Last week, the House passed (350-80) the $858 billion annual defense policy bill, which sets the policy agenda and authorizes funding for the Department of Defense (DoD). More formally known as the National Defense Authorization Act (NDAA), the 2023 bill now awaiting Senate approval includes bipartisan provisions for cybersecurity important to critical infrastructure.
First, the bill includes a provision to allocate $44 million to support the U.S. Cyber Command’s Hunt Forward Operations (HFOs) -- strictly defensive cyber operations conducted by at the request of partner nations. If “an active, systemic and ongoing campaign of attacks in cyberspace by a foreign power” is made against the U.S. government or critical infrastructure, the bill affirms the ability of Cyber Command to carry out operations with presidential approval in “foreign cyberspace.”
House lawmakers also passed an increase of $25 million for the Air Force Cyber Resilience for Weapons Systems (CROWS), and $20 million for establishment and initial operations of the Nuclear Command, Control, and Communications Rapid Engineering Architecture Collaboration Hub (REACH).
In addition to several other investment authorizations, the NDAA sets forward policies for improving the nation’s cybersecurity, including required five-year plans for adopting artificial intelligence (AI) in cyber missions within the DoD.
Legislation also included an initiative within CISA to provider no-cost training around securing industrial control systems (ICS), in the Industrial Control Systems Cybersecurity Training Act. The bill would also require the Navy to establish a cyber operations designator and rating, and a program executive office to manage the implementation of the Join Cyber Warfighting Architecture.
Another interesting provision related to industrial policy that hasn’t received much attention is the section calling the DoD to reduce reliance on Russian energy for all main operating bases in the area of responsibility of the United States European Command. This part of the bill would require the Secretary of Defense to create installation energy plans for each operating base, including an assessment of energy-related cybersecurity requirements.
Rebuilding the energy infrastructures across these bases provides the challenge and opportunity of implementing security systems that meet the unique needs for operational technology (OT) and ICS environments. Confidence in safety, reliability and performance of power systems in foreign countries would require visibility into asset states, their level of hardening, software/firmware versions for vulnerabilities, and any changes that would indicate a breach or break in security policy.
The Senate is expected to begin consideration of the NDAA this week, with passage before Congress adjourns.