HR 3364 Introduced – Foreign Sanctions

Earlier this week Rep. Royce (R,CA) introduced HR 3364, the Countering America’s Adversaries Through Sanctions Act. The bill provides for a variety of sanctions in response to actions taken (and future actions that may be taken) by Russia, Iran and North Korea. The bill specifically includes sanctions to be taken against Russia for cybersecurity related actions. These actions are outlined in:

§222. Codification of sanctions relating to the Russian Federation.
§224. Imposition of sanctions with respect to activities of the Russian Federation undermining cybersecurity.
§235. Sanctions described.

Imposing Sanctions

Section 222 of the bill continues in effect existing cybersecurity related sanctions under EO 13694 “relating to blocking the property of certain persons engaging in significant malicious cyber enabled activities), and Executive Order 13757” {§222(a)}.

Section 224 of the bill requires the President to impose sanctions upon any person the President determines that {§224(a)(1)}:

• Knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation; or
• Is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly, a person described above.

The required sanctions include {§224(b)}:

• Asset blocking;
• Exclusion from the united states and revocation of visa or other documentation;

Additionally, the President is directed to {§224(a)(2)}:

• Impose 5 or more of the sanctions described in §235 with respect to any person that the President determines knowingly materially assists, sponsors, or provides financial, material, or technological support for, or goods or services (except financial services) in support of, a cybersecurity activity described above; and
• Impose 3 or more of the sanctions described in 22 USC 8923(c) with respect to any person that the President determines knowingly provides financial services in support of a cybersecurity activity described above.

The “significant activities undermining cybersecurity” mentioned in this section include significant efforts to {§224(d)}:

• To deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or
• To exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of:
Conducting influence operations; or
Causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain;
• Significant destructive malware attacks; and
• Significant denial of service activities.

New Sanctions

Section 235 of the bill describes a new set of sanctions available to the President for imposition in response to significant activities undermining cybersecurity and other non-cybersecurity regimes described in the bill. Those sanctions include {§235(a)}:

• Export-import bank assistance for exports to sanctioned persons;
• Export sanction;
• Loans from united states financial institutions;
• Loans from international financial institutions;
• Prohibitions on financial institutions;
• Procurement sanction;
• Foreign exchange;
• Banking transactions;
• Property transactions;
• Ban on investment in equity or debt of sanctioned person;
• Exclusion of corporate officers;
• Sanctions on principal executive officers.

Moving Forward

As I mentioned earlier this week, this bill passed in the House on Tuesday with a strongly bipartisan vote. I suspect that it will be taken up quickly in the Senate where it will pass with broad support (possibly under the unanimous consent process).

I have seen one report that the President may veto the bill if/when it gets to his desk. If the vote in the House is any indicator of support in the Senate (and that is never a perfect predictor) then there are probably more than enough votes available to override any veto on this bill.


One of the reasons that this bill is getting bipartisan support is that it provides Democrats an apparent opportunity to hold the President’s feet to the political fire with regards to cyber operations by Russia. While the bill does require the President to impose sanctions, there are two necessary weasel word provisions that provide potential escape hatches.

First the bill only requires the President to impose sanctions when he “determines” that the sanctioned activity has taken place. Given Trump’s public statements about the inability to really know who is responsible for cyber activities (a statement with which, to some extent at least, many cyber professionals would agree), this may be a very substantial loop hole.

The second is a very real recognition of the President’s prerogatives with respect to foreign affairs and national defense. In every instant where the bill requires the President to impose sanctions it specifically provides the President to avoid that requirement by certifying to Congress that an exception is needed due to ‘vital national security interests of the United States’ or that failure to impose sanctions will further enforcement of the provisions of this bill. Interestingly, the crafters of this bill added an additional requirement to these certifications; the President also has to certify that the “that the Government of the Russian Federation has made significant efforts to reduce the number and intensity of cyber intrusions conducted by that Government” {§224(c)(2) for example}.

Neither of these necessary loopholes detracts from the seriousness of the provisions of this bill. While economic sanctions like those outlined in this bill do not have a strong history of success, they are a necessary step to notify opponents (like Russia, Iran and North Korea) that their actions have consequences without the necessity of employing physical (military) or (increasingly more likely) cyber force to get the opponent to modify their behavior.

What might have made this bill more effective in countering the explicated actions of these three adversaries would have been included some sort of reference to possible future application of more expansive responses. It would have been easy to add a requirement for the President to report on the effectiveness of the required sanctions 18 months after they were applied along with a recommendation to Congress as to what escalative measures, up to and including military force if necessary, may be required to stop the sanctioned behavior.

