A proposed law would require congressional notification when DOD conducts external cyber operations — offensive or defensive.
Defense Department officials would be required to notify congressional overseers within 48 hours of launching any sensitive cyber operation under legislation introduced Thursday by top lawmakers on the House Armed Services Committee.
The law would apply to both offensive and defensive cyber operations that leave DOD networks and produce effects outside locations where the U.S. is engaged in a hot war.
The law would not apply to covert actions, which are typically conducted by intelligence agencies rather than the uniformed military.
That means the Stuxnet attack against Iran’s nuclear capability, which is among the best-known offensive cyber operations and widely believed to have been launched, in part, by U.S. intelligence agencies, would not fall under the law’s requirements.
The law would also require the Pentagon to notify the House and Senate Armed Services Committees about any reviews of cyber weapons to determine if they can be used under international law.
“While there are programs that must necessarily remain classified to keep the country safe, Congress still has a responsibility to conduct appropriate oversight in order to protect our security and our essential freedoms at the same time,” House Armed Services Chairman Mac Thornberry, R-Texas, said in a statement.
Thornberry sponsored the bill along with committee ranking member Adam Smith, D-Wash., and Reps. Elise Stefanik, R-N.Y., and Jim Langevin, D-R.I., chair and ranking member of the committee’s cyber panel.
The bill comes as U.S. Cyber Command, which launched in 2010, is preparing to become fully operational. CYBERCOM’s mission focuses primarily on securing Defense Department networks and military operations, but the Pentagon has acknowledged CYBERCOM is prepared to launch offensive cyber operations with presidential approval.
Former Defense Secretary Ash Carter stated in 2016 the military had used cyber tools to disrupt communications by the Islamic State, the only time the Pentagon has acknowledged going on digital offense.
Separate legislation, introduced Wednesday by Rep. Lou Correa, D-Calif., would urge DOD to update its current cyber strategy from 2015 to outline a specific strategy for cyber offense.
The bill would also clear a path for the U.S. to help NATO allies develop similar offensive cyber strategies.
The offensive strategy should include specific ways the military could use cyber capabilities to thwart traditional military attacks on land, sea and air by Russia or another adversary, the bill states.