Senate cybersecurity measure worries contractors

From: Politico

By TONY ROMM


Critical Pentagon programs to protect classified data from cyberattackers and state-sponsored spies hang in the balance as lawmakers begin to confer on competing House and Senate defense authorization bills.

The two chambers approved measures that make different cybersecurity requirements for companies that sell software to the government, and they set forth competing visions for how federal contractors should respond if their networks have been breached. In addition, the House and Senate specify different roles for the Defense Department to conduct clandestine operations in cyberspace.

Lawmakers must untangle these thorny issues in a short time frame if they hope to finish work on the bill this year. On cybersecurity, the outcomes matter to tech companies and contractors with big bucks on the line, as well as to the Obama administration, which has raised red flags on how both bills approach the nation’s digital defenses.

Most of the fights on the horizon originate from late changes made to the Senate’s defense bill, which passed last week on a 98-0 vote.

One of the most controversial amendments, backed by chamber defense leaders, would require a broad swath of contractors to report to the Pentagon in the event of a successful cyberintrusion.

The problem: DOD already has a narrow, voluntary program — known as the defense-industrial base pilot — meant to encourage contractors in the DIB to report cyberintrusions while sharing threat data with their federal partners. The fear is the Senate’s proposed mandatory program would cover more entities and possibly create another more costly reporting system, creating something of a conflict between the two.

Lawmakers say the change is critical. “It’s so obvious that if a defense contractor with classified information has their networks penetrated and attacked, then the government has to know about that,” said Sen. Carl Levin (D-Mich.), who authored the amendment, after the Senate bill passed.

“I just think it’s very, very clear in those circumstances that we have an obligation to know if contractors have classified information and that we are paying for that contractor’s work,” he said.

But the tech sector has plenty of doubts.

Trey Hodgkins, senior vice president of Global Public Sector at TechAmerica, told POLITICO many companies involved in the current DIB pilot are likely to try to fight the change, given they’ve “all invested a lot of time and effort in this process” at the regulatory level. His group wrote to Levin and Sen. John McCain (R-Ariz.) on Thursday to highlight a litany of issues with the amendment, including the fact it had never been vetted before a committee.

Still, other stakeholders are concerned the new cyber section is too vague.

It doesn’t, for instance, specify whether it applies to classified or unclassified information and doesn’t clearly define what counts as an intrusion.

Many of the logistics, though, aren’t going to come as a result of any Hill bickering.

“If passed into law, the real meat of this provision will likely be added later, through implementation policy and regulation,” said Michael McNerney, a former defense official and now a fellow at the Truman National Security Project.

As lawmakers and industry leaders quarrel over that section of the bill, they’ll have to fight another battle — this one over a chunk of the Senate’s measure on software security. If the chamber has its way, vendors could have to provide their source code or follow a specific security verification process in order to sell to the feds.

Tech companies are lobbying heavily against that section, which drew criticism from the White House as part of the administration’s earlier veto threat. Sellers to DOD don’t want to use specific tools when developing their software or to adhere to any Pentagon coding standards. They don’t want to submit to third-party testing of their code, and they fear the section as a whole could generate new compliance costs while making it difficult for private companies to market to the government any commercial, off-the-shelf software.

Instead, industry hopes the House’s approach — it doesn’t have one — ultimately wins the day. And a number of tech trade associations, including the Business Software Alliance, are urging lawmakers during conference committee to drop the Senate section altogether.

“We certainly support the goal of ensuring the software in critical weapons systems is secure,” said Tim Molino, director of government relations at BSA. “Our concern is that the way [the section] initially was drafted could hurt rather than help security by undermining industry best practices.”

For now, Molino said staffers on both sides of the Capitol have been “open and receptive” to the industry’s concerns.

That’s not to say there isn’t anything in the House bill giving companies and the Obama administration some pause.

For a second time, lawmakers led by Rep. Mac Thornberry (R-Texas) are angling to give DOD explicit powers to commence clandestine operations in cyberspace — a move the administration also has criticized in a prior veto threat of the House-passed defense authorization bill. There’s no similar approach in the Senate, and it could be dropped from the final package as it has been in previous fights.

That’s the path preferred by the Obama administration. As it threatened a veto of the House-passed defense bill, it noted “concerns about this provision” but pledged to “work with the Congress to ensure that any such legislation adds clarity and value to our efforts in cyberspace.”
