Key Cyber Provisions of the NDAA
Congress’ NDAA Fiscal Year 2019 appropriation authorizations include important cyber measures among military and defense activities.
The John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA 2019), passed by Congress on August 1 and signed by President Trump yesterday, takes cybersecurity a step further, with language affirming DOD’s role in defending against attacks and operating in cyberspace, the fifth warfare domain.
Although past NDAA legislation has included some provisions on DOD’s cyber role, this year’s bill specifies that the Secretary of Defense has the authority to conduct military cyber activities or operations in cyberspace—including clandestine activities—to defend the United States and its allies.
The NDAA 2019 allows the United States to employ “all instruments of national power,” including offensive cyber capabilities. This includes response to foreign powers targeting U.S. interests, causing casualties of U.S. citizens or significantly disrupting the functionality of the U.S. democratic—including attacks against critical infrastructure. It also includes threats to the command and control of the U.S. forces, the freedom of maneuver of the military, the industrial base or other infrastructure that U.S. forces rely on to defend the country, and its interests.
If Russia, China, North Korea or Iran are conducting “an active, systematic and ongoing campaign” of cyber attacks, including attempts to influence American elections and democratic processes, the National Command Authority (NCA)—the commander-in-chief, the Secretary of Defense and other highest-level commanding officers—may authorize the Secretary, through the commander of the U.S. Cyber Command “to take appropriate and proportional action to disrupt, defeat and deter such attacks,” by conducting cyber and information operations as well as traditional military activities, according to the NDAA 2019.
The United States “must develop and, when appropriate, demonstrate to adversaries the existence of cyber capabilities to impose costs on any foreign power targeting the United States,” according to the legislation. Congress also asked DOD to provide an updated cybersecurity and cyber warfare report that assesses whether past U.S. responses to major cyber attacks have had the desired deterrent effect. In addition, the legislation enables the Secretary to share threat information related to cybermauraders, associated false online personas or compromised infrastructure with the private sector on a voluntary basis.
The legislation puts the Joint Force Headquarters–Department of Defense Information Networks (JFHQ–DODIN) of the Defense Information Support Agency (DISA) under the microscope. It asks DOD to hash out the specific roles, missions and responsibilities of the JFHQ-DODIN commander. In a unique dual-hatted role, the director of DISA—which currently is Vice Adm. Nancy Norton, USN—also serves as the commander of JFHQ–DODIN.
Congress wants DOD, by next March, to assess JFHQ-DODIN’s existing command and control structure, adequacy of the DISA’s institutional support for the JFHQ-DODIN mission, resource requirements and mission effectiveness. The intent is to see if there is justification—and a suggested timeline—to transfer “some or all roles” of JFHQ-DODIN to the commander of the Cyber Command—a position currently filled by Gen. Paul Nakasone, USA.
Under a different provision of the NDAA 2019, DISA would be getting the operations and maintenance responsibility of the SHARKSEER cybersecurity program from the National Security Agency (NSA). For the last several years, NSA’s SHARKSEER program has focused on detecting and mitigating web-based malware.
Furthermore, NDAA 2019 broadens the military’s work in assessing the cyber vulnerabilities of each major weapon system, first included in the NDAA FY 2016. Beginning in FY 2021 and annually thereafter, DOD must provide a detailed cybersecurity evaluation and mitigation “budget justification display” of each major weapons system, including the cyber vulnerability status, cybersecurity risks, planned activities and any funding needed.
In addition, the legislation is requiring DOD to designate an official to oversee the integration of cybersecurity and industrial control systems, including the development of agency-wide certification standards and possible use of National Institute of Standards and Technology (NIST) cybersecurity frameworks. DOD, with the help of NIST, also has to enhance the awareness of cybersecurity threats among small manufacturers and universities that work on DOD programs.
NDAA 2019 specifies that if there is a cyber attack that results in “significant loss” of military or civilian personally identifiable information or of controlled unclassified information by a cleared defense contractor, DOD has to inform Congress.
As part of its continued effort to improve U.S. cyber deterrence, Congress wants the Presidential Administration to inform legislators about efforts to develop cost imposition strategies, varying levels of cyber incursion and steps taken to prepare for the imposition of consequences to adversaries. The Administration must include specific planned actions, regulations and legislative action required for deterrence, as well as needs for “advancing technologies for [attack] attribution, inherently secure technology and artificial intelligence society-wide.”
Additionally, NDAA 2019 calls for the establishment of cyber institutes at higher learning institutions, particularly at senior military colleges that have Reserve Officers’ Training Corps programs. The legislation also creates several cybersecurity pilot programs including a military homeland defense operation modeling and simulation project, an effort to enhance cybersecurity and resiliency of critical infrastructure, and an Army National Guard regional cybersecurity training center.