There’s an oversight bill in the works that would compel the Defense Department to notify Congress when the military is engaged in sensitive cyber operations.
The bipartisan legislation, as it’s currently written, would require congressional notification when the Defense Department takes action in cyberspace under U.S. Code Title 10, which supervises operations led by Army, Navy, Air Force, Marine Corps, and Coast Guard, as well as the Reserves. Title 10 is unrelated to the U.S. government’s intelligence gathering mission set, which is led by federal organizations like the National Security Agency.
Sponsored by top House Armed Services Committee Reps. Elise Stefanik, R-N.Y., Mac Thornberry, R-Texas, Jim Langevin, D-R.I., and Adam Smith, D-Wash., the bill does not provide Congress with any additional authorization authority, but rather codifies an informal disclosure process that exists between the Defense Department and relevant congressional committees. There is no mention of a public disclosure element in the legislation, as much of the information discussed in these briefings would be presumably classified.
U.S. defense officials already notify lawmakers about such operations, but do so at their own discretion as there is no specific law currently in place to guide these private discussions.
Individuals with knowledge of the legislation say the bill’s introduction is motivated by the realization that conventional warfare is continuously changing and shifting to incorporate computer network operators. In addition, the expected elevation of U.S. Cyber Command, a nascent but growing force currently attached to the NSA, is prompting a response by lawmakers who look to streamline future communications and collaboration.
Stefanik first mentioned her intention to introduce this legislation during an opening statement at a House Armed Service Committee hearing Tuesday that hosted NSA Director Adm. Mike Rogers. The hearing was focused on U.S. Cyber Command’s 2018 budget request.
Architects of the bill plan to work directly with both U.S. Cyber Command and the Pentagon to finalize the legislation, “to ensure such notifications are responsive to our needs, but without adding undue reporting burdens on the Department of Defense,” Stefanik said Tuesday.
A timeline for the bill’s introduction remains unknown.