The House is set to begin consideration of HR 6395, the FY
2021 National Defense Authorization Act, today. The bill was originally
introduced
with skeletal language in April. The House Armed Services Committee completed
their markup of the bill earlier this month,
reporting
the bill on July 9
th, 2020. The GPO has not yet published the
reported language of the bill, but the House Rules Committee has published a
copy of the
language
that will be considered in the House.
As expected, the cybersecurity provisions in this bill are
found in Division A, Title XVI, Subtitle B, Cyberspace-Related Matters. Four
provisions in that subtitle address cybersecurity matters; two addressing government
cybersecurity oversight and two defense industrial-base cybersecurity matters.
Cybersecurity Oversight
Section 1630 would require DHS to submit a report to
Congress “a report on Federal cybersecurity centers and the potential for
better coordination of Federal cyber efforts at an integrated cyber center
within the national cybersecurity and communications integration center”
(NCCIC) in DHS {§1630(a)}. Potentially included in that integrated cyber center
would be {§1630(b)(4)}:
• The National Security Agency’s
Cyber Threat Operations Center,
• United States Cyber Command’s
Joint Operations Center,
• The Office of the Director of
National Intelligence’s Cyber Threat Intelligence Integration Center,
• The Federal Bureau of
Investigation’s National Cyber Investigative Joint Task Force,
• The Department of Defense’s
Defense Cyber Crime Center, and
• The Office of the Director of
National Intelligence’s Intelligence Community Security Coordination Center.
In an unusual move for a ‘report to Congress’ mandate, the
section includes a requirement for DHS to “begin establishing an integrated
cyber center in the national cybersecurity and communications integration
center” {§1630(e)} within one year of submitting the report to Congress. That
paragraph does not specify which components will be included in the ‘integrated
cyber center’.
Section 1631 would require DHS to develop an information
collaboration environment and associated analytic tools that enable entities to
identify, mitigate, and prevent malicious cyber activity” {§1631(a)}. The ‘collaborative
environment’ would be designed to:
• Provide limited access to
appropriate operationally relevant data about cybersecurity risks and
cybersecurity threats, including malware forensics and data from network sensor
programs, on a platform that enables query and analysis,
• Allow such tools to be used in
classified and unclassified environments drawing on classified and unclassified
data sets,
• Enable cross-correlation of data
on cybersecurity risks and cybersecurity threats at the speed and scale
necessary for rapid detection and identification;
• Facilitate a comprehensive
understanding of cybersecurity risks and cybersecurity threats; and
• Facilitate collaborative analysis
between the Federal Government and private sector critical infrastructure
entities [emphasis added] and information and analysis organizations.
Section 1631(e) would also establish the Cyber Threat Data
Standards and Interoperability Council, chaired by DHS. The Council would
include representatives from Federal agencies and “public and private sector
entities who oversee programs that generate, collect, or disseminate data or
information related to the detection, identification, analysis, and monitoring
of cybersecurity risks and cybersecurity threats” {1631(e)(2)}. The Council
would “identify, designate, and periodically update programs that shall
participate in or be interoperable with the information collaboration
environment” {§1631(e)(3)} including:
• Network-monitoring and intrusion
detection programs,
• Cyber threat indicator sharing programs,
• Certain government-sponsored network sensors or network-monitoring programs,
• Incident response and cybersecurity technical assistance programs,
• Malware forensics and reverse-engineering programs, and
• The defense industrial base threat intelligence program of the Department of
Defense.
Defense Industrial Base Cybersecurity
Section 1632 would require DOD to establish “a threat
intelligence program to share with and obtain from the defense industrial base
information and intelligence on threats to national security” {§1632(b)(1)}.
The program would include {§1632(b)(2)}:
• Cybersecurity incident reporting
requirements,
• A mechanism for developing a
shared and real-time picture of the threat environment,
• Joint, collaborative, and
co-located analytics,
• Investments in technology and
capabilities to support automated detection and analysis across the defense
industrial base,
• Coordinated intelligence sharing
with relevant domestic law enforcement and counter-intelligence agencies, in
coordination, respectively, with the Director of the Federal Bureau of
Investigation and the Director of National Intelligence, and
• A process for direct sharing of
threat intelligence related to a specific defense industrial base entity with
such entity.
Participation in the program would be required for all DOD
contractors, subcontractors, and suppliers.
Section 1634 would require DOD to report to Congress on “the
feasibility and resourcing required to establish the Defense Industrial Base
Cybersecurity Threat Hunting Program” {§1634(b)(1)}. If determined to be
feasible, DOD would be required to establish the Program “to actively identify
cybersecurity threats and vulnerabilities within the information systems,
including covered defense networks containing controlled unclassified information,
of entities in the defense industrial base” {§1634(c)(1)}.
Section 1634(e) would allow DOD to:
• Utilize Department of Defense
personnel to hunt for threats and vulnerabilities within the information
systems of entities in the defense industrial base that have an active contract
with Department of Defense,
• Certify third-party providers to
hunt for threats and vulnerabilities on behalf of the Department of Defense, or
• Require the deployment of network
sensing technologies capable of identifying and filtering malicious network
traffic.
Floor Consideration of HR 6395
Last week the House Rules Committee developed the Rule for
the consideration of HR 6395. It is a structured rule providing limited debate
and a limited number of specific amendments that can be offered on the floor of
the House.
Of the 407 amendments to be considered, the following
contain cybersecurity provisions of note:
#2 –
Bergman
- Creates a cyber attack exception under the Foreign Sovereign Immunities Act
(FSIA) to protect U.S. nationals against foreign state-sponsored cyberattacks,
#15 –
Langevin
- Establishes a National Cyber Director within the Executive Office of the President
(similar to HR 7331),
#27 –
Richmond
- Implements a recommendation from the Cyberspace Solarium Commission to
require the Department of Homeland Security to establish a cyber incident
reporting program,
#72 –
Chabot
- Increases Air Force research funding by $3 million for the National Center for
Hardware and Embedded Systems Security and Trust (CHEST),
#117 –
DeFazio
- Adds the Elijah E. Cummings Coast Guard Authorization Act of 2020,
#162 –
Green
- Enhances CISA’s ability to both protect federal civilian networks and provide
useful threat intelligence to critical infrastructure by authorizing continuous
threat hunting on the .gov domain. This will enable CISA to quickly detect,
identify, and mitigate threats to federal networks from malware, indicators of
compromise, and other unauthorized access,
#179 –
Jackson-Lee
- Implements a recommendation made by the Cyberspace Solarium Commission to require
the Secretary of Homeland Security to develop a strategy to implement
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
standard across U.S.-based email providers,
#219 –
Langevin
- Allows CISA to issue administrative subpoenas to ISPs to identify and warn
entities of cyber security vulnerabilities (similar to
HR
5680),
#220 –
Langevin
- Codifies the responsibilities of the sector risk management agencies with
regard to assessing and defending against cyber risks,
#319 –
Richmond
- Implements a recommendation from the Cyberspace Solarium Commission that there
be established at the Department of Homeland Security a Joint Planning Office
to coordinate cybersecurity planning and readiness across the Federal
government, State and local government, and critical infrastructure owners and
operators,
#320 –
Richmond
– Implements a recommendation from the Cyberspace Solarium Commission that establishes
a fixed 5-year term for the Director of the Cybersecurity and Infrastructure
Security Agency and establishes minimum qualifications for the CISA Director
(similar to HR 5679),
#329 –
Ruppersberger
- Requires the Secretary of Homeland Security to conduct a review of the ability
of the Cybersecurity and Infrastructure Security Agency of the Department of
Homeland Security to fulfill its current mission requirements, and for other
purposes,
S 4049 Consideration
A quick reminder that the Senate will also resume consideration
of their version of the NDAA (S 4049) today. The two versions will have to be reconciled
at a later date by a conference committee. Many provisions adopted in either
the House or Senate will not make it into the final bill or will be revised
enroute.