
Even if the bill does come to the floor for debate and
amendment, there is no telling if/when any of the above amendments would be
considered.