In a Congress where gridlock often reigns supreme and there are precious few “must-pass” bills, the annual defense authorization process has quickly become a vehicle for members to insert preferred legislation that might not otherwise get a full hearing or vote.
Nowhere has that been more true than for cybersecurity policy, where legislators have used the NDAA to create new federal offices, programs and funding opportunities for the private sector and critical infrastructure. With more than 1,100 amendments submitted to the House Rules Committee (usually a bill’s last stop before a full floor vote) here’s a guide to some of the most important cybersecurity provisions.
Office of Cybersecurity Statistics
Rep. Jim Langevin, D-R.I., will retire from Congress later this year as one of the most influential cybersecurity legislators ever, but he’s working to put one last stamp on that legacy through what will be his last NDAA. Chief among those efforts is a provision to create an Office of Cybersecurity Statistics at the Cybersecurity and Infrastructure Security Agency (CISA) that can process, analyze and share the massive amounts of incident reporting data the agency will start receiving from businesses and critical infrastructure in the next few years.
He will also seek to add language that would mandate the Department of Homeland Security further classify and prioritize the protection of “systemically important” critical infrastructure, an idea he and colleague Rep. John Katko, R-N.Y., have been pushing since last year (Katko is also retiring). Even if the amendment doesn’t make it into the final version of House legislation, CISA Director Jen Easterly has said she likes the idea and has been working to implement it within the agency.
And Langevin has partnered with Rep. Mike Gallagher, R-Wis., on an amendment that would create new Critical Technology Security Centers that would focus on evaluating and testing the security of technologies deemed to be central to national security. It would include information and communication technologies that support national security functions, industrial control system equipment like programmable logic controllers and SCADA systems, open source software underpinning national critical functions and the security of federal software systems.
Also back again is a bill that would limit the director of CISA to a five-year term. The legislation is a direct response to President Donald Trump’s decision to fire his CISA director, Chris Krebs, in the wake of the 2020 presidential election for his failure to endorse false and debunked claims of election fraud. Some members of Congress have said they would like to see the position treated similar to the FBI, where the director serves a fixed 10-year term. It’s worth noting that Trump also fired his FBI director, and nothing in this amendment would legally prevent a future president from doing the same to CISA’s leader.
“With cyberattacks on the rise, CISA, the lead federal civilian cybersecurity agency for the United States, needs consistent and stable leadership presiding over our nation’s cyber preparedness,” lead sponsor Andrew Garbarino, ranking Republican on the House Homeland Security’s cyber subcommittee, when introducing the bill last year. “This bipartisan bill will remove any uncertainty from the CISA director role so that the director can focus squarely on strengthening our cyber posture.”
Some lawmakers are also seeking to rein in Department of Defense actions in cyberspace. A bill from Rep. Abigail Spanberger, D-Va., would prevent the secretary of defense from authorizing information operations in a foreign country without first informing the U.S. chief of mission for that, usually an ambassador, and obtaining their consent first. Such information operations could include both offensive cyber operations to disrupt or degrade a foreign government’s systems or in the defense of U.S. systems.
Similarly, Rep. Seth Moulton, D-Mass., has submitted a proposal that would force military leaders to provide Congress with an update on efforts to use authorities provided in last year’s defense authorization to create tailored cyberspace operations organizations within different branches of DoD.
Emerging tech, procurement and the supply chain
Lawmakers continue to seek further limits and reporting on how the military and other agencies buy and use unmanned aerial drones. Reps. Gallagher, R-Wis., Joe Courtney, D-Conn., Vicky Hartzler, R-Mo., and Val Demmings, D-Fla., are attempting to insert the American Security Drone Act, which would bar the federal government from purchasing drones from companies based in China or who are otherwise classified as a U.S. national security risk.
Rep. Brad Sherman, D-Calif., is proposing to vest the secretary of the treasury with the authority to prohibit cryptocurrency trading platforms from doing transactions with users based in Russia. With cryptocurrencies having a major impact on everything from ransomware and money laundering to terrorism financing, Rep. Darren Soto, D-Fla., has sponsored a pair of amendments that would add distributed ledger technologies to the curriculum for software and cybersecurity acquisitions and list them as a covered technology for prototype and demonstration energy resilience projects.
Another from Oklahoma Republican Reps. Irene Bice and Markwayne Mullin would require military leaders to submit a report on how to accelerate domestic production of rare earth metals that are used to make semiconductor chips, batteries and other components essential to computer manufacturing, including specific contract commitments across DoD. Disruptions to the supply chain caused by COVID-19 and other events over the past two years have led to shortages of computer chips, cars and other products, and much of the world’s semiconductor supply can be sourced to a single company based in Taiwan.
Those shortages, and longstanding concerns around a possible Chinese invasion of Taiwan, have pushed Congress and executive branch agencies to reconsider how they plan to access the critical rare earth metals in the future. Rep. Kat Cammack, R-Fla., has also filed an amendment that would task the Pentagon, the Department of State and other agencies to study Taiwan’s cybersecurity defense and resilience capabilities. Some have attributed the perceived lack of cyber operations in the Russia-Ukraine war to Ukraine’s robust cybersecurity posture after years of digital attacks directed against them by Moscow. U.S. leaders are keen to see if Taiwan is capable of a similar advantage against the threat of Chinese operations in cyberspace.
