SASC Approves Defense Authorization Bill with Cyber Warfare and ICT Provisions

June 4, 2012. Sen. Carl Levin (D-MI), the Chairman of the Senate Armed Services Committee (SASC), introduced S 3254, the "National Defense Authorization Act for Fiscal Year 2013" on June 4, 2012. The SASC approved it on June 4. See, Senate Report No. 112-173. It contains numerous provisions that relate to cyber warfare and information and communications technology.

Offensive Cyber Warfare. This bill, at Section 923(b), authorizes "offensive cyber operations". It also provides for the reassignment of "network operations" personnel to the "United States Cyber Command" for this purpose, and further authorizes the Cyber Command to "take appropriate actions to ensure the availability to the United States Cyber Command of appropriate numbers of personnel qualified to undertake tasks related to offensive operations".

Sen. John McCain (R-AZ), the ranking Republican on the SASC, wrote in his statement for the committee report that "I believe that cyber warfare will be the key battlefield of the 21st century, and I am concerned about our ability to fight and win in this new domain."

Sen. McCain wrote that "I authored a provision in the bill that requires the commander of U.S. Cyber Command to provide a strategy for the development and deployment of offensive cyber capabilities. I am very concerned that our strategy is too reliant on defensive measures in cyber space, and believe we need to develop the capability to go on the offense as well. This provision to craft a comprehensive strategy should spur U.S. Cyber Command to develop this offensive capability effectively and at a reasonable cost to the taxpayer."

Huawei and Supply Chain Threats. This bill states, at Section 924, that "Cybersecurity threats are pervasive and serious, including through the supply chain of information technology equipment and software." And, it specifically references Huawei, which has a relationship with the government of the People's Republic of China (PRC).

This bill states that "Semiconductor manufacturing is already dominated by foreign producers, presenting supply chain risk management challenges." Also, "foreign manufacturers of telecommunications equipment, including advanced wireless technology, are gaining global market share due to high quality and low prices. Competitive market forces ensure that commercial providers of consumer, business, and government systems and services will choose equipment and associated software from these manufacturers."

It adds that "In some cases, like Huawei Industries, this competitive position stems in part from inappropriate government subsidies and other forms of assistance."

See also, story titled "US China Commission Reports that PRC Uses Foreign Assistance to Promote Its Telecom Sector" in TLJ Daily E-Mail Alert No. 2,300, September 13, 2011. That report covered PRC support for ZTE as well as Huawei.

Moreover, the bill states that "Some of these companies also present clear cybersecurity supply chain risks that the Government must address."

However, the bill also notes that "Blocking sales from providers of information technology systems and services due to concerns about cybersecurity risks, while maintaining our commitment to free trade and fair and transparent competition, poses difficult policy challenges."

In 2007-2008, the Committee on Foreign Investment in the United States (CFIUS) reviewed Huawei's attempt to acquire 3Com. See, story titled "3Com Huawei Transaction to be Reviewed by CFIUS" in TLJ Daily E-Mail Alert No. 1,652, October 9, 2007, and story titled "Bain Drops Bid to Acquire 3Com in Face of CFIUS Review" in TLJ Daily E-Mail Alert No. 1,722, February 25, 2008.

See also, stories titled:

PRC's Cyber Warfare Capabilities. The bill, at Section 1232, amends the current requirement that the Department of Defense (DOD) prepare an annual report titled "Annual Report on Military and Security Developments Involving the People’s Republic of China". See, 10 U.S.C. § 113 notes.

Currently, the statute requires the DOD to report on "Developments in China's asymmetric capabilities, including efforts to acquire, develop, and deploy cyberwarfare capabilities."

The bill expands this requirement. It requires that the report cover "cyberwarfare and electronic warfare capabilities, and associated activities originating or suspected of originating from China", including "the nature of China's cyber activities directed against the Department of Defense and an assessment of the damage inflicted on the Department of Defense by reason thereof, and the potential harms; ... a description of China's strategy for use and potential targets of offensive cyberwarfare and electronic warfare capabilities; ... details on the number of malicious cyber incidents emanating from Internet Protocol addresses in China, including a comparison of the number of incidents during the reporting period to previous years; and ... details regarding the specific People's Liberation Army; state security; research and academic; state-owned, associated, or other commercial enterprises; and other relevant actors involved in supporting or conducting cyberwarfare and electronic warfare activities and capabilities".

PRC's EMP Attack Capability. Section 1232 also requires that the DOD's annual report on the PRC cover other areas of activity, including "An analysis of China's efforts to use electromagnetic pulse".

An EMP weapon is a nuclear bomb, detonated at high altitude, and at a great distance from the intended targets, for the purpose of generating a huge electromagnetic pulse that would disrupt or damage unshielded computer systems and other electronics. Such a detonation, to achieve disruption in the US, would not have to take place in the US, or have any degree of accuracy.

The House Armed Services Committee (HASC) held a hearing on EMP attacks on July 10, 2008. See also, stories titled "House Republicans Seek DNI Study of EMP Attacks" in TLJ Daily E-Mail Alert No. 2,169, December 5, 2010, and "House Committee to Hold Hearing on EMP Attacks" in TLJ Daily E-Mail Alert No. 939, July 16, 2004.

Other Provisions. Section 1232 also requires that the DOD's annual report on the PRC contain "A description of China's command, control, communications, computers, intelligence, surveillance, and reconnaissance modernization program and its applications for China's precision guided weapons".

The bill requires, at Section 923, that the DOD "shall take appropriate actions to substantially reduce the number of sub-networks and network enclaves across the Department of Defense, and the associated security and access management controls, in order to increase the security of DOD networks, network equipment, and computers."

The bill provides, at Section 929, that no DOD component "may utilize the cloud computing database developed by the National Security Agency (NSA) called Accumulo after September 30, 2013, unless" the DOD certifies that "there are no viable commercial open source databases with extensive industry support (such as the Apache Foundation HBase and Cassandra databases) that have security features comparable to the Accumulo database that are considered essential" and "the Accumulo database has become a successful Apache Foundation open source database with adequate industry support and diversification". (Parentheses in original.) See, Apache Accumulo web site.