As I noted earlier Sen. Levin (D,MI) introduced S 1197, the National Defense
Authorization Act for Fiscal Year 2014, and the bill has been reported
favorably by the Senate Armed Services Committee. As expected the bill has
some significant cybersecurity provisions including support for the development
of tools for checking software code vulnerability, looking at the use of
National Guard troops for homeland cyber-response tasks and controls on the
trade in ‘cyber-weapons’.
Cyberspace Subtitle
Subtitle D of Title IX (DOD Organization and Management)
deals with ‘Cyberspace-Related Matters’. Most of the provisions relate to cyber-warfare
but some deal with cybersecurity related matters. The eight sections within the
Subtitle are:
• Section 941: Authorities, capabilities, and oversight of the United States Cyber Command.
• Section 942: Joint software assurance center for the Department of Defense.
• Section 943: Supervision of the acquisition of cloud computing capabilities for intelligence analysis.
• Section 944: Cyber vulnerabilities of Department of Defense weapon systems and tactical communications systems.
• Section 945: Strategy on use of the reserve components of the Armed Forces to support Department of Defense cyber missions.
• Section 946: Control of the proliferation of cyber weapons.
• Section 947: Integrated policy to deter adversaries in cyberspace.
• Section 948: Centers of Academic Excellence for Information
Probably the most significant of the DOD provisions in this
Subtitle can be found in §941. It provides for the separation of the DOD cyber-warfare
(offensive and defensive) organizations from the cyber intelligence program and
the information security program in DOD. This specifically includes providing
hardware and internet access capabilities for US Cyber Command (USCC) that are
separate from the National Security Agency. It does not, however, address the
current fact that the commander of the NSA and the commander of the USCC are
the same person.
Software Assurance Tools
Section 942 requires DOD to establish a Joint Software
Assurance Center separate from the one established by the National Security
Agency (more separation of USCC from NSA). The new JSAC would work with the NSA
to establish a “program of research and development to improve automated
software code vulnerability analysis and testing tools” {§942(c)(3)}.
The Committee report further emphasizes the importance of this program
(pg 46, Adobe 69) by providing an
additional $10 million for the Air Force version of this proposed organization,
the Application Software Assurance Center of Excellence (ASACOE).
The Committee report also notes that this proposed JSAC
would help the military comply with the §933 requirements of the FY 2013
National Defense Authorization Act.
There is nothing in §942 that would address the availability
of such tools for work in the civilian sector, but it is reasonable to suppose
that it might be made available to DHS in support of cybersecurity activities
in the critical infrastructure sectors.
Homeland Cyber Response
It is apparent that the use of National Guard cyber-warriors
is the ‘cybersecurity’ idea of the year. We have seen it proposed in two identical
bills (HR 1640 and S 658) and a version was included in the House DOD spending
bill, HR 2397, Committee Report. This bill provides yet a third version of the idea
as part of the §945 examination of the use of the Reserve Components in DOD cyber
missions.
DOD and DHS would be required to take a coordinated look at
the use of the National Guard in a cyber homeland defense role. The bill
specifically tasks the two departments to get input from the Governors on “State
cyber capabilities, and State cyber needs that cannot be fulfilled through the
private sector” {§945(b)(2)}. This is part of the requirement to determine if
the National Guard, operating under State status, “can operate under unique and
useful authorities to support domestic cyber missions and requirements of the
Department or the United States Cyber Command” {§945(b)(4)}.
The bill even goes so far as to suggest that DOD look into whether
it would be appropriate to hire part-time National Guard Technicians with
appropriate cybersecurity expertise to assist “the National Guard in protecting
critical infrastructure [emphasis added] and carrying out cyber security
missions in defense of the United States homeland” {§945(b)(5)}.
Operation of the National Guard units under State status is
an important legal distinction. Because of restrictions on the domestic use of
military forces under the Posse Comitatus Act (18 USC 1385) it would be
necessary to use National Guard units under the
command of Governors to participate in many cyber related homeland defense
missions.
Control of Cyber Weapons
Section 946 addresses attempts to control the international
trade in cyber weapons. It requires the President to establish yet another “interagency
process to provide for the establishment of an integrated policy to control the
proliferation of cyber weapons” {§946(a)}.
Since there is not currently a legal definition of ‘cyber
weapons’ the same interagency process is also required to identify “the types
of dangerous software that can and should be controlled through export controls”
{§946(b)(1)}. The Committee Report notes:
“This process will require
developing definitions and categories for controlled cyber technologies and
determining how to address dual use, lawful intercept, and penetration testing
technologies.” (pg 159, Adobe 181)
It is clear that someone on the Senate Armed Services
Committee staff realizes that many of these ‘cyber weapons’ might have
legitimate uses in the cybersecurity field. The Committee Report states:
“However, the approaches developed must
also take into account the needs of legitimate cybersecurity professionals to
mitigate vulnerabilities, and not stifle innovation in tools and technology
that are necessary for national security and the cybersecurity of the Nation.”
(pg 160, Adobe 182)
The section requires the identification of methods that
should be used to “suppress the trade in cyber tools and infrastructure that
are or can be used for criminal, terrorist, or military activities while
preserving the ability of governments and the private sector to use such tools
for legitimate purposes of self-defense” {§946(b)(2)}.
Moving Forward
I expect that the Senate will move forward with its
consideration of S 1197 in the few weeks remaining before the Summer Recess. The
bill will pass after some significant amendments are offered and wrangled over.
The Senate will then vote to substitute the wording from this bill for the
House wording of HR 1960. The bill will then go to conference to work out the differences
between the two bills. That won’t happen until sometime later this year,
probably after the start of FY 2014.