Monday, September 11, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-7-17

This week the Senate is scheduled to take up HR 2810, the FY 2018 National Defense Authorization Act (NDAA). In addition to the amendments introduced before the summer recess, Senators began proposing new amendments to HR 2810 last week. Those amendments included three that may be of interest to readers of this blog:

SA 794. Ms. WARREN - report on significant security risks of the national electric grid (pg S5008);
SA 824. Mr. THUNE - cybersecurity training program in the army senior reserve officers’ training corps (pg S5006); and
SA 849. Mr. KAINE - Cyber Scholarship Opportunities (pgs S 5072-3)

Electric Grid Study

The electric grid security study would be conducted by DOD (in coordination with the Director of National Intelligence and the Secretary of Energy) and would specifically look at:

• Identification of significant security risks to defense critical electric infrastructure posed by significant malicious cyber-enabled activities;
• An assessment of the potential effect of the security risks identified pursuant to paragraph (1) on the readiness of the Armed Forces; and
• An assessment of the strategic benefits derived from, and the challenges associated with, isolating military infrastructure from the national electric grid and the use of microgrids by the Armed Forces.

DOD is also expected to include in the report recommendations to:

• Eliminate or mitigate the security risks identified pursuant above; and
• Address the effect of those security risks on the readiness of the Armed Forces identified above.
A one of the key terms in this amendment that is specifically defined is ‘significant malicious cyberenabled activities’. In addition to the expected malware attacks and service disruption attacks it specifically includes more purely IT-centric attacks to:

• Deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or
• Exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization.

Including these IT type attacks greatly expands the potential scope of this study. To somewhat limit that, the second IT-centric attack is restricted to those attacks that are conducted for the purposes of:

• Conducting influence operations; or
• Causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain

Moving Forward

The cloture motion for HR 2810 was filed on Thursday and the vote on cloture is scheduled for 5:30 pm (EDT) today. If the leadership has worked out a deal on the amendment process (and it looks like it may have) then the 60-votes will be available to start the that process. I expect that we will see some additional amendments offered this week before a potential final vote on Thursday.

Since the bill will be amended in the Senate (the only question is when) a conference committee will be necessary to work out the differences in the bill. The passage of continuing resolution in HR 601 last week will make it easier for that conference to meet and work out the differences in the two versions of the bill. We might actually see a final vote on the bill before the end of the fiscal year (but do not hold your breath).

No comments:

/* Use this with templates/template-twocol.html */