United States Congress, NDAA 2018 Sec. 1621-1630c , September 18 2017. Unclassified.

739 1 Subtitle C—Cyber Warfare, 2 Cybersecurity, and Related Matters 3 SEC. 1621. POLICY OF THE UNITED STATES ON CYBER- 4 SPACE, CYBERSECURITY, AND CYBER WAR- 5 FARE. 6 (a) IN GENERAL.—It shall be the policy of the United 7 States, with respect to matters pertaining to cyberspace, cy- 8 bersecurity, and cyber warfare, that the United States 9 should employ all instruments of national power, including 10 the use of offensive cyber capabilities, to deter if possible, 11 and respond when necessary, to any and all cyber attacks 12 or other malicious cyber activities that target United States 13 interests with the intent to— 14 (1) cause casualties among United States persons 15 or persons of our allies; 16 (2) significantly disrupt the normal functioning 17 of United States democratic society or government 18 (including attacks against critical infrastructure that 19 could damage systems used to provide key services to 20 the public or government); 21 (3) threaten the command and control of the 22 United States Armed Forces, the freedom of maneuver 23 of the United States Armed Forces, or the industrial 24 base or other infrastructure on which the United

† HR 2810 PAP

740 1 States Armed Forces rely to defend United States in- 2 terests and commitments; or 3 (4) achieve an effect, whether individually or in 4 aggregate, comparable to an armed attack or imperil 5 a vital interest of the United States. 6 (b) RESPONSE OPTIONS.—In carrying out the policy 7 set forth in subsection (a), the United States shall plan, de- 8 velop, and demonstrate response options to address the full 9 range of potential cyber attacks on United States interests 10 that could be conducted by potential adversaries of the 11 United States. 12 (c) DENIAL OPTIONS.—In carrying out the policy set 13 forth in subsection (a) through response options developed 14 pursuant to subsection (b), the United States shall, to the 15 greatest extent practicable, prioritize the defensibility and 16 resiliency against cyber attacks and malicious cyber activi- 17 ties described in subsection (a) of infrastructure critical to 18 the political integrity, economic security, and national se- 19 curity of the United States. 20 (d) COST-IMPOSITION OPTIONS.—In carrying out the 21 policy set forth in subsection (a) through response options 22 developed pursuant to subsection (b), the United States shall 23 develop and demonstrate, or otherwise make known to ad- 24 versaries of the existence of, cyber capabilities to impose 25 costs on any foreign power targeting the United States or

† HR 2810 PAP

741 1 United States persons with a cyber attack or malicious 2 cyber activity described in subsection (a). 3 (e) MULTI-PRONG RESPONSE.—In carrying out the 4 policy set forth in subsection (a) through response options 5 developed pursuant to subsection (b), the United States 6 shall— 7 (1) devote immediate and sustained attention to 8 boosting the cyber resilience of critical United States 9 strike systems (including cyber, nuclear, and non-nu- 10 clear systems) in order to ensure the United States 11 can credibly threaten to impose unacceptable costs in 12 response to even the most sophisticated large-scale 13 cyber attack; 14 (2) develop offensive cyber capabilities and spe- 15 cific plans and strategies to put at risk targets most 16 valued by adversaries of the United States and their 17 key decision makers; 18 (3) enhance attribution capabilities to reduce the 19 time required to positively attribute an attack with 20 high confidence; and 21 (4) develop intelligence and offensive cyber capa- 22 bilities to detect, disrupt, and potentially expose mali- 23 cious cyber activities. 24 (f) POLICIES RELATING TO OFFENSIVE CYBER CAPA- 25 BILITIES AND SOVEREIGNTY.—It is the policy of the United † HR 2810 PAP

742

States that, when a cyber attack or malicious cyber activity transits or otherwise relies upon the networks or infrastructure of a third country— (1) the United States shall, to the greatest extent practicable, notify and encourage the government of that country to take action to eliminate the threat; and (2) if the government is unable or unwilling to take action, the United States reserves the right to act unilaterally (with the consent of that government if possible, but without such consent if necessary). (g) AUTHORITY OF SECRETARY OF DEFENSE.— (1) IN GENERAL.—The Secretary of Defense has the authority to develop, prepare, coordinate, and, when appropriately authorized to do so, conduct military cyber operations in response to cyber attacks and malicious cyber activities described in subsection (a) that are carried out against the United States or United States persons by a foreign power. (2) DELEGATION OF ADDITIONAL AUTHORITIES.—The Secretary may delegate to the Commander of the United States Cyber Command such authorities of the Secretaries of the military departments, including authorities relating to manning, training, and equipping, that the Secretary considers appropriate.

† HR 2810 PAP

743 1 (3) USE OF DELEGATED AUTHORITIES.—The use 2 by the Commander of the United States Cyber Com- 3 mand of any authority delegated to the Commander 4 pursuant to this subsection shall be subject to the au- 5 thority, direction, and control of the Secretary. 6 (4) RULE OF CONSTRUCTION.—Nothing in this 7 subsection shall be construed to limit the authority of 8 the President or Congress to authorize the use of mili- 9 tary force. 10 (h) FOREIGN POWER DEFINED.—In this section, the 11 term “foreign power” has the meaning given that term in 12 section 101 of the Foreign Intelligence Surveillance Act of 13 1978 (50 U.S.C. 1801). 14 SEC. 1622. CYBER POSTURE REVIEW. 15 (a) REQUIREMENT FOR COMPREHENSIVE REVIEW.— 16 In order to clarify United States cyber deterrence policy 17 and strategy for the near term, the Secretary of Defense 18 shall conduct a comprehensive review of the cyber posture 19 of the United States for the next 5 to 10 years. The Sec- 20 retary shall conduct the review in consultation with the Di- 21 rector of National Intelligence, the Attorney General, the 22 Secretary of the Department of Homeland Security, and the 23 Secretary of State. 24 (b) ELEMENTS OF REVIEW.—The cyber posture review 25 shall include the following elements:

† HR 2810 PAP

744 1 (1) The role of cyber forces in United States 2 military strategy, planning, and programming. 3 (2) A declaratory policy relating to United 4 States responses to cyber attack and use of offensive 5 cyber capabilities, guidance for the employment of of- 6 fensive cyber capabilities, a public affairs plan, and 7 an engagement plan for adversaries and allies. 8 (3) Proposed norms for the conduct of offensive 9 cyber operations in crisis and conflict. 10 (4) Guidance for the development of cyber deter- 11 rence campaign plans focused on key leadership of 12 Russia, China, Iran, North Korea, and any other 13 country the Secretary determines appropriate. 14 (5) Examination through analysis and gaming 15 of escalation dynamics in various scenarios, as well 16 as the spiral escalatory effects of countries developing 17 increasingly potent offensive cyber capabilities, and 18 what steps should be undertaken to bolster stability in 19 cyberspace and more broadly stability between major 20 powers. 21 (6) A certification of whether sufficient personnel 22 are trained and equipped to meet validated cyber re- 23 quirements. 24 (7) Such other matters as the Secretary considers 25 appropriate.

† HR 2810 PAP

745 1 (c) REPORT TO CONGRESS.—Not later than March 1, 2 2018, the Secretary of Defense shall submit to Congress, in 3 unclassified and classified forms as necessary, a report on 4 the results of the cyber posture review conducted under this 5 section. 6 (d) SENSE OF CONGRESS.—It is the sense of Congress 7 that the United States should respond to all cyber attacks 8 and to all significant cyber intrusions by imposing costs 9 on those responsible that exceed any benefit that the attacker 10 or intruder may have hoped to gain. 11 SEC. 1623. MODIFICATION AND CLARIFICATION OF RE- 12 QUIREMENTS AND AUTHORITIES RELATING 13 TO ESTABLISHMENT OF UNIFIED COMBATANT 14 COMMAND FOR CYBER OPERATIONS. 15 (a) DEADLINE FOR ESTABLISHMENT.—Before the 16 Cyber Mission Force reaches full operational capability, the 17 President shall establish the unified combatant command 18 for cyber operations forces pursuant to section 167b(a) of 19 title 10, United State Code. 20 (b) CLARIFICATION OF FUNCTIONS.—Subsection (a) of 21 section 167b of title 10, United States Code, is amended— 22 (1) by striking the second sentence; 23 (2) by inserting “(1)” before “With the”; and 24 (3) by adding at the end the following new para- 25 graph:

† HR 2810 PAP

746 1 “(2) The principal functions of the cyber command are 2 as follows: 3 “(A) To execute cyber operations. 4 “(B) To prepare cyber operations forces to carry 5 out assigned missions.”. 6 (c) MODIFICATION OF ASSIGNMENT OF FORCES.—Sub- 7 section (b) of such section is amended by striking “stationed 8 in the United States”. 9 (d) MODIFICATION OF COMMAND OF ACTIVITY OR MIS- 10 SION.—Subsection (d) of such section is amended to read 11 as follows: 12 “(d) COMMAND OF ACTIVITY OR MISSION.—The com- 13 mander of the cyber command shall execute and exercise 14 command of cyberspace operations and coordinate with the 15 affected commanders of the unified combatant commands, 16 unless otherwise directed by the President or the Secretary 17 of Defense.”. 18 (e) MODIFICATION OF AUTHORITY OF COMBATANT 19 COMMANDER.—Subsection (e)(2)(A) of such section is 20 amended— 21 (1) in clause (iii)— 22 (A) in subclause (I), by striking “and” at 23 the end; 24 (B) in subclause (II), by striking “assigned 25 to unified combatant commands”;

† HR 2810 PAP

747 (C) by redesignating subclause (II) as subclause (III); and (D) by inserting after subclause (I) the following new subclause (II): “(II) for development and acquisition of joint cyber capabilities; and”; (2) in clause (iv), by striking “joint” and inserting “cyber operations”; and (3) in clause (v), by striking “commissioned and noncommissioned officers” and inserting “cyber operations forces”. SEC. 1624. ANNUAL ASSESSMENT OF CYBER RESILIENCY OF NUCLEAR COMMAND AND CONTROL SYSTEM. (a) IN GENERAL.—Chapter 24 of title 10, United States Code, is amended by adding at the end the following new section: “§ 499. Annual assessment of cyber resiliency of nuclear command and control system “(a) IN GENERAL.—Not less frequently than annually, the Commander of the United States Strategic Command and the Commander of the United States Cyber Command (in this section referred to collectively as the ‘Commanders’) shall jointly conduct an assessment of the cyber resiliency of the nuclear command and control system.

† HR 2810 PAP

748 1 “(b) ELEMENTS.—In conducting the assessment re- 2 quired by subsection (a), the Commanders shall— 3 “(1) conduct an assessment of the sufficiency and 4 resiliency of the nuclear command and control system 5 to operate through a cyber attack from the Russian 6 Federation, the People’s Republic of China, or any 7 other country or entity the Commanders identify as 8 a potential threat; and 9 “(2) develop recommendations for mitigating 10 any concerns of the Commanders resulting from the 11 assessment. 12 “(c) REPORT REQUIRED.—(1) The Commanders shall 13 jointly submit to the Chairman of the Joint Chiefs of Staff, 14 for submission to the Council on Oversight of the National 15 Leadership Command, Control, and Communications Sys- 16 tem established under section 171a of this title (in this sec- 17 tion referred to as the ‘Council’), a report on the assessment 18 required by subsection (a) that includes the following: 19 “(A) The recommendations developed under sub- 20 section (b)(2). 21 “(B) A statement of the degree of confidence of 22 each of the Commanders in the mission assurance of 23 the nuclear deterrent against a top tier cyber threat. 24 “(C) A detailed description of the approach used 25 to conduct the assessment required by subsection (a)

† HR 2810 PAP

749 1 and the technical basis of conclusions reached in con- 2 ducting that assessment. 3 “(D) Any other comments of the Commanders. 4 “(2) The Council shall submit to the Secretary of De- 5 fense the report required by paragraph (1) and any com- 6 ments of the Council on the report. 7 “(3) The Secretary of Defense shall submit to the con- 8 gressional defense committees the report required by para- 9 graph (1), any comments of the Council on the report under 10 paragraph (2), and any comments of the Secretary on the 11 report. 12 “(d) TERMINATION.—This section shall terminate on 13 the date that is 10 years after the date of the enactment 14 of the National Defense Authorization Act for Fiscal Year 15 2018.”. 16 (b) CLERICAL AMENDMENT.—The table of sections for 17 chapter 24 of such title is amended by inserting after the 18 item relating to section 498 the following new item: “499. Annual assessment of cyber resiliency of nuclear command and control sys- tem.”. 19 SEC. 1625. STRATEGIC CYBERSECURITY PROGRAM. 20 (a) IN GENERAL.—The Secretary of Defense shall es- 21 tablish a program to be known as the “Strategic Cybersecu- 22 rity Program” or “SCP” (in this section referred to as the 23 “Program”).

† HR 2810 PAP

750 1 (b) ELEMENTS.—The Program shall be comprised of 2 personnel assigned to the Program by the Secretary from 3 among personnel, including regular and reserve members 4 of the Armed Forces, civilian employees of the Department, 5 and personnel of the research laboratories of the Department 6 of Defense and the Department of Energy, who have par- 7 ticular expertise in the responsibility to be discharged by 8 the Program. Any personnel assigned to the Program from 9 among personnel of the Department of Energy shall be so 10 assigned with the concurrence of the Secretary of Energy. 11 (c) RESPONSIBILITY.— 12 (1) IN GENERAL.—The responsibility of the Pro- 13 gram shall be to carry out activities (commonly re- 14 ferred to as “red-teaming”) to continuously assess the 15 information assurance and improve the overall effec- 16 tiveness of the following of the United States Govern- 17 ment: 18 (A) Offensive cyber systems. 19 (B) Long-range strike systems. 20 (C) Nuclear deterrent systems. 21 (D) National security systems. 22 (E) Critical infrastructure of the Depart- 23 ment of Defense (as that term is defined in sec- 24 tion 1650(f)(1) of the National Defense Author- † HR 2810 PAP

751 1 ization Act for Fiscal Year 2017 (Public Law 2 114–329)). 3 (2) SCOPE OF RESPONSIBILITY.—In carrying out 4 its activities, the Program shall carry out appro- 5 priate reviews of current systems and infrastructure 6 and acquisition plans for proposed systems and infra- 7 structure. The review of an acquisition plan for any 8 proposed system or infrastructure shall be carried out 9 before Milestone B approval for such system or infra- 10 structure. 11 (3) RESULTS OF REVIEWS.—The results of each 12 review carried out by the Program pursuant to para- 13 graph (2), including any remedial action rec- 14 ommended by the Program pursuant to such review, 15 shall be made available to any agencies or organiza- 16 tions of the Department involved in the development, 17 procurement, operation, or maintenance of the system 18 or infrastructure concerned. 19 (d) REPORTS.—The Director of the National Security 20 Agency shall submit to the Secretary of Defense and the con- 21 gressional defense committees on a quarterly basis a report 22 on the activities of the Program during the preceding cal- 23 endar quarter. Each report shall include the following: 24 (1) A description of the activities of the Program 25 during the calendar quarter covered by such report.

† HR 2810 PAP

752 (2) A description of particular challenges encountered in the course of the activities of the Program during such calendar quarter, and of actions taken to address such challenges. (3) A description of the current plans of the Program for additional activities. (e) FUNDING.—Of the amount authorized to be appropriated for fiscal year 2018 for operation and maintenance, Defense-wide, by section 301 and available for the Information Systems Security Program as specified in the funding table in section 4301, up to $100,000,000 may be available for the Strategic Cybersecurity Program and its activities in fiscal year 2018. (f) SENSE OF CONGRESS.—It is the sense of Congress that the activities conducted under the Program should address the most critical systems of the Department of Defense and should supplement, not supplant, the Cyber Protection Teams of the Department of Defense. SEC. 1626. EVALUATION OF AGILE ACQUISITION OF CYBER TOOLS AND APPLICATIONS. (a) EVALUATION REQUIRED.—The Commander of the United States Cyber Command shall conduct an evaluation of alternative methods for developing, acquiring, and maintaining software-based cyber tools and applications for the United States Cyber Command, the Army Cyber Command, † HR 2810 PAP

753 1 the Fleet Cyber Command, the Air Forces Cyber Command, 2 and the Marine Corps Cyberspace Command. 3 (b) GOAL.—The goal of the evaluation required by sub- 4 section (a) is to identify a set of practices that will— 5 (1) increase the speed of development of cyber ca- 6 pabilities of the Armed Forces; 7 (2) provide more effective tools and capabilities 8 for developing, acquiring, and maintaining cyber 9 tools and applications; and 10 (3) create a repeatable, disciplined process for 11 developing, acquiring, and maintaining cyber tools 12 and applications whereby progress and success or 13 failure can be continuously measured. 14 (c) CONSIDERATION OF AGILE SOFTWARE DEVELOP- 15 MENT, AGILE ACQUISITION, AND OTHER BEST PRAC- 16 TICES.— 17 (1) IN GENERAL.—The evaluation required by 18 subsection (a) shall include consideration of agile soft- 19 ware development, agile acquisition, and such other 20 similar best practices of commercial industry. 21 (2) CONSIDERATIONS.—In carrying out the eval- 22 uation required by subsection (a), the Commander 23 shall assess requirements for implementing the prac- 24 tices described in paragraph (1), consider changes

† HR 2810 PAP

754 1 that would be necessary to established acquisition 2 practices, including the following: 3 (A) The requirements process. 4 (B) Contracting. 5 (C) Testing. 6 (D) User involvement in the development 7 process. 8 (E) Program management. 9 (F) Milestone reviews and approvals. 10 (G) The definitions of "research and devel- 11 opment", "procurement", and "sustainment". 12 (H) The constraints of current appropria- 13 tions account definitions. 14 (d) ASSESSMENT OF TRAINING AND EDUCATION RE- 15 QUIREMENTS.—In carrying out the evaluation required by 16 subsection (a), the Commander shall assess training and 17 education requirements for personnel in all areas and at 18 all levels of management relevant to the successful adoption 19 of new acquisition models and methods for developing, ac- 20 quiring, and maintaining cyber tools and applications as 21 described in such subsection. 22 (e) SERVICES AND EXPERTISE.—In conducting the 23 evaluation required by subsection (a), the Commander 24 shall— 25 (1) obtain services and expertise from—

† HR 2810 PAP

755 1 (A) the Defense Digital Service; and 2 (B) federally funded research and develop- 3 ment centers, such as the Software Engineering 4 Institute and the MITRE Corporation; and 5 (2) consult with such commercial software com- 6 panies as the Commander considers appropriate to 7 learn about commercial best practices. 8 (f) RECOMMENDATIONS.— 9 (1) IN GENERAL.—Not later than 120 days after 10 the date of the enactment of this Act, the Commander 11 shall submit to the Secretary of Defense recommenda- 12 tions for experimenting with or adopting new acquisi- 13 tion methods, including all aspects of implementation 14 necessary for the success of the recommended methods. 15 (2) CONGRESSIONAL BRIEFING.—Not later than 16 14 days after submitting recommendations to the Sec- 17 retary under paragraph (1), the Commander shall 18 brief the congressional defense committees on the rec- 19 ommendations the Commander submitted under para- 20 graph (1). 21 (g) PRESERVATION OF EXISTING AUTHORITY.—The 22 evaluation required under subsection (a) is intended to in- 23 form future acquisition approaches. Nothing in this section 24 shall be construed to limit or impede the exercising of the 25 acquisition authority of the Commander of United States

† HR 2810 PAP

756
1 Cyber Command under section 807 of the National Defense
2 Authorization Act for Fiscal Year 2016 (Public Law 114–
3 92; 10 U.S.C. 2224 note).
4 (h) DEFINITIONS.—In this section:
5 (1) The term “agile acquisition” means acquisi-
6 tion pursuant to a methodology for delivering mul-
7 tiple, rapid, incremental capabilities to the user for
8 operational use, evaluation, and feedback. The incre-
9 mental development and fielding of capabilities, com-
10 monly called “spirals”, “spins”, or “sprints”, can be
11 measured in a few weeks or months, and involve con-
12 tinuous participation and collaboration by users, test-
13 ers, and requirements authorities.
14 (2) The term “agile development” means develop-
15 ment pursuant to a set of software development meth-
16 odologies based on iterative development, in which re-
17 quirements and solutions evolve through collaboration
18 between self-organizing cross-functional teams.
19 SEC. 1627. REPORT ON COST IMPLICATIONS OF TERMI-
20 NATING DUAL-HAT ARRANGEMENT FOR COM-
21 MANDER OF UNITED STATES CYBER COM-
22 MAND.
23 Not later than 90 days after the date of the enactment
24 of this Act, the Commander of the United States Cyber
25 Command shall submit to the congressional defense commit-
† HR 2810 PAP

757 1 tees a report that identifies the costs that would be implied 2 cated by meeting the conditions set forth in section 3 1642(b)(2)(C) of the National Defense Authorization Act for 4 Fiscal Year 2017 (Public Law 114–328). 5 SEC. 1628. MODIFICATION OF INFORMATION ASSURANCE 6 SCHOLARSHIP PROGRAM. 7 (a) DESIGNATION OF PROGRAM.—Section 2200a of 8 title 10, United States Code, is amended by adding at the 9 end the following new subsection: 10 “(h) DESIGNATION OF PROGRAM.—A program under 11 which the Secretary provides financial assistance under 12 subsection (a) shall be known as the ‘Department of Defense 13 Cybersecurity Scholarship Program’.”. 14 (b) ALLOCATION OF FUNDING.—Subsection (f) of such 15 section is amended— 16 (1) by inserting “(1)” before “Not less”; and 17 (2) by adding at the end the following new paragraph: 18 “(2) Not less than five percent of the amount available 19 for financial assistance under this section for a fiscal year 20 shall be available for providing financial assistance for the 21 pursuit of an associate degree.”. 22 (c) REINVIGORATION PLAN REQUIRED.—Not later 23 than September 30, 2018, the Secretary of Defense shall sub- 24 mit to the congressional defense committees a plan for rein- †HR 2810 PAP

758 1 vigorating the Department of Defense Cyber Scholarship 2 Program authorized under section 2200a of such title, as 3 amended by subsections (a) and (b). 4 SEC. 1629. MEASURING COMPLIANCE OF COMPONENTS OF 5 DEPARTMENT OF DEFENSE WITH CYBERSE- 6 CURITY REQUIREMENTS FOR SECURING IN- 7 DUSTRIAL CONTROL SYSTEMS. 8 (a) IN GENERAL.—The Secretary of Defense shall 9 make such changes to the scorecard as are necessary to en- 10 sure that the Secretary measures each component of the De- 11 partment of Defense in its progress towards securing the 12 industrial control systems of the Department against cyber 13 threats, including supervisory control and data acquisition 14 systems (SCADA), distributed control systems (DCS), pro- 15 grammable logic controllers (PLC), and platform informa- 16 tion technology (PIT). 17 (b) SCORECARD DEFINED.—In this section, the term 18 “scorecard” means the Department of Defense Cyber Score- 19 card for the measuring of the performance of components 20 of the Department against basic cybersecurity requirements 21 as outlined in the Department of Defense Cybersecurity Dis- 22 cipline Implementation Plan.

† HR 2810 PAP

759 1 SEC. 1630. EXERCISE ON ASSESSING CYBERSECURITY SUP- 2 PORT TO ELECTION SYSTEMS OF STATES. 3 (a) INCLUSION OF CYBER VULNERABILITIES IN ELEC- 4 TION SYSTEMS IN CYBER GUARD EXERCISES.—The Sec- 5 retary of Defense shall incorporate the cybersecurity of elec- 6 tions systems of the States as a component of the Cyber 7 Guard Exercise. 8 (b) REPORT ON BEST PRACTICES.—Not later than 180 9 days after the date of the enactment of this Act, the Sec- 10 retary of Defense shall submit to the congressional defense 11 committees a report on the capabilities, readiness, and best 12 practices of the National Guard to assist the Governors, if 13 called upon, to defend elections systems from cyberattacks. 14 SEC. 1630A. REPORT ON VARIOUS APPROACHES TO CYBER 15 DETERRENCE. 16 (a) IN GENERAL.—Not later than 180 days after the 17 date of the enactment of this Act, the Secretary of Defense 18 shall submit to the congressional defense committees a re- 19 port on various approaches to cyber deterrence. 20 (b) CONTENTS.—The report required by subsection (a) 21 shall include the following: 22 (1) Identification, definition, and explanation of 23 the various theoretical approaches to cyber deterrence. 24 (2) An assessment of the relative strengths and 25 weaknesses of each of such approaches relative to the 26 threat and relative to one another. † HR 2810 PAP

760 (3) A recommendation for a cyber deterrence theory and doctrine for the Armed Forces. (4) An alternative analysis or dissenting view of the recommendation included under paragraph (3) that explains the weaknesses of the recommended theory and doctrine and offers an alternative theory or doctrine. (c) CONSULTATION.—In preparing the report required by subsection (a), the Secretary shall consult with experts from the Government, industry, and academia. SEC. 1630B. PROHIBITION ON USE OF SOFTWARE PLATFORMS DEVELOPED BY KASPERSKY LAB. (a) PROHIBITION.—No department, agency, organization, or other element of the Department of Defense may use, whether directly or through work with or on behalf of another organization or element of the Department or another department or agency of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership. (b) SEVERANCE OF NETWORK CONNECTIONS.—The Secretary of Defense shall ensure that any network connection between a department, agency, organization, or other element of the Department of Defense and a department or agency of the United States Government that is using or † HR 2810 PAP

761 1 hosting on its networks a software platform described in 2 subsection (a) is immediately severed. 3 (c) EFFECTIVE DATE.—This section shall take effect 4 on October 1, 2018. 5 SEC. 1630C. REPORT ON CYBER APPLICATIONS OF 6 BLOCKCHAIN TECHNOLOGY. 7 (a) REPORT REQUIRED.—Not later than 180 days 8 after the date of the enactment of this Act, the Secretary 9 of Defense, in consultation with the heads of such other 10 agencies and departments as the Secretary considers appro- 11 priate, shall submit to the appropriate committees of Con- 12 gress a report on the potential offensive and defensive cyber 13 applications of blockchain technology and other distributed 14 database technologies and an assessment of efforts by foreign 15 powers, extremist organizations, and criminal networks to 16 utilize these technologies. Such report shall also include an 17 assessment of the use or planned use of blockchain tech- 18 nologies by the United States Government or critical infra- 19 structure networks and the vulnerabilities of such networks 20 to cyber attacks. 21 (b) FORM OF REPORT.—The report required by (a) 22 may be submitted— 23 (1) in classified form; or 24 (2) in unclassified form with a classified annex.

† HR 2810 PAP

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu