WASHINGTON — While the new annual defense policy bill won’t be as consequential for the Department of Defense as in years past, it’s poised to shape DoD’s cyber forces, operations and lawmaker oversight.
The National Defense Authorization Act is a sweeping piece of national cyber legislation with major revisions to government bureaucracy and structure, due in large part to adopting 26 provisions stemming from recommendations from the Cyberspace Solarium Commission’s report in March. The commission is a bipartisan organization created in 2019 to develop a multipronged U.S. cyber strategy. However, several of these provisions aren’t focused solely on DoD.
One of the more consequential sections of this year’s bill for the Pentagon is Section 1706, which directs DoD to conduct a force structure of the cyber mission force, among other requirements.
Many lawmakers have discussed for months the need to assess of the structure of the cyber mission forces. Given that the cyber mission force was designed in 2013, long before the strategic threats facing the nation today, many within the cyber community believe that the DoD must reexamined the force to determine whether it has the right amount of people, if the teams are focusing on the right targets, and if they have the right mix of skills.
As part of changes to the department’s quadrennial cyber posture review under the new law, DoD will need to provide a comprehensive assessment cyber operations forces.
This is in line with the commission’s recommendation to not only examine the cyber mission force, but also the resource implications for the National Security Agency in its combat support agency role.
“The nature of the threat environment has changed and the DoD’s missions have also grown, especially with the introduction the defend forward concept,” Erica Borghard, senior fellow with the New American Engagement Initiative at the Atlantic Council and a director on the Solarium Commission, wrote to C4ISRNET. “The NDAA’s inclusion of assessing the impact on combat support agencies in the intelligence community is crucial, because these agencies have been asked to provide tactical intelligence support and the demands on them have also grown over time.”
The defend forward concept, outlined in the DoD’s 2018 cyber strategy, charges Cyber Command to get as close to adversaries in foreign networks before they reach can reach the United States. Cyber Command meets that charge through what it calls persistent engagement, or challenging adversary activities wherever they operate to discover malware and tactics that enemies could use against American networks.
It would be reasonable to think the results of such an assessment would lead to a growth of the cyber mission force, Borghard said.
She also pointed to a pair of provisions in the bill related to improving the acquisition power of Cyber Command, Sections 1746 and 1711.
The former requires a report regarding Cyber Command resource allocation, while the latter modifies Cyber Command’s acquisition authority.
The Solarium Commission recommended creating what’s called a major force program funding category for Cyber Command on par with Special Operations Command, which is an aggregation of program elements that reflects a force or support mission of DoD and contains the resources to achieve a plan.
The bill eliminates the $75 million cap on purchasing for Cyber Command, Borghard said. When Congress initially granted the command acquisition authority in 2016, Congress sought a so-called crawl, walk, run approach to determine whether the command could execute the authority. Despite hiccups along the way, Congress appears satisfied enough to eliminate the cap and move forward.
Moreover, the bill includes other oversight provisions directly related to DoD’s operations. One in particular is a modification to requirements to notify Congress of so-called sensitive military cyber operations.
This is a piece of a larger oversight framework for cyber that Congress has built up, said Bobby Chesney, associate dean for Academic Affairs at the University of Texas School of Law.
This year’s bill updates the framework. Previously, one of the factors requiring reporting to Congress on a high-risk sensitive military cyber operation was the intended effect of the operation was somewhere outside an area the United States is in conflict. The update to the law eliminates that geographic requirement in favor of specific entities that are targeted.
Now, reporting is only required when a high-risk operation targets a foreign government, a foreign non-government group acting on behalf of a government, or a foreign terrorist organization as long as the United States is not engaged in conflict with them. As such, targeting non-state actors not affiliated with a nation state, such as a group conducting for-profit ransomware, wouldn’t trigger the new reporting requirement.
“It’s hard to compare the scope of the current version versus the proposed change, since the triggers are so different. At any rate, someone must have felt that the status quo is either requiring reporting too broadly or too narrowly, or perhaps both at the same time,” Chesney said.
Also on the operations front, Gary Corn, formerly the staff judge advocate at Cyber Command and now a senior fellow of cybersecurity and emerging threats at the R Street Institute, noted that Congress appears to endorse Cyber Command’s recent operational construct for so-called hunt forward operations when Cyber Command teams deploy to other nations to assist with cyber defense.
These operations provide American cyber teams insight into tactics that adversaries could turn against U.S. networks or use to disrupt elections, officials say.
Section 1720 requires DoD to develop a specific framework for hunt forward operations to include roles and responsibilities for a variety of entities within DoD and combatant commands — to also include the National Security Agency — as well as criteria for the operations, a standardized force presentation model across the services, and metrics of effectiveness, among others.
Corn said that the hunt forward provision signals Congress’ endorsement of the construct; however, he noted that lawmakers seem somewhat overly prescriptive in what they’re asking the department to do.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.