Last week the Senate finished their lengthy amendment
process and passed HR 1735, the FY 2016 National Defense Authorization Act
(NDA). The amendments started with substitute language offered by Sen. McCain
(R,AZ) that was pretty much S 1118 (the Senate version of the bill which I did
not review) and then the amendments went from there. The final vote was 71 to
25 with two of the Nays coming from Sen. Cruz (R-TX) and Sen. Paul (R-KY).
The House version of HR 1735 had essentially no cybersecurity language in the
original bill and only two minor cyber related amendments were added in the
committee markup process. The floor amendment process in the House resulted in
a cybersecurity and a drone amendment being added. The new Senate version
included a number of cyber related provisions and a couple more were added
during the amendment process.
TWIC for Separating Servicemembers
I’ll start the review of the passed version of HR 1735
with a non-cyber provision that may be of interest. Section 589 directs the
Secretary of Defense to consult with the DHS Secretary “to afford a priority in
the processing of applications for a Transportation Worker Identification
Credential (TWIC) to applications submitted by members of the Armed Forces who
are undergoing separation, discharge, or release from the Armed Forces under
honorable conditions” {§589(a)}.
The goal is to get separating service members their TWIC within 14 days of
application.
Counterfeit Parts
Section 232 requires the Secretary of Defense to conduct a
‘hardware assurance study’ to “assess the presence, scope, and effect on
Department of Defense operations of counterfeit electronic parts that have
passed through the Department supply chain and into field systems” {§232(a)}. There has been
some interest in previous NDAs in trying to prevent counterfeit hardware from
getting into the supply chain.
Cyber Command Acquisition Authority
Section 807 would give special procurement authority to the
Commander of the United States Cyber Command essentially equal to the Service Secretaries,
Secretary of DHS, and the NASA Administrator {§807(a)(2); see 10
USC 2302(a)(1) for definition of Agency Head}. That authority would apply
to the following procurement activities:
∙ Development and acquisition of cyber operations-peculiar equipment and
capabilities; and
∙ Acquisition of cyber capability-peculiar equipment, capabilities, and
services.
Defense Positioning, Navigation and Timing Oversight
Section 1610 establishes the ‘Council on Oversight of the
Department of Defense Positioning, Navigation, and Timing (PNT) Enterprise’ co-chaired by the Under
Secretary of Defense for Acquisition, Technology, and Logistics and the Vice
Chairman of the Joint Chiefs of Staff. It will be “responsible for oversight of
the Department of Defense positioning, navigation, and timing enterprise,
including positioning, navigation, and timing services provided to civil,
commercial, scientific, and international users” {§1610(d)(1)}. It will include {§1610(d)(2)}:
∙ Oversight of performance assessments (including
interoperability);
∙ Vulnerability identification and mitigation;
∙ Architecture development;
∙ Resource prioritization; and
∙ Such other responsibilities as the Secretary of Defense shall
specify for purposes of this section.
Authorization of Military Cyber Operations
Section 1631 would amend 10 USC Chapter 3 by adding a new §130g directing the
Secretary of Defense to “develop, prepare, coordinate, and, when authorized by
the President to do so, conduct a military cyber operation in response to
malicious cyber activity carried out against the United States or a United
States person by a foreign power (as defined in section 101 of the Foreign
Intelligence Surveillance Act of 1978 (50 USC 1801)).”
This is an important legal formality, especially with regard
to the ‘develop, prepare, and coordinate’ functions.
Integrated Policy to Deter Adversaries in Cyberspace
In the 2014 NDA (PL 113-66) Congress directed the President “to develop a
deterrence policy for reducing cyber risks to the United States and our allies”
{§941(b)} and to report to Congress on that policy. Apparently the report has
not been forthcoming, so §1633 of this bill would withhold $10 Million in DOD
funding for providing “support services to the Executive Office of the
President” until the report is submitted; the power of the purse.
Cyber Vulnerabilities of Major Weapon Systems
With news reports earlier this year that DOD weapon systems are vulnerable to
cyber attack, §1635 requires the Secretary to conduct “an evaluation of the
cyber vulnerabilities of each major weapon system of the Department of Defense
by not later than December 31, 2019” {§1635(a)(1)}.
The evaluation will include “strategies for mitigating the risks of cyber
vulnerabilities identified in the course of such evaluations” {§1635(d)}. The
bill authorizes $200 Million to conduct the study.
Cyber Defense Activities
Three separate sections of the bill deal with defending the
United States and its critical infrastructure from foreign cyber-attacks.
Section 1636 requires an assessment of the capability of the Cyber Command to “reliably
prevent or block large-scale attacks on the United States by foreign powers
with capabilities comparable to the capabilities of China, Iran, North Korea,
and Russia expected in the years 2020 and 2025” {§1636(a)(1)}. This assessment would include a series
of war games “through the Warfighting Analysis Division of the Force Structure,
Resources, and Assessment Directorate to assess the strategy, assumptions, and
capabilities of the United States Cyber Command to prevent large-scale cyber
attacks” {§1636(b)}.
Section 1637 would require biennial exercises on responding
to cyber-attacks against critical infrastructure. DOD would coordinate these
exercises with Secretary of Homeland Security, the Director of National
Intelligence, the Director of the Federal Bureau of Investigation, and the
heads of the critical infrastructure sector-specific agencies. The purpose of
these exercises is to {§1637(b)}:
∙ Improve cooperation and coordination between various parts of the
Government and industry so that the Government and industry can more
effectively and efficiently respond to cyber-attacks;
∙ Exercise command and control, coordination, communications, and
information sharing capabilities under the stressing conditions of an ongoing
cyber-attack; and
∙ Identify gaps and problems that require new enhanced training,
capabilities, procedures, or authorities.
Section 1638 would require the Secretary of Defense to prepare
a comprehensive plan to support civil authorities in response to cyber-attacks
by foreign powers. This was added as an amendment and the wording is taken
directly from S 1478 that was introduced by Sen. Rounds (R,SD). I covered its
provisions in some detail in an earlier post.
Guard and Reserve Cyber Capabilities
The final cyber provision is in §1639. It expresses the ‘sense of Congress’ that the
Secretary of Defense “should review and consider any findings and
recommendations of the Council of
Governors [link added] pertaining to cyber mission force requirements and
any proposed reductions in and synchronization of the cyber capabilities of
active or reserve components of the Armed Forces”.
Moving Forward