739 2 Subtitle C--Cyber Warfare Cybersecurity and Related Matters 3 SEC 1621 POLICY OF THE UNITED STATES ON CYBER- 4 SPACE CYBERSECURITY AND CYBER WAR- 5 FARE 1 6 a IN GENERAL --It shall be the policy of the United 7 States with respect to matters pertaining to cyberspace cy8 bersecurity and cyber warfare that the United States 9 should employ all instruments of national power including 10 the use of offensive cyber capabilities to deter if possible 11 and respond when necessary to any and all cyber attacks 12 or other malicious cyber activities that target United States 13 interests with the intent to-- 14 15 1 cause casualties among United States persons or persons of our allies 16 2 significantly disrupt the normal functioning 17 of United States democratic society or government 18 including attacks against critical infrastructure that 19 could damage systems used to provide key services to 20 the public or government 21 3 threaten the command and control of the 22 United States Armed Forces the freedom of maneuver 23 of the United States Armed Forces or the industrial 24 base or other infrastructure on which the United HR 2810 PAP 740 1 States Armed Forces rely to defend United States in- 2 terests and commitments or 3 4 achieve an effect whether individually or in 4 aggregate comparable to an armed attack or imperil 5 a vital interest of the United States 6 b RESPONSE OPTIONS --In carrying out the policy 7 set forth in subsection a the United States shall plan de8 velop and demonstrate response options to address the full 9 range of potential cyber attacks on United States interests 10 that could be conducted by potential adversaries of the 11 United States 12 c DENIAL OPTIONS --In carrying out the policy set 13 forth in subsection a through response options developed 14 pursuant to subsection b the United States shall to the 15 greatest extent practicable prioritize the defensibility and 16 resiliency against cyber attacks and malicious cyber activi17 ties described in subsection a of infrastructure critical to 18 the political integrity economic security and national se19 curity of the United States 20 d COST-IMPOSITION OPTIONS --In carrying out the 21 policy set forth in subsection a through response options 22 developed pursuant to subsection b the United States shall 23 develop and demonstrate or otherwise make known to ad24 versaries of the existence of cyber capabilities to impose 25 costs on any foreign power targeting the United States or HR 2810 PAP 741 1 United States persons with a cyber attack or malicious 2 cyber activity described in subsection a 3 e MULTI-PRONG RESPONSE --In carrying out the 4 policy set forth in subsection a through response options 5 developed pursuant to subsection b the United States 6 shall-- 7 1 devote immediate and sustained attention to 8 boosting the cyber resilience of critical United States 9 strike systems including cyber nuclear and non-nu- 10 clear systems in order to ensure the United States 11 can credibly threaten to impose unacceptable costs in 12 response to even the most sophisticated large-scale 13 cyber attack 14 2 develop offensive cyber capabilities and spe- 15 cific plans and strategies to put at risk targets most 16 valued by adversaries of the United States and their 17 key decision makers 18 3 enhance attribution capabilities to reduce the 19 time required to positively attribute an attack with 20 high confidence and 21 4 develop intelligence and offensive cyber capa- 22 bilities to detect disrupt and potentially expose mali- 23 cious cyber activities 24 f POLICIES RELATING 25 BILITIES AND HR 2810 PAP TO OFFENSIVE CYBER CAPA- SOVEREIGNTY --It is the policy of the United 742 1 States that when a cyber attack or malicious cyber activity 2 transits or otherwise relies upon the networks or infrastruc3 ture of a third country-- 4 1 the United States shall to the greatest extent 5 practicable notify and encourage the government of 6 that country to take action to eliminate the threat 7 and 8 2 if the government is unable or unwilling to 9 take action the United States reserves the right to act 10 unilaterally with the consent of that government if 11 possible but without such consent if necessary 12 g AUTHORITY OF SECRETARY OF DEFENSE -- 13 1 IN GENERAL --The Secretary of Defense has 14 the authority to develop prepare coordinate and 15 when appropriately authorized to do so conduct mili- 16 tary cyber operations in response to cyber attacks and 17 malicious cyber activities described in subsection a 18 that are carried out against the United States or 19 United States persons by a foreign power 20 2 DELEGATION OF ADDITIONAL AUTHORI- 21 TIES --The 22 of the United States Cyber Command such authorities 23 of the Secretaries of the military departments includ- 24 ing authorities relating to manning training and 25 equipping that the Secretary considers appropriate HR 2810 PAP Secretary may delegate to the Commander 743 1 3 USE OF DELEGATED AUTHORITIES --The use 2 by the Commander of the United States Cyber Com- 3 mand of any authority delegated to the Commander 4 pursuant to this subsection shall be subject to the au- 5 thority direction and control of the Secretary 6 4 RULE OF CONSTRUCTION --Nothing in this 7 subsection shall be construed to limit the authority of 8 the President or Congress to authorize the use of mili- 9 tary force 10 h FOREIGN POWER DEFINED --In this section the 11 term ''foreign power'' has the meaning given that term in 12 section 101 of the Foreign Intelligence Surveillance Act of 13 1978 50 U S C 1801 14 15 SEC 1622 CYBER POSTURE REVIEW a REQUIREMENT FOR COMPREHENSIVE REVIEW -- 16 In order to clarify United States cyber deterrence policy 17 and strategy for the near term the Secretary of Defense 18 shall conduct a comprehensive review of the cyber posture 19 of the United States for the next 5 to 10 years The Sec20 retary shall conduct the review in consultation with the Di21 rector of National Intelligence the Attorney General the 22 Secretary of the Department of Homeland Security and the 23 Secretary of State 24 b ELEMENTS OF REVIEW --The cyber posture review 25 shall include the following elements HR 2810 PAP 744 1 2 1 The role of cyber forces in United States military strategy planning and programming 3 2 A declaratory policy relating to United 4 States responses to cyber attack and use of offensive 5 cyber capabilities guidance for the employment of of- 6 fensive cyber capabilities a public affairs plan and 7 an engagement plan for adversaries and allies 8 9 3 Proposed norms for the conduct of offensive cyber operations in crisis and conflict 10 4 Guidance for the development of cyber deter- 11 rence campaign plans focused on key leadership of 12 Russia China Iran North Korea and any other 13 country the Secretary determines appropriate 14 5 Examination through analysis and gaming 15 of escalation dynamics in various scenarios as well 16 as the spiral escalatory effects of countries developing 17 increasingly potent offensive cyber capabilities and 18 what steps should be undertaken to bolster stability in 19 cyberspace and more broadly stability between major 20 powers 21 6 A certification of whether sufficient personnel 22 are trained and equipped to meet validated cyber re- 23 quirements 24 25 7 Such other matters as the Secretary considers appropriate HR 2810 PAP 745 1 c REPORT TO CONGRESS --Not later than March 1 2 2018 the Secretary of Defense shall submit to Congress in 3 unclassified and classified forms as necessary a report on 4 the results of the cyber posture review conducted under this 5 section 6 d SENSE OF CONGRESS --It is the sense of Congress 7 that the United States should respond to all cyber attacks 8 and to all significant cyber intrusions by imposing costs 9 on those responsible that exceed any benefit that the attacker 10 or intruder may have hoped to gain 11 SEC 1623 MODIFICATION AND CLARIFICATION OF RE- 12 QUIREMENTS AND AUTHORITIES RELATING 13 TO ESTABLISHMENT OF UNIFIED COMBATANT 14 COMMAND FOR CYBER OPERATIONS 15 a DEADLINE FOR ESTABLISHMENT --Before the 16 Cyber Mission Force reaches full operational capability the 17 President shall establish the unified combatant command 18 for cyber operations forces pursuant to section 167b a of 19 title 10 United State Code 20 b CLARIFICATION OF FUNCTIONS --Subsection a of 21 section 167b of title 10 United States Code is amended-- 22 1 by striking the second sentence 23 2 by inserting '' 1 '' before ''With the'' and 24 3 by adding at the end the following new para- 25 graph HR 2810 PAP 746 1 '' 2 The principal functions of the cyber command are 2 as follows 3 '' A To execute cyber operations 4 '' B To prepare cyber operations forces to carry 5 out assigned missions '' 6 c MODIFICATION OF ASSIGNMENT OF FORCES --Sub- 7 section b of such section is amended by striking ''stationed 8 in the United States'' 9 10 d MODIFICATION SION --Subsection OF COMMAND OF ACTIVITY OR MIS- d of such section is amended to read 11 as follows 12 '' d COMMAND OF ACTIVITY OR MISSION --The com- 13 mander of the cyber command shall execute and exercise 14 command of cyberspace operations and coordinate with the 15 affected commanders of the unified combatant commands 16 unless otherwise directed by the President or the Secretary 17 of Defense '' 18 e MODIFICATION OF AUTHORITY OF COMBATANT 19 COMMANDER --Subsection e 2 A of such section is 20 amended-- 21 1 in clause iii -- 22 23 A in subclause I by striking ''and'' at the end 24 25 B in subclause II by striking ''assigned to unified combatant commands'' HR 2810 PAP 747 1 2 C by redesignating subclause II as subclause III and 3 4 D by inserting after subclause I the following new subclause II 5 '' II for development and acquisition of 6 joint cyber capabilities and'' 7 2 in clause iv by striking ''joint'' and insert- 8 ing ''cyber operations'' and 9 3 in clause v by striking ''commissioned and 10 noncommissioned officers'' and inserting ''cyber oper- 11 ations forces'' 12 SEC 1624 ANNUAL ASSESSMENT OF CYBER RESILIENCY OF 13 NUCLEAR COMMAND AND CONTROL SYSTEM 14 a IN GENERAL --Chapter 24 of title 10 United 15 States Code is amended by adding at the end the following 16 new section 17 '' 499 Annual assessment of cyber resiliency of nu18 clear command and control system 19 '' a IN GENERAL --Not less frequently than annually 20 the Commander of the United States Strategic Command 21 and the Commander of the United States Cyber Command 22 in this section referred to collectively as the 'Commanders' 23 shall jointly conduct an assessment of the cyber resiliency 24 of the nuclear command and control system HR 2810 PAP 748 1 '' b ELEMENTS --In conducting the assessment re- 2 quired by subsection a the Commanders shall-- 3 '' 1 conduct an assessment of the sufficiency and 4 resiliency of the nuclear command and control system 5 to operate through a cyber attack from the Russian 6 Federation the People's Republic of China or any 7 other country or entity the Commanders identify as 8 a potential threat and 9 '' 2 develop recommendations for mitigating 10 any concerns of the Commanders resulting from the 11 assessment 12 '' c REPORT REQUIRED -- 1 The Commanders shall 13 jointly submit to the Chairman of the Joint Chiefs of Staff 14 for submission to the Council on Oversight of the National 15 Leadership Command Control and Communications Sys16 tem established under section 171a of this title in this sec17 tion referred to as the 'Council' a report on the assessment 18 required by subsection a that includes the following 19 20 '' A The recommendations developed under subsection b 2 21 '' B A statement of the degree of confidence of 22 each of the Commanders in the mission assurance of 23 the nuclear deterrent against a top tier cyber threat 24 '' C A detailed description of the approach used 25 to conduct the assessment required by subsection a HR 2810 PAP 749 1 and the technical basis of conclusions reached in con- 2 ducting that assessment 3 4 '' D Any other comments of the Commanders '' 2 The Council shall submit to the Secretary of De- 5 fense the report required by paragraph 1 and any com6 ments of the Council on the report 7 '' 3 The Secretary of Defense shall submit to the con- 8 gressional defense committees the report required by para9 graph 1 any comments of the Council on the report under 10 paragraph 2 and any comments of the Secretary on the 11 report 12 '' d TERMINATION --This section shall terminate on 13 the date that is 10 years after the date of the enactment 14 of the National Defense Authorization Act for Fiscal Year 15 2018 '' 16 b CLERICAL AMENDMENT --The table of sections for 17 chapter 24 of such title is amended by inserting after the 18 item relating to section 498 the following new item ''499 Annual assessment of cyber resiliency of nuclear command and control system '' 19 20 SEC 1625 STRATEGIC CYBERSECURITY PROGRAM a IN GENERAL --The Secretary of Defense shall es- 21 tablish a program to be known as the ''Strategic Cybersecu22 rity Program'' or ''SCP'' in this section referred to as the 23 ''Program'' HR 2810 PAP 750 1 b ELEMENTS --The Program shall be comprised of 2 personnel assigned to the Program by the Secretary from 3 among personnel including regular and reserve members 4 of the Armed Forces civilian employees of the Department 5 and personnel of the research laboratories of the Department 6 of Defense and the Department of Energy who have par7 ticular expertise in the responsibility to be discharged by 8 the Program Any personnel assigned to the Program from 9 among personnel of the Department of Energy shall be so 10 assigned with the concurrence of the Secretary of Energy 11 12 c RESPONSIBILITY -- 1 IN GENERAL --The responsibility of the Pro- 13 gram shall be to carry out activities commonly re- 14 ferred to as ''red-teaming'' to continuously assess the 15 information assurance and improve the overall effec- 16 tiveness of the following of the United States Govern- 17 ment 18 A Offensive cyber systems 19 B Long-range strike systems 20 C Nuclear deterrent systems 21 D National security systems 22 E Critical infrastructure of the Depart- 23 ment of Defense as that term is defined in sec- 24 tion 1650 f 1 of the National Defense Author- HR 2810 PAP 751 1 ization Act for Fiscal Year 2017 Public Law 2 114-329 3 2 SCOPE OF RESPONSIBILITY --In carrying out 4 its activities the Program shall carry out appro- 5 priate reviews of current systems and infrastructure 6 and acquisition plans for proposed systems and infra- 7 structure The review of an acquisition plan for any 8 proposed system or infrastructure shall be carried out 9 before Milestone B approval for such system or infra- 10 11 structure 3 RESULTS OF REVIEWS --The results of each 12 review carried out by the Program pursuant to para- 13 graph 2 including any remedial action rec- 14 ommended by the Program pursuant to such review 15 shall be made available to any agencies or organiza- 16 tions of the Department involved in the development 17 procurement operation or maintenance of the system 18 or infrastructure concerned 19 d REPORTS --The Director of the National Security 20 Agency shall submit to the Secretary of Defense and the con21 gressional defense committees on a quarterly basis a report 22 on the activities of the Program during the preceding cal23 endar quarter Each report shall include the following 24 25 1 A description of the activities of the Program during the calendar quarter covered by such report HR 2810 PAP 752 1 2 A description of particular challenges en- 2 countered in the course of the activities of the Pro- 3 gram during such calendar quarter and of actions 4 taken to address such challenges 5 3 A description of the current plans of the Pro- 6 gram for additional activities 7 e FUNDING --Of the amount authorized to be appro- 8 priated for fiscal year 2018 for operation and maintenance 9 Defense-wide by section 301 and available for the Informa10 tion Systems Security Program as specified in the funding 11 table in section 4301 up to $100 000 000 may be available 12 for the Strategic Cybersecurity Program and its activities 13 in fiscal year 2018 14 f SENSE OF CONGRESS --It is the sense of Congress 15 that the activities conducted under the Program should ad16 dress the most critical systems of the Department of Defense 17 and should supplement not supplant the Cyber Protection 18 Teams of the Department of Defense 19 SEC 1626 EVALUATION OF AGILE ACQUISITION OF CYBER 20 21 TOOLS AND APPLICATIONS a EVALUATION REQUIRED --The Commander of the 22 United States Cyber Command shall conduct an evaluation 23 of alternative methods for developing acquiring and main24 taining software-based cyber tools and applications for the 25 United States Cyber Command the Army Cyber Command HR 2810 PAP 753 1 the Fleet Cyber Command the Air Forces Cyber Command 2 and the Marine Corps Cyberspace Command 3 b GOAL --The goal of the evaluation required by sub- 4 section a is to identify a set of practices that will-- 5 6 1 increase the speed of development of cyber capabilities of the Armed Forces 7 2 provide more effective tools and capabilities 8 for developing acquiring and maintaining cyber 9 tools and applications and 10 3 create a repeatable disciplined process for 11 developing acquiring and maintaining cyber tools 12 and applications whereby progress and success or 13 failure can be continuously measured 14 c CONSIDERATION 15 MENT 16 TICES -- 17 OF AGILE ACQUISITION 1 IN AGILE SOFTWARE DEVELOPAND GENERAL --The OTHER BEST PRAC- evaluation required by 18 subsection a shall include consideration of agile soft- 19 ware development agile acquisition and such other 20 similar best practices of commercial industry 21 2 CONSIDERATIONS --In carrying out the eval- 22 uation required by subsection a the Commander 23 shall assess requirements for implementing the prac- 24 tices described in paragraph 1 consider changes HR 2810 PAP 754 1 that would be necessary to established acquisition 2 practices including the following 3 A The requirements process 4 B Contracting 5 C Testing 6 D User involvement in the development 7 process 8 E Program management 9 F Milestone reviews and approvals 10 G The definitions of ''research and devel- 11 opment'' ''procurement'' and ''sustainment'' 12 H The constraints of current appropria- 13 14 15 tions account definitions d ASSESSMENT QUIREMENTS --In OF TRAINING AND EDUCATION RE- carrying out the evaluation required by 16 subsection a the Commander shall assess training and 17 education requirements for personnel in all areas and at 18 all levels of management relevant to the successful adoption 19 of new acquisition models and methods for developing ac20 quiring and maintaining cyber tools and applications as 21 described in such subsection 22 e SERVICES AND EXPERTISE --In conducting the 23 evaluation required by subsection a the Commander 24 shall-- 25 1 obtain services and expertise from-- HR 2810 PAP 755 1 A the Defense Digital Service and 2 B federally funded research and develop- 3 ment centers such as the Software Engineering 4 Institute and the MITRE Corporation and 5 2 consult with such commercial software com- 6 panies as the Commander considers appropriate to 7 learn about commercial best practices 8 f RECOMMENDATIONS -- 9 1 IN GENERAL --Not later than 120 days after 10 the date of the enactment of this Act the Commander 11 shall submit to the Secretary of Defense recommenda- 12 tions for experimenting with or adopting new acquisi- 13 tion methods including all aspects of implementation 14 necessary for the success of the recommended methods 15 2 CONGRESSIONAL BRIEFING --Not later than 16 14 days after submitting recommendations to the Sec- 17 retary under paragraph 1 the Commander shall 18 brief the congressional defense committees on the rec- 19 ommendations the Commander submitted under para- 20 graph 1 21 g PRESERVATION OF EXISTING AUTHORITY --The 22 evaluation required under subsection a is intended to in23 form future acquisition approaches Nothing in this section 24 shall be construed to limit or impede the exercising of the 25 acquisition authority of the Commander of United States HR 2810 PAP 756 1 Cyber Command under section 807 of the National Defense 2 Authorization Act for Fiscal Year 2016 Public Law 114- 3 92 10 U S C 2224 note 4 h DEFINITIONS --In this section 5 1 The term ''agile acquisition'' means acquisi- 6 tion pursuant to a methodology for delivering mul- 7 tiple rapid incremental capabilities to the user for 8 operational use evaluation and feedback The incre- 9 mental development and fielding of capabilities com- 10 monly called ''spirals'' ''spins'' or ''sprints'' can be 11 measured in a few weeks or months and involve con- 12 tinuous participation and collaboration by users test- 13 ers and requirements authorities 14 2 The term ''agile development'' means develop- 15 ment pursuant to a set of software development meth- 16 odologies based on iterative development in which re- 17 quirements and solutions evolve through collaboration 18 between self-organizing cross-functional teams 19 SEC 1627 REPORT ON COST IMPLICATIONS OF TERMI- 20 NATING DUAL-HAT ARRANGEMENT FOR COM- 21 MANDER OF UNITED STATES CYBER COM- 22 MAND 23 Not later than 90 days after the date of the enactment 24 of this Act the Commander of the United States Cyber 25 Command shall submit to the congressional defense commit- HR 2810 PAP 757 1 tees a report that identifies the costs that would be impli2 cated by meeting the conditions set forth in section 3 1642 b 2 C of the National Defense Authorization Act for 4 Fiscal Year 2017 Public Law 114-328 5 SEC 1628 MODIFICATION OF INFORMATION ASSURANCE 6 7 SCHOLARSHIP PROGRAM a DESIGNATION OF PROGRAM --Section 2200a of 8 title 10 United States Code is amended by adding at the 9 end the following new subsection 10 '' h DESIGNATION OF PROGRAM --A program under 11 which the Secretary provides financial assistance under 12 subsection a shall be known as the 'Department of Defense 13 Cybersecurity Scholarship Program' '' 14 b ALLOCATION OF FUNDING --Subsection f of such 15 section is amended-- 16 1 by inserting '' 1 '' before ''Not less'' and 17 2 by adding at the end the following new para- 18 graph 19 '' 2 Not less than five percent of the amount available 20 for financial assistance under this section for a fiscal year 21 shall be available for providing financial assistance for the 22 pursuit of an associate degree '' 23 c REINVIGORATION PLAN REQUIRED --Not later 24 than September 30 2018 the Secretary of Defense shall sub25 mit to the congressional defense committees a plan for rein- HR 2810 PAP 758 1 vigorating the Department of Defense Cyber Scholarship 2 Program authorized under section 2200a of such title as 3 amended by subsections a and b 4 SEC 1629 MEASURING COMPLIANCE OF COMPONENTS OF 5 DEPARTMENT OF DEFENSE WITH CYBERSE- 6 CURITY REQUIREMENTS FOR SECURING IN- 7 DUSTRIAL CONTROL SYSTEMS 8 a IN GENERAL --The Secretary of Defense shall 9 make such changes to the scorecard as are necessary to en10 sure that the Secretary measures each component of the De11 partment of Defense in its progress towards securing the 12 industrial control systems of the Department against cyber 13 threats including supervisory control and data acquisition 14 systems SCADA distributed control systems DCS pro15 grammable logic controllers PLC and platform informa16 tion technology PIT 17 b SCORECARD DEFINED --In this section the term 18 ''scorecard'' means the Department of Defense Cyber Score19 card for the measuring of the performance of components 20 of the Department against basic cybersecurity requirements 21 as outlined in the Department of Defense Cybersecurity Dis22 cipline Implementation Plan HR 2810 PAP 759 1 SEC 1630 EXERCISE ON ASSESSING CYBERSECURITY SUP- 2 PORT TO ELECTION SYSTEMS OF STATES 3 4 a INCLUSION TION SYSTEMS IN OF CYBER VULNERABILITIES IN ELEC- CYBER GUARD EXERCISES --The Sec- 5 retary of Defense shall incorporate the cybersecurity of elec6 tions systems of the States as a component of the Cyber 7 Guard Exercise 8 b REPORT ON BEST PRACTICES --Not later than 180 9 days after the date of the enactment of this Act the Sec10 retary of Defense shall submit to the congressional defense 11 committees a report on the capabilities readiness and best 12 practices of the National Guard to assist the Governors if 13 called upon to defend elections systems from cyberattacks 14 SEC 1630A REPORT ON VARIOUS APPROACHES TO CYBER 15 16 DETERRENCE a IN GENERAL --Not later than 180 days after the 17 date of the enactment of this Act the Secretary of Defense 18 shall submit to the congressional defense committees a re19 port on various approaches to cyber deterrence 20 b CONTENTS --The report required by subsection a 21 shall include the following 22 1 Identification definition and explanation of 23 the various theoretical approaches to cyber deterrence 24 2 An assessment of the relative strengths and 25 weaknesses of each of such approaches relative to the 26 threat and relative to one another HR 2810 PAP 760 1 2 3 A recommendation for a cyber deterrence theory and doctrine for the Armed Forces 3 4 An alternative analysis or dissenting view of 4 the recommendation included under paragraph 3 5 that explains the weaknesses of the recommended the- 6 ory and doctrine and offers an alternative theory or 7 doctrine 8 c CONSULTATION --In preparing the report required 9 by subsection a the Secretary shall consult with experts 10 from the Government industry and academia 11 SEC 1630B PROHIBITION ON USE OF SOFTWARE PLAT- 12 13 FORMS DEVELOPED BY KASPERSKY LAB a PROHIBITION --No department agency organiza- 14 tion or other element of the Department of Defense may 15 use whether directly or through work with or on behalf of 16 another organization or element of the Department or an17 other department or agency of the United States Govern18 ment any software platform developed in whole or in part 19 by Kaspersky Lab or any entity of which Kaspersky Lab 20 has a majority ownership 21 b SEVERANCE OF NETWORK CONNECTIONS --The 22 Secretary of Defense shall ensure that any network connec23 tion between a department agency organization or other 24 element of the Department of Defense and a department or 25 agency of the United States Government that is using or HR 2810 PAP 761 1 hosting on its networks a software platform described in 2 subsection a is immediately severed 3 c EFFECTIVE DATE --This section shall take effect 4 on October 1 2018 5 SEC 1630C 6 7 REPORT ON CYBER APPLICATIONS OF BLOCKCHAIN TECHNOLOGY a REPORT REQUIRED --Not later than 180 days 8 after the date of the enactment of this Act the Secretary 9 of Defense in consultation with the heads of such other 10 agencies and departments as the Secretary considers appro11 priate shall submit to the appropriate committees of Con12 gress a report on the potential offensive and defensive cyber 13 applications of blockchain technology and other distributed 14 database technologies and an assessment of efforts by foreign 15 powers extremist organizations and criminal networks to 16 utilize these technologies Such report shall also include an 17 assessment of the use or planned use of blockchain tech18 nologies by the United States Government or critical infra19 structure networks and the vulnerabilities of such networks 20 to cyber attacks 21 b FORM OF REPORT --The report required by a 22 may be submitted-- 23 1 in classified form or 24 2 in unclassified form with a classified annex HR 2810 PAP                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu