Yesterday the House Armed Services Committee published its
report on HR 4909. While the original
bill did not contain any specific cybersecurity language, the bill as
revised in numerous subcommittee and Committee hearings did add a number of
cybersecurity-related provisions, and the Committee
Report adds further cybersecurity discussions and requirements.
Added Cybersecurity Provisions
A number of new cybersecurity provisions were added to this
bill. They include:
Sec. 231. Strategy for assured access to trusted microelectronics.
Sec. 232. Pilot program on evaluation of commercial information technology.
Sec. 911. Establishment of unified combatant command for cyber operations.
Sec. 1631. Special emergency procurement authority to facilitate the defense against or recovery from a cyber-attack.
Sec. 1632. Change in name of National Defense University’s Information Resources Management College to College of Information and Cyberspace.
Sec. 1633. Requirement to enter into agreements relating to use of cyber opposition forces.
Sec. 1634. Limitation on availability of funds for cryptographic systems and key management infrastructure.
None of these cybersecurity requirements is going to have a
significant direct impact on civilian cybersecurity activities, and none of them
directly addresses control system security issues. The only one that comes close
is §231, which
continues and expands the DOD reporting requirements on supply
chain security for microelectronics. This will directly affect only DOD
contractors, but it could ultimately shape the whole supply chain
security environment down the road.
Section 231 would require DOD, after conducting studies and
issuing reports to Congress, to issue a directive by September 30th,
2020 that would describe how DOD entities would “access assured and trusted
microelectronics supply chains for Department of Defense systems” {§231(d)}. The key word
here is ‘trusted’ which is defined as “the ability of the Department of Defense
to have confidence that the microelectronics function as intended and are free
of exploitable vulnerabilities, either intentionally or unintentionally
designed or inserted as part of the system at any time during its life cycle” {§231(f)}.
Discussions in the Report
As we see with any authorization or spending bill report,
there are a number of discussions in the report where the Committee provides
additional guidance and directives to the Department of Defense. The discussions
that may be of interest to readers of this blog include:
• Cellular and broadband signals exploitation (pg 79);
• Counter-unmanned aerial systems roadmap (pg 80);
• Non-destructive counterfeit parts detection tools (pg 89);
• Social media analysis cell (pg 91);
• National Guard Cyber Protection Teams (pg 135);
• Cyber Science Education at the Service Academies (pg 147);
• Wassenaar Arrangement Impacts to the Department of Defense (pg 221); and
• Facility Industrial Control Systems (pg 374).
The Committee encourages SOCOM to continue its “efforts
to utilize commercial technology to conduct cellular and broadband survey,
active interrogation, and directional finding capabilities from unmanned aerial
systems”. While this technology certainly has ongoing military application in
counter-terrorism operations, the potential use of the same technology in
civilian law enforcement operations raises all sorts of interesting
controversies.
The threat to forces from adversaries employing small
unmanned aerial systems continues to grow. While the Army is conducting some
anti-UAS research, the Committee is directing “the
Secretary of Defense to develop a technology roadmap for
addressing gaps to counter the potential threats from terrorist or state actor
uses of small UAS technology, with an emphasis on technology to support
tactical level units, and fixed, high-value defense assets”. The value of such
technology to protect critical infrastructure facilities in the homeland should
also be studied.
The concern with counterfeit parts is apparently high on the
Committee’s task list. It has encouraged the Department to “evaluate the
need to identify or develop best-of-breed, non-destructive counterfeit parts
detection tools that it can use, or that could be made available to defense
industrial base suppliers, to support the overall mission of ensuring the
integrity of electronic components of defense weapon systems”. Again, this type
of technology would have widespread applications throughout the electronics
sector.
The Committee has increased the budget of the Joint Capability Technology
Demonstration program by $10 million to look into the “application of new
technologies or concepts in this space, especially in the use of
ever-increasing data from social media sources that can be leveraged to amplify
and inform other warning, force protection and battlespace awareness activities
of the Department of Defense”. Again, this is a potentially valuable military tool with
uncomfortable applications in the civilian sector.
The brief discussion of the National Guard cyber protection
teams (CPTs) looks at funding issues and questions why the Army teams have not
been integrated into Cyber Command operational planning. The Committee directs
DOD to provide additional information with the FY 2018 funding request.
In a very short discussion of cybersecurity training, the
Committee concludes by encouraging
“the Department to recognize the importance of cyber
education within each of the U.S. military service academies and actively promote
cyber sciences education and training within the service’s respective
curriculum”.
The Committee also calls for another Wassenaar Arrangement report and briefing; it “believes
restricting export of these technologies may negatively impact use of such
products for national security purposes”.
Military Industrial Control Systems
For the first time that I can remember, this Committee
Report specifically addresses the security of industrial control systems in the
military realm. It is a rather limited look, to be sure, in that it only
addresses facility-related control systems: “industrial control systems integrated into systems and equipment
such as air conditioners, utility meters, and other programmable controllers”.
The report applauds current efforts “to implement and
promote secure procedures, adopt best government practices, and revise
Department of Defense Unified Facility Criteria and Unified Facility Guide
Specifications to address the cybersecurity vulnerabilities of industrial
control systems”. The Committee would like to see these efforts expanded;
encouraging “the Department’s cybersecurity community to look more closely at
these classes of vulnerabilities and how to modify tactics, techniques, and procedures
to better position the cyber mission forces to deal with new and emerging
threats proactively”.
Moving Forward
This is one of those ‘must pass’ bills that has to be
enacted every year. It is likely that this bill will be considered by the House in
a full-blown debate-and-amend process later this month. The Senate will take up
its own version of the bill (not yet introduced), and a conference committee
will meet to iron out the differences. If past years are any indicator, final
consideration of the bill will not take place until after the election in
November.