Congress is poised to vote in coming days on an $858 billion annual defense policy bill that contains significant spending increases for U.S. Cyber Command and other efforts to bolster national cybersecurity defenses.
Here’s a rundown of some of the key cyber elements of the 2023 National Defense Authorization Act and some noteworthy omissions from the bill released Tuesday night.
For starters, lawmakers allocated $44 million to Cyber Command to augment its so-called “hunt forward” missions, part of the command’s strategy for “persistent engagement,” defined as the need to constantly and speedily interact with adversaries in cyberspace. Cyber Command has reported hunt forward operations in at least 35 countries and in more than 50 foreign networks, including in Estonia, Lithuania, Montenegro, North Macedonia and Ukraine.
The legislation also creates an assistant secretary of cyber policy at the Department of Defense and directs the DOD secretary to brief lawmakers annually on how Cyber Command and the National Security Agency collaborate.
If the president determines “an active, systemic and ongoing campaign of attacks in cyberspace by a foreign power” against the U.S. government or critical infrastructure, the bill affirms the ability of Cyber Command to carry out operations with presidential approval in “foreign cyberspace.”
The Biden administration recently ended an evaluation of the “dual hat” leadership structure — under which the same person runs the NSA and Cyber Command — without making a formal recommendation about whether to end the practice, a move first reported by The Record.
The bill codifies a new cybersecurity bureau at the State Department, now run by inaugural Ambassador Nate Fick.
The NDAA also requires Cyber Command’s election security efforts to be described in a biennial, unclassified report through the 2032 election cycle. Free cybersecurity training to be developed and hosted by the Cybersecurity and Infrastructure Security Agency is also included in the legislation.
The bill also focuses on privacy and includes provisions to place guardrails on how U.S. intelligence uses commercial spyware. The legislation requires intelligence agencies including the FBI, CIA and NSA to issue a report to Congress within 90 days assessing the threat spyware poses to the United States.
It also bulks up the authorities of the Director of National Intelligence to guide how intelligence agencies can use spyware, including the power to prohibit the intelligence community from procuring or licensing spyware, though waivers could apply. The bill would also require the director of national intelligence to issue best practices to agencies on how to prevent spyware intrusions.
The White House is expected to issue an executive order early next year offering guidance on how to limit federal agencies use of spyware that poses a national security risk.
There are a few major exclusions in the combined House and Senate versions, too.
FedScoop’s John Hewitt Jones reports that the NDAA left out an amendment to codify a software bill of materials, or SBOM, in the federal procurement process. Lawmakers removed it following strong criticism from industry.
That piece of the legislation would have required “all holders of existing covered contracts and those responding to requests for proposals from the U.S. Department of Homeland Security to provide a bill of materials and to certify that items in the bill of materials are free of vulnerabilities or defects,” Hewitt Jones reported.
Additionally, the bill goes to a vote without language on the need to designate “systemically important entities,” or significant U.S. critical infrastructure. Had it been included, the language would have forced certain critical infrastructure operators to adapt rigorous standards for digital security.
Mark Montgomery, former executive director of the Cyberspace Solarium Commission, said it was “disappointing” to see the standard cut, especially given Department of Homeland Security Secretary Alejandro Mayorkas’ recent call for what Montgomery called “exactly this type of infrastructure prioritization.”
Tonya Riley and Christian Vasquez contributed reporting.