The National Defense Authorization Act (NDAA) for FY 2019 took a big step toward passage late yesterday with the release of the conference report, which unifies House and Senate NDAA legislation and places in sharp focus concerns about growing cyber and electronic warfare threats and ways that the United States should address them.
The must-pass legislation, which still needs to be approved by both houses of Congress and signed by President Trump, specifically calls out Russia and China as “strategic competitors that seek to shape the world toward their authoritarian model through destabilizing activities, threatening the security of the United States and its allies,” and details numerous provisions to shore up U.S. cyber defenses.
The legislation creates a new senior role within the Department of Defense (DoD) tasked with updating and improving the June 2017 Department of Defense Electronic Warfare strategy, as well as a “comprehensive roadmap” of operational and organizational reforms, new requirements, and updated plans. The updated materials would then be reported to Congress.
As part of the NDAA, Congress also affirms that the Secretary of Defense is authorized to “conduct military activities and operations in cyberspace, including clandestine military activities and operations, by designating these as traditional military activities.” The NDAA also tasks U.S. Cyber Command with disrupting, deterring, and defeating “systematic and ongoing attacks” from Russia, China, North Korea, and Iran in cyberspace.
In a move that will create the nation’s first cyber warfare policy, the NDAA establishes that U.S. policy is to employ “all instruments of national power,” including offensive cyber capabilities, to deter or respond to cyberattacks that target “U.S. interests with the intent to cause casualties, significantly disrupt the normal functioning of our democratic society or government, threaten the Armed Forces or the critical infrastructure they rely upon, achieve an effect comparable to an armed attack, or imperil a U.S. vital interest.”
As MeriTalk reported last week, Senate Republicans agreed to drop their tougher amendment against Chinese communications equipment makers ZTE and Huawei, which called for a ban on the public or private sector doing business with the companies, in favor of the House’s more lenient ban.
The NDAA now “[p]rohibits the Federal government from procuring or obtaining, as well as entering into, extending, or renewing a contract with an entity that uses telecommunications equipment or services produced by Huawei Technologies Company or ZTE Corporation.” While the Trump Administration opposed any ban on ZTE or Huawei, it remains to be seen how President Trump and allies will react to the more lenient compromise on the Hill.
Also included in the NDAA is an amendment creating the Cyberspace Solarium Commission, initially proposed by Sen. Ben Sasse, R-Neb. The Solarium “is designed to develop clear consensus on a strategic approach to protecting and defending the United States in cyberspace,” according to a press release. Sasse modeled his proposed Commission after President Eisenhower’s Project Solarium, which created the strategy that guided American policy for much of the Cold War.
“This is a critical piece of this year’s defense bill and an important step on cybersecurity,” said Sen. Sasse in a statement. “The Cyberspace Solarium Commission is an opportunity to set America’s cyber doctrine before it’s too late. This is a major victory for those who have been sounding the alarm on cybersecurity. Washington is late to the game–we don’t have a playbook and our enemies are already on offense. This is the new frontier of warfare and America cannot fall behind. The hardest work is still ahead.”
The legislation also includes a provision requiring DoD to notify lawmakers of cybersecurity breaches and loss of information from approved defense contractors, according to Politico. That measure is likely a response to a recent cyber attack where Chinese hackers stole sensitive data regarding U.S. submarine forces from a contractor.
The Secretary of Defense also is required to notify lawmakers in the event of a data breach that compromises personal information of U.S. Service members. In a move to protect the Pentagon’s critical infrastructure, the NDAA includes a provision to establish a pilot program within the Defense Digital Service to evaluate cyber vulnerabilities, according to Politico.
The House will likely vote on the final bill later this week.