Showing posts with label S 4049. Show all posts

Wednesday, November 18, 2020

HR 6395 Amended and Passed in Senate – FY 2021 NDAA

On Monday, the Senate adopted substitute language for, and passed, HR 6395, the National Defense Authorization Act for Fiscal Year 2021, by a voice vote. The substitute language closely tracks the language the Senate earlier adopted for S 4049, the Senate version of this bill. The Senate’s action set up today’s scheduled vote in the House to go to conference on the bill. This would allow the House and Senate to work out the differences between the two versions of the bill.

The Senate language does include a version of the FY 2021 Intelligence Authorization Act.

I would suspect that most of the cybersecurity provisions that were added during floor action in the House will remain in the approved conference version of the bill.

Monday, August 17, 2020

S 3045 Reported in Senate – CISA Subpoenas


Last month the Senate Homeland Security and Governmental Affairs Committee published their report on S 3045, the Cybersecurity Vulnerability Identification and Notification Act of 2019. The Committee amended and ordered the bill reported at a meeting held in March 2020. The bill would provide the Cybersecurity and Infrastructure Security Agency (CISA) with the authority to issue subpoenas “for the production of information necessary to identify and notify the [an] entity at risk”.

Subpoenas Limited to ISPs?


I noted in my commentary on the introduction of S 3045 that:

“Much has been made in the more popular press (see here for example) about how this bill would allow CISA to issue these subpoenas to information services providers. This would certainly be helpful where CISA has been able to identify an IP address where a vulnerable system exists, but needs point of contact information from the ISP.”

There is nothing in the bill that specifically limits the application of the new CISA subpoena authority to just ISPs. In fact, there are just two mentions in the bill that reference statutes applicable to ISPs. In the new §659(o) being added by the bill, subparagraphs (2)(B)(i) and (2)(C) both refer to 18 USC 2703, Required disclosure of customer communications or records. The first two paragraphs of §2703 deal with obtaining copies of electronic communications, while paragraph (c)(2) allows a Federal agency, upon application of an administrative subpoena “authorized by a Federal or State statute”, to require from a “provider of electronic communication service or remote computing service” certain limited information about “a subscriber to or customer of such service”.

If the intent of this bill were limited to collecting information from ISPs, the crafters of the bill would have specifically provided a reference to §2703(c)(2) in the new §659(o)(2)(A), rewording the final phrase of that sub-section to read:

“the Director may issue a subpoena under 18 USC 2703(c)(2) for the production of information necessary to identify and notify the entity at risk, in order to carry out a function authorized under subsection (c)(12).”

Failing to limit the subpoena authority to the referenced subparagraph means that someone in the crafting process intended to extend the subpoena authority to obtaining information identifying owner/operators of vulnerable equipment in critical infrastructure from entities other than just ISPs. And there is nothing in the language of the report that obviates that conclusion.

Moving Forward


The publication of the Committee Report technically clears this bill for consideration by the full Senate. It is unlikely that this bill would be considered under regular order with the full debate and amendment process. The bill is just not important enough (in the grand scheme of things, it is important to CISA) to take up any of the limited time left in the session to address this bill.

This leaves two options for consideration. The first would be to take this bill up under the unanimous consent process. That process would allow a single Senator’s objection to block consideration of the bill. I suspect that there would be a number of Democrats that would object to the bill on general principles, simply to object to anything from DHS that comes up without a chance to debate and amend the bill.

The other path would be to add the provisions of this bill to a must pass bill. There is nothing in this bill that would cause serious enough objections to stall or even delay a must pass bill. I almost expected this to be added to the new Division E added to S 4049, the FY 2021 NDAA. Sen Johnson (R,WI) did propose similar language as two separate amendments (SA 1807 – pgs S3329-30; and SA 2195 – pgs S3584-5) to that bill. Neither amendment was taken up on the floor of the Senate.

The only other ‘must pass bill’ that this bill could be appended to would be the DHS spending division of the final omnibus spending bill that may be taken up much later this year.

Tuesday, July 21, 2020

House Adopts Amendments to HR 6365 – FY 2021 NDAA


Yesterday during the consideration of HR 6365, the FY 2021 National Defense Authorization Act, the House took up all of the proposed amendments related to cybersecurity that I described in yesterday’s post. None of the twelve amendments were considered individually; they were all part of the two en bloc amendments considered by the House.

The first six cybersecurity amendments (#s 2, 15, 27, 72, 117 and 162) were included in the first en bloc consideration. This group was approved by a roll call vote of 336 to 71 at 7:08 pm EDT. The second group (#s 179, 219, 220, 319, 320, and 329) was adopted by a voice vote at 8:38 pm EDT.

The House will resume consideration of the bill this morning with votes on six amendments that were debated yesterday. The House will then move to vote on the bill. The bill is expected to pass on essentially party lines. The Senate is still considering S 4049 and it too is expected to be approved in a mainly partisan vote. The two versions of the NDAA will have to be reconciled by a conference committee.

Monday, July 20, 2020

House to Consider HR 6395 – FY 2021 NDAA


The House is set to begin consideration of HR 6395, the FY 2021 National Defense Authorization Act, today. The bill was originally introduced with skeletal language in April. The House Armed Services Committee completed their markup of the bill earlier this month, reporting the bill on July 9th, 2020. The GPO has not yet published the reported language of the bill, but the House Rules Committee has published a copy of the language that will be considered in the House.

As expected, the cybersecurity provisions in this bill are found in Division A, Title XVI, Subtitle B, Cyberspace-Related Matters. Four provisions in that subtitle address cybersecurity matters; two addressing government cybersecurity oversight and two addressing defense industrial-base cybersecurity matters.

Cybersecurity Oversight


Section 1630 would require DHS to submit to Congress “a report on Federal cybersecurity centers and the potential for better coordination of Federal cyber efforts at an integrated cyber center within the national cybersecurity and communications integration center” (NCCIC) in DHS {§1630(a)}. Potentially included in that integrated cyber center would be {§1630(b)(4)}:

• The National Security Agency’s Cyber Threat Operations Center,
• United States Cyber Command’s Joint Operations Center,
• The Office of the Director of National Intelligence’s Cyber Threat Intelligence Integration Center,
• The Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force,
• The Department of Defense’s Defense Cyber Crime Center, and
• The Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center.

In an unusual move for a ‘report to Congress’ mandate, the section includes a requirement for DHS to “begin establishing an integrated cyber center in the national cybersecurity and communications integration center” {§1630(e)} within one year of submitting the report to Congress. That paragraph does not specify which components will be included in the ‘integrated cyber center’.

Section 1631 would require DHS to develop “an information collaboration environment and associated analytic tools that enable entities to identify, mitigate, and prevent malicious cyber activity” {§1631(a)}. The ‘collaborative environment’ would be designed to:

• Provide limited access to appropriate operationally relevant data about cybersecurity risks and cybersecurity threats, including malware forensics and data from network sensor programs, on a platform that enables query and analysis,
• Allow such tools to be used in classified and unclassified environments drawing on classified and unclassified data sets,
• Enable cross-correlation of data on cybersecurity risks and cybersecurity threats at the speed and scale necessary for rapid detection and identification;
• Facilitate a comprehensive understanding of cybersecurity risks and cybersecurity threats; and
• Facilitate collaborative analysis between the Federal Government and private sector critical infrastructure entities [emphasis added] and information and analysis organizations.

Section 1631(e) would also establish the Cyber Threat Data Standards and Interoperability Council, chaired by DHS. The Council would include representatives from Federal agencies and “public and private sector entities who oversee programs that generate, collect, or disseminate data or information related to the detection, identification, analysis, and monitoring of cybersecurity risks and cybersecurity threats” {§1631(e)(2)}. The Council would “identify, designate, and periodically update programs that shall participate in or be interoperable with the information collaboration environment” {§1631(e)(3)} including:

• Network-monitoring and intrusion detection programs,
• Cyber threat indicator sharing programs,
• Certain government-sponsored network sensors or network-monitoring programs,
• Incident response and cybersecurity technical assistance programs,
• Malware forensics and reverse-engineering programs, and
• The defense industrial base threat intelligence program of the Department of Defense.

Defense Industrial Base Cybersecurity


Section 1632 would require DOD to establish “a threat intelligence program to share with and obtain from the defense industrial base information and intelligence on threats to national security” {§1632(b)(1)}. The program would include {§1632(b)(2)}:

• Cybersecurity incident reporting requirements,
• A mechanism for developing a shared and real-time picture of the threat environment,
• Joint, collaborative, and co-located analytics,
• Investments in technology and capabilities to support automated detection and analysis across the defense industrial base,
• Coordinated intelligence sharing with relevant domestic law enforcement and counter-intelligence agencies, in coordination, respectively, with the Director of the Federal Bureau of Investigation and the Director of National Intelligence, and
• A process for direct sharing of threat intelligence related to a specific defense industrial base entity with such entity.

Participation in the program would be required for all DOD contractors, subcontractors, and suppliers.

Section 1634 would require DOD to report to Congress on “the feasibility and resourcing required to establish the Defense Industrial Base Cybersecurity Threat Hunting Program” {§1634(b)(1)}. If determined to be feasible, DOD would be required to establish the Program “to actively identify cybersecurity threats and vulnerabilities within the information systems, including covered defense networks containing controlled unclassified information, of entities in the defense industrial base” {§1634(c)(1)}.

Section 1634(e) would allow DOD to:

• Utilize Department of Defense personnel to hunt for threats and vulnerabilities within the information systems of entities in the defense industrial base that have an active contract with Department of Defense,
• Certify third-party providers to hunt for threats and vulnerabilities on behalf of the Department of Defense, or
• Require the deployment of network sensing technologies capable of identifying and filtering malicious network traffic.

Floor Consideration of HR 6395


Last week the House Rules Committee developed the Rule for the consideration of HR 6395. It is a structured rule providing limited debate and a limited number of specific amendments that can be offered on the floor of the House.

Of the 407 amendments to be considered, the following contain cybersecurity provisions of note:

#2 – Bergman - Creates a cyber attack exception under the Foreign Sovereign Immunities Act (FSIA) to protect U.S. nationals against foreign state-sponsored cyberattacks,
#15 – Langevin - Establishes a National Cyber Director within the Executive Office of the President (similar to HR 7331),
#27 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission to require the Department of Homeland Security to establish a cyber incident reporting program,
#72 – Chabot - Increases Air Force research funding by $3 million for the National Center for Hardware and Embedded Systems Security and Trust (CHEST),
#117 – DeFazio - Adds the Elijah E. Cummings Coast Guard Authorization Act of 2020,
#162 – Green - Enhances CISA’s ability to both protect federal civilian networks and provide useful threat intelligence to critical infrastructure by authorizing continuous threat hunting on the .gov domain. This will enable CISA to quickly detect, identify, and mitigate threats to federal networks from malware, indicators of compromise, and other unauthorized access,
#179 – Jackson-Lee - Implements a recommendation made by the Cyberspace Solarium Commission to require the Secretary of Homeland Security to develop a strategy to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across U.S.-based email providers,
#219 – Langevin - Allows CISA to issue administrative subpoenas to ISPs to identify and warn entities of cyber security vulnerabilities (similar to HR 5680),
#220 – Langevin - Codifies the responsibilities of the sector risk management agencies with regard to assessing and defending against cyber risks,
#319 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission that there be established at the Department of Homeland Security a Joint Planning Office to coordinate cybersecurity planning and readiness across the Federal government, State and local government, and critical infrastructure owners and operators,
#320 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission that establishes a fixed 5-year term for the Director of the Cybersecurity and Infrastructure Security Agency and establishes minimum qualifications for the CISA Director (similar to HR 5679),
#329 – Ruppersberger - Requires the Secretary of Homeland Security to conduct a review of the ability of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security to fulfill its current mission requirements, and for other purposes.

S 4049 Consideration


A quick reminder that the Senate will also resume consideration of their version of the NDAA (S 4049) today. The two versions will have to be reconciled at a later date by a conference committee. Many provisions adopted in either the House or Senate will not make it into the final bill or will be revised en route.

Monday, July 13, 2020

S 4024 Introduced – Cybersecurity Advisory Committee


Last month Sen Perdue (R,GA) introduced S 4024, the Cybersecurity Advisory Committee Authorization Act of 2020. The bill would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish a Cybersecurity Advisory Committee to advise, consult with, report to, and make recommendations to the Director on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency.

The Committee would consist of not more than 35 people from a cross-section of industries and State and local governments. The Committee would meet at least twice a year, and one meeting per year would be required to be open to the public. Committee members would not be compensated. There are no funds appropriated in this bill.

The Committee would not be subject to the requirements of the Federal Advisory Committee Act (FACA, 5 USC APP).

Moving Forward


Perdue is not a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. His cosponsor {Sen Sinema (D,AZ)}, however, is a member. This means that there is a chance that the bill may be considered in Committee. Unfortunately, in this COVID-19 restricted election year, the chance of this bill being considered is low.

I see nothing in the language of the bill that would engender any significant opposition to the bill.

Similar language to this bill was included as §6614 in the Substitute Language (SA 2301, pg S3944) for S 4049, the FY 2020 National Defense Authorization Act.

Commentary


This type of advisory committee has been very useful in providing a wide range of expertise and experience to the government for little or no expense. The DOT, for example, has found this type of committee very helpful in crafting regulatory language.

The FACA exception is necessary because it is expected that this Committee will handle classified and sensitive but unclassified information. FACA has no provisions for exempting such information from the open records requirements of the act.

Friday, July 3, 2020

S 4049 Amendments Adopted – 7-3-20


Yesterday during consideration of S 4049, the FY 2021 National Defense Authorization Act, the Senate adopted by unanimous consent 62 amendments in an en bloc consideration. Four amendments were included that are of interest here. They include:

SA 2178 – Sen Wicker (R,MS) - to improve the cyber workforce and establish cyber challenges [pg S 3569],
SA 2215 – Sen King (I,ME) - to strengthen the Cybersecurity and Infrastructure Security Agency [pg S 3660],
SA 2231 – Sen Fischer (R,NE) - to ensure appropriate prioritization, spectrum planning, and interagency coordination to support the Internet of Things [pg S 3688], and
SA 2275 – Sen Peters (D,MI) - to require a plan for the continuity of the economy [pg S 3719]

Cyber Workforce


SA 2178 would add a new Title, Cyber Workforce Matters, to the bill. It includes sections on:

• Improving national initiative for cybersecurity education,
• Development of standards and guidelines for improving cybersecurity workforce of federal agencies,
• Modifications to federal cyber scholarship-for-service program,
• Cybersecurity in programs of the national science foundation,
• Cybersecurity in stem programs of the national aeronautics and space administration,
• Cybersecurity in department of transportation programs, and
• National cybersecurity challenges [Similar to S 3712].

The first section of the bill would amend 15 USC 7451(a), National cybersecurity awareness and education program. Part of that amendment would be to add a new subparagraph:

“(8) in coordination with the Department of Defense and the Department of Homeland Security, considering any specific needs of the cybersecurity workforce of critical infrastructure, to include cyber physical systems and control systems;”

The section on DOT programs makes two changes to 49 USC. The first would amend 49 USC 5505, University transportation centers program. The amendment would add to the focused research grant program description found in §5505(c)(3)(E):

“, including the cybersecurity implications of technologies relating to connected vehicles, connected infrastructure, and autonomous vehicles”


Strengthening CISA


SA 2215 would move the Cybersecurity and Infrastructure Security Agency (CISA) Director from Level III to Level II of the Executive Schedule, increasing the importance of the Agency. The second section of the amendment would require DHS to conduct a comprehensive review of the ability of CISA to:

• Fulfill the missions of CISA and
• Fulfill the recommendations detailed in the report issued by the Cyberspace Solarium Commission under section 1652(k) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232).

The third section would require a similar review by the Government Services Administration.

Internet of Things


SA 2231 is very similar to S 1611, the Developing Innovation and Growing the Internet of Things Act, which Fischer introduced in 2019 (and earlier versions of the same bill in 2017 and 2016). The bill was passed in the Senate in January under the unanimous consent process. It has not been taken up by the House.

Continuity of the Economy


SA 2275 would require the President to “develop and maintain a plan to maintain and restore the economy of the United States in response to a significant event.” {§XXX(a)(1)}. The term ‘significant event’ is defined as an event that causes severe degradation to economic activity in the United States due to a cyberattack, or another significant event that is natural or human-caused.

Additional Amendments to be Considered


The Senate reached an agreement to resume consideration of the bill after the July 4th recess (on July 20th) by taking up six specific amendments with 2 hours of debate on each amendment. Once those amendments are dealt with, the Senate will vote on the substitute language. One of the listed amendments addresses issues that I will cover in this blog.

There still remains a possibility that another batch of en bloc amendments will be considered before the listed amendments are brought up.

Wednesday, July 1, 2020

S 4049 Substitute Language – FY 2021 NDAA


On Monday (Congressional Record is running a day behind) the Senate voted to begin consideration of S 4049, the FY 2021 National Defense Authorization Act (NDAA). This is just the first hurdle the bill has to clear. The debate will center around substitute language (SA 2301, pg S3739) for the bill that was offered by Sen Inhofe (R,OH), one of the 121 amendments to S 4049 that was offered on Monday.

Substitute Language


The Inhofe amendment contains substantial additions to the original language and changes at least some provisions within the bill. The amendment adds two new Divisions to the bill:

Division E – Additional Provisions
Division F – Intelligence Authorization Act for Fiscal Year 2021

All of the cybersecurity provisions that I described in the original bill remain in the revised language. The new Division E (among a bunch of other stuff) adds three new cybersecurity provisions:

§6613. Cybersecurity State Coordinator Act. [similar to S 3207]
§6614. Cybersecurity Advisory Committee. [similar to S 4024?]
§6615. Cybersecurity Education and Training Assistance Program.

I note that §6613 is similar to S 3207, but I have not done a word for word comparison to tell how closely it matches the earlier bill. The §6614 comparison is more theoretical since the Government Printing Office has not yet published S 4024.

The Division F language is very similar to S 3205, including §9503 which is the same as §504 in the original bill. There are no new cybersecurity provisions in this Division.

Other Amendments Proposed


As I mentioned earlier there were 120 other amendments to S 4049 submitted on Monday. They include the following amendments that I intend to follow here:

SA 2214 Sen King (I,ME) - Subtitle X National Cybersecurity Certification and Labeling [S 3658],
SA 2215 Sen King - SEC. XXX CISA Director,
SA 2226 Sen Rubio (R,FL) - DIVISION XX - Intelligence Authorizations for Fiscal Year 2021 [S 3665],
SA 2231 Sen Fischer (R,ND) - SEC. XXX Internet of Things [S 3688],
SA 2263 Sen Cassidy (R,LA) - SEC. 10XX. Small Scale LNG Access [S 3712].

None of the amendments (other than the substitute language, of course) that I have listed here or in my earlier post have yet been listed as potentially being considered in the floor consideration of S 4049.

Tuesday, June 30, 2020

Committee Hearings – Week of 6-28-20


This week, with both the House and Senate in Washington, there is a more normal slate of congressional hearings being held. One of interest here is the final markup of HR 6395, the House version of the FY 2021 National Defense Authorization Act (NDAA).

NDAA Markup


On Wednesday the House Armed Services Committee will be marking up HR 6395. Last week subcommittees conducted their markups. The Intelligence and Emerging Threats and Capabilities Subcommittee added some cyber provisions to the bill. We are likely to see additional provisions added in the full committee markup tomorrow.

The Subcommittee language included two cybersecurity provisions that could affect the private sector:

§1627—Assessing Private-Public Collaboration in Cybersecurity
§1628—Cyber Capabilities and Interoperability of the National Guard

Neither of those provisions was as proactive in mandating private sector actions as we saw in some of the provisions reported out on S 4049, the Senate version of the NDAA.

Wednesday, June 24, 2020

Bills Introduced – 6-23-20


Yesterday with just the Senate in session there were 20 bills introduced. Two of those bills may receive additional coverage in this blog:

S 4049 An original bill to authorize appropriations for fiscal year 2021 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes.  Sen. Inhofe, James M. [R-OK]

S 4051 A bill to improve the ability of law enforcement agencies to access encrypted data, and for other purposes.  Sen. Graham, Lindsey [R-SC]

S 4051 will almost certainly not have anything to do with control systems, so this does not directly fit in with most of the stuff that I write about. There has been significant press coverage (see here for example) and it would seem that there is going to be some push for this bill by the authors to move this bill forward. I am looking forward to reading the actual language, so I am adding it to my tracking list. I just do not know if it will receive additional mention in this blog.
