Earlier this week Rep. Brooks (R,AL) introduced HR 3039,
the Providing Retaliation Options against Those Engaging in Cyberattacks Targeting
the United States (PROTECT) Act. The bill would require the establishment
of a ‘State Sponsors of Cyberattacks’ program similar to the ‘State Sponsors of
Terrorism’ program.
Section 3 of the bill does two things:
∙ Requires the establishment of a “List of State-Sponsors of
Cyberattacks”; and
∙ Provides a list of potential penalties that the President is authorized
to impose on nations placed on the List.
List of State-Sponsors of Cyberattacks
Section 3(b) requires the President to submit to Congress a
list of countries that have been designated as State-Sponsors of Cyberattacks.
There are two reasons that are given for a country being put on the list. The
first is a determination that:
“(T)he United States or a United
States person has been targeted in a malicious cyber-enabled activity originating
from, or directed by a person located, in whole or in substantial part, in a
foreign country, and such activity is reasonably likely to result in, or have
materially contributed to, a threat to the national security or foreign policy
of the United States, or harmed the economic health or financial stability of
the United States or a United States person” {§3(b)(2)}.
The second is actually a continuation of the first that
specifies particular forms that ‘harmed’ may take. These include {§3(b)(2)}:
∙ Harming or otherwise significantly compromising the provision of
services by a computer or network of computers that support the United States
or a United States person in a critical infrastructure sector;
∙ Significantly compromising the provision of services by the
United States or a United States person in a critical infrastructure sector;
∙ Causing significant disruption to the availability of a computer
or network of computers owned or operated by the United States or a United
States person;
∙ Causing a significant misappropriation of funds or economic
resources, trade secrets, personally identifiable information, or financial information
of the United States or a United States person.
Once a country is identified as having met any of the above
criteria, the President is required to place it on the List of State-Sponsors of
Cyberattacks.
Penalties
Section 3(c) provides an extensive list of penalties that
the President is authorized to apply to countries that are on the List. The
first allows the President to impose a duty on “any article or service imported
directly or indirectly into the United States that is produced in whole or in
part in a country that is included on the list of state-sponsors of
cyberattacks” {§3(c)(1)}. The list also includes 18 other sanctions, listed in
§3(c)(2), culminating in ordering a trade embargo or ordering a cyber counterattack.
Moving Forward
Brooks is only a member of one of the five committees (Foreign
Affairs) that have been assigned to consider this bill. He is a mid-ranking
member of the Europe, Eurasia, and Emerging Threats Subcommittee that will
probably be assigned initial responsibility within the Foreign Affairs Committee
for consideration of this bill. So he may have the political pull to get this
bill considered in that Committee.
It is not yet clear if there is enough anger in the Congress
over the OPM hack to drive consideration of this bill to the floor. I suspect that
if the bill were to make it to the floor, the lack of a requirement to take
action against the countries ultimately placed on the list would allow enough
members to vote in favor of the bill to obtain passage in the House. I am not
sure that the same applies to the Senate.
Commentary
This bill casts a very wide net in what countries could be
sanctioned by the President under these provisions. The lack of a definition of
“malicious cyber-enabled activity”, and that term’s key role in defining the
actions that would place a country on the List, means that just about any country
could be placed on the List, including any number of friendly allied countries.
More importantly, the United States could certainly be found
on a similar list in any country in the world, since a very large percentage of the
non-state-originated ‘malicious cyber-enabled activity’ in the world originates
from within our borders. Since the bill does not specify that any of the governments
of the countries listed would have to actually be involved in the designated
activities, we wouldn’t have to worry specifically about the Federal governmental
malicious activities that have been exposed by people like Snowden, but those
would certainly place us high on the ‘state sponsors’ list of many countries in
the world.
A lot of definitions are going to have to be significantly
tightened up if the sanction regime that Brooks is trying to implement is to
have any significant effect on malicious cyber activity that is becoming endemic
across the globe. More importantly, we need to determine if we are going to use
these big guns to go after Nigerian bank scams or limit their use to countries
that are specifically attacking the United States.
1 comment:
Appreciate your coverage as always PJ.
You raise valid general policy concerns about the vagueness of the bill and misuse precautions. Having only read historical summaries, I wonder if bills like this and the Monroe Doctrine (for comparison) might need to be intentionally vague in order to avoid loopholes and military red tape.
By intent, I'm reading that this bill was likely intended to affect China and maybe Iran (refer: Iranian sponsored gas pipeline attacks).
Nigerian email phishing attacks and eastern European cyber blackmailing viruses do not seem applicable since they've long been classified as independent or organized crime based theft (not state sponsored). Furthermore, not only do the funding/organizational structures differ, but so do their intents. One type is geared towards financial theft, the other towards compromising national security and military advantage. (Very few cases of Chinese sponsored credit card theft. Case history suggests OPM hack was done for information gathering of Feds (and their login credentials) in military, intelligence and security branches.)
I hope to see continued attention on the policy deficit in cyber warfare. While you're smart to mention the tariff wars often have collateral impacts, I hope that the fear of losing cheap manufacturing resources does not slow our efforts to maintain national security and sovereignty.