Monday, July 20, 2020

House to Consider HR 6395 – FY 2021 NDAA

The House is set to begin consideration of HR 6395, the FY 2021 National Defense Authorization Act, today. The bill was originally introduced with skeletal language in April. The House Armed Services Committee completed its markup of the bill earlier this month, reporting the bill on July 9th, 2020. The GPO has not yet published the reported language of the bill, but the House Rules Committee has published a copy of the language that will be considered in the House.

As expected, the cybersecurity provisions in this bill are found in Division A, Title XVI, Subtitle B, Cyberspace-Related Matters. Four provisions in that subtitle address cybersecurity matters: two address government cybersecurity oversight and two address defense industrial base cybersecurity matters.

Cybersecurity Oversight

Section 1630 would require DHS to submit to Congress “a report on Federal cybersecurity centers and the potential for better coordination of Federal cyber efforts at an integrated cyber center within the national cybersecurity and communications integration center” (NCCIC) in DHS {§1630(a)}. Potentially included in that integrated cyber center would be {§1630(b)(4)}:

• The National Security Agency’s Cyber Threat Operations Center,
• United States Cyber Command’s Joint Operations Center,
• The Office of the Director of National Intelligence’s Cyber Threat Intelligence Integration Center,
• The Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force,
• The Department of Defense’s Defense Cyber Crime Center, and
• The Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center.

In an unusual move for a ‘report to Congress’ mandate, the section includes a requirement for DHS to “begin establishing an integrated cyber center in the national cybersecurity and communications integration center” {§1630(e)} within one year of submitting the report to Congress. That paragraph does not specify which components will be included in the ‘integrated cyber center’.

Section 1631 would require DHS to develop “an information collaboration environment and associated analytic tools that enable entities to identify, mitigate, and prevent malicious cyber activity” {§1631(a)}. The ‘collaboration environment’ would be designed to:

• Provide limited access to appropriate operationally relevant data about cybersecurity risks and cybersecurity threats, including malware forensics and data from network sensor programs, on a platform that enables query and analysis,
• Allow such tools to be used in classified and unclassified environments drawing on classified and unclassified data sets,
• Enable cross-correlation of data on cybersecurity risks and cybersecurity threats at the speed and scale necessary for rapid detection and identification;
• Facilitate a comprehensive understanding of cybersecurity risks and cybersecurity threats; and
• Facilitate collaborative analysis between the Federal Government and private sector critical infrastructure entities [emphasis added] and information and analysis organizations.

Section 1631(e) would also establish the Cyber Threat Data Standards and Interoperability Council, chaired by DHS. The Council would include representatives from Federal agencies and “public and private sector entities who oversee programs that generate, collect, or disseminate data or information related to the detection, identification, analysis, and monitoring of cybersecurity risks and cybersecurity threats” {§1631(e)(2)}. The Council would “identify, designate, and periodically update programs that shall participate in or be interoperable with the information collaboration environment” {§1631(e)(3)} including:

• Network-monitoring and intrusion detection programs,
• Cyber threat indicator sharing programs,
• Certain government-sponsored network sensors or network-monitoring programs,
• Incident response and cybersecurity technical assistance programs,
• Malware forensics and reverse-engineering programs, and
• The defense industrial base threat intelligence program of the Department of Defense.

Defense Industrial Base Cybersecurity

Section 1632 would require DOD to establish “a threat intelligence program to share with and obtain from the defense industrial base information and intelligence on threats to national security” {§1632(b)(1)}. The program would include {§1632(b)(2)}:

• Cybersecurity incident reporting requirements,
• A mechanism for developing a shared and real-time picture of the threat environment,
• Joint, collaborative, and co-located analytics,
• Investments in technology and capabilities to support automated detection and analysis across the defense industrial base,
• Coordinated intelligence sharing with relevant domestic law enforcement and counter-intelligence agencies, in coordination, respectively, with the Director of the Federal Bureau of Investigation and the Director of National Intelligence, and
• A process for direct sharing of threat intelligence related to a specific defense industrial base entity with such entity.

Participation in the program would be required for all DOD contractors, subcontractors, and suppliers.

Section 1634 would require DOD to report to Congress on “the feasibility and resourcing required to establish the Defense Industrial Base Cybersecurity Threat Hunting Program” {§1634(b)(1)}. If determined to be feasible, DOD would be required to establish the Program “to actively identify cybersecurity threats and vulnerabilities within the information systems, including covered defense networks containing controlled unclassified information, of entities in the defense industrial base” {§1634(c)(1)}.

Section 1634(e) would allow DOD to:

• Utilize Department of Defense personnel to hunt for threats and vulnerabilities within the information systems of entities in the defense industrial base that have an active contract with the Department of Defense,
• Certify third-party providers to hunt for threats and vulnerabilities on behalf of the Department of Defense, or
• Require the deployment of network sensing technologies capable of identifying and filtering malicious network traffic.

Floor Consideration of HR 6395

Last week the House Rules Committee developed the Rule for the consideration of HR 6395. It is a structured rule providing limited debate and a limited number of specific amendments that can be offered on the floor of the House.

Of the 407 amendments to be considered, the following contain cybersecurity provisions of note:

#2 – Bergman - Creates a cyber attack exception under the Foreign Sovereign Immunities Act (FSIA) to protect U.S. nationals against foreign state-sponsored cyberattacks,
#15 – Langevin - Establishes a National Cyber Director within the Executive Office of the President (similar to HR 7331),
#27 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission to require the Department of Homeland Security to establish a cyber incident reporting program,
#72 – Chabot - Increases Air Force research funding by $3 million for the National Center for Hardware and Embedded Systems Security and Trust (CHEST),
#117 – DeFazio - Adds the Elijah E. Cummings Coast Guard Authorization Act of 2020,
#162 – Green - Enhances CISA’s ability to both protect federal civilian networks and provide useful threat intelligence to critical infrastructure by authorizing continuous threat hunting on the .gov domain. This will enable CISA to quickly detect, identify, and mitigate threats to federal networks from malware, indicators of compromise, and other unauthorized access,
#179 – Jackson-Lee - Implements a recommendation made by the Cyberspace Solarium Commission to require the Secretary of Homeland Security to develop a strategy to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across U.S.-based email providers,
#219 – Langevin - Allows CISA to issue administrative subpoenas to ISPs to identify and warn entities of cyber security vulnerabilities (similar to HR 5680),
#220 – Langevin - Codifies the responsibilities of the sector risk management agencies with regard to assessing and defending against cyber risks,
#319 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission that there be established at the Department of Homeland Security a Joint Planning Office to coordinate cybersecurity planning and readiness across the Federal government, State and local government, and critical infrastructure owners and operators,
#320 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission that establishes a fixed 5-year term for the Director of the Cybersecurity and Infrastructure Security Agency and establishes minimum qualifications for the CISA Director (similar to HR 5679),
#329 – Ruppersberger - Requires the Secretary of Homeland Security to conduct a review of the ability of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security to fulfill its current mission requirements, and for other purposes.

S 4049 Consideration

A quick reminder that the Senate will also resume consideration of its version of the NDAA (S 4049) today. The two versions will have to be reconciled at a later date by a conference committee. Many provisions adopted in either the House or the Senate will not make it into the final bill or will be revised en route.
