Cyber leads the way in the 2021 Defense Authorization Bill

OPINION — As the House and Senate versions of the fiscal 2021 Defense Authorization Bill are put together in conference, new offensive and defensive cyber operations are major topics in both versions of the legislation.

Many of the proposals follow recommendations made last March by the Cyberspace Solarium Commission, which Congress established in the 2019 NDAA to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”


The House bill extends the Commission for two years and directs it to review implementations of its recommendations, make new ones, and file reports to relevant congressional committees.

The Senate bill would require the Defense Secretary to create “a comprehensive framework to enhance the consistency and execution of cyber hunt forward operations.” These are operations in which Cyber Command teams “defend forward” by going abroad to disrupt or halt malicious cyber activities directed against the U.S. or its forces.

In requiring such a framework, the Senate seeks to institutionalize such missions, “forcing commanders to assess the costs, potential gains, and requirements of hunt forward missions,” according to the Senate Armed Services Committee report on its bill.

“The committee does not seek to delay or else discourage the performance of these missions; to the contrary, the committee hopes that the framework will enable Cyber Command’s execution of more successful missions at an increased operational tempo,” the report says.

Although the committee was encouraged by Cyber Command’s “innovative approaches to finding new ways to impose costs on cyber adversaries,” its oversight found “insufficient coordination across the Federal Government, inadequate manning and time spent abroad, and the inability to access relevant networks.”

The Senate bill would also change the legal requirements for notifying congressional defense committees of sensitive military cyber operations.

The new provision is broader and more specific, requiring notification of operations “that are intended to achieve a cyber effect against a foreign terrorist organization or a country, including its armed forces and the proxy forces of that country located elsewhere, with which the Armed Forces of the United States are not involved in hostilities or with respect to which the involvement of the Armed Forces of the United States in hostilities has not been acknowledged publicly by the United States,” according to the committee report.

The Senate report also recognized the challenge in improving the cybersecurity of more than 300,000 Department of Defense (DOD) suppliers and smaller sub-tier suppliers. The House bill takes this issue a step further. It would require the Secretary of Defense to establish a complex defense industrial base threat intelligence program that goes beyond current law, which requires companies to report certain cybersecurity incidents. It calls for a single clearinghouse for the mandatory incident reporting, including unclassified and classified information. Beyond that, the House bill seeks creation of a mechanism for developing “a shared and real-time picture of the threat environment,” aided by “new technology and capabilities to support automated detection and analysis across the defense industrial base.” The measure would allow for “direct sharing of threat intelligence related to a specific defense industrial base entity with such entity.”

Both bills include measures to improve cyber readiness by recruiting and retaining qualified cybersecurity professionals, using National Guard and Reservists and allowing for pay that is more competitive with the private sector.

One other House proposal is worth mentioning. It requires whoever is President, beginning in 2021, to “participate in a large-scale exercise of the nuclear command, control and communications system during the first year of each term.” Not every President has participated in such exercises in the past, and even the proposed measure allows the President to waive taking part if a war, pandemic or some other “exigent circumstance” is already underway.

Read more expert-driven national security insight, perspective and analysis in The Cipher Brief

 
