WASHINGTON ― Pointing to the huge hack of U.S. government agencies disclosed this week, lawmakers of both parties are calling on President Donald Trump to sign the sweeping national defense policy bill because it contains a host of cybersecurity provisions.
Trump repeated a threat Thursday to veto the 2021 National Defense Authorization Act, which suggests the pleas are unlikely to gain traction at the White House. Otherwise, Trump’s silence on the attack may suggest retaliation - if any - will be left in the hands of President-elect Joe Biden’s incoming administration.
“It’s the most serious external risk this country faces from a number of potential adversaries, and that’s why we’ve got to get this defense bill passed because there’s so much to help us defend ourselves,” Maine Independent Sen. Angus King, who co-chairs bipartisan Cyber Solarium Commission told CNN on Thursday. King is a member of the Senate armed services and intelligence panels.
The popular 4,500-plus-page bill authorizes a broad array of military equipment purchases and personnel policies, but Trump has threatened to veto it because it lacks language stripping legal protections from social media companies, known as Section 230, and includes a mandate renaming bases which currently honor Confederate leaders.
This year’s bill included two dozen recommendations of the Cyberspace Solarium Commission, with language to authorize the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to hunt threats on federal networks. It would also establish a Joint Cyber Planning Office under CISA to coordinate across the federal government and private sector ― which were both targeted in the latest hack ― and establish a Senate-confirmed national cyber director as the nexus of cybersecurity leadership at the White House.
Other provisions would help the defense industrial base, which was reportedly part of the private sector targets in the breach, to participate in a threat-intelligence sharing program. Also, the Defense Department would be tasked with developing a comprehensive plan for the annual assessment of cyber vulnerabilities of major weapon systems.
All fingers are pointing to Russia as the source of the hack, though the Trump administration is not leveling public accusations of blame. Attribution of cyber attacks can be difficult, and U.S. officials say they only recently became aware of devastating breaches at multiple government agencies in which foreign intelligence agents rooted around undetected for as much as nine months.
Asked about Russian involvement in a radio interview Monday, Secretary of State Mike Pompeo acknowledged that Russia consistently tries to penetrate American servers, but quickly pivoted to threats from China and North Korea.
Some lawmakers briefed Tuesday on the hacking campaign in a classified setting have been less shy about blaming Russia.
“This cyber attack likely perpetrated by the Russians spotlights the glaring vulnerabilities of our federal cybersecurity system,” Maine Republican Sen. Susan Collins, a member of the Senate Intelligence Committee, said Friday in a post to Twitter. “The President should immediately sign the NDAA not only to keep our military strong but also because it contains significant cyber security provisions that would help thwart future attacks.”
“Instead of vetoing the NDAA, which in addition to a pay raise for our troops contains a provision for a National Cyber Director, the president should sign it into law immediately,” Outgoing Texas Republican Rep. Will Hurd, of the House Intelligence Committee, said in tweet. “We need to find the inaugural director ASAP because he/she is going to have a full plate on day one.”
Trump’s response, or lack thereof, is being closely watched because of his preoccupation with a fruitless effort to overturn the results of last month’s election and because of his reluctance to consistently acknowledge that Russian hackers interfered in the 2016 presidential election in his favor.
Republican Sen. Mitt Romney, of Utah, said in a SiriusXM interview that it was “extraordinary” the White House has not spoken out.
Sen. Jack Reed, the top Democrat on Senate Armed Services Committee, which helped draft the NDAA, criticized Trump as missing in action. Reed, D-R.I., also serves on the Senate Intelligence Committee.
“Why is Pres Trump MIA & why won’t he say anything about the massive suspected Russian cyber hack? Signing the NDAA is step one to mitigate the damage from this breach & strengthen our defenses,” Reed said in a tweet Friday.
Trump has 10 days (not including Sundays) after Congress’ final action on the measure to veto it. That means he’ll have until Dec. 23 to formally issue the veto.
The defense authorization act has been signed into law for 59 consecutive years, and is widely viewed as one of the last true areas of bipartisan cooperation and agreement in Congress.
The Associated Press contributed to this report.
Joe Gould is senior Pentagon reporter for Defense News, covering the intersection of national security policy, politics and the defense industry.