Sunday, June 30, 2013

S 1197 Introduced – FY 2014 DOD Authorization

As I noted earlier, Sen. Levin (D,MI) introduced S 1197, the National Defense Authorization Act for Fiscal Year 2014, and the bill has been reported favorably by the Senate Armed Services Committee. As expected, the bill has some significant cybersecurity provisions, including support for the development of tools for checking software code vulnerability, looking at the use of National Guard troops for homeland cyber-response tasks, and controls on the trade in ‘cyber-weapons’.

Cyberspace Subtitle

Subtitle D of Title IX (DOD Organization and Management) deals with ‘Cyberspace-Related Matters’. Most of the provisions relate to cyber-warfare, but some deal with cybersecurity-related matters. The eight sections within the Subtitle are:

• Section 941: Authorities, capabilities, and oversight of the United States Cyber Command.
• Section 942: Joint software assurance center for the Department of Defense.
• Section 943: Supervision of the acquisition of cloud computing capabilities for intelligence analysis.
• Section 944: Cyber vulnerabilities of Department of Defense weapon systems and tactical communications systems.
• Section 945: Strategy on use of the reserve components of the Armed Forces to support Department of Defense cyber missions.
• Section 946: Control of the proliferation of cyber weapons.
• Section 947: Integrated policy to deter adversaries in cyberspace.
• Section 948: Centers of Academic Excellence for Information

Probably the most significant of the DOD provisions in this Subtitle can be found in §941. It provides for the separation of the DOD cyber-warfare (offensive and defensive) organizations from the cyber intelligence program and the information security program in DOD. This specifically includes providing hardware and internet access capabilities for US Cyber Command (USCC) that are separate from those of the National Security Agency. It does not, however, address the current fact that the commander of the NSA and the commander of the USCC are the same person.

Software Assurance Tools

Section 942 requires DOD to establish a Joint Software Assurance Center separate from the one established by the National Security Agency (more separation of USCC from NSA). The new JSAC would work with the NSA to establish a “program of research and development to improve automated software code vulnerability analysis and testing tools” {§942(c)(3)}.

The Committee report (pg 46, Adobe 69) further emphasizes the importance of this program by providing an additional $10 million for the Air Force version of this proposed organization, the Application Software Assurance Center of Excellence (ASACOE).

The Committee report also notes that this proposed JSAC would help the military comply with the §933 requirements of the FY 2013 National Defense Authorization Act.

There is nothing in §942 that would address the availability of such tools for work in the civilian sector, but it is reasonable to suppose that it might be made available to DHS in support of cybersecurity activities in the critical infrastructure sectors.

Homeland Cyber Response

It is apparent that the use of National Guard cyber-warriors is the ‘cybersecurity’ idea of the year. We have seen it proposed in two identical bills (HR 1640 and S 658), and a version was included in the Committee Report for the House DOD spending bill, HR 2397. This bill provides yet a third version of the idea as part of the §945 examination of the use of the Reserve Components in DOD cyber missions.

DOD and DHS would be required to take a coordinated look at the use of the National Guard in a cyber homeland defense role. The bill specifically tasks the two departments to get input from the Governors on “State cyber capabilities, and State cyber needs that cannot be fulfilled through the private sector” {§945(b)(2)}. This is part of the requirement to determine if the National Guard, operating under State status, “can operate under unique and useful authorities to support domestic cyber missions and requirements of the Department or the United States Cyber Command” {§945(b)(4)}.

The bill even goes so far as to suggest that DOD look into whether it would be appropriate to hire part-time National Guard Technicians with appropriate cybersecurity expertise to assist “the National Guard in protecting critical infrastructure [emphasis added] and carrying out cyber security missions in defense of the United States homeland” {§945(b)(5)}.

Operation of the National Guard units under State status is an important legal distinction. Because of restrictions on the domestic use of military forces under the Posse Comitatus Act (18 USC 1385), it would be necessary to use National Guard units under the command of Governors to participate in many cyber-related homeland defense missions.

Control of Cyber Weapons

Section 946 addresses attempts to control the international trade in cyber weapons. It requires the President to establish yet another “interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons” {§946(a)}.

Since there is not currently a legal definition of ‘cyber weapons’, the same interagency process is also required to identify “the types of dangerous software that can and should be controlled through export controls” {§946(b)(1)}. The Committee Report notes:

“This process will require developing definitions and categories for controlled cyber technologies and determining how to address dual use, lawful intercept, and penetration testing technologies.” (pg 159, Adobe 181)

It is clear that someone on the Senate Armed Services Committee staff realizes that many of these ‘cyber weapons’ might have legitimate uses in the cybersecurity field. The Committee Report states:

“However, the approaches developed must also take into account the needs of legitimate cybersecurity professionals to mitigate vulnerabilities, and not stifle innovation in tools and technology that are necessary for national security and the cybersecurity of the Nation.” (pg 160, Adobe 182)

The section requires the identification of methods that should be used to “suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense” {§946(b)(2)}.

Moving Forward

I expect that the Senate will move forward with its consideration of S 1197 in the few weeks remaining before the Summer Recess. The bill will pass after some significant amendments are offered and wrangled over. The Senate will then vote to substitute the wording from this bill for the House wording of HR 1960. The bill will then go to conference to work out the differences between the two bills. That won’t happen until sometime later this year, probably after the start of FY 2014.
