The Senate on Sept. 18 passed its nearly $700 billion defense authorization bill, which will establish the first-ever cyber warfare policy, including the use of offensive digital weapons, and stipulate a $500 million federal information technology (IT) modernization plan.
The Senate’s National Defense Authorization Act (NDAA) for fiscal year 2018 passed with an 89-8 vote. The NDAA creates the first wholly defined cyber warfare strategy meant to determine when the U.S. is able to employ tools of national power following attacks on the cyber domain, and creates a framework for utilizing offensive cyber capabilities.
Under the bill, the Department of Defense would be responsible for informing other NATO nations when the department becomes aware of third-party attacks against its systems. This cyber doctrine specifically takes into account the cyber threat posed by Russia, and allows the U.S. to act unilaterally to address the attacks if the country facing a threat does not take immediate action or is unable to appropriately respond.
“It is in the core interests of the United States to enhance the offensive and defensive cyber capabilities of NATO member states to deter and defend against Russian cyber and influence operations,” the Senate wrote in its bill. “Enhanced offensive cyber capabilities would enable the United States to demonstrate strength and deter the Russian Federation from threatening NATO, while reassuring allies, without a provocative buildup of conventional military forces.”
U.S. Cyber Command also has its entire $647 million budget, requested by the White House, covered under the NDAA. This is a 16 percent increase in funding from fiscal year 2017.
The bill also directs the secretary of Defense to provide Congress with a report no later than Dec. 1 detailing the progress towards separating the dual-hat leadership role of the National Security Agency and Cyber Command, currently held by Adm. Mike Rogers.
The defense bill also includes the $500 million Modernizing Government Technology Act (MGT) as part of a last round of amendments added the week of Sept. 17.
The original MGT bill, first sponsored by Chairman of the House Information Technology Subcommittee Rep. Will Hurd (R-Texas), and then introduced in the Senate with bipartisan support from Sens. Jerry Moran (R-Kans.) and Tom Udall (D-N.M.), was included as an NDAA reform package amendment. It establishes a working capital fund to incentivize federal agencies to phase out legacy federal IT systems and prioritize moving to cloud computing systems.
“The amount of money that our federal government spends on antiquated technology is mind-boggling. Outdated technology policies and poor cyber security hygiene have riddled government agencies for decades, leaving our digital information vulnerable to hacks and costing taxpayers billions,” Hurd said in a statement following NDAA’s Senate passage. “By incentivizing the transition to modern technology, we will allow the government to harness cutting-edge technologies, use each dollar more efficiently, strengthen our digital infrastructure and improve government services for everyone. I thank my colleagues in both the House and Senate for working together to get the MGT Act one step closer to the finish line.”
Another amendment included in the NDAA from Sen. Jeanne Shaheen (D-N.H.) affirms the directive delivered by the Department of Homeland Security last week for all federal agencies to stop using Russian-based software company Kaspersky Labs’ products following concerns about potential ties to Kremlin cyber espionage activities.
“The strong ties between Kaspersky Labs and the Kremlin are alarming and well-documented. I’m very pleased that the Senate has acted in a bipartisan way on my amendment that removes a real vulnerability to our national security,” Shaheen said in a statement. “It’s important that this prohibition also be a part of statute and be expanded to the entire federal government, as my amendment would do. Considering the strong bipartisan, bicameral support for this proposal, I’m optimistic this will soon be signed into law.”
Another amendment from Sen. Marco Rubio (R-Fla.) calls on the Pentagon to provide a congressional report on its challenges protecting the cyber domain. No later than 90 days after the bill is enacted, the secretary of Defense, alongside the director of National Intelligence, secretary of Energy and secretary of Homeland Security, must detail significant security risks to defense critical infrastructure and assess the readiness of the armed forces to protect against cyber threats.
A separate amendment from Sen. Cory Gardner (R-Colo.) blocks telecommunications companies that have close links with China, Iran, North Korea and Russia from working with the DoD.
The Senate bill now moves into final conference negotiations with the House.