Grant Gross | Washingtonexaminer.com
The military bill President Trump vetoed in December contains several cybersecurity provisions that are crucial for protecting government networks, lawmakers and observers said.
The National Defense Authorization Act, which Congress passes easily in most years, includes a provision that would establish a White House national cybersecurity director. Trump eliminated the position, which was created by President Barack Obama.
The bill would also give the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency the power to issue administrative subpoenas to internet service providers when it can’t determine the owner of critical infrastructure with security vulnerabilities.
The bill allows the CISA to hunt for threats in federal networks, and it implements several recommendations from the Cyberspace Solarium Commission, a bipartisan panel established by Congress in 2019.
Sen. Angus King has called the bill the “most important piece of cybersecurity legislation ever passed.” King served as co-chairman of the cyberspace commission.
The provision allowing the CISA to engage in threat-hunting activities is needed, added Jason Meller, CEO and founder of cybersecurity vendor Kolide. The cybersecurity provisions in the act “untie the hands of our incredibly talented cyberdefense personnel in the DOD and CIA so they can actually defend the United States competently from bad actors at home and abroad,” he told the Washington Examiner.
Trump objected to the defense bill’s provision to rename military bases named after Confederate figures. He also has demanded that the bill include a provision unrelated to defense issues that would strip away long-standing legal protections under Section 230 of the Communications Decency Act for user-generated content posted on social media networks and other websites. The bill passed by Congress did not remove these lawsuit protections.
Meller questioned Trump’s decision to veto the act just after U.S. officials announced a massive breach of government networks, allegedly by Russian hackers.
“The president holding up the NDAA and the essential cybersecurity provisions within it over an unrelated concern about social media any other time would already be extremely foolish,” he said. “Now, faced with the biggest hack the U.S. government has seen in years, delaying this legislation any longer is dangerous to our national security.”
Congress needs to send “a clear message to our adversaries that one individual will not impact our readiness” to defend government networks, Meller added.
The subpoena power provision will allow the CISA to track down vulnerabilities more quickly by identifying the owners of vulnerable systems, added Joshua Crumbaugh, chief hacker and CEO at cybersecurity firms PhishFirewall and PeopleSec.
“These provisions are incredibly important in protecting against attacks,” he told the Washington Examiner. “The subpoena ability is key to protecting critical infrastructure since many of these networks lack adequate protection since a great deal of critical infrastructure is made up of small organizations.”
Action to address cybersecurity shortcomings at a national level is “long overdue,” added Saryu Nayyar, CEO at cybersecurity vendor Gurucul. The defense bill goes “some way” toward addressing cybersecurity problems, she told the Washington Examiner.
In addition to the bill, Congress can take several more steps to protect government IT systems, she added. “Congress can best protect government IT systems by empowering the dedicated cybersecurity professionals tasked with defending vital IT systems with the authorization and tools to do their jobs,” she said. “Cybersecurity is not a partisan effort. It takes knowledge, skill, and tools to execute.”
However, it also takes authorization and adequate budgets to “bring cybersecurity to a level where IT infrastructure can thwart attacks by state, state-sponsored, and criminal organizations,” Nayyar said.
External Link: Defense authorization will pump up government cybersecurity