Last week Rep. Ratcliffe (R,TX) introduced HR 5222, the Iran
Cyber Sanctions Act of 2016. The bill would require reports from the President
to Congress on conducted on the United States at the behest of the government
of Iran. The bill is similar to S 2756
that was introduced in the Senate last month.
Differences between House and Senate Versions
While both bills would require presidential reports on
Iranian cyber-attacks on the United States, there are some significant
differences. The first, and probably least significant, is that the Senate bill
requires the first report within 180 days of enactment of the bill, while this
bill requires the first report in 90 days.
The most significant difference is also found in Section
2(a)(1) of the respective bills. Both bills require the reports on “significant
activities undermining cybersecurity”. The Senate bill requires reports on
activities conducted by “Iranian persons” while the House bill targets “by
persons on behalf of or at the direction of the Government of Iran”.
Another difference is found in §2(b). The paragraph requires the President to add
persons identified in the periodic reports required in this bill to the “designated
nationals and blocked persons list maintained by the Office of Foreign Assets
Control [OFAC] of the Department of the Treasury” {§2(b)(1)}. The Senate version of the bill
also requires listing of “any Iranian person” under indictment for “significant
activities undermining cybersecurity against the Government of the United
States or any United States person” {§2(b)(1)(B)}. The House version of the
bill only addresses “any person”.
The House version of the bill adds a new §2(c). It requires the
President to take property blocking actions under EO 13694 for anyone
identified in §2(b).
The final area where there are significant differences
between the two bills is in the definitions paragraph {§2(d) in the Senate bill; §2(e) in the House bill}. The House bill does not
contain a definition of ‘Iranian person’ since that term is not used in the
House bill. Additionally, the House bill adds another sub-paragraph to the
definition of ‘United States person’: “any government (Federal, State, or
local) entity” {§2(e)(3)(C)}.
Moving Forward
Ratcliffe is not a member of either the House Foreign Affairs
or Judiciary Committees, the two committees to which the bill was referred for
consideration. This means that it would be extremely difficult for him to
influence either committee to consider the bill. The more likely way that this
bill could get considered would be to add it as an amendment to an
appropriations or authorization bill.
I do not see anything in the bill that would raise any
significant opposition to the bill if it were to be considered on the floor of
either the House or Senate.
Commentary
The differences between the two versions of the bill would
mean that the House bill would not require (but would allow) the President to
include in his listings purely criminal attacks on US businesses that originate
in Iran. It would seem to me that limiting these requirements to politically
motivated attacks would be a more reasonable application of US sanctions.
I am still concerned that the bill continues to ignore
control system security, particularly with the recent conversations about
vulnerabilities in the National Grid and press reports of Iranian attacks on
physical infrastructure. This concern could be rectified by adding a
sub-paragraph §2(e)(2)(A)(ii);
“interfere with the operation of an industrial control system at any critical
infrastructure facility;”.
If Ratcliffe really wants to see this bill become law,
rather than just establish his anti-Iranian credentials, he really needs to
work at getting co-sponsors to this bill that serve on either the Foreign Affairs
or Judiciary (or both) Committees; the higher ranking the better. That way he
would have a champion that could apply the appropriate legislative pressures to
have the bill considered in Committee.