The annual defense bill includes a section on cybersecurity based on recommendations from the Solarium Commission.
Lawmakers are urging President Donald Trump to walk back a threatened veto of the annual defense bill over non-defense policy issues because of the widespread, ongoing and potentially catastrophic hack of U.S. government and private sector systems.
The National Defense Authorization Act has a slate of cybersecurity provisions and its own cybersecurity section drawn from the recommendations of the Cyberspace Solarium Commission, including a measure to establish a White House cybersecurity official whose job it would be to coordinate response in the event of emergencies like the SolarWinds hack.
"Given the recently revealed cyber hacks, it is more critical than ever that the President sign this bipartisan bill into law," Sen. Angus King (I-Maine) tweeted on Friday. King co-chairs the Solarium Commission.
Trump has threatened to veto the NDAA because it doesn't revoke liability protections for online platforms – the Section 230 provision of the Communications Decency Act. Trump is also opposed to a measure to rename military bases that honor Confederate military leaders. Lawmakers from defense committees across both parties have urged Trump to sign the bill, which passed by large majorities in the House and Senate.
Separately, Sen. Mark Warner (D-Va.), the vice chairman of the Senate Select Committee on Intelligence, criticized Trump for "not taking this issue seriously enough."
"As we learn about the wider impact of this malign effort -- with the potential for wider compromise of critical global technology vendors and their products -- it is essential that we see an organized and concerted federal response," Warner said in an emailed statement. "It is extremely troubling that the President does not appear to be acknowledging, much less acting upon, the gravity of this situation."
NSA's mitigation guide
The National Security Agency released guidance on how to deny bad actors continued access to compromised systems by hardening identity and credential issuance and management. The Dec. 17 advisory does not mention SolarWinds by name but lays out guidance on how to prevent bad actors from generating tokens to provide access to cloud-based and on-premises systems, and how to detect abuse of credentials.
Microsoft President Brad Smith called the hack and its aftermath a "moment of reckoning" in a Dec. 17 blog post. "The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them," Smith wrote. He said that while espionage is a fact of life, the attack used in the SolarWinds hack "has put at risk the technology supply chain for the broader economy."
Smith noted that in terms of governmental response to the burgeoning threat, "one ready-made opportunity is to establish a national cybersecurity director as recommended by the Solarium Commission and provided for in the National Defense Authorization Act."