What Does the NDAA Say About Cyber? (Bonus Feature: The Return of the EMP Commission)

By Robert Chesney
Friday, November 13, 2015, 6:12 PM

With the President supposedly poised to sign the NDAA FY'16 notwithstanding its GTMO transfer restrictions (subject, no doubt, to a signing statement hinting at an override option), it's a good time to take note of other interesting aspects of the bill. Among other things, there are some interesting cyber-provisions, as well as an interesting EMP development.

1. Cyber

Liability Protection for Reporting Certain Cyber Intrusions: Section 1641 adds a pair of liability waivers for certain companies that report network penetrations to DOD. First, this section creates 10 USC 393, which will provide that "No cause of action shall lie or be maintained in any court against any cleared defense contractor..for compliance with this section that is conducted in accordance with the procedures established [below]...". That liability waiver has an exception for wilful misconduct, but to avail itself of that exception a plaintiff bears "the burden of proving by clear and convincing evidence" that such misconduct occurred and that the misconduct itself "proximately caused injury to the plaintiff." Separately, this section also amends existing 10 USC 391 (which creates similar reporting obligations for "operationally critical contractors") to include a similiar liability waiver.

Conducting "Military Cyber Operations"...So Long as They Are Otherwise Authorized: Section 1642 of the bill will create 10 USC 130g ("Authorities Concerning Military Cyber Operations"). At first blush, it sounds important, but I don't think it is. The new section 130g will direct SecDef to take steps to ensure that "all armed forces" are prepared to conduct "military cyber operations in response to malicious cyber activity" against the US or US persons conducted by "a foreign power," but the statute also cautions that such operations should be conducted only "when appropriately authorized". In short, this is not some sort of free-standing AUMF for cyberspace. Indeed, the conferrees wrote that "nothing in this provision shall be construed to limit existing presidential or congressional power to authorize action."

Making the White House Report to Congress on Cyber Deterrence Policy: Several years ago in the NDAA FY'14, Congress required the White House to develop an interagency process to create a cyber deterrence policy. The White House was supposed to report the resulting policy to SASC and HASC in 2014, but still has not done it. And so section 1643 of the bill provides that $10m in certain DOD funds meant for support of the Executive Office of the President shall be withheld until the White House comes up with its overdue report.

Can CYBERCOM Defend Us in 2025? Section 1646 requires CJCS to conduct war games to test CYBERCOM's capability "to prevent large-scale cyber attacks" of the sort that might be available to major cyber powers (e.g., China) by 2020 and 2025, and to report to SASC and HASC within the year on the results.

Could China Shut Down Our Weapon Platforms Via Cyber Attack? Fans of Ghost Fleet will be relieve to know that Section 1647 directs SecDef to determine how vulnerable major weapon systems might be to cyber attack. Except they will be less relieved to know that the deadline for this review is 2019.

2. EMP

If you prefer One Second After to Ghost Fleet, then you will be glad to know that Section 1089 of the bill revives the EMP Commission (the "Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack"), which previously had a run from 2001 to 2008. In this iteration, the EMP Commission's charter will expand to make clear its charge covers non-nuclear EMP weapons, EMP-like effects from natural forces, and study of how potential adversaries might propose to use EMP in their military doctrine.