Update on the "Military Activities in Cyberspace" Provision in the HASC NDAA Bill
[UPDATE: If one looks at the draft NDAA provisions approved by the HASC Emerging Threats Subcomittee (Chairman Mac Thornberry, Hook 'Em), there is at section 942 a provision calling for quarterly reporting to SASC and HASC of DOD's significant cyberspace activities (as well as a section calling for DOD to report by March next year on whether there are remaining issues surrounding DOD authorities to engage in cyber operations). I am told that all the HASC marks will be co
Published by The Lawfare Institute
in Cooperation With
[UPDATE: If one looks at the draft NDAA provisions approved by the HASC Emerging Threats Subcomittee (Chairman Mac Thornberry, Hook 'Em), there is at section 942 a provision calling for quarterly reporting to SASC and HASC of DOD's significant cyberspace activities (as well as a section calling for DOD to report by March next year on whether there are remaining issues surrounding DOD authorities to engage in cyber operations). I am told that all the HASC marks will be consolidated in some fashion when the bill moves to the floor, in which case the confusion I noted below will drop out. Thanks to readers for this clarification!]
Earlier I noted that the "military activities in cyberspace" provision in this year's HASC NDAA bill is the same as last year's, which passed the House but was replaced with other language during the conference process. But there actually is an interesting change, one I certainly should have noticed the first time through. Or at least there appears to be such a change. Here's the deal:
Last year's HASC bill included, at section 962, a Congressional notification requirement:
c) BRIEFINGS ON ACTIVITIES.—Not later than 120 days after the date of the enactment of this Act, and quarterly thereafter, the Secretary of Defense shall provide a briefing to the Committees on Armed Services of the House of Representatives and the Senate on covered military cyberspace activities that the Department of Defense carried out during the preceding quarter.The accompanying committee report explained:
To be clear, that did not remain in the final version of the NDAA FY'12 (as I said, the House version on this issue gave way to a different version at Conference). In any event, this year's HASC bill is indeed identical to last year's HASC bill in most respects as I said before, but...the "Briefings on Activities" subsection has been dropped. Or at least it is not in the proposed statutory text (see here, under section 941). On the other hand, the summary statement acompanying that text (it's all one document) still includes the language quoted above as to why such reporting is important. So one of two things has happened. Either it was a mistake to delete the Briefings on Activities subsection from the proposed text, or it was a mistake to leave the reference to it in the explanatory language in the summary. I'm guessing the latter, as it is more likely that someone would fail to delete this accidentally than that someone would accidentally affirmatively delete the Briefings subsection from the text itself. In any event, it is certainly interesting that there may be an effort to drop this element of the provision. I will update on this issue if and when I get clarification as to what was intended.Because of the sensitivities associated with such military activities and the need for more rigorous oversight, this section would require quarterly briefings to the congressional defense committees on covered military activities in cyberspace.
Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.