Source: https://docs.house.gov/billsthisweek/20180723/CRPT-115hrpt863.pdf

JOHN S. McCAIN
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2019
CONFERENCE REPORT TO ACCOMPANY H.R. 5515

[...]

Affirming the authority of the Secretary of Defense to conduct military activities and operations in cyberspace (sec. 1632)

The Senate amendment contained a provision (sec. 1622) that would affirm the authority of the Secretary of Defense to conduct military activities and operations in cyberspace, including clandestine military activities and operations, to defend the United States, its allies, and its interests, in anticipation of and in response to malicious cyber activities carried out against the United States or a United States person by a foreign power and would clarify that clandestine military activities or operations in cyberspace are traditional military activities for the purposes of section 503(e)(2) of the National Security Act of 1947 (Public Law 80-253).

The House bill contained no similar provision.

The House recedes with an amendment that would clarify that the affirmation does not itself authorize any specific military activities or operations and should not be treated as an authorization for use of military force.

The conferees note that the Department of Defense faces difficulties within the interagency in obtaining mission approval. One of the challenges routinely confronted by the Department is the perceived ambiguity as to whether clandestine military activities and operations, even those short of cyber attacks, qualify as traditional military activities as distinct from covert actions requiring a Presidential Finding. As a result, with respect to actions that produce effects on information systems outside of areas of active hostilities, the Department of Defense has been limited to proposing actions that could be conducted overtly on attributable infrastructure without deniability—an operational space that is far too narrow to defend national interests. The conferees see no logical, legal, or practical reason for allowing extensive clandestine traditional military activities in all other operational domains (air, sea, ground, and space) but not in cyberspace. It is unfortunate that the executive branch has squandered years in interagency deliberations that failed to recognize this basic fact and that this legislative action has proven necessary.

The conferees, in this affirmation, specify that military activities and operations, or associated preparatory actions, conducted in cyberspace, marked by, held in, or conducted with secrecy, and carried out, (1) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary, (2) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets, or (3) in support of information related capabilities, indeed qualify as traditional military activities. Such activities include those conducted for the purpose of preparation of the environment, force protection, deterrence of hostilities, advancing counterterrorism operations, and in support of information operations or information-related capabilities. Information-related capabilities may include, when appropriate and approved, military deception and psychological operations.

The conferees do not intend or expect that this provision will result in the Department's unnecessarily or routinely conducting clandestine cyber attacks, especially those outside of areas in which hostilities are occurring, but nonetheless recognize that it is important that the Department have the ability to respond to and prepare for hostilities in cyberspace. The conferees urge the Department to pursue more active engagement with and deterrence of adversaries in cyberspace. The conferees also urge the administration to reconfigure its interagency processes as necessary to ensure that the Department's operations are approved in an appropriately efficient and effective manner.

The conferees intend to conduct rigorous oversight of Department of Defense clandestine operations in cyberspace and expect the Department to keep the congressional defense committees apprised of activities and operations and informed regarding operational authorities and associated execute orders.

Finally, the conferees recognize that information operations are particularly contested and controversial. While the conferees agree that the Department should conduct aggressive information operations to deter adversaries, as is recommended by the Defense Science Board's Task Force on Cyber Deterrence in its February 2017 report, the conferees do not intend this affirmation as an authorization of clandestine activities against the American people or of activities that could result in any significant exposure of the American people and media to U.S. government-created information.

[...]