

Cybersecurity provisions of the National Defense Authorization Act for Fiscal Year 2018 (NDAA)

Posted by verstraete at 2020-03-02

(1) Introduction

President Trump on Tuesday signed a roughly $700 billion National Defense Authorization Act (NDAA), which sets policy and budget guidelines for U.S. fiscal year 2018. Annual authorization acts typically carry new programs and policy provisions, and this year's NDAA advances several significant cybersecurity efforts and lays down new rules and plans related to information security.

Here are the key cybersecurity provisions:

1. Official ban on Kaspersky Lab software (Sec. 1634)

The Department of Homeland Security had already taken concrete steps to get Kaspersky Lab products out of federal agencies; Sec. 1634 writes that ban into law for the federal government and sets a deadline of October 2018 for complete removal. The prohibition explicitly covers all Kaspersky Lab products, including hardware, software and services produced by its subsidiaries and by any entity Kaspersky Lab controls.

2. President Trump must define a national policy on cyberspace, cybersecurity and cyber warfare (Sec. 1633)

The President is expected to "develop a national policy of the United States on cyberspace, cybersecurity and cyber warfare" and present it to Congress. The policy is to describe and clearly define the plans, authorities and roles of the different federal agencies in responding to a major cyber attack. The White House is also expected to spell out the options the country can rely on in cyberspace during wartime; these should be "multifaceted", covering deterrence, defense and offensive strategies. No deadline is set for submitting the national policy. According to White House homeland security adviser Thomas Bossert, the White House is currently drafting a comprehensive national security strategy.

3. The Secretary of Defense is asked to review and propose a plan to better integrate and organize the cybersecurity capabilities and responsibilities spread across multiple departments (Sec. 1641, Sec. 1644 and others)

Throughout the NDAA there are several references to the need for Pentagon leadership to revisit how its many different cybersecurity-related tasks are organized internally. The underlying purpose of these requirements is that Congress wants the Pentagon to think through how it plans to respond to attacks and to coordinate its response to digital threats. At present, cybersecurity work at the Pentagon is split across separate offices.

4. Cyber scholarship program (Sec. 1649)

The National Science Foundation and the Office of Personnel Management will launch a joint pilot scholarship program involving five to ten universities, with the aim of improving cyber education and recruiting talent directly out of universities. In addition, the NDAA requires that at least 5% of the total financial assistance available under the act be dedicated to cyber education programs, including at K-12 schools.

5. Speaker Paul Ryan and Minority Leader Nancy Pelosi get new powers to deal with cyber attacks against the House of Representatives (Sec. 1090)

If the Speaker of the House or the Minority Leader believes that additional resources or support are needed to respond to a cyber attack on Congress, they will have new authority to seek that support. The organizations that could provide it to Congress may include other government agencies, such as the National Security Agency, or private cybersecurity companies.

6. Citing cyber risk, the United States will soon stop buying satellite services from foreign governments, Russia in particular (Sec. 1603)

The U.S. Department of Defense and other U.S. defense organizations are now prohibited from entering into satellite service contracts with companies, entities or their representatives that the Secretary of Defense believes may be affiliated with a foreign government, or that are wholly or partly controlled by one. Although the clause formally refers to any company controlled by a "foreign government", it is aimed squarely at Russia because of the evident "cybersecurity risk".

7. Lawmakers must be briefed on sensitive U.S. offensive cyber operations and hacking capabilities (Sec. 1631, Sec. 1632)

Within 48 hours of the end of the relevant mission, the Pentagon must notify the congressional defense committees of any sensitive military-led cyber operation conducted under Title 10 authorities (Title 10 of the U.S. Code governs the armed forces). Sec. 1632 additionally requires that legislators be briefed quarterly on the military's inventory of cyber weapons and their use.

8. The DoD CIO gains additional authority over the Pentagon's cybersecurity mission (Sec. 909)

The DoD CIO takes on new responsibilities, including the ability to plan for and support offensive cyber operations. The NDAA expands the role by rewriting its key areas of responsibility, which now cover all of the following: "information technology, networking, information assurance, cybersecurity and cyber capability architectures". Under the updated provisions the CIO will also advise on budget decisions and report directly to the Secretary of Defense.

9. The Pentagon must plan to counter Russian information operations like those of 2016 (Sec. 1641)

Within 180 days, the Secretary of Defense must provide Congress with a plan explaining how the Pentagon will deter, defend against and deny information operations aimed at U.S. citizens. The plan is also expected to cover working with allies to respond to Russian digital propaganda.

10. Planning the end of the Cyber Command / NSA "dual-hat" arrangement (Sec. 1648)

Pentagon leadership must submit a report by May 2018 on the operational and budgetary implications of ending the dual-hat leadership of U.S. Cyber Command, which is currently headed by the director of the National Security Agency (NSA).

11. U.S. Cyber Command to reassess how it develops offensive and defensive cyber tools (Sec. 1642)

The head of U.S. Cyber Command, who is for now still the director of the National Security Agency, must evaluate "alternative approaches to developing, acquiring and maintaining software-based cyber tools and applications". The idea is to find new ways to reduce costs, speed up development and improve efficiency as part of a repeatable, disciplined process. The review will also cover existing training and education programs for software developers. Congress currently plans for Cyber Command to get its own leader next year, separating it from NSA leadership and elevating it to a unified combatant command like SOCOM.