Reader Comment – HR 3039

I received an interesting comment from an anonymous reader yesterday about my post on the introduction of HR 3039; well worth reading in its entirety. In passing a comment was made about the “need to be intentionally vague in order to avoid loopholes and military redtape”. Other than having a minor objection to the use of ‘military’ instead of ‘bureaucratic’ as a modifier of ‘red-tape’, I think Anonymous has an interesting point.

In my post I complained about the lack of definition of ‘malicious cyber-enabled activity’ as that definition was key to deciding what countries would/should be included on the list of State Sponsors of Cyberattacks. Lacking a legal definition the President would be given a great deal of leeway as to which countries should be placed on the list.

Anonymous points out that, given recent events, the bill was probably intended to target China and Iran. In fact a press release from the office of Rep. Brooks (R,AL - the bill’s author) specifically mentions reported attacks by China, Iran and North Korea as examples of recent attacks to which the US has not been able to respond.

Now, I am glad that the bill did not specifically mention those three countries (especially since I have not seen compelling evidence that the DPRK was behind the Sony Hack), but it is clear that Brooks (and a very large number of other people) would expect to see these three countries among the first countries placed upon the list.

If this was simply a sanctions bill I would agree that providing the President with a wide degree of latitude in designating countries for a place on the list is good policy. Placement on such a list could be used as a pretty large stick to encourage governments to take actions against cyber thieves working from within their boundaries and that type of stick should be wielded by the President.

But this bill specifically authorizes military action against countries on the list. Did you miss that? See §3(c)(2)(R); the last item on the list of ‘other actions’ that the President is authorized to take is “Ordering a cyber counterattack”. While this may not be a classic military action, there is no doubt that it will be the military that conducts the attack. Likewise, there is little doubt that the targeted country would consider it a military attack and would likely cry to the UN about an act of war perpetrated by the United States.

Now, I have no doubt that there could be cyberattacks that would justify retaliation in kind, or even an expansion of the retaliation to more readily recognizable military attacks. But to give the President blanket authorization to take retaliatory military attacks against countries that might allow bank scammers to operate with impunity seems to me to be a step too far.

If cyber retaliation is going to remain on the list of tools provided to the President (and I could certainly make a whole list of arguments to support that being included) Congress is going to have to do a better job of limiting where that can be employed without coming back for a specific authorization under Article 1, Section 8, Clause 11 of the Constitution (power to declare war). And that is where a definition of the term ‘malicious cyber-enabled activity’ needs to be included in this bill.

In fact, I think that the definition should be structured in such a way as to describe multiple levels of malicious activity that would be keyed to a specific variety of authorized responses. The ultimate level would include ‘any cyber activity that results in, or could reasonably be expected to result in:

∙ ‘The loss of life,

∙ ‘Interference in the operation of the US military aircraft, vessels or spacecraft; or

∙ ‘Interference in the material operation of any critical infrastructure activity.’

The bill should then go on to specify what sort of ‘counter cyberattack’ would be authorized; “A counter cyberattack is authorized to take immediate action to stop the current attack and prevent future attacks by the source of the original cyberattack”.

Again, legislation should probably be written in broad terms to allow for it to continue to fit changing circumstances. But, there are certain activities that should be constrained by law and the power to initiate an attack (even a cyberattack) on a foreign country should be one of those activities.

HR 3039 Introduced – PROTECT Act

Earlier this week Rep. Brooks (R,AL) introduced HR 3039, the Providing Retaliation Options against Those Engaging in Cyberattacks Targeting the United States (PROTECT) Act. The bill would require the establishment of a ‘State Sponsors of Cyberattacks’ program similar to the ‘State Sponsors of Terrorism’ program.

Section 3 of the bill does two things:

∙ Requires the establishment of a “List of State-Sponsors of Cyberattacks”; and

∙ Provides a list of potential penalties that the President is authorized to impose on nations placed on the List.

List of State-Sponsors of Cyberattacks

Section 3(b) requires the President to submit to Congress a list of countries that have been designated as State-Sponsors of Cyberattacks. There are two reasons that are given for a country being put on the list. The first is a determination that:

“(T)he United States or a United States person has been targeted in a malicious cyber-enabled activity originating from, or directed by a person located, in whole or in substantial part, in a foreign country, and such activity is reasonably likely to result in, or have materially contributed to, a threat to the national security or foreign policy of the United States, or harmed the economic health or financial stability of the United States or a United States person” {§3(b)(2)}.

The second is actually a continuation of the first that specifies particular forms that ‘harmed’ may take. These include {§3(b)(2)}:

∙ Harming or otherwise significantly compromising the provision of services by a computer or network of computers that support the United States or a United States person in a critical infrastructure sector;

∙ Significantly compromising the provision of services by the United States or a United States person in a critical infrastructure sector;

∙ Causing significant disruption to the availability of a computer or network of computers owned or operated by the United States or a United States person;

∙ Causing a significant misappropriation of funds or economic resources, trade secrets, personally identifiable information, or financial information of the United States or a United States person.

Once a country is identified as having met any of the above criteria the President is required to place them on the List State-Sponsors of Cyberattacks.

Penalties

Section 3(c) provides an extensive list of penalties that the President is authorized to apply to countries that are on the List. The first allows the President to impose a duty on “any article or service imported directly or indirectly into the United States that is produced in whole or in part in a country that is included on the list of state-sponsors of cyberattacks” {§3(c)(1)}. It includes 18 other sanctions listed in §3(c)(2) culminating in ordering a trade embargo or ordering a cyber counterattack.

Moving Forward

Brooks is only a member of one of the five committees (Foreign Affairs) that have been assigned to consider this bill. He is a mid-ranking member of the Europe, Eurasia, and Emerging Threats Subcommittee that will probably be assigned initial responsibility within the Foreign Affairs Committee for consideration of this bill. So he may have the political pull to get this bill considered in that Committee.

It is not yet clear if there is enough anger in the Congress over the OPM hack to drive consideration of this bill to the floor. I suspect that if the bill were to make it to the floor, the lack of a requirement to take action against the countries ultimately placed on the list would allow enough members to vote in favor of the bill to obtain passage in the House. I am not sure that the same applies to the Senate.

Commentary

This bill casts a very wide net in what countries could be sanctioned by the President under these provisions. The lack of a definition of “malicious cyber-enabled activity” and that term’s key in defining actions that would place a country on the List means that just about any country could be placed on the list, including any number of friendly allied countries.

More importantly, the United States could certainly be found on a similar list in any country in the world since a very large percentage of the non-state originated ‘malicious cyber-enabled activity’ in the world originates from within our borders. Since the bill does not specify that any of the governments of the countries listed would have to actually be involved in the designated activities we wouldn’t have to worry specifically about the Federal governmental malicious activities that have been exposed by people like Snowden, but those would certainly place us high on the ‘state sponsors’ list of many countries in the world.

A lot of definitions are going to have to be significantly tightened up if the sanction regime that Brooks is trying to implement is to have any significant effect on malicious cyber activity that is becoming endemic across the globe. More importantly, we need to determine if we are going to use these big guns to go after Nigerian bank scams or limit their use to countries that are specifically attacking the United States.

Bills Introduced – 07-13-15

There were 22 bills introduced in the House and Senate yesterday. Two of those may be of specific interest to readers of this blog:

HR 3038 To provide an extension of Federal-aid highway, highway safety, motor carrier safety, transit, and other programs funded out of the Highway Trust Fund, and for other purposes. Rep. Ryan, Paul [R-WI-1] 

HR 3039 To impose penalties on state-sponsors of cyberattacks, and for other purposes. Rep. Brooks, Mo [R-AL-5]

The fact that the GPO has already published a copy of HR 3038 indicates that this is on the fast track for consideration. This is another short-term extension (thru December 18^th) of the authorization for various transportation programs. A quick review of the table of contents does not reveal any specific chemical transportation safety or security provisions.

It will be interesting to see what sorts of creative penalties will be proposed by HR 3039 that would not rebound against NSA if imposed by other countries that we are known to have ‘attacked’ by cyber means.