THOMSON REUTERS

Important cyber provisions now law under the 2019 NDAA

By Megan L. Brown, Esq., Jon W. Burd, Esq., and Michael L. Diakiwski, Esq., Wiley Rein LLP*

SEPTEMBER 24, 2018

The John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA or the Act) (H.R. 5515)1 was signed into law on August 13, 2018. The appropriations law authorizes a $716 billion national defense budget and includes wide-ranging provisions on cybersecurity, touching everything from enhancing the military’s ability to respond to cyber attacks to protecting the IT supply chain and encouraging greater public-private collaboration. Below, we outline key elements of the law, which will impact how private industry engages with the U.S. Department of Defense (DOD) on cybersecurity issues.

Wiley Rein further addresses other important aspects of the 2019 NDAA, including sections reforming the Committee on Foreign Investment in the United States (CFIUS)2 and provisions impacting government contractors3.

KEY TAKEAWAYS FOR THE PRIVATE SECTOR

• The Act establishes a more aggressive posture on U.S. cybersecurity policy, stating that “all instruments of national power” will be used to defend, deter, and respond to significant cyber threats.
• The NDAA exemplifies a government-wide trend of increased expectations on the private sector, for greater collaboration and scrutiny of security in IT products and services; but this is coupled with enhanced government assistance and commitments to defend U.S. networks, systems, and critical infrastructure. Further, the law requires more thorough collaboration between civil authorities (such as the U.S. Department of Homeland Security) and the military, in managing and responding to cyber threats and incidents.
• The law prohibits federal government agencies from using or procuring certain covered technologies, with some exceptions.
• Several provisions require consultation with and reference to frameworks produced by the National Institute of Standards and Technology (NIST). NIST’s cybersecurity frameworks, standards, and guidelines are typically drafted for use by the federal government. Increasingly, however, these documents are cited in pending legislation and by sector-specific agencies for use by industry.

ESTABLISHING U.S. POLICIES ON CYBERSPACE, CYBERSECURITY, CYBER WARFARE, AND CYBER DETERRENCE

Section 1636 outlines the “Policy of the United States on cyberspace, cybersecurity, cyber warfare, and cyber deterrence.” The policy signifies a more aggressive posture, bringing greater resources to bear in preventing, deterring, and responding to cyber threats — including through offensive cyber operations.

“[T]he United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests[.]”

This includes cyber threats to private sector systems, covering activities which “significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government).”

The section calls for the development of a plan for “response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries[.]” Within 180 days of the law’s passage, classified and unclassified reports on U.S. cyber policy are to be delivered to relevant congressional committees. Among other things, this report would cover:

• “Information relating to the Administration’s plans, including specific planned actions, regulations, and legislative action required [for]:
  - advancing technologies in attribution, inherently secure technology, and artificial intelligence society-wide;
  - improving cybersecurity in and cooperation with the private sector; [and]
  - improving international cybersecurity cooperation[.]”

ESTABLISHING THE ‘CYBERSPACE SOLARIUM COMMISSION’

Aligned with the general policy pronouncements outlined above, Section 1652 allocates $4 million to establish “a commission to develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”

The Cyberspace Solarium Commission would be formed within 45 days of enactment. Members include senior leaders from the Office of the Director of National Intelligence, Homeland Security, the Federal Bureau of Investigation, and DOD, as well as 10 additional members selected by Congress.

The Commission would be able to hold hearings, request information, and subpoena witnesses. Among others, core objectives are to:

• Develop a consensus on a strategic approach to defending the United States in cyberspace.
• Weigh the costs and benefits, and evaluate the means, for executing various strategic options, including for the political system, the national security industrial sector, and the innovation base. Options to be assessed include deterrence, norms-based regimes, and active disruption of adversary attacks through persistent engagement.
• Review and make determinations on norms-based regimes and how the United States should enforce such norms.
• Review adversarial strategies and intentions.
• Evaluate the effectiveness of the current national cyber policy and consider possible structures and authorities that need to be established, revised, or augmented within the federal government.

A final report with the Commission’s findings is due September 1, 2019.

PROHIBITION ON CERTAIN TELECOMMUNICATIONS EQUIPMENT

Section 889 prohibits the use of federal funds to acquire “covered telecommunications equipment or services.” This term is defined generally to include: telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities); certain uses of video surveillance technology and equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities); telecommunications of video surveillance services provided by such entities or using such equipment; and such equipment and services that the Secretary of Defense “reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.”

Under Section 889 executive agency heads may not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” This prohibition is effective August 13, 2019.

The law further prohibits executive agency heads from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” This prohibition is effective August 13, 2020.

Section 889 also prohibits the use of federal loan or grant funds to procure or obtain covered telecommunications equipment or services. This prohibition is effective August 13, 2020.

In implementing this prohibition certain agency heads — including the Chair of the Federal Communications Commission and Secretaries of Commerce and Homeland Security, among others — “shall prioritize available funding and technical support to assist affected businesses, institutions and organizations as is reasonably necessary for those affected entities to transition from covered communications equipment and services, to procure replacement equipment and services, and to ensure that communications service to users and customers is sustained.”

Certain exceptions apply for entities that “provide a service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or

of the Department,” the Secretary shall take

Thomson Reuters is a commercial publisher of content that is general and educational in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of individual transactions and cases. Users should consult with qualified legal counsel before acting on any information published by Thomson Reuters online or in print. Thomson Reuters, its affiliates and their editorial staff are not a law firm, do not represent or advise clients in any matter and are not bound by the professional responsibilities and duties of a legal practitioner. Nothing in this publication should be construed as legal advice or creating an attorney-client relationship. The views expressed in this publication by any contributor are not necessarily those of the publisher.