References in Text

The War Powers Resolution, referred to in subsecs. (b) and (e), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The Authorization for Use of Military Force, referred to in subsec. (e), is Pub. L. 107–40, Sept. 18, 2001, 115 Stat. 224, which is set out as a note under section 1541 of Title 50, War and National Defense.

Amendments

2018—Pub. L. 115–232, §1632, designated existing provisions as subsec. (a), inserted heading, substituted "conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response" for "conduct, a military cyber operation in response", struck out "(as such terms are defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801))" after "foreign power", and added subsecs. (b) to (f).

Pub. L. 115–232, §1631(a), renumbered section 130g of this title as this section.

Notification of Delegation of Authorities to the Secretary of Defense for Military Operations in Cyberspace

Pub. L. 116–92, div. A, title XVI, §1642, Dec. 20, 2019, 133 Stat. 1751, provided that:

"(a) In General.—The Secretary of Defense shall provide written notification to the Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate of the following:

"(1) Authorities delegated to the Secretary by the President for military operations in cyberspace that are otherwise held by the National Command Authority, not later than 15 days after any such delegation. A notification under this paragraph shall include a description of the authorities delegated to the Secretary.

"(2) Concepts of operations approved by the Secretary pursuant to delegated authorities described in paragraph (1), not later than 15 days after any such approval. A notification under this paragraph shall include the following:

"(A) A description of authorized activities to be conducted or planned to be conducted pursuant to such authorities.

"(B) The defined military objectives relating to such authorities.

"(C) A list of countries in which such authorities may be exercised.

"(D) A description of relevant orders issued by the Secretary in accordance with such authorities.

"(b) Procedures.—

"(1) In general.—The Secretary of Defense shall establish and submit to the Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate procedures for complying with the requirements of subsection (a), consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify such committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.

"(2) Sufficiency.—The Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to such committees pursuant to this section.

"(3) Notification in event of unauthorized disclosure.—In the event of an unauthorized disclosure of authorities covered by this section, the Secretary of Defense shall ensure, to the maximum extent practicable, that the Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate are notified immediately. Notification under this paragraph may be verbal or written, but in the event of a verbal notification, a written notification signed by the Secretary shall be provided by not later than 48 hours after the provision of such verbal notification."

Annual Military Cyberspace Operations Report

Pub. L. 116–92, div. A, title XVI, §1644, Dec. 20, 2019, 133 Stat. 1752, provided that:

"(a) In General.—Not later than March 1 of each year, the Secretary of Defense shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a written report summarizing all named military cyberspace operations conducted in the previous calendar year, including cyber effects, operations, cyber effects enabling operations, and cyber operations conducted as defensive operations. Each such summary should be organized by adversarial country and should include the following for each named operation:

"(1) An identification of the objective and purpose.

"(2) Descriptions of the impacted countries, organizations, or forces, and nature of the impact.

"(3) A description of methodologies used for the cyber effects operation or cyber effects enabling operation.

"(4) An identification of the Cyber Mission Force teams, or other Department of Defense entity or units, that conducted such operation, and supporting teams, entities, or units.

"(5) An identification of the infrastructures on which such operations occurred.

"(6) A description of relevant legal, operational, and funding authorities.

"(7) Additional costs beyond baseline operations and maintenance and personnel costs directly associated with the conduct of the cyber effects operation or cyber effects enabling operation.

"(8) Any other matters the Secretary determines relevant.

"(b) Classification.—The Secretary of Defense shall provide each report required under subsection (a) at a classification level the Secretary determines appropriate.

"(c) Limitation.—This section does not apply to cyber-enabled military information support operations or military deception operations."

Policy of the United States on Cyberspace, Cybersecurity, Cyber Warfare, and Cyber Deterrence

Pub. L. 115–232, div. A, title XVI, §1636, Aug. 13, 2018, 132 Stat. 2126, provided that:

"(a) In General.—It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests with the intent to—

"(1) cause casualties among United States persons or persons of United States allies;

"(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);

"(3) threaten the command and control of the Armed Forces, the freedom of maneuver of the Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or

"(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.

"(b) Response Options.—In carrying out the policy set forth in subsection (a), the United States shall plan, develop, and, when appropriate, demonstrate response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.

"(c) Denial Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall, to the greatest extent practicable, prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities described in subsection (a) of infrastructure critical to the political integrity, economic security, and national security of the United States.

"(d) Cost-imposition Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall develop and, when appropriate, demonstrate, or otherwise make known to adversaries the existence of, cyber capabilities to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity described in subsection (a).

"(e) Multi-prong Response.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall leverage all instruments of national power.

"(f) Update on Presidential Policy.—

"(1) In general.—Not later than 180 days after the date of the enactment of this Act [Aug. 13, 2018], the President shall transmit, in unclassified and classified forms, as appropriate, to the appropriate congressional committees a report containing an update to the report provided to the Congress on the policy of the United States on cyberspace, cybersecurity, and cyber warfare pursuant to section 1633 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 130g note) [now 10 U.S.C. 394 note].

"(2) Contents.—The report required under paragraph (1) shall include the following:

"(A) An assessment of the current posture in cyberspace, including assessments of—

"(i) whether past responses to major cyber attacks have had the desired deterrent effect; and

"(ii) how adversaries have responded to past United States responses.

"(B) Updates on the Administration's efforts in the development of—

"(i) cost imposition strategies;

"(ii) varying levels of cyber incursion and steps taken to date to prepare for the imposition of the consequences referred to in clause (i); and

"(iii) the Cyber Deterrence Initiative.

"(C) Information relating to the Administration's plans, including specific planned actions, regulations, and legislative action required, for—

"(i) advancing technologies in attribution, inherently secure technology, and artificial intelligence society-wide;

"(ii) improving cybersecurity in and cooperation with the private sector;

"(iii) improving international cybersecurity cooperation; and

"(iv) implementing the policy referred to in paragraph (1), including any realignment of government or government responsibilities required, writ large.

"(f) [probably should be "(g)"] Rule of Construction.—Nothing in this subsection may be construed to limit the authority of the President or Congress to authorize the use of military force.

"(g) [probably should be "(h)"] Definitions.—In this section:

"(1) Appropriate congressional committees.—The term 'appropriate congressional committees' means—

"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];

"(B) the Permanent Select Committee on Intelligence of the House of Representatives;

"(C) the Select Committee on Intelligence of the Senate;

"(D) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and

"(E) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate.

"(2) Foreign power.—The term 'foreign power' has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)."

Pub. L. 115–91, div. A, title XVI, §1633, Dec. 12, 2017, 131 Stat. 1738, provided that:

"(a) In General.—The President shall—

"(1) develop a national policy for the United States relating to cyberspace, cybersecurity, and cyber warfare; and

"(2) submit to the appropriate congressional committees a report on the policy.

"(b) Elements.—The national policy required under subsection (a) shall include the following elements:

"(1) Delineation of the instruments of national power available to deter or respond to cyber attacks or other malicious cyber activities by a foreign power or actor that targets United States interests.

"(2) Available or planned response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.

"(3) Available or planned denial options that prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities that are carried out against infrastructure critical to the political integrity, economic security, and national security of the United States.

"(4) Available or planned cyber capabilities that may be used to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity.

"(5) Development of multi-prong response options, such as—

"(A) boosting the cyber resilience of critical United States strike systems (including cyber, nuclear, and non-nuclear systems) in order to ensure the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attack;

"(B) developing offensive cyber capabilities and specific plans and strategies to put at risk targets most valued by adversaries of the United States and their key decision makers; and

"(C) enhancing attribution capabilities and developing intelligence and offensive cyber capabilities to detect, disrupt, and potentially expose malicious cyber activities.

"(c) Limitation on Availability of Funds.—

"(1) In general.—Of the funds authorized to be appropriated by this Act [see Tables for classification] or otherwise made available for fiscal year 2018 for procurement, research, development, test and evaluation, and operations and maintenance, for the covered activities of the Defense Information Systems Agency, not more than 60 percent may be obligated or expended until the date on which the President submits to the appropriate congressional committees the report under subsection (a)(2).

"(2) Covered activities described.—The covered activities referred to in paragraph (1) are the activities of the Defense Information Systems Agency in support of—

"(A) the White House Communication Agency; and

"(B) the White House Situation Support Staff.

"(d) Definitions.—In this section:

"(1) The term 'foreign power' has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

"(2) The term 'appropriate congressional committees' means—

"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];

"(B) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and

"(C) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate."

Active Defense Against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran Attacks in Cyberspace

Pub. L. 115–232, div. A, title XVI, §1642, Aug. 13, 2018, 132 Stat. 2132, provided that:

"(a) Authority to Disrupt, Defeat, and Deter Cyber Attacks.—

"(1) In general.—In the event that the National Command Authority determines that the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, or Islamic Republic of Iran is conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes, the National Command Authority may authorize the Secretary of Defense, acting through the Commander of the United States Cyber Command, to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks under the authority and policy of the Secretary of Defense to conduct cyber operations and information operations as traditional military activities.

"(2) Notification and reporting.—

"(A) Notification of operations.—In exercising the authority provided in paragraph (1), the Secretary shall provide notices to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] in accordance with section 395 of title 10, United States Code (as transferred and redesignated pursuant to section 1631).

"(B) Quarterly reports by commander of the united states cyber command.—

"(i) In general.—In any fiscal year in which the Commander of the United States Cyber Command carries out an action under paragraph (1), the Secretary of Defense shall, not less frequently than quarterly, submit to the congressional defense committees a report on the actions of the Commander under such paragraph in such fiscal year.

"(ii) Manner of reporting.—Reports submitted under clause (i) shall be submitted in a manner that is consistent with the recurring quarterly report required by section 484 of title 10, United States Code.

"(b) Private Sector Cooperation.—The Secretary may make arrangements with private sector entities, on a voluntary basis, to share threat information related to malicious cyber actors, and any associated false online personas or compromised infrastructure, associated with a determination under subsection (a)(1), consistent with the protection of sources and methods and classification guidelines, as necessary.

"(c) Annual Report.—Not less frequently than once each year, the Secretary shall submit to the congressional defense committees, the congressional intelligence committees (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), the Committee on Foreign Affairs of the House of Representatives, and the Committee on Foreign Relations of the Senate a report on—

"(1) the scope and intensity of the information operations and attacks through cyberspace by the countries specified in subsection (a)(1) against the government or people of the United States observed by the cyber mission forces of the United States Cyber Command and the National Security Agency; and

"(2) adjustments of the Department of Defense in the response directed or recommended by the Secretary with respect to such operations and attacks.

"(d) Rule of Construction.—Nothing in this section may be construed to—

"(1) limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine activities or operations in cyberspace; or

"(2) affect the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.) or the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note)."

Pilot Program To Model Cyber Attacks on Critical Infrastructure

Pub. L. 115–232, div. A, title XVI, §1649, Aug. 13, 2018, 132 Stat. 2137, provided that:

"(a) Pilot Program Required.—

"(1) In general.—The Assistant Secretary of Defense for Homeland Defense and Global Security shall carry out a pilot program to model cyber attacks on critical infrastructure in order to identify and develop means of improving Department of Defense responses to requests for defense support to civil authorities for such attacks.

"(2) Research exercises.—The pilot program shall source data from and include consideration of the 'Jack Voltaic' research exercises conducted by the Army Cyber Institute, industry partners of the Institute, and the cities of New York, New York, and Houston, Texas.

"(b) Purpose.—The purpose of the pilot program shall be to accomplish the following:

"(1) The development and demonstration of risk analysis methodologies, and the application of commercial simulation and modeling capabilities, based on artificial intelligence and hyperscale cloud computing technologies, as applicable—

"(A) to assess defense critical infrastructure vulnerabilities and interdependencies to improve military resiliency;

"(B) to determine the likely effectiveness of attacks described in subsection (a)(1), and countermeasures, tactics, and tools supporting responsive military homeland defense operations;

"(C) to train personnel in incident response;

"(D) to conduct exercises and test scenarios;

"(E) to foster collaboration and learning between and among departments and agencies of the Federal Government, State and local governments, and private entities responsible for critical infrastructure; and

"(F) improve intra-agency and inter-agency coordination for consideration and approval of requests for defense support to civil authorities.

"(2) The development and demonstration of the foundations for establishing and maintaining a program of record for a shared high-fidelity, interactive, affordable, cloud-based modeling and simulation of critical infrastructure systems and incident response capabilities that can simulate complex cyber and physical attacks and disruptions on individual and multiple sectors on national, regional, State, and local scales.

"(c) Report.—

"(1) In general.—At the same time the budget of the President for fiscal year 2021 is submitted to Congress pursuant to section 1105(a) of title 31, United States Code, the Assistant Secretary shall, in consultation with the Secretary of Homeland Security, submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the pilot program.

"(2) Contents.—The report required by paragraph (1) shall include the following:

"(A) A description of the results of the pilot program as of the date of the report.

"(B) A description of the risk analysis methodologies and modeling and simulation capabilities developed and demonstrated pursuant to the pilot program, and an assessment of the potential for future growth of commercial technology in support of the homeland defense mission of the Department of Defense.

"(C) Such recommendations as the Secretary considers appropriate regarding the establishment of a program of record for the Department on further development and sustainment of risk analysis methodologies and advanced, large-scale modeling and simulation on critical infrastructure and cyber warfare.

"(D) Lessons learned from the use of novel risk analysis methodologies and large-scale modeling and simulation carried out under the pilot program regarding vulnerabilities, required capabilities, and reconfigured force structure, coordination practices, and policy.

"(E) Planned steps for implementing the lessons described in subparagraph (D).

"(F) Any other matters the Secretary determines appropriate."

Identification of Countries of Concern Regarding Cybersecurity

Pub. L. 115–232, div. A, title XVI, §1654, Aug. 13, 2018, 132 Stat. 2148, provided that:

"(a) Identification of Countries of Concern.—Not later than 180 days after the date of the enactment of this Act [Aug. 13, 2018], the Secretary of Defense shall create a list of countries that pose a risk to the cybersecurity of United States defense and national security systems and infrastructure. Such list shall reflect the level of threat posed by each country included on such list. In creating such list, the Secretary shall take in to account the following:

"(1) A foreign government's activities that pose force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

"(2) A foreign government's willingness and record of providing financing, logistics, training or intelligence to other persons, countries or entities posing a force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

"(3) A foreign government's engagement in foreign intelligence activities against the United States for the purpose of undermining United States national security.

"(4) A foreign government's knowing participation in transnational organized crime or criminal activity.

"(5) A foreign government's cyber activities and operations to affect the supply chain of the United States Government.

"(6) A foreign government's use of cyber means to unlawfully or inappropriately obtain intellectual property from the United States Government or United States persons.

"(b) Updates.—The Secretary shall continuously update and maintain the list under subsection (a) to preempt obsolescence.

"(c) Report to Congress.—Not later than one year after the date of the enactment of this Act, the Secretary shall submit to the appropriate committees of Congress the list created pursuant to subsection (a) and any accompanying analysis that contributed to the creation of the list."

Quadrennial Comprehensive Cyber Posture Review

Pub. L. 115–91, div. A, title XVI, §1644, Dec. 12, 2017, 131 Stat. 1748, as amended by Pub. L. 116–92, div. A, title XVI, §1635, Dec. 20, 2019, 133 Stat. 1748, provided that:

"(a) Requirement for Comprehensive Review.—In order to clarify the near-term policy and strategy of the United States with respect to cyber deterrence, the Secretary of Defense shall, not later than December 31, 2022, and quadrennially thereafter, conduct a comprehensive review of the cyber posture of the United States over the posture review period.

"(b) Consultation.—The Secretary of Defense shall conduct each review under subsection (a) in consultation with the Director of National Intelligence, the Attorney General, the Secretary of Homeland Security, and the Secretary of State, as appropriate.

"(c) Elements of Review.—Each review conducted under subsection (a) shall include, for the posture review period, the following elements:

"(1) The role of cyber forces in the military strategy, planning, and programming of the United States.

"(2) Review of the role of cyber operations in combatant commander operational planning, the ability of combatant commanders to respond to hostile acts by adversaries, and the ability of combatant commanders to engage and build capacity with allies.

"(3) A review of the law, policies, and authorities relating to, and necessary for the United States to maintain, a safe, reliable, and credible cyber posture for responding to cyber attacks and for deterrence in cyberspace.

"(4) A declaratory policy relating to the responses of the United States to cyber attacks of significant consequence.

"(5) Proposed norms for the conduct of offensive cyber operations for deterrence and in crisis and conflict.

"(6) Guidance for the development of a cyber deterrence strategy (which may include activities, capability efforts, and operations other than cyber activities, cyber capability efforts, and cyber operations), including—

"(A) a review and assessment of various approaches to cyber deterrence, determined in consultation with experts from Government, academia, and industry;

"(B) a comparison of the strengths and weaknesses of the approaches identified under subparagraph (A) relative to the threat and to each other; and

"(C) an explanation of how the cyber deterrence strategy will inform country-specific deterrence campaign plans focused on key leadership of Russia, China, Iran, North Korea, and any other country the Secretary considers appropriate.

"(7) Identification of the steps that should be taken to bolster stability in cyberspace and, more broadly, stability between major powers, taking into account—

"(A) the analysis and gaming of escalation dynamics in various scenarios; and

"(B) consideration of the spiral escalatory effects of countries developing increasingly potent offensive cyber capabilities.

"(8) A determination of whether sufficient personnel are trained and equipped to meet validated cyber requirements.

"(9) An assessment of the potential costs, benefits, and value, if any, of establishing a cyber force as a separate uniformed service.

"(10) Any recurrent problems or capability gaps that remain unaddressed since the previous posture review.

"(11) Such other matters as the Secretary considers appropriate.

"(d) Report.—

"(1) In general.—The Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the results of each cyber posture review conducted under subsection (a).

"(2) Form of report.—Each report under paragraph (1) may be submitted in unclassified form or classified form, as necessary.

"(e) Posture Review Period Defined.—In this section, the term 'posture review period' means the eight-year period that begins on the date of each review conducted under subsection (a)."