National Defense Authorization Act – Cyber Security is Important, But What’s the Plan?

In mid-December 2017, the White House signed the $700 billion National Defense Authorization Act (NDAA).  The law sets policies and budget guidelines for the U.S. military for the next fiscal year, including cyber-related projects and initiatives. While established cyber programs are bolstered by the Act, the 2018 NDAA proscribes some new efforts.  For example, all Kaspsersky products and services (including from company subsidiaries) are prohibited across the Department of Defense (DoD), an initiative working in tandem with the Department of Homeland Security’s (DHS) push to ban Kaspersky from federal government offices.  Similarly, in an effort to safeguard U.S. communications channels from cyber risks, the NDAA forbids the acquisition of satellite technology from a foreign country or any company affiliated with one.  These mandates are important as they acknowledge the potential threats that exist when acquiring technologies and/or services from sources outside a secure chain.

Of particular note, is a provision that could force the federal government to upgrade its out-of-date IT systems. The Modernizing Government Technology Act (MGTA), which was enacted in tandem with the NDAA, creates a $500 million fund over the course of two years to be used for modernizing legacy IT systems.  Trying to secure old and outdated legacy systems has been thorn in the side of government cyber security efforts.  In 2016, 71 percent of federal IT system administrators used old operating system to run important applications.  The MGTA will provide necessary funding to address these technical shortcomings.

From an offensive cyber capability standpoint, the DoD Secretary will provide a plan to Congress that highlights a strategy of how the military will deter, counter, and mitigate information operations targeting U.S. citizens.  Coming on the heels of the 2016 U.S. presidential election where fake news and disinformation gained so much prominence, and whose impacts on the voter calculus are still being determined, a strategic plan forward is an important initiative particularly as social media and Internet media sources are now viewed as potential potent influencing agents.

The White House is still expected to develop a national policy for the United States that addresses “all things cyber” (ie, cyber security, cyber warfare, cyberspace).  According to reporting, the policy should clearly define what plans, policies, and roles that federal agencies have when reacting to a significant cyber attack, a necessary implementation particularly as national level cyber security roles, responsibilities, and missions remain muddied and overlapping.  While this is a promising development, particularly as early indications are that such a policy will likely be multi-pronged rather than being one-dimensional, there is concern that there is no deadline for the creation of this policy.  The United States succeeds in developing broad strategic cyber plans, but is challenged when it comes to successfully implementing these plans.  This is worrisome especially when global competitors like China are passing necessary cyber-related legislation and enforcing punitive measures for compliance failure to bolster their security profiles.  China has already implemented a national-level plan to respond to serious cyber attacks, a move to increasingly fortify defenses from internal and external cyber threats.  Primary competitors seem to moving forward while the United States appears stuck in bureaucratic limbo.

When it comes to establishing a cyber warfare strategy, the White House appears hesitant to commit to any particular direction.  The president objected to this course of action as it inhibits the Executive Office’s ability to negotiate on its terms, and not be held “hostage” by Congress.  While the president did implement Executive Order 13800 in May 2017 intended to set guidance on strengthen the cyber security of federal networks and critical infrastructure, there have been few updates as to where this effort stands and what progress has been made.  Among the most notable cyber security advancements since the new Administration took over have been the potential renaming of DHS’ National Protection and Programs Directorate (NPPD) to the Cyber Security Agency, and the elimination of the Department of State’s Office of the Coordinator for Cyber Issues.  Passed in the House, the bill to rename NPPD would command a “Director of National Cybersecurity and Infrastructure Security to lead national efforts to protect and enhance the security and resilience of US cyber-security, emergency communications, and critical infrastructure.”  Currently, cyber authorities remain across several federal agencies.

Addressing the complex nature of cyber space and all that it entails remains a puzzling endeavor for the United States.  While there is a consensus that the United States is a cyber force from an offensive operations perspective, cyber security and network defense remains an elusive goal, a troublesome reality for a government and country that relies on technology for its continued economic, military, and social advancement and global standing.  The President in the recently released national security strategy acknowledged cyber security as an imperative.  This is promising, but one major hurdle facing national level efforts is that by the time strategies are developed and enacted, they are already outdated for the period in which they go into force.   And this lies the problem with cyber strategies – they are generally positioned to address the cyber landscape of the present, rather than poised to address the future.  The is part of the equation that must be fixed with concrete steps that can be measured and accountability enforced for any setbacks.  Otherwise, we will find ourselves repeating what we already know without any real understanding of how to correct our mistakes.

This is a guest post written by Emilio Iasiello