Senate-passed defense spending bill includes clause giving DHS cyber agency subpoena power


The Senate version of the annual National Defense Authorization Act (NDAA) approved Thursday included a raft of measures designed to shore up federal cybersecurity, including a clause giving the Department of Homeland Security’s (DHS) cybersecurity agency subpoena power.

The provision, originally introduced by Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson (R-Wis.) and Sen. Maggie Hassan (D-N.H.) in December, would allow DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to internet service providers compelling them to release information on cyber vulnerabilities detected on the networks of critical infrastructure organizations.

“Every day our adversaries target our critical infrastructure, including our electric grids, dams, and airports, and every day, CISA is made aware of vulnerabilities to these systems — some easily fixable — but is powerless to warn the potential victims,” Johnson said in a statement following the NDAA’s passage. 


“This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” he added. “We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”

Hassan described the subpoena power proposal as “common-sense,” adding in a separate statement that she would “keep working” with Johnson to get the provision signed into law as part of the final version of the fiscal 2021 NDAA that will be conferenced between the House and Senate in coming weeks. 

The legislation was also included in the House version of the NDAA, approved earlier this week, making it likely the provision will stay in the final version eventually sent to President Trump for signature.

Another key cybersecurity provision included in the Senate version of the annual defense spending bill was one establishing a federally funded cybersecurity coordinator in every state to prepare for and respond to cyberattacks. 

The legislation was introduced in January by Hassan and Sens. John Cornyn (R-Texas), Gary Peters (D-Mich.), and Rob Portman (R-Ohio) after a year of increasing cyberattacks across the nation crippled city governments in New Orleans and Baltimore, among many others.


“We live in an increasingly interconnected society, and state and local governments need clear lines of communication and an understanding of what federal resources are available to protect them from ever-evolving cyber threats,” Peters, the ranking member of the Senate Homeland Security and Governmental Affairs Committee, said Thursday. “Bad actors will always target the path of least resistance — which is why we must boost cyber-security at all levels of government.”

A clause meant to address the threat of “deepfakes,” or media altered by artificial intelligence to show distorted events, was also included in the Senate version of the NDAA. 

The bipartisan measure would require DHS to conduct an annual study on how deepfakes are used by foreign and domestic groups, and ways to fight back against the creation of the videos. 

“Fake content can damage our national security and undermine our democracy,” Sen. Brian Schatz (D-Hawaii), one of the original sponsors of the deepfakes legislation, said in a statement Thursday. “Our amendment directs the federal government to learn more about the scope and impact of deepfake technology. It’s an important step in fighting disinformation.”

One major cybersecurity provision not included was the establishment of a national cyber director at the White House to serve as a coordinating force between federal agencies on cybersecurity issues. The House-passed version of the NDAA established the position, but the Senate version only included language requiring an “assessment” of the “feasibility” of doing so.

It is unclear whether the position will eventually be included in the final version of the NDAA sent to Trump for approval. The bipartisan effort to create a national cyber director comes two years after the White House cybersecurity coordinator position was eliminated by former national security advisor John Bolton in an effort to reduce bureaucracy.