Should the President Respond to Foreign States' Cyberattacks Under a Formal Process? (H.R. 5576)

What is H.R. 5576?

(Updated April 17, 2019)

This bill — known as the Cyber Deterrence and Response Act of 2018 — would establish a strategy for the U.S. to respond to attacks by foreign state-sponsored hackers by giving the president the authority to identify, respond to, and deter cyber attackers.

The president, acting through the Secretary of State, would designate the following as critical cyber threats:

• Foreign persons and foreign state agencies that the president deems to be responsible for or complicit in state-sponsored cyber activities that have threatened U.S. national security, foreign policy, economic health, or financial stability;

• Foreign persons that the president has determined to have knowingly materially assisted or provided support for cyber attacks against the U.S. by a foreign person or foreign state agency;

• Foreign state agencies that the president has determined to have materially assisted or supported cyber attacks against the U.S. by a foreign person or agency;

• Foreign persons that the president has determined to have attempted to engage in or support cyber attacks against the U.S.; and

• Foreign agencies that the president has determined to have attempted to engage in or support cyber attacks against the U.S.

This bill would also establish a comprehensive, uniform list of foreign hacking groups to give government agencies common terminology when discussing cyberthreats. This list would be published in the Federal Register, and would include input from various federal agencies.

The president would impose either  travel-related or non-travel-related sanctions (or both) with respect on foreign persons and states designated as critical cyber threats. Non-travel related sanctions include:

• Withdrawal or suspension of non-humanitarian U.S. development assistance or security assistance; U.S. opposition to international financial institutions’ loans to hostile foreign states; directing the Export-Import Bank, the Overseas Private Investment Corporation, or other U.S. agencies not to approve guarantees, insurance, credit, or extension of credit; import restrictions; and export restrictions.

Travel-related sanctions include: making foreign nationals designated as critical cyber threats inadmissible to the U.S., ineligible to receive a visa to enter the U.S., and otherwise ineligible to be admitted or paroled into the U.S.; and revoking vias or other entry documentation issued to foreign persons designated as critical cyber threats.

Foreign states could be subject to additional sanctions from the president, including: banning the export of items on the U.S. Munitions List to the governments of foreign states designed as critical cyber threats; prohibiting transactions in foreign exchange in which the governments of foreign states designated as critical cyber threats have an interest; and prohibit transfers or credit or payments between one or more financial institutions when those transactions are subject to U.S. jurisdiction and involve any interest of the government of the foreign state.

On a case-by-case basis, the president could waive the imposition of sanctions for a period of up to one year, and could then renew that waiver for additional periods of no more than one year. When waivers are granted, the appropriate Congressional committees would have to  receive written determinations from the president attesting to the reason for the waiver.

The president may remove sanctions if the president determines the foreign person or foreign state subject to sanctions has verifiably ceased participation in cyber attacks against the U.S.

The president shall be required to periodically report to Congress about state-sponsored cyber activities against the U.S.

Argument in Favor:

Argument Against:

Impact:

State-sponsored hackers; cyber terrorism; cyber warfare; the President; and the Federal Register

Cost:

The CBO estimates that implementing this bill would cost less than $500,000 over the 2019-2023 period.

In-Depth:

Rep. Ted Yoho (R-FL) introduced this bill to combat state-sponsored cyber threats by creating a three-step process for identifying, deterring, and responding to state-sponsored cyber attacks:

“Not all threats to our national security are kinetic. More and more, countries who wish to weaken the United States and disrupt our way of life are using keyboards and the internet. China, North Korea, Iran, Russia, and other malicious actors have developed sophisticated capabilities that can disrupt our networks, endanger our critical infrastructure, harm our economy, and undermine our elections. These cyber attacks must be stopped. My Cyber Deterrence and Response Act will shine a light on these countries and create a framework that not only deters but provides the proper response for their actions. It is vital that when these attacks happen, they are exposed, pulled out of the shadows, and punished accordingly.”

Writing in The Guardian in 2013, Adam Segal, the Maurice R. Greenberg Senior Fellow for China Studies at the Council on Foreign Relations, argued that cyberattacks are difficult to retaliate against due to the limited — and still-undefined — definitions of what constitutes an attack or legitimate target:

“There are still no mutually agreed upon terms of what types of cyber-attacks would be considered a use of force or what constitutes a legitimate target. A standoff could very easily escalate, producing unintended and disastrous outcomes, if both sides miscommunicate and misperceive red lines… [the U.S. and potential adversaries, such as China] should try and dispel the growing mistrust by explaining their national interests and intentions in cyberspace.”

In 2016, the Justice Department’s top national security official, John Carlin, assistant attorney general for national security, argued that the most successful tools the U.S. federal government has employed to deter cyber attacks against the U.S. have been legal, rather than tit-for-tat counterattacks or retaliation. Carlin pointed to a September 2015 agreement between then-President Barack Obama and President Xi Jinping, which was credited to a ratcheting up of prosecutions and sanctions, as proof of the effectiveness of legal consequences as a deterrent for state-sponsored cyber attacks and a means for defining what is and isn’t acceptable cyber activity under international law:

“This new approach of investigation and attribution showed we can find out who’s doing these things, and that’s because Sony did the right thing and reported it to government... Two, we said it: That’s new. Take it out of the intelligence channels and be public about it, because that’s the only way to change the behavior of the people who are launching these attacks, but also the other countries who are watching them get away with it… The idea is that if you let someone walk across your lawn for long enough, they get the right to walk across your lawn. It’s called an easement, and that’s how international law works. We had a situation where attacking private companies was the day job for uniformed members of the second largest military in the world, and that case was a giant no-trespass sign: ‘Get off our lawn.’”

In a continuation of the Obama administration’s position as stated in Executive Order 13694, the Trump administration deems cyber security a national emergency.

Christopher Painter, who served for six years as the United States’ top cyber diplomat at the State Department, argues that more structure around sanctions for state-sponsored cyber violence is needed:

“[W]e still need to do a better job of actually imposing consequences on those countries that actually make a difference, and I think that requires a lot more strategic thought… I think we're creating a norm of inactivity, that these are acceptable [behaviors] because no one does anything about it."

This legislation passed the House Foreign Affairs Committee with unanimous support and currently has the support of 13 bipartisan cosponsors of this bill, including seven Democrats and six Republicans.

Of Note:

State-sponsored cyberattacks against the U.S. have been an issue in recent years, with Russian interference in U.S. elections and Chinese state-sponsored hackers compromising a U.S. Navy contractor to steal sensitive military intelligence being only two examples of the threat. Government agencies and employees aren’t the only targets of state-sponsored hacks, either: hacks at Sony Pictures Entertainment and the Las Vegas Sands Hotel and Casino have been blamed on North Korea and Iran, respectively.

As of 2017, the Federal Bureau of Investigation is already on a mission to publicly shame cyber criminals after they’ve been caught, as part of an effort to ensure malicious actors can’t count on anonymity. Paul Abbate, the FBI’s executive assistant director of the Criminal, Cyber, Response and Services Branch, told the U.S. Chamber of Commerce, that criminals can depend on the fact that “[they] will be identified pursued, and held to account no matter where you are in the world.”

The FBI’s cyber response team is focused on tracking high-level network and computer intrusion by state-sponsored hackers and global organized crime syndicates, which are often operating from overseas. According to Abate, once it identifies these actors, the FBI seeks to “impose costs on them,” which may include “economic sanctions, prison terms, or battlefield death,” as well as “publicly nam[ing] them, sham[ing] them, and let[ting] everyone know who they are… [so they] don’t feel immune of anonymous.”

In April 2015, then-President Barack Obama signed an executive order giving the executive branch additional authority to punish overseas hackers. Executive Order 13694 gave the Secretary of the Treasury the authority “to impose sanctions on individuals or entities that engage in significant malicious cyber-enabled activities” in those cases that pose “a significant threat to the national security, foreign policy or economic health or financial stability of the United States.”

The Treasury Department has used sanctions to punish state-sponsored cyber terrorism during the Trump administration. In June 2018, the Treasury Department added five Russian companies and three Russian individuals to its sanctions list for providing “material and technological support” to the FSB. Treasury Secretary Steven Mnuchin, in a statement, called the entities designated at that time direct contributors “to improving Russia’s cyber and underwater capabilities through their work with the FSB and therefore jeopardiz[ing] the safety and security of the United States and our allies.”

At present, the President has wide discretion over releasing information about foreign cyber campaigns. Both the Obama and Trump White Houses have been hesitant to take Congressional direction on punishing cyber attacks, with the general feeling being that a strict menu of responses to an attack limits strategic flexibility.

Media:

Sponsoring Rep. Ted Yoho (R-FL) Press Release

CBO Cost Estimate

Summary by Lorelei Yang

Argument in favor

State-sponsored cyberattacks are on the rise, and it’s important to fight them with every tool in the U.S. government’s arsenal. This includes broad sanctions and punishments for individuals and state actors involved in cyberattacks against the U.S. – and this bill is a necessary expansion of the president’s power to impose such consequences.

Argument opposed

The White House and executive branch agencies already have the authority to use all the sanctions and tools in this bill — and there’s no need for a more formalized structure to ensure action is taken.

Impact

Cost of H.R. 5576

Additional Info