By a 310-118 vote, the US House of Representatives passed the $886 billion National Defense Authorization Act for Fiscal Year 2024 (NDAA), which passed the Senate one day later. The annual must-pass legislation for US military funding is now headed to President Biden for his signature.
Partisan fights over defense spending for Ukraine and controversies over women’s health care and gender-affirming rights generated a lot of headlines in the months leading up to the bill’s passage. Most of the hardline culture war provisions were ultimately stripped out of the final legislative package and much of the Ukraine funding is still mired in debate. The bill also contained a stop-gap four-month reauthorization of the controversial Section 702 of the Foreign Intelligence Surveillance Act, which enables the US government to spy on foreign nationals, and sometimes US citizens and residents, which was due to expire at year-end.
As is typical for all annual NDAAs, this year’s 3,000-plus page legislation is filled with many large and small cybersecurity-related provisions. The following sections summarize some of the more consequential cybersecurity provisions in the Act.
Boosting nuclear weapons and systems cybersecurity
Following a concerted push by a group of bipartisan House lawmakers, the NDAA creates within the Department of Defense a “cybersecurity risk inventory, assessment, and mitigation working group” charged with developing a comprehensive strategy for identifying nuclear weapons information technology environments facing cybersecurity risks and implementing risk mitigation actions.
The bill also directs the Secretary of Defense to establish a cross-functional team to develop and oversee the implementation of a threat-driven cyber defense construct for the systems and networks that support the nuclear command, control, and communications, commonly called the NC3 mission. This team will comprise personnel from all the military departments, the Defense Information Systems Agency, the National Security Agency, the United States Cyber Command, the United States Strategic Command, and any other organization or element of the Department of Defense determined appropriate by the Secretary.
NDAA focus on artificial intelligence
Consistent with the rapid rise of artificial intelligence (AI) technologies and the still uncertain impact these new systems will have on military operations and foreign diplomacy, the NDAA contains major sections that give the Pentagon and US State Department several new AI-related responsibilities.
The bill establishes a Chief Digital and Artificial Intelligence Officer Governing Council for the military to provide policy oversight to ensure the responsible, coordinated, and ethical employment of data and artificial intelligence capabilities across Department of Defense (DOD) operations and missions. The Department’s Chief Digital and Artificial Intelligence Officer (CDAO) will head the Council.
Among the many duties assigned to the CDAO under the bill are cybersecurity-related tasks, including:
- Manage AI digital assets by providing “the digital infrastructure and procurement vehicles necessary to manage data assets and data analytics capabilities at scale to enable an understanding of foreign key terrain and relational frameworks in cyberspace to support the planning of cyber operations, the generation of indications and warnings regarding military operations and capabilities, and the calibration of actions and reactions in strategic competition.”
- Develop an AI bug bounty program for foundational artificial intelligence models integrated into the missions and operations of the DOD.
- Implement and oversee an educational program on data and artificial intelligence to familiarize personnel department-wide with the applications of artificial intelligence.
The bill also requires the Secretary of Defense to develop a strategic plan for the development, use, and cybersecurity of generative artificial intelligence, including a policy governing the use of, and the defense against, adversarial use of, generative artificial intelligence. It further requires the Defense Secretary to complete a study “to assess the functionality of artificial intelligence-enabled military applications, research and development needs related to such applications, and vulnerabilities to the privacy, security, and accuracy of such applications.”
In terms of the State Department, the bill establishes an office of a Chief Artificial Intelligence Officer, who will, among other things, act as the principal advisor to the Secretary of State on the ethical use of AI and advanced analytics in conducting data-informed diplomacy. It also establishes a program, the Digital Connectivity and Cybersecurity Partnership, and promotes best practices and common standards for a national approach to cybersecurity.
The bill further establishes in the State Department a cyberspace, digital connectivity, and related technologies (CDT) fund to advance a secure and stable cyberspace by, among other things, helping countries prepare for, defend against, and respond to malicious cyber activities and adopt national strategies to enhance cybersecurity.
Other noteworthy NDAA cybersecurity provisions
Of the many other provisions in the NDAA that mention cybersecurity, the following are worth noting:
- Counter illegal trafficking by Mexican transnational criminal organizations in cyberspace: The bill gives the Secretary of Defense the authority, in conjunction with other federal departments and agencies and the government of Mexico, to conduct detection, monitoring, and other operations in cyberspace to counter Mexican transnational criminal organizations that are engaged in the smuggling of illegal drugs, human trafficking, weapons trafficking, and other illegal activities.
- Cooperate with Taiwan on military cybersecurity: Under the legislation, the Secretary of Defense, acting through the Under Secretary of Defense for Policy, with the concurrence of the Secretary of State and in coordination with the Commander of the United States Cyber Command and the Commander of the United States Indo-Pacific Command, will seek to engage with appropriate officials of Taiwan to cooperate with the military forces of Taiwan on defensive military cybersecurity activities.
- Establish a military pharmaceutical and medical device vulnerability working group: The NDAA directs the Secretary of Defense, in coordination with the Chairman of the Joint Chiefs of Staff, the Under Secretary of Defense for Personnel and Readiness, and the Under Secretary of Defense for Acquisition and Sustainment, to establish a military pharmaceutical and medical device vulnerability working group to discuss issues involving access, threats, and vulnerabilities to pharmaceuticals, therapeutics, and medical devices in operational environments of the Defense Department.
- Create a pilot program relating to semiconductor supply chain and Cybersecurity Collaboration Center: The bill directs the Secretary of Defense, in coordination with the Director of the National Security Agency, to conduct a pilot program under which NSA’s Cybersecurity Collaboration Center may collaborate with eligible persons to assess the feasibility and advisability of improving the cybersecurity of the semiconductor supply chain.
- Modernize network boundary and cross-domain defense: The Act directs the Secretary of Defense to carry out a modernization program for network boundary and cross-domain defense against cyberattacks, building on a pilot program authorized under the 2023 NDAA.
- Create an office for academic engagement relating to cyber activities: Under the bill, the Secretary of Defense, acting through the CIO of the Department of Defense, is required to establish an office to establish, maintain, and oversee the activities related to the Department’s activities with academia regarding cyber-related matters.
- Authorize a pilot program on Civilian Cybersecurity Reserve. The NDAA allows the Secretary of the Army to conduct a pilot program to establish a Civilian Cybersecurity Reserve to provide the United States Cyber Command with human resources to effectively respond to malicious cyber activity and conduct cyberspace operations, among other actions.
- Study occupational resiliency of Cyber Mission Force. With a nod to the growing burnout of military cybersecurity personnel, the bill directs the Principal Cyber Advisor of the Department of Defense and the Under Secretary of Defense for Personnel and Readiness, in coordination with the principal cyber advisors of the military departments and the Commander of the United States Cyber Command, to conduct a study on the personnel and resources required to enhance and support the occupational resiliency of the Cyber Mission Force.
- Extend and modify the pilot program to improve cyber cooperation with foreign military partners in Southeast Asia. This section of the bill extends a provision in the 2021 NDAA that authorizes US cybersecurity cooperation with Vietnam, Thailand, and Indonesia, slated to expire by year-end, to December 31, 2027.
- Establish performance metrics for a pilot program on sharing cyber capabilities and related information with foreign operational partners. This bill section directs the Secretary of Defense to maintain performance metrics to track the results of sharing cyber capabilities and related information with foreign operational partners under a pilot program.
- Harmonize and clarify the Strategic Cybersecurity Program and related matters. Under the NDAA, the defense secretary will designate a principal staff assistant from within the Office of the Secretary of Defense to have primary responsibility for the Pentagon’s Strategic Cybersecurity Program.