Rep. Liz Cheney (R-WY), Rep. Mike Gallagher (R-WI), HASC Ranking Member Rep. Mac Thornberry (R-TX), incoming HASC Ranking Member Rep. Mike Rogers (R-AL), HASC Strategic Forces Subcommittee Ranking Member Rep. Mike Turner (R-OH), and HASC Intelligence,
Emerging Threats and Capabilities Subcommittee Ranking Member Rep. Elise Stefanik (R-NY) -- all members of the House Armed Services Committee -- issued a joint statement highlighting the critical provisions in the FY 2021 NDAA that will bolster America's cybersecurity defenses.
The statement comes following reports of serious coordinated cyberattacks launched by the Kremlin against federal government agencies:
"Our nation must respond to the reported cyber espionage operation targeting America's nuclear infrastructure and federal government and hold the perpetrator accountable. This attack serves as a stark warning that our nation must bolster its cybersecurity posture and capabilities, and it must do so without delay.
"This year's national defense bill contains over two dozen provisions that would make critical progress in cybersecurity, including provisions that would help ensure the resiliency of our nation's nuclear command and control systems. The NDAA also fully funds long overdue modernization of our nuclear infrastructure, including $375 million to bolster cyber security of our nuclear weapons production facilities.
"There is no doubt that our adversaries will take advantage of any opportunity to attack vulnerabilities in our cyber infrastructure. The measures in this year's bill will provide critical safeguards to protect the information and capabilities most foundational to our nation's security."
In addition to the above statement from the lawmakers, the information below includes key specifics about the provisions included in the FY 2021 NDAA that will make critical progress our country's cybersecurity defenses:
The FY21 NDAA adopts 26 recommendations from the bipartisan Cyber Solarium Commission that strengthen the Cybersecurity and Infrastructure Security Agency, empower the government to better protect against a cyber-attack against adversaries, and safeguard our nuclear enterprise. This is in addition to overall nuclear modernization and NNSA cyber security investments in the bill.
The most notable of those measures include:
Ensuring Cyber Resiliency of Nuclear Command and Control Systems: The FY21 NDAA requires the Department of Defense to implement a comprehensive plan that strengthens the cyber defense of nuclear command and control systems.
Strengthening Cyber Security at the Nation's Nuclear Weapons Production Facilities -- America's nuclear deterrent is the bedrock of our national security and reported hacks at the Department of Energy and the National Nuclear Security Administration (NNSA) may represent an extraordinarily grave threat to the safety of every American. In recognition that cyber infrastructure modernization is an important part of the overall nuclear modernization plan, the FY21 NDAA specifically authorizes $375.5 million for information technology and cyber security within the NNSA's weapons activities accounts.
Establishing a National Cyber Director -- The FY21 NDAA creates the National Cyber Director (NCD) position in the White House to serve as the president's principal advisor on cyber issues and as a point of coordination and leadership within the federal government on these issues. In situations like this, the NCD would provide centralized White House leadership to coordinate federal response efforts and liaise with critical private-sector stakeholders.
Strengthening the Cybersecurity and Infrastructure Security Agency (CISA) -- The FY21 NDAA contains several provisions aimed at strengthening CISA's capacity to carry out its mission, including a provision authorizing CISA to conduct threat hunting on U.S. government networks. In addition, the Cyberspace Solarium Commission is calling on appropriators to increase funding to CISA to build out more Hunt and Incident Response Teams (HIRTs).
Early reporting from affected departments and agencies suggests that CISA's incident response capacities may be overwhelmed. More HIRTs would bolster CISA capacity to assist departments and agencies in responding to the incident in a timely manner.
Better threat hunting on the .gov domain would have identified the campaign earlier on and possibly stopped the attack in its tracks.
CISA is and will continue to be crucial in both identifying and responding to cybersecurity incidents on federal government networks.
Strengthening an Integrated Cyber Center -- The FY21 NDAA contains a provision calling on the Secretary of Homeland Security to conduct a review of federal cybersecurity centers and propose a plan to establish an integrated cyber center at CISA to improve coordination among federal government cybersecurity centers.
A stronger integrated cyber center would help facilitate greater information exchange between federal departments and agencies, helping to quickly paint a clearer picture of the scope and scale of incidents like this and to inform incident response and the allocation of critical incident response capabilities.
Protecting Against Industrial Espionage and Cyber Theft -- The FY21 NDAA contains a requirement for a Presidential assessment on the effectiveness of the National Cyber Strategy to deter industrial espionage and large-scale cyber theft of intellectual property and personal information conducted by China.