Here’s what the newly signed NDAA means for cybersecurity
President Donald Trump signed the $700 billion National Defense Authorization Act (NDAA) on Tuesday, a law that sets policies and budget guidelines for the U.S. military for fiscal 2018, including its various cybersecurity-focused initiatives.
The mammoth piece of annual legislation often includes brand-new projects and policy provisions. This year’s NDAA advances several important cybersecurity efforts while also establishing new rules and programs related to information security.
Here’s a closer look at some key cybersecurity provisions:
- The ban on Kaspersky Lab software becomes official (SEC. 1634)
While the Homeland Security Department has already taken concrete steps to push Kaspersky Lab products out of the federal government, Sec. 1634 makes the ban official across the Defense Department and sets a deadline of October 2018 for total removal. The ban specifically mentions any and all products owned by Kaspersky Lab, including both services and software produced by subsidiaries.
- Trump will define what “cyberwar” means (SEC. 1633)
The president will be expected to “develop a national policy for the United States relating to cyberspace, cybersecurity, and cyber warfare,” which will be submitted to Congress. The policy will describe and clearly define what plans, powers and roles different federal agencies boast when reacting to a cyberattack of significant consequence. In addition, the White House should outline what sort of options it could rely on in cyberspace during a time of war. The doctrine is supposed to be “multi-prong,” including a deterrence, defense and offensive strategy. There is no deadline for the submission of this national policy. The White House is currently working to develop a semi-related, comprehensive National Security Strategy, according to Thomas Bossert, the president’s top homeland security adviser.
- The Defense Secretary will be required to review and come up with a plan for how the broader department can integrate and better organize its various cybersecurity capabilities and responsibilities (SEC. 1641, SEC. 1644 and portions of others)
Throughout the NDAA, there are multiple references to the need for Pentagon leadership to reexamine the department’s internal organizational structure surrounding its many different cybersecurity-related missions. The underlying purpose of these requests suggests that Congress wants the Pentagon to think about how it plans to respond to attacks, coordinate a response and collaborate on digital threats. At the moment, cybersecurity efforts are decentralized within the Pentagon and have been compartmentalized into specific groups and offices.
- Cyber scholarship programs in focus (SEC. 1649)
The National Science Foundation and Office of Personnel Management will launch a joint pilot scholarship program, involving five to 10 community colleges, aimed at educating and recruiting talent directly out of universities. In addition, the NDAA requires that at least 5 percent of the total amount available for financial assistance under the NDAA be applied specifically to cyber education programs, including K-12 schools.
- Ryan, Pelosi given new powers to thwart cyberattacks aimed at House of Representatives (SEC. 1090)
If either the speaker of the House or minority leader determines that a breach has occurred in Congress that requires additional resources or support, they will have new power to seek additional funding. The types of organizations capable of providing such support to Congress may include other governmental agencies, like the NSA, or private cybersecurity companies.
- America won’t be buying satellite technology from a foreign government (especially Russia) anytime soon because of cyber risks (SEC. 1603)
The Defense Department, and other U.S. defense organizations, are now barred from signing satellite service contracts with companies the Defense secretary believes could be affiliated with a “foreign country, or by an entity controlled in whole or in part by, or acting on behalf of, the government of a covered foreign country.” Although the provision clearly mentions the creation of a barrier with any and all companies controlled by “foreign governments,” it goes so far as to directly name Russia, due to apparent associated “cybersecurity risk[s].”
- Lawmakers should know more about clandestine U.S.-backed offensive cyber-operations and hacking capabilities (SEC. 1631, SEC. 1632)
The Pentagon will notify the appropriate congressional committees of any sensitive military-led cyber operations it launches under Title 10 authorities within 48 hours following the conclusion of a related mission. SEC. 1632 also requires that lawmakers be informed of the military’s stock of cyber weapons, as well as their usage, on a quarterly basis.
- DoD’s chief information officer will be getting additional power to control the Pentagon’s cybersecurity mission (SEC. 909)
The Chief Information Officer for the Defense Department will take on new responsibilities, including the ability to plan and support offensive cyber-operations. The expansion in role is described in the NDAA through a rewriting of the position’s focus areas, which now includes all of the following: “information technology, networking, information assurance, cybersecurity, and cyber capability architectures.” As part of this upgrade, the CIO will also provide an opinion on budgetary decisions which will be sent directly to the Defense Secretary.
- U.S. needs to have more of a plan in place to counter Russian information operations, like what happened in 2016 (SEC. 1641)
In less than 180 days, the Defense Secretary will provide a plan to Congress that explains how the Pentagon will deter, counter and negate information operations aimed at U.S. citizens. This plan will reference areas where the U.S. can partner with allies to address digital propaganda created by Russia.
- Planning for an end to the dual-hat arrangement at Cyber Command/NSA (SEC. 1648)
Pentagon leadership will submit a report by May 2018 addressing the operational and budgetary impact of ending the dual-hat arrangement at Cyber Command, which currently allows for the NSA director to manage both organizations.
- U.S. Cyber Command will reevaluate how it develops hacking and defensive cyber tools (SEC. 1642)
The leader of U.S. Cyber Command, which today continues to be the NSA director, will evaluate “alternative methods for developing, acquiring, and maintaining software-based cyber tools and applications.” The idea is for the command to find new ways to decrease costs, speed up development and improve effectiveness as part of a repeatable, “disciplined” process. This review will include an examination of the current training and education programs in place for software developers. At the moment, Congress is planning for Cyber Command to receive its own leader next year, separating it from NSA leadership and elevating the organization to a unified combatant command on par with the likes of SOCOM.