Defense Funding Measure Includes 77 Cybersecurity Provisions
Congressionally Approved Legislation Restores National Cyber Director Position
Lawmakers who participated in the bipartisan Cyberspace Solarium Commission applauded Congress’ override of President Donald Trump’s veto of the 2021 National Defense Authorization Act, pointing to its 77 cybersecurity provisions, including restoration of the position of national cyber director at the White House.
Cyberspace Solarium Commission co-chairs Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., called the legislation, which provides $740 billion for defense spending, "the most comprehensive and forward-looking piece of national cybersecurity legislation in the nation's history."
The commission had called for restoration of the national cyber director position, which had been eliminated by the Trump administration (see: White House Axes Top Cybersecurity Job).
Some 27 of the defense bill’s 77 cybersecurity-related provisions were based on commission recommendations, King says.
"The inclusion of the national cyber director housed in the Executive Office of the President is a real game-changer,” King said in a statement. “The [director] will be the president's principal adviser for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.”
The co-chair of the Congressional Cybersecurity Caucus, Rep. Jim Langevin, D-R.I., noted that while a great deal more work needs to be done to shore up the nation's cybersecurity defenses, the long list of provisions in the massive defense bill is a step in the right direction.
"With these policies enacted, we are establishing the forward-leaning, layered cyber deterrence strategy that we need to face emerging and evolving cyber threats and adversaries," Langevin says.
CISA Director Qualifications
In addition to restoring the national cyber director position, the massive defense bill specifies that the director of the U.S. Cybersecurity and Infrastructure Security Agency must have extensive knowledge in at least two of these three areas: cybersecurity, infrastructure security and security risk management. Plus, the CISA director must have at least five years of experience in fostering coordination and collaboration between the federal government, the private sector and other entities on issues related to cybersecurity, infrastructure security or security risk management.
CISA has been without a director since November when the Trump administration fired Christopher Krebs from the position (see: Trump Fires Christopher Krebs, Head of CISA).
Among the many other cybersecurity provisions included in the defense measure are:
- Section 1705, which authorizes CISA to conduct threat hunting on federal networks without having to give advance notice or receive authorization from any other agency.
- Section 1715, which establishes the Joint Cyber Planning Office under CISA to facilitate comprehensive planning of defensive cybersecurity campaigns across federal departments, agencies and the private sector. The Cyber Planning Office's responsibilities will include developing coordinated actions to protect, detect, respond to and recover from cyber incidents that pose a potential risk to critical infrastructure or national interests.
- Section 1722, which requires the secretary of defense to complete a comprehensive assessment of the current and potential threats and risks posed by quantum computing technologies.
- Section 9006, which directs the Department of Homeland Security to develop a strategy for implementing the Domain-based Message Authentication, Reporting, and Conformance, or DMARC, standard across all U.S.-based email providers.
President Trump had vetoed the defense funding bill on Dec. 13 because it contained provisions for renaming military bases named for Confederate generals and placed restraints on how many troops could be pulled from Iraq and Afghanistan. Trump also wanted the bill to contain language that would deprive social media companies of their legal liability shields.