Saturday, June 20, 2026

S 4697 – HALO Act and Cybersecurity

Earlier this month, I mentioned in passing the introduction of S 4697, a bill to provide for design and safety requirements for autonomous and semi-autonomous weapon systems. I do not normally spend much time following weapons development legislation, but I did read the text of this bill after it was published yesterday. And I am glad that I did, because it contains cybersecurity provisions that deserve a brief discussion here.

Paragraph 3(d)(2) requires that an autonomous weapon system or semi-autonomous weapon system be designed with system safety, anti-tamper mechanisms, and cybersecurity in accordance with Department instructions and military standards governing cybersecurity and system safety. Those standards are not described further in this bill, nor are they further referenced by statute or regulation. While this makes it difficult to evaluate what standards are required, it does provide DOD with a certain amount of leeway to select the most appropriate cybersecurity standards for such weapons.

Later, in subsection 6(e), the legislation addresses the need to periodically test these autonomous and semi-autonomous weapons. It requires DOD to conduct quarterly cyber tests and evaluations to verify that the system is resilient and survivable in contested cyberspace. It is not clear whether that quarterly testing would be done on each deployed weapon system, a statistically significant number of randomly selected systems, or a lab-maintained representative system. The first option would be the most expensive and would present additional problems when dealing with currently deployed weapon systems. The second option would conform to standards for quality assurance testing, but that kind of testing is not applicable to systems that are potential targets of cyber-attack. The last would be pro forma testing to ensure that there are no design issues that allow system degradation over time.

The final item of interest here is found in subsection 10(a). That subsection notes that the requirements of this legislation do not apply to autonomous or semi-autonomous cyberspace capabilities. The term ‘cyberspace capabilities’ is not one of the terms defined in §2, but I would expect that they are referring to cyberattacks on computer systems (IT and OT) rather than kinetic attacks that could physically damage structures, equipment or personnel. Interestingly, the definitions of ‘autonomous weapon system’ and ‘semi-autonomous weapon system’ do not differentiate between kinetic and virtual attacks. This really needs additional clarification, especially where such cyberspace capability attacks result in kinetic effects because of loss of control in operational systems. 
