Lawmakers Want Off-the-Clock ‘Cyber Protection’ for Some Pentagon Personnel

Lawmakers crafting a massive annual Pentagon policy want the Defense Department to be able to provide off-the-clock cybersecurity protection to DOD personnel deemed “to be of highest risk of vulnerability to cyberattacks on their personal devices, networks and persons,”

That provision is included in the Senate’s version of the National Defense Authorization Act, which is headed for a vote in the Senate this week. Along with personal “cyber protection support,” the Senate bill would overhaul the role of the Pentagon chief information officer.

The House approved its version of the bill, which differs in some key respects from the Senate version, last week -- although it was quickly met with a veto threat by the White House.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Under the Senate bill, the Defense secretary would be authorized to identify high-risk positions and provide “training, advisements and assistance regarding cyberattacks,” according to the bill.

Last year, self-described “stoner high school student” hackers claimed to have breached personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson.

Neither man is a DOD employee, but the incidents raised concerns about the cybersecurity vulnerabilities posed by top government officials’ private email accounts.

The proposed move also comes amid increasing concerns about targeted malicious emails -- phishing and “social engineering” attacks -- aimed at tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails.

Last summer, hackers reportedly broke into the U.S. Joint Chiefs of Staff’s unclassified network by tricking personnel into clicking on unsafe links.

An annual White House report tallying up cybersecurity incidents affecting government agencies reported such attacks “continue to be a primary method for exploiting federal systems and data,” and noted the Pentagon had scored only 15 percent on its "anti-phishing" protections.

A bill report from the Senate Armed Services Committee, which has already approved the measure, notes that Pentagon employees who receive the special cyber protections “have an important obligation to refrain from any use of a personal data communication, networks, or storage devices in the performance of official duties.”

A handful of top Obama administration officials, most notably former Secretary of State Hillary Clinton, have also come under scrutiny for using personal emails accounts to conduct officials government business. Defense Secretary Ash Carter, himself, landed in hot water last year for using his personal email on the job.  

In addition, the Senate’s version of the bill calls for a major shakeup of Pentagon IT leadership, by elevating the role of Pentagon CIO to the role of assistant secretary of defense for information. The strengthened CIO role would be responsible for cybersecurity and IT policy and would have oversight of the Defense Information Systems Agency, according to the bill.

“Cyber is the ultimate cross-cutting issue, but at present, responsibility for cyber is split between three different organizations” across Pentagon leadership, states a summary of the bill from the Senate Armed Services Committee. The committee says its version of the bill “would attempt to reduce these seams.”