Industry Objections Spur Changes to Cybersecurity Provisions in Defense Bill  

An important set of lawmakers trying to advance U.S. cybersecurity policy in this year’s National Defense Authorization Act—with implications for agencies’ procurement and risk management—is reworking their initial proposals after industry complaints, according to one of the lawmakers.

“I think we've made a good faith attempt to meet them halfway,” said Rep. Mike Gallagher, R-Wis., referring to his efforts—along with other decision-makers from the now-dissolved Cyberspace Solarium Commission—to move forward with new versions of two key provisions in the House-passed NDAA that are facing industry opposition.

Gallagher, and Sen. Angus King, I-Maine, spoke at an event hosted by the Foundation for Defense of Democracies on Wednesday as part of Solarium 2.0, the think tank’s initiative to continue the commission’s objective after its congressional charter expired in December. 

Mark Montgomery, who served as executive director of the commission and now directs the follow-up effort as senior director of FDD’s Center on Cyber and Technology Innovation, told Nextgov he is working with Gallagher and King to get the new provisions into the final NDAA. That could happen either through floor amendments to the coming Senate bill or the later-stage bicameral conference that occurs each year to reconcile it with the House version, he said.  

Gallagher and King were co-chairs of the Solarium commission which produced a comprehensive set of policy recommendations for improving cybersecurity in March, 2020. The recommendations were endorsed by policymakers from across the political spectrum, as well as the leaders of major critical infrastructure corporations who also served as its members. Many of the group’s recommendations, most notably the creation of a national cyber director’s office, became law through subsequent defense bills. 

But some of the commission’s most crucial recommendations—including those currently represented by the provisions the big companies are unhappy with—are still on the lawmakers’ to-do list. 

Systemically important entities

The first of the two provisions now in flux would create an interagency council chaired by the directors of the Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director. That council would then identify no more than 200 systemically important entities and determine which agencies should manage cybersecurity risks they present within and across specific sectors of critical infrastructure. 

Gallagher said the latest iteration includes a process to address concerns about duplicative reporting the finance sector raised in opposing the provision, which was attached to the House bill as an amendment by Rep. Jim Langevin, D-R.I.—also a former Cyber Solarium commissioner. He did not say whether new language for the provision addresses gripes made by groups like the U.S. Chamber of Commerce regarding the general concept of regulating the private sector to improve cybersecurity, instead of their preferred “partnership” model that relies on industry’s voluntary participation in government efforts.

“Obviously we're going to try to ameliorate their concerns but without gutting the bill,” King said regarding the amendment. “I mean, that's, that's the challenge.”

Securing the software supply chain  

Gallagher also suggested he and other lawmakers have made changes for the Defense bill to address the concerns raised by major vendors of information and communications technology. 

Reducing cybersecurity risks by addressing vulnerabilities in software-based ICT products and services has long been a priority for Langevin, a pivotal member of the Solarium crew, given his position as chairman of the House Armed Services Committee’s panel on cybersecurity. And the 2023 House NDAA includes a provision—outlined in section 6722—which draws from one of the Solarium commission’s most ambitious recommendations.

In a new progress report, Solarium 2.0 itself identified the recommendation—that “Congress should pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities”—as among the unlikeliest to come to pass.

“As was the case in the prior year, this recommendation has encountered significant barriers to implementation,” reads the report, highlighting the outstanding item in bright red.

The Solarium Commission’s legislative proposal for implementing the recommendation calls for Congress to establish a private right of action—in which individuals can sue to enforce their rights, instead of relying on the government. It also instructs the Federal Trade Commission to create and enforce rules that would require the ICT industry to have programs for managing  vulnerabilities in their products. They would only be liable for incidents in which the vulnerabilities leveraged were known to them, either through their own internal means, researchers’ disclosure or their registration in public vulnerability databases, such as one maintained by the National Institute of Standards and Technology.

But the private right of action is one of the most contested levers in information security policy, as demonstrated by efforts to pass a national privacy law, which is one of the few other recommendations Solarium 2.0 marks as having significant barriers to implementation. The House NDAA tries to use a much less controversial way of driving the same vulnerability management activities by ICT vendors: federal procurement. 

Section 6722 also tries to ride the momentum of Executive Order 14028, which highlights the importance of a software bill of materials. It instructs the Secretary of Homeland Security to issue guidance to agencies that could lead them to require potential contractors to submit bills of materials—which would ideally identify the various libraries of code used to build their software—and associated certifications regarding any associated vulnerabilities to their government buyers. 

Industry seized on the opportunity to highlight what it described as an internal inconsistency in the bill—requiring that vendors certify their products are free of known vulnerabilities while at the same time asking them to show agencies a plan to mitigate any vulnerabilities identified through the bill of materials or other means.

In a Sept. 14 letter to Senate leaders, trade associations for big information and communications technology companies more generally complained that “the amendment is premature and conflicts with existing administration efforts.” The letter coincided with a memo the Office of Management and Budget issued the same day that said agencies “may” ask vendors for SBOMs to serve as an artifact for attestations to the quality of their products and services.  The memo also commits CISA to “publish[ing] updated guidance on Software Bill of Materials (SBOM) for federal agencies, as appropriate.”

“Federal guidance around SBOM is still being developed, with the National Telecommunications and Information Administration and CISA just completing listening sessions and standing up working groups,” the industry letter reads.  

“Some of the pushback we heard from the software industry, you know, we're trying to internalize and meet them halfway,” Gallagher said Wednesday. “The bottom line is, we've modified it substantially. We've listened to our colleagues that had objections and I'm—I guess—cautiously optimistic that there is a path forward.”

Gallagher said the negotiation ultimately comes back to trying to strike the right balance and settling on an appropriate framework for regulating the private sector. That’s no small task, and given Langevin’s imminent retirement from Congress, this year’s NDAA may be the last chance to secure his legacy, and that of the Cyberspace Solarium Commission.