JOHN S. McCAIN
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2019
CONFERENCE REPORT TO ACCOMPANY H.R. 5515
SEC. 1636. POLICY OF THE UNITED STATES ON CYBERSPACE, CYBERSECURITY, CYBER WARFARE, AND CYBER DETERRENCE.
(a) IN GENERAL.—It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests with the intent to—
(1) cause casualties among United States persons or persons of United States allies;(b) RESPONSE OPTIONS.—In carrying out the policy set forth in subsection (a), the United States shall plan, develop, and, when appropriate, demonstrate response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.
(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);
(3) threaten the command and control of the Armed Forces, the freedom of maneuver of the Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or
(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.
(c) DENIAL OPTIONS.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall, to the greatest extent practicable, prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities described in subsection (a) of infrastructure critical to the political integrity, economic security, and national security of the United States.
(d) COST-IMPOSITION OPTIONS.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall develop and, when appropriate, demonstrate, or otherwise make known to adversaries the existence of, cyber capabilities to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity described in subsection (a).
(e) MULTI-PRONG RESPONSE.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall leverage all instruments of national power.
(f) UPDATE ON PRESIDENTIAL POLICY.—
(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the President shall transmit, in unclassified and classified forms, as appropriate, to the appropriate congressional committees a report containing an update to the report provided to the Congress on the policy of the United States on cyberspace, cybersecurity, and cyber warfare pursuant to section 1633 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 130g note).
(2) CONTENTS.—The report required under paragraph (1) shall include the following:
(A) An assessment of the current posture in cyberspace, including assessments of—(f) RULE OF CONSTRUCTION.—Nothing in this subsection may be construed to limit the authority of the President or Congress to authorize the use of military force.
(i) whether past responses to major cyber attacks have had the desired deterrent effect; and(B) Updates on the Administration's efforts in the development of—
(ii) how adversaries have responded to past United States responses.
(i) cost imposition strategies;(C) Information relating to the Administration's plans, including specific planned actions, regulations, and legislative action required, for—
(ii) varying levels of cyber incursion and steps taken to date to prepare for the imposition of the consequences referred to in clause (i); and
(iii) the Cyber Deterrence Initiative.
(i) advancing technologies in attribution, inherently secure technology, and artificial intelligence society-wide;
(ii) improving cybersecurity in and cooperation with the private sector;
(iii) improving international cybersecurity cooperation; and
(iv) implementing the policy referred to in paragraph (1), including any realignment of government or government responsibilities required, writ large.
(g) DEFINITIONS.—In this section:
(1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term "appropriate congressional committees" means—
(A) the congressional defense committees;(2) FOREIGN POWER.—The term "foreign power" has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(B) the Permanent Select Committee on Intelligence of the House of Representatives;
(C) the Select Committee on Intelligence of the Senate;
(D) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and
(E) the Committee on Foreign Relations;
the Committee on Homeland Security and Governmental Affairs; and the Committee on the Judiciary of the Senate.
Policy of the United States on cyberspace, cybersecurity, cyber warfare, and cyber deterrence (sec. 1636)
The Senate amendment contained a provision (sec. 1621) that would establish the policy of the United States with respect to cyberspace, cybersecurity, and cyber warfare. The Senate amendment contained another provision (sec. 6601) that would amend section 1621 to narrow the policy's prescriptions to only apply to cyber attacks and malicious cyber activities by a foreign power.
The House bill contained no similar provision.
The House recedes with an amendment that would integrate both provisions and would make minor changes to the statement of policy, striking the priorities of the United States in carrying out the policy and the policy on sovereignty in cyberspace. The amendment would also require an update on the Presidential Policy submitted to the Congress pursuant to section 1633 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91).
The conferees note that the policy submitted to the Congress was incomplete. The 6-page memorandum, written in response to the reporting requirement of the National Defense Authorization Act, introduced a 63-page report written in response to Executive Order 13800. The conferees were disappointed with the former's brevity and the latter's significant number of items to be resolved. The report in sum evinced little consideration of the difficult choices intrinsic to the policy-making process, instead recommending further working groups, task forces, and deliberation for the creation and implementation of a national strategy in cyberspace.
The conferees therefore seek an update on the progress of the core initiatives recommended by report: the establishment of a policy for cost imposition, a menu for consequences, policy- planning guidance, and the Cyber Deterrence Initiative.
In reporting the status of these initiatives, the conferees urge the President to include, to the extent possible and protected by classification, as necessary: (1) the administration's plans, including specific planned actions, regulations, and legislative action required for their development; (2) steps taken to date to prepare for the imposition of consequences against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and the Islamic Republic of Iran in cyberspace (e.g., zero-day discovery, tool-development, and preposition of malware) and through other instruments of national power; and (3) criteria for use of particular consequences, including criteria as to when responsive cyber attacks are likely to be particularly escalatory, as to when, and specifically against which adversaries, responsive cyber attacks are likely to be particularly effective as means of deterrence, and as to when the risk and consequences of escalation due to responsive action outweigh the risk and cost of non-action or action by financial, law enforcement, and diplomatic means alone.
The conferees also urge the President to include the administration's considerations and determinations surrounding: (1) whether all cyber attacks of significant consequence below the threshold of war demand response; (2) whether significant attacks on private sector companies outside of critical infrastructure demand response, including examples of attacks on companies that might beget response; (3) whether, in certain circumstances, the United States should privilege immediacy in response to achieving full technical attribution; (4) under what circumstances the United States should attempt to blunt, render useless, or defeat detected attacks through offensive cyber action in real-time, including examples of such circumstances; (5) how the United States can balance the establishment of stable norms in cyberspace and responsive offensive action, including through diplomatic means; (6) how the United States balances the sovereignty and equities of third-party countries whose infrastructure hosts or accommodates transit of adversary malware, including examples of feasible and infeasible actions; and (7) how the United States balances privacy, freedom of action, and values implicit to a market economy in imposing cybersecurity and disclosure requirements on the private sector, including an assessment of the adequacy of current law and regulations.