The Senate Armed Services Committee (SASC) mark-up of the fiscal year 2018 defense authorization, which passed by a unanimous vote late Wednesday, pushes for increased responsibility from the Department of Defense and U.S. Cyber Command to address the lack of an effective strategy for cyber operations amid the spate of recent global malware attacks.
The SASC mark of the National Defense Authorization Act (NDAA) included 27 amendments to the $640 billion budget and now moves to the Senate floor for consideration. The committee included several provisions for cyber deterrence measures, while also requesting $700 million more for cyber requirements than included in the Trump administration’s budget request.
“The malware attacks currently infecting computers and systems across the globe are just the latest in a long and steady stream of malicious cyber activity that has been growing in sophistication and reach,” Committee Chairman Sen. John McCain (R-Ariz.) said in a statement. “The National Defense Authorization Act for Fiscal Year 2018, which was passed unanimously out of the Senate Armed Services Committee today, takes significant steps forward in advancing a cyber-deterrence policy.”
Included in the committee’s mark are several concerns regarding a lack of coherency across DoD organizations on coordinating cyber deterrence policies and developing offensive strategies in the domain. SASC included a provision in the NDAA to establish a set policy that all instruments of national power be employed in response to all cyber threats meant to disrupt governmental and societal functions, attack U.S. forces or affect critical infrastructure, according to a summary of the mark.
The committee included specific language to deal with state-based adversarial cyber threats, particularly in response to growing Russian aggression.
The mark calls for information on Russian hybrid warfare to be included in the annual reports on the nation’s military and security developments, including assessments of its information warfare strategy and updates on malicious cyber activities. The committee also prohibits the DoD from using software developed by the Moscow-based Kaspersky Lab, due to the possibility that the company may be susceptible to Russian government influence.
Several other amendments the committee made to the NDAA are meant to broaden the scope of responsibilities for cyber policies, including requiring the secretary of defense to conduct a Cyber Posture Review and for the commanders of Cyber Command and U.S. Strategic Command to jointly assess the level of cyber resiliency of the nuclear command control system.
The mark also creates a new Chief Information Warfare Officer position within the DoD to assume some of the responsibilities of the current CIO, including surveying the needs of the defense information environment to best make use of cyber security, electronic warfare and electromagnetic spectrum capabilities.
In order to increase coordination of cyber security efforts, the mark emphasizes the continued push for the DoD to adopt modernization efforts and move away from outdated information technology systems. The SASC included amendments for updating commercial agile software development practices, introducing more incremental development, and testing out several pilot programs for cyber training.
“We must do more to combat threats in cyberspace, including by closing the gaps between national security agencies that are supposed to be responsible for defending the country against cyber attacks. Congress should address the troubling lack of coordination across the executive branch and pursue an organizational construct that recognizes the unique challenges we face in cyberspace,” said McCain. “Unless and until we develop a comprehensive approach to cyber, these destabilizing attacks to our vital interests will continue.”
The Senate is set to consider the amended FY ’18 NDAA following its July 4 recess.