By Sean Lyngaas
The House of Representatives this week overwhelmingly passeda defense policy bill with several cybersecurity measures aimed at better securing Pentagon networks.
The legislation — the fiscal 2019 National Defense Authorization Act (NDAA) — seeks closer collaboration between the departments of Defense and Homeland Security in defending against hackers, asks for quick notification of data breaches of military personnel, and continues to crack down on foreign-made telecom products that are deemed security threats.
The NDAA is an annual ritual that lawmakers use to shape Pentagon policies and budget plans while throwing in some pet projects to boot. The House bill — a $717 billion behemoth — eventually will be merged with the Senate’s version, which that chamber’s Armed Services Committee also approved this week. It’s unclear when the Senate bill will have floor votes.
One key provision of the House bill, according to the Rules Committee print, would set up a pilot program for the Pentagon to dispatch up to 50 cybersecurity staff to support the DHS’s mission to secure civilian networks. The deployment of the DOD personnel, potentially to DHS’s prized round-the-clock threat-sharing hub, would be a reminder of the overlapping turf that agencies compete for and try to reconcile in cyberspace.
While DOD may find itself loaning out a small group of its experts, lawmakers want to boost the department’s own workforce by giving the Defense secretary direct hiring authority through September 2025 for “any position involved with cybersecurity.” The Pentagon has boosted its ranks of computer gurus in recent years through U.S Cyber Command, but lawmakers and military brass are wary of losing these experts to lucrative private-sector jobs.
In the event of a “significant” breach of service members’ personal information, the Defense secretary would be required to promptly notify Congress. That issue came to the fore in January when it was revealed that GPS company Strava had published a map online that showed soldiers’ locations via devices like Fitbits.
Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus, backed the defense bill’s provisions to improve “our ability to deter adversaries in cyberspace.” In response to the Russian influence-operation to disrupt the 2016 U.S. presidential campaign, the bill would ask President Donald Trump for a report to Congress on what his administration is doing to protect against “cyber-enabled” information operations.
The House bill also keeps the pressure on Chinese telecom companies ZTE and Huawei by barring federal agencies from buying their products, and an amendment from Texas Republican Michael McCaul extends that ban to any use of federal grant money and loans.
The Senate version of the bill also tightly restricts the Pentagon’s use of technology considered a risk to national security. For example, an amendment from Sen. Jeanne Shaheen, D-N.H., would require DOD vendors to reveal if they’ve let foreign governments inspect their source code.
Senators seem intent on putting more language around offensive cyber-operations in their version of the bill compared to the House’s. According to a summary of the Senate bill, it stipulates a U.S. policy to use “all instruments of national power, including the use of offensive cyber capabilities” to deter cyberattacks that “significantly disrupt the normal functioning of our democratic society or government.”