Source: https://docs.house.gov/billsthisweek/20180723/CRPT-115hrpt863.pdf

JOHN S. McCAIN
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2019
CONFERENCE REPORT TO ACCOMPANY H.R. 5515

[...]

SEC. 1642. ACTIVE DEFENSE AGAINST THE RUSSIAN FEDERATION, PEOPLE'S REPUBLIC OF CHINA, DEMOCRATIC PEOPLE'S REPUBLIC OF KOREA, AND ISLAMIC REPUBLIC OF IRAN ATTACKS IN CYBERSPACE.

(a) AUTHORITY TO DISRUPT, DEFEAT, AND DETER CYBER ATTACKS.—
(1) IN GENERAL.—In the event that the National Command Authority determines that the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, or Islamic Republic of Iran is conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes, the National Command Authority may authorize the Secretary of Defense, acting through the Commander of the United States Cyber Command, to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks under the authority and policy of the Secretary of Defense to conduct cyber operations and information operations as traditional military activities.
(2) NOTIFICATION AND REPORTING.—

(b) PRIVATE SECTOR COOPERATION.—The Secretary may make arrangements with private sector entities, on a voluntary basis, to share threat information related to malicious cyber actors, and any associated false online personas or compromised infrastructure, associated with a determination under subsection (a)(1), consistent with the protection of sources and methods and classification guidelines, as necessary.
(c) ANNUAL REPORT.—Not less frequently than once each year, the Secretary shall submit to the congressional defense committees, the congressional intelligence committees (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), the Committee on Foreign Affairs of the House of Representatives, and the Committee on Foreign Relations of the Senate a report on—
(d) RULE OF CONSTRUCTION.—Nothing in this section may be construed to—

[...]

Active defense against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran attacks in cyberspace (sec. 1642)

The Senate amendment contained a provision (sec. 1623) that would authorize the National Command Authority to direct the Commander, U.S. Cyber Command, to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace. The provision would direct the Secretary of Defense, using the results of the surveillance conducted through CYBERCOM, also authorized in the provision, to work with social media companies on a voluntary basis to assist those companies in identifying accounts created by personnel and organizations engaged at the behest of or in support of the Russian Federation and that violate the companies' terms of service.

The Senate amendment contained another provision (sec. 6601) that would amend section 1623 to narrow the authorization to only apply to foreign cyberspace.

The House bill contained no similar provision.

The House recedes with an amendment that would synthesize the two provisions, add authorizations for action against the People's Republic of China, the Democratic People's Republic of Korea, and the Islamic Republic of Iran, strike the explicit authorization of surveillance, and add a rule of construction governing the authorization.

The conferees have been disappointed with the past responses of the executive branch to adversary cyberattacks and urge the President to respond to the continuous aggression that we see, for example, in Russia's information operations against the United States and European allies in an attempt to undermine democracy. The administration's passivity in combatting this campaign, as documented repeatedly in hearings before the congressional defense committees in the past 2 years, in the judgment of numerous executive branch officials, will encourage rather than dissuade additional aggression. The Congress has worked diligently to ensure that the Department possesses the necessary capabilities and authorities to combat, in particular, these Russian information operations, and this authorization represents further progress toward that objective. The conferees strongly encourage the President to defend the American people and institutions of government from foreign intervention.

The conferees are also cognizant of the significant cyber threats posed by the People's Republic of China, the Democratic Republic of Korea, and the Islamic Republic of Iran and urge the President to take action to disrupt, defeat, and deter the systematic cyber attacks.