Senate Defense Bill Splits CIO Duties, Bans Russian Anti-virus Software

The Senate version of a major defense policy bill would bar Kaspersky anti-virus software from all Defense Department systems and fundamentally reform how the Pentagon manages its internal cybersecurity.

The bill would retire the title of Defense Department chief information officer and split the job’s responsibilities between the agency’s chief management officer and a new “chief information warfare officer” who would report directly to the defense secretary and have full authority for agency cybersecurity and cyber warfare operations, among other responsibilities.

The move comes after years of haggling between the Senate Armed Services Committee and its Chairman John McCain, R-Ariz., and DOD tech and policy officials over cyber operations.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

McCain has slammed the department repeatedly for not having a true cyber strategy that details how and when the nation will retaliate in response to a cyber strike or launch offensive cyber operations.

The provision, which passed the Senate Armed Services Committee as part of the 2018 National Defense Authorization Act Wednesday, is not included in the House version of the bill and it’s unclear how it will fare when the bills are merged.

The provision barring Defense agencies from using Kaspersky anti-virus software is also absent from the House version of the bill. That provision cites “reports that the Moscow-based company might be vulnerable to Russian government influence.”

Numerous outlets have reported on anxiety within the government intelligence and cybersecurity communities about the Moscow-based anti-virus firm Kaspersky Lab, but the U.S. government has yet to make any firm allegations against the company.

Government officials have also informally warned private companies of the anti-virus, a former Homeland Security Department official told Nextgov.

Kaspersky said in a statement the company and its founder Eugene Kaspersky “do not have ties to any government, and the company has never helped, nor will help, any government in the world with any cyber espionage efforts.”

The company added it’s “completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations.”

The Russian-made anti-virus is already informally blocked from critical government systems that deal with national security but is sometimes included in software packages that protect less critical government systems, former officials told Nextgov recently.

Kaspersky is among the world’s top anti-virus producers and has played a major role analyzing and combating the recent NotPetya attack, which its researchers say poses as ransomware but is actually aimed at destroying data.

The bill also:

• Raises cyber funding $700 million above the president’s 2018 fiscal year request.
• Urges an increased focus on offensive cyber operations.
• Mandates a full cyber posture review by the defense secretary and a review of cyber vulnerabilities in the nation’s nuclear command and control infrastructure. 

The House Armed Service Committee draft of the defense would require DOD to notify congressional defense committees about any sensitive cyber operation.