Final defense policy bill chock full of cybersecurity provisions

Lawmakers filed a compromise version of their annual defense policy bill on Tuesday that includes several major provisions for U.S. Cyber Command.

The House will vote this week on the fiscal 2023 National Defense Authorization Act, which would okay a total of $858 billion in funding. The Senate is expected to quickly follow.

Here’s a rundown of what did (and didn’t) make it into the must-pass policy blueprint:

  • The bill authorizes a $44.1 million funding boost for Cyber Command’s “hunt forward” missions. Cyber personnel have deployed to Ukraine, Lithuania and Croatia (and likely other countries) this year.
  • The bipartisan measure would codify into law the State Department’s cybersecurity bureau, which launched earlier this year and is helmed by the first Senate-confirmed cyber ambassador.
  • The legislation directs the Defense secretary to provide lawmakers with an annual briefing about the relationship between Cyber Command and the National Security Agency, a connection that was recently under the microscope.
  • The NDAA would create an Assistant Secretary of Defense for Cyber Policy position at the Pentagon — a move the Biden administration previously objected to.
  • The bill provides Cyber Command new powers to conduct offensive digital operations, with presidential approval, in response to an “active, systemic and ongoing” attack against the U.S.
  • The policy roadmap directs the intelligence community to maintain a detailed list of foreign spyware vendors that pose a potential counterintelligence threat to the U.S. and grants the Office of the Director of National Intelligence the power to prohibit spy agencies from using or purchasing such software.
  • It also mandates a biennial, unclassified report through the 2032 election cycle on Cyber Command’s election security efforts.
  • Notably cut from the bill was a proposal to designate the most vital U.S. critical infrastructure as “systemically important entities,” which would have required operators to enact strong digital security standards and share threat intelligence with the government in return for federal support. It was originally a recommendation by the Cyberspace Solarium Commission.

Martin Matishak

Martin Matishak is a senior cybersecurity reporter for Recorded Future News. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.
