
Questions over Cyber Command support, operations raised in defense authorization bill

(Air Force Staff Sgt. Brittany A. Chase/DoD)

The House Armed Services Committee gave its stamp of approval to a National Defense Authorization Act bill that will include a bevy of cyber-related reporting provisions as lawmakers seek to better understand how the military is adapting to new threats in cyberspace and implementing past mandates.

On Wednesday the House committee passed an amended version of the FY 2023 NDAA that authorizes $131 billion in spending to bolster research and development for the Department of Defense, requires military leaders to further clarify how they define information operations and to give Congress a 48-hour heads-up before engaging in clandestine cyber operations, and establishes a cyber threat information collaboration environment between DoD, the intelligence community and the Department of Homeland Security.

It would also require the head of U.S. Cyber Command to report on whether it is receiving sufficient support in cyberspace operations from each branch of military service. Rep. Jim Langevin, D-R.I., the outgoing chair of the Subcommittee on Cyber, Innovative Technologies and Information Systems who has played a major role standing up Cyber Command as a unified combatant command, urged his colleagues to continue supporting the agency as it engages in cybersecurity defense and intelligence collection in Ukraine and among allied nations.

“We must continue to provide U.S. Cyber Command the resources it needs to keep us safe in cyberspace while ensuring there are robust oversight mechanisms in place,” said Langevin, who is retiring at the end of this term. “A cyber mission force is a tremendous asset in our arsenal, and in this mark we continue our efforts to ensure our cyber operators have the resources, the training and career trajectories that they need in order to succeed.”

Langevin’s subcommittee mark dangles a stick to entice Pentagon leaders to hand over a joint lexicon of the different terms they use for military information operations, including language that limits the department from accessing more than 75% of funds appropriated for the defense authorization bill until they do so. They also want a comprehensive review of the Cyber Excepted Service — a program that gives military leaders more flexibility to hire, recruit and retain critical cybersecurity personnel, including how easily civilian workers can advance.

It would also require DoD to hire a third-party contractor to examine costs around “underperforming” software and IT. The study would include a survey of members of the armed forces on how relying on this technology leads to lost working hours and impacts mission delivery, look at technical or policy challenges that prevent leaders at each branch from implementing reforms, and recommend improvements.

While the language in the bill doesn’t directly tie those underperformance issues to the need for IT modernization, out-of-date legacy IT systems and hardware have for years been a plague on DoD operations and efficiency. A Government Accountability Office report last year found that 10 out of 15 major IT projects reviewed at DoD had schedule delays ranging from one month to five years. Earlier this year, an open letter published by Michael Kanaan, director of operations for the Air Force/MIT Artificial Intelligence Accelerator, went viral for echoing the frustrations that many in the military feel about the IT environment they operate in daily.

“Want innovation? You lost literally HUNDREDS OF THOUSANDS of employee hours last year because computers don’t work. Fix our computers,” Kanaan wrote, later adding “Ultimately, we can’t solve problems with the same tools that made them … and yet somehow fundamental IT funding is still an afterthought. … It’s not a money problem, it’s a priority problem.”

Amendment fever

As usual, the markup included a raft of cybersecurity-related provisions that were passed through a single En Bloc amendment.

An amendment from Rep. Don Bacon, R-Neb., would require DHS and the Cybersecurity and Infrastructure Security Agency to sketch out roles and responsibilities in cyberspace for each component agency and clarify how those roles would interact in the face of an incident response engagement within the federal government.

Lawmakers are increasingly concerned about the ability of foreign adversaries to leverage facial recognition and other biometric technologies to collect genetic data on American military personnel, which could be used to identify spies and expose clandestine operations. A provision added by Rep. Jason Crow, D-Colo., requires a DoD briefing by March next year on any research efforts within DoD around emerging technologies that can potentially encrypt or scramble that genetic data.

“The committee is aware of ongoing research that applies novel cryptography directly to DNA molecules, significantly enhancing the protection provided for genetic information, reducing the risk of incidental data breaches, supply chain vulnerabilities, and malicious cyber actors,” members noted in a written explanation of the amendment.

Another amendment from Rep. Blake Moore, R-Utah, requests a similar report on how the National Security Agency is managing its Commercial Solutions for Classified Systems program, which allows the intelligence agency to more quickly tap into new or modern private sector commercial technologies. While Moore’s amendment praises NSA for the “success” of the program thus far, it also alludes to griping from some in industry about how responsive the program is to outside advice.

The committee “is aware that some stakeholders from industry have made claims that the CSfC Architecture is not reviewed or updated in a timely manner, and may not incorporate feedback from the private sector,” the explanation for the amendment reads. “While the committee is aware of recent and upcoming updates of CSfC Capability and Annexes, [we believe] that greater clarity on the issue is required.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
