Final defense policy bill chock full of cybersecurity provisions
Lawmakers filed a compromise version of their annual defense policy bill on Tuesday that includes several major provisions for U.S. Cyber Command.
The House will vote this week on the fiscal 2023 National Defense Authorization Act, which would okay a total of $858 billion in funding. The Senate is expected to quickly follow.
Here’s a rundown of what did (and didn’t) make it into the must-pass policy blueprint:
- The bill authorizes a $44.1 million funding boost for Cyber Command’s “hunt forward” missions. Cyber personnel have deployed to Ukraine, Lithuania and Croatia (and likely other countries) this year.
- The bipartisan measure would codify into law the State Department’s cybersecurity bureau, which launched earlier this year and is helmed by the first Senate-confirmed cyber ambassador.
- The legislation directs the Defense secretary to provide lawmakers with an annual briefing about the relationship between Cyber Command and the National Security Agency, a connection that was recently under the microscope.
- The NDAA would create an Assistant Secretary of Defense for Cyber Policy position at the Pentagon — a move the Biden administration previously objected to.
- The bill provides Cyber Command new powers to conduct offensive digital operations, with presidential approval, in response to an “active, systemic and ongoing” attack against the U.S.
- The policy roadmap directs the intelligence community to maintain a detailed list of foreign spyware vendors that pose a potential counterintelligence threat to the U.S. and grants the Office of the Director of National Intelligence the power to prohibit spy agencies from using or purchasing such software.
- It also mandates a biennial, unclassified report through the 2032 election cycle on Cyber Command’s election security efforts.
- Notably cut from the bill was a proposal to designate the most vital U.S. critical infrastructure as “systemically important entities,” which would have required operators to enact strong digital security standards and share threat intelligence with the government in return for federal support. It was originally a recommendation by the Cyberspace Solarium Commission.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.