House Starts Consideration of Its NDAA

The House will consider scores of amendments to change US technology policy, including a number of implement the recommendations of a congressional cybersecurity panel. However, some may not be in the final NDAA.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

As is almost always the case, House Members are using the occasion of the annual consideration of the National Defense Authorization Act (NDAA) to offer a range of amendments to the House Rules Committee. Hundreds of amendments were submitted, and at the 17 July hearing, the Committee determined which would be made in order and allow to be debated on the House floor, including scores of technology amendments. Many of these amendments to the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) would change US technology policy and funding, and some are complete bills the House has already passed, for inclusion in the NDAA increases the chances of enactment. Among the higher profile amendments made in order is one offered by Cyberspace Solarium Commission members that would establish a National Cyber Director position in the White House that the Senate declined to include in its FY 2021 NDAA, suggesting addition to the House’s bill does not necessarily this provision will make it into law.

Earlier today, the House began its consideration of H.R.6395, which may take up the better part of the week. The House Rules Committee made the following amendments in order to be offered during debate that pertain to technology:

The House Armed Services Committee has also released its Committee Report in two parts (Volume I and II) and detailed the overall funding authorized by the package:

H.R. 6395 supports an overall authorization of $740.5 billion dollars for our national defense. H.R. 6395 would authorize approximately $662.6 billion in discretionary spending for national defense and approximately $69.0 billion in discretionary spending for Over-seas Contingency Operations. This authorization level will allow our military to maintain readiness, expand capabilities, and invest in the new software and technologies required to secure our country.

The committee included a number of requests and directives of the DOD and other agencies, including but not limited to:

  • Report on Cybersecurity Maturity Model Certification
    • The committee acknowledges that the Department of Defense has taken initial steps to ensure that its contractors are aware of the actions necessary to protect the government’s data and networks from cybersecurity threats. However, the committee is concerned that there remain key unanswered questions about how it will implement its cybersecurity framework, especially given the level of collaboration necessary between industry and government for its success. Therefore, the committee directs the Under Secretary of Defense for Acquisition and Sustainment to submit a report to the congressional defense committees by January 15, 2021, regarding the Cybersecurity Maturity Model Certification (CMMC) program.
  • Report on Ties between Russia and China
    • The Department of Defense has acknowledged that China and Russia are increasingly working in cooperation on a wide range of matters, including economically, politically, and militarily; and that the Department believes the growing ties between Russia and China are challenging the rules-based order and present a threat to U.S. national security interests. The committee notes that the National Defense Strategy highlights the joint force’s eroding competitive edge against China and Russia. The committee endeavors to fully understand the extent of the ties between Russia and China. Therefore, the committee directs the Director of National Intelligence, in consultation with the Secretary of Defense, to submit a report to the congressional defense committees and the congressional intelligence committees by March 1, 2021, on the relationship between China and Russia.
  • Fourth Estate Network Optimization
    • The committee recognizes the importance of creating efficiencies and cost savings within the Fourth Estate and across the Department of Defense, to include the consolidation of information technology services away from legacy common use information technology services into a single service provider (SSP). The committee notes that on August 15, 2019 the Deputy Secretary of Defense directed the Defense Information Systems Agency (DISA) to execute such consolidation under the Fourth Estate Network Optimization (4ENO) effort over the period of fiscal year 2020 to fiscal year 2024. The committee directs the Secretary of Defense to provide a report to the congressional defense committees not later than February 1, 2021, on the status of the consolidation effort, including details on the schedule and plan for consolidation, progress on the transition of each Defense Agency and Field Activity (DAFA) from common use information technology services into the SSP environment, the list of assets and services being transitioned, a list of assets and services remaining within each DAFA, a justification for assets not transitioned, and the reallocation of funding as a result of the transition.
  • GAO Assessment on DOD Cyber Incident Management Efforts
    • The committee notes that the Department of Defense (DOD) has experienced a number of high-profile breaches to Department of Defense (DOD) systems and networks. For example, in July 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in the system being shut down for more than a week while cyber experts rebuilt the network, affecting the work of roughly 4,000 military and civilian personnel. In 2018, DOD disclosed a data breach to its contracted travel management system that allegedly affected approximately 30,000 military and civilian employees. In 2020, DOD similarly acknowledged that the Defense Information Systems Agency networks were breached that reportedly resulted in the personal data of approximately 200,000 network users being compromised.
    • The committee is concerned that while DOD established the Joint Force Headquarters–DOD Information Network (JFHQ– DODIN) to operationalize and defend DOD systems and networks, other DOD components still view these systems and networks as an administrative capability. Cyber incidents, such as those identified above, can disrupt critical military operations, lead to inappropriate access to and modification of sensitive information, result in long-term financial obligations for credit monitoring, and threaten national security. Therefore, the committee directs the Comptroller General of the United States to provide the congressional defense committees with an assessment of DOD management of cyber incidents and efforts to mitigate future cyber incidents.
  • GAO Study and Report on Electronic Continuity of Operations on the Department of Defense
    • The committee notes the centrality of electronic command, control, and communications to Department of Defense continuity of operations. To ensure that the committee is fully informed of how the Department of Defense is addressing issues related to the risk to electronic communications, the committee requests that the Comptroller General of the United States conduct a study of electronic communications continuity of operations of the Department of Defense.
  • Information Technology Asset Management and Inventory
    • The committee commends the Department of Defense for the considerable improvement made on information technology, asset discovery, and asset management. However, the committee believes the Department would benefit from an established process for auditing software and hardware inventories. The lack of a single policy framework hinders the capacity of the Department to discover license duplication and the Department is at risk of wasting valuable resources on redundant or underutilized hardware and software. The Department also lacks real-time discovery of and visibility over its network attack surface, particularly its forward-facing internet assets and Department assets held in cloud environments, resulting in increased risk of exposures exploitable by malicious adversaries. The private sector has successfully navigated this challenge through the use of automated software tools widely available on the commercial market.
    • The committee directs the Chief Information Officer of the Department of Defense, in coordination with chief information officers of the military services, to provide a briefing to the House Committee on Armed Services, not later than March 1, 2021, on the processes in place for asset discovery and management of hardware and software products.
  • Internet Architecture Security
    • The committee recognizes that the internet is inextricable and central to the American way of life, and the architecture that enables internet communications is layered, complex, and multi-faceted. The committee notes that this architecture includes high-capacity cables laid underground and underseas, cable landing stations that connect cables from continent to continent, and internet exchange points that serve as clearinghouses for data between Internet Service Providers and content delivery networks; all of which are required for the internet to operate. The committee recognizes that the executive branch has assigned responsibility for components or sectors of critical infrastructure to various executive branch departments and agencies, and internet architecture is approached in a fractured and piecemeal fashion, with multiple government stakeholder entities claiming responsibility. The committee is concerned that the lack of direction on the subject of internet architecture security creates significant risks to the nation. Consequently, the committee directs the Comptroller General of the United States to provide a report to the House Committee on Armed Services by September 1, 2021, to examine the issue of internet architecture security.
  • Report and GAO Briefing on DOD Cyber Hygiene and Cybersecurity Maturity Model Certification Framework
    • Given the importance of implementing cyber hygiene practices that could effectively protect DOD missions, information, and systems and networks, we direct the Secretary of Defense to submit a report to the defense committees identifying the extent to which each of the DOD components have implemented cyber hygiene practices and levels identified in the CMMC framework. For each DOD component that does not achieve level 3 status (referred to as ‘‘good cyber hygiene’’ in CMMC Model ver. 1.02), the head of the component is to provide the Congressional defense committees, the DOD Chief Information Officer, the commander of JFHQ–DODIN a plan on how the component will implement those security measures within one year and mitigate potential consequences until those practices are implemented. In order to aid in the under-standing of what cyber hygiene practices have been and have not been implemented by the DOD that the department requires private sector companies to implement before they receive a contract where they would have access to controlled unclassified information, the Secretary of Defense shall submit the DOD report to the Congressional defense committees and the Comptroller General of the United States by March 1, 2021. The committee further directs the Comptroller General to conduct an independent review of the Secretary’s report and provide a briefing to the Congressional defense committees no later than the end of the fiscal year.
  • Department of Defense Artificial Intelligence Capabilities and Strategy
    • The committee believes that global leadership in artificial intelligence (AI) technology is a national security priority. In 2018, the Department of Defense issued a department-wide AI strategy to provide direction for AI development. As the Department increases its investments in AI, machine learning, and other automation technologies, the committee believes that the Department’s re-sources, capabilities, and plans should continue to ensure U.S. competitive advantage over potential adversaries. Therefore, the committee directs the Comptroller General of the United States to provide the committee with an assessment of the Department’s resources, capabilities, and plans for AI.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by David Mark from Pixabay

National Cyber Director Hearing

The primary committee of jurisdiction over a bill to create a White House Cyber Director held a hearing on the ramifications of creating just such a position.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 14 July, the House Oversight and Reform Committee held a virtual hearing to discuss the recently introduced “National Cyber Director Act” (H.R.7331) that would implement one of the Cyberspace Solarium Commission’s (CSC) most significant recommendations. Representative James Langevin (D-RI), who served on the CSC, introduced the bill a few weeks ago when it appeared clear that neither Armed Services Committee will include the CSC’s recommendation that a position be established inside the Executive Office of the President of a National Cyber Director to coordinate much of the United States’ cyber policy that would need to be confirmed by the Senate. Langevin and a number of others submitted an amendment to the House Rules Committee for consideration of the “William M. (Mac) Thornberry National Defense Authorization Act (NDAA) for Fiscal Year 2021” (H.R.6395) that would add H.R.7331 to the House’s FY 2021 NDAA. It is possible this amendment is made in order and will be debated on the House floor when the chamber turns to H.R.6395, which could happen as soon as next week.

The holding of this hearing is likely part of an effort to convince House Democratic Leadership and the House Rules and Armed Services Committees of the support for H.R.7331 so that it can be debated during consideration of the FY 2021 NDAA. The chair of the House Oversight and Reform Committee cosponsored Langevin’s amendment as did a number of Republicans, demonstrating its bipartisan nature. Also, having held a hearing at which a number of witnesses endorsed the idea will lend further weight to it being allowed to be offered to the annual Department of Defense policy package.

The Senate’s NDAA does not include language establishing a National Cyber Director position. Rather, the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would require “the  Secretary  of  Defense,  in  coordination  with  the Secretary  of  Homeland  Security,  shall  seek  to  enter  into  an  agreement  with  an  independent  organization  with  relevant expertise in cyber policy and governmental organization  to  conduct  and  complete  an  assessment  of  the  feasibility and advisability of establishing a National Cyber Director.” It is possible that CSC co-chair Senator Angus King (I-ME) succeeds in getting this recommendation included in the Senate’s FY 2021 NDAA when the body continues with debate next week.

Chair Carolyn Maloney (D-NY) stated

Cyberattacks are a critical, complex, prevalent, and growing threat to the nation’s safety and economic security, touching nearly every aspect of our lives. This assessment was upheld by recent findings from the U.S. Cyberspace Solarium Commission, which was established by the 2019 National Defense Authorization Act to review the state of our cybersecurity posture and develop bipartisan solutions for defending America against cyberthreats.  This commission of Congressional, Executive Branch, and private sector cybersecurity leaders sounded the alarm that, in addition to millions of intrusions that disrupt operations in America on a daily basis, we remain vulnerable to catastrophic attacks on critical infrastructure and economic systems that could cause widespread damage and death.

Maloney noted “[a] number of the commission’s recommendations fall within the legislative jurisdiction of this Committee…[and] [t]his includes one that has sparked a high level of interest on both sides of the aisle—the recommendation for a centralized cybersecurity position at the White House to develop and streamline the federal government’s strategy, coordination, and response to cyberthreats.” She said that “[t]his role was first formalized during the George W. Bush Administration, and then elevated and expanded during the Obama Administration…[b]ut in 2018, then-National Security Adviser John Bolton eliminated the role, reportedly to cut “another layer of bureaucracy.”

Maloney said that “we will review H.R. 7331, which would implement the Commission’s recommendation to establish a National Cyber Director in the Executive Office of the President.” She said that “[t]his new position would restore that cyber coordination and planning function at the White House…[and] [i]n addition, for the first time, it would be backed with resources and statutory authority to lead strategic planning efforts, review cybersecurity budgets, and coordinate national incident response.” Maloney stated “[a] challenge as complex and pervasive as cybersecurity requires that our government be strategic, organized, and ready…[and] Democrats and Republicans agree we need a National Cyber Director to ensure we are fully prepared for, and coordinated in, our response to cyberattacks as our nation fights this silent war.” She explained “[o]ur mission today is to gain a detailed understanding of the threats we face, and to thoroughly examine H.R. 7331 as the vehicle for preparing our country against those threats.”

Ranking Member James Comer (R-KY) said the federal cyber domain is dispersed with varying jurisdictions and expertise among agencies organized to fight cyber-crime, defend national security, and support the private sector’s critical cyber infrastructure. He noted the increasingly reliance in the US on technology and growing inter-connected nature of the American economy. Comer said foreign actors, terrorist groups, domestic agitators, and criminal enterprises all have a vested interest in exploiting US networks. Comer said the remote operations of the pandemic have created new cyber vulnerabilities that malicious actors are taking advantage of. He added the same threats face private sector and state, local, tribal, and territorial governments. Comer stressed that fostering relationships across the private sector and state and local partners, vital cyber threat information can be shared that helps secure critical infrastructure.

Comer noted the witnesses have vast experience in combatting cyber threats from nations like the People’s Republic of China (PRC) that has historically hacked into agencies like the Federal Deposit Insurance Corporation, stolen intellectual property, and paid professors and researchers for research and development information. He stated he would welcome the opportunity to work with Democrats to hold the PRC accountable for these bad acts as well as their deceptive tactics over the course of the COVID-19 pandemic. Comer said the present hearing would, instead, examine a proposal to create a National Cyber Director. He stressed that Members have a duty to be good stewards of taxpayer dollars and not create more bureaucracy. Comer commended the Trump’s Administration’s performance in fending off threats to medical and health facilities and to teleworkers during the pandemic.

Comer asked whether it is truly necessary to establish a new position to coordinate cybersecurity, and, if so, would this official actually have the authority necessary to execute her responsibilities. Moreover, will other stakeholders fall in line and work in harmony, he asked. Comer said it is already he case the multiple federal agencies have cybersecurity jurisdiction and wondered whether another official would help the US government’s cyber posture. He expressed his concern that the bill may create a duplicative, bureaucratic layer of government that will hinder future responses to cyber-attacks.

Representatives and CSC Members James Langevin (D-RI) and Mike Gallagher (R-WI) claimed

First and foremost, the Executive Branch must establish a National Cyber Director to centralize and coordinate the cybersecurity mission at the national level. The National Cyber Director would work among Federal departments and agencies to bring coherence in both in the development of cybersecurity policy and strategy and in its execution. The position would provide clear leadership in the White House and signal cybersecurity is an enduring priority in U.S. national security strategy.

Langevin and Gallagher stated “[l]ooking at the history and the current structure of the Executive Branch, four clear institutional challenges emerge:

  • First, the Federal government lacks consistent, institutionalized leadership in the White House on cybersecurity strategy and policy.
  • Second, due to the absence of a consistent advocate, cybersecurity is inconsistently prioritized in the context of national security.
  • Third, the United States lacks a coordinated, cohesive, and clear strategic vision for cyber.
  • Fourth, the lack of centralized Executive Branch leadership complicates and prevents effective congressional oversight. In the March 2020 Commission report, the Commission recognized the need for a single individual at the highest level in the Federal government to take on these responsibilities.

Langevin and Gallagher explained

On the issue of whether to recommend the creation of new Executive Branch structures, or strengthen the existing structures, the Commission explored several different options. These models included the creation of a new cabinet department for cyber led by a Secretary, an independent agency for cyber led by a Director reporting to an existing cabinet department, an equivalent to a Homeland Security Advisor for cyber within the National Security Council, or a new office within the White House Executive Office of the President (EOP) led by a Director. Ultimately, the Commission decided that the Federal government would be better served by strengthening existing department and agency efforts in cybersecurity, including strengthening CISA and Sector-Specific Agencies, rather than the creation of a new department. While the creation of a new cabinet department or independent agency would give the position gravitas, the Commission recognized the protracted development of a new department would prevent, or even eliminate, much-needed near-term progress.

Cyber Threat Alliance President and Chief Executive Officer Michael Daniel claimed “we have reached the point where making more than incremental progress will prove difficult unless we address at least four impediments:

  • First, cybersecurity’s cross-cutting nature does not fit with the US government’s bureaucratic structure, making the issue difficult to deal with during policy development. 
  • Second, agencies are not incentivized to sustain the degree of coordination required for effective cybersecurity over the long term. 
  • Third, a lack of central coordination hinders effective incident response actions. 
  • Fourth, cybersecurity’s complexity and unusual nature make it tough for the President and other senior leaders to tackle without access to expertise. 

Daniel stated “[a]ddressing these impediments would be challenging under normal circumstances, but this Administration has chosen to take a step backward by eliminating the cybersecurity coordinator position at the White House, which makes it even harder.” He said that “[c]learly, no single policy action will solve these problems…[and] [t]hey are too complicated for a one-shot solution.” Daniel said “[t]hat said, creating a position like a National Cyber Director along the lines the Cyberspace Solarium Commission recommends or that Representative Langevin has proposed is a necessary part of the solution.”

Daniel asserted

  • Cybersecurity is a strategic, national level problem that defies easy categorization.  Cyberspace and the Internet are permanent features of our society, economy, public safety, and national security.  We will not “solve” our cybersecurity problems; cyber threats are now a permanent feature in society and international relations.  Instead, we will manage and mitigate the threat.  Thus, we need a strategic level leader focused on this problem with a government-wide perspective.  Moreover, we will need a national cyber director for the long-term. 
  • The EOP is the only part of the executive branch with a sufficiently broad scope to look across all the different aspects of cybersecurity.  It is the only part of the executive branch that can overcome the “you’re not the boss of me” effect and incentivize agencies to engage in regular, sustained, and intense coordination. It is the logical place to organize a cyber crisis response because it can serve as a neutral, inter-agency hub and activate resources across the entire Federal government. Finally, it is the primary organization for direct Presidential advisors.

Daniel said that “[a]s Congress debates this issue, I would urge it to consider certain parameters in crafting the position: The NCD Office should be big enough to run effective processes, but not so big that it tries to be operational.” He claimed “[i]f we want the office to succeed, then it cannot be so small that the staff do not have time to do anything right…[and] [o]n the other hand, it should not be so large that its staff are tempted to try to run operations directly.” Daniel stated that “[t]he NCD Office should integrate tightly with OMB’s budget process and NSC’s policy process, otherwise it will be irrelevant.”

Daniel stated

  • The NCD Office should have insight into and a policy oversight role for all Federal government cyber functions, including military, intelligence, or law enforcement activities; this insight must extend to offensive cyber operations. We cannot exclude those activities from the NCD’s purview and expect the position to succeed. For the record, I strongly support the independence of indictment and prosecutorial decisions from the White House, but that separation does not mean the NCD should not understand what law enforcement operations are occurring or influence our strategic level policy toward cybercrime. If the NCD only has oversight and coordination roles for network defense activities and working with the private sector, then the position would largely duplicate the CISA director, which we do not need.
  • NCD staff should not participate in policy execution. Law enforcement agencies investigates and prosecutes crime, intelligence agencies collect information, the military conducts offensive cyber operations, and the sector specific agencies work with their industries. Policy execution should remain the domain of the departments and agencies.
  • The office will need a clear relationship with the Federal Chief Information Security Officer (CISO). This existing office has worked hard to improve the security of Federal networks. The NCD’s office will need to work closely with the Federal CISO to ensure that Federal agencies are following the general guidance and advice the government gives the private sector. We must walk our talk.

Tenable Chairman and CEO Amit Yoran stated

Beyond the authorities already included in H.R. 7331, I recommend additional authorities for the National Cyber Director that would improve the nation’s cybersecurity risk management for both the public and private sectors. These additional authorities include developing a national encryption policy, managing the Vulnerabilities Equities Process (VEP), coordinating with regulatory entities, driving cybersecurity workforce development, and leading all international cybersecurity efforts, to include the development of international cyber strategies and international engagement.

Yoran added that

The Cyberspace Solarium Report also included recommendations on how to further strengthen the Cybersecurity Infrastructure Security Agency (CISA) in order to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem and serve as the central civilian authority to support federal, state, local and private sector cybersecurity efforts. CISA has established information sharing capabilities across the government, provides technical assistance to cybersecurity operators in the public and private sectors, and engages stakeholders both inside and outside the federal government. However, CISA’s role has clear limitations:

  • CISA’s convening power is not widely understood or consistently recognized.
  • CISA does not have jurisdiction over law enforcement, the Department of Defense or federal intelligence agencies, which are all critical pieces of a unified approach to U.S. cyber defense, nor are these organizations required to collaborate and share their activities with CISA.
  • CISA does not have the budget or the analytic capacity to assess, plan for and lead a unified effort to mitigate national systemic cyber risk.

Yoran said that “[t]he creation of the National Cybersecurity Director role should be done in conjunction with efforts to empower and appropriately resource CISA as a critical player to improve the nation’s cybersecurity.” He contended “[t]o strengthen CISA, Congress should elevate the Director position as recommended by the Cyberspace Solarium Commission and provide additional funding and program support that will enable the organization to enhance current operations.” Yoran stated that “[a]n expanded budget would also allow CISA to increase funding for the Continuous Diagnostics and Mitigation (CDM) program in order to meet surge capacity to protect .gov networks, support state and local cybersecurity networks and systems, and expand other programs that support the private sector, including many of the public-private operations that comprise the U.S. critical infrastructure.”

George Mason University’s National Security Institute Founder & Executive Director Jamil Jaffer stated

  • Given the general agreement that such [cyber] coordination is advisable, and indeed, necessary, one needs wonder why the Commission’s approach might be controversial.  The first and most obvious issue that would likely trouble any White House—regardless of political party and relationship with Congress—is the idea of having yet another Senate-confirmed appointee in the White House Office. 
  • The challenge, of course, with a National Cyber Director, particularly as it relates to a position in the White House Office and as described in H.R. 7331, is that this individual would have responsibilities that are generally understood by Presidents to be squarely in their control, namely matters related to the execution of the President’s textual Commander-in-Chief responsibilities. And while Congress may certainly argue that it has a number of textual commitments in this area also, like the declaration of war authority and the provisioning of the armed forces, the reality is that Presidents have long taken the view that matters of national security decisionmaking, particularly in the White House, are firmly committed to their discretion.  Thus, it is likely that any President, regardless of party or relationship with Congress, would be strongly opposed to Senate-confirmation of such an individual and, if such confirmation was ultimately required, it may actually undermine rather than buttress the individual position’s influence and role within the White House.
  • Moreover, making such a position Senate-confirmed essentially seeks to elevate it to an Assistant to the President role, namely a principal officer inside the White House Office. The challenge with doing so, of course, is that the vast majority of issues such an individual would deal with likely also fall squarely within the ambit of the existing responsibilities of the Assistant to the President for National Security (i.e., the National Security Advisor). 
  • The legislation clearly envisions the former approach—that is, direct advice to the President—which could very well create its own set of coordination and integration challenges within the White House and with the interagency. This challenge is enhanced, in particular, when it comes to areas of clear overlap between existing White House officials like the National Security Advisor (e.g., in the case of offensive and defensive cyber operations), as well as the Director of OMB (e.g., in the case of budgetary authority). Where the situation becomes even more problematic, however, is where the NCD’s assigned authorities appear to directly conflict with the authorities of another cabinet-level official. 
  • Finally, the size of the office likewise presents its own challenges.  While it is true that the USTR has an office of over 200 individuals and OMB has nearly 500, even at 75 authorized individuals, when one adds in the authority for other outside experts, consultants, and other government agency personnel in support, this number is likely to be viewed as too high for the mission.  This is particularly the case given that such an office would be roughly1/3 the size of the entire National Security Council staff, which itself is currently seen as fairly bloated (even after the Trump-directed staff reductions in 2019)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Hearing On National Cyber Director Act To Be Held This Week

Members of a Congressional cybersecurity commission introduce legislation to establish a statutory cyber position in the White House after neither NDAA has this policy change.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, the House Oversight and Reform Committee is holding a hearing to examine the “National Cyber Director Act” (H.R.7331), a bill to implement one of the Cyberspace Solarium Commission’s key recommendations.

When it became clear that neither FY 2021 National Defense Authorization Act (NDAA) would include a CSC to create a statutory position in the White House to coordinate United States’ (US) cyber policy, some CSC members and other key stakeholders introduced a bill to effectuate the recommendation that the US needs a National Cyber Director. This new position would be along the lines of a position created during the Obama Administration (i.e. White House Cybersecurity Coordinator) that was eliminated by former National Security Advisor John Bolton in 2018. However, this position would have a statutory basis and authority, which would institutionalize the position in this and future Administrations.

The bill was sponsored by CSC Member Representative James Langevin (D-RI) and cosponsored by CSC co-chair Representative Mike Gallagher (R-WI), House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-NY), the Homeland Security Committee’s Cybersecurity, Infrastructure and Innovation Subcommittee Ranking Member John Katko (R-NY), and Representatives C. A. Dutch Ruppersberger (D-MD) and Will Hurd (R-TX). Langevin has been advocating for this concept for a decade, beginning with the introduction of “Executive Cyberspace Authorities Act of 2010” (H.R.5247) that would have created a National Cyberspace Office inside the Executive Office of the President.

In terms of strategy for enactment, the sponsors could try to offer the bill as an amendment to either NDAA during floor consideration, but, depending on the procedural approach to consideration in either chamber, they may not be able to actually get a vote. Moreover, the chairs and ranking members of the Armed Services Committees who typically manage the bills on the floor may successfully argue this is an idea that is premature and should be studied. This sort of argument is often persuasive since these Members are usually respected for their expertise. Alternatively, the sponsors may try to pass the bill as a standalone measure.

The “National Cyber Director Act” (H.R.7331) would establish an Office National Cyber Director (NCD) in the Executive Office of the President (EOP) headed by a Senate-confirmed NCD, much like some of the other offices in the EOP like the Office of Management and Budget and the Office of Science and Technology Policy. Immediately beneath the NCD would be two new officials: Deputy National Cyber Director for Strategy, Capabilities, and Budget and Deputy National Cyber Director for Plans and Operations whose responsibilities are presumably spelled out in their titles for the bill does not explain on their portfolios. The NCD would be added to the statute establishing the National Security Council (NSC), and would be specifically named as an adviser the President may or may not invite to participate in NSC meetings and deliberations.

In terms of duties, the NCD would serve “as the principal advisor to the President on cybersecurity strategy and policy” “[s]ubject to the authority, direction, and control of the President.” This new official would coordinate the drafting and implementation of the United States’ National Cyber Strategy in consultation with existing stakeholders like OMB, the Department of Homeland Security, Department of Defense, and others. The NCD would also be empowered to review agency budget submissions and be required to certify they are aligned with the National Cyber Strategy. The new Director would also be added to the stakeholders that address information security across federal agencies. The NCD would “lead joint interagency planning for the Federal Government’s integrated response to cyberattacks and cyber campaigns of significant consequence,” which would be defensive operations. It appears the NCD would not be the lead US official for offensive cyber-attacks, which appears to be the province of the head of Cyber Command, currently General Paul Nakasone.  However, there are provisions that seem to suggest the National Cyber Director could be added to the inter-agency process of determining whether and when the US will launch cyber-attacks. However, the CSC envisioned the NCD not interfering with the current process for offensive operations: “The NCD will coordinate interagency efforts to defend against adversary cyber operations against domestic U.S. interests; this will not impinge on DoD responsibility for Title 10 activities, Office of the Director of National Intelligence (ODNI) responsibility for Title 50 activities, or the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) responsibility for counterintelligence activities, but the NCD would be kept fully apprised of those activities.”

The Senate’s “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would require “the  Secretary  of  Defense,  in  coordination  with  the Secretary  of  Homeland  Security,  shall  seek  to  enter  into  an  agreement  with  an  independent  organization  with  relevant expertise in cyber policy and governmental organization  to  conduct  and  complete  an  assessment  of  the  feasibility and advisability of establishing a National Cyber Director.” The text of the House’s NDAA released thus far does not address the CSC’s recommendation for the establishment of an NCD.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by cristianrodri17 from Pixabay