Bills Introduced – 11-12-19

Yesterday with both the House and Senate in session there were 46 bills introduced. One of those bills may receive additional coverage in this blog:

S 2840 A bill to authorize appropriations for fiscal year 2020 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, and for other purposes. Sen. Inhofe, James M. [R-OK]

This will be the third version (earlier versions were S 1790 and S 2731) of the National Defense Authorization Act that Inhofe has introduced this year. He is still making an attempt to move this ‘must pass’ legislation forward while keeping both the President and the House Democrats happy. It will be interesting to see what cybersecurity provisions remain in this one.

S 2731 Introduced – Skinny NDAA

Last week Sen. Inhofe (R,OK) introduced S 2731, the Essential National Security Authorities Act for Fiscal Year 2020. This is a ‘skinny’ national defense authorization act (NDAA), with the bare minimum authorization requirements needed to keep the defense apparatus of the United States in operation through FY 2020. Both the House (HR 2500) and Senate (S 1790) passed expanded versions of this bill earlier in the year, but have not yet been able to work out a compromise version of the bill in conference committee.

Cybersecurity

This ‘skinny’ NDAA only contains 2 of the 49 cybersecurity sections found in Title XVI, Division A of the original bill:

§1627. Authority to use operation and maintenance funds for cyber operations-peculiar capability development projects.

§1639. Extension of authorities for Cyberspace Solarium Commission.

Moving Forward

The NDAA is a ‘must pass’ bill. While there is still a chance that the conference committee will work out their differences on the previously passed versions, Inhofe is concerned enough to offer up this bill as a minimum workable solution. I suspect that this bill could be passed in the Senate under their unanimous consent process if the failure of the conference committee became obvious enough; though I would have been more hopeful if Sen Reed (D,RI), the Ranking Member of the Senate Armed Services Committee had signed on as a cosponsor of the bill.

There is also a chance that the conference committee could use this language as a new starting point for working out a compromise version of the NDAA.

Commentary

There is an interesting set of remarks [pg S6246] by Inhofe in the Congressional Record on the introduction of this bill. He explains the dangers of a ‘must pass bill’; everyone wants to add on language that probably would not pass on its own. If that tendency is not adequately controlled, we end up in our current apparent stalemate.

This also provides a good point for the discussion of the term ‘control of the Congress’. Typically, most people mean that a party controls Congress when it has a majority of the elected legislators in both the House and the Senate. That is not exactly the case. Under current rules, the Senate requires a vote of 60 Senators to begin consideration of most legislation. Thus, a minority of 41 Senators can block legislation in that body. True legislative control of the Senate (again under current rules) requires a party to have 60 Senators.

There have been frequent calls for doing away with, or at least restricting, this requirement for a super majority to pass legislation in the Senate. The majority party frequently complains that they are being hamstrung in their efforts to pass legislation that they have promised their voters. And, to be fair, this is frequently true.

Unfortunately, we have seen in recent years what the probable outcome would be if this supermajority requirement were removed or even seriously restricted. Whenever the opposition party gained control of the Senate it would spend a great deal of its time and effort repealing laws and rules established by the other party. Now there are certainly instances where one could fairly describe this as a good thing, but business and society both require a certain amount of stability in the rules and regulations under which they operate. If the Senate could unwrite laws and regulations every two-years, nothing would ever get done and we would have regulatory anarchy.

Committee Hearings – Week of 09-17-19

This week with both the House and Senate in session and the end of the fiscal year fast approaching, spending bills are the main topic of interest. The Senate attempts to take up the first minibus while crafting spending bills and the House introduces a continuing resolution.

HR 2740 in the Senate

Yesterday the Senate began the process to begin debating HR 2740, the first minibus spending bill passed by the House. No amendments have been submitted yet (will start today) so I cannot yet tell how the Republican Senate intends to deal with the fact that they have no committee reported language to substitute for the Democratic House language for the LHHE and State portions of the bill.

The first cloture vote (to start debate on the bill) is scheduled for Wednesday. We may not see the 60 votes necessary to start that debate. If that happens it is very unlikely that we will see any of the minibus spending bills making their way to the President’s desk. In any case a CR will be necessary.

CR in the House

The House Rules Committee will meet today to take up a ‘clean’ continuing resolution that will reportedly extend the current spending until November 21^st. No actual language is currently available for review.

Three Spending Bills in Committee

The Senate Appropriations Committee will take up three additional spending bills this week. The subcommittee markup hearings will be held on Tuesday:

• Transportation, Housing and Urban Development, and Related Agencies (THUD);

• Agriculture, Rural Development, Food and Drug Administration, and Related Agencies (ARF); and

• Financial Services and General Government

On Thursday the full Committee will take up whichever spending bills are adopted by the Subcommittees. At this point, which, if any, will be reported remains a guess at best. These three bills would make up about ½ of the second minibus (HR 3055) that the House passed back in June. Presumably the Committee will take up the remaining bills (CJS, IER, Military Construction) next week.

On the Floor

Today the House will take up S 1790, the National Defense Authorization Act for Fiscal Year 2020. The House passed their version of the bill (HR 2500). The House will certainly ‘insist’ on their language and request a conference to work out the differences between the two bills.

The House will likely take up the CR discussed above on Wednesday.

Commentary

Okay, what is a ‘clean CR’? In a non-complicated world (where CR’s would never be needed anyway) a ‘clean CR’ would be just a couple of sentences extending the expiration date of the current spending authorization (in this case HJ Res 31). In the real world there are additional add-ons that would extend other expiring programs in the extension of the fiscal year.

Which programs get added is what gets interesting. Non-controversial programs do not endanger passage of the CR. The addition of controversial programs could derail the CR when it gets to the Senate. The line between the two gets more than a little fuzzy and a CR this early in the process could see the Democrats pushing the limit to see what they can get. They do, after all, have another week to come back and try again.

House Amends and Adopts HR 3494 – FY 2020 Intel Authorization

On Wednesday the House completed the amendment process and passed HR 3494, the FY 2020 Intelligence Authorization, by a bipartisan vote of 397 to 31. The Ruppersberger amendment that would establish a energy grid cybersecurity pilot program was adopted on Tuesday by a voice vote. For a more detailed discussion of that amendment see my blog posts on HR 680 and S 79 (from 115^th Congress).

What will be interesting now is figuring out how this bill will move forward. The House passed this as a stand-alone bill, but the Senate passed their version (without debate) as two divisions (Division F – 2020 authorization and Division G 2018 and 2019 authorization) within the Senate’s version of the National Defense Authorization Act, S 1790. Neither the House nor the Senate have ‘taken action’ on the other’s version of the NDAA, the process that would start the conference committee action on one of the two bills (S 1790 or HR 2500),

What would probably be easiest (for some version of easy) would be for the House to take up S 1790 and amend it to include the language from both HR 2500 and HR 3494. That would be passed with a party-line vote similar to that received on HR 2500. The Senate would then insist on its language and call for the conference committee to be formed. The resulting compromise bill would probably come back to Congress after the summer recess.

HR 3494 Reported in House – FY 2020 Intel Authorization

This week the House Intelligence Committee reported on HR 3494, Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. While the bill contains some cyber operations and cyber intelligence language, it does not address any control system cybersecurity issues. There is, however, a brief discussion in the Committee Report about the development of a “cybersecurity and intelligence collection doctrine” that bears some scrutiny.

The House Rules Committee is meeting tomorrow to create the rule under which this bill will be considered on the floor later this week. A total of 46 amendments were proposed to the Committee last week. They will consider which amendments may be considered during the consideration of the bill on the floor of the House. One of those amendments addresses cybersecurity in the energy sector.

Cybersecurity and Intelligence Collection Doctrine

On page 95 of the Report, the Committee directs the Office of the Director of National Intelligence (ODNI) “to develop an analytic framework that could support the eventual creation and execution of a Government-wide cybersecurity and intelligence collection doctrine.” The framework would include:

• An assessment of the current and medium-term cyber threats to the protection of the United States’ national security systems and critical infrastructure;

• IC definitions of key cybersecurity concepts, to include cyberespionage, cyber theft, cyber acts of aggression, and cyber deterrence;

• Intelligence collection requirements to ensure identification of cyber actors targeting U.S. national security interests, and to inform policy responses to cyberattacks and computer network operations directed against the United States;

• The IC’s methodology for assessing the impacts of cyberattacks and computer network operations incidents directed against the United States, taking into account differing levels of severity of incidents;

• Capabilities that the IC could employ in response to cyberattacks and computer network operations incidents, taking into account differing levels of severity of incidents;

• A policy and architecture for sharing cybersecurity-related intelligence with government, private sector, and international partners, including existing statutory and other authorities which may be exercised in pursuit of that goal; and

• Any necessary changes in IC authorities, governance, technology, resources, and policy to provide more capable and agile cybersecurity.

Possible Cybersecurity Amendment

Amendment #20 was submitted by Rep. Ruppersberger (D,MD) and Rep. Carter (R,TX). This amendment would authorize a pilot program identifying new classes of security vulnerabilities and researching technology to address the ever-present and changing face of cyber security threats to the energy grid. The amendment is essentially HR 680, which Ruppersberger and Carter introduced in January. No action has been taken on that bill. Nearly identical language was included (§10742) Intel Authorization Act that was included in S 1790, the FY 2020 NDAA that was passed last month.

There is no resolution of the vulnerability disclosure issue  that I discussed in my post on HR 680 in either this submitted amendment to HR 3494 or in §10742 in S 1790.

Moving Forward

The House is currently scheduled to consider HR 3494 on Tuesday. With the small number of amendments be submitted to the Rules Committee, it looks like it could complete consideration of the bill on the same day. The bill is likely to pass, but I suspect it will be largely a party-line vote. The problem is going to come with how to deal with the intel authorization once the House vote is completed. Normally, there would be a conference committee to iron out the differences, but the Senate passed their intel authorization act as part of the DOD authorization act. It will be interesting to see how this procedural issue is resolved.

House Amends and Passes HR 2500 – FY 2020 NDAA

Yesterday the House concluded the amendment process for HR 2500, the FY 2020 National Defense Authorization Act (NDAA) and passed the bill on a near party-line vote of 220 to 197 (eight Democrats voted NAY). Among the literally hundreds of amendments passed are all five of the amendments I mentioned in my post earlier in the week. As expected, they all passed by voice votes as part of en bloc amendments.

There were a number of provisions in the version of the bill considered in the House and a number of passed amendments that would not be able to pass in the Senate. The Senate already passed their version of the bill (S 1790) with a strongly bipartisan vote. A conference committee will ultimately combine the two versions into something that will subsequently pass in both the House and Senate and would ultimately be signed by the President.

Committee Adopts Rule for Consideration of HR 2500 – FY 2020 NDAA

Last night the House Rules Committee formulated the Rule for the consideration of HR 2500, the FY 2020 National Defense Authorization Act (NDAA). It is a structured rule with 439 amendments that may be offered (with provisions for en bloc consideration of amendments. I will be watching five of those amendments. Consideration of the bill begins this afternoon.

The Five Amendments

These are the five amendments that I will be watching. These are the five that I briefly listed last week in my post about the report on HR 2500.

53. Aguilar (D,CA) #244 Expands the Department of Defense Cyber Scholarship Program (formerly known as the Information Assurance Scholarship Program) to include students attending certificate programs that span 1 to 2 years.

158. Gallego (D,AZ) #415 Requires a report on the National Guard's capacity to meet Homeland Defense missions.

200. Jackson-Lee (D,TX) #160 (REVISED) Requires that a report from the Secretary of Defense 240 days after the date of the enactment to the congressional defense committees that accounts for all of the efforts, programs, initiatives, and investments of the Department of Defense to train elementary, secondary, and postsecondary students in fields related to cybersecurity, cyber defense, and cyber operations.

363. Speier (D,CA) #395 (REVISED) Increases funding for the Defense Security Service by $5,206,997 for the purposes of procurement of advanced cyber threat detection sensors, hunt and response mechanisms, and commercial cyber threat intelligence to ensure Defense Industrial Base networks remain protected from nation state adversaries.

381. Torres, Norma (D,CA), Panetta (CA), Cisneros (CA), Stevens (MI) #457 (REVISED) Requires the Department of Defense, in consultation with the Manufacturing Extension Partnership program, to develop policies to assist small- and mid-sized manufacturers to meet cybersecurity requirements.

The Gallego amendment is interesting. It would require a DOD report to Congress setting out “the roles and missions, structure, capabilities, and training of the National Guard and the United States Northern Command, and an identification of emerging gaps and shortfalls in light of current homeland security threats to our country” {new §520(1)}. Critical infrastructure cybersecurity is never explicitly mentioned in the amendment (an odd oversight) but would almost certainly be covered in any DOD report submitted in response to this amendment.

The one specific threat that is mentioned is a “multi-State electromagnetic pulse event” {new §520(2)}. Presumably DOD would also include a geomagnetic storm event in any report on the topic as the response to the two would be similar.

Moving Forward

None of the amendments listed above are very controversial and only one provides a specific spending authorization. Spier would off-set that spending increase by decreasing the spending on “in section 101 for other procurement, Air Force” {new §16XX(b)}. I suspect that all five of these amendments will be adopted; most will be included in en bloc amendments.

HR 2500 will pass, probably along a nearly party-line vote. The Senate already passed their version of the NDAA, S 1790, so differences between the two bills will have to be worked out (probably over the summer recess) in a conference committee. Normally, that reported version of the NDAA would be expected to pass, but with the whimsical nature of the current occupant of the White House, that is not a guarantee that anyone would be willing to make.

Senate Passes S 1790 – FY 2020 NDAA

Yesterday the Senate amended and passed S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020, by a strongly bipartisan vote of 86 to 8. Only two amendments were adopted, the most important being SA 764 [pgs S 3856- 4093]; substitute language for the bill. That amendment did not make any changes to the cybersecurity portions of the bill that I previously discussed.

The House has not yet taken up HR 2500, the House version of the NDAA. That will probably happen after the extended 4^th of July weekend. I will have more on that bill next week.

Ultimately, the House will take up the language of HR 2500 (either directly as that bill or as substitute language for S 1790). A conference committee will then iron out the differences before the bill is again voted upon in the House and Senate. As has become the new normal, we will have to watch out for last minute presidential tweets to see if the final bill will be able to be passed.

S 1790 Introduced – FY 2020 NDAA

Last week Sen. Inhofe (R,OK) introduced S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The bill was reported favorably by the Senate Armed Services Committee which Inhofe chairs. The Senate is scheduled to take up the bill this week. The bill includes an entire sub-title that addresses cyber operations; including one section that addresses the development of a set of cybersecurity standards for the defense industrial base.

Defense Industrial Base Cybersecurity

Section 1634 requires DOD to “develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base” {§1634(a)}. The framework would be developed by February 1^st, 2020. The framework would include {§1634(b)}:

• Identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.

• The roles and responsibilities of various activities within the Department of Defense, across the entire acquisition process, beginning with market research, including responsibility determination, solicitation, and award, and continuing with contractor management and oversight on matters relating to cybersecurity.

• The responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified under paragraph (1).

• A plan to provide implementation guidance, education, manuals, and, as necessary, direct technical support or assistance to such contractors on matters relating to cybersecurity.

• Methods and programs for defining and managing controlled unclassified information, and for limiting the presence of unnecessary sensitive information on contractor networks.

• Quantitative metrics for assessing the effectiveness of the overall framework over time, with respect to the exfiltration of controlled unclassified information from the defense industrial base.

While the language in the bill does not specify whether the cybersecurity concerns cover both the information technology and control system technology used in the industrial base, the Committee Report does address the matter. It notes (pg 306):

“The committee is concerned that contractors within the defense industrial base are an inviting target for our adversaries, who have been conducting cyberattacks to steal critical military technologies.”

Control System Cybersecurity

The Report does address control system cybersecurity research being conducted by DOD. On pages 325-6 the Committee “commends the Department of Defense for its efforts to address the cybersecurity of installation industrial control systems (ICSs).” It goes on to discuss a National Security Agency research program, Integrated Adaptive Cyber Defense (IACD).  It notes that “IACD technologies include sensing and automated orchestration and interoperability among cybersecurity tools and systems to defend both operational technology (such as ICSs) and information technology”. There is additional discussion of this technology under the “Software defined networking and network and cybersecurity orchestration” heading on pages 333-4.

Cybersecurity Research

The Report notes (pgs 97-8) that the Committee is recommending funding Defense-wide cybersecurity research (line item # PE 62668D8Z) at $25.1 million, an increase of $10.0 million above the Administration’s request.

Moving Forward

This bill will start to be considered on the floor of the Senate sometime this week (a number of nominations have to be completed first). Amendments have already started to be proposed to this bill, over 200 were submitted on Thursday alone. How many of those (and yet to be submitted) amendments will make it to the floor of the Senate remains to be seen.

Bills Introduced – 06-11-19

Yesterday with both the House and Senate in session, there were 55 bills introduced. One of those will likely see additional coverage in this blog:

S 1790 An original bill to authorize appropriations for fiscal year 2020 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes. Sen. Inhofe, James M. [R-OK]