|Per usual, the NDAA contains a number of technology related provisions, including a some of the CSC’s recommendations. The People’s Republic of China and the Russian Federation continue to receive attention.|
This week, legislative work began on the FY 2021 National Defense Authorization Act (NDAA). The Senate Armed Services Committee conducted markups at the subcommittee and committee level, almost of which were in closed settings, and announced a finished bill that has not yet been made available per committee tradition. However, as in years past, a summary of the NDAA has been released that provides a high level overview of the bill, including its cybersecurity and technology related provisions. Bill text will not likely be released before the bill comes to the Senate floor.
Most notably, a number of the Cyberspace Solarium Commission’s (CSC) recommendations were apparently included in the bill, an outcome the four CSC Members who also serve in Congress were working towards; Senators Ben Sasse (R-NE) and Angus King (I-ME) served on the CSC and are also on the Senate Armed Services Committee.
The CSC’s highest profile recommendation was not entirely accepted, however. The CSC had called for a National Cyber Director its final report that would be “be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” However, the FY 2021 NDAA merely uses an old strategy on possibly controversial changes: a study would be conducted on a National Cyber Director. Nevertheless, the CSC’s mandate would be extended another 16 months if this legislation is enacted, giving the body more time to work to see this and other recommendations possibly come to fruition.
All of the recommendations in the FY 2021 NDAA are those within the jurisdiction of the Armed Services Committees, suggesting the non-defense cybersecurity recommendations will need to be enacted by the various committees of jurisdiction. Ironically, this is the very issue the CSC addressed in its recommendation that Congress establish “House Permanent Select and Senate Select Committees on Cybersecurity.” However, it is a rare occurrence for Congress to redraw committee jurisdictions in such a significant way, and the Homeland Security Committees were created after the attacks on the United States on 11 September 2001. And yet, it is not uncommon for legislation that pertains mostly to civilian agencies and affairs to get added to the NDAA. For example, the “Federal Information Technology Acquisition Reform” (FITARA) (P.L. 113-291) was enacted as part of the FY 2013 NDAA.
The Committee explained that the NDAA includes 11 of the CSC’s recommendations:
- A review of National Guard response to cyberattacks,
- Adding a force structure assessment in the quadrennial cyber posture review,
- A report on enabling Cyber Command authorities, direction, and control of Cyber Operations Forces-related budgets, ensuring flexibility and agility to control acquisition,
- An evaluation of cyber reserve force options, which could provide capable surge capability and enable DOD to draw on cyber talent in the department sector,
- Improving cyber resiliency of nuclear command and control systems,
- A modification to fortify the Strategic Cybersecurity program and further cyber vulnerability assessment of weapons systems,
- A Defense Industrial Base threat intelligence sharing program to support companies’ ability to defend themselves,
- An assessment of the risk posed by quantum computing to national security systems,
- An extension of the Cyberspace Solarium Commission for tracking and facilitating the implementation of its recommendations for 16 months,
- An independent assessment on the feasibility and advisability of establishing a National Cyber Director.
The House Armed Services Committee will begin marking up its FY 2021 NDAA later this month with a full committee markup scheduled for 1 July. It is very likely CSC recommendations make it into this bill, and so it will be a matter of final negotiations to determine which recommendations are part of the bill, which is seen as must-pass on Capitol Hill. Moreover, CSC recommendations could get folded into appropriations bills for FY 2021, which is often one of the last matters Congress addresses before recessing for the winter holidays.
The Committee highlighted other cybersecurity and cyberspace provisions:
- Updates the responsibilities of the Principal Cyber Advisor, a key driver of the Department’s development and implementation of its 2018 cyber strategy, by increasing the integration and coordination responsibilities of that office to ensure that DOD’s cyber policies are coherent, cohesive, and meet needs,
- Improves transparency and requires DOD to provide more regular updates on cyber operations to Congress,
- Requires pilot programs, demonstrations, and/or plans for: speed-based cybersecurity capability metrics to measure DOD performance and effectiveness; interoperability and automated orchestration of cybersecurity systems (increased by $10 million above the President’s request); addressing network timing and address inconsistencies; and integration of user activity monitoring and cybersecurity systems,
- Requires an assessment of gaps between Cyber Mission Forces and Cybersecurity Service Providers,
- Authorizes increased funding ($25 million for Air Force Operation and Maintenance and $5 million for Army Operation and Maintenance) to provide Cyber Mission Forces with more resources to access, operate, and train as required by increased operational demands,
- Improves cyber readiness and “man, train, and equip” by:
- Authorizing a pilot program to prepare the National Guard for providing cyber assistance remotely in the case of cyber attacks,
- Prohibiting the Secretary of Defense from taking any action on the National Defense University’s College of Information and Cyber Space until completing an assessment of educational requirements for military and civilian leaders in this domain,
- Modifying authority to use Operation and Maintenance funds to allow for rapid creation, testing, and fielding of cyber capabilities to respond more quickly to threats, and
- Improving the training and retention of highly qualified cyber personnel, including providing Cyber Command with the same hiring authority for technical talent as exists at DARPA, the Strategic Capabilities Office, and the Joint Artificial Intelligence Center, and by allowing for pay that is more competitive with commercial industry.
Again, the Committee addressed the threats posed by the DOD having a significant part of its supply chain rooted in the People’s Republic of China (PRC) and the challenges posed by the nation to US military and national security:
- The FY21 NDAA takes numerous steps to reshape the Defense Industrial Base as a National Security Innovation Base, expanding its industrial capacity, promoting agility and resiliency, and identifying and mitigating risks associated with reliance on foreign adversaries, while investing in relationships with allies and partners. The shift to a National Security Innovation Base requires acknowledging that a whole-of-government approach is needed, and this bill encourages DOD to study broad factors that shape the industrial base and engage with outside stakeholders and interests. Recognizing that procurement restrictions are very powerful, the bill also ensures DOD is exploring all pathways to expand domestic capacity, including increased research and development. Lastly, the legislation safeguards proprietary technology, intellectual property, and other defense-sensitive data from being infiltrated by the government of China.
- Further implements recommendations from DOD’s report proceeding from Executive Order 13806 on assessing and strengthening the manufacturing and defense industrial base and supply chain resiliency of the U.S., and updates the framework for modernizing acquisition processes to ensure the integrity of the Defense Industrial Base,
- Requires analyses of a variety of materials and technology sectors, such as microelectronics, rare earth minerals, medical devices, personal protective equipment and pharmaceutical ingredients, to determine actions to take to address sourcing and industrial capacity,
- Directs additional steps for certain items, such as microelectronics, printed circuit boards, critical raw materials, and unmanned aircraft systems to mitigate risk of relying on foreign sources for products, materials, components, and manufacturing,
- Strengthens the National Technology and Industrial Base (NTIB) by creating a Regulatory Council and directing DOD to establish a process for admitting new members,
- Requires assessment of foreign industrial base capabilities and capacity to see how these drive risk to the U.S. from overreliance on China and their economic aggression,
- Continues to expand the role of small business, extending the authorization of a pilot program to streamline contracting and auditing processes for innovative technology programs and ensuring DOD pays small business contractors quickly,
- Directs steps to safeguard defense-sensitive U.S. intellectual property and technology from acquisition by China and with post-employment restricts pertaining to China.
The Committee highlighted provisions aimed at the PRC and Russia:
- Extends the limitation on providing sensitive missile defense information to Russia and on the integration of U.S. missile defense systems into those of China and Russia,
- Requires the Secretary of Defense to submit a report on the risk to DOD personnel, equipment, and operations due to Huawei 5G architecture in host countries and possible steps for mitigation,
- Requires the Secretary of Defense to consider 5G and 6G security risks posed by vendors like Huawei and ZTE when making overseas basing decisions,
- Protects the defense industrial base and supply chain, as well as intellectual property and technology, from disruption, infiltration, or theft by the Government of China (see “Innovation Base”),
- Fully funds the European Deterrence Initiative and increases funding to support rotational forces in Europe,
- Requires a report on Russian support to racially and ethnically motivated violent extremist groups and networks in Europe and the United States that creates or causes growing national security threats, information warfare, and increasing risks to societal stability and democratic institutions,
- Extends restrictions on military-to-military cooperation with Russia and any activities that would recognize Russian sovereignty over Crimea,
- Expresses a sense of the Senate that long-term strategic competition with Russia is a top defense priority that requires sustained investment and enhanced deterrence due to the level of threat posed,
The Committee added
As our strategic competitors develop more and more advanced weapons, equipment, and technology, it’s critical that the United States keep pace through deliberate, knowledge-based development. The FY21 NDAA directs investments and implements policies that will maintain or expand our comparative advantage over China and Russia for key capabilities and technologies. One strategy for accelerating innovation will be through a tailored approach of both subsystem prototypes, including for unmanned surface vessels, and full-scale prototypes, including for hypersonic weapons, based on a detailed understanding of what is necessary to achieve technical and technological maturity.
The bill also
- Supports the development of fifth-generation (5G) wireless networks by establishing a cross- functional team for 5G wireless networks and designates the DOD Chief Information Officer to lead the team and serve as the senior designated official for related policy, oversight, guidance, and coordination at DOD,
- Strengthens Science and Technology efforts in emerging technologies, including by requiring: an assessment of U.S. efforts to develop biotechnologies compared to our adversaries; development of Artificial Intelligence use-cases for reform efforts; enhancements to the Quantum Information Science research and development program; and a demonstration of innovative 5G commercial technologies, Encourages DOD to leverage commercially available technology where appropriate, particularly for artificial intelligence,
- Includes several provisions designed to recruit and retain talent with technology expertise, including requiring a study comparing methods for recruiting and retaining technology researchers used by both the U.S. and Chinese governments and authorizing a pilot program to permit university students and faculty to take on part-time and term employment at DOD labs to work on critical technologies and research activities,
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.