The US Senate passed The National Defense Authorization Act (NDAA) on Wednesday, approving the $768 billion annual defense spending bill that was packed with cybersecurity provisions. The bill now heads to the desk of President Joe Biden.
In an explainer document released alongside the text of the bill, the US House of representatives armed services committee said the cyber provisions in the bill would initiate "the widest empowerment and expansion of CISA through legislation since the SolarWinds incident."
In addition to significantly more cybersecurity investments, the bill gives greater budget authority to the Commander of US Cyber Command, "modernizes" the relationship between the Department of Defense Chief Information Officer and the National Security Agency's components responsible for cybersecurity while also establishing a program office within Joint Forces Headquarters-DODIN to centralize the management of cyber threat information products across the Defense Department.
The bill also mandates the first taxonomy of cyber weapons and cyber capabilities and requires the Defense Secretary to create a software development and acquisition cadre to assist with developing and acquiring software by providing expert advice, assistance, and resources. A grant program created by Congress will fund cybersecurity research in coordination with Israel.
A National Cyber Exercise Program is also outlined in the bill. It will force CISA and other government bodies to test the National Cyber Incident Response Plan and, "to the extent practicable, simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident." An amendment also requires CISA to update its incident response plan at least every two years.
The DOD is now required to submit a report on how its Cybersecurity Maturity Model Certification program affects small businesses, thanks to the bill. Experts also touted the addition of the apprentice program to expand the available cyber talent as well as the Veteran training program.
CISA is given more funding for a program called "CyberSentry" that provides "continuous monitoring of cybersecurity risks to critical infrastructure that own or operate industrial control systems that support national critical functions."
Bill Lawrence, CISO at SecurityGate, said CyberSentry was a somewhat controversial provision because it says CISA "may access all network traffic, including the content of communications, as stored within the CyberSentry stack to further analyze the origins of an alert and/or evaluate the state of the network."
"There are valid reasons for CISA to help protect US critical infrastructure just as there are valid reasons for CI owners and operators to not want government sensors on their networks, as well as valid arguments from security providers that the government is giving cyber services away for free (using taxpayer money, of course)," Lawrence said.
"DHS does include a great deal of privacy considerations in the CyberSentry write-up. It would be helpful to also read about the tactical and strategic objectives of this program and see if rapid information sharing with all CI asset owners and operators is included and help determine if this juice is worth the squeeze on the commercial providers. I have my apprehensions."
But what garnered the most interest was what the bill was lacking, namely a cyber incident reporting provision that was hotly debated and ultimately scuttled at the last minute.
For months, Democratic and Republican Senators jockeyed over the language of a cyber incident reporting provision in the NDAA. In November, two Democrats -- Gary Peters and Mark Warner -- worked alongside two Republicans -- Rob Portman and Susan Collins -- to introduce a new amendment to the NDAA that would have forced critical infrastructure owners and operators as well as civilian federal agencies to report all cyberattacks and ransomware payments to CISA.
But by December, The Washington Post reported that Florida Senator Rick Scott took issue with the ransomware reporting provision and called it too broad, asking senators to limit the language to enterprises in the 16 critical industries. Sources told CyberScoop's Tim Starks that debate over the ransomware language ran too long, and negotiators in the House and Senate ended up leaving the entire provision out.
Lawrence noted that some companies had issues with reporting breaches or ransomware attacks within 72 hours of discovery and ransom payments within 24 hours of payout. He explained that smaller organizations do not have a 24/7 security operations center available to them, limiting their ability to respond to such incidents, much less telling the US government what is happening during incident response.
Rep. Bennie Thompson and Rep. Yvette Clarke noted that cybersecurity incident response legislation was included in the House NDAA, which passed in September. The two -- who respectively serve as Chairman of the Committee on Homeland Security and Chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation -- explained in a statement that there were intensive efforts to get cyber incident reporting in the bill but "ultimately the clock ran out on getting it in the NDAA."
"There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline. This result is beyond disappointing and undermines national security," Thompson and Clarke said.
"We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President's desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA. We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward."