Bill Trump Is Vowing to Veto Strengthens Hacking Defenses, Lawmakers Say

WASHINGTON — The military spending bill that President Trump is threatening to veto contains provisions that would help protect against the kind of broad Russian hacking discovered in recent days, according to experts and lawmakers.

The annual defense authorization bill, which Mr. Trump as recently as Thursday said he would veto, contains a range of recommendations from a congressionally established bipartisan commission.

The recent hack on numerous federal agencies by Russia’s elite spy service demonstrated the need for new defenses, key lawmakers said.

The military bill contains two dozen provisions to strengthen cyberdefenses. It gives the federal government the ability to actively hunt for foreign hackers trying to penetrate computer networks and establishes of a national cyberdirector who would coordinate the government’s defenses and responses to such attacks.

“This is an incredibly important bill,” said Senator Angus King, a Maine independent who was co-chairman of the bipartisan panel, the Cyberspace Solarium Commission. “This is the most important cyber legislation ever passed by the U.S. Congress.”

Had those provisions been in place this year, the Trump administration might have had a better shot at detecting and stopping the breach more quickly, lawmakers said.

But other commission recommendations that might have also helped discover the Russian hack far sooner, including giving the government the power to search for threats on some private networks, did not make it into this year’s bill.

Representative Mike Gallagher, Republican of Wisconsin and co-chairman of the commission, said it was critical to remember that a private company, FireEye, discovered the Russian hack that exploited vulnerabilities, including in software made by a Texas company called SolarWinds.

“This went undetected for months and months by U.S. government agencies,” Mr. Gallagher said. “I think it shows a weakness of the federal defense.”

Russians have been able to use vulnerabilities in a large number of federal computer networks and private sector companies to gain broad access. The hackers, working for Russia’s elite spy agency, have been inside federal agencies for months, at least since March.

On Thursday, the federal Cybersecurity and Infrastructure Security Agency warned that the hacking was “a grave risk to the federal government.” While the warning contained no details, it confirmed findings by private cybersecurity experts that the hackers had found multiple ways into the computer networks.

While the scope of the intrusion expands each day as investigators have learned more, officials have revealed nothing about what information the Russian spies stole or what they were seeking.

The response from senior Trump administration officials has been muted, but after the announcement by the Cybersecurity and Infrastructure Security Agency, President-elect Joseph R. Biden Jr. said his administration would impose substantial costs on those responsible for the hack of the government systems.

The commission announced its recommendations in March. Congress wrote 23 of them into the annual military bill that passed both houses with veto-proof margins this month. Mr. Gallagher said that none guaranteed the hack would have been stopped but that giving the Department of Homeland Security more power to hunt for threats across the federal government would have provided “a shot” at detecting the intrusion earlier.

“This sort of threat hunting capability is needed, and I think this attack underscores that,” he said.

While the White House viewed some provisions skeptically, including the creation of a Senate-confirmed cyberdirector, Mr. Trump’s veto threat has focused on his demands that Congress roll back legal protections for social media companies.

Vetoing the legislation would be a mistake, especially after the revelations of the SolarWinds hack, Mr. King said.

“If the question is, are their provisions in the bill that might have protected us, the answer is yes,” said Mr. King, who caucuses with the Democrats. “There is no guarantee we could have found it, but this is exactly the kind of thing that we were worried about and motivated the creation of the committee.”

The commission included members of Congress and Trump administration officials and was aimed at coming up with recommendations for shoring up defenses against hacking.

Mr. Trump has until next week to veto the bill, and the longer he waits, the more difficult it could be for Congress to override his decision, which could require bringing lawmakers to Washington after Christmas, or squeezing in a last vote on Jan. 3, just before the next Congress is seated.

Machinations over the fate of the bill come as criticism from Congress is growing over the administration’s disclosures about the Russian hack and the failure of officials to provide detailed briefings.

Pentagon officials have tried to reassure the public that their defenses held and that they have so far found “no evidence of compromise” on their systems. The intrusion exploited a vulnerability in software used across the government and private industry.

But lawmakers and outside experts viewed the declaration skeptically.

“It is far too early to proclaim there was no danger here. I think the operating assumption has to be that the Russians gained access to highly sensitive information,” said Jeremy Bash, a former top Pentagon and C.I.A. official in the Obama administration. “Anyone who stands up after 72 hours and says ‘there is nothing to see here’ is completely ignorant of the way cyberattacks operate. It is dangerous to make such a proclamation.”

Mr. Bash, now a consultant with Beacon Global Strategies, said there was no way of telling in just a few days how widespread the intrusion was. It could take months to learn what information the Russians got.

The hack, Mr. Bash said, demonstrated the need for the kind of cyberdirector the commission has pushed for. Such a director would be well placed to orchestrate a unified federal response and quickly brief Congress and the public about what steps were being taken.

“A national cyberdirector is critical to ensuring all agencies have a very high standard of cyberdefenses,” he said. “If the president vetoes the bill, Congress should swiftly override that veto.”

In addition to the director, the military bill has other provisions aimed at strengthening the Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security whose head was fired by Mr. Trump after proclaiming the election safe. It also would establish more exercises on hacking defenses, mandate a review of the size of U.S. Cyber Command’s forces, require an annual review of vulnerabilities of major weapon systems and make it easier for the government to recruit and retain experts in electronic defenses.

Even if the military bill becomes law, there is more work to do, Mr. Gallagher said. Members of the commission have pressed congressional appropriators to put more funding toward the kind of threat hunting operations authorized by the bill.

Mr. Gallagher also said he hoped legislation next year could expand the threat hunting work beyond government networks, allowing the federal government to conduct proactive searches for foreign intruders on the networks of military contractors, better connecting public and private network defenses.