December 8, 2020 | Insight
Congress Poised To Enact Unprecedented Cyber Defense Legislation
The National Defense Authorization Act (NDAA) for Fiscal Year 2021 (FY21) is the most significant attempt ever undertaken by Congress to improve national cybersecurity and protect U.S. critical infrastructure from nation-state, non-state, and criminal behavior. On December 3, Senate and House conferees issued their report on the FY21 NDAA, confirming that the final version of the bill retains key cybersecurity provisions.
Two years ago, by creating the Cyberspace Solarium Commission (CSC), Congress expressed deep concern about the inability of the United States to defend its interests in cyberspace. Now, Congress is set to adopt 25 of the 52 legislative recommendations put forth by the CSC, reflecting an extraordinary degree of receptiveness among lawmakers. (See the appendix for a list of CSC provisions included in the FY21 NDAA.)
Historically, commissions not created in response to a disaster (such as the 9/11 Commission) have about 31 percent of their recommendations subsequently adopted in full by the U.S. government. The CSC will surpass this milestone less than one year after issuing its March 2020 report, with other recommendations likely included in legislation in the coming years. This success is due to the bipartisan leadership of CSC Co-chairmen Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) and the commitment of commissioners Representative Jim Langevin (D-RI) and Senator Ben Sasse (R-NE), who also sponsored and shepherded the CSC recommendations through the legislative process.
Providing Strategic Leadership in Cyberspace
The CSC report emphasized the need for reform, observing, “While cyberspace has transformed the American economy and society, the government has not kept up, and existing government structures limit cyber policymaking processes, dampen government action, and impede cyber operations.” Critically, the FY21 NDAA includes a groundbreaking CSC recommendation to establish a Senate-confirmed national cyber director (NCD) and an associated office within the White House.
The NCD will be the principal advisor to the president on cybersecurity matters, leading the development and implementation of cyber strategy and coordinating major cyber incident response efforts across the federal government. The NCD will also lead coordination with the private sector and state, local, territorial, and tribal (SLTT) governments to ensure effective implementation of national cybersecurity measures. The position, as envisioned by the Commission and the FY21 NDAA, has far greater seniority and interagency coordination and defensive planning authorities than previous cyber coordinators, with the new NCD positioned as a peer to other senior presidential advisors, as opposed to simply a member of the National Security Council staff.
Congress witnessed the lack of strategic leadership in the federal government’s pre-planning and initial response to the COVID-19 crisis (itself a non-traditional national security emergency) and determined that the country needs an NCD to ensure better execution of proactive cyber policy and coordination in times of crisis. The patient and persuasive efforts of Senator Mike Rounds (R-SD) and Representative Jim Langevin (D-RI) to move the NCD provision through their respective Senate and House chambers were integral to its inclusion in the final bill.
Promoting National Cyber Resilience
Another key CSC priority was the need to promote national resilience – the ability of the government and private sector to identify, assess, and mitigate risk across national critical infrastructure in order to withstand and quickly recover from an attack. To that end, the FY21 NDAA directs the U.S. government to develop and maintain Continuity of the Economy (COTE) planning in consultation with the private sector. CSC Commissioner and FDD scholar Samantha Ravich first articulated the need for COTE – a modern rethinking of continuity of operations and continuity of government planning that developed during the Cold War – nearly two years ago. The CSC study of national cyber resilience only confirmed the dire need for this planning.
Properly developed and maintained plans will ensure, as the CSC explains, the “continuous operation of critical functions of the economy in the event of a significant cyber disruption.” At the end of the day, Senator King and Representative Gallagher explain in their chairmen’s letter, “Such a plan is a fundamental pillar of deterrence—a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.”
Consolidating Key Reform Initiatives
The cybersecurity measures in the FY21 NDAA also include much more than CSC-inspired recommendations. The bill has nearly 80 cybersecurity-related provisions, so many that the bill utilizes a unique “Cyberspace” title (or chapter) for the first time to help organize them. These cybersecurity provisions include numerous efforts (both CSC and non-CSC-inspired) to improve Department of Defense (DoD) cybersecurity initiatives, an expected focus of any NDAA. But the legislation also includes forward-leaning and groundbreaking efforts to reinvigorate the nation’s high-tech industrial capacity, an imperative highlighted by the CSC, by authorizing DoD efforts to assess existing research and development efforts, production capability, and manufacturing capacity.
Further FY21 NDAA provisions contribute to DoD efforts by laying the groundwork to strengthen the nation’s leading role as a developer and producer of semiconductors (by incorporating elements of the Creating Helpful Incentives to Produce Semiconductors [CHIPS] for America Act), reasserting U.S. and allied leadership in the global telecommunications market (via elements of the USA Telecommunications Act), and bolstering U.S. involvement in crucial international standard-setting fora. Still other provisions pave the way for future interaction of the Internet of Things (IoT) with existing networks (by incorporating elements of the IoT Cybersecurity Improvement Act).
Directives for the Pentagon and Department of Homeland Security
Not surprisingly, the FY21 NDAA has a great number of DoD-specific cyber provisions. Key among them is a provision that directs DoD to conduct a force-structure assessment of the Cyber Mission Force to ensure that the United States has the appropriate military cyber capability and capacity in light of growing mission requirements and increasingly capable adversaries in cyberspace. This is critical because, as the CSC report notes, DoD defined the Cyber Mission Force’s requirements “well before the United States experienced or observed some of the key events that have shaped the U.S. government’s understanding of the urgency and salience of the cyber threat posed by adversaries, as well as before the development of DoD’s defend forward strategy.”
On the defensive side of the ledger, the FY21 NDAA directs DoD to conduct a cybersecurity vulnerability assessment of all segments of the country’s nuclear command and control systems and to continually assess cyber vulnerabilities in U.S. weapons systems. The legislation also requires improved Defense Industrial Base (DIB) participation in threat-intelligence sharing programs. In addition, it requires the department to assess the feasibility of establishing a threat hunting program on DIB networks, whereby the government would work with industry to proactively search for malicious cyber activity on networks belonging to defense contractors.
This year’s NDAA is unique in that it also contains a raft of provisions intended to strengthen the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS). CISA’s mission is to ensure the resilience of national critical infrastructure, foster a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate federal, SLTT, and private-sector cybersecurity efforts. The public servants at CISA have done admirable work to carry out this mission, but the agency “has not been adequately resourced,” according to CSC conclusions.
The FY21 NDAA seeks to rectify this by strengthening the position of the CISA director and requesting both a force-structure assessment and an infrastructure assessment of CISA. Congress is also authorizing CISA to threat hunt on the .gov domain and is providing the agency a much-needed administrative subpoena authority so that CISA can better identify owners and operators of vulnerable systems.
To assist the federal government in building public-private collaboration, the legislation creates a new government-wide Joint Cyber Planning Office (to include federal and SLTT governments and the private sector) under CISA’s auspices. The FY21 NDAA also strengthens the responsibilities of CISA’s integrated cyber center (working to share information with and among both federal agencies and the private sector) and establishes a biennial national cyber exercise. These legislative efforts will ensure CISA is equipped with the resources and clear authorities to achieve its critical infrastructure security and resilience missions. Collectively, these provisions, along with other provisions that identify sector risk management responsibilities for federal agencies and empower these federal agencies to better coordinate with their assigned industrial sectors (energy, financial services, water, etc.), will improve cybersecurity collaboration with the private sector, another of the CSC’s core pillars.
Finally, other notable FY21 NDAA provisions will improve the U.S. government’s ability to recruit, develop, and retain cyber talent; require a Government Accountability Office study on cyber insurance and ways to improve the cyber insurance market; and require a strategy to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across all U.S.-based email providers to secure emails from spam and to diminish the effectiveness of phishing scams.
The NDAA has a proven record of initiating significant cyber reforms. The NDAA for Fiscal Year 2019 contained three critical provisions that authorized the framework for existing offensive cyber operations. Section 1632 provided DoD the authority to conduct cyber surveillance and reconnaissance as a traditional military activity; Section 1636 established U.S. policy for responding to cyberattacks or other malicious cyber activities conducted by foreign powers; and Section 1642 provided authorization to act in response to malicious Russian, Chinese, North Korean, or Iranian cyber campaigns.
The Trump administration rapidly utilized these authorities in developing National Security Presidential Memorandum 13 to streamline the process for developing and approving offensive cyber operations, and has reportedly conducted a number of operations under these authorities.
This year’s NDAA may drive equally important cybersecurity efforts: improving the government’s organization for defense, building more robust capabilities within DoD and throughout the federal agencies, establishing the ligature for public-private collaboration, and beginning to address the challenging critical technology supply chain issues facing the United States and its allies.
Finally, this year’s NDAA extends the CSC’s mandate for a second legislative cycle, giving the Commission time to work on many of its remaining legislative recommendations for improving the cyber ecosystem, addressing critical technology supply chain issues, and improving responses to cybercriminal behavior. While it would be hard to imagine a future NDAA containing as many cyber-related provisions as this year’s, reauthorizing the CSC will provide the opportunity to close even more gaps.
NDAA provisions reflecting CSC recommendations (27 provisions implementing 25 recommendations):
- Section 1705 – Strengthening Federal Networks (CSC Recommendation 1.4): Authorizes CISA to conduct threat hunting on federal networks.
- Section 1706 – Improvement Relating to the Quadrennial Cyber Posture Review (CSC Recommendations 6.1 and 6.1.3): Directs DoD to conduct a force-structure assessment of the Cyber Mission Force to ensure sufficient force structure and capabilities.
- Section 1711 – Modification of Acquisition Authority of Commander of United States Cyber Command (Recommendation 6.1.1): Amends the NDAA for Fiscal Year 2016 to change the acquisition authority of U.S. Cyber Command. (related to Section 1746)
- Section 1712 – Modification of Requirements Relating to the Strategic Cyber Security Program and the Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the Department of Defense (CSC Recommendation 6.2.b): Tasks DoD with developing a plan for the annual assessment of cyber vulnerabilities of major weapon systems, and with sharing lessons learned and best practices from the annual assessment of cyber resiliency of nuclear command and control systems.
- Section 1714 – Renewing the Cyberspace Solarium Commission: Reauthorizes the CSC through late December 2021.
- Section 1715 – Establishment in DHS of the Joint Cyber Planning Office (CSC Recommendation 5.4): Establishes a Joint Cyber Planning Office under CISA to facilitate comprehensive planning of defensive cybersecurity campaigns across federal departments and agencies and the private sector.
- Section 1716 – Administrative Subpoena Authority for the Cybersecurity and Infrastructure Security Agency (CSC Recommendation 5.1.3): Grants administrative subpoena authority to CISA in order to identify vulnerable systems and notify public and private system owners.
- Section 1718 – Cybersecurity Advisory Committee (CSC Recommendation 1.4): Establishes a Cybersecurity Advisory Committee to advise DHS and CISA.
- Section 1719 – Cybersecurity Education and Training Assistance Program (CSC Recommendation 1.5.1): Authorizes the (already existing) Cybersecurity Education and Training Assistance Program at DHS/CISA – a K12 cyber education initiative. The program will continue to provide curricula, resources, and training for K12 education. It will promote and support national standards for K12 cyber education.
- Section 1722 – Report on the Risk to National Security Posed by Quantum Computing Technologies (CSC Recommendation 6.2.4): Mandates a comprehensive assessment of the threats and risks posed by quantum technologies to national security systems.
- Section 1728 – Assessing Private-Public Collaboration in Cybersecurity (CSC Recommendation 5.4.1): Requires DoD to assess the impact of the current Pathfinder initiative, the department’s support to and integration with existing federal cybersecurity centers, and comparable initiatives led by other federal departments or agencies that support long-term public-private cybersecurity collaboration. This provision also requires DoD to make recommendations for improvements.
- Section 1729 – Clarifying the Cyber Capabilities and Interoperability of the National Guard (CSC Recommendation 3.3.6): Directs DoD to evaluate statutes, rules, regulations, and standards that pertain to the use of the National Guard for the response to and recovery from significant cyber incidents.
- Section 1730 – Evaluation of Non-Traditional Cyber Support for the Department of Defense (CSC Recommendation 6.1.7): Requires an assessment from DoD on the need and models for, and requirements of, a cyber reserve force.
- Section 1731 – Establishment of an Integrated Cybersecurity Center (CSC Recommendation 5.3): Directs the executive branch to submit a report to Congress evaluating the federal cybersecurity centers and the potential for better coordination of federal cybersecurity efforts at an integrated cybersecurity center within CISA.
- Section 1737 – Defense Industrial Base Participation in a Threat-Intelligence Sharing Program (CSC Recommendation 6.2.1): Requires DoD to assess the feasibility, suitability, and definition of, and resourcing required to establish, a DIB threat information sharing program.
- Section 1739 – Defense Industrial Base Cybersecurity Threat Hunting and Sensing, Discovery, and Mitigation (CSC Recommendation 6.2.2): Requires DoD to complete an assessment of the feasibility and suitability of, and resources required to establish, a DIB cybersecurity threat hunting program.
- Section 1744 – Creation of a Biennial National Cyber Exercise (CSC Recommendation 3.3.5): Establishes a federal government cyber exercise to be conducted every two years for 10 years. The exercise will include federal, state, and private-sector stakeholders as well as international partners.
- Section 1745 – Cybersecurity and Infrastructure Security Agency Review (CSC Recommendation 1.4): Tasks DHS with conducting a comprehensive review of CISA’s ability to fulfill its current missions and implement the recommendations detailed by the CSC.
- Section 1746 – Report on Enabling U.S. Cyber Command Resource Allocation (CSC Recommendation 6.1.1): Requires DoD to submit a report to Congress detailing actions to ensure that U.S. Cyber Command possesses the necessary authorities, direction, and control of the Cyber Operations Forces and the budget needed to fulfill its mission. (related to Section 1711)
- Section 1747 – Ensuring Cyber Resiliency of Nuclear Command and Control Systems (CSC Recommendation 6.2.a): Requires DoD to develop a comprehensive plan to implement findings and recommendations pertaining to the cyber defense of nuclear command and control systems.
- Section 1752 – Establish the National Cyber Director and the Office of the National Cyber Director (CSC Recommendation 1.3): Establishes a Senate-confirmed national cyber director within the White House to serve as the president’s principal cyber advisor and provide a nexus for cybersecurity leadership in the White House.
- Section 9001 – DHS Strengthen CISA Director (CSC Recommendation 1.4): Makes administrative changes to strengthen the director position at CISA.
- Section 9002 – Codify Sector Risk Management Agencies (CSC Recommendation 3.1): Codifies Sector Specific Agencies as Sector Risk Management Agencies, establishing minimum responsibilities and requirements for identifying, assessing, and assisting in managing risk for the critical infrastructure sectors under their purview.
- Section 9005 – GAO Study of Cybersecurity Insurance (CSC Recommendation 4.4): Calls on the Government Accountability Office to study ways to improve the market for cybersecurity insurance.
- Section 9006 – Strategy to Secure Email (CSC Recommendation 4.5.2): Directs DHS to develop a strategy to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across all U.S.-based email providers to secure emails from spam and diminish the effectiveness of phishing emails.
- Sections 9401-9407 – Recruit, Develop, and Retain a Stronger Cyber Workforce (CSC Recommendation 1.5): Enhances the federal government’s ability to recruit, develop, and retain its cyber workforce. Makes changes to the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education, including a large grant program for national partners, and Scholarship for Service.
- Section 9603 – Continuity of the Economy Plan (CSC Recommendation 3.2): Mandates the creation of a Continuity of the Economy planning effort to ensure the rapid restart and recovery of the U.S. economy after a major disruption.
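The DMARC strategy directive (Section 9006, and the email-security paragraph in the body above) names the standard but not what it actually does for a receiving mail server. The following is an added illustration, not code from the article, FDD, or any government program: it parses a DMARC TXT record and evaluates a message the way a receiver would, showing why an SPF or DKIM "pass" is not enough on its own and why identifier alignment with the visible From domain is what defeats spoofing. It assumes that SPF and DKIM results are supplied as constructed inputs (a real receiver derives them from DNS and message headers), that the organizational domain is approximated by the last two labels (a real implementation uses the Public Suffix List), and it omits the `pct` sampling step for determinism.

```python
"""DMARC record parsing and receiver-side policy evaluation.

Added example, not from the article. Assumptions:
- org_domain() uses the last two labels; real code uses the Public Suffix List
  (this breaks for suffixes such as co.uk).
- SPF/DKIM results are constructed inputs, not computed from DNS or headers.
- The pct= sampling step is skipped so results are deterministic.
"""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s".

    Returns {} when the record is not a usable DMARC record (the first tag
    must be v=DMARC1 and a p= policy must be present). Fills in defaults
    for optional tags: relaxed alignment, sp inherits p, pct=100.
    """
    parts = [p.strip() for p in record.split(";")]
    if not parts or parts[0].lower() != "v=dmarc1":
        return {}
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        return {}
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") requires an exact match, relaxed
    ("r") requires the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResult:
    spf_result: str   # "pass", "fail", "none", ...
    spf_domain: str   # MAIL FROM domain that SPF was evaluated against
    dkim_result: str
    dkim_domain: str  # d= tag of the verified DKIM signature


def evaluate(record: str, policy_domain: str, from_domain: str,
             auth: AuthResult) -> dict:
    """Return the DMARC result and disposition for one message.

    policy_domain is where the record was published (the From domain or its
    organizational domain); when the From domain differs, sp= applies.
    """
    policy = parse_dmarc(record)
    if not policy:
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = (auth.spf_result == "pass"
              and aligned(from_domain, auth.spf_domain, policy["aspf"]))
    dkim_ok = (auth.dkim_result == "pass"
               and aligned(from_domain, auth.dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    is_subdomain = from_domain.lower() != policy_domain.lower()
    disposition = policy["sp"] if is_subdomain else policy["p"]
    return {"dmarc": "fail", "disposition": disposition}


if __name__ == "__main__":
    # Constructed record and results for demonstration only.
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Attacker's own SPF/DKIM pass on attacker.example, From: spoofs example.com:
    spoof = AuthResult("pass", "attacker.example", "pass", "attacker.example")
    print(evaluate(rec, "example.com", "example.com", spoof))
```

The third scenario in the test below is the one that matters for phishing: the sender's infrastructure legitimately passes SPF and DKIM for its own domain, but neither identifier aligns with the spoofed From domain, so the published `p=reject` policy applies.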
Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and serves as a senior advisor to the Cyberspace Solarium Commission. Annie Fixler serves as CCTI’s deputy director. Follow Mark and Annie on Twitter @MarkCMontgomery and @afixler. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.