Taking up some of the recommendations of a recent major bipartisan cyber security commission, the Senate Armed Services Committee (SASC) on Wednesday called for the Defense Department to review how it can get the nation’s defense industrial base to expand its sharing of information on the cyber threats it encounters.
The cyber provision, one of 11 recommendations the committee addresses from the March report by the Cyberspace Solarium Commission, is aimed at improving “existing threat sharing programs” for defense industrial base (DIB) and directs the Secretary of Defense “to consider either requiring participation or providing incentives to increase participation, among other aspects aimed at increasing participation,” a SASC aide told Defense Daily on Thursday.
The committee on Thursday released a summary from its proposed version of the fiscal year 2021 National Defense Authorization Act that includes a section on “Superiority in Cyberspace” and a bullet point on the DIB “threat intelligence sharing program to support companies’ ability to defend themselves.” The information sharing mention aims to address recommendation 6.2.1 of the Solarium Commission’s report, which says DIB participation in a threat intelligence sharing program should be required.
A longstanding DIB cyber security information sharing program exists but the commission’s report, fashioned by a bipartisan group that included U.S. senators and representatives from both sides of the aisle, says it is “insufficient,” adding the programs are “largely voluntary.”
The commission says Congress should pass legislation requiring DoD to consider incentives for DIB information sharing, such as incident reporting, as part of contracts. Other elements of a threat intelligence sharing effort should include a current threat picture, investments to support automated threat detection and analysis, allowing the National Security Agency to review foreign intelligence threats to the DIB and share threat intelligence with these companies, and coordinating with law enforcement and counter-intelligence agencies, the March report says.
“The programs’ ideal end state is to leverage U.S. government intelligence collection to create a better understanding of adversaries’ intelligence collection requirements,” the commission says. “This action would help DoD and the intelligence community anticipate where adversaries will seek to collect against DIB targets, and then communicate that information to DIB network owners and operators so they can proactively defense against impending adversary activities.”
One of the commission’s key recommendations is the creation of a senate-confirmed National Cyber Director within the executive branch that would report direct to the president. The SASC bill calls for an “independent assessment on the feasibility and advisability of establishing” this position.
The commission says the National Cyber Director would oversee cyber security budgets of executive branch agencies and be on the National Security Council.
The SASC bill, which was approved by a 25 to 2 vote, also calls for improving the cyber resiliency of nuclear command and control systems, assessing the risks of quantum computing to national security systems, requiring a report on U.S. Cyber Command’s authorities and control of Cyber Operations Forces budgets to ensure it has the flexibility to control acquisitions, reviewing the National Guard’s response to cyber-attacks, evaluating cyber reserve force options, assessing gaps between Cyber Mission Forces and Cybersecurity Service Providers, and updates the responsibilities of the Pentagon’s Principal Cyber Advisor to provide more integration and coordination responsibilities to ensure department cyber policies meet its needs.
The SASC bill also directs a number of other actions, including improving cyber readiness of the National Guard and boosting Air Force and Army operations and maintenance (O&M) funding for their Cyber Mission Forces to respond faster to threats, using O&M funds to field cyber capabilities more quickly, and giving Cyber Command authorities that exist elsewhere in DoD for training and retaining “highly qualified cyber personnel.”
SASC aides on Thursday told media in a background call to discuss the markup that the committee hopes to have the bill introduced on the Senate floor next week.
Sen. Jack Reed (D-R.I.), ranking member of the SASC, said in an on-the-record portion of the media briefing the markup includes many of the Solarium Commission’s recommendations that relate to DoD and that during upcoming debate on the bill in the Senate more recommendations will likely be “incorporated” that are outside the committee’s jurisdiction.
The House Armed Services Committee later this month is scheduled to begin marking up its version of the FY ’21 defense authorization bill. The markup will also likely include recommendations of the Solarium Commission.