Why Certain Cybersecurity Provisions Made it into the NDAA and Others Didn’t  


An effort to establish a public-private collaboration environment was cut from the final bill but a controversial insurance provision was retained. 

Key lawmakers in the House and Senate celebrated the inclusion of cybersecurity provisions they shepherded into the final annual National Defense Authorization Act. But there were other measures they viewed as crucial that didn’t survive—some of which were stymied by the pandemic’s challenges.

The NDAA conference report approved by a veto-proof majority in the House Tuesday calls for a Senate-confirmed national cyber director within the Executive Office of the President and new powers for the Cybersecurity and Infrastructure Security Agency. CISA would be able to issue administrative subpoenas to internet service providers for the identities and contact information of entities under threat. It would also be allowed to conduct threat hunting on federal agencies’ information systems and help federal agencies by installing sensors or providing information technology if they request it.

But other measures in the version of the NDAA that passed the House in July were removed after the lawmakers’ bicameral conference to reconcile it with the Senate-passed version.

Two efforts championed by Rep. Jim Langevin, D-R.I., were among those removed. Langevin is chairman of the House Armed Services Committee’s panel on intelligence and emerging threats and capabilities and a member of the congressionally mandated Cyberspace Solarium Commission. He pushed for the creation of a joint collaborative environment where public and private-sector entities would share intelligence and ultimately have the ability through a common cloud habitat to conduct analysis and get ahead of cyber threats. The other big push was for the Secretary of Homeland Security to establish requirements for certain private-sector critical infrastructure entities to report cyber incidents through DHS’ National Cybersecurity and Communications Integration Center.

Although both of these measures arose from recommendations of the commission—which included representation from across the political spectrum and members of Congress, the administration and the private sector—industry groups opposed the cyber incident reporting provision.

The White House also took issue with the joint collaborative environment, citing potential harm to the intelligence community’s sources and methods.      

A Democratic aide familiar with the conference negotiations said that, particularly with the joint collaborative environment, it came down to a lack of time and of the ability to reach the right offices in the middle of a pandemic.

“We kind of ran out of time to get it fully socialized in the Senate amongst all the other stuff that was there,” the aide told Nextgov. “The sense that we certainly have at the end of this is that this is not the end of the conversation by any means.”

The aide said sources and methods did come up, as well as questions about privacy, but that “normally we could work through and say well this is how it is going to fit into protections from [the Cybersecurity Information Sharing Act of 2015]” or that the effort is about having a way to voluntarily share material for analysis “that isn’t Outlook attachments.”

When the issue is revisited and supporters circle back with the Biden administration, there will probably also be a need to determine one agency—CISA or the National Security Agency, for example—that would be in charge of the environment, rather than having it be a shared domain, the aide said.

The aide also added that the opposition expressed by the current White House “really read to us like an artifact from prior versions, not something that was super relevant to the actual legislative text that was in the NDAA when it passed the House.” The NSA and CISA, as well as the Office of the Director of National Intelligence, have all expressed the desire to share more of their intelligence with the private sector.   

Provisions—including the incident reporting requirement—where multiple agencies and committees have jurisdiction are particularly complex and would benefit from more time, the aide said.

Another example of this regards the commission’s recommendations around cybersecurity insurance. The House NDAA included a provision, retained in the final conference report, that calls for a Government Accountability Office report on the state of cybersecurity insurance. Federal contractors came out against this provision, but the aide said it’s an issue where, had there been time to consult more closely with the financial services committees, even more—having a federally funded research development corporation certify cyber insurance products, for example—could have been done.

“I think that having the GAO report will help enormously, but we're probably gonna have to come back, reattack that a bit,” the aide said, adding that in general, “The fact that we got as much done as we did is, is actually much better than I thought it would be before the pandemic and way better than I thought after the pandemic.” 

But not all the House provisions can be resolved simply with more time and access to members.

An amendment from then-Rep. Cedric Richmond, D-La., called for the director of CISA to be appointed to five-year terms. The aide said the idea here was to give the CISA director, like that of the FBI, a certain amount of immunity from presidential caprice—an issue that was on full display as President Donald Trump fired former CISA Director Christopher Krebs over his statements about the election. But while other key committee leaders agreed to this, the aide said others did not. The aide said the opposing position was not related to the controversy over the election, but rather a reluctance to handcuff the president, no matter the administration.      

An impending shift in administrations likely led to the exclusion in the final NDAA of a ban on the popular video-sharing app TikTok for federal employees. 

Federal agencies also won’t have to abide by a ban on foreign-made drones, which was included in the House version of the NDAA. The conference report instead calls for the Defense Secretary to share information about drone-related threats with agencies and report to Congress on such information sharing by Oct. 2021. 

Other overwhelmingly bipartisan initiatives in the House and Senate versions of the NDAA that did make it into the final bill were cybersecurity education and workforce development measures, including a call for the National Institute of Standards and Technology to develop metrics to assess existing efforts; and a Defense review of software criteria that would inform an Office of Management and Budget pilot that could shake up the procurement of code across the government.  

Also included in the final bill is a provision that would create a fund for the development of Open Radio Access Network technology, which supporters argue will eventually provide alternatives to Chinese suppliers Huawei and ZTE.

“For too long we’ve called for our allies and trading partners to reject Huawei digital infrastructure – without providing competitively-priced, innovative alternatives that address their needs. I’m pleased to see my bipartisan, bicameral legislation included in this year’s defense funding bill,” Sen. Mark Warner, D-Va., who has been leading the effort, said in an email. 

Finally, the NDAA conference report extends the Solarium Commission’s remit for another year and a half. 

Trump’s OMB has officially expressed the administration’s intention to recommend a presidential veto of the bill, and specifically opposes the commission’s most high-profile recommendation: the creation of the national cyber director’s office.