Several provisions in the Senate’s version of the annual defense policy bill aim to increase oversight of cyber activities in the Department of Defense, including a new two-star general officer to serve as the senior military adviser to cyber policy.
The bill, which passed the Senate Armed Services Committee in late May, adds new positions at the Pentagon to ensure the military’s cyber capabilities continue to mature. The full text of the legislation was released June 12.
One section of the bill directs the undersecretary of defense for policy to create a position known as the senior military adviser to cyber policy.
This uniformed official – while concurrently serving as the deputy principal cyber adviser, an existing position – will advise the undersecretary for policy on all cyber matters. The official will also work with the Pentagon’s chief information officer, joint staff, services and combatant commands regarding cyber policy decisions. In the Pentagon’s current hierarchy, there is already a similar position: a deputy assistant secretary of defense for cyber policy within the undersecretary for policy office.
The bill also directs each of the services to designate a principal cyber adviser who will advise the service secretary on cyber forces, cyber program and other cybersecurity matters. If approved, this position would be held by a senior civilian.
Here is a rundown of several other cyber related provisions in the Senate’s version of the National Defense Authorization Act:
The Senate bill also directs the Pentagon’s principal cyber adviser to examine the best way to organize and staff three military cyber agencies.
The study would look at what it means it would mean if the personnel in these agencies were moved from services to joint organizations. It would also consider what would happen if those billets were moved to Cyber Command.
The first of the organizations would be the Joint Force Headquarters-Cyber (JFHQ-C). The four JFHQ-Cs deploy offensive cyber teams within the combatant commands. They provide planning, targeting, intelligence and cyber capabilities to the combatant commands they’re assigned and are led by the heads of the four service cyber components.
The second is the Joint Mission Operations Centers and the third group is what’s known as cyber operations-integrated planning elements. These are small teams currently being created by each service cyber component that will serve as a forward element of the JFHQ-C locally at the combatant command staff to help coordinate cyber effects for battle plans.
The Senate bill also requires quarterly assessments of the readiness of the cyber mission force. The cyber mission force reached its critical staffing milestone in May 2018 and now Cyber Command leaders have said they are transitioning from building to maintaining and sustaining that force. The Senate wants the report to address the abilities of the department to conduct cyber operations based on capability and capacity of personnel, equipment, training, and equipment condition using both quantitative and qualitative metrics.
Better buying for cyber
Senators have authorized the Pentagon to use one pot of money to fund “cyber operations-peculiar capability development projects.”
In the past, cyber leaders have feared misusing funds appropriated for other items to go toward cyber systems. But the Senate’s bill clears the way to use operations and maintenance funds for these cyber capabilities. It limits that amount to $3 million a year.
The Air Force’s cyber command has followed a similar model in recent years.
Another cyber purchasing provision in the Senate’s bill requires the National Security Agency to assist the Pentagon in the acquisition and adoption of cybersecurity products from industry.
The bill notes this is an extension of NSA’s mission to secure information systems of DoD.
Cyber cooperation with homeland security
As a means of creating greater continuity for protecting the United States from significant cyber incidents, leaders from the Department of Defense and the Department of Homeland Security signed a memorandum of understanding last fall.
The Senate bill asks leaders to provide more information on that memo and requires a briefing to Congress.
The briefing must include the number of planners assigned by the Pentagon, whether the planners are co-located with DHS counterparts and are assigned full time, if the planners are developing plans or playbooks to be used in the case of national level cyberattacks, whether the National Cyber Strategy of 2018 provides a multi-agency organization the ability to plan and direct responses to national cyberattacks and a copy of the charter and implementation plan of the Joint Department of Defense and Department of Homeland Security Cyber Protection and Defense Steering Group required by the memo.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.