The massive defense bill that President Donald Trump is threatening to veto contains provisions for increased cybersecurity, which has taken on significantly more importance in the wake of a massive cyberattack on federal agencies at the hands of suspected Russian hackers.
The National Defense Authorization Act includes pay raises for America’s soldiers, modernizations for equipment and provisions to require more scrutiny before troops are withdrawn from Germany or Afghanistan.
But its congressional backers also call the bill the “most comprehensive and forward-looking piece of national cybersecurity in the nation’s history” and argue it would bolster US cyberdefenses.
More than two dozen of the provisions in the NDAA are recommendations from the Cyberspace Solarium Commission, a bipartisan group of lawmakers and security experts established last year to devise and propose a strategy to strengthen the US against cyberattacks.
It would establish a new role within the White House of “national cyber director,” a top priority of the commission, who would advise the President on all cybermatters, including policy, oversee the government’s cyberstrategy and coordinate federal response efforts.
The $740 billion bill, which passed both the Senate and House earlier this month with veto-proof majorities, would allocate over $375 million to the Department of Energy to modernize the US’ nuclear infrastructure and safeguard the nuclear weapons stockpile from cyberattacks. CNN reported that the Energy Department had detected malware associated with the ongoing massive data breach, but said it had not impacted the agency’s essential national security functions.
The bill also works to depoliticize the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency by making assistant directors career staffers within the agency. It also creates a fixed five-year term for the relatively new role of CISA director, preventing a situation such as the one last month when Trump fired the most recent CISA director, Chris Krebs, over his assurances that the 2020 election was secure. Krebs, the first head of CISA, had been on the job about two years.
The NDAA would require the Department of Homeland Security to review CISA’s force structure and facilities to meet the growing expectations from its cyber arm. It would also grant CISA subpoena power so the agency can find vulnerable systems and alert public and private system owners.
In the wake of the SolarWinds hack, both Rep. Mike Gallagher, a Wisconsin Republican and a co-chair of the commission, and Trump’s former homeland security adviser Tom Bossert have pointed to the bill’s provision that would authorize DHS to perform threat hunting identification on federal networks.
In an interview for Defense One Thursday, Gallagher said the provision “would’ve put us in a position of detecting it more quickly and responding more quickly.”
“We have to have a federal government that is more capable of detecting intrusions like this. And I think that’s why it’s so important to get some of these NDAA recommendations across the finish line,” the Wisconsin congressman said.
And Bossert argued in a New York Times op-ed Wednesday that the NDAA is “a must-sign piece of legislation, and it will not be the last congressional action needed” before the fallout from the attack is resolved.
Trump, who has remained publicly silent on the cyberattack, has cited other issues in his threat to veto the NDAA, specifically its lack of a provision to repeal liability protections for internet companies, though he has also voiced displeasure in the past with congressional attempts to rename military installations named after Confederate officials, which is also addressed in the legislation. The bill would also limit how much money Trump can move around for his border wall. Trump has until Wednesday to veto or to allow the measure to become law.
In the wake of last week’s cyberattack, however, some Republicans and Democrats have pointed to the cybersecurity measures as another reason for Trump to sign the defense bill into law.
A group of Republicans on the House Armed Services Committee, including Gallagher, argue that “the measures in this year’s bill will provide critical safeguards to protect the information and capabilities most foundational to our nation’s security.”
“This attack serves as a stark warning that our nation must bolster its cybersecurity posture and capabilities, and it must do so without delay,” six House Republicans said in a joint statement Thursday.
And Independent Sen. Angus King of Maine, the other Cyberspace Solarium Commission chair, on Friday urged Trump to make the NDAA law, stressing that “our protection from cyberattack is hanging in the balance the next few days.”
“Mr. President, if you’re listening, please sign it. We need these protections. If ever we had doubt about it, we learned this week how serious this is,” King said during an interview with CNN’s Dana Bash Friday.
CNN’s Zachary Cohen, Brian Fung, Geneva Sands, Alex Marquardt, Daniella Diaz, Ted Barrett, Jeremy Herb and Clare Foran contributed to this report.