National Defense Authorization Act

A new National Defense Authorization Act (NDAA) has been signed by President Trump, and it contains provisions for cybersecurity that are a good first step in building a comprehensive infrastructure for national cybersecurity defense. The informal ban on Kaspersky products has become formal. Section 1634 makes the Kaspersky ban official for the Defense Department, with a compliance deadline of October 2018. The ban includes any and all products and services owned by Kaspersky Lab, along with software developed by its subsidiaries.

The definition of what a cyberwar is has always been a murky subject (you can read about it here), but going forward there will be a definition of what a cyberwar is in Section 1633. Furthermore, the policy will lay out what plans, powers and roles each federal agency has when reacting to a significant cyber attack. The policy is going to be “multi-prong”, including deterrence, defensive and offensive strategy. Currently there is no deadline for the policy to be completed, but it is being developed alongside a loosely related comprehensive National Security Strategy.

Current cybersecurity efforts are decentralized within the Pentagon, compartmentalized into separate groups, but Sections 1641, 1644, and others are designed to change that. There are several references to the need for Pentagon leadership to consider changes to the internal organizational structure around its multitude of cybersecurity missions. The language in these sections appears to be an attempt by Congress to force the Pentagon to find a solution to better respond to attacks, coordinate a response and collaborate on cybersecurity threats. Under the new NDAA, the Defense Secretary will be required to review and come up with a plan for how the department can integrate and better organize its cybersecurity capabilities and responsibilities.

A cyber scholarship program has been outlined in Section 1649 that tasks the National Science Foundation and the Office of Personnel Management with launching a joint scholarship program involving five to 10 community colleges. The purpose is to educate and recruit skilled professionals out of universities. Also, a minimum of five percent of the total funds available for financial assistance under the NDAA is to be applied to cyber education programs, including K-12 schools.

Section 1641 states that the US needs a stronger plan in place to counter Russian information operations, such as those that occurred during the 2016 election. The Defense Secretary will design a plan for Congress that outlines how the Pentagon will deter, counter and mitigate information operations that target US citizens.

In Section 1642, US Cyber Command will re-evaluate how it develops hacking and defensive cyber tools. The leader of US Cyber Command, the NSA director, will explore “alternative methods for developing, acquiring, and maintain software-based cyber tools and applications.” The idea is to decrease costs, speed up development and improve effectiveness. Section 1642 might be delayed by Section 1648, which stipulates that Pentagon leadership must submit a report by May 2018 detailing the operational and budgetary impact of ending the dual-hat arrangement under which the NSA Director also serves as the head of US Cyber Command.

Source: Cyberscoop and