Cybersecurity

Senate-passed defense spending bill includes clause giving DHS cyber agency subpoena power

The Senate version of the annual National Defense Authorization Act (NDAA) approved Thursday included a raft of measures designed to shore up federal cybersecurity, including a clause giving the Department of Homeland Security’s (DHS) cybersecurity agency subpoena power.

The provision, originally introduced by Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson (R-Wis.) and Sen. Maggie Hassan (D-N.H.) in December, would allow DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to internet service providers compelling them to release information on cyber vulnerabilities detected on the networks of critical infrastructure organizations.

“Every day our adversaries target our critical infrastructure, including our electric grids, dams, and airports, and every day, CISA is made aware of vulnerabilities to these systems — some easily fixable — but is powerless to warn the potential victims,” Johnson said in a statement following the NDAA’s passage. 

“This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” he added. “We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”

Hassan described the subpoena power proposal as “common-sense,” adding in a separate statement that she would “keep working” with Johnson to get the provision signed into law as part of the final version of the fiscal 2021 NDAA that will be conferenced between the House and Senate in coming weeks. 

The legislation was also included in the House version of the NDAA, approved earlier this week, making it likely the provision will stay in the final version eventually sent to President Trump for signature. 

Another key cybersecurity provision included in the Senate version of the annual defense spending bill was one establishing a federally funded cybersecurity coordinator in every state to prepare for and respond to cyberattacks. 

The legislation was introduced in January by Hassan and Sens. John Cornyn (R-Texas), Gary Peters (D-Mich.), and Rob Portman (R-Ohio) after a year of increasing cyberattacks across the nation crippled city governments in New Orleans and Baltimore, among many others. 

“We live in an increasingly interconnected society, and state and local governments need clear lines of communication and an understanding of what federal resources are available to protect them from ever-evolving cyber threats,” Peters, the ranking member of the Senate Homeland Security and Governmental Affairs Committee, said Thursday. “Bad actors will always target the path of least resistance — which is why we must boost cyber-security at all levels of government.”

A clause meant to address the threat of “deepfakes,” or media altered by artificial intelligence to show distorted events, was also included in the Senate version of the NDAA. 

The bipartisan measure would require DHS to conduct an annual study on how deepfakes are used by foreign and domestic groups, and ways to fight back against the creation of the videos. 

“Fake content can damage our national security and undermine our democracy,” Sen. Brian Schatz (D-Hawaii), one of the original sponsors of the deepfakes legislation, said in a statement Thursday. “Our amendment directs the federal government to learn more about the scope and impact of deepfake technology. It’s an important step in fighting disinformation.”

One major cybersecurity provision not included was the establishment of a national cyber director at the White House to serve as a coordinating force between federal agencies on cybersecurity issues. The House-passed version of the NDAA established the position, but the Senate version only included language requiring an “assessment” of the “feasibility” of doing so.

It is unclear whether the position will eventually be included in the final version of the NDAA sent to Trump for approval. The bipartisan effort to create a national cyber director comes two years after the White House cybersecurity coordinator position was eliminated by former national security advisor John Bolton in an effort to reduce bureaucracy.