The final version of the defense authorization bill for fiscal year 2018 calls on the White House to develop a national cyber warfare policy and directs the Department of Defense to address lagging information technology (IT) modernization efforts.
Conference negotiations on the final version of the $700 billion fiscal year 2018 National Defense Authorization Act (NDAA) concluded Wednesday, and the final bill will fully fund $8.7 billion for DoD cyber operations.
“The committees have long expressed their concern with the lack of an effective strategy and policy for the information domain, including cyber, space, and electronic warfare,” the Senate Armed Services Committee (SASC) wrote in its summary of the completed bill. “The conferees believe that it is long past time that the federal government develops a comprehensive cyber deterrence strategy, and it is the role of the Congress to guide and impel the creation of that strategy.”
Previous NDAA directives instructed the White House to deliver a comprehensive cyber warfare strategy detailing the structure and responsibilities of protecting critical infrastructure. However, SASC wrote it found the subsequent results insufficient.
The conference defense bill requires the president to develop a national cyber strategy, including when the use of offensive capabilities is authorized and the U.S. would respond to an attack in cyberspace.
The bill also authorizes a $1.7 billion increase in funding from the previous fiscal year for DoD cyber operations.
A priority is placed on DoD to fix its approach to IT modernization, and reduces authorized funding for under-performing programs that rely on outdated legacy IT systems.
“While the DoD has committed billions of dollars to systems that would empower the warfighter with a common picture of communications, command, and control in order to manage operations within and across all domains, the Department and its partners in the defense IT industrial base have been unable to deliver many of these capabilities,” according to SASC. “Similarly, DoD’s investments in business systems are often fragmented, with the military services developing their own custom solutions to common business problems that have ready and available solutions in the commercial marketplace.”
Legislators pushed for DoD to adopt incremental development into modernization efforts, and included stipulations in their bill granting greater authority to the department’s Chief Information Officer.
The NDAA requires the DoD CIO position be presidentially-appointed and Senate-confirmed and the it will oversee the development of offensive and defensive cyber capabilities, set standards for protecting the information domain and certify military budgets meet department-wide IT needs.
The bill grants greater congressional oversight of DoD cyber initiatives, and directs the Defense Secretary to establish strategic cyber security programs to protect the resiliency of offensive cyber systems,long-range strike systems and nuclear systems.
The Defense Secretary is also required to conduct a full cyber posture review of the entire department and inform Congress of a planned cyber deterrence strategy.
“The NDAA enhances congressional oversight of sensitive military cyber operations and cyber weapons by promoting greater transparency and accountability to Congress for some of the most classified elements of our national defense,” the House Armed Services Committee wrote in its summary of the bill. “As offensive and defensive cyber capabilities evolve, it is imperative to establish clear standards, processes, and procedures for notification to Congress of sensitive operations to assure the appropriate oversight.”