The Senate Armed Services Committee’s version of the annual defense policy bill would authorize plus-ups in funding for several U.S. Cyber Command programs and concepts.
The committee passed its version of the fiscal 2023 National Defense Authorization Act on Thursday morning behind closed doors and released a summary of the bill. The legislation will now go to the Senate floor for consideration.
The summary notes several programs received increases in authorized funding, which can be thought of as a tacit endorsement of many of these concepts, despite concerns raised in prior years and requests for reports and briefings on some of them.
The NDAA only provides an authorization to spend funds, it does not actually provide funding. That is done by the appropriation committees. The annual policy bill must go through a complex legislative process before it becomes law.
The provisions in the SASC version of the policy bill reflect the growing capabilities and requirements on Cyber Command to meet a rise in malicious activity, according to the committee.
The committee authorized an increase of $44 million to support so-called hunt-forward operations. These involve physically sending defensively oriented protection teams from the Cyber National Mission Force to foreign nations to hunt for threats on their networks at the invitation of host nations.
Officials have long lauded these operations as critical because they help bolster the security of partner nations and provide Cyber Command advanced notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats. However, Congress has previously sought more information on these operations, asking DOD to develop a formal framework for them to enhance consistency, execution and effectiveness.
Officials have also said hunt-forward ops have been beneficial in defending malicious cyber activity in domestic elections. The Department of Defense has added election defense as an enduring mission, and the SASC bill calls for a biennial unclassified report through the 2032 election cycle on Cyber Command’s efforts related to election security.
The bill would also authorize an increase of $56.4 million in funding for the Joint Cyber Warfighting Architecture development. JCWA was created in 2019 to help guide the Pentagon’s acquisition priorities and programs.
The architecture includes four main programs: the Persistent Cyber Training Environment for conducting training and mission rehearsal; Unified Platform — considered the centerpiece where data is ingested, analyzed and shared; Joint Cyber Command and Control to command cyber forces and the larger cyber environment; and the Joint Common Access Platform for executing offensive operations.
The SASC bill would require the establishment of a program executive office to manage and provide oversight of the implementation and integration of JCWA.
In past legislation, Congress expressed concern that Cybercom’s vision lacks a governance strategy to connect systems together, and ordered the Department of Defense to report to lawmakers on its governance strategy.
Previously, in the face of criticism from the Government Accountability Office, the command created an overarching management office called the Joint Capability Management Office, which looks at the strategic vision and concepts needed for integration and what the big picture architecture must look like holistically. The Joint Integration Office focuses on other aspects such as how the individual service program offices work together.
Cyber Command has also created a Program Executive Office Cyber within its J-9 advanced concepts and technology directorate, which oversees programs using command dollars as it seeks to build out its acquisition shop.
However, the GAO in a March report in response to a Senate mandated study, still found Cyber Command has not developed an outcome-based metric to support assessments of programs and staffing issues for acquisitions.
Cybercom is on the precipice of gaining enhanced budget authority, which gives the commander responsibility for direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force The Senate Armed Services Committee included in its legislation this week an assessment of the implementation and transition of these responsibilities.
Meanwhile, the committee aims to require a strategy for converged cyber and electronic warfare capabilities. While somewhat distinct, each are related and the DOD is looking to more closely tie the two together, especially in the tactical battlefield sphere, exemplified by the Army’s approach toward cyber and electromagnetic activities (CEMA).
Tactical forces the Army and Marine Corps are building seek to utilize cyber on the battlefield thorough radio-frequency enabled cyber, which is a convergence of electromagnetic operations and cyber targeting wireless systems in some cases.
Officials have noted that in the future, these proximal tactical forces can provide the remote strategic operators at Cyber Command access to targets as they develop more advanced capabilities and tactics. Cybercom has been requesting funds for electronic warfare capabilities under a program called cyber-enabled activities. In fiscal 2023, the command requested $16.7 million for the effort.
Maturing Cyber Command and the DOD cyber enterprise
The Senate committee also included provisions aimed at maturing Cyber Command and its forces.
One such provision requires a study on the military services’ responsibilities for organizing, training and presenting forces to Cybercom, and recommendations on future force generation models.
In the DOD, the services are generally responsible for manning, training and equipping forces that are provided to combatant commands, which are responsible for warfighting. Under the forthcoming enhanced budget authority, Cyber Command will take over the advanced training of cyber warriors while the services will still be responsible for providing basic cyber training.
Another provision in the policy bill would require a plan and implementation of any subsequent recommendations to correct readiness shortfalls in the cyber mission forces.
Cyber Command’s top civilian said this week that readiness is a top priority.
“In terms of our priorities this year and going into next, a major priority that [Cybercom commander Gen. Paul Nakasone] has set for us is our force readiness — how do we look at our cyber mission teams and ensure that our operators and our analysts are the best qualified, most lethal cyber force in the world,” Dave Frederick, the command’s executive director, said Tuesday during the Defense One Tech Summit. “Readiness is a big focus for us.”
In recent years, the command has sought various approaches to improve readiness and readiness oversight.
The House Armed Services Committee’s version of the NDAA will be marked up before the full committee on June 22. The House and Senate will eventually have to reconcile their respective versions of the bill in what’s known as conference.