[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2807 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 2807

    To amend title 10, United States Code, to require congressional 
 notification concerning sensitive military cyber operations and cyber 
                    weapons, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              June 7, 2017

Mr. Thornberry (for himself, Mr. Smith of Washington, Ms. Stefanik, and 
Mr. Langevin) introduced the following bill; which was referred to the 
                      Committee on Armed Services

_______________________________________________________________________

                                 A BILL


 
    To amend title 10, United States Code, to require congressional 
 notification concerning sensitive military cyber operations and cyber 
                    weapons, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. NOTIFICATION REQUIREMENTS FOR SENSITIVE MILITARY CYBER 
              OPERATIONS AND CYBER WEAPONS.

    (a) Notification.--Chapter 3 of title 10, United States Code, is 
amended by adding at the end the following new sections:
``Sec. 130j. Notification requirements for sensitive military cyber 
              operations
    ``(a) In General.--Except as provided in subsection (d), the 
Secretary of Defense shall promptly submit to the congressional defense 
committees notice in writing of any sensitive military cyber operation 
conducted under this title no later than 48 hours following such 
operation.
    ``(b) Procedures.--(1) The Secretary of Defense shall establish and 
submit to the congressional defense committees procedures for complying 
with the requirements of subsection (a) consistent with the national 
security of the United States and the protection of operational 
integrity. The Secretary shall promptly notify the congressional 
defense committees in writing of any changes to such procedures at 
least 14 days prior to the adoption of any such changes.
    ``(2) The congressional defense committees shall ensure that 
committee procedures designed to protect from unauthorized disclosure 
classified information relating to national security of the United 
States are sufficient to protect the information that is submitted to 
the committees pursuant to this section.
    ``(3) In the event of an unauthorized disclosure of a sensitive 
military cyber operation covered by this section, the Secretary shall 
ensure, to the maximum extent practicable, that the congressional 
defense committees are notified immediately of the sensitive military 
cyber operation concerned. The notification under this paragraph may be 
verbal or written, but in the event of a verbal notification a written 
notification shall be provided by not later than 48 hours after the 
provision of the verbal notification.
    ``(c) Sensitive Military Cyber Operation Defined.--(1) In this 
section, the term `sensitive military cyber operation' means an action 
described in paragraph (2) that--
            ``(A) is carried out by the armed forces or by a foreign 
        partner in coordination with the armed forces; and
            ``(B) is intended to cause effects outside a geographic 
        location where United States armed forces are involved in 
        hostilities (as that term is used in section 1543 of title 50, 
        United States Code).
    ``(2) The actions described in this paragraph are the following:
            ``(A) An offensive cyber operation.
            ``(B) A defensive cyber operation outside the Department of 
        Defense Information Networks to defeat an ongoing or imminent 
        threat.
    ``(d) Exceptions.--The notification requirement under subsection 
(a) does not apply--
            ``(1) to a training exercise conducted with the consent of 
        all nations where the intended effects of the exercise will 
        occur; or
            ``(2) to a covert action (as that term is defined in 
        section 3093 of title 50, United States Code).
    ``(e) Rule of Construction.--Nothing in this section shall be 
construed to provide any new authority or to alter or otherwise affect 
the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization 
for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note), or 
any requirement under the National Security Act of 1947 (50 U.S.C. 3001 
et seq.).
``Sec. 130k. Notification requirements for cyber weapons
    ``(a) In General.--Except as provided in subsection (c), the 
Secretary of Defense shall promptly submit to the congressional defense 
committees notice in writing of the following:
            ``(1) With respect to a cyber capability that is intended 
        for use as a weapon, the results of any review of the 
        capability for legality under international law pursuant to 
        Department of Defense Directive 5000.01 no later than 48 hours 
        after any military department concerned has completed such 
        review.
            ``(2) The use as a weapon of any cyber capability that has 
        been approved for such use under international law by a 
        military department no later than 48 hours following such use.
    ``(b) Procedures.--(1) The Secretary of Defense shall establish and 
submit to the congressional defense committees procedures for complying 
with the requirements of subsection (a) consistent with the national 
security of the United States and the protection of operational 
integrity. The Secretary shall promptly notify the congressional 
defense committees in writing of any changes to such procedures at 
least 14 days prior to the adoption of any such changes.
    ``(2) The congressional defense committees shall ensure that 
committee procedures designed to protect from unauthorized disclosure 
classified information relating to national security of the United 
States are sufficient to protect the information that is submitted to 
the committees pursuant to this section.
    ``(3) In the event of an unauthorized disclosure of a cyber 
capability covered by this section, the Secretary shall ensure, to the 
maximum extent practicable, that the congressional defense committees 
are notified immediately of the cyber capability concerned. The 
notification under this paragraph may be verbal or written, but in the 
event of a verbal notification a written notification shall be provided 
by not later than 48 hours after the provision of the verbal 
notification.
    ``(c) Exceptions.--The notification requirement under subsection 
(a) does not apply--
            ``(1) to a training exercise conducted with the consent of 
        all nations where the intended effects of the exercise will 
        occur; or
            ``(2) to a covert action (as that term is defined in 
        section 3093 of title 50, United States Code).
    ``(d) Rule of Construction.--Nothing in this section shall be 
construed to provide any new authority or to alter or otherwise affect 
the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization 
for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note), or 
any requirement under the National Security Act of 1947 (50 U.S.C. 3001 
et seq.).''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by adding at the end the following new items:

``130j. Notification requirements for sensitive military cyber 
                            operations.
``130k. Notification requirements for cyber weapons.''.