After much high-stakes political drama last week, the GOP-controlled US House of Representatives finally passed its version of the National Defense Authorization Act (NDAA), which details the Pentagon’s $874.2 billion budget for FY 2024. As has been the case for the past ten years, the NDAA is filled with many military-related cybersecurity provisions.
The Department of Defense said the NDAA budget features “$13.5 billion for cyberspace activities to defend and disrupt the efforts of advanced and persistent cyber adversaries, accelerate the transition to zero trust cybersecurity architecture, and increase defense of US critical infrastructure and defense industrial base partners against malicious cyberattacks.”
Cybersecurity is embedded in dozens of the NDAA sections, and cybersecurity-specific or US Cyber Command funding line items appear 75 times in the budget presented in the bill. But several of the following provisions are worth highlighting.
Cyber Command program on the dark web and deep web analysis tools
Section 1504 gives the Commander of Cyber Command the authority to integrate into the packages of tools distributed to the combatant commands tools to analyze information from locations on the dark web. Under the program established or augmented under this section, CyberCom’s chief may “develop a comprehensive and tailored approach to the use of open-source intelligence tools for the analysis and distribution of information collected from the locations on the Internet” and “develop and validate technical requirements relating to such collection, analysis, and distribution including with respect to data fidelity and data provenance.”
Just why this authority is needed is unclear. CSO contacted CyberCom and the Department of Defense for more background on this provision but received no response.
Military cybersecurity cooperation with Taiwan
Sec. 1505 of the NDAA directs the Secretary of Defense to seek to cooperate with the Ministry of Defense of Taiwan on defensive military cybersecurity activities. Acting through the Under Secretary of Defense for Policy, in concurrence with the Secretary of State and in coordination with the Commander of the United States Cyber Command and the Commander of the United States Indo-Pacific Command, the Secretary of Defense may carry out efforts to identify cooperative activities to defend military networks, infrastructure, and systems, counter malicious cyber activity that has compromised such networks, infrastructure, and systems, leverage United States commercial and military cybersecurity technology and services to harden and defend such networks, infrastructure, and systems; and conduct combined cybersecurity training activities and exercises.
The inclusion of this provision, championed by Rep. Mike Gallagher (R-WI), Chairman of the House Armed Services Committee’s Subcommittee on Cyber, Information Technologies, and Innovation, comes at a time when US-China tensions are escalating as China increasingly positions Taiwan as a renegade province that, if need be, should be retaken by force. The US government doesn’t recognize Taiwan as a country but has made clear it would defend Taiwan if China invades.
“We are in the window of maximum danger when it comes to a potential conflict with China over Taiwan,” Gallagher said. “If we are to deter Xi Jinping and prevent the devastating consequences of war, Congress must come together in bipartisan fashion to combat the Chinese Communist Party’s aggression and ensure that the US military has what it needs to deter, and if necessary, fight and win in the 21st century.”
GAO review of cyberspace operations management
Sec. 1533 of the NDAA directs the Comptroller General of the United States to conduct a comprehensive review of the management by the Secretary of Defense of matters relating to the conduct of, and preparation for, cyberspace operations. The Comptroller is assigned the task of evaluating and assessing the number of commands, organizations, units, and personnel (including an identification of the rank and grade) responsible for conducting cyberspace operations across the Department of Defense to assess the ratio of qualified personnel, assessing potential duplication and costs across the operations and the extent to which senior officials accountable to the Secretary of Defense are overseeing operations.
Study on the Occupational Resiliency of Cyber Mission Force
In a bid to address burnout in the military’s Cyber Mission Force, Sec. 1534 of the NDAA directs the Principal Cyber Advisor of the Department of Defense and the Undersecretary of Defense for Personnel and Readiness to conduct a study on the personnel and resources required to enhance and support the occupational resiliency of the Cyber Mission Force.
To be conducted in coordination with the principal cyber advisors of the military departments and the Commander of Cybercom, the study will take an inventory of how many personnel are in the Mission Force and assess the risk to the occupational resiliency of such personnel relative to their respective operational work roles.
The study will also evaluate the extent to which personnel assigned to the Cyber Mission Force have been made aware of the resources and programs and outline measures required to improve awareness. The Principal Cyber Advisor of the Department of Defense and the Undersecretary of Defense for Personnel and Readiness will submit a report to Congress on the study when it’s completed.
Other cybersecurity provisions in the 2024 NDAA
Harmonization and clarification of strategic cybersecurity program and related matters: Sec. 1501 of the bill designates the Secretary of Defense to appoint a principal staff assistant whose office shall serve as the office of primary responsibility for a new Strategic Cybersecurity Program that will count as its members a host of top brass, including the Vice Chairman of the Joint Chiefs of Staff, commanders of all the military theaters, various officials, and cyber advisors at the Department of Defense. The goal is to provide policy, protection, and oversight of systems, critical infrastructure, kill chains, and processes related to the military’s missions and mission components, including offensive cyber operations, nuclear deterrence, strike, long-range critical strike missions, and homeland missile defense.
Office for academic engagement relating to cyber activities: Sec. 1502 of the NDAA requires the Secretary of Defense, acting through the CIO of the Department of Defense, to establish an office that maintains and oversees any activities of the Department of Defense regarding relationships between the Department and academics, including with entities involved in primary, secondary, or postsecondary education, regarding cyber-related matters.
Accepting voluntary and uncompensated services from cybersecurity experts: Section 1521 of the bill allows the Cybercom commander to accept voluntary and uncompensated services from cybersecurity experts and delegate that authority to the armed forces chiefs.
Modification to pay rates for certain cyber-related positions: Section 1523 of the NDAA seeks to redress the shortage of qualified cybersecurity professionals in the military by bumping up pay grades for specific categories of qualified positions that require cyber expertise by up to 30%. For individuals who possess advanced skills and competencies and perform critical functions that execute the cyber mission of the Defense Department, pay is capped at the basic pay payable for the Vice President, which currently sits at $235,100 annually.
Prohibition on Defense Department purchase of location data and internet records: A last-minute amendment to the NDAA bars the Defense Department from data brokers’ data protected by the Fourth Amendment, such as location information and internet records
What’s ahead for the NDAA budget process
The final vote on the National Defense Authorization Act was a very narrow 219-210, with all but four Democrats voting against it due to social issues, including funding for abortions by military members, inserted into the bill by the GOP House majority. Legislative observers believe that the bill won’t pass in its current form.
However, the bill now heads to the Democrat-controlled Senate, which will likely strike the controversial social issues. Whatever happens in the Senate, it’s unlikely that the NDAA won’t pass by yearend, given that military funding has historically been considered a must-pass for both sides of the aisle. Given their bipartisan nature, it’s also unlikely that the major cybersecurity provisions will be stripped from the bill.
Critical Infrastructure, Government, Military