§ 394. Authorities concerning military cyber operations

§ 394. Authorities concerning military cyber operations

(a) In General.— The Secretary of Defense shall develop, prepare, and coordinate; make ready all armed forces for purposes of; and, when appropriately authorized to do so, conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response to malicious cyber activity carried out against the United States or a United States person by a foreign power.

(b) Affirmation of Authority.— Congress affirms that the activities or operations referred to in subsection (a), when appropriately authorized, include the conduct of military activities or operations in cyberspace short of hostilities (as such term is used in the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.)) or in areas in which hostilities are not occurring, including for the purpose of preparation of the environment, information operations, force protection, and deterrence of hostilities, or counterterrorism operations involving the Armed Forces of the United States.

(c) Clandestine Activities or Operations.— A clandestine military activity or operation in cyberspace shall be considered a traditional military activity for the purposes of section 503(e)(2) of the National Security Act of 1947 (50 U.S.C. 3093(e)(2)).

(d) Congressional Oversight.— The Secretary shall brief the congressional defense committees about any military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, occurring during the previous quarter during the quarterly briefing required by section 484 of this title.

(e) Rule of Construction.— Nothing in this section may be construed to limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to authorize specific military activities or operations, or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or reporting of sensitive military cyber activities or operations required by section 395 of this title.

(f) Definitions.— In this section:

(1) The term “clandestine military activity or operation in cyberspace” means a military activity or military operation carried out in cyberspace, or associated preparatory actions, authorized by the President or the Secretary that—

(A) is marked by, held in, or conducted with secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly; and

(B) is to be carried out—

(i) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary;

(ii) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets; or

(iii) in support of information related capabilities.

(2) The term “foreign power” has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

(3) The term “United States person” has the meaning given such term in such section.

(Added Pub. L. 114–92, div. A, title XVI, § 1642(a), Nov. 25, 2015, 129 Stat. 1116, § 130g; renumbered § 394 and amended Pub. L. 115–232, div. A, title XVI, §§ 1631(a), 1632, Aug. 13, 2018, 132 Stat. 2123.)

Editorial Notes

References in Text

The War Powers Resolution, referred to in subsecs. (b) and (e), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§ 1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The Authorization for Use of Military Force, referred to in subsec. (e), is Pub. L. 107–40, Sept. 18, 2001, 115 Stat. 224, which is set out as a note under section 1541 of Title 50, War and National Defense.

Amendments

2018—Pub. L. 115–232, § 1632, designated existing provisions as subsec. (a), inserted heading, substituted “conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response” for “conduct, a military cyber operation in response”, struck out “(as such terms are defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801))” after “foreign power”, and added subsecs. (b) to (f).

Pub. L. 115–232, § 1631(a), renumbered section 130g of this title as this section.

Statutory Notes and Related Subsidiaries

Prohibition on the Elimination of Certain Cyber Assessment Capabilities for Test and Evaluation

Pub. L. 119–60, div. A, title XV, § 1507, Dec. 18, 2025, 139 Stat. 1145, provided that: “(a) Prohibition.—The Secretary of Defense may not take any action to divest, consolidate, or curtail any current cyber assessment capabilities or red teams certified by the National Security Agency supporting operational test and evaluation for programs of the Department of Defense unless, prior to taking such action, the Secretary submits to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] the certification described in subsection (b) with respect to such action. “(b) Certification.— The certification described in this subsection with respect to an action described in subsection (a) is a certification that the decision to take such action and the analysis related to operational effects on users of cyber assessment capabilities provided by the Director of Operational Test and Evaluation of such action comply with the applicable requirements under section 4173(c)(1)(B) of title 10, United States Code, and which includes the following:“(1) The analytic basis for making the decision to take such action, including any cost, workload, and workforce requirements, as well as any analysis related to operational effects on users of cyber assessment capabilities provided by the Director of Operational Test and Evaluation of such action. “(2) An independent review by the Director of Cost Assessment and Program Evaluation of all the analysis included in the certification under paragraph (1). “(3) A comprehensive plan to sustain the critical cyber assessment capabilities for test and evaluation currently managed by the Director of Operational Test and Evaluation while transitioning such capabilities to another element of the Department of Defense or, if supporting analyses identify the elements of the Department to which such capabilities are proposed to be transferred, a plan for the transition of such capabilities to such elements, including a timeline for such transfer and measures to ensure no reductions in such capabilities during such transition. “(4) A detailed assessment of the funding requirements for maintaining and enhancing cyber assessment capabilities for test and evaluation of the Department of Defense, including how these funding requirements will be incorporated into annual budget request documents of the Department of Defense. “(5) A review of staffing, tools, and specialized resources required to support cyber operational test and evaluation across major defense acquisition programs (as defined in section 4201 of title 10, United States Code) and information technology programs of the Department of Defense . [sic] “(6) A summary of the efforts of the Department of Defense to integrate intelligence-informed threat data into operational cyber testing, including any legal or technical barriers to such integration and proposed solutions to such barriers. “(7) A plan to improve coordination and information-sharing between cyber operational test and evaluation stakeholders, the United States Cyber Command, and the intelligence community (as defined in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4))) following the transition described in paragraph (3). “(8) Proposed metrics for evaluating mission effects in contested cyber environments that are in accordance with guidance issued by the Director of Operational Test and Evaluation, titled ‘Cyber Operational Test and Evaluation Guidebook’ and dated January 31, 2025. “(9) An assessment of the effectiveness and future needs of cyber assessment programs of the Department of Defense, including an identification of any current or future requirements of such programs for resources that are or are projected to not be met.”

Artificial Intelligence and Machine Learning Security in the Department of Defense

Pub. L. 119–60, div. A, title XV, § 1512, Dec. 18, 2025, 139 Stat. 1147, provided that: “(a) Cybersecurity Policy for Artificial Intelligence and Machine Learning Use.—Not later than 180 days after the date of enactment of this Act [Dec. 18, 2025], the Secretary of Defense, in consultation with other appropriate Federal agencies, shall develop and implement a Department of Defense-wide policy for the cybersecurity and associated governance of artificial intelligence and machine learning systems and applications, as well as the models for artificial intelligence and machine learning used in national defense applications. “(b) Policy Elements.—The policy required under subsection (a) shall address the following:“(1) Protection against security threats specific to artificial intelligence and machine learning, including model serialization attacks, model tampering, data leakage, adversarial prompt injection, model extraction, model jailbreaks, and supply chain attacks. “(2) Use of cybersecurity measures throughout the life cycle of systems using artificial intelligence or machine learning. “(3) Adoption of industry-recognized frameworks to guide the development and implementation of artificial intelligence and machine learning security best practices. “(4) Standards for governance, testing, auditing, and monitoring of systems using artificial intelligence and machine learning to ensure the integrity and resilience of such systems against corruption and unauthorized manipulation. “(5) Training requirements for the workforce of the Department of Defense to ensure personnel are prepared to identify and mitigate vulnerabilities that are specific to artificial intelligence and machine learning. “(c) Review and Report.—“(1) Review.—The Secretary of Defense shall conduct a comprehensive review to identify and assess the effectiveness of the artificial intelligence and machine learning cybersecurity and associated governance practices of the Department of Defense. “(2) Report.—“(A) In general.—Not later than August 31, 2026, the Secretary of Defense shall submit to the Committees on Armed Services of the House of Representatives and the Senate a report on the findings of the review conducted under paragraph (1). “(B) Contents.—The report required under subparagraph (A) shall include—“(i) an assessment of the current security practices for artificial intelligence and machine learning across the Department of Defense; “(ii) an assessment of the cybersecurity risks posed by the use of authorized and unauthorized artificial intelligence software, including models developed by companies headquartered in or operating from foreign countries of concern, by the Department; “(iii) an identification of gaps in the existing security measures of the Department related to threats specific to the use of artificial intelligence and machine learning; “(iv) an analysis of the potential of security management, access, and runtime capabilities for artificial intelligence in the commercial sector for use by the Department to defend systems using artificial intelligence from threats, minimize data exposure resulting from the use of such systems, and maintain the trustworthiness of applications of the Department that use artificial intelligence; “(v) an evaluation of the alignment of the policies of the Department with industry frameworks; “(vi) recommend actions to enhance the security, integrity, and governance of artificial intelligence and machine learning models used by the Department; and “(vii) an identification of any additional authorities, resources, or legislative actions required for the Department to effectively implement artificial intelligence and machine learning model security policy required by subsection (a). “(d) Definitions.—In this section:“(1) [no par. (2) has been enacted] The terms ‘artificial intelligence’ and ‘machine learning’ have the meanings given such terms, respectively, in section 5001 [probably should be “5002”] of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401).”

Support for Cyber Threat Tabletop Exercise Program With the Defense Industrial Base

Pub. L. 118–159, div. A, title XV, § 1504, Dec. 23, 2024, 138 Stat. 2133, provided that: “(a) Development of Cyber Threat Tabletop Exercise Program.—“(1) In general.— Not later than one year after the date of the enactment of this Act [Dec. 23, 2024], the Secretary of Defense, acting through the Assistant Secretary of Defense for Cyber Policy, shall establish a program (to be known as the ‘Cyber Threat Tabletop Exercise Program’) to prepare the Department of Defense and the defense industrial base for cyber attacks preceding or during times of conflict or wars through the use of tabletop exercises. “(2) Participation.—“(A) In general.—In carrying out the program, the Secretary of Defense, acting through the Assistant Secretary of Defense for Cyber Policy, shall consult and coordinate with the following:“(i) The Chief Information Officer of the Department of Defense. “(ii) The Under Secretary of Defense for Acquisition and Sustainment. “(iii) The Commander of the United States Cyber Command. “(iv) The Commander of the United States Northern Command. “(v) The Commander of the Army Interagency Training and Education Center. “(vi) The Director of the Defense Cyber Crime Center. “(vii) Such other individuals and entities as the Assistant Secretary of Defense for Cyber Policy determines appropriate. “(B) Solicitation.—The Assistant Secretary of Defense for Cyber Policy may solicit such individuals and entities in the Department of Defense and the defense industrial base as the Assistant Secretary determines appropriate to participate in the program. “(3) Cyber threat tabletop exercise program.——“(A) In general.—The program shall consist of the following:“(i) A series of tabletop exercises that simulate cyber attack scenarios affecting the defense industrial base, which the Assistant Secretary of Defense for Cyber Policy shall carry out on a biannual basis beginning not later than one year after the date of the enactment of this Act until December 30, 2030, and in which the Department of Defense and entities in the defense industrial base shall participate. “(ii) A series of tabletop exercises for use by individual entities or collections of entities in the defense industrial base that simulate cyber attack scenarios affecting the defense industrial base and which are designed to test and improve the responses and plans of such entities to such scenarios. “(B) Tabletop exercise development.—“(i) In general.—The Assistant Secretary of Defense for Cyber Policy shall develop and update the tabletop exercises described in subparagraph (A). “(ii) Realistic attacks.—The Assistant Secretary of Defense for Cyber Policy shall ensure that the cyber attacks simulated by the tabletop exercises described in subparagraph (A) are based on the cyber attack capabilities and activities of current and potential adversaries of the United States. “(4) Procedures for identification of vulnerabilities and lessons learned.—Not later than one year after the date of the enactment of this Act, the Assistant Secretary of Defense for Cyber Policy shall establish procedures to—“(A) identify vulnerabilities in the cybersecurity of the Department of Defense and the defense industrial base pursuant to the tabletop exercises carried out under the program; and “(B) identify other lessons learned that can improve national security or the quality of such tabletop exercises. “(b) Annual Report.—Not later than September 30, 2025, and annually thereafter until the [sic] October 1, 2029, the Secretary of Defense, acting through the Assistant Secretary of Defense for Cyber Policy, shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report describing the activities of the Department of Defense pursuant to this section during the preceding year. “(c) Program Defined.—In this section, the term ‘program’ means the program established under subsection (a).”

Authority for Countering Illegal Trafficking by Mexican Transnational Criminal Organizations in Cyberspace