Because spending plans make for informative policy documents, an April markup of the 2019 National Defense Authorization Act (NDAA) offers an outline of the Department of Defense’s plans for its cyber operations and the development of new technologies.
The markup, released by the House Armed Services Committee’s Subcommittee on Emerging Threats and Capabilities, is an early step in the process for the NDAA, which annually authorizes funding for DoD and its operations. Emerging Threats and Capabilities is one of six subcommittees that have marked up the bill (the others being Tactical Air and Land Forces, Readiness, Strategic Forces, Military Personnel, and Seapower and Projection Forces). The full committee markup will be held May 9, and final congressional passage would come late in the year.
Nevertheless, the markup does include provisions that reflect DoD’s positions on the evolving cyber threat landscape and on how it is shaping its cyber defense forces.
Infrastructure Protection
The proposed NDAA calls for a more cooperative approach between DoD and the Department of Homeland Security (DHS) with regard to protecting infrastructure. It would require the two departments to study the feasibility of using cyber warriors in the Reserves as cyber civil support teams to each state to both prepare for and respond to cyber attacks. The bill also would authorize DoD to provide technical personnel to DHS for critical infrastructure protection.
Concerns over infrastructure vulnerabilities hit a peak in March, when DHS issued a rare public alert describing a large-scale Russian effort targeting the power grid and other sectors. Earlier this month, cybersecurity company Tenable reinforced those concerns with a report about critical vulnerabilities that could affect manufacturing, oil and gas, water, and wind and solar power facilities.
The U.S. Cyber Command has included infrastructure protection among its mandates, though mostly as a secondary concern to protecting DoD networks and operations. But the command has been working toward a more coordinated approach to infrastructure, releasing a joint paper with DHS outlining a whole-of-nation approach that would also include the private sector. The 2019 NDAA markup would give the departments authority to run a pilot program on improving the cybersecurity and resiliency for infrastructure.
Changing of the Guard
The NDAA would put the final touch on the transfer of cyber responsibilities from the Defense Information Systems Agency to Cybercom, which has been underway. The bill would mandate the transfer of “all roles, missions, and responsibilities” for Joint Force Headquarters-DoD Information Networks (JFHQ-DODIN) to Cybercom by Sept. 30, 2019.
The bill also wants a plan to eliminate the Strategic Capabilities Office (SCO), or transfer its work to another DoD organization by October 2019. SCO, created in 2012 by then-Deputy Defense Secretary Ash Carter, is a secretive organization intended to exploit existing technology. It’s been compared to the Defense Advanced Research Projects Agency, but while DARPA looks to develop new technologies—and tends to trumpet its work—SCO looks for ways to repurpose current technology, and most of its projects are classified.
One non-classified example of SCO’s work is the Perdix project, which uses off-the-shelf technology and employs ruggedized micro-drones that can be created on a 3-D printer and dropped in swarms from an F-16 or F/A-18 for surveillance.
SCO could be a victim of the reorganization of the Pentagon’s acquisition system, which divided the system into two parts—Acquisition and Sustainment, and Research and Engineering—each with its own undersecretary. Part of SCO’s success has been that it reported directly to the secretary of Defense, thereby allowing it to avoid a lot of the usual red tape, Defense News reports. Under the new structure, which officially took effect Feb. 1, it would report to an office several levels down.
Research and Development Approach
By the NDAA’s outline, Congress wants new technology to be developed and deployed quickly, but also wants to keep an eye on where the money is going. The markup supports the open-innovation efforts of the Defense Innovation Unit Experimental (DIUx) to work with industry to identify needs and get innovative technologies into the hands of warfighters as fast as possible. It also calls for expanding its accelerated approach to other DOD technology organizations, by developing working relationships with DARPA and the military service’s research laboratories (and, oddly enough, SCO, according to the current wording in the bill). The Armed Services Committee wants a report from DIUx on its plans by October of this year.
On one high-profile new technology project—the development of high-energy lasers—the bill would withhold 50 percent of authorized 2019 funds until DoD provides a clear assessment of the technology’s development.
The bill also voices support for developing new artificial intelligence and machine learning technologies, but doesn’t get into specifics, other than requiring DoD to conduct an assessment of new advances and submit a report to defense committees within 180 days of the NDAA’s passage.