New Defense Authorization Act Sharpens Focus on DoD Cyber Capabilities

Published: January 10, 2013


Not very much legislation has been moving through Congress, as legislators fail to reach consensus among themselves and with the White House on various issues. This has been especially true when it comes to federal cybersecurity, with numerous bills stalling between the House and the Senate or receiving overt veto threats from the president. As it turns out, a non-cyber-centric bill passed last week has elements in it that will likely impact federal cybersecurity for years to come.

Last week, the President signed the FY 2013 National Defense Authorization Act. In it were several directives that address the Department of Defense’s (DoD) defensive and offensive cybersecurity plans and capabilities going forward. Here is a brief synopsis of the points that jump out most:
  • Coordinating Full-Spectrum Military Cyber Operations – By early April, Congress wants the Secretary of Defense to brief the House and Senate Armed Services Committees on the interagency process for coordinating and de-conflicting full-spectrum military cyber operations, including the business processes and rules governing the interagency process, the membership and responsibilities of such interagency process, the current status of interagency guidance clarifying roles and responsibilities for these operations, and any plans for implementing the planning and guidance from such interagency process. Congress also wants a single DoD-wide budget estimate and detailed budget planning data for full-spectrum military cyberspace operations included in the FY 2015 budget request and going forward.
     
  • Creating a Unified U.S. Cyber Command – Recognizing the ongoing cyber threat to the nation and the implications for national security of changes to the US Cyber Command (US CYBERCOM), Congress requires the DoD to consult with it about any proposals to elevate CYBERCOM to a unified command status. Part of this includes briefing Congress on the updated mission, benefits, costs, and legal parameters of such a change, as well as the pros, cons and justifications of having a single individual preside over such a unified command and the National Security Agency, if that is the direction the DoD proposes. Congress is also looking for DoD to establish more complete cyber policies and standing rules of engagement before moving forward with any decision to create a unified command.
      
  • DoD Next-Generation Host-Based Cyber Security System – The DoD CIO is directed to develop a strategy to acquire next-generation host-based cyber security tools and capabilities for the Department of Defense. Congress wants the system to be able to address new or rapidly morphing threats without consuming substantial communications capacity to remain threat-current and to report current status, and without consuming substantial storage resources to store rapidly growing threat libraries. The bill also stipulates an open architecture system to enable “plug-and-play” integration of new cyber tools to address intrusion detection, insider threat detection, continuous monitoring and configuration management, remediation following infections, and protection techniques that do not rely on detection of the attack. Finally, the bill stipulates that the system strategy account for ease of deployment to potentially millions of host devices, accounting for specific security needs and risks, and be compatible with cloud/thin/virtualized environments as well as battlefield devices and weapons systems. The strategy and budget justification are to be submitted to Congress with the FY 2015 budget request.
       
  • Air Force Cyber and Information Technology Research Investments – Within 6 months of the NDAA’s enactment on January 2, the Air Force is required to submit a report to the congressional defense committees detailing the Air Force’s cyber and information technology research investment strategy, covering areas like cyber science and technology; autonomy, command and control, and decision support technologies; connectivity and dissemination technologies; and processing and exploitation technologies. Congress wants the Air Force to identify its near-, mid-, and far-term science and technology priorities vis-à-vis cyber and information technologies, the resources it projects needing to address these priorities, and the strategies it will use to employ these in weapon systems, including cyber tools. In addition, Congress wants to know how the Air Force will recruit, train, and retain a skilled cyber and information technology workforce going forward.
      
  • DISA Collection and Analysis of Network Flow Data – Congress wants DISA to use its Community Data Center to develop and demonstrate collection, processing, and storage technologies for network flow data that, among other things, support the capability to detect and identify cyber security threats, networks of compromised computers, and command and control sites used for managing illicit cyber operations and receiving information from compromised computers. Congress also wants DISA to use this network flow data work to track illicit cyber operations for attribution of the source and to provide early warning and attack assessment of offensive cyber operations.
       
  • DoD Contractors to Report Penetrations of Their Networks – The Secretary of Defense is required to establish procedures that require each cleared defense contractor to report when any of its networks or information systems is successfully penetrated, including a description of the technique/method used in the penetration, a sample of the malicious software, if available, and a summary of DoD-relevant information that has been potentially compromised. The DoD procedures are also to provide mechanisms for DoD to obtain access to the contractor’s systems to conduct forensic analysis to determine if any DoD information was exfiltrated as part of the penetration, while protecting trade secrets and other company-sensitive information.

There are other security elements in the NDAA not covered here that have implications for DoD cybersecurity as well as contractors supporting and supplying the Pentagon, such as software assurance and supply chain security. The prominence of cyber in the bill continues to underscore the need for DoD to move further down the curve in protecting its technology assets as well as maturing its coordinated abilities to exploit those assets to achieve a proactive defense mission.