Kansas National Guard at Cyber Shield 19 (Source: Kansas Adjutant General Department)
Cyber Provisions in the FY2024 NDAA
BY JONATHAN G. CEDARBAUM, MATT GLUCK
Much of Congress’s cyber policy emerges from the annual National Defense Authorization Act (NDAA). What are the most important pieces of cyber legislation in this year’s Act?
In recent years, the annual National Defense Authorization Act (NDAA) has become Congress’s most important vehicle for cyber legislation. The recently enacted NDAA for fiscal year 2024 (FY24) is no exception. It contains dozens of cyber provisions, ranging from new authority for military cyber operations, to mandates for enhanced development of artificial intelligence capabilities, to a directive for deepened cybersecurity cooperation with Taiwan. And, as has become common, the NDAA does not limit itself to the Department of Defense. This time around, it also includes significant new cyber requirements or initiatives at the State Department.
We don’t have space to offer a full catalog of the cyber provisions in the FY24 NDAA, but here are brief descriptions and initial assessments of some of the more notable ones.
Targeting Mexican Criminal Organizations
The NDAA includes at least one new express grant of authority for military cyber operations. Section 1505 authorizes the secretary of defense to “conduct detection, monitoring, and other operations in cyberspace to counter Mexican transnational criminal organizations” engaged in illegal activities “that cross the southern border of the United States,” including drug smuggling, human trafficking, and weapons sales. The military may act in coordination with other federal agencies—likely the Drug Enforcement Administration and the Department of Homeland Security—and should do so “in consultation with the Government of Mexico as appropriate.” This new authorization builds on a long-standing law tapping the Defense Department to be the lead agency in monitoring and detecting aerial and maritime transit of illegal drugs into the United States and a much more recent grant of authority to conduct military cyber activities “when appropriately authorized to do so.”
This new provision fits into at least two broader trends. The first is the suggestion by a number of U.S. political figures that the United States should use the military to combat the drug cartels that appear to have ever-increasing power in Mexico, including meaningful “cartel infiltration in Mexican security agencies.” As two of our colleagues have discussed recently, using the military in another country (particularly one that is a neighbor and an important economic partner) would raise difficult questions under international law, acknowledged in part in the new provision’s reference to consulting with the Mexican government. But it is noteworthy that the provision requires only consultation, not Mexican consent, and even then only “as appropriate.” Though most cyber operations do not cross the threshold to be counted as uses of force, they too have provoked a vigorous debate about the circumstances in which cyber activities may violate international law rules concerning sovereignty or respect for the right of nations to be free from coercive interference in their internal affairs, such as their elections or their formulation of foreign policy.
This new provision also forms part of the pattern over the past decade of Congress’s supplying statutory foundations for the military’s cyber efforts. While many military operations, including ones in cyberspace, may rely on the president’s Article II powers, Congress has gradually built a framework of statutes that both authorize military cyber operations and require reporting to Congress that enables the legislature both to keep itself informed and to assert a significant role in supervising this novel and increasingly important species of military activity.
Assisting Taiwan
If threats coming across the U.S. southern border are one major national security concern reflected in the NDAA’s cyber provisions, another is the rising prospect of a Chinese invasion of Taiwan. In response to that risk, Section 1518 instructs the secretary of defense to “engage with appropriate officials of Taiwan for the purpose of cooperating with the military forces of Taiwan on defensive military cybersecurity activities.” That section identifies the following components of this deepened cooperation:
(1) defend military networks, infrastructure, and systems; (2) counter malicious cyber activity that has compromised such military networks, infrastructure, and systems; (3) leverage United States commercial and military cybersecurity technology and services to harden and defend such military networks, infrastructure, and systems; and (4) conduct combined cybersecurity training activities and exercises.
The secretary must act “with the concurrence of the Secretary of State and in coordination with the Commander of the United States Cyber Command and the Commander of the United States Indo-Pacific Command[.]” Congress gives the secretary six months to undertake this task and report to the House and Senate defense and foreign relations committees.
This congressional command clearly reflects concern about the increasingly belligerent words and actions of Chinese President Xi Jinping’s government concerning an invasion of Taiwan. But it also reflects a recognition that China has penetrated many important Taiwanese systems and that Chinese military action will include an important cyber component likely designed to disable military and civilian critical infrastructure networks, including electricity, water, and gas distribution systems as well as the satellite systems that are crucial to many communications and surveillance networks.
Congress’s action also dovetails with the central role assigned to cooperation with allies and partners in the newest version of the Defense Department’s cyber strategy, released last year. That cooperation includes both so-called hunt forward operations, in which U.S. personnel collaborate with partner militaries in monitoring partner country networks for malicious activity, and capacity-building efforts, in which the United States works with friendly countries, often ones under cyber assault by common adversaries, to strengthen their cyber defensive capabilities. Those capacity-building efforts received congressional endorsement in the FY2023 NDAA, and Section 1501 of the new NDAA adds a requirement that the Defense Department “maintain performance metrics to track the results” of these efforts.
Defending U.S. Critical Infrastructure
The FY24 NDAA includes an array of additional directives to the growing U.S. cyber forces, many of which concern defense of critical infrastructure at home. Some of those provisions reflect the reliance of military bases in the United States on water, power, rail transportation, and other crucial services supplied via infrastructure owned or operated by private companies or local governments. Others reflect a broader concern that critical infrastructure networks that supply the public have become targets for cyber penetration and thus possible attack by countries hostile to the United States.
At least since Russian hacking campaigns in 2015 and 2016 took down parts of the Ukrainian electric grid, the security of the U.S. electric grid against similar attacks has been a focus of public discussion, regulatory effort, and congressional scrutiny. Only a few months after the beginning of the Biden administration, the White House led a 100-day interagency effort to work in collaboration with industry to boost cybersecurity practices among the biggest companies responsible for the grid’s operation.
The NDAA expands the military’s role in these efforts to protect the electric power system by broadening a demonstration project begun in 2018 to improve the security of the grid’s industrial control systems. That project—which brought together the Defense Department, some of its leading engineering and applied physics contractors, and the Energy Department’s national laboratories—worked to develop more sophisticated methods of tracking and thus responding to malicious cyber activity affecting grid industrial control systems. While the federal participants collaborated with leading companies that operate components of the grid in developing this more effective monitoring technology, the technology itself and the data it generated could not be transferred to the private sector because of limitations in the statutory authorizations involved and thus on the sources of federal funding supporting the project. The FY24 NDAA supplies the additional statutory authority needed to permit the transfer to private organizations of this technology and data, thus making it available to the organizations most able to put it to effective use across the country.
Congressional and executive branch worries about penetration of U.S. critical infrastructure by adversaries such as China and Iran have not been limited to the electric power system. Attacks on or infiltrations of oil and gas pipelines, airports, and rail systems, for example, have prompted a series of emergency cybersecurity directives from the Transportation Security Administration. In line with these efforts, two of the NDAA’s additional commands to the Defense Department address enhanced cooperation with the private sector to defend critical infrastructure networks. Section 1513 establishes a four-year pilot program at the National Security Agency’s (NSA) Cybersecurity Collaboration Center to improve the security of the semiconductor supply chain. Section 1517 directs the secretary of defense to create a pilot program to assess “how to prioritize restoration of power, water, and telecommunications” for military installations “in the event of a significant cyberattack on regional critical infrastructure that has similar impacts on State and local infrastructure.”
Artificial Intelligence
The FY24 NDAA includes a series of provisions designed to bolster the Defense Department’s use of artificial intelligence (AI) systems and its ability to defend against them. Section 1542 requires the department to establish a bug bounty program “for foundational artificial intelligence models being integrated” into the department’s “missions and operations.” Drawing on research from the private sector, the act defines a “foundational artificial intelligence model” as “an adaptive generative model that is trained on a broad set of unlabeled data sets that may be used for different tasks with minimal fine-tuning.”
Section 1543 mandates the holding of a generative AI detection and watermark prize competition. The competition must be designed to “evaluate technology … for generative artificial intelligence detection and generative artificial intelligence watermarking, for the purposes of” supporting “the Secretaries of the military departments and the commanders of combatant commands in warfighting requirements” and “transitioning such technologies … from the prototyping phase to production.” Efforts to develop watermarking methods to detect and thus defend against AI-generated text, images, and code that are fake or misleading have been high on the government’s AI agenda, with the White House securing promises last summer from many of the large tech companies to develop these capabilities and a provision in the president’s recently issued AI executive order assigning to the Commerce Department the task of establishing standards for labeling AI-generated content.
The NDAA also imposes extensive planning and reporting obligations on the Defense Department concerning its use of AI systems and its ability to withstand attacks of various kinds that rely on AI-supported systems. Those obligations include development of guidance to ensure that the department’s and its contractors’ use of AI systems comports with standards for ethical and responsible AI (Section 1544). They require development of “a plan to defend the personnel, organizations, and systems of the Department against adversarial artificial intelligence” (Section 1544). And the NDAA gives the Defense Department one year to prepare a study on the potential vulnerabilities of AI-enabled military applications (Section 1545).
Defense Department (and NNSA) Cybersecurity
As has become typical, this year’s NDAA includes numerous mandates intended to push the Defense Department to improve its own cybersecurity practices, including of the nuclear command, control, and communications network (Section 1512), the principal internet access points used by Defense Department systems (Section 1515), the “identity, credential, and access management” protocols used by the department (Section 1516), supply chain risk management practices (Section 2809), and detection of insider threats (Section 1537). In this group may also be placed a provision directing the Energy Department’s National Nuclear Security Administration (NNSA), which is responsible for handling the government’s nuclear materials and weapons stockpiles, to establish a “Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group” assigned to develop “a comprehensive strategy for inventorying the range of” NNSA systems “that are potentially at risk in the operational technology and nuclear weapons information technology environments” (Section 3113).
The State Department
The FY24 NDAA, like its predecessors, does not limit itself to the Department of Defense. Devoting a title to “Information Security and Cyber Diplomacy” at the State Department, the NDAA pursues goals for State that mimic four of the goals it pursues for Defense: expanded bilateral partnerships, improved artificial intelligence capabilities, better handling and use of data in decision-making, and improved security for priority department systems and personnel.
The NDAA authorizes the secretary of state to establish and create a fund to support a program for “Digital Connectivity and Cybersecurity Partnership[s].” Reflecting the intense competition between the United States and China over equipment, services, and standards for next-generation information and communications technology (ICT), these sections of the NDAA identify “expand[ing] interoperability and promot[ing] the diversification of ICT goods and supply chain services to be less reliant on imports from the People’s Republic of China” as a central goal of the proposed partnerships. These sections also seek to advance other key U.S. international technology policy priorities, now being spearheaded by the recently created Bureau of Cyberspace and Digital Policy: increased “secure internet access and digital infrastructure in emerging markets”; protection of “technological assets, including data”; and adoption of policies promoting “the free flow of data, multi-stakeholder models of internet governance, and pro-competitive and secure ICT policies and regulations.”
In order to push forward the State Department’s use of AI, Section 6303 establishes a chief artificial intelligence officer for the department as a whole, giving that official responsibility both to drive adoption of AI applications in the department’s work and to advise the secretary on all aspects of AI policy.
Responding to long-standing criticisms of the State Department’s antiquated and unreliable IT systems, the NDAA devotes three sections to improving the department’s collection, storage, and use of data. One section sets out a series of mandates to strengthen the hand of the department’s chief information officer when it comes to improving the department’s IT infrastructure. Another requires establishment of chief data officers in each of the department’s bureaus, both to improve cybersecurity practices and to ensure greater use of data analytics in decision-making.
Finally, again addressing an area in which the State Department has suffered embarrassing setbacks, the NDAA imposes a series of obligations designed to improve the security of its information systems and of its senior officials’ communications in particular. As to the latter, Section 6308 requires the secretary of state to identify “at-risk personnel”—that is, those “highly vulnerable to cyber attacks and hostile information collection activities because of their positions in the Department”—and supply them with “cyber protection support.”
Intelligence Collection and Automating Declassification
Adjacent to cybersecurity, intelligence collection and declassification also draw significant attention from Congress in the FY24 NDAA.
Section 7351 adds a section to the NSA’s organic statute requiring the NSA director to report to the congressional intelligence committees within 30 days of an “intelligence collection adjustment,” a term the NDAA defines as including “‘a change by the United States Government to a policy on intelligence collection or the prioritization thereof that results in a significant loss of intelligence.’”
Figures from across the political spectrum have complained for decades about excessive classification and sluggish and hesitant declassification of federal documents. In May 2023, a bipartisan group of senators on the Intelligence Committee introduced two bills to reform the processes for classification and declassification, and elements of one of the bills made it into Section 7605 of the NDAA. That section gives one of the more well-hidden executive branch officials, the administrator of the Office of Electronic Government, a component of the Office of Management and Budget, one year to come up with recommendations for “technology-based solutions … to support efficient and effective systems for classification and declassification … to be implemented on an interoperable … basis across the Federal Government.” Six months later, the president must report to Congress on actions taken to put the recommendations into effect. Fingers crossed.
A Concluding Hope
With a few exceptions, Congress has repeatedly struggled and failed to enact major pieces of legislation devoted to cybersecurity. Not only have those failures left the must-pass NDAAs as the carriers of often scattered pieces of national cyber policymaking; they have also passed responsibility for the bulk of federal cyber initiatives—both offensive and defensive—to the executive branch. But, as in other areas of policymaking, the executive branch can get only so far without adequate statutory grants of authority.
The recent example of the Environmental Protection Agency’s (EPA’s) aborted effort to establish cybersecurity requirements for local water systems illustrates the problem. Relying on general authorities under the Safe Drinking Water Act, the EPA in 2023 issued a memorandum providing guidance on cybersecurity practices that would be included in required audits of the adequacy of those water systems. A group of Republican state attorneys general sued, claiming the EPA lacked a statutory foundation for its action, and the EPA ultimately withdrew its memo. As a result, the plants that ensure the safety of America’s drinking water, which the government has publicly identified as ongoing targets of penetration and possible manipulation by hackers linked to the Iranian Revolutionary Guard Corps, lack adequate cybersecurity mandates.
Ideally, Congress would take a systematic approach to filling these holes in the legal foundations for protecting critical infrastructure against our adversaries. But, barring such comprehensive action, we hope that future NDAAs will concentrate more than the FY24 NDAA does on remedying the most urgent deficiencies in that statutory framework.
Jonathan G. Cedarbaum
Jonathan G. Cedarbaum is a professor of practice at George Washington University Law School, affiliated with the program in national security, cybersecurity, and foreign relations law. During the first year of the Biden Administration he served as Deputy Counsel to the President and National Security Council Legal Advisor.
Matt Gluck @matthew_gluck
Matt Gluck is a research fellow at Lawfare. He holds a BA in government from Dartmouth College.
From lawfaremedaia.com