Acquisition and compensation reform dominated the 2016 defense authorization bill’s reconciliation process, but the final bill highlights a growing concern about cyber threats, giving rise to new funds and laws meant to beef up the U.S. military’s own capabilities in cyberspace.
“This domain of modern warfare continues to grow in scope and sophistication,” the conference bill summary states. “The country has witnessed recent, bold cyber-attacks against OPM (the Office of Personnel Management), Google, large financial institutions, congressional computer systems and the Pentagon. Congress has a responsibility to address this evolving threat, and this includes taking action to update and improve the national security authorities, organizations, and policies necessary to do so.”
Some of the most exhaustive changes include new language that gives limited acquisition powers–and a $75 million budget–to the head of Cyber Command to buy goods and services that aren’t otherwise purchased by the services. The bill also codifies a more formal acquisition structure for Cyber Command, which will be able to name a command acquisition executive and hire its own acquisition personnel.
Additionally, the bill would expand the rapid acquisition authorities of the defense secretary, allowing him or her to procure offensive or defensive cyber capabilities to counter an attack that could cause loss of life or severe economic effects.
If signed into law, the 2016 National Defense Authorization Act would create a $400 million technology offset fund for areas such as cyber, directed energy, autonomous, advanced munitions and undersea warfare.
Safeguarding current and future weapons and information technology systems from intrusions makes up a large portion of the cybersecurity-related language. The bill would require the department to assess whether the Open Trusted Technology Provided Standard, or a similar set of standards that guard against counterfeit components, is effectively applied to IT products.
It also directs the department to evaluate the vulnerabilities of major weapons systems and create a plan for mitigating those risks by the end of 2019. Last week, Deputy Defense Secretary Robert Work told the Senate Armed Services Committee that the Pentagon’s acquisition chief, Frank Kendall, had already begun that effort (Defense Daily, Sept. 29).
In an attempt to improve information sharing between private entities and the government, the NDAA contains liability protections that would apply to certain defense contractors that report an intrusion to the government, as well as language that would limit what information could be shared among government agencies.
The proposed legislation would increase the number and frequency of cyber-themed wargames, mandating biennial exercises where the Defense Department and other government agencies respond to cyber attacks against critical infrastructure. Congress also instructed Cyber Command to conduct a series of wargames meant to test U.S. capabilities against a simulated large-scale cyber attack similar to one that could be conducted by Russia, China, Iran or North Korea.