13 cyber provisions in the FY19 NDAA

The Senate released its text and report for the 2019 National Defense Authorization Act. Take a look at a few of the biggest cyber provisions that could make it through final passage.

Lawmakers are taking aim at foreign tech companies in the Senate's version of the 2019 National Defense Authorization Act with a keen eye on solidifying the Department of Defense cyber warfare policies.

The Senate released its version of the must-pass defense bill on June 6 and a corresponding report on June 7, with several cyber provisions encompassing everything from protecting IT supply chain to enhancing the Defense Department's ability to respond to cyberattacks to establishing cyber institutes in colleges across the country. Highlights from the recommendations include:

Designating a chief official to oversee cybersecurity integration and industrial control systems. A chief official would be responsible for DOD's integration of cybersecurity and industrial control systems, addressing concerns "that no one individual is responsible for defining industrial control system cybersecurity standards … and that the lack of such an individual has impeded holistic cybersecurity efforts across the Department and its critical infrastructure," the report states.

Providing cybersecurity assistance for small manufacturers. This would include outreach to businesses; developing cybersecurity self-assessments; sharing techniques, technology, and threat information; and creating a cyber-counseling certification program for staff to provide cyber planning to manufacturers.

Following DHS' lead on email and internet security standards. This provision would require the Defense Department to follow the Department of Homeland Security's binding cybersecurity directives, such as the Kaspersky software ban. "These simple measures would provide enormous cybersecurity benefits … and would bring the Department in line with current accepted standards," lawmakers wrote.

Shifting NSA's off-the-shelf cybersecurity program to DISA. Senators proposed the National Security Agency transfer funds and personnel for its Sharkseer cybersecurity program, which aims to sniff out and mitigate advanced persistent threats and Zero Day malware with commercial technology, to the Defense Information Systems Agency.

Eliminating the cybersecurity scorecard. The committee proposed prohibiting DOD from spending any funds on its Cybersecurity Scorecard beyond Oct. 1, 2019, unless the department can show it has implemented a "funded program" to address cybersecurity requirements established by the fiscal year 2017 NDAA.

Creating a Cyberspace Solarium Commission to develop a U.S. cyber protection and advancement strategy. The commission would include the principal deputy Director of National Intelligence, the deputy secretary of homeland security and the deputy secretary of defense, along with 10 other members chosen by Congress. The commission would be able to hold hearings, request information and subpoena witnesses.

Crafting U.S. policies on cyberspace, cybersecurity, cyber warfare and cyber deterrence. Lawmakers stressed the longstanding concern of "the lack of an effective strategy and policy for addressing cyber threats and cyber deterrence" that has been met with insufficient responses. A proposed provision would solidify U.S. policy regarding cyberspace, cybersecurity and cyber warfare.

Affirming the defense secretary's authority to conduct military activities and operations in cyberspace. That authority would cover cyber efforts "short of war and in areas outside of named areas of conflict for the purpose of preparation of the environment, adversary influence, force protection, deterrence of hostilities, and counterterrorism operations involving the Armed Forces of the United States," the report states. The provision would also count clandestine military activities or operations in cyberspace as traditional military activities.

Embedding cyber institutes in colleges and universities. The institutes would be housed in existing Reserve Officers' Training Corps programs "in order to develop the cyber workforce across the active and components."

Strengthening active defense and surveillance against Russian cyberattacks. This provision would authorize the National Command Authority to direct the Commander, U.S. Cyber Command to take "appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace," and provide quarterly reports.

Boosting the Cyber Commander's acquisition authority by raising it from $75 million to $250 million, and extending that authority through 2025.

Launching pilot program for simulating cyberattacks on critical infrastructure. The provision would task the assistant defense secretary for homeland defense and global security with creating a pilot program that develops risk analysis methodologies via advanced commercial simulation and modeling capabilities, using hyper-scale cloud computing technology and artificial intelligence. The report cites existing research exercises that the Army Cyber Institute conducts with the cities of New York and Houston as a model.

Mitigating risks from foreign IT providers and products. DOD would be prohibited from using any "information technology, cybersecurity, industrial control system, weapons system, or computer antivirus system" unless the provider discloses whether it has ties to a foreign government or has let another government review or access the product or source code.