Cyber Security Themes in the FY 2014 NDAA
Published: July 23, 2013
Two versions of the 2014 National Defense Authorization Act (NDAA) are presently making their way through Congress. The House version examined here just left the Committee on Armed Services. This version of the legislation contains several provisions concerning cyber security at the Department of Defense. These provisions include directives for procuring cyber solutions that could point the way to future spending.
Last week in this space I provided readers with an early look at some big data requirements and initiatives in the House Committee on Armed Services’ version of the National Defense Authorization Act (NDAA) for Fiscal Year 2014. This week I will stick with the technology theme, but focus instead on the cyber security provisions and directives in the House committee’s version of the legislation.
From mandating the modernization of business systems, to fostering the adoption of commercial cloud services, the technology priorities Congress sets out in the NDAA have for years helped to shape IT spending at the Department of Defense. Arguably, Congress’ influence has grown even more decisive in the last few years as the DoD’s IT budget shrinks and it is compelled by law to devote a greater percentage of its available funding to priorities set out in each year’s NDAA. Take for example DISA’s current competition for commercial cloud computing services, which began as a provision in the FY 2012 NDAA. Fiscal 2014’s version of the NDAA will have an impact as well, particularly in the area of cyber security. The cyber themes in this year’s pending iteration of the NDAA focus on both supply chain integrity and on defensive and offensive cyber capabilities.
Supply Chain Integrity
Two sections in the committee report (pp. 289-290 & 297-298) order the removal of IT hardware manufactured by the Huawei and ZTE Corporations from government and computer networks. The issue of supply chain integrity has been under discussion across the DoD for some time now. However, these two corporations have been linked explicitly with spying operations by the People’s Republic of China, posing a clear and present danger to networks where their equipment has been installed.
My Take – Although it seems unlikely that government and vendors have not already purged equipment from these two manufacturers from their networks, the inclusion of this directive indicates that Congress believes the threat remains. Hopefully Congress is wrong on this, but if it isn’t then vendors that still have Huawei and/or ZTE equipment in their environments will incur additional costs replacing it. Assuming this provision makes it through to the final version of the legislation, vendors seeking to do business with the DoD will be required to prove that they have removed this hardware from their networks.
In a section on exploiting foreign commercial cellular networks (p. 201), the committee report expresses concern that the future security of U.S. forces deployed abroad will depend on the DoD acquiring “the ability to both exploit and defend against modern commercial cellular networks.” The committee therefore encourages relevant DoD commands to assess the level of the threat in different geographic areas and to acquire capabilities to “exploit and defend against any vulnerabilities” that are identified.
My Take – In the unlikely event that U.S. Cyber Command does not already possess capabilities for exploiting foreign commercial cellular networks, this sounds like a potentially new area of investment for the DoD.
In the ever-evolving world of cyber warfare, the committee notes that adversaries abroad are increasingly using techniques that can compromise the “perimeter defenses” of DoD networks (p. 205). Securing data within networks and not just securing the network itself is one area of investment that the DoD has actively promoted in recent years. In fact, a central tenet of the Joint Information Environment (JIE) is creating a unified environment that reduces the network surface vulnerable to cyber attacks. Congress, however, also wants the DoD to look into acquiring new capabilities, such as “dynamic maneuvering” and “moving target” technologies, and to integrate these capabilities into the emerging JIE.
My Take – The committee report also directs that the DoD brief the House Armed Services Committee quarterly on its adoption of these new perimeter defense capabilities. This tells me that Congress will continue to stay on top of the DoD’s implementation of the law. Close scrutiny in this area suggests that the DoD will be under pressure to procure newer cyber defensive tools, not only because these tools will help defend networks, but also because Congress intends to keep its foot in DoD’s back. This area could therefore provide a business opportunity for vendors that provide such solutions.