SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

‘‘(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.

‘‘(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—

‘‘(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107-40) against a target located outside of the United States; or

‘‘(2) to defend against a cyber attack against an asset of the Department of Defense.

‘‘(c) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.’"

We must deliver and we must act quickly. It’s time to be bold. The troubling side of spending a week with some of the experts in the cybersecurity world is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out. We need to continue to sharpen our response tactics and move even faster when an intruder gets inside to limit the damage and protect our information. That requires a fast, unified response between federal agencies and our private partners – which is where Congress can help.

The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.

The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.

To suggest that this bill should move directly to the Senate Floor because it has ‘been around’ since 2009 is outrageous," McCain said. "First, the bill was introduced two days ago. Secondly, where do Senate Rules state that a bill’s progress in a previous congress can supplant the necessary work on that bill in the present one?"

Sen. Jay Rockefeller (D-W. Va.), Sen. Dianne Feinstein (D-Calif.) and Homeland Security Secretary Janet Napolitano warned the committee there could be grave consequences if Congress does not act to protect cybersecurity.

"Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another," Rockefeller said. "Or if rail switching networks were hacked—causing trains carrying people—or hazardous materials—to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington."