Some defense contractors would be required to quickly alert the government when their computer systems are hacked under a provision in the Pentagon policy bill the Senate passed Tuesday.

Senate Armed Services Committee (SASC) Chairman Carl Levin (D-Mich.) added the cybersecurity provision to the fiscal year 2013 defense authorization bill last Friday via a floor amendment the Senate passed without debate. Now Levin and SASC Ranking Member John McCain (R-Ariz.) will fight to keep the cyber measure in the final legislation they will negotiate with House Armed Services Committee (HASC) members starting next Wednesday, because it is not in the House-passed bill. Levin predicted yesterday the compromise House-Senate defense legislation will be ready to be passed by both chambers in two weeks.

The new cyber-attack-reporting section of the Senate-passed defense authorization bill is similar to part of controversial cybersecurity legislation that is stalled in the chamber. Both measures seek to compel more businesses to quickly notify the government when their computer systems are penetrated by outsiders. Yet the Senate proposal would apply only to firms that are working on Pentagon contracts and have been granted clearance by the Defense Security Service to store classified information they are using to bid or work on a Pentagon contract.

McCain argued the defense bill provision should not be contentious.

“It’s nonsense to think that somehow the government should not be made aware of that,” McCain told reporters about cyberattacks on such defense contractors.

“If it’s their own money, that’s one thing,” he said about private companies not working on government contracts. “Private business, that’s debatable and up for discussion. But not the federal-government contractors.”

The SASC leaders fall on different sides of the heated debate over cybersecurity legislation. Levin supported and McCain rejected the stalled Cybersecurity Act of 2012, which the business community opposes and views as leading to cumbersome regulation. Still, McCain supports the Secure IT Act, which, like the Levin-supported cyber bill, seeks to increase businesses’ reporting on cyber attacks to the government.

Levin acknowledged, during a Tuesday press conference, the debate in Congress “as to whether we should mandate companies whose networks have been breached to report to the government.”

Yet he argued it is “surely appropriate” to create such a requirement for defense contractors, “whatever one’s position is relative to other businesses.”

“I think it’s so obvious that if a defense contractor with classified information has their networks penetrated and attacked, that the government has to know about that,” he said.

Levin’s successful amendment created Section 935 in the Senate bill, which calls for “reports to (the) Department of Defense on penetrations of networks and information systems of certain contractors.”

It requires the undersecretary of defense to create a process for defense contractors that are cleared to receive classified data to report when any of their networks or information systems “that contain or process information created by or for the Department of Defense” are “successfully penetrated.”

Such reports would have to be delivered in a “rapid” timeframe and include descriptions of the techniques used by the hackers and samples of any malicious software isolated by the contractors.

The Senate language calls for a reporting process that includes “mechanisms by which Department of Defense personnel may, upon request, obtain access to equipment or information of a contractor necessary to conduct a forensic analysis to determine whether information created by or for the (Defense) Department in connection with any department program was successfully exfiltrated from a network or information system of the contractor and, if so, what information was exfiltrated.”

Under Levin’s provision, Pentagon officials would be banned from disseminating to other entities any information collected on such cyber attacks that was not created by or for the Defense Department, unless the contractors allow such data to be shared.

A conference committee of HASC and SASC members is slated to meet next Wednesday, after the House officially names its conferees on Tuesday, to negotiate a final version of the defense authorization bill to send to President Barack Obama. The White House, though, has said Obama could veto the versions passed by both the House and Senate.

Levin predicted yesterday the conference committee will be done by Monday, Dec. 17, and the House will file the conference report that day. The House could pass that final House-Senate bill mid-way through that final week before the Christmas recess, and the Senate could grant final approval toward the end of the week, he told reporters.

Levin estimated there are between “20 and 40” differences between the two bills that conferees have to resolve. HASC and SASC staff have already met and worked out “hundreds” of differences between the two measures, Levin said. He added he has not yet seen those recommendations from staffers, which will be presented at a meeting of HASC and SASC chairmen and ranking members.