The NDAA and Cybersecurity

Paul Rosenzweig
Tuesday, December 11, 2012, 1:26 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

A colleague just pointed this out to me today. Buried in the Senate-approved NDAA is Section 936, which would require the Pentagon to "establish a process" for defense contractors that have classified information on their networks to report any successful cyber penetration of their systems to the Defense Department.

"The report by a contractor on a successful penetration of a designated network or information system under the process shall include the following: (A) A description of the technique or method used in the penetration; [and] (B) A sample of the malicious software, if discovered and isolated by the contractor." In addition, upon request, contractors would be required to give DoD access to "equipment or information" to determine if any classified "information created by or for" the DoD had been "successfully exfiltrated." DoD would not be allowed to distribute this information outside of DoD without the contractor's approval.

This looks a lot like the voluntary information sharing system suggested in the President's draft Executive Order, made mandatory for DoD contractors, but with the limitation that the information sharing will only be partial and exclusively within the DoD community. Almost seems the worst of both worlds -- mandatory disclosure without any liability protection for the contractors AND no comprehensive improvement in information sharing about threats and vulnerabilities by keeping the information stove-piped.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
