Senate Defense Bill Aims to Scrub Cyber Adversaries from US Military Tech
The bill would require companies to disclose if they’d shared source code with foreign governments.
Companies that sell equipment and services to the U.S. military will be forced to disclose business ties that allow foreign governments to access their sensitive data, such as software source code, under the Senate version of an annual defense bill.
Both Russia and China have required companies to submit to source code reviews in order to win certain government contracts.
The provision, added by Sen. Jeanne Shaheen, D-N.H., comes amid heightened concern about how U.S. cyber adversaries might use private companies as spying tools.
The Senate version of the 2019 National Defense Authorization Act explicitly bars the Chinese telecoms Huawei and ZTE from Defense Department networks, while the House draft banned the companies from all federal networks. Intelligence officials and lawmakers have long fretted the companies were tied too closely to the Chinese government.
Last year’s NDAA included a governmentwide ban of the Russian anti-virus provider Kaspersky Lab.
It’s not clear yet if other major tech and cyber provisions of the House bill made it into the Senate draft. Those provisions included transferring day-to-day management of the Defense Department information networks from the Defense Information Systems Agency to U.S. Cyber Command.
Just Another Warfare Domain
The Senate bill includes a number of provisions aimed at integrating cyber activities into the military’s conventional approach to conflict, according to a summary released Thursday.
The bill designates military operations in cyberspace, including clandestine operations, as “traditional military activities” and affirms the military’s authority to conduct those operations.
It also states as U.S. policy that the government and military should “employ all instruments of national power, including the use of offensive cyber capabilities,” to deter and respond to major cyberattacks that could cause loss of life or significantly disrupt society.
The bill specifically authorizes the president and defense secretary to direct U.S. Cyber Command to “take appropriate and proportional action through cyberspace” to combat digital attacks from Russia.
The provisions come just days after U.S. Cyber Command reached full operational capability and weeks after it was elevated to a full combatant command.
Boosting R&D
The Senate bill boosts Pentagon research and development spending by $1.2 billion with a special focus on cybersecurity, artificial intelligence and quantum computing, according to the summary.
The bill authorizes $600 million over the Trump administration’s request for science and technology programs, including cybersecurity and quantum computing.
The bill also authorizes $150 million to boost interactions between the Defense Department, the tech industry and academia. That effort might include establishing a nonprofit organization that would encourage private sector investment in “specific hardware technologies of interest to future defense technology needs with unique national security applications,” the bill summary states.
Another Commission
The Senate bill also authorizes a 13-member commission, proposed by Sen. Ben Sasse, R-Neb., which will be tasked with conducting a “top-to-bottom review” of the U.S. cyber posture.
The group will be dubbed the Cybersecurity Solarium Commission and modeled after the Eisenhower-era “Project Solarium,” which developed long-range U.S. strategy for the Cold War, according to a news release and fact sheet.
The commission’s main tasks will include weighing the costs and benefits of the U.S.’s current cyber efforts, analyzing national adversaries’ cyber efforts, evaluating where the U.S. is and should be focusing its cybersecurity resources and suggesting policy changes.
The commission must submit a report to the executive branch and Congress by September 2019.
The government has launched numerous cyber commissions during the past decade, including, most recently, a Commission on Enhancing National Cybersecurity, which delivered a broad swathe of recommendations at the close of the Obama administration and briefed the incoming Trump team.