THOMSON REUTERS

Important cyber provisions now law under the 2019 NDAA By Megan L. Brown, Esq., Jon W. Burd, Esq., and Michael L. Diakiwski, Esq., Rein LLP*

SEPTEMBER 24, 2018

The John S. McCain National Defense Authorization Act for Fiscal ESTABLISHING U.S. POLICIES ON CYBERSPACE, Year 2019 (NDAA or the Act) (H.R. 5515)1 was signed into law on CYBERSECURITY, CYBER WARFARE, AND CYBER August 13, 2018. The appropriations law authorizes a $716 billion DETERRENCE national defense budget and includes wide-ranging provisions on Section 1636 outlines the “Policy of the on cybersecurity, touching everything from enhancing the military’s cyberspace, cybersecurity, cyber warfare, and cyber deterrence.” ability to respond to cyber attacks to protecting the IT supply The policy signifies a more aggressive posture, bringing greater chain and encouraging greater public-private collaboration. resources to bear in preventing, deterring, and responding to Below, we outline key elements of the law, which will impact how cyber threats — including through offensive cyber operations. private industry engages with the U.S. Department of Defense (DOD) on cybersecurity issues. The NDAA exemplifies a government-wide Wiley Rein further addresses other important aspects of the 2019 NDAA, including sections reforming the Committee on trend of increased expectations on the Foreign Investment in the United States (CFIUS)2 and provisions private sector, for greater collaboration and impacting government contractors3. scrutiny of security in IT products and services.

KEY TAKEAWAYS FOR THE PRIVATE SECTOR • The Act establishes a more aggressive posture on U.S. ”[T]he United States should employ all instruments of national cybersecurity policy, stating that “all instruments of national power, including the use of offensive cyber capabilities, to deter power” will be used to defend, deter, and respond to if possible, and respond to when necessary, all cyber attacks or significant cyber threats. other malicious cyber activities of foreign powers that target United States interests[.]” • The NDAA exemplifies a government-wide trend of increased expectations on the private sector, for greater collaboration This includes cyber threats to private sector systems, covering and scrutiny of security in IT products and services; but activities which “significantly disrupt the normal functioning this is coupled with enhanced government assistance and of United States democratic society or government (including commitments to defend U.S. networks, systems, and critical attacks against critical infrastructure that could damage systems infrastructure. Further, the law requires more thorough used to provide key services to the public or government).” collaboration between civil authorities (such as the U.S. The section calls for the development of a plan for “response Department of Homeland Security) and the military, in options to address the full range of potential cyber attacks on managing and responding to cyber threats and incidents. United States interests that could be conducted by potential • The law prohibits federal government agencies from using or adversaries[.]” Within 180 days of the law’s passage, classified procuring certain covered , with some exceptions. and unclassified reports on U.S. cyber policy are to be delivered • Several provisions require consultation with and reference to relevant congressional committees. Among other things, this frameworks produced by the National Institute of Standards report would cover: and (NIST). NIST’s cybersecurity frameworks, • ”Information relating to the Administration’s plans, standards, and guidelines are typically drafted for use by the including specific planned actions, regulations, and federal government. Increasingly, however, these documents legislative action required [for]: are cited in pending legislation and by sector-specific agencies for use by industry.

Thomson Reuters is a commercial publisher of content that is general and educational in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of individual transactions and cases. Users should consult with qualified legal counsel before acting on any information published by Thomson Reuters online or in print. Thomson Reuters, its affiliates and their editorial staff are not a law firm, do not represent or advise clients in any matter and are not bound by the professional responsibilities and duties of a legal practitioner. Nothing in this publication should be construed as legal advice or creating an attorney-client relationship. The views expressed in this publication by any contributor are not necessarily those of the publisher. THOMSON REUTERS EXPERT

- advancing technologies in attribution, inherently equipment produced by Huawei Technologies Company secure technology, and artificial intelligence or ZTE Corporation (or any subsidiary or affiliate of such society-wide; entities); certain uses of video surveillance technology and equipment produced by Hytera Communications - improving cybersecurity in and cooperation with Corporation, Hangzhou Hikvision Digital Technology the private sector; [and] Company, or Dahua Technology Company (or any subsidiary -  improving international cybersecurity or affiliate of such entities); of video cooperation[.]” surveillance services provided by such entities or using such equipment; and such equipment and services that the ESTABLISHING THE ‘CYBERSPACE SOLARIUM Secretary of Defense “reasonably believes to be an entity COMMISSION’ owned or controlled by, or otherwise connected to, the Aligned with the general policy pronouncements outlined government of a covered foreign country.” above, Section 1652 allocates $4 million to establish Under Section 889 executive agency heads may not “a commission to develop a consensus on a strategic “procure or obtain or extend or renew a contract to procure approach to defending the United States in cyberspace or obtain any equipment, system, or service that uses against cyber attacks of significant consequences.” covered telecommunications equipment or services as a The Cyberspace Solarium Commission would be formed substantial or essential component of any system, or as within 45 days of enactment. Members include senior critical technology as part of any system.” This prohibition is leaders from the Office of the Direction of National effective August 13, 2019. Intelligence, Homeland Security, the Federal Bureau of Investigation, and DOD, as well as 10 additional members “[T]he United States should employ all selected by Congress. instruments of national power, including the use The Commission would be able to hold hearings, request of offensive cyber capabilities, to deter if possible, information, and subpoena witnesses. Among others, core and respond to when necessary, all cyber attacks objectives are to: or other malicious cyber activities of foreign • Develop a consensus on a strategic approach to powers that target United States interests[.]” defending the United States in cyberspace.

• Weigh the costs and benefits, and evaluate the means, The law further prohibits executive agency heads from for executing various strategic options, including for the “enter[ing] into a contract (or extend[ing] or renew[ing] a political system, the national security industrial sector, contract) with an entity that uses any equipment, system, or and the innovation base. Options to be assessed include service that uses covered telecommunications equipment deterrence, norms-based regimes, and active disruption or services as a substantial or essential component of any of adversary attacks through persistent engagement. system, or as critical technology as part of any system.” This prohibition is effective August 13, 2020. • Review and make determinations on norms-based regimes and how the United States should enforce such Section 889 also prohibits the use of federal loan or grant norms. funds to procure or obtain covered telecommunications equipment or services. This prohibition is effective August 13, • Review adversarial strategies and intentions. 2020.

• Evaluate the effectiveness of the current national cyber In implementing this prohibition certain agency heads policy and consider possible structures and authorities — including the Chair of the Federal Communications that need to be established, revised, or augmented Commission and Secretaries of Commerce and Homeland within the federal government. Security, among others — “shall prioritize available funding and technical support to assist affected businesses, A final report with the Commission’s findings is due institutions and organizations as is reasonably necessary September 1, 2019. for those affected entities to transition from covered communications equipment and services, to procure PROHIBITION ON CERTAIN TELECOMMUNICATIONS replacement equipment and services, and to ensure EQUIPMENT that communications service to users and customers is Section 889 prohibits the use of federal funds to acquire sustained.” “covered telecommunications equipment or services.” This Certain exceptions apply for entities that “provide a service term is defined generally to include: telecommunications that connects to the facilities of a third-party, such as

2 | SEPTEMBER 24, 2018 Thomson Reuters THOMSON REUTERS EXPERT ANALYSIS backhaul, roaming, or interconnection arrangements; or of the Department,” the Secretary shall take appropriate cover telecommunications equipment that cannot route mitigation actions, including “conditioning any agreement or redirect user data or permit visibility into any user for the use, procurement, or acquisition of the product, data or packets that such equipment transmits or otherwise system, or service on the inclusion of enforceable conditions handles.” Further one-time waivers may be available to or requirements that would mitigate such risks.” companies, if approved by an agency. Within two years of the NDAA’s passage, DOD shall develop a third-party testing standard “acceptable for commercial off MITIGATING CYBERSECURITY AND IT SUPPLY the shelf (COTS) products, systems, or services to use when CHAIN RISKS dealing with foreign governments.” Supply chain IT risk is addressed in Section 1655. Subject to forthcoming regulations, DOD “may not use a product, Further, Section 881 contains a provision that permanently service, or system procured or acquired … relating to extends the authority provided in Section 806 of the Ike information or operational technology, cybersecurity, an Skelton National Defense Authorization Act for Fiscal Year industrial control system, or weapons system,” unless the 2011 (Public Law 111–383) regarding the management of certain information is disclosed to the Secretary of Defense, supply chain risk, and would clarify the Secretary of Defense’s including: ability to make determinations under that authority to apply throughout DOD. • Whether an organization or person has allowed, or is under an obligation to allow, a foreign government to review the code of a noncommercial product, system, Section 1643 states that, within or service developed for DOD. This provision covers 180 days of enactment, one official will be conduct up to five years before the enactment of the designated to be responsible for matters NDAA. relating to integrating cybersecurity and • Whether an organization or person has allowed, or is industrial control systems for DOD. under an obligation to allow, a foreign government or person from the countries listed in Section 1654 to review the source code of a product, system, or service INCREASED COLLABORATION BETWEEN that DOD is using or intends to use. This provision covers CIVIL AUTHORITIES AND THE PRIVATE SECTOR conduct up to five years before the enactment of the Several sections encourage greater collaboration between NDAA. DOD, civil authorities, and the private sector. For example, Section 1650 establishes a pilot program, coordinated by • Whether a person holds or has sought a license the Secretaries of DOD and Homeland Security. Technical pursuant to Export Administration Regulations under cybersecurity professionals from DOD will be detailed to the Subchapter C of Chapter VII of Title 15, Code of Department of Homeland Security, including the National Federal Regulations, the International Traffic in Arms Cybersecurity and Communications Integration Center Regulations under Subchapter M of Chapter I of (NCCIC), in order to “enhance cybersecurity and resilience of Title 22, Code of Federal Regulations, or successor critical infrastructure.” regulations, for information technology products, components, software, or services that contain code Section 1648 outlines U.S. Cyber Command involvement custom developed for the noncommercial product, in “tier 1 exercise[s]” including coordination with “the system, or service the Department is using or intends Department of Homeland Security, the Federal Bureau to use. of Investigation, and elements across Federal and State governments and the private sector.” The Secretary of Defense is directed to issue regulations And Section 1649 establishes another pilot program to implementing these supply chain disclosure requirements. “assess defense critical infrastructure vulnerabilities and Within a year, a registry is to be created to collect and interdependencies to improve military resiliency” and maintain information disclosed, which can be made available “foster collaboration and learning between and among to any agency conducting a procurement pursuant to the departments and agencies of the Federal Government, State Federal Acquisition Regulations or the Defense Federal and local governments, and private entities responsible for Acquisition Regulations. critical infrastructure,” among other things. The program If the Secretary determines such disclosures reveal “a risk will model cyber attacks on critical infrastructure in order to to the national security infrastructure or data of the United identify and develop means of improving DOD responses to States, or any national security system under the control requests for support to civil authorities.

Thomson Reuters SEPTEMBER 24, 2018 | 3 THOMSON REUTERS EXPERT ANALYSIS

SOFTWARE & CLOUD SECURITY RELATED as a limited partner on an advisory board or committee of TO CRITICAL SYSTEMS the fund are excluded from this provision as long as certain Section 1657 of the Act calls for a study of the costs, criteria are met. benefits, technical merits, and other merits of the following technologies related to vulnerability assessments of nuclear OTHER NOTEWORTHY CYBER PROVISIONS systems, a critical subset of conventional power projection Authority to conduct military activities in cyberspace. capabilities, and cyber command and control. This study Section 1632 affirms the authority of the Secretary of Defense will cover: to direct “military cyber activities or operations in cyberspace, • Technology acquired, developed, and used by Combat including clandestine military activities or operations in Support Agencies of the DOD to discover flaws and cyberspace[.]” These clandestine activities or operations will weaknesses in software code. be considered “traditional military activity,” as defined in the National Security Act of 1947. • Cloud-based software fuzzing-as-a-service to continuously test the security of DOD software Avoidance of the ‘lowest price technically acceptable’ repositories at large scale. selection criteria with certain tech. Section 880 states, “the use of lowest price technically • Formal programming and protocol language for acceptable source selection criteria shall be avoided software code development and other methods and in the case of a procurement that is predominately tools developed under various programs. for the acquisition of information technology services, cybersecurity services, systems engineering and technical • The binary analysis and symbolic execution software assistance services, advanced electronic testing, audit security tools developed under the Defense Advanced or audit readiness services, health care services and Research Projects Agency (DARPA) program. records, telecommunications devices and services, or other • Any other advanced or immature technologies with knowledge-based professional services[.]” respect to which DOD determines there is particular The House Report notes that the U.S. Government Account- potential for application to the vulnerability assessment ability Office is expected to develop a methodological ap- and remediation of the systems. proach that will provide insight into the extent to which low- est price technically acceptable source selection criteria are DESIGNATION OF A DOD OFFICIAL FOR CYBER used by executive agencies. INTEGRATION AND INDUSTRIAL CONTROL SYSTEMS Applying DHS binding operational directives. Section 1643 states that, within 180 days of enactment, Section 1645 directs the Secretary to implement Binding one official will be designated to be responsible for matters Operational Directive 18-015 on email and security relating to integrating cybersecurity and industrial control issued by the Secretary of Homeland Security. Further, systems for DOD. That official shall be responsible for regarding future DHS cybersecurity Directives, the CIO of “developing Department-wide certification standards for DOD shall notify relevant committees “whether [DOD] will integration of industrial control systems and taking into comply with the Directive or how [it] plans to meet or exceed consideration frameworks set forth by the NIST for the the security objectives of the Directive.” cybersecurity of such systems.” DOD reporting requirements on cyber breaches INVESTMENTS IN CRITICAL TECHNOLOGY, CRITICAL and loss of PII and CUI. INFRASTRUCTURE, AND SENSITIVE PERSONAL DATA In the case of “a significant loss of personally identifiable COMPANIES MAY BE SUBJECT TO CFIUS REVIEW information [PII] [or] controlled unclassified information As outlined in Wiley Rein’s review4 of CFIUS reforms, certain [CUI] by a cleared defense contractor,” the Secretary “shall investments in critical technology and critical infrastructure promptly submit to the congressional defense committees companies and companies that maintain or collect sensitive notice in writing of such loss.” Whether or how this provision personal data of U.S. citizens will be subject to CFIUS will impact notification requirements for contractors and jurisdiction if the investment could afford a foreign person vendors remains to be seen. access to material nonpublic technical information, board Increased assistance for small manufacturers & universities. membership or observer rights or the right to nominate a board member, or certain substantive decision-making In consultation with NIST, DOD shall take actions to involvement (other than through voting of shares). “enhance awareness of cybersecurity threats among small manufacturers and universities” working on DOD programs Indirect investments by a foreign person through an and activities. This is aimed at enhancing security in the investment fund that affords the foreign person membership Defense Industrial supply chain. Outreach activities include

4 | SEPTEMBER 24, 2018 Thomson Reuters THOMSON REUTERS EXPERT ANALYSIS training, courses, and self-certification to help these parties ABOUT THE AUTHORS improve cybersecurity. Transferring the SHARKSEER cybersecurity program. The SHARKSEER cybersecurity program, which identifies and mitigates Zero Day malware and Advanced Persistent Threats using commercial technology, is to be transferred from the to the Defense Information Systems Agency. Identification of countries posing risks to U.S. cybersecurity. Megan L. Brown (L) is a partner in the telecom, media Within 180 days of enactment, the Secretary of Defense and technology and privacy and cybersecurity practices at “shall create a list of countries that pose a risk to the Wiley Rein LLP in Washington, D.C. She is former counsel cybersecurity of United States defense and national security to the attorney general at the U.S. Department of Justice, systems and infrastructure. Such list shall reflect the level of serves on the U.S. Chamber of Commerce Cybersecurity threat posed by each country included on such list.” Leadership Council and is a 2018 fellow at George Mason Another section, grants authority to “disrupt, defeat, and University’s National Security Institute. She is co-author deter cyber attacks” originating from the Russian Federation, of a pivotal IoT Security Report by the U.S. Chamber of People’s Republic of China, Democratic People’s Republic Commerce. She can be reached at [email protected]. of Korea, or Islamic Republic of Iran, including attempts in Jon W. Burd (C) is a partner in the government contracts and influence American elections and democratic processes. privacy and cybersecurity practices in the firm’s Washington, D.C., office. He counsels government contractors and PROMOTING CYBERSECURITY EDUCATION subcontractors on a range of legal matters, and has handled some of the most complex government contracts disputes DOD has greater authority for cyber-related grants and in the defense, aerospace and intelligence industries in the scholarships and the Secretary will establish a Cyber past decade. He can be reached at [email protected]. Institute. Further, within 240 days a report shall be Michael L. Diakiwski (R) is an attorney in the firm’s telecom, submitted to congressional committees on the feasibility of media and technology and privacy and cybersecurity establishing a Cybersecurity Apprentice Program to support practices in Washington, D.C. He is former counsel to the on-the-job training for certain cybersecurity positions and secretary and the general counsel of the U.S. Department facilitate the acquisition of cybersecurity certifications. of Homeland Security. He can be reached at mdiakiwski@ wileyrein.com. This expert analysis originally appeared on NOTES the firm’s website Aug. 14. Republished with permission. 1 https://www.congress.gov/115/bills/hr5515/BILLS-115hr5515enr.pdf 2 https://www.wileyrein.com/newsroom-articles-Trade_Alert-CFIUS_ Reform_Legislation_Signed_into_Law-Important_Changes_Become_ Thomson Reuters develops and delivers intelligent Effective_Immediately.html information and solutions for professionals, connecting 3 https://www.wileyrein.com/newsroom-articles-National-Defense- and empowering global markets. We enable professionals Authorization-Act-for-Fiscal-Year-2019-Includes-Numerous-Acquisition- to make the decisions that matter most, all powered by the Reforms-That-Could-Result-in-Significant-Changes-to-Federal- world’s most trusted news organization. Procurement-Procedures.html 4 https://www.wileyrein.com/newsroom-articles-4847.html 5 https://cyber.dhs.gov/bod/18-01/ This article first appeared in the September 24, 2018, edition of Westlaw Journal Government Contract.

* © 2018 Megan L. Brown, Esq., Jon W. Burd, Esq., and Michael L. Diakiwski, Esq., Wiley Rein LLP

This publication was created to provide you with accurate and authoritative information concerning the subject matter covered, however it may not necessarily have been prepared by persons licensed to practice law in a particular jurisdiction. The publisher is not engaged in rendering legal or other professional advice, and this publication is not a substitute for the advice of an attorney. If you require legal or other expert advice, you should seek the services of a competent attorney or other professional. For subscription information, please visit legalsolutions.thomsonreuters.com.

Thomson Reuters SEPTEMBER 24, 2018 | 5