Cybersecurity & Tech

The Lawfare Podcast: Jonathan Cedarbaum and Matt Gluck on the NDAA’s Cyber Provisions

Jonathan G. Cedarbaum, Matt Gluck, Stephanie Pell, Jen Patja
Thursday, February 15, 2024, 8:00 AM
What are the cyber provisions in the NDAA for FY2024? 

Published by The Lawfare Institute
in Cooperation With
Brookings

The National Defense Authorization Act, or NDAA, is considered must-pass legislation and is increasingly becoming the only reliable vehicle for national cyber policymaking. Lawfare Senior Editor Stephanie Pell sat down with Jonathan Cedarbaum, Professor of Practice at George Washington University Law School and Book Review Editor at Lawfare, and Matt Gluck, Research Fellow at Lawfare, to talk about the key cyber provisions of the NDAA for Fiscal Year 2024. They talked about new cyber provisions that address threats from Mexican criminal organizations and China, along with how some of the new cyber provisions expand the military’s role in protecting against threats to critical infrastructure. They also discussed what Jonathan and Matt would like to see in future versions of the NDAA.

 

Click the button below to view a transcript of this podcast. Please note that the transcript was auto-generated and may contain errors.

 

Transcript

[Audio Excerpt]

Jonathan Cedarbaum: Because those cyber operations involve intrusions into another country's sovereignty, the default rule should be that you cannot undertake those activities without getting the consent of that other state. And so that's why we were talking a little bit about the issue of seeking the Mexican government's views about these activities. But as you noted, the statute doesn't require consent. It only requires consultation and it doesn't even require consultation in all cases. It leaves to DoD to determine when is it appropriate to undertake those consultations.

[Main Podcast]

Stephanie Pell: I'm Stephanie Pell, Senior Editor at Lawfare, and this is the Lawfare Podcast, February 15th, 2024.

The National Defense Authorization Act, or NDAA, is considered must-pass legislation, and is increasingly becoming the only reliable vehicle for national cyber policymaking. I sat down with Jonathan Cederba Professor of Practice at George Washington University Law School and Lawfare's Book Review Editor, and Matt Gluck, Research Fellow at Lawfare, to talk about the key cyber provisions of the NDAA for fiscal year 2024. We talked about new cyber provisions that address threats from Mexican criminal organizations and Chinalong with how some of the new cyber provisions expand the military's role in protecting against threats to critical infrastructure. We also discussed what Jonathan and Matt would like to see in future versions of the NDAA.

It's the Lawfare Podcast, February 15th: Jonathan Cederbaum and Matt Gluck on the NDAA's Cyber Provisions.

So I'd like to start by having you talk about the purpose of the National Defense Authorization Act. What does it do and why is it considered must-pass legislation?

Jonathan Cedarbaum: Very good. First, what does it do? Well, to explain that, I think it's helpful to remind folks about the two basic categories of legislation that are involved in the budget process. One category are authorization acts, and as the word "authorization" suggests, those are the laws in which Congress provides the legal basis for government programs and activities, tells the departments and agencies what it wants them to do and what it permits them to do. And of course, it also often adds requirements and restrictions. And then the second big category are appropriations act. And for agencies or departments to go ahead with any kind of activities, they need both of those kinds of laws. The NDAagain as its name suggests, is the authorization step in that process, the Authorization Act for the Defense Department, which of course is a major, major source of federal activity and federal spending.

Why is it must-pass? It is must-pass because it's one of the few areas where senators and representatives from across the aisle can come to agreement on how important these activities are because they involve the military. And so even in our very divided Congress today, folks are able to agree across party lines that keeping the military going and giving the military clear directions is so important that they must get together and enact this kind of basic law.

I happened to look at a report by the Congressional Research Service just before we came on, and it said that the NDAA has passed every year for the last 62 years straight. And I can assure you, there is no other bill in the entire Congressional budget process that comes close to that kind of track record.

Stephanie Pell: Well, that is an interesting fact. And when did Congress pass the current NDAA?

Jonathan Cedarbaum: Congress enacted the current NDAA in December of last year. President Biden signed it into law on December 22nd. It's the NDAA for fiscal year 2024. Federal fiscal years actually start on October 1 of the prior year and run through September 30th of the covered year. So fiscal year 2024 runs from October 1, 2023 through September 30th, 2024. So this law was actually enacted a little after the beginning of the fiscal year that it was covering. Even this must-pass law didn't quite get enacted on time, but not too long after the beginning of the fiscal year it was addressing.

Stephanie Pell: Now, Jonathan, you and Matt wrote in a piece for Lawfare that the NDAA is not limited to provisions affecting the Department of Defense. And that certainly isn't the case in the current NDAA, but is that common?

Jonathan Cedarbaum: That has become common in the NDAA in recent years, and that's because, as we discussed before, the NDAA is one of the very few pieces of legislation that has become must-pass. And so, people in Congress, representatives and senators, who have other pieces of legislation that they want to get through, but that they can't get through by themselves as standalone pieces of legislation, they know that if they can get it into the NDAA, It will get through. And that, of course, has created a great incentive to pack into the NDAA other provisions, that is, provisions that go beyond the Defense Department.

Stephanie Pell: And that's where we can start talking about the numerous cyber provisions that are in the current NDAA. I want to talk about some of the most significant ones that you all highlight in your piece. Let's start with the provision that targets the Mexican criminal organizations. What, first of all, is the nature of the threat that the government is trying to counter with this provision?

Matt Gluck: The primary nature of the threat posed by these transnational criminal organizations is twofold. One is the flow of drugs, especially fentanyl, into the United States across the southern border. And the second is the smuggling of individuals across the border.

So just a couple of data points to get started and to contextualize this. So, fentanyl seizures at the border increased by 80 percent in the first 11 months of fiscal year 2023, and about 90 percent of fentanyl seizures take place at legal entry ports. And the reason this is so significant, or one of the reasons, is in 2021, just under 71,000 people in the U.S. Died from drug overdoses tied to fentanyl. So this is a critical national security and health threat to the United States. And the cartels primarily hire U.S. Citizens to help smuggle drugs from Mexico into the United States. Over 85 percent of individuals convicted for fentanyl-related charges in the U.S. Are U.S. Citizens. So that's the nature of the threat that the NDAA seeks to counter with this provision.

Stephanie Pell: And what new cyber authority does the NDAA provide to the military for these purposes?

Matt Gluck: The NDAA provides authority for the DoD to engage in detection, monitoring, and other unnamed operations. One interesting note about this provision is that it requires consultation with the Mexican government and other federal agencies, but it does not require consent from the Mexican government, which was something that it's worth noting. That's from Section 1505.

Stephanie Pell: And I want to come back to that issue of consent when we talk about application of rules to international law with the type of cyber operations that this new authority might enable. But before we get to that, does this authority build upon existing law, and if so, how?

Matt Gluck: Yes. So this provision builds on two statutes primarily. The first is 10 USC Section 124, which designates the DoD as the lead agency in monitoring the transit of illegal narcotics into the U.S. And the second is a more recent authority, 10 USC Section 394, which authorizes the DoD to conduct military cyber activities, including in response to malicious cyber actions taken by foreign powers against the United States. Congress has provided statutory backing for other DoD cyber initiatives. And in addition to authority, these statutes have often imposed reporting requirements on the DoD.

Stephanie Pell: So, in addition to building upon existing law, you also note in your piece that this particular provision fits into two broader trends. One that you mention involves the suggestion by U.S. political figures that the U.S. should be using its military to combat the drug cartels in Mexico, especially those that have infiltrated Mexican security agencies. Can you explain the connection here?

Matt Gluck: Sure. So this really starts back in 2020, when former President Trump privately spoke to aides about firing missiles into drug labs in Mexico, a fact which became public in Mark Esper's, former Defense Secretary, Mark Esper's memoir. Since then, many Republicans have taken up this general idea of using large-scale force against Mexican drug cartels, and we saw significant support for this during one Republican debate when several candidates expressed a willingness to take this kind of military action against Mexican drug cartels. And on the Hill, Republican members of Congress have actually drafted an Authorization for the Use of Military Force, like the 2001 AUMF, but this one is directed at Mexican drug cartels. And some have advocated for designating these drug cartels as foreign terrorist organizations.

What I would say about this is I think lawmakers across the political spectrum agree that drugs flowing into the U.S. is a national security threat and should be countered vigorously. And I would say that the surveillance authorities that are provided in this NDAA against these drug cartels could fit into this large-scale, and what many would view and what I view as overly aggressive military action against the cartels, but they don't necessarily have to. These can also be smaller scale operations that help to target these very specific threats, national security threats that face the United States. So I would say we don't really know whether this provision fits into this narrative of using large-scale force against the drug cartels or whether it is separate and more specific.

Stephanie Pell: So, let's assume for the moment that it is separate and more specific, and as you mentioned before, this provision with respect to potential cyber operations it may enable really only requires consultation, not consent with the Mexican government, and then consultation only, quote, "as appropriate." But when the U.S. is contemplating conducting cyber operations in another country, especially when it may or may not consult that other country, are there rules of international law that must be considered?

Jonathan Cedarbaum: Yes, there are. And the U.S. government does think about those international law issues when it undertakes cyber activities and indeed other kinds of military activities as well. I would highlight two types of international law rules. The first are those that govern the use of force. As Matt just mentioned, there are some in Congress who have suggested we should use more conventional military force against the drug cartels. So, one question that arises with respect to cyber activities is, do they constitute uses of force? And if so, are they subject to those special rules? The UN Charter generally prohibits the use of force, but it allows the use of force in certain narrow circumstances, principally in self-defense or when authorized by the UN Security Council.

But, the vast majority of cyber operations, even military cyber operations, do not reach the level of what is generally considered a use of force under international law. There's no precise definition, but the U.S. and many other countries understand for these purposes that a cyber operation would only count as a use of force if it had some of the similar physical effects that typical uses of force like sending a missile, like the missiles we're sending against the Houthis and the Iranian-backed militias in Iraq and Syria, causing that level of physical damage and casualties. It takes that kind of a destructive force, as it were, to constitute a use of force [inaudible] international law. And cyber operations very, very rarely get to that level. So the first category, use of force, we have to think about, but it probably doesn't come into play a lot.

The more frequently consulted international law rules have to do with principles of sovereignty. And those are principles that provide protection for each country to control what happens within its own borders. And again, there, historically debates about sovereignty have typically been about not cyber activities but physical activities, when, for example, one country might send law enforcement agents across the border of another country to arrest somebody who's a fugitive from that sending country. And there has been a very vigorous debate in the last few years that we've seen both by scholars and by former government officials about how to apply those traditional rules of sovereignty to the new domain of cyber. Some have taken a very--and by pronouncements by other country's governments; there are more and more public statements by officials from other governments giving their views on these issues of sovereignty as well. And some, among the scholars and the different government officials, have taken a fairly restrictive view.

There's a very important document that was put together by a group of scholars called the "Tallinn Manual," which is a very detailed and careful effort to apply the traditional rules of sovereignty and use of force and so on to the cyber domain. And in the "Tallinn Manual," and those who support its position, they interpret sovereignty quite strictly. And they say that many kinds of cyber activities that cross into another country's territory, another country's infrastructure, another country's computer servers, will often violate that country's sovereignty if they cause really significant effects of any kind, not even close to the kind of use of force, big effects we talked about before. And because those cyber operations involve intrusions into another country's sovereignty, the default rule should be that you cannot undertake those activities without getting the consent of that other state.

And so that's why we were talking a little bit about the issue of seeking the Mexican government's views about these activities. But as you noted, the statute doesn't require consent. It only requires consultation and it doesn't even require consultation in all cases. It leaves to DoD to determine when is it appropriate to undertake those consultations.

Stephanie Pell: Before we talk about the rule of non-intervention, I think we're gonna get there.

Jonathan Cedarbaum: Yes, we are.

Stephanie Pell: I wanna tease out some vocabulary you used. You started the answer, at least the part talking about sovereignty, with the term "principles of sovereignty." You also then talked about "rules of sovereignty." And at least as I understand part of this debate, there is a real tension over whether sovereignty is simply a principle upon which other international rules of law flow, or whether it is in and of itself a primary rule of international law. And that very much then shapes the way that countries may look at what kinds of cyber activities would be permitted. Because if you're not violating a rule of international law, then you presumably have more leeway to conduct certain kinds of cyber operations.

Jonathan Cedarbaum: Yes, very nicely said. And I think to draw on the distinction you highlighted, the folks I was just describing, like the drafters of the Tallinn Manual who take the more restrictive view, their view is that, as you said, sovereignty is an independent rule of international law. And so, if a cyber operation causes certain relatively limited effects inside the territory of another country, like effects on a server by manipulating the data on the server, that itself is a violation of international law, or may be a violation of international law. And, of course, if one country violates international law, that allows the country whose rights have been violated to respond in various. So there are consequences to international law violations. And, also of course, the United States prides itself on being compliant with international law, in part because we strive to be a rule-bound society and in part because we want to encourage other nations to abide by those rules as well. So yes, I think it's very important to understand the distinction you identified.

On the other side is the group that doesn't see sovereignty as itself a binding rule of international law, but sees sovereignty as a principle that informs various, other more specific rules of international law, but is not itself a rule. And therefore, those folks take the view-- I think there are many probably U.S. government officials, certainly some of the people who have defended this view are former U.S. government officials--taken the view that because sovereignty is just a principle but not a binding rule, when the United States or another country engages in cyber operations that cause some of the typical kinds of effects that cyber operations do--that is changing data on a server, maybe even, copying data from a server, perhaps even at a higher level interfering with the operation of a server, but only for a brief time. Let's say, as we sometimes read about in the papers, maybe a country wants to incapacitate a certain computer system for an hour or two while something else is going on in the physical world. Those kinds of activities, this "sovereignty as principles" group would say, doesn't necessarily violate international law, and so we don't have to worry about the consequences that would flow from an international law violation.

As you mentioned, even the folks in the sovereignty as principles camp, though, recognize that there are certain related rules that do place a limit on the kinds of intrusions, even under their more lenient view, that one country can undertake in another country's territory. And one of those rules is the one you mentioned, the rule of non-intervention. There are certain kinds of intrusions that even on this view would cross international law, the binding rules of international law. And so, prohibited interventions under that rule would be things like interfering in the very most fundamental governmental functions of another country, like say, holding an election. That's the paradigm case. And of course, we in the United States have been victims of just that kind of interference and protested it very vigorously, and for good reason. I'm referring to the Russian interference in the 2016 presidential election. And so, even under the sovereignty as principles view, certain kinds of intrusions that we've seen may well be carried out through cyber operations, would still violate an international law rule, but it would not be the rule of sovereignty. It would be a more specific rule, like the rule on prohibited interventions.

Stephanie Pell: So I wanna now turn to another significant provision that you identify in your piece, which responds to the risk of China invading Taiwan. Matt, can you talk about what this provision entails?

Matt Gluck: Sure, so this is Section 1518 of the bill, and it directs the secretary of defense to engage with Taiwanese officials to coordinate with the Taiwanese military on defensive cyber security activities. And as laid out in the NDAA, this cooperation includes three primary components. The first is the defense of Taiwanese military networks, infrastructure, and systems, including using U.S. commercial and military technology to bolster those systems. The second is defending against malicious cyber activity, which is related to the first. And the third is conducting joint cyber security training and exercises with the U.S. and Taiwanese militaries. And the secretary has six months to move on these initiatives before reporting to Congress on the department's progress.

Stephanie Pell: And how does this provision relate to DoD's own cyber strategy that was released in 2023?

Matt Gluck: Sure, so first I'll discuss some of the more general concerns that this responds to and then get into some of the specifics of the cyber strategy. So the first thing is if you've been watching the Chinese government, we've seen these more and more aggressive statements by Xi Jinping and others that appear more and more belligerent toward Taiwan. And also we saw during the Taiwanese January 13th election a significant number of Chinese cyber attacks against Taiwanese networks. And the last kind of general point is both the cyber strategy and this provision in the NDAA reflects an understanding that any invasion of Taiwan is very likely to include large-scale Chinese cyber attacks. Maybe we'll be a bit surprised like we were in the Ukraine war, but it's very likely that we'll see these cyber attacks in a potential invasion of Taiwan.

Now, more specifically, the cyber strategy sets forth four general categories. The one that's most relevant here is the third one, which is protecting the cyber domain with allies and partners. And specifically, that component of the cyber strategy discusses illuminating adversary actions in cyberspace and preventing those actions from disrupting important partner systems. And so we see in the NDAA and the cyber strategy this focus on using U.S. resources and expertise to bolster our partners and allies systems and specifically Taiwan. It's interesting, the cyber strategy doesn't actually call out Taiwan in particular, likely for political reasons. But we do see this very concerted focus on protecting Taiwanese systems in the NDAA and the cyber strategy.

Stephanie Pell: Now, another provision that you discuss in your piece, and this should come as no surprise to anyone, is defending U.S. critical infrastructure. Can you talk about how the NDAA expands the military's role in protecting critical infrastructure and perhaps start with the electric power system?

Matt Gluck: Sure. So I think a good place to start is 2018. So in 2018, the DoD initiated an effort called MOSAICS, which is More Situational Awareness for Industrial Control Systems. And the goal of MOSAICS was to promote better security for these critical infrastructure systems, like those that facilitate power, water, and fuel. And the effort was designed to improve monitoring and response to malicious cyber activities that were seeking to undermine the U.S. systems. But the problem was that while MOSAICS allow the DoD or enable the DoD to work with private industry to develop technology to advance these initiatives. It didn't actually allow the DoD to provide that technology to the private sector which was a significant goal of MOSAICS. And so the NDAA Section 1514 of the new NDAA fills that statutory gap by providing authorization for the transfer of technology from the DoD to the private sector.

And then two other sections command the DoD to coordinate with the private sector to secure critical infrastructure. And those are Sections 1513 and 1517, both of which establish pilot programs. So Section 1513 establishes a program at the NSA's Cybersecurity Collaboration Center, which seeks to bolster the security of the U.S. microelectronics supply chain. Section 1517 orders the secretary of defense to establish a pilot program that will examine how to prioritize securing the critical infrastructure at military installations in the case of a large-scale cyber attack. So, what's the first move who is making these decisions those types of things. And the secretary must report on the status of these programs within one year to Congress, within one year of the passage of the NDAA.

Stephanie Pell: And the sharing of technology that you mentioned, that is across sectors? Critical infrastructure sectors?

Matt Gluck: That's right, yes. So I would say there's a particular focus on electricity here, but we do see it across several critical infrastructure sectors, yes. Power, water, fuel, yes.

Stephanie Pell: So it also should come as no surprise that the NDAA contains provisions pertaining to artificial intelligence or AI. And in your piece, you explain how it seeks to bolster DoD's use of AI systems and its ability to defend against them. Can you talk a bit about that?

Matt Gluck: Sure. So there are several of these provisions in the NDAA. I'll discuss four. So the first is--and I'll try to do it briefly. The first is Section 1542, which requires the Defense Department's Chief Data and Artificial Intelligence Officer to establish a bug bounty program for foundational AI models that are being integrated into the DoD's operations. And these programs consist of AI experts, seeking to find vulnerabilities in the AI programs--the AI models that are being used in the DoD with the goal of patching these gaps. So that's the first one. The second is Section 1543, which requires the secretary to establish a prize competition for the creation of technology that can detect and watermark generative AI to distinguish it from human-created content. And the participants in that program who are eligible include members of the private sector, members of the federal government and from academia, too. And then Section 1544 tasks the secretary with a whole set of directives. These include, among others, reviewing the latest DoD AI strategy. It was first established in 2018 and there have been subsequent ones since then. It also includes issuing DoD-wide guidance on the adoption of ethical AI principles. And finally, Section 1545 requires the secretary within one year to complete a study on the operational capacity of AI within the DoD's mission. So those are the four primary AI-related provisions in the NDAA.

Stephanie Pell: So we've also seen relatively recently a new executive order on artificial intelligence come out of the Biden administration. How do the AI provisions in the NDAA supplement this executive order?

Jonathan Cedarbaum: Great question. Let me give you one example in which the executive order provisions and the NDAA provisions intersect or supplement each other. The, I should say, the executive order is 75 pages long, so as folks who've looked at it know it covers the waterfront when it comes to AI. And the NDAA is also an enormous piece of legislation. The NDAA as a whole runs more than 3,000 pages, though the cyber provisions are not that long. But the one example I wanted to give of crossover has to do with one of the subjects that Matt mentioned as he was running through the four principle AI provisions in the NDAA. And that is this issue about watermarking, which is to say trying to find ways to identify content that has been generated by AI rather than by humans because we're worried about the malicious uses of that AI content, that it may be false, that it may be misleading. And of course, there's a big concern about that in the 2024 election, how manipulation of AI tools may be used to mislead voters, for example.

And so, in the AI executive order there's a provision that assigns to the Commerce Department the responsibility of developing standards for this labeling or watermarking of AI-generated content. The Commerce Department, of course, includes within it the National Institute of Standards and Technology, NIST, which is an expert on things like artificial intelligence and other aspects of technology development, and so I suspect NIST will play a central role in the Commerce Department's carrying out of that standards setting effort for the watermarking of AI-generated content. And then the White House, even before the executive order, the White House had brought together tech executives to discuss this problem. And just I think in the last day or two, we've seen Anne Neuberger, who's the Deputy National security Advisor for Cyber and Emerging Technologies address this issue again and say that the administration is urgently moving forward on efforts to develop, in collaboration with the private sector presumably, methods for this watermarking of AI-generated content. And then, as you just heard from Matt, the NDAA too, in the context of an assignment to DoD also requires investigation and development of tools that can identify AI-generated content. So how the DoD- directed process and the Commerce Department-directed process and the White House-overseen process will intersect or overlap is yet to be seen. Of course, it's not unusual that a subject of such great importance like this one may be a subject for activity in different parts of the government at the same time. We hope that they will coordinate their efforts in appropriate ways and come up with great solutions.

Stephanie Pell: Coordination is key, I take it. As you noted before, though, the NDAA doesn't just limit its focus to the Defense Department. There are also a number of provisions, for example, directed at the State Department. And you explain in your piece that some of them mimic the four goals it pursues for defense. Can you talk a little bit about that?

Jonathan Cedarbaum: So, yes. The cyber section of the NDAA has a number of directives for the State Department, and the four goals that the NDAA pursues for the State Department that are similar to the ones that it pursues for DoD, are expanding bilateral partnerships, improving AI capabilities, getting the departments or agencies in this case, State as well as DoD to handle and use data in decision-making more effectively, and to improve the security of the systems used by priority programs and personnel. Because those systems in both the case of the State Department and the Defense Department have been subjected to extensive cyber attacks, and in the case of the State Department, some quite successful cyber attacks, unfortunately, by our adversaries. And so, the NDAA gives directives to the State Department on these subjects that are quite similar to the ones that it gives to the DoD.

Stephanie Pell: And there are also a couple of provisions you discuss in your piece that focus on intelligence collection and declassification. Can you talk a bit about those?

Matt Gluck: Yes, sure. There are two relevant provisions here. The first requires the director of the NSA to report to Congress within 30 days of making a change to intelligence-collection policy that is likely to result in a significant loss of intelligence. And the second tasks the administrator of the Office of Electronic Government, which is within the Office of Management and Budget to come up with recommendations for technological solutions to produce more efficient and effective classification and declassification processes. And the president must report on this effort to Congress within six months.

Stephanie Pell: And I want to talk about, then finally, some thoughts on what future NDAAs should address. And I want to talk about those issues, but initially, can you explain how, for better or worse, the NDAA has come to function as the only reliable vehicle for national cyber policy-making. Why is that?

Jonathan Cedarbaum: Well, I think it goes back to some of the points we discussed at the beginning of our conversation about why the NDAA has become one of the very few so-called must-pass pieces of legislation. When it comes to cybersecurity, as with many other areas of national lawmaking, Congress has struggled to come to agreement and pass standalone laws. We have seen some important pieces of cybersecurity legislation from the Congress. We had a very important law passed back in 2015, the Cybersecurity and Information Security Act. We had a more recent law in 2022 that gave some new authorities to the Cybersecurity and Infrastructure Security Agency, CISA, which is a component of the Department of Homeland Security. But overall, we've seen a pattern of failed efforts when it comes to cybersecurity legislation, as we've seen in other areas of legislation. And so that's why the NDAA, because it is must-pass, has increasingly been an attractive vehicle for packing in cybersecurity or cyber provisions, because it's not only security, it's offensive and other kinds of cyber activities as well, just as in other areas.

Stephanie Pell: And so if the NDAA is going to continue to serve this function of allowing for national cyber policy-making, what would you like to see future NDAAs address?

Jonathan Cedarbaum: Well, I think two basic answers. One of the weaknesses of making national policy in this way, that is by adding in scattered provisions to a larger bill, rather than acting through standalone pieces of legislation, is that the committees that are most expert in these issues and that can hold hearings to get all the information they need and work methodically to respond to that information in building legislation, they don't play a central role in the construction of a bill like the National Defense Authorization Act. And so, we miss the bigger picture approach that would be very helpful to have when it comes to cyber policy-making. Instead, we get these collections of important, but often somewhat unrelated, cyber provisions in the NDAA, and they may not add up in total to the best overall national cyber policy. Some of them may even be in tension. Some of them may overlap or duplicate from year to year. And so, we get, unfortunately, what we've seen with our national cybersecurity legal framework, a fairly piecemeal collection of laws and regulations rather than a more systematic collection of laws. So that's one thing we miss. If we could somehow build a more systematic approach to the cyber provisions that we know in the end are going to wind up in the NDAA, that would be very helpful, but it's hard to see how Congress would achieve that.

The second thing I wanted to mention, though, has to do with providing additional legal authorities to fill gaps that the government and the affected private parties have recognized for many years. And we've seen some of those gaps exposed recently when we've seen major cyber attacks in sectors of the economy where the relevant federal agencies are uncertain about their legal authority to impose cyber security requirements that might have protected against those cyber attacks. So, for example, early on in the first year of the Biden administration, there was a very significant attack that some may remember on Colonial Pipeline, which was a big pipeline system on the East Coast that carried gas and oil. As a result of that attack, oil supplies were dramatically affected, gas stations were affected, and so on. And to many people's surprise, it turned out that although we have laws and regulations, for example, that impose cybersecurity requirements on financial institutions. We have other ones that impose them on nuclear energy facilities. We have yet further ones that impose them on operators electric grid. Turned out we didn't have any requirements in place for pipeline operators. Why is that? Well, there was no clear legal authority for it, or so the Transportation Security Administration, which is one of the agencies with principal responsibility for pipelines, thought. In response, the Transportation Security Administration went back to its legal authorities and looked for one it could use. And the administrator of that agency found one, but it was not a cybersecurity specific legal authority. It was a more general emergency authority to protect the security of the pipelines altogether. And the administrator reasoned, I think sensibly, that this kind of attack showed that this was a major facet of pipeline security more generally. And so, the administrator issued an emergency directive under that legal authority to improve the cybersecurity of pipelines. That's one example where there was uncertainty about whether there was adequate legal authority for government agencies to take actions needed to bolster cybersecurity.

A second, maybe even more dramatic example, has appeared more recently when we've seen reports about Iranian, Iran-linked cyber operatives infiltrating water systems in the United States. The local systems that make sure our water is clean. And that was not just reported in the press, it was recognized by the government itself. CISA, the expert agency for cyber defense, along with some others, put out a technical advisory warning about a particular vulnerability that those Iran-linked hackers had used in their infiltration of these water systems, and in order to try to caution the operators of those systems to fix the vulnerability. So we know Iran is trying to get into those systems, for what exact purpose we don't know. Again, it's a clear threat. So you might think well, why don't we have cybersecurity requirements for those water systems? And the Environmental Protection Agency, which has some authority when it comes to clean water, much like the Transportation Security Administration in response to the Colonial Pipeline problem, issued a memorandum under its more general clean water authorities to try to push these local water systems to do better when it comes to cyber security, but as with the TSA, but even more so, EPA was not so sure about whether these general emergency authorities, or in this case, clean water authorities, were enough to provide a solid legal foundation for this new water system cybersecurity memorandum. And not only was the EPA not sure, but they were quite promptly sued by a group of states who were not happy about the federal government trying to impose new federal cybersecurity requirements, even though it was in response to this widely publicized significant national security threat from a country that I think we all see as an adversary and a dangerous adversary. They sued the EPA and the result of that law, initially the government defended the EPA's action and then they realized, maybe we don't want to fight this after all. And instead the EPA withdrew the memorandum.

So because of these kinds of gaps and uncertainties in the legal basis for cybersecurit-specific actions by regulatory agencies, there are these holes in our cybersecurity legal framework. And so, I think it would be great if the government, perhaps the Office of the National Cyber Director or CISA, some part of the government that has overall responsibility for cybersecurity affairs could draw up a map or a list of these legal gaps and go to Congress and say, "Look, here are the holes. We need them filled. Don't just pick here and there from year to year. Here's a more systematic plan of the legal gaps we need filled and we would urge you, lawmakers, to fill them." That's what I would love to see in a future NDAA.

I would just add one final point to my plea for the overall granting of needed cybersecurity legal authorities. This problem is one that has been recognized for many, many years. I am hardly the first or the hundredth to, or Matt and I are hardly the first two or the first 200th to urge this kind of approach. In fact, if you go back all the way at least to President Obama in the beginning of his administration, he issued a very important cybersecurity executive order as well that was in 2012 that did many important things, like directed the creation of what came to be known as the NIST cybersecurity framework that many people are familiar with today. One of the lesser known provisions in that cybersecurity executive order from more than a decade ago now, instructed all the federal departments and agencies to look at their legal authorities when cybersecurity defensive regulation and to identify exactly these kinds of legal gaps, if there were any, to report them to a White House official who was then colloquially known as the "cybersecurity czar," so that that central official could collect all these legal gaps in a systematic way and then presumably go to the legislature and say, "Here are the gaps we need filled." The agencies dutifully wrote their reports, sent them into the White House, but alas, that final step of collecting them together and going to Congress with them to get them filled never happened. So we're really urging something, the picking up of an effort that started at least more than a decade ago.

Stephanie Pell: So that's very interesting because your answer suggests we know where the gaps are.

Jonathan Cedarbaum: Someone in the government has tracked them, yes, and I think clearly it wouldn't take that much effort to put together that kind of gap. I suspect the Office of the National Cyber Director or CISA either has that kind of list or could put one together quite promptly and send it over to Congress.

Stephanie Pell: I won't make you answer the question why that list has not been put together and sent over, but it is an interesting question. So with that, we'll leave it there for today. Thank you both so much for joining me.

Jonathan Cedarbaum: Thank you.

Matt Gluck: Thank you.

Stephanie Pell: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja. Your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our music is performed by Sophia Yan.

As always, thank you for listening.


Jonathan G. Cedarbaum is a professor of practice at George Washington University Law School, affiliated with the program in national security, cybersecurity, and foreign relations law. During the first year of the Biden Administration he served as Deputy Counsel to the President and National Security Council Legal Advisor.
Matt Gluck is a former research fellow at Lawfare. He holds a BA in government from Dartmouth College.
Stephanie Pell is a Fellow in Governance Studies at the Brookings Institution and a Senior Editor at Lawfare. Prior to joining Brookings, she was an Associate Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute, with a joint appointment to the Department of English and Philosophy. Prior to joining West Point’s faculty, Stephanie served as a Majority Counsel to the House Judiciary Committee. She was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.

Subscribe to Lawfare