This year's annual national defense funding bill is chock-full of cybersecurity-related provisions with spending focused on nuclear weapons and systems security, artificial intelligence, digital diplomacy, and much more.
By a 310-118 vote, the US House of Representatives passed the $886 billion National Defense Authorization Act for Fiscal Year 2024 (NDAA), which passed the Senate one day later. The annual must-pass legislation for US military funding is now headed to President Biden for his signature.
Partisan fights over defense spending for Ukraine and controversies over women’s health care and gender-affirming rights generated a lot of headlines in the months leading up to the bill’s passage. Most of the hardline culture war provisions were ultimately stripped out of the final legislative package and much of the Ukraine funding is still mired in debate. The bill also contained a stop-gap four-month reauthorization of the controversial Section 702 of the Foreign Intelligence Surveillance Act, which enables the US government to spy on foreign nationals, and sometimes US citizens and residents, which was due to expire at year-end.
As is typical for all annual NDAAs, this year’s 3,000-plus page legislation is filled with many large and small cybersecurity-related provisions. The following sections summarize some of the more consequential cybersecurity provisions in the Act.
Following a concerted push by a group of bipartisan House lawmakers, the NDAA creates within the Department of Defense a “cybersecurity risk inventory, assessment, and mitigation working group” charged with developing a comprehensive strategy for identifying nuclear weapons information technology environments facing cybersecurity risks and implementing risk mitigation actions.
The bill also directs the Secretary of Defense to establish a cross-functional team to develop and oversee the implementation of a threat-driven cyber defense construct for the systems and networks that support the nuclear command, control, and communications, commonly called the NC3 mission. This team will comprise personnel from all the military departments, the Defense Information Systems Agency, the National Security Agency, the United States Cyber Command, the United States Strategic Command, and any other organization or element of the Department of Defense determined appropriate by the Secretary.
Consistent with the rapid rise of artificial intelligence (AI) technologies and the still uncertain impact these new systems will have on military operations and foreign diplomacy, the NDAA contains major sections that give the Pentagon and US State Department several new AI-related responsibilities.
The bill establishes a Chief Digital and Artificial Intelligence Officer Governing Council for the military to provide policy oversight to ensure the responsible, coordinated, and ethical employment of data and artificial intelligence capabilities across Department of Defense (DOD) operations and missions. The Department’s Chief Digital and Artificial Intelligence Officer (CDAO) will head the Council.
Among the many duties assigned to the CDAO under the bill are cybersecurity-related tasks, including:
The bill also requires the Secretary of Defense to develop a strategic plan for the development, use, and cybersecurity of generative artificial intelligence, including a policy governing the use of, and the defense against, adversarial use of, generative artificial intelligence. It further requires the Defense Secretary to complete a study “to assess the functionality of artificial intelligence-enabled military applications, research and development needs related to such applications, and vulnerabilities to the privacy, security, and accuracy of such applications.”
In terms of the State Department, the bill establishes an office of a Chief Artificial Intelligence Officer, who will, among other things, act as the principal advisor to the Secretary of State on the ethical use of AI and advanced analytics in conducting data-informed diplomacy. It also establishes a program, the Digital Connectivity and Cybersecurity Partnership, and promotes best practices and common standards for a national approach to cybersecurity.
The bill further establishes in the State Department a cyberspace, digital connectivity, and related technologies (CDT) fund to advance a secure and stable cyberspace by, among other things, helping countries prepare for, defend against, and respond to malicious cyber activities and adopt national strategies to enhance cybersecurity.
Of the many other provisions in the NDAA that mention cybersecurity, the following are worth noting:
Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, Metacurity.com, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.
Sponsored Links
