Senate-passed defense spending bill includes clause giving DHS cyber agency subpoena power

Senate-passed defense spending bill includes clause giving DHS cyber agency subpoena power
© Greg Nash

The Senate version of the annual National Defense Authorization Act (NDAA) approved Thursday included a raft of measures designed to shore up federal cybersecurity, including a clause giving the Department of Homeland Security’s (DHS) cybersecurity agency subpoena power.

The provision, originally introduced by Senate Homeland Security and Governmental Affairs Committee Chairman Ron JohnsonRonald (Ron) Harold JohnsonRon Johnson grinds Senate to halt, irritating many On The Money: Senate votes to take up COVID-19 relief bill | Stocks sink after Powell fails to appease jittery traders | February jobs report to provide first measure of Biden economy Senate relief package earmarks B for global coronavirus response MORE (R-Wis.) and Sen. Maggie HassanMargaret (Maggie) HassanRosen to lead Senate Democrats' efforts to support female candidates Pro-Choice Caucus asks Biden to remove abortion fund restrictions from 2022 budget Senate Democrats call on GAO to review child care access barriers for disabled parents, kids MORE (D-N.H.) in December, would allow DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to internet service providers compelling them to release information on cyber vulnerabilities detected on the networks of critical infrastructure organizations.

“Every day our adversaries target our critical infrastructure, including our electric grids, dams, and airports, and every day, CISA is made aware of vulnerabilities to these systems — some easily fixable — but is powerless to warn the potential victims,” Johnson said in a statement following the NDAA’s passage. 


“This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” he added. “We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”

Hassan described the subpoena power proposal as “common-sense,” adding in a separate statement that she would “keep working” with Johnson to get the provision signed into law as part of the final version of the fiscal 2021 NDAA that will be conferenced between the House and Senate in coming weeks. 

The legislation was also included in the House version of the NDAA, approved earlier this week, making it likely the provision will stay in the final version eventually sent to President TrumpDonald TrumpTrump State Department appointee arrested in connection with Capitol riot Intelligence community investigating links between lawmakers, Capitol rioters Michelle Obama slams 'partisan actions' to 'curtail access to ballot box' MORE for signature. 

Another key cybersecurity provision included in the Senate version of the annual defense spending bill was one establishing a federally funded cybersecurity coordinator in every state to prepare for and respond to cyberattacks. 

The legislation was introduced in January by Hassan and Sens. John CornynJohn CornynOvernight Defense: Capitol Police may ask National Guard to stay | Biden's Pentagon policy nominee faces criticism | Naval Academy midshipmen moved to hotels Senators introduce bill creating technology partnerships to compete with China Republicans blast Pentagon policy nominee over tweets, Iran nuclear deal MORE (R-Texas), Gary PetersGary PetersAlarming threat prompts early exit, underscoring security fears Five takeaways from dramatic Capitol security hearing Troops defending Capitol sickened by undercooked meat: report MORE (D-Mich.), and Rob PortmanRobert (Rob) Jones PortmanMandel gets Club for Growth nod in Ohio Senate primary Rick Scott caught in middle of opposing GOP factions Five takeaways from dramatic Capitol security hearing MORE (R-Ohio) after a year of increasing cyberattacks across the nation crippled city governments in New Orleans and Baltimore, among many others. 


“We live in an increasingly interconnected society, and state and local governments need clear lines of communication and an understanding of what federal resources are available to protect them from ever-evolving cyber threats,” Peters, the ranking member of the Senate Homeland Security and Governmental Affairs Committee, said Thursday. “Bad actors will always target the path of least resistance — which is why we must boost cyber-security at all levels of government.

A clause meant to address the threat of “deepfakes,” or media altered by artificial intelligence to show distorted events, was also included in the Senate version of the NDAA. 

The bipartisan measure would require DHS to conduct an annual study on how deepfakes are used by foreign and domestic groups, and ways to fight back against the creation of the videos. 

“Fake content can damage our national security and undermine our democracy,” Sen. Brain Schatz (D-Hawaii), one of the original sponsors of the deepfakes legislation, said in a statement Thursday. “Our amendment directs the federal government to learn more about the scope and impact of deepfake technology. It’s an important step in fighting disinformation.”

One major cybersecurity provision not included was the establishment of a national cyber director at the White House to serve as a coordinating force between federal agencies on cybersecurity issues. The House-passed version of the NDAA established the position, but the Senate version only included language requiring an “assessment” of the “feasibility” of doing so.

It is unclear whether the position will eventually be included in the final version of the NDAA sent to Trump for approval. The bipartisan effort to create a national cyber director comes two years after the White House cybersecurity coordinator position was eliminated by former national security advisor John BoltonJohn BoltonTrump offered North Korea's Kim a ride home on Air Force One: report Key impeachment figure Pence sticks to sidelines Bolton lawyer: Trump impeachment trial is constitutional MORE in an effort to reduce bureaucracy.