NDAA Improves Military Cybersecurity but Fails on Broader Reform before November Midterms
The Senate passed the 2019 National Defense Authorization Act (NDAA) on Monday. While the bill made advancements in our military cyber-capabilities and deterrence against foreign cyber operations, it lacks significant improvements to cybersecurity for critical infrastructure that is continuously targeted by foreign state actors — and could be a target of the November midterms.
A comprehensive approach to cybersecurity that extends beyond the military is vital because cyberwarfare is not limited to military targets. Cyber-attacks can be used to cripple access to power; disrupt financial markets; and manipulate elections, which can both harm citizens and undermine their faith in government and institutions. Election security is of particular concern to Americans given recent election manipulation and the upcoming midterm vulnerabilities, as Secretary of State Pompeo has warned.
As the pace of cyber-attacks on U.S. critical infrastructure continues to increase, the Department of Homeland Security released a new cybersecurity strategy last month that cites a more than ten-fold increase in U.S.-targeted cyber-attacks between 2006 and 2015. In March, the Trump administration accused Russia of targeting U.S. “energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors,” for which it imposed sanctions on five Russian entities and 19 individuals, also citing Russia’s cyber activities to interfere in the 2016 election. And earlier this month, the administration slapped more sanctions on Russian companies and individuals for perpetrating cyberattacks, including the 2017 NotPetya cyber-attack, which cost companies more than $1.2 billion worldwide. This threat necessitates a comprehensive approach to cybersecurity that encompasses critical infrastructure.
Some senators are taking notice. A group of senators recently pressured the Trump administration on how it responds to cyberattacks, and there is bipartisan frustration regarding the lack of senior cybersecurity leadership throughout the U.S. government. Senators also tried to attach amendments to NDAA that would have addressed gaps in U.S. cybersecurity that make our government agencies and elections vulnerable. These included an amendment introduced by Senator Heinrich (D-NM) that mandated the president appoint a cybersecurity coordinator at the White House, and another, the Secure Elections Act, proposed by Senator Lankford (R-OK), that would have improved information sharing throughout government and between the federal, state, and local levels on cyber threats to elections. Unfortunately, these amendments were not adopted.
With the NDAA failing to enact more comprehensive cybersecurity reform, one of Congress’s best chances of passing cybersecurity reform for critical infrastructure in the near-term rests with legislation to reauthorize the Department of Homeland Security (DHS). Included in this legislation is the Cybersecurity and Infrastructure Security Agency Act, originally introduced by Chairman of the House Homeland Security Committee McCaul (R-TX) and passed in the House in December. This bill, which the Alliance for Securing Democracy included in its ten legislative steps needed to protect the United States from malign foreign interference, consolidates the work of the current National Protection and Programs Directorate (NPPD) that protects federal network and critical infrastructure from both physical and cyber-attacks, transforming it into an operational agency named the Cybersecurity and Infrastructure Security Agency.
Even though DHS has become one of the government’s key cybersecurity authorities and is tasked with securing critical voting infrastructure, numerous government agencies oversee elements of the U.S. government’s cyber response. This leads to jurisdictional jockeying within the administration and on the Hill regarding who has the lead on cyber-related issues. This dysfunction may be impacting the legislation’s prospects for passage, serving to balkanize the U.S. government’s cyber response and impede a coherent cyber defense to malign foreign cyber activity against our critical infrastructure.
Passing McCaul’s legislation is one way to improve national cybersecurity and the security of critical infrastructure; however, it is not a panacea. More needs to be done to improve the security of our critical infrastructure, including greater coordination and information-sharing between DHS and critical infrastructure operators, implementing redundancies, increasing education on cyber hygiene and best practices, and securing supply chains. Congress should also work in a bipartisan manner with DHS to ensure all critical infrastructure operators have the resources they need, especially states that have requested federal assistance to secure electoral infrastructure from cyberattacks before November 8.
Looking further ahead, the norms and cybersecurity tools and defenses we establish in the coming years will be critical in defining our trajectory relative to a rising China, a resurgent Russia, and other state and non-state adversaries that possess offensive cyber capabilities. Policymakers will need to think about how America will respond to cyber-attacks in order to deter them and establish norms that prevent their escalation. The U.S. government must also anticipate the cyber threats of tomorrow — whether ongoing attacks on critical infrastructure, cryptocurrencies that allow for sanctions evasion, or intellectual property theft that undermines our economy’s comparative advantage — and project a coherent deterrent. The earlier we begin reforming our cyber apparatus, the better equipped we will be in the future.