Monday, May 3, 2021

HR 1607 Introduced – HACT Act

Back in early March Rep Allred (D,TX) introduced HR 1607, the Homeland And Cyber Threat (HACT) Act. The bill would remove foreign state immunity from lawsuits brought for injuries incurred from computer intrusions by a foreign state.

NOTE: GPO finally published the language for this bill last Friday, almost two months after it was introduced. COVID has had an impact on the operations of the GPO, that is understood. I think this, however, is more than just work-from-home issues. We saw many government organizations lose workers during the Trump Administration. I am beginning to think that may be part of the issue here.

The Language

The bill would amend 28 USC Chapter 27, Jurisdictional Immunities of Foreign States, by adding a new §1605C. Subsection 1605C(a) would allow lawsuits to proceed for any of the following activities, whether occurring in the United States or a foreign state:

• Unauthorized access to or access exceeding authorization to a computer located in the United States.

• Unauthorized access to confidential, electronic stored information located in the United States.

• The transmission of a program, information, code, or command to a computer located in the United States, which, as a result of such conduct, causes damage without authorization.

• The use, dissemination, or disclosure, without consent, of any information obtained by means of any activity described in paragraph (1), (2), or (3).

• The provision of material support or resources for any activity described above, including by an official, employee, or agent of such foreign state.

Subsection 1605C(b) would limit the application of this removal of immunity “to any action pending on or filed on or after the date of the enactment of this Act.”

Moving Forward

Allred is not a member of the House Judiciary Committee, the Committee to which this bill was assigned for consideration, but five of his 26 cosponsors {Rep Correa, J. Luis (D,CA), Rep Neguse, Joe (D,CO), Rep Demings, Val Butler (D,FL), Rep Garcia, Sylvia R. (D,TX), and Rep Chabot, Steve (R,OH)} are. This means that there may be enough influence to have this bill considered in Committee.

There will be bipartisan support for this measure, but I suspect that there will also be bipartisan opposition. That opposition will be from those who would be reluctant to advance any additional changes to the Foreign Sovereign Immunities Act of 1976 which forms the basis of Chapter 27. Sovereign immunity is a staple of international law and Congress has been very careful about authorizing exceptions to that concept. How much that will affect support for this bill remains to be seen.


The crafters of this bill have avoided most of the technical terms that have drawn my ire over the years. So, we do not have the normal concerns about terms like ‘information system’ or ‘cybersecurity risk’ or ‘control system’. They have been able to do this by focusing more on the outcome of a cyber attack than the means of the attack.

While the bill continues to use some IT-focused language related to unauthorized access, there is one paragraph that could be considered to specifically address attacks related to industrial control systems:

“The transmission of a program, information, code, or command to a computer located in the United States, which, as a result of such conduct, causes damage without authorization.”

A strict interpretation of ‘to a computer’ would, however, not seem to apply to an attack on the component levels of industrial control systems. Thus, for instance, a Stuxnet-type attack on centrifuges would not technically be covered under this language. The fix would be relatively simple: change ‘command to a computer’ to read ‘command to or thru a computer’. This would tend to leave out devices that could be contacted directly through a wireless communications system connection, but there would probably still be a ‘computer’ connection somewhere in the data network that would allow the definition to be used by a talented lawyer.

Arguably, the most important part of the bill is found in the new §1605C(a)(5), the ‘material support or resources’ provision. This is due to the difficulty in proving that a foreign State was the perpetrator of an attack. This allows the petitioner to make the somewhat easier proof that the State provided ‘material support’ to the organization perpetrating the attack rather than having to prove that the State directed the attack.

This bill makes no attempt to address the issue of attribution for attacks. Instead, it allows the courts unfettered authority to establish the acceptable standards for attribution. Since the bill limits the sovereign immunity exemption to civil suits, courts would be using the ‘reasonable man’ standard rather than the ‘beyond reasonable doubt’ standard used in criminal cases. Thus, we could expect to see many more civil actions than the government could be bringing in criminal cases.

No one should expect that this legislation, if passed, would have any great impact on the support in foreign capitals for cyber attacks on the United States. Some adversaries, North Korea comes immediately to mind, have few or no assets in the US that would be attachable in favorable judgements. Other countries like Iran (and probably Russia) would see such judgements as an acceptable cost of pursuing these types of attacks (as they have done with their support of terrorist organizations). But it would allow injured parties to seek and obtain some level of redress for their losses in these attacks.
