4 ways the defense spending bill could have addressed AI, other issues to boost cybersecurity

The Senate in late July passed the National Defense Authorization Act for fiscal 2024, setting up a clash with the House when Congress reconvenes after Labor Day.

The $886 billion package includes a 5.2 percent pay raise for troops — the largest increase in 22 years — and policies for the Department of Defense to counter adversaries at a time of rising threats. Worthy moves, to be sure, but I wish the bill packed a bigger wallop on cybersecurity. Here are four initiatives I would like to have seen included.

Better understanding of how artificial intelligence can be used to fight hackers

Here’s a head-scratcher: The defense bill would require the Cybersecurity and Infrastructure Security Agency to thoroughly investigate the landmark 2020 SolarWinds attack – which already has been thoroughly studied and feels like yesterday’s news – while there’s little to nothing about one of the most talked-about technology topics of the day, AI.

The Washington Post reported that “it’s become a point of contention” among some legislators that the Cyber Safety Review Board, designed to investigate breaches in the way that the National Transportation Safety Board evaluates air crashes, never looked into the SolarWinds attack. Fair enough, but AI will be a game changer for years to come, and I’d think its implications for cybersecurity would have attracted lawmakers’ attention.

Specifically, at a time when cyber criminals are increasingly adopting AI techniques – and sharing their techniques with other bad actors across the dark web – AI also is emerging as a powerful weapon to detect and thwart attacks.

How can the Pentagon and civilian agencies better use AI to improve their cybersecurity posture? That’s a question, with appropriate policy direction, I would have liked to see addressed in the bill.

A mandate for stronger cooperation with allies

The bill includes 10 bipartisan recommendations advanced by the House China Committee to protect Taiwan, including one requiring DOD to cooperate with Taiwan on cybersecurity. That’s an excellent idea, but the bill could have gone further and addressed international collaboration on a broader scale to help ensure the U.S. is working with all its allies on enhancing cyberdefenses.

Make no mistake, that cooperation is happening — for example in July 2021, when the U.S. and allies, including the European Union, the United Kingdom and NATO, criticized China for “irresponsible and destabilizing behavior in cyberspace” and announced several actions meant to counter it.

But in today’s especially volatile world, the more that this kind of cooperation can be expanded and formalized, the better off we’ll be.

A good example is a bipartisan bill sponsored in June by Sens. Gary Peters, D-Mich., chairman of the Homeland Security and Governmental Affairs Committee, and James Lankford, R-Okla. It would allow the Department of Homeland Security to quickly provide cyberdefense support to foreign partners, such as Ukraine, and ensure that CISA can work with international allies to protect critical infrastructure assets.

Here’s hoping this move makes it into the final version of the bill.

Broadening voluntary services from private sector experts

The measure allows DOD and the military services to accept voluntary services from cybersecurity experts in the private sector. That’s an important and helpful change because the government traditionally is not allowed to accept such free services.

I support this idea wholeheartedly — my only reservation is that The Washington Post reported the proposal is “meant to strengthen the legal footing of the Marine Corps Cyber Auxiliary program, which trains Marines to hone their cyber skills, and allow other services to create their own similar programs.” I’d like to see more clarity and specificity around the initiative in a broader way, encouraging the entire defense establishment to take advantage of these services.

A move toward longer-term rather than one-year-at-a-time funding

IT dollars, including for cybersecurity, must be reauthorized every year. When I was running IT or cyber programs in the federal government, for example, I could buy equipment authorized in a given fiscal year, but I was limited in managing multi-year efforts such as expanding the workforce or acquiring new software licenses. Without knowing if the money would keep flowing to support those programs in the following years, I had to carefully place bets, sometimes to the detriment of what was truly needed for a layered, multi-component cyberdefense.

Multi-year budgets for IT and cyber as part of the authorization process would allow for better and more strategic and coordinated planning. Long-term projects such as military base construction have always worked this way, yet IT historically has been pigeonholed as a cost-efficiency driver whose entire budgets should be re-evaluated year to year. I wish the bill had found a way to recognize IT and cybersecurity as critical mission drivers and finance them in a way that makes more sense.

With measures such as these four, the defense bill could have put a stronger foot forward on cybersecurity. As the legislation weaves through the Senate and, most likely, a conference committee in the coming days, perhaps these and other ideas can still find their way into the package.

Michael Mestrovich is chief information security officer at zero trust data security company Rubrik and former acting CISO at the Central Intelligence Agency and Principal Deputy CIO at the Department of State