NDAA Negotiations Will Determine Success of Several Cyber Solarium Goals
Influence from major industry threatens once again to thwart lawmakers’ attempts to realize their policymaking goals through the annual defense authorization bill.
The most ambitious recommendations of a congressionally mandated commission on improving the nation’s cybersecurity will likely be reduced to—at most—just another report on the issue, but there are still a number of consequential provisions being considered for inclusion in this year’s National Defense Authorization Act.
Congress created the Cyberspace Solarium Commission in the 2019 NDAA. The group, which included lawmakers from across the political spectrum, as well as leaders from the federal government and major industry representatives, agreed on a path forward for cybersecurity, as articulated in a March 2020 report detailing 75 recommendations. Lawmakers on the commission committed to including as many of the recommendations as possible in subsequent NDAAs.
This year, as industry groups continue efforts to defeat the commission’s NDAA contributions, some big tech companies are making a concerted push to increase the government’s acquisition of information and communications technology by supporting provisions to cultivate faster procurement practices.
One often cited example of such practices is the use of contracting vehicles such as Other Transaction Authority agreements. These agreements allow acquisitions personnel to bypass the Federal Acquisition Regulations, on which the implementation of President Joe Biden’s May 2021 executive order on cybersecurity heavily relies.
But not all of the Solarium Commission’s material recommendations are entirely doomed. The last vestiges of the group’s surviving proposals may yet come to fruition, along with two significant related provisions included in the House bill by lawmakers outside the Solarium Commission’s circle.
Congressional members of the Solarium Commission—outgoing Rep. Jim Langevin, D-R.I., Rep. Mike Gallagher, R-Wis., and Sen. Angus King, I-Maine—along with outgoing Rep. John Katko, R-N.Y., formed the main driving force that established the Office of the National Cyber Director and increased funding and authorities for the Cybersecurity and Infrastructure Security Agency in previous years.
Linchpin Solarium proposal getting scrapped
But a proposal at the center of the Solarium Commission’s report—that a set of “Systemically Important Critical Infrastructure” entities put essential protections in place and allow government visibility into their operations in exchange for a legal-liability shield and federal assistance in the event of a cyberattack—appears headed for the wastebasket in this year’s NDAA negotiations.
“We're trying to make it so that they at least [call for] a study on what the right elements are, that should be SICI, so that people understand who we're talking about, and I don't even know if that'll happen,” Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, told Nextgov, referring to sec. 1507 of the House bill, which he said is the version House lawmakers are using in negotiations with senators.
Montgomery—a former aide to the late Sen. John McCain who served as executive director of the Solarium Commission over its two-year duration—has continued working through the think tank with Solarium lawmakers on turning the commission’s recommendations into law.
Despite initial sign-off from private-sector leaders on the Solarium proposal, “industry is just generally opposed to [the SICI initiative],” he said.
Montgomery said he was particularly frustrated by the finance sector’s opposition to inclusion of the legislation in the NDAA, noting such entities’ dependence on major information technology providers, which—unlike finance, healthcare and other sectors of critical infrastructure—are generally unregulated for cybersecurity.
“It's causing us to obviously miss fixing the cloud service providers,” he said. “We have a big chunk of the ecosystem out there without any kind of floor on cybersecurity.”
Software industry trying to control the federal acquisition process
In a Sept. 14 letter to lawmakers, trade associations—collectively representing big information and communications technology companies like Microsoft, as well as internet service providers like AT&T—opposed Sec. 6722 of the House bill. That provision was also inspired by a Solarium Commission recommendation, along with requirements stemming from Biden’s May 2021 executive order responding to the infamous SolarWinds hacking campaign. It instructs DHS to guide agencies toward asking prospective contractors to submit a software bill of materials, or SBOM.
And an Oct. 20 letter to lawmakers from the Alliance for Digital Innovation—which represents AWS, Google Cloud, VMware and several cybersecurity companies—urged Congress “to remove the SBOM language from the NDAA and give industry and agencies more time to develop solutions that will better secure the country’s cybersecurity supply chain.”
A major focus of that executive order was on agencies securing their software supply chains by gaining visibility into the practices of software vendors like SolarWinds. The Office of Management and Budget allowed agencies to ask for evidence, such as SBOMs, to support security claims from their vendors, but OMB, along with the National Institute of Standards and Technology, suggested agency procurement officers err on the side of taking vendors at their word. Changes are coming soon to the Federal Acquisition Regulations under the Biden order.
Some argue documenting the providers’ claims could be enough to hold them accountable in the event of an incident and thereby incentivize secure software development practices. Rep. Bill Foster, D-Ill.—chair of the oversight and research and technology panels on the House Science Committee—would like for at least the National Credit Union Administration to take a more proactive approach. Foster managed to attach an amendment to the House bill that would “empower NCUA to oversee the cybersecurity practices of third party vendors employed by the entities under their purview,” according to a list of approved amendments provided by the House Armed Services Committee.
The chorus call for SBOMs grew after SolarWinds hackers compromised at least nine federal agencies and 100 companies. Although CISA was initially tasked by the Biden order to autopsy the event, the agency’s Cyber Safety Review Board instead examined the implications of security vulnerabilities discovered in the popular open-source library Log4J.
A provision sponsored by Rep. Ritchie Torres, D-N.Y.—Sec. 5213 of the House bill—would ensure CISA dissects the SolarWinds event for a full understanding of the hackers’ reach into agencies’ networks and lessons to mitigate the impact of similar attacks in the future.
Industry trying to get inside the federal workforce
ADI’s Oct. 20 letter also supported changes to the Federal Risk and Authorization Management Program for cloud services—Sec. 5911 in the House bill—and inclusion of the AGILE Procurement Act, which would fast track agencies’ software acquisition.
The aim of the AGILE Procurement Act, which is not currently included in the NDAA legislation, is “to foster more resilient supply chains, provide access to a wider pool of qualified vendors and increase opportunities for participation of new, small and nontraditional businesses in the procurement process, in addition to addressing other barriers,” according to the bill text.
The ADI letter also pushed for workforce development programs that would allow industry personnel to do short term stints in the federal government, including as procurement officials.
The American Federation of Government Employees is adamantly opposed to the National Digital Reserve Corps—included in the House bill by Rep. Tony Gonzales, R-Texas—and other provisions that aim to improve the technological proficiency of the federal government by allowing such stints within agencies. The union argues such programs don’t consider the needs of federal agencies, while bypassing rules on competitive hiring practices and creating potential conflicts of interest stemming from a lack of public disclosure.
“The House has one where it's defined by the [General Services Administration], and I have a real problem with that, because I think it should be within the executive agency itself to determine 'do they really have a need for someone with certain skills and for what period of time,'” John Anderson, a lobbyist for the union, told Nextgov, referring to the Gonzales provision.
In previous years, Anderson described the proposed GSA-run digital service corps as a boondoggle that would “be no more than an opportunity for private interests to obtain inside information from the government and train its workforce through access to governmental programs, without having to compete for a contract to work on those programs.”
This year, a Senate amendment sponsored by Sens. Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn.—which would create a similar workforce program at CISA to be activated in response to cybersecurity incidents—was among those included for the upcoming negotiation process with the House, according to a list provided by Senate Armed Services Committee staff.
Solarium Commission recommendations still viable
Also up for debate, as lawmakers look to reconcile House and Senate versions of the Defense bill, are provisions that would codify a bureau of cybersecurity at the State Department through the Cyber Diplomacy Act and establish a five-year term limit and appointment processes for the CISA director.
The latter of those—sponsored by New York Republican Rep. Andrew Garbarino—could be especially important for CISA’s election security and disinformation-control responsibilities. This was highlighted by then-President Donald Trump’s firing of former CISA Director Chris Krebs, after he refused to cave under pressure to say there were irregularities with Democrats’ victory in the 2020 presidential election.
Lawmakers will also consider Sec. 1504 of the House bill, which instructs the secretary of Homeland Security to establish a cyber threat information collaboration environment, wherein public and private-sector entities “may” contribute, collect and analyze information through the use of a variety of tools, including sensors, which the government would pay for.
The provision would give the DHS secretary the ultimate power to decide which private-sector entities could have access to classified information shared by the National Security Agency and others in the intelligence community. The national cyber director would have a leading role in designing the environment and would be able to appoint advisors from the private sector to guide him on the issue.
At this stage, Senate leaders have whittled down a list of more than 900 amendments their colleagues proposed for the House bill to about 75 and are moving forward with the process of reconciling the chambers’ two versions into a final bill for the president’s signature. Lawmakers will have their hands full when they return from a recess for the midterm elections next week.