JOHN S. McCAIN
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2019
CONFERENCE REPORT TO ACCOMPANY H.R. 5515
SEC. 1642. ACTIVE DEFENSE AGAINST THE RUSSIAN FEDERATION, PEOPLE'S REPUBLIC OF CHINA, DEMOCRATIC PEOPLE'S REPUBLIC OF KOREA, AND ISLAMIC REPUBLIC OF IRAN ATTACKS IN CYBERSPACE.
(a) AUTHORITY TO DISRUPT, DEFEAT, AND DETER CYBER ATTACKS.—
(1) IN GENERAL.—In the event that the National Command Authority determines that the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, or Islamic Republic of Iran is conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes, the National Command Authority may authorize the Secretary of Defense, acting through the Commander of the United States Cyber Command, to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks under the authority and policy of the Secretary of Defense to conduct cyber operations and information operations as traditional military activities.
(2) NOTIFICATION AND REPORTING.—
(A) NOTIFICATION OF OPERATIONS.—In exercising the authority provided in paragraph (1), the Secretary shall provide notices to the congressional defense committees in accordance with section 395 of title 10, United States Code (as transferred and redesignated pursuant to section 1631).(b) PRIVATE SECTOR COOPERATION.—The Secretary may make arrangements with private sector entities, on a voluntary basis, to share threat information related to malicious cyber actors, and any associated false online personas or compromised infrastructure, associated with a determination under subsection (a)(1), consistent with the protection of sources and methods and classification guidelines, as necessary.
(B) QUARTERLY REPORTS BY COMMANDER OF THE UNITED STATES CYBER COMMAND.—
(i) IN GENERAL.—In any fiscal year in which the Commander of the United States Cyber Command carries out an action under paragraph (1), the Secretary of Defense shall, not less frequently than quarterly, submit to the congressional defense committees a report on the actions of the Commander under such paragraph in such fiscal year.
(ii) MANNER OF REPORTING.—Reports submitted under clause (i) shall be submitted in a manner that is consistent with the recurring quarterly report required by section 484 of title 10, United States Code.
(c) ANNUAL REPORT.—Not less frequently than once each year, the Secretary shall submit to the congressional defense committees, the congressional intelligence committees (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), the Committee on Foreign Affairs of the House of Representatives, and the Committee on Foreign Relations of the Senate a report on—
(1) the scope and intensity of the information operations and attacks through cyberspace by the countries specified in subsection (a)(1) against the government or people of the United States observed by the cyber mission forces of the United States Cyber Command and the National Security Agency; and(d) RULE OF CONSTRUCTION.—Nothing in this section may be construed to—
(2) adjustments of the Department of Defense in the response directed or recommended by the Seretary with respect to such operations and attacks.
(1) limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine activities or operations in cyberspace; or
(2) affect the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.) or the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note).
Active defense against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran attacks in cyberspace (sec. 1642)
The Senate amendment contained a provision (sec. 1623) that would authorize the National Command Authority to direct the Commander, U.S. Cyber Command, to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace. The provision would direct the Secretary of Defense, using the results of the surveillance conducted through CYBERCOM, also authorized in the provision, to work with social media companies on a voluntary basis to assist those companies in identifying accounts created by personnel and organizations engaged at the behest of or in support of the Russian Federation and that violate the companies' terms of service.
The Senate amendment contained another provision (sec. 6601) that would amend section 1623 to narrow the authorization to only apply to foreign cyberspace.
The House bill contained no similar provision.
The House recedes with an amendment that would synthesize the two provisions, add authorizations for action against the People's Republic of China, the Democratic People's Republic of Korea, and the Islamic Republic of Iran, strike the explicit authorization of surveillance, and add a rule of construction governing the authorization.
The conferees have been disappointed with the past responses of the executive branch to adversary cyberattacks and urge the President to respond to the continuous aggression that we see, for example, in Russia's information operations against the United States and European allies in an attempt to undermine democracy. The administration's passivity in combatting this campaign, as documented repeatedly in hearings before the congressional defense committees in the past 2 years, in the judgment of numerous executive branch officials, will encourage rather than dissuade additional aggression. The Congress has worked diligently to ensure that the Department possesses the necessary capabilities and authorities to combat, in particular, these Russian information operations, and this authorization represents further progress toward that objective. The conferees strongly encourage the President to defend the American people and institutions of government from foreign intervention.
The conferees are also cognizant of the significant cyber threats posed by the People's Republic of China, the Democratic Republic of Korea, and the Islamic Republic of Iran and urge the President to take action to disrupt, defeat, and deter the systematic cyber attacks.