Senate approves defense bill establishing cyber czar position, subpoena power for cyber agency

The Senate on Friday approved the annual National Defense Authorization Act (NDAA) with clauses that would establish a federal cyber czar, and that would give the nation’s top federal cybersecurity agency subpoena power.

The conferenced version of the 2021 NDAA was approved by the Senate by a vote of 84-13 days after the House approved the same version of the annual defense funding bill. 

The clause establishing the position of a Senate-confirmed national cyber director within the Executive Office of the President was not included in the original 2021 NDAA approved by the Senate earlier this year, but was added during negotiations with the House. 

The position would reestablish and elevate the previous White House cybersecurity coordinator position that was eliminated by former national security advisor John Bolton in 2018. 

A coalition of bipartisan lawmakers in the House and Senate worked together to ensure the clause creating the position was included in the NDAA, with the new position responsible for coordinating cybersecurity policy across the federal government. 

“This position gives the person who holds this spot, this position, more gravitas than just a staff person,” Rep. Jim Langevin (D-R.I.), who spearheaded introducing legislation creating this position, told The Hill last week. “He or she would have sufficient staff. They get their hands around the challenges they face, a whole of government approach to protect the country in cyberspace. This is a major step forward.”

However, a memo put out by the White House Office of Management and Budget (OMB) earlier this week, obtained by Reuters, listed the establishment of the position among the reasons President Trump may choose to veto the bill. 

OMB wrote that NDAA “increases bureaucracy and confuses cybersecurity policymaking by mandating the appointment of a National Cyber Director within the Executive Office of the President, ignoring the mechanisms by which the Government already performs the functions assigned to this new policy position.”

Trump has also threatened to veto the defense funding bill due to a repeal of Section 230 of the Communications Decency Act being left out, and due to the legislation requiring that military installations named after Confederate generals be renamed. 

The legislation was approved with veto-proof majorities, but it’s unclear if enough GOP lawmakers in both chambers would vote to override Trump. A two-thirds vote is required to overturn a veto.

The cyber czar clause was included as part of a raft of other cybersecurity measures, including a clause giving the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) limited subpoena power.

The clause, based on bipartisan legislation introduced last year, would allow CISA to issue subpoenas to internet service providers, compelling them to release information on cyber vulnerabilities detected on the networks of critical infrastructure organizations.

This power, which had had support from leadership on both the House and Senate Homeland Security committees, would give CISA the ability to further secure critical systems. 

Both measures were part of 26 recommendations from the Cyberspace Solarium Commission that were included in the conferenced version of the NDAA.

The group — made up of members of Congress, the federal government and industry — was established in 2018 to provide recommendations to defend the U.S. in cyberspace, with a report rolled out earlier this year.