S 2756 Introduced – Iran Cyber Sanctions

Last week Sen. Rounds (R,SD) introduced S 2756, the Iran Cyber Sanctions Act of 2016. The bill would require the President to periodically report to Congress on significant activities undermining cybersecurity conducted by Iranian persons against the Government of the United States or any United States person.

Identification and Sanctions

The bill defines ‘significant activities undermining cybersecurity’ as activities that include {§2(d)}:

• Significant efforts to deny access to or degrade, disrupt, or destroy an information and communications technology system or network, or exfiltrate information from such a system or network without authorization;

• Significant destructive malware attacks;

• Significant denial of service activities; and

• Such other significant activities as may be described in regulations prescribed to implement this section.

The President would be required to report to Congress on such activities every 180 days. Persons identified in those reports and any Iranian indicted for such activities would be required to be include on the specially designated nationals and blocked persons list maintained by the Office of Foreign Assets Control of the Department of the Treasury.

Moving Forward

Rounds is a very junior member of the Banking, Housing, and Urban Affairs Committee, so he could possibly have the influence to move this bill forward in Committee. I suspect that this bill could pass in Committee with at least some bipartisan support. With the summer recess fast approaching and spending bills being the political priority (to pass or block depending on your view), this bill is probably unlikely to make it to the floor of the Senate before the election. Unless, of course, there is a high-profile attack attributed (at least politically) to the Iranians; then all bets are off.

Commentary

The bill does use a legal definition of person that includes individuals and organizations. So the reporting requirement would apply to individuals like those indicted for their alleged attacks on the dam control system in New York, as well as major government organizations like the Revolutionary Guards or less important, semi-governmental hacking organizations.

Actually, the example I used for individuals is probably not a good one. There is nothing in the language of this bill that would indicate that attacks on control systems would be included in ‘significant activities undermining cybersecurity’. The bill does not provide a definition of “an information and communications technology system or network”, either directly or by reference. Even if the bill used the more standard ‘information system’, we might infer that the drafter was using the newer usage that included control systems.

It is interesting that the Iranian’s are being targeted with this bill. Most people rank the threat from Russian or Chinese cyber-attacks (government, government inspired, or criminal enterprise) much higher than the Iranian threat (though Iran gets credit for advancing quickly). The fact that we don’t need anything from Iran while we need to get along with both Russia and China for any number of international policy reasons, certainly would not have anything to do with targeting just threat #3 (or maybe #4 depending on how one ranks North Korea).

The other side of the game is that there are any number of also ran governments or international criminal organizations that pose nearly as much of a threat as Iran. The failure to include such organizations in the bill does little or nothing to address the threats posed from those organizations.

In the end, this is a political bill, not a cybersecurity bill. It may have some minor security benefits, but it really looks like a bill to score political points.