NDAA includes cyber czar, CISA subpoenas

Lawmakers are poised to vote on a defense policy bill that would advance dozens of recommendations made by a cyberspace commission.

NOTE: This article first appeared on FCW.com.

Lawmakers on Thursday unveiled their bicameral version of the fiscal year 2021 annual defense policy bill that includes more than two dozen recommendations from a congressional cyberspace commission such as establishing a White House cybersecurity czar and granting new authorities to the Cybersecurity and Infrastructure Security Agency.

The 26 provisions were included in the 2021 National Defense Authorization Act and are based on recommendations from the Cyberspace Solarium Commission, which is chaired by Sen. Angus King (I-Maine) and Rep. Matthew Gallagher (R-Wis.).

The bill would establish a national cyber director, a Senate-confirmed individual who would act as a principal advisor to the president on cybersecurity issues.

The bill also "grants [CISA] administrative subpoena authority… in order to identify vulnerable systems and notify public and private system owners," according to a statement from King and Gallagher.

Brandon Wales, CISA's acting director, said on Dec. 3 that this measure has been his agency's top priority for new legislation.

"Today, CISA cannot make contact with a company that has a vulnerable piece of infrastructure on the internet," Wales said an Aspen Institute event.

"But again, we don't have the ability to compel that company to make a change," he continued. Wales added that given the complexity of cybersecurity, he sees the "voluntary approach" as the best way to work with private entities.

Among other recommendations, the NDAA would also direct a "federal government cyber exercise to be conducted every two years" for the next 10 years, mandate the Government Accountability Office to study ways to improve cybersecurity insurance and reauthorize the Cyberspace Solarium Commission to continue providing assessments and recommendations through "late December 2021," according to the lawmakers' statement.

One notable exclusion from the bill was the repeal of Section 230, which provides liability protections for content published by social media companies on their platforms. President Donald Trump in recent days has threatened to veto the NDAA if a repeal was not included.

"Very sadly for our Nation, it looks like [Senate Armed Services Committee Chairman Jim Inhofe (R-OK)] will not be putting the Section 230 termination clause into the Defense Bill," Trump tweeted hours after lawmakers published the bill.

"So bad for our National Security and Election Integrity. Last chance to ever get it done. I will VETO!" the tweet continued.

A two-thirds supermajority in the House and Senate is required to override a presidential veto.