Monday, May 23, 2016

S 2943 Introduced – FY 2016 NDAA

Last week Sen. McCain (R,AZ) introduced S 2943, the National Defense Authorization Act (NDAA) for Fiscal Year 2017. The House version of this bill (HR 4909) passed last week. It provides authorization for military activities for the next fiscal year.

Like the House bill, there is an entire subtitle of this bill (Subtitle C of Title XVI) related to cyber issues. The following sections are listed in that subtitle:

Sec. 1631. Cyber protection support for Department of Defense personnel in positions highly vulnerable to cyber attack.
Sec. 1632. Cyber Mission Forces matters.
Sec. 1633. Limitation on ending of arrangement in which the Commander of the United States Cyber Command is also Director of the National Security Agency.
Sec. 1634. Pilot program on application of consequence-driven, cyber-informed engineering to mitigate against cybersecurity threats to operating technologies of military installations.
Sec. 1635. Evaluation of cyber vulnerabilities of F–35 aircraft and support systems.
Sec. 1636. Review and assessment of technology strategy and development at Defense Information Systems Agency.
Sec. 1637. Evaluation of cyber vulnerabilities of Department of Defense critical infrastructure.
Sec. 1638. Plan for information security continuous monitoring capability and comply-to-connect policy.
Sec. 1639. Report on authority delegated to Secretary of Defense to conduct cyber operations.
Sec. 1640. Deterrence of adversaries in cyberspace.

There are no overlaps between the items found in this subtitle of the bill and the corresponding subtitle of the House version. Two of the sections in this version of the bill may be of specific interest to readers of this blog: §1634 and §1640.

Cyber-Informed Engineering

Section 1634 requires the DOD to establish “a pilot program to assess the feasibility and advisability of applying consequence-driven, cyber-informed engineering methodologies to the operating technologies of military installations, including industrial control systems, in order to increase the resilience of military installations against cybersecurity threats and prevent or mitigate the potential for high-consequence cyberattacks.”

While I am waiting for the Armed Forces Committee report on S 2943 to see if there are any additional insights into what the Committee expects to see included in the ‘cyber-informed engineering’ pilot, I did find an interesting paper [updated link, 23:21 1-28-17] on the topic from a couple of engineers at the Idaho National Laboratory. They note that modern industrial processes are constructed with the assumption that the control system is trusted, an assumption that is increasingly proving to be incorrect. They call for a new engineering design process that takes the potential insecurity of the control system into account as part of the design basis for the entire industrial process.

Deterrence of Adversaries in Cyberspace

In many ways §1640 is similar to HR 5220 and S 2905 in that it requires the President to report to Congress on “determining when an action carried out in cyberspace constitutes an act of war against the United States” {§1640(b)(1)}. The important difference here is that that report only comes after the Joint Chiefs of Staff provide a detailed report to Congress “on the military and nonmilitary options available to the United States to deter Russia, China, Iran, North Korea, and terrorist organizations in cyberspace” {§1640(a)(1)}. This makes the report more of a policy development requirement rather than just a political gotcha game.

Moving Forward

The Senate Armed Services Committee has already completed their action on this bill (and I am expecting their report to be published today or tomorrow) so this bill is cleared to move to the Floor of the Senate. It is being reported that this bill will come to the floor of the Senate this week, though it is not the first bill slated for floor action today.

There are a number of controversies that could arise in connection with this bill (unrelated to cybersecurity issues) that could slow consideration especially considering that the Senate is heading home for a week of campaigning at the close of the week. It would not be surprising to see some vocal posturing before the Memorial Day Recess and then more reasonable actions following the return to Washington.

When this bill is eventually passed, it will have to go to a conference committee to work out the significant differences with the House over a number of matters. It is not entirely clear at this point that a House-Senate compromise bill would be acceptable to the President as both sides try to make points going into the election. I suspect that a final version of this bill will only be achieved in the lame duck session.


It is interesting to see a piece of legislation addressing a new and innovative engineering concept like cyber-informed engineering. It is less surprising that it was found in a defense authorization bill, particularly in the Senate. McCain did after all receive a pretty good technical education at the US Naval Academy. And as a military pilot he did come to have a pretty good personal understanding of the importance of good engineering. I am not saying that he came up with the concept, but he was better able to comprehend its importance when briefed on it by DOD than a less technologically trained congress critter would have.

In many ways the chemical engineering profession has embraced the basic idea behind this new engineering concept in the way that they have developed their stand-alone safety systems. Those systems were not developed with cybersecurity in mind, but rather to deal with problems with another less-than-trusted part of the chemical manufacturing process, the human operator. The lessons that chemical engineers have learned over the last couple of decades in dealing with human-engineering issues should be directly applicable to cyber-informed engineering.
