NDAA Is 'Must-Sign' Legislation in Wake of SolarWinds Hack: Ex-Trump Security Adviser

The National Defense Authorization Act (NDAA), which President Donald Trump has vowed to veto, is "must-sign" legislation in the wake of the massive SolarWinds software hack, the president's former homeland security adviser warned.

The Democratic-controlled House of Representatives and the Republican-controlled Senate both passed the NDAA with veto-proof majorities last week—meaning they have enough votes to override Trump's decision if he follows through on his threat. Now, some security experts and lawmakers are pointing to provisions in the NDAA that would shore up the country's defenses against cyberattacks.

"Among other important provisions, the act would authorize the Department of Homeland Security to perform network hunting in federal networks," Thomas Bossert, who served as homeland security adviser to Trump from January 2017 until April 2018, wrote in a New York Times op-ed published Wednesday. "If it wasn't already, it is now a must-sign piece of legislation, and it will not be the last congressional action needed before this is resolved."

In this photo illustration, a hacker types on a laptop. President Donald Trump's former homeland security adviser and lawmakers are urging him to sign the National Defense Authorization Act after the massive SolarWinds hack that targeted top government agencies. Joe Raedle/Getty

Senator Angus King, a Maine independent, made a similar point on Thursday morning in an interview with CNN. King described the SolarWinds hack, and potential future hacks from other sources, as "the most serious external risk this country faces."

"We gotta get this defense bill passed because there's so much in it to help us defend ourselves," King said. "Ironically, the bill is sitting on the president's desk at the moment of this most recent attack."

Newsweek reached out to the White House for comment but did not receive a response before publication. Trump tweeted again on Thursday morning that he plans to veto the bill.

"I will Veto the Defense Bill, which will make China very unhappy. They love it. Must have Section 230 termination, protect our National Monuments and allow for removal of military from far away, and very unappreciative, lands. Thank you!" the president wrote.

News of the SolarWinds hack broke over the weekend, after it was discovered that hackers had managed to install malware in an update to the company's Orion IT software. That SolarWinds product was then downloaded by thousands of users, with the company admitting in a Securities and Exchange Commission filing on Monday that nearly 18,000 users could have been affected.

SolarWinds clients include top federal government agencies and more than 400 of the Fortune 500 companies. The Treasury Department, the Department of Homeland Security and the Commerce Department reportedly had compromised computer systems as a result of the breach.

Although the perpetrator has not been confirmed, the prime suspect is Russia. That nation's embassy in Washington, D.C., and a spokesperson for Russian President Vladimir Putin have denied any involvement. Such denials are typical when nation-states carry out cyberattacks.

King, who sits on the Senate's Armed Services and Intelligence Committees, told CNN he could not confirm who carried out the attack. But the senator asserted that the hackers are "in these networks," raising concerns about the potential for future attacks that could target major infrastructure, such as the electrical grid.

The White House issued a statement ahead of the House vote on the NDAA last week, "strongly" opposing the bill's passage.

"The Administration recognizes the importance of the National Defense Authorization Act (NDAA) to our national security. Unfortunately, this conference report fails to include critical national security measures, includes provisions that fail to respect our veterans and our military's history, and contradicts efforts by this Administration to put America first in our national security and foreign policy actions," the statement said.

Trump has called for the NDAA to include repealing Section 230 of the Communications Decency Act, which was passed in 1996. Section 230 has faced substantial bipartisan criticism over the past couple of years, as it is widely seen as giving online platforms too many protections and not enough regulation. However, lawmakers from both parties were largely uninterested in tackling Section 230 in the NDAA bill.

CNN reported Wednesday that congressional leaders are already working to schedule an override vote—possibly early in January—if Trump follows through on his veto threat. "He does still plan to veto the NDAA. I don't have a timeline for you on that. But he does plan to veto it," White House press secretary Kayleigh McEnany told reporters on Tuesday.

In addition to Trump, some progressive lawmakers oppose the NDAA, albeit for different reasons.

"I will be voting against the Defense Appropriations bill. We need to get our priorities right. At a time when we have enormous unmet needs in our country we should not be spending $740 billion on the military—more than the next 10 nations combined," Senator Bernie Sanders, a Vermont independent, tweeted ahead of the Senate vote.

Representative Alexandria Ocasio-Cortez, a progressive Democrat from New York, voted against the bill as well, as did 36 other Democrats.

This story was updated at 10:55 a.m. ET with a tweet from President Donald Trump.