More on the Next NDAA: Military Activities in Cyberspace

[UPDATE 5/10/12: Whoops.  Careful readers will note that the new bill omits the congressional-notification language from last year's bill...at least in the text of the statute, though not in the explanatory statement.  I explain here.] Another item of interest in the draft NDAA FY13 released by Chairman McKeon today concerns military activities in cyberspace.  Readers may recall that last year's HASC bill had a section 962 on this topic (described here), but that during the conference process this proposal gave way to the language that became law as section 954 of the NDAA FY'12.  Well, the new McKeon bill released yesterday revisits the issue by proposing to reinstate the original language HASC proposed last year (i.e., the language from HASC's section 962).  Put simply (sort of), section 941 of McKeon's draft of the NDAA FY'13 would replace section 954 of the NDAA FY'12 with the language originally proposed in section 962 from HASC's version of the NDAA FY'12.  Got it?  Good.  Let's look at the provisions themselves: Current law (section 954 of the NDAA FY'12):

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE. Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to— (1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

Proposed change (section 941 of McKeon's bill in re NDAA FY'13, same as section 962 of the HASC bill last year):

 SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.

(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—

     (1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107-40) against a target located outside of the United States; or

     (2) to defend against a cyber attack against an asset of the Department of Defense.

(c) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.

Note that the explanatory statement for the revision also is the same as it was last year:

Section 941—Military Activities in Cyberspace

This section would affirm that the Secretary of Defense has the authority to conduct military activities in cyberspace. The committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

In particular, this section would clarify that the Secretary of Defense has the authority to conduct clandestine cyberspace activities in support of military operations pursuant to a congressionally authorized use of force outside of the United States, or to defend against a cyber attack on an asset of the Department of Defense.

The committee notes that Al Qaeda, the Taliban, and associated forces are increasingly using the internet to exercise command and control as well as to spread technical information enabling attacks on U.S. and coalition forces in areas of ongoing hostilities. Terrorists often rely on the global reach of the internet to communicate and plan from distributed sanctuaries throughout the world. As a result, military activities may not be confined to a physical battlefield, and the use of military cyber activities has become a critical part of the effort to protect U.S. and coalition forces and combat terrorism globally. In certain instances, the most effective way to neutralize threats is to undertake military cyber activities in a clandestine manner. While this section is not meant to identify all or in any way limit other possible military activities in cyberspace, the Secretary of Defense’s authority includes the authority to conduct clandestine military activities in cyberspace in support of military operations pursuant to an armed conflict for which Congress has authorized the use of all necessary and appropriate force or to defend against a cyber attack on a Department of Defense asset.

Because of the sensitivities associated with such military activities and the need for more rigorous oversight, this section would require quarterly briefings to the congressional defense committees on covered military activities in cyberspace.

I've nothing to add at this point, beyond what I said in commenting on these same provisions last year.  It will be interesting to see how things unfold this time round.