Infosec Set Back by 'Don't Ask' Vote

Cybersecurity is truly a bipartisan issue in Congress, but measures aimed at enhancing the protection of military IT systems fell victim Tuesday to political squabbling over the repeal of the don't ask, don't tell policy on gays in the military.

Republicans who oppose a section of the National Defense Authorization Act that would have rescinded don't ask, don't tell successfully blocked continuation of debate on the entire bill, which also includes provisions to substantially strengthen military cyber defenses.

Senate Majority Leader Harry Reid, D-Nev., couldn't muster the 60 votes needed to block the filibuster. Ironically, a potential 60th vote belonged to Sen. Susan Collins, R-Maine, a champion of cybersecurity reform as the ranking minority member of the Senate Homeland Security and Governmental Affairs Committee and sponsor of major cybersecurity legislation. Collins supports revoking don't ask, don't tell, but objects to Reid's decision not to allow amendments to the defense measure.

Provisions in the bill that would enhance the military's effort to secure its digital assets include:

• Directing the Defense Department to implement continuous monitoring of its IT systems;


• Creating processes to assure that acquired information technology is not built in a manner to surveil, deny, disrupt or degrade the function, use or operation of purchased systems;


• Instituting a strategy to acquire rapidly tools, applications and other capabilities for cyber warfare for the United States Cyber Command; and


• Implementing a strategy to assure the security of software and software-based applications for IT systems.

It's not just these cybersecurity provisions that could be at risk by the failure of the Senate to enact the National Defense Authorization Act. In May, the House passed its version of the defense bill, which includes cybersecurity provisions that go beyond the military to affect civilian federal agencies, too. The House version of the National Defense Authorization Act would create a National Office for Cyberspace in the White House, headed by a Senate-confirmed director, that would have strong budgetary oversight powers on cybersecurity matters. The House measure also would expand the procurement and software assurance provisions beyond what's in the Senate bill to include all federal agencies.

The defense bill, though stalled, isn't necessarily dead. It could come up for a vote if Collins or another Republican changes his or her mind, especially if Reid reconsiders his amendment ban. More likely, the bill could be resurrected in a lame-duck session of Congress after the midterm elections when don't ask, don't tell won't be as politically charged.

If the Senate version eventually passes - it's almost unheard of for Congress not to enact a defense authorization bill - either the House would pass the Senate version without amendment or more likely both bills would go to a conference committee where senators and House members would resolve their differences. An enacted National Defense Authorization Act could substantially change how the federal government governs information security.