Washington, DC – As the House and Senate Armed Services Committees finalize their U.S. Department of Defense Fiscal Year 2024 authorization bill, the Operational Technology Cybersecurity Coalition is calling on conferees to protect a provision focused on addressing the cybersecurity risks of DoD’s critical infrastructure.
“Over the better part of the decade, Congress has directed DoD to address its ICS/OT cybersecurity risks across multiple NDAAs, with DoD making marginal progress,” the letter states. “Within H.R. 2670, the U.S. House of Representatives included Section 1501, which seeks to consolidate, align, and harmonize DoD’s ICS/OT reporting requirements while also designating roles and responsibilities to be executed by a new program office.”
Further, the OT Cyber Coalition urges conferees to maintain the Section 1501 provision, including the creation of a Strategic Cybersecurity Program, and consider additional steps to ensure accountability for safeguarding mission-critical infrastructure.
In news reports from earlier this year, the Biden Administration, along with “Five Eyes” intelligence partners, revealed that it believes state-sponsored Chinese hackers have installed malware on U.S. networks that could affect military operations such as cutting off power, water, and communications to U.S. military bases.
“Section 1501 takes a thoughtful approach to drive DoD to understand, scope, and triage the risks to its OT infrastructure, including components critical to the reliable operation of critical offensive and defensive systems,” the letter adds.
Full text of the letter:
November 8, 2023 The Honorable Jack Reed 728 Hart Senate Office Building Washington, D.C. 20510 The Honorable Mike Rogers 2469 Rayburn House Office Building Washington, DC 20515 The Honorable Roger Wicker 425 Russell Senate Office Building Washington, D.C. 20510 The Honorable Adam Smith 2264 Rayburn Office Building Washington, D.C. 20515
[Sent via email] RE: FY24 NDAA, “Section 1501. Harmonization and Clarification of Strategic Cybersecurity Program and Related Matters.” Dear Chairman Reed, Ranking Member Wicker, Chairman Rogers, and Ranking Member Smith, The Operational Technology Cybersecurity Coalition (OTCC) is a diverse group of leading industrial control system (ICS) and operational technology (OT) cybersecurity vendors. As a collective of 17 member companies and growing, our visibility spans the full OT lifecycle across all 16 critical infrastructure sectors. With our unique expertise, we advocate for outcome-based policies that leverage a standards-based, interoperable, vendor-neutral approach to strengthen the collective defense and resiliency of our nation’s critical infrastructure. The OTCC recently established a Department of Defense (DoD) Working Group dedicated to working with DoD and Congress as they collectively work to address the myriad challenges in securing DoD’s critical infrastructure. We recognize that the Fiscal Year 2024 National Defense Authorization Act (FY24 NDAA) is deep into the conference but hope that you will still consider our perspectives as you finalize your work. Moving forward, we aim to work with your staff to develop executable ICS/OT policy solutions earlier in the legislative process. The Department of Defense’s (DoD) global footprint includes over 800 installations across 70 countries and territories. On a foundational level, every military installation requires a reliable power supply, telecommunications, medical, water, and sewage treatment support. The rise of cyberattacks over the last decade across critical infrastructure by adversarial nation-states eager to delay or degrade our military’s ability to execute national security objectives requires accountability for safeguarding our mission-critical infrastructure. Ubiquitous vulnerabilities within legacy OT systems that underpin offensive and defensive assets across our global forward operating force require Congress to adopt a new and more robust approach to this problem. Over the better part of the decade, Congress has directed DoD to address its ICS/OT cybersecurity risks across multiple NDAAs, with DoD making marginal progress. Within H.R. 2670, the U.S. House of Representatives included Section 1501, which seeks to consolidate, align, and harmonize DoD’s ICS/OT reporting requirements while also designating roles and responsibilities to be executed by a new program office. The OTCC supports this provision, including the creation of a Strategic Cybersecurity Program, and offers our suggestions as outlined below.
A. Section 1501 focuses heavily on the Program Manager’s responsibilities concerning cyber risks to weapons systems, which we agree are critically important. However, we fear it does not focus sufficiently on military installations and facilities, as addressed through the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 2224). We note that Section 1501 references that prior provision and are pleased that it is not rescinded. We encourage conferees to consider report language that underscores the equally critical need to use the Program Manager’s authorities granted in Section 1501 to ensure adequate attention to securing military facilities from cyber threats. This cannot be overstated: denying the availability of weapon systems in the garrison is as effective as destroying them on the battlefield.
B. The list of participating members in Section 391b (b) should include the remaining regional unified combatant commands, including CENTCOM, AFRICOM, SOUTHCOM, and SOCOM, as this new program isn’t a pilot. Similarly, the program membership should include the Under Secretary of Defense for Intelligence and Security (USD I&S).
C. Further, while Section 1501 does task the Program Manager to oversee and carry out statutory requirements from previous NDAAs, which includes coordinating a range of cybersecurity efforts across the DoD, we believe it would be appropriate for Congress to ensure that OT and critical infrastructure protection requirements remain a key priority within this provision and future legislative text and report language. This request is specifically in reference to:
The requirements laid out in Section 1650 of FY17 NDAA, relating to the evaluation of cyber vulnerabilities of the critical infrastructure of the DoD;
Section 1505 of FY22 NDAA, relating to the operational technology and the mapping of mission-relevant terrain in cyberspace, and
Section 1559 of FY23 NDAA calls for vulnerability and mission risk assessments of radiofrequency-enabled cyber-attacks concerning the operational technology embedded in weapons systems, aircraft, ships, ground vehicles, space systems, sensors, and datalink networks of the DoD.
D. Finally, as this provision is designed to reduce statutory duplication and align policy efforts, we ask you to consider expanding the designation of mission elements for Section 1501 to include satellite command and control, payloads, and ground stations (for critical communication operations). Further, we would ask that you expand the threat scope beyond just vulnerabilities to encompass the broader threat landscape and impending threats.
Section 1501 takes a thoughtful approach to drive DoD to understand, scope, and triage the risks to its OT infrastructure, including components critical to the reliable operation of critical offensive and defensive systems. Therefore, the OTCC urges conferees to maintain this critical provision and asks for your consideration of these points as you draft report language to accompany the bill. We look forward to working with you and your staff to improve the DoD’s ICS/OT cybersecurity posture dramatically. Please do not hesitate to contact me if we can be of assistance. Sincerely, Andrew Howell Executive Director, OTCC ### About the OT Cyber Coalition The Operational Technology Cybersecurity Coalition is a diverse group of leading cybersecurity vendors dedicated to improving the cybersecurity of OT environments. Representing the entire OT lifecycle, the OT Cyber Coalition believes that the strongest, most effective approach to securing our nation’s critical infrastructure is one that is open, vendor-neutral, and allows for diverse solutions and information sharing without compromising cybersecurity defenses. For more information, visit https://www.otcybercoalition.org/.