Some thoughts, sorry for the long quotes. Start with the second-to-last quote for what I personally find to be the most worrying.<p><pre><code> As a result of these changes, cyberSpace has emerged
as a new domain of engagement, comparable in
signi?cance to land, sea, air, and space, and its
signi?cance will increase in the years ahead.
</code></pre>
This raises the possibility of hacking being treated as an act of war, and the resulting actions. I'm not sure if that's the current status quo – I know there was discussion about it a few months ago.<p><pre><code> The term ?critical infrastructure? means
systems and assets, whether physical or virtual,
so vital to the United States that the incapacity
or destruction of such systems would have a
debilitating impact on security, national economic
security, national public health or safety, or
any combination of those matters.
</code></pre>
This does notably seem to exclude anything related to elections.<p><pre><code> The term ?national security system? means any
telecommunications or information system
Operated by the Federal Government or any contractor
on its behalf, the function, operation, or use of which:
[...]
is critical to the direct fulfillment of military or intelligence
missions (but does not include a system used for routine
administrative and business applications, including payroll, finance,
logistics, and personnel management applications).
</code></pre>
This seems to go out of its way to exclude "personnel management applications", which is curious considering exactly such a system was at center of the second-largest hacking scandal involving the government last year.<p><pre><code> Review Participants. The Secretary of Defense
shall co?chair the Vulnerabilities Review with
the Secretary of Homeland Security, the Director of
National Intelligence, the Assistant to the
President for National Security Affairs, and the
Assistant to the President for Homeland Security
and Counterterrorism.
</code></pre>
The last three are Dan Coats, Michael Flynn, and Tom Bossert, respectively. It's a bit heavy on the military brass and leans towards the political side to the exclusion of anybody with technical credentials (I'd think someone from the NSA or even the private sector could possibly be useful). But I've always been critical when, for example, judges have been accused to be inadequate to adjudicate technical issue – smart people can and will get the information they need to make right decisions. So let's give them the benefit of the doubt.<p>Possibly relevant: it's two cabinet members vs three people reporting directly to the president. I don't know if these committees ever vote on anything, but that could be intentional to allow the President to keep full control over the direction of the investigation (Cabinet Secretaries being traditionally more independent than anyone in the West Wing)<p><pre><code> [..]the Secretary of Defense and Secretary
of Homeland Security shall
also gather and review information from the
Department of Education regarding computer
science, mathematics, and cyber security
education from primary through higher education
to understand the ?ll] scope of US. efforts to
educate and train the workforce of the future. Th
Secretary of Defense shall make recommendations
as he sees ?t in order to best position the US.
educational system to maintain its competitive
advantage into the future.
</code></pre>
I feel a bit uneasy about Secretary of Defense being authorized to change the primary school curriculum, especially considering the basically limitless scope of "maintain[ing] its competitive advantage into the future". It sounds like they want more math in school. But what if he concludes that the US has plenty of hackers, but they're just not patriotic enough and rather work for Apple (which is actually somewhat true)?<p><pre><code> [A review shall find ways to incentivice
private enterprises to] invest in cyber
enterprise risk management tools and services; and
adopt best practices with respect to processes and
technologies necessary for the increased
sharing of and response to real-time
cyber threat information.
</code></pre>
This is once again pretty broad, but I thought it warrants inclusion because any sharing of data collected by private entities with government agencies has the potential to violate individuals' privacy.<p>Overall this isn't really specific enough to scare me, yet. The bit about education is what most effectively raises my blood pressure, while the focus on military systems at the exclusion of anything election-related is somewhat curious.