House adds cyber strategy provision to defense bill

The House overwhelmingly passed the 2018 defense bill after adding cyber provisions, including the requirement for the DOD to update its cyber strategy and definition of cyber deterrence.

Shutterstock image (by Maksim Kabakou): pixelated shield, protection concept.

The House has joined the Senate in calling for the Department of Defense to update its cyber strategy and to more clearly define the meaning of cyber deterrence.

The House on July 14 overwhelmingly passed the 2018 National Defense Authorization Act, which included a number of cyber-related amendments, including a provision directing the secretary of defense to "develop a definition of the term 'deterrence' as such term is used in the context of the cyber operations of the Department of Defense; and assess how the definition...affects the overall cyber strategy of the Department."

The Senate's draft of the NDAA establishes a U.S. cyber deterrence and response policy and calls on the administration to develop a clear cyber deterrence strategy. 

An amendment to the House defense bill introduced by Rep. Luis Correa (D-Calif.) gives the president 180 days to "develop a written strategy for the offensive use of cyber capabilities by departments and agencies of the Federal Government."

The amendment says the strategy should include a description of measures needed to improve offensive cyber capabilities and "a statement of principles concerning the appropriate deployment of offensive cyber capabilities."

In addition, the amendment directs the defense secretary to update the department's cyber strategy released in April 2015.

The provision states that in updating the strategy, the secretary should "specifically develop an offensive cyber strategy that includes plans for the offensive use of cyber capabilities, including computer network exploitation and computer network attacks, to thwart air, land, or sea attacks by the regime of Russian President Vladimir Putin and other adversaries."

The amendment also directs the secretary to provide guidance on integrating offensive cyber tools into the DOD's arsenal, and on assisting NATO partners in developing offensive cyber capabilities.

Another amendment to the House bill requires the secretary to furnish annual training to all service members and DOD civilians on how to resist Russian influence and efforts to recruit DOD personnel into influence campaigns by Russia and its proxies.

The secretary of the Army is tasked with providing Congress a report on cyber capabilities and training at combat training centers, "to examine potential training readiness shortfalls and ensure that pre-rotational cyber training needs are met."

The bill also establishes a five-year ''Cyber Workforce Development Pilot Program'' that will assess the effectiveness of implementing a full-scale cyber talent management program. The pilot will be administered by the DOD CIO in coordination with the principal cyber advisor, and will assess cyber talent shortfalls, changes to skills needed in the workforce and incentives to recruit and retain cyber personnel.

The final version of the House bill gives the DOD an additional two years to meet data center consolidation requirements under the Federal Data Center Consolidation Initiative. The sunset outlined in the 2015 NDAA is moved from 2018 to 2020.

The same amendment also eliminates the Federal Information Technology Acquisition Reform Act sunsets on transparency and risk management requirements for IT investments and IT portfolio review requirements.

Members voted 344-81 to pass the $696.5 billion defense bill. The bill passed by the Senate Armed Services Committee authorizes $700 billion in defense spending.

However, unless Congress repeals or overrides the 2011 Budget Control Act, defense spending for 2018 is capped at $549 billion.