Last month Rep. Yoho (R,FL) introduced HR 5567, the Cyber
Deterrence and Response Act of 2018. The bill would require the President to
identify foreign persons or agencies of a foreign state that are ‘critical
cyber threats’ and impose sanctions on such persons or agencies.
Definitions
Section 3(g) of the bill provides a lengthy list of
definitions of terms used in the bill. The only ‘cyber’ related definition in
that list is “state sponsored cyber activities”. That is defined as any
cyber-enabled activities that are carried out by an agency or instrumentality
of a foreign state; or are carried out by a foreign person that is aided,
abetted, or directed by a foreign state or an agency or instrumentality of a
foreign state {§3(g)(9)}.
That definition is expanded in §3(a)(1)(A) by a listing of the types of cyber
activities “that are reasonably likely to result in, or have contributed to, a
significant threat to the national security, foreign policy, or economic health
or financial stability of the United States”. They would include events that
have the purpose or effect of:
• Causing a significant disruption
to the availability of a computer or network of computers;
• Harming, or otherwise
significantly compromising the provision of service by, a computer or network
of computers that support one or more entities in a critical infrastructure
sector;
• Significantly compromising the provision
of services by one or more entities in a critical infrastructure sector;
• Causing a significant misappropriation
of funds or economic resources, trade secrets, personal identifiers, or financial
information for commercial or competitive advantage or private financial gain;
• Destabilizing the financial
sector of the United States by tampering with, altering, or causing a
misappropriation of data; or
• Interfering with or undermining election processes
or institutions by tampering with, altering, or causing misappropriation of
data.
Sanctions
The President would then be required to impose one or more
sanctions from a lengthy list of travel and non-travel related sanctions on
the designated critical cyber threats. The President is allowed to waive the
imposition of sanctions if it is certified to Congress that one or more of the
following requirements has been met {§3(e)(2)}:
• The waiver is important to the
economic or national security interests of the United States.
• The waiver will further the
enforcement of this Act or is for an important law enforcement purpose.
• The waiver is for an important
humanitarian purpose.
Moving Forward
Yoho is a member of the House Foreign Affairs Committee, one
of the four committees to which this bill was assigned for consideration. Cosponsors
that are also members of that Committee include:
• Rep. Sherman (D,CA);
• Rep. Royce (R,CA);
• Rep. Engel (D,NY);
• Rep. Chabot (R,OH) (Chair of the
Judiciary Committee to which the bill was also assigned);
• Rep. Poe (R,TX);
• Rep. Fitzpatrick (R,PA);
• Rep. Meadows (R,NC) (also on
Oversight and Government Reform Committee to which this bill was also
assigned);
• Rep. Castro (D,TX); and
• Rep. Lieu (D,CA)
This would seem to indicate that there is a good possibility
that the Foreign Affairs Committee, which would be the primary committee of jurisdiction
for this bill, will consider the bill. The bill would certainly garner
bipartisan support within the Committee and probably before the full House.
Commentary
In many ways this bill can be seen as an expansion of HR
3364, the Countering America’s Adversaries Through Sanctions Act, which
passed in both the House and Senate
and was ultimately signed by President Trump (PL 115-44, not yet published by
GAO). That earlier bill was targeted at cyber operations by three countries:
Russia, Iran and North Korea, and in many ways codified the provisions of EO
13694. This bill would expand the countries and agencies to which the President
could apply sanctions.
The lack of technical definitions in this bill for such terms
as ‘computer or network of computers’ or ‘compromising the provision of
service’ is a two-edged sword. A broad interpretation by the President would
certainly allow attacks against industrial control systems to be covered by the
sanctions requirements of the bill. A narrow interpretation, on the other hand,
would allow the President to ignore such attacks with impunity.
This bill has the same deficiency that I noted in my post on
the introduction of HR 3364: there are no provisions for moving beyond sanctions
or even requiring the President to report on the success of sanctions in
preventing additional adverse ‘cyber activities’ by the sanctioned parties.
This is a common failing with sanctions legislation. This allows Congress to
show that they have ‘taken action’ to prevent cyber attacks (in this case)
without ever having to consider the efficacy of those actions.
The bill needs some sort of reporting requirement to ensure
that reports on the efficacy of the sanctions are made to Congress.
Additionally, there needs to be some sort of escalatory language for subsequent
adverse cyber activities by sanctioned parties. At the very least, the
President should be required to impose additional sanctions beyond the minimum
required (1 of the listed sanctions) in this bill.
One other problem needs to be addressed by this bill. This
bill limits the sanction authority to only “state sponsored cyber activities”.
The increasing cyber sophistication of non-state actors such as international
terrorist or transnational criminal organizations means that these types of groups
are becoming a threat to our increasingly cyber-centric society. Adding those
organizations to the coverage of this bill would provide the President with
additional tools to deal with those emerging threats.