Thursday, March 21, 2019

HR 1493 Introduced – Cyber Sanctions


Earlier this month Rep. Yoho (R,FL) introduced HR 1493, the Cyber Deterrence and Response Act of 2019. The bill is very similar to S 602 introduced last month in the Senate and less similar to HR 5567 introduced last session by Yoho, which was passed by the House but not taken up by the Senate.

Differences


This bill contains the same additions to HR 5567 that I mentioned were seen in S 602. The Senate bill did contain a reference {§3(d)(2)(D)} to the Export Control Reform Act of 2018 {50 USC 4813(a)(1)} that could not have been included in HR 5567 since the Act had not been passed when the bill was introduced. That reference is not included in this bill. This means that any successor munitions control list created in accordance with §4813 provisions would not automatically be included in the sanctions applicable under this bill.

Paragraph (f) from S 602 that provided for the applicability of penalties under the Emergency Economic Powers Act {50 USC 1705(b) and (c)} to violations of §3(b)(2)(H) of this bill was not included in S 602. This may be because Yoho’s staff considered those provisions to be included by reference in §3(b)(2)(H). Or, it may just have been an oversight.

Moving Forward


As with HR 5567 last year, Yoho and his cosponsors are influential, bipartisan members of the committees to which this bill was assigned for consideration. Last session this influence was enough to ensure consideration in a Republican-controlled House, both in the Foreign Affairs Committee and on the floor of the House. In both places it received strong bipartisan support.

Similar bipartisan support would be expected this year, but it remains to be seen if the priorities of the Democratic leadership will allow for the same consideration of this bill.

Commentary


I still have the same problems with this bill that I had with S 602: the lack of definition of the term ‘cyber activities’ that could trigger the designation of ‘a critical cyber threat’. While I understand that a certain amount of latitude should be allowed for in that definition as cyber technologies and attack methodologies evolve, I do think that a definition is required to constrain actions of the President.

Having said that, it is probably incumbent upon me to provide a suggested definition. I would suggest the following changes to the definition of ‘state sponsored cyber activities’:

“The term ‘‘state-sponsored cyber activities’’ means any malicious cyber-enabled activities incident (as defined in 6 USC 659(a) [proposed here]) that directly affected government information systems, a critical infrastructure information system or a control system that affected public safety and was caused by  
“(A) are carried out by a government of a foreign state or an agency or instrumentality of a foreign state; or
“(B) are carried out by a foreign person that is aided, abetted, or directed by a government of a foreign state or an agency or instrumentality of a foreign state.
