Cyber Reforms Excised from Defense Act

111th Congress Fails to Enact Significant Cybersecurity Reform
Cyber Reforms Excised from Defense Act
The don't ask, don't tell provision wasn't the only section excised from the latest version of the National Defense Authorization Act of 2011. The provision that would have established an Office of Cyberspace in the White House, headed by a Senate-confirmed director, does not appear in H.R. 6523, the latest version of the defense bill, which passed the House Friday by a 341 to 48 vote. The measure goes to the Senate.

In May, just before the House of Representatives approved the defense bill, Reps. Diane Watson, D-Calif., and James Langevin, D-R.I., successfully sponsored a rider to not only create a Senate-confirmed cyberspace director in the White House but also establish a board to assure compliance with federal IT security regulations as well as require agencies to automate continuous monitoring of their IT systems and establish processes to acquire secure software.

Langevin, speaking on the House floor Friday, said he was greatly disheartened that the revised bill's sponsors removed the cybersecurity provisions he proposed. "Our government is under attack every single day in cyberspace, yet we lack the coordination and strategy to properly defend ourselves or operate efficiently online," he said. "Recent issues such as the WikiLeak's Cablegate, the Stuxnet virus and the disclosure of high-level attacks on our Department of Defense only drive home the urgency of addressing this crisis with a strong coordinated response.

"While there are many important provisions for the Department of Defense cyber efforts in this bill, the DOD already has the assets to begin addressing this crisis. The real challenges lie in securing our federal networks and developing a real comprehensive policy for addressing transnational threats as well as engaging international partners. I will continue to push this issue as a top national security priority next year."

The exclusion of the Watson-Langevin amendment from the defense act means that Congress has failed to enact any significant cybersecurity legislation in the past two years. Several cybersecurity bills had passed the House during the current 111th Congress, but no significant IT security bill ever came up for a vote in the Senate.

Republicans filibustered the House-passed version of the defense act because it included a provision to repeal the don't ask, don't tell law that bars homosexuals from serving openly in the military. The House Wednesday overwhelmingly approved a separate bill to repeal don't ask, don't tell. Because of the House vote, House Armed Services Committee Chairman Ike Skelton, D-Mo., introduced Wednesday the scaled-down defense bill without the don't ask, don't tell provision.

The revised National Defense Authorization Act goes back to its original focus on the military, eliminating riders viewed as extraneous to military operations such as IT security provisions aimed mostly at civilian agencies. Supporters of the cybersecurity rider had argued that it was relevant to the defense act because IT security is part of national security and defense.

Still, the revised bill includes provisions in the original measure to require the Defense Department to report to Congress on cyberwarfare policy that includes a review of legal, strategy and doctrinal issues; funding cybersecurity demonstration projects using commercial technology; developing a tailored acquisition process for cyberspace; and creating a strategy to address software vulnerabilities and supply-chain risk mitigation strategies. The measure also would require the DoD to continuously monitor its information systems.

About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.

Around the Network