The House will consider scores of amendments to change US technology policy, including a number that would implement the recommendations of a congressional cybersecurity panel. However, some may not be in the final NDAA.
As is almost always the case, House Members are using the occasion of the annual consideration of the National Defense Authorization Act (NDAA) to offer a range of amendments to the House Rules Committee. Hundreds of amendments were submitted, and at the 17 July hearing, the Committee determined which would be made in order and allowed to be debated on the House floor, including scores of technology amendments. Many of these amendments to the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) would change US technology policy and funding, and some are complete bills the House has already passed, for inclusion in the NDAA increases the chances of enactment. Among the higher profile amendments made in order is one offered by Cyberspace Solarium Commission members that would establish a National Cyber Director position in the White House. The Senate declined to include this position in its FY 2021 NDAA, suggesting that addition to the House’s bill does not necessarily mean this provision will make it into law.
Earlier today, the House began its consideration of H.R.6395, which may take up the better part of the week. The House Rules Committee made in order the following technology-related amendments, which may be offered during debate:
- “Creates a cyber attack exception under the Foreign Sovereign Immunities Act (FSIA) to protect U.S. nationals against foreign state-sponsored cyber attacks.”
- “Requires reports to Congress on the defense and military implications of deepfake videos.”
- “Instructs the Steering Committee on Emerging Technology to establish a Deepfake Working Group to assess the national security implications of machine-manipulated media, such as deepfake videos.”
- “Expands and clarifies the mandate of entities authorized by the National Artificial Intelligence Initiative Act to include combatting discriminatory algorithmic bias against protected classes of persons.”
- “Requires the Secretary of Homeland Security to conduct a review of the ability of the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security to fulfill its current mission requirements, and for other purposes.”
- “Allows CISA to issue administrative subpoenas to ISPs to identify and warn entities of cyber security vulnerabilities.”
- “Establishes a National Cyber Director within the Executive Office of the President.”
- “Makes permanent a pilot program for the direct commissioning of cyber professionals and would give the services the authority to consider advanced degrees when deciding on the rank of the person obtaining the direct commission.”
- “Prohibits the use of certain DOD funds on the acquisition of artificial intelligence systems unless such systems have been or will be vetted for discriminatory algorithmic bias against protected classes of persons.”
- “Codifies the responsibilities of the sector risk management agencies with regard to assessing and defending against cyber risks.”
- “Implements a recommendation from the Cyberspace Solarium Commission that there be established at the Department of Homeland Security a Joint Planning Office to coordinate cybersecurity planning and readiness across the Federal government, State and local government, and critical infrastructure owners and operators.”
- “Reforms and codifies the Federal Risk and Authorization Management Program (FedRAMP). This amendment is the text of the bipartisan, House-passed H.R. 3941.”
- “Authorizes appropriations to establish a federal initiative to accelerate and coordinate Federal investments and facilitate new public-private partnerships in research, standards, and education in artificial intelligence in order to ensure the United States leads the world in the development and use of trustworthy artificial intelligence systems.”
- “Requires the Director of National Intelligence to report to Congress on foreign influence campaigns targeting federal elections.”
- “Directs the Secretary of Defense to ensure emerging technologies procured and used by the military are tested for algorithmic bias and discriminatory outcomes.”
- “Expresses a Sense of Congress that the additive manufacturing and machine learning initiative of the Army has the potential to accelerate the ability to deploy additive manufacturing capabilities in expeditionary settings and strengthen the United States defense industrial supply chain.”
- “Requires the Secretary of Defense to submit a report to Congress regarding recommendations on cyber hygiene practices. Additionally, requires DOD to assess each DOD component’s cyber hygiene and requires a GAO assessment of that report.”
- “Establishes within the Department of Veterans Affairs an office of cyber engagement to work with veterans, federal agencies, and social media platforms to identify cyber risks, including identity theft, to veterans and their families, as well as determine ways to address these risks, and provide information to veterans.”
- “Authorizes permanently the United States Patent and Trademark Office teleworking pilot program established by the Telework Enhancement Act of 2010.”
- “Requires the DOD to create and implement a training program for members of the Armed Forces and employees of DOD regarding foreign disinformation campaigns targeting them.”
- “Implements a recommendation from the Cyberspace Solarium Commission by authorizing the Cybersecurity and Infrastructure Security Agency to provide shared cybersecurity services to agencies, upon request, to assist in meeting Federal Information Security Modernization Act requirements and other agency functions.”
- “Amends existing biannual reporting requirements related to the DOD’s Joint Artificial Intelligence Center (JAIC) to include a description of the contribution to the development by the JAIC and DOD to AI standards.”
- “Directs the Department of Energy (DOE) to establish a research program in artificial intelligence and high-performance computing focused on the development of tools to solve big data challenges associated with veterans’ healthcare and the Department of Veterans Affairs activities in identifying potential health risks and challenges in veteran populations. Authorizes DOE to develop analysis tools that can address various big data challenges in industry, academia, and relevant Federal agencies, to promote data sharing and collaboration, and to establish multiple user facilities that serve as data enclaves capable of securely storing relevant data sets.”
- “Amends existing biannual reporting requirements related to the DOD’s Joint Artificial Intelligence Center to include position descriptions for roles that servicemembers take after the conclusion of their assignment with the JAIC.”
- “A Government Accountability Office (GAO) study to assess and analyze the state and availability of insurance coverage in the United States for cybersecurity risks and provide recommendations.”
- “Requires the Department of Defense to consult with stakeholders to develop guidelines for the acquisition of intellectual property (e.g., technological processes), to include model forms and definitions of key terms.”
- “Encourages the protection and promotion of internationally recognized human rights during and after the novel coronavirus pandemic, through reporting, orientation of foreign assistance programming, conditioning of security sector assistance, provision of DOD guidance, and ongoing tracking of the misuse of emergency powers or surveillance capacities.”
- “Expresses the sense of Congress with respect to the importance of preparing for catastrophic critical infrastructure failure events, and requires DoD to assess gaps in existing critical infrastructure resilience strategies.”
- “Requires the SecDef, in consultation with SecAF and CSO, to report on DOD processes and procedures for identifying and securing frequency licenses for national security space ground assets.”
- “Creates a National Supply Chain Database run by the Manufacturing Extension Partnership (MEP) Centers to connect small and mid-size manufacturers and prevent supply chain disruptions.”
- “Report on the effect of COVID-19 on the space industrial base and space programs of the Department of Defense.”
- “Adds “advanced sensors manufacturing” to the items considered within the updated approach to ensuring the continued production of cutting-edge microelectronics for national security needs.”
- “Directs GAO to do a report on ZTE’s compliance with the settlement agreement it reached with the Department of Commerce on June 8, 2018.”
- “Adds “distributed ledger technologies” to the definition of “emerging technologies” so that it be included in the assessment of what must be done for the United States to maintain their technological edge performed by the newly formed Steering Committee on Emerging Technology and Security Needs.”
- “Requires the Secretary of DHS, in consultation with the Secretary of Defense, to administer a large-scale exercise to test the United States ability to respond to a cyber attack against critical infrastructure. This exercise must be held at least every two years and include DoD, DHS, FBI, and appropriate elements of the IC.”
- “Enumerates the elements of an uncompleted briefing from the FY20 NDAA conference report on the potential use of distributed ledger technologies for defense purposes by the Under Secretary of Defense for Research and Engineering and adds a reporting requirement. The report is to summarize key findings of the briefing, analyze research activities of adversarial countries, make recommendations for additional research and development within the Department, and analyze the benefits of consolidating research within a single hub or center of excellence within the Department for distributed ledger technologies.”
- “Directs the Under Secretary of Defense for Acquisition and Sustainment to issue guidance that ensures the elimination of United States dependency on rare earth materials from China by fiscal year 2035.”
- “Expresses a sense of the Congress that the National Science Foundation is critical to the expansion of the frontiers of scientific knowledge and advancing American technological leadership in key technologies, and that in order to continue to achieve its mission in the face of rising challenges from strategic competitors, the National Science Foundation should receive a significant increase in funding, expand its use of its existing authorities to carry out new and innovative types of activities, consider new authorities that it may need, and increase existing activities such as the convergence accelerators aimed at accelerating the translation of fundamental research for the economic and national security benefit of the United States.”
- “Prohibits federal employees from downloading or using TikTok on any technology device issued by the United States government.”
- “Expresses the sense of Congress that the Secretary of Defense should include in existing reporting, an assessment of and recommendations to address, gaps or vulnerabilities within the National Technology and Industrial Base Sector that enable theft of intellectual property critical to the development and long-term sustainability of defense technologies.”
- “Examines how AI can enhance opportunities for different geographic regions, underrepresented populations, and our nation’s workforce, among other areas.”
- “Requires the National Security Innovation Network (NSIN) to leverage commercial software platforms and databases to enable DoD to access information on private sector, venture capital, and technology solutions to DoD innovation challenges.”
- “Requires the President to produce a whole-of-government strategy to impose costs on and achieve deterrence toward China for cyber-enabled corporate espionage and personal data theft.”
- “Establishes the Open Technology Fund to promote global internet freedom by countering internet censorship and repressive surveillance by authoritarian regimes. This amendment version is the same as H.R. 6621, which is a bipartisan bill.”
- “Implements a recommendation from the Cyberspace Solarium Commission that establishes a fixed 5-year term for the Director of the Cybersecurity and Infrastructure Security Agency and establishes minimum qualifications for the CISA Director.”
- “Restores American leadership in semiconductor manufacturing by increasing federal incentives to enable advanced research and development, secure the supply chain, and ensure long-term national security and economic competitiveness.”
- “Extends by 2 years the sunset date for Sec. 1651 of the FY2019 NDAA (Public Law 115–232; 32 U.S.C. 501 note) Pilot Program on Regional Cybersecurity Training Center for the Army National Guard.”
- “Implements a recommendation made by the Cyberspace Solarium Commission to require the Secretary of Homeland Security to develop a strategy to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across U.S.-based email providers.”
- “Requires the Secretary of Defense to, no later than 180 days after enactment of this Act, submit to Congress a report regarding partnerships with institutions of higher education for rare earth material supply chain security.”
- “Requires the Science and Technology Directorate in the Department of Homeland Security to report at specified intervals on the state of digital content forgery technology. Digital content forgery is the use of emerging technologies, including artificial intelligence and machine learning techniques, to fabricate or manipulate audio, visual, or text content with the intent to mislead.”
- “Implements a recommendation from the Cyberspace Solarium Commission to require the Department of Homeland Security to establish a cyber incident reporting program.”
- “Enhances CISA’s ability to both protect federal civilian networks and provide useful threat intelligence to critical infrastructure by authorizing continuous threat hunting on the .gov domain. This will enable CISA to quickly detect, identify, and mitigate threats to federal networks from malware, indicators of compromise, and other unauthorized access.”
- “Directs the Secretary of Defense, in consultation with relevant Federal departments and agencies, to prepare an assessment on the People’s Liberation Army of the People’s Republic of China 2035 modernization targets.”
- “Requires DOD to assess each DOD component’s cyber hygiene and requires a GAO assessment of that report.”
- “Encourages the Department of Defense to build partnerships with minority and women-owned Department of Defense contractors to establish STEM apprenticeships and internships.”
- “Requires Defense Secretary to consider additional installations for purposes of the 5G test bed program.”
- “Directs the National Institute of Standards and Technology to carry out a program that will improve the United States’ capacity for verifying and manufacturing advanced microelectronics.”
The House Armed Services Committee has also released its Committee Report in two parts (Volume I and II) and detailed the overall funding authorized by the package:
H.R. 6395 supports an overall authorization of $740.5 billion dollars for our national defense. H.R. 6395 would authorize approximately $662.6 billion in discretionary spending for national defense and approximately $69.0 billion in discretionary spending for Overseas Contingency Operations. This authorization level will allow our military to maintain readiness, expand capabilities, and invest in the new software and technologies required to secure our country.
The committee included a number of requests and directives of the DOD and other agencies, including but not limited to:
- Report on Cybersecurity Maturity Model Certification
- The committee acknowledges that the Department of Defense has taken initial steps to ensure that its contractors are aware of the actions necessary to protect the government’s data and networks from cybersecurity threats. However, the committee is concerned that there remain key unanswered questions about how it will implement its cybersecurity framework, especially given the level of collaboration necessary between industry and government for its success. Therefore, the committee directs the Under Secretary of Defense for Acquisition and Sustainment to submit a report to the congressional defense committees by January 15, 2021, regarding the Cybersecurity Maturity Model Certification (CMMC) program.
- Report on Ties between Russia and China
- The Department of Defense has acknowledged that China and Russia are increasingly working in cooperation on a wide range of matters, including economically, politically, and militarily; and that the Department believes the growing ties between Russia and China are challenging the rules-based order and present a threat to U.S. national security interests. The committee notes that the National Defense Strategy highlights the joint force’s eroding competitive edge against China and Russia. The committee endeavors to fully understand the extent of the ties between Russia and China. Therefore, the committee directs the Director of National Intelligence, in consultation with the Secretary of Defense, to submit a report to the congressional defense committees and the congressional intelligence committees by March 1, 2021, on the relationship between China and Russia.
- Fourth Estate Network Optimization
- The committee recognizes the importance of creating efficiencies and cost savings within the Fourth Estate and across the Department of Defense, to include the consolidation of information technology services away from legacy common use information technology services into a single service provider (SSP). The committee notes that on August 15, 2019 the Deputy Secretary of Defense directed the Defense Information Systems Agency (DISA) to execute such consolidation under the Fourth Estate Network Optimization (4ENO) effort over the period of fiscal year 2020 to fiscal year 2024. The committee directs the Secretary of Defense to provide a report to the congressional defense committees not later than February 1, 2021, on the status of the consolidation effort, including details on the schedule and plan for consolidation, progress on the transition of each Defense Agency and Field Activity (DAFA) from common use information technology services into the SSP environment, the list of assets and services being transitioned, a list of assets and services remaining within each DAFA, a justification for assets not transitioned, and the reallocation of funding as a result of the transition.
- GAO Assessment on DOD Cyber Incident Management Efforts
- The committee notes that the Department of Defense (DOD) has experienced a number of high-profile breaches to Department of Defense (DOD) systems and networks. For example, in July 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in the system being shut down for more than a week while cyber experts rebuilt the network, affecting the work of roughly 4,000 military and civilian personnel. In 2018, DOD disclosed a data breach to its contracted travel management system that allegedly affected approximately 30,000 military and civilian employees. In 2020, DOD similarly acknowledged that the Defense Information Systems Agency networks were breached that reportedly resulted in the personal data of approximately 200,000 network users being compromised.
- The committee is concerned that while DOD established the Joint Force Headquarters–DOD Information Network (JFHQ–DODIN) to operationalize and defend DOD systems and networks, other DOD components still view these systems and networks as an administrative capability. Cyber incidents, such as those identified above, can disrupt critical military operations, lead to inappropriate access to and modification of sensitive information, result in long-term financial obligations for credit monitoring, and threaten national security. Therefore, the committee directs the Comptroller General of the United States to provide the congressional defense committees with an assessment of DOD management of cyber incidents and efforts to mitigate future cyber incidents.
- GAO Study and Report on Electronic Continuity of Operations on the Department of Defense
- The committee notes the centrality of electronic command, control, and communications to Department of Defense continuity of operations. To ensure that the committee is fully informed of how the Department of Defense is addressing issues related to the risk to electronic communications, the committee requests that the Comptroller General of the United States conduct a study of electronic communications continuity of operations of the Department of Defense.
- Information Technology Asset Management and Inventory
- The committee commends the Department of Defense for the considerable improvement made on information technology, asset discovery, and asset management. However, the committee believes the Department would benefit from an established process for auditing software and hardware inventories. The lack of a single policy framework hinders the capacity of the Department to discover license duplication and the Department is at risk of wasting valuable resources on redundant or underutilized hardware and software. The Department also lacks real-time discovery of and visibility over its network attack surface, particularly its forward-facing internet assets and Department assets held in cloud environments, resulting in increased risk of exposures exploitable by malicious adversaries. The private sector has successfully navigated this challenge through the use of automated software tools widely available on the commercial market.
- The committee directs the Chief Information Officer of the Department of Defense, in coordination with chief information officers of the military services, to provide a briefing to the House Committee on Armed Services, not later than March 1, 2021, on the processes in place for asset discovery and management of hardware and software products.
- Internet Architecture Security
- The committee recognizes that the internet is inextricable and central to the American way of life, and the architecture that enables internet communications is layered, complex, and multi-faceted. The committee notes that this architecture includes high-capacity cables laid underground and underseas, cable landing stations that connect cables from continent to continent, and internet exchange points that serve as clearinghouses for data between Internet Service Providers and content delivery networks; all of which are required for the internet to operate. The committee recognizes that the executive branch has assigned responsibility for components or sectors of critical infrastructure to various executive branch departments and agencies, and internet architecture is approached in a fractured and piecemeal fashion, with multiple government stakeholder entities claiming responsibility. The committee is concerned that the lack of direction on the subject of internet architecture security creates significant risks to the nation. Consequently, the committee directs the Comptroller General of the United States to provide a report to the House Committee on Armed Services by September 1, 2021, to examine the issue of internet architecture security.
- Report and GAO Briefing on DOD Cyber Hygiene and Cybersecurity Maturity Model Certification Framework
- Given the importance of implementing cyber hygiene practices that could effectively protect DOD missions, information, and systems and networks, we direct the Secretary of Defense to submit a report to the defense committees identifying the extent to which each of the DOD components have implemented cyber hygiene practices and levels identified in the CMMC framework. For each DOD component that does not achieve level 3 status (referred to as “good cyber hygiene” in CMMC Model ver. 1.02), the head of the component is to provide the Congressional defense committees, the DOD Chief Information Officer, the commander of JFHQ–DODIN a plan on how the component will implement those security measures within one year and mitigate potential consequences until those practices are implemented. In order to aid in the understanding of what cyber hygiene practices have been and have not been implemented by the DOD that the department requires private sector companies to implement before they receive a contract where they would have access to controlled unclassified information, the Secretary of Defense shall submit the DOD report to the Congressional defense committees and the Comptroller General of the United States by March 1, 2021. The committee further directs the Comptroller General to conduct an independent review of the Secretary’s report and provide a briefing to the Congressional defense committees no later than the end of the fiscal year.
- Department of Defense Artificial Intelligence Capabilities and Strategy
- The committee believes that global leadership in artificial intelligence (AI) technology is a national security priority. In 2018, the Department of Defense issued a department-wide AI strategy to provide direction for AI development. As the Department increases its investments in AI, machine learning, and other automation technologies, the committee believes that the Department’s resources, capabilities, and plans should continue to ensure U.S. competitive advantage over potential adversaries. Therefore, the committee directs the Comptroller General of the United States to provide the committee with an assessment of the Department’s resources, capabilities, and plans for AI.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.