A House Armed Services subcommittee that oversees cyber security issues on Sunday released its planned markup of its portion of the next defense authorization bill. The markup includes provisions similar to those being proposed by the Senate Armed Services Committee (SASC), such as a requirement that the Defense Department assess threats and risks posed by quantum computing to national security systems and a review of how the National Guard is used to respond to cyber-attacks.
But, unlike the SASC, the House Armed Services (HASC) Subcommittee on Intelligence, Emerging Threats and Capabilities doesn’t address a recent report’s recommendation to create a National Cyber Director (NCD) within the executive branch and it doesn’t direct DoD to review how to get the nation’s defense industrial base (DIB) to do more to share information about cyber security threats it encounters.
Due to “cross jurisdictional challenges” within the House, the subcommittee didn’t take up the recommendation for an NCD that was made by the Cyberspace Solarium Commission in its bipartisan report, a committee aide told reporters last Friday during a background call on the markup, which is scheduled for Monday at 11 a.m. ET. The aide said the markup isn’t a “reflection of the views on the National Cyber Director but rather a reflection of the way in which we maneuver the bill through our process.”
The SASC, which earlier this month marked up its version of the fiscal year 2021 National Defense Authorization Act (NDAA) but has only released a summary, wants an independent study done of the “feasibility and advisability” of having an NCD. The commission recommends that the position be Senate-confirmed.
The SASC also followed the commission in calling for finding ways to incentivize the DIB to expand its sharing of cyber threat information. A committee aide for the House panel pointed to a section of the FY ’20 NDAA that directs DoD to develop a “comprehensive framework to enhance cybersecurity” of the DIB that would include “standards, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.”
The HASC committee aide pointed out that the FY ’20 defense bill is only six months old and that, while the department has reported to Congress on some of its deadlines, it still needs “space” to complete its work on the framework. This includes work the department is doing to protect the cyber security of the supply chain through its Cybersecurity Maturity Model Certification to create standards and best practices for the DIB to comply with, the aide said.
The HASC panel in its latest proposed markup also doesn’t require a force structure assessment in DoD’s quadrennial cyber posture review as proposed by the SASC because the FY ’20 NDAA includes direction on the cyber posture review to allow the government to “reevaluate every four years on cyber posture,” the committee aide said.
In its planned markup related to threats from quantum computing, the Intelligence, Emerging Threats and Capabilities panel wants the DoD assessment to identify vulnerable national security systems, quantum-resistant cryptographic standards, alternative quantum-resistant models and any funding shortfalls in the public and private sectors to develop these models, and recommendations for countering threats posed by quantum computing.
Other cyber security related provisions in Monday’s markup include directing the Navy to assess its Cyber Warfare Development Group (NCWDG) and ways to improve and strengthen it. Markup language also calls for the other military services and Special Operations Command to establish organizations similar to the NCWDG.
The HASC panel also directs cyber workforce initiatives, including having DoD civilians who do cyber security work help address the nation’s cyber workforce shortage and ways to improve training with industry. The pending markup also wants a DoD review of current collaborative efforts between the department and private sector on cyber security and defense of critical infrastructure and ways this can be improved.
For the National Guard, the subcommittee wants a review of how it currently is used in response and recovery from “significant cyber incidents.” The review will include how the National Guard works with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the FBI.
The markup will also call for an “evaluation of non-traditional cyber support” for DoD to include a “dedicated reserve cadre specific to United States Cyber Command and Cyber Operations Forces.” It also wants an assessment of current reserve and National Guard support to Cyber Operations Forces.