Bill Progress

  • Not enacted
    The President has not signed this bill
  • The Senate has not voted
      Senate Committees
      Senate Committee on Foreign Relations
  • The House passed September 5th, 2018
    Passed by Voice Vote
      House Committees
      House Committee on Foreign Affairs
      House Committee on the Judiciary
      House Committee on Oversight and Government Reform
      House Committee on Financial Services
  • Introduced April 18th, 2018

What is it?

This bill — known as the Cyber Deterrence and Response Act of 2018 — would establish a strategy for the U.S. to respond to attacks by foreign state-sponsored hackers by giving the president the authority to identify, respond to, and deter cyber attackers.

The president, acting through the Secretary of State, would designate the following as critical cyber threats:

  • Foreign persons and foreign state agencies that the president deems to be responsible for or complicit in state-sponsored cyber activities that have threatened U.S. national security, foreign policy, economic health, or financial stability;

  • Foreign persons that the president has determined to have knowingly materially assisted or provided support for cyber attacks against the U.S. by a foreign person or foreign state agency;

  • Foreign state agencies that the president has determined to have materially assisted or supported cyber attacks against the U.S. by a foreign person or agency;

  • Foreign persons that the president has determined to have attempted to engage in or support cyber attacks against the U.S.; and

  • Foreign agencies that the president has determined to have attempted to engage in or support cyber attacks against the U.S.

This bill would also establish a comprehensive, uniform list of foreign hacking groups to give government agencies common terminology when discussing cyberthreats. This list would be published in the Federal Register, and would include input from various federal agencies.

The president would impose travel-related sanctions, non-travel-related sanctions, or both on foreign persons and states designated as critical cyber threats. Non-travel-related sanctions include:

  • Withdrawal or suspension of non-humanitarian U.S. development assistance or security assistance; U.S. opposition to international financial institutions’ loans to hostile foreign states; directing the Export-Import Bank, the Overseas Private Investment Corporation, or other U.S. agencies not to approve guarantees, insurance, credit, or extension of credit; import restrictions; and export restrictions.

Travel-related sanctions include: making foreign nationals designated as critical cyber threats inadmissible to the U.S., ineligible to receive a visa to enter the U.S., and otherwise ineligible to be admitted or paroled into the U.S.; and revoking visas or other entry documentation issued to foreign persons designated as critical cyber threats.

Foreign states could be subject to additional sanctions from the president, including: banning the export of items on the U.S. Munitions List to the governments of foreign states designated as critical cyber threats; prohibiting transactions in foreign exchange in which the governments of foreign states designated as critical cyber threats have an interest; and prohibiting transfers of credit or payments between one or more financial institutions when those transactions are subject to U.S. jurisdiction and involve any interest of the government of the foreign state.

On a case-by-case basis, the president could waive the imposition of sanctions for a period of up to one year, and could then renew that waiver for additional periods of no more than one year. When waivers are granted, the appropriate Congressional committees would have to receive written determinations from the president attesting to the reason for the waiver.

The president may remove sanctions if the president determines the foreign person or foreign state subject to sanctions has verifiably ceased participation in cyber attacks against the U.S.

The president shall be required to periodically report to Congress about state-sponsored cyber activities against the U.S.


Argument in Favor:



Argument Against:



Impact:

State-sponsored hackers; cyber terrorism; cyber warfare; the President; and the Federal Register


Cost:

The CBO estimates that implementing this bill would cost less than $500,000 over the 2019-2023 period.


In-Depth:

Rep. Ted Yoho (R-FL) introduced this bill to combat state-sponsored cyber threats by creating a three-step process for identifying, deterring, and responding to state-sponsored cyber attacks:


“Not all threats to our national security are kinetic. More and more, countries who wish to weaken the United States and disrupt our way of life are using keyboards and the internet. China, North Korea, Iran, Russia, and other malicious actors have developed sophisticated capabilities that can disrupt our networks, endanger our critical infrastructure, harm our economy, and undermine our elections. These cyber attacks must be stopped. My Cyber Deterrence and Response Act will shine a light on these countries and create a framework that not only deters but provides the proper response for their actions. It is vital that when these attacks happen, they are exposed, pulled out of the shadows, and punished accordingly.”


Writing in The Guardian in 2013, Adam Segal, the Maurice R. Greenberg Senior Fellow for China Studies at the Council on Foreign Relations, argued that cyberattacks are difficult to retaliate against due to the limited — and still-undefined — definitions of what constitutes an attack or legitimate target:


“There are still no mutually agreed upon terms of what types of cyber-attacks would be considered a use of force or what constitutes a legitimate target. A standoff could very easily escalate, producing unintended and disastrous outcomes, if both sides miscommunicate and misperceive red lines… [the U.S. and potential adversaries, such as China] should try and dispel the growing mistrust by explaining their national interests and intentions in cyberspace.”


In 2016, the Justice Department’s top national security official, John Carlin, assistant attorney general for national security, argued that the most successful tools the U.S. federal government has employed to deter cyber attacks against the U.S. have been legal, rather than tit-for-tat counterattacks or retaliation. Carlin pointed to a September 2015 agreement between then-President Barack Obama and President Xi Jinping, which was credited to a ratcheting up of prosecutions and sanctions, as proof of the effectiveness of legal consequences as a deterrent for state-sponsored cyber attacks and a means for defining what is and isn’t acceptable cyber activity under international law:


“This new approach of investigation and attribution showed we can find out who’s doing these things, and that’s because Sony did the right thing and reported it to government... Two, we said it: That’s new. Take it out of the intelligence channels and be public about it, because that’s the only way to change the behavior of the people who are launching these attacks, but also the other countries who are watching them get away with it… The idea is that if you let someone walk across your lawn for long enough, they get the right to walk across your lawn. It’s called an easement, and that’s how international law works. We had a situation where attacking private companies was the day job for uniformed members of the second largest military in the world, and that case was a giant no-trespass sign: ‘Get off our lawn.’”


In a continuation of the Obama administration’s position as stated in Executive Order 13694, the Trump administration deems cyber security a national emergency.


Christopher Painter, who served for six years as the United States’ top cyber diplomat at the State Department, argues that more structure around sanctions for state-sponsored cyber violence is needed:


“[W]e still need to do a better job of actually imposing consequences on those countries that actually make a difference, and I think that requires a lot more strategic thought… I think we're creating a norm of inactivity, that these are acceptable [behaviors] because no one does anything about it.”


This legislation passed the House Foreign Affairs Committee with unanimous support and currently has 13 bipartisan cosponsors, including seven Democrats and six Republicans.


Of Note:

State-sponsored cyberattacks against the U.S. have been an issue in recent years, with Russian interference in U.S. elections and Chinese state-sponsored hackers compromising a U.S. Navy contractor to steal sensitive military intelligence being only two examples of the threat. Government agencies and employees aren’t the only targets of state-sponsored hacks, either: hacks at Sony Pictures Entertainment and the Las Vegas Sands Hotel and Casino have been blamed on North Korea and Iran, respectively.


As of 2017, the Federal Bureau of Investigation is already on a mission to publicly shame cyber criminals after they’ve been caught, as part of an effort to ensure malicious actors can’t count on anonymity. Paul Abbate, the FBI’s executive assistant director of the Criminal, Cyber, Response and Services Branch, told the U.S. Chamber of Commerce that criminals can depend on the fact that “[they] will be identified, pursued, and held to account no matter where you are in the world.”


The FBI’s cyber response team is focused on tracking high-level network and computer intrusion by state-sponsored hackers and global organized crime syndicates, which are often operating from overseas. According to Abbate, once it identifies these actors, the FBI seeks to “impose costs on them,” which may include “economic sanctions, prison terms, or battlefield death,” as well as “publicly nam[ing] them, sham[ing] them, and let[ting] everyone know who they are… [so they] don’t feel immune or anonymous.”


In April 2015, then-President Barack Obama signed an executive order giving the executive branch additional authority to punish overseas hackers. Executive Order 13694 gave the Secretary of the Treasury the authority “to impose sanctions on individuals or entities that engage in significant malicious cyber-enabled activities” in those cases that pose “a significant threat to the national security, foreign policy or economic health or financial stability of the United States.”


The Treasury Department has used sanctions to punish state-sponsored cyber terrorism during the Trump administration. In June 2018, the Treasury Department added five Russian companies and three Russian individuals to its sanctions list for providing “material and technological support” to the FSB. Treasury Secretary Steven Mnuchin, in a statement, called the entities designated at that time direct contributors “to improving Russia’s cyber and underwater capabilities through their work with the FSB and therefore jeopardiz[ing] the safety and security of the United States and our allies.”


At present, the President has wide discretion over releasing information about foreign cyber campaigns. Both the Obama and Trump White Houses have been hesitant to take Congressional direction on punishing cyber attacks, with the general feeling being that a strict menu of responses to an attack limits strategic flexibility.


Media:

Sponsoring Rep. Ted Yoho (R-FL) Press Release

CBO Cost Estimate

Summary by Lorelei Yang

(Photo Credit: iStock.com / gorodenkoff)

AKA

Cyber Deterrence and Response Act of 2018

Official Title

To address state-sponsored cyber activities against the United States, and for other purposes.

    The President should not be able to arbitrarily decide on these matters. A formal process should be created.
    Like (16)
    Any other President and I would seriously consider it, but not this one. This one can’t be trusted with anything. Who’s to say he won’t try to steer things for his benefit? He has for everything else.
    Like (45)
    1) We need to draft a piece of legislation that acknowledges cyber attacks are the equivalent of an actual attack on domestic soil. 2) We need to secure our cyber security systems and modernize to prevent any previous bugs. 3) #45 is not trustworthy to be in charge of our security. He would keep face with our enemies to prop his own ego before willing to do what’s right for the American public’s safety.
    Like (22)
    The president should not be involved with the topic at all. There are entire departments of various agencies who handle this subject.
    Like (14)
    The White House and executive branch agencies already have the authority to use all the sanctions and tools in this bill — and there’s no need for a more formalized structure to ensure action is taken. I’m also against giving the executive more unilateral power.
    Like (11)
    Absolutely not!! The country can’t afford any more sustained damage or missteps by the current president. Once someone educated and stable assumes the office then revisit this!
    Like (10)
    Sure! Send out a tweet! Lol. In all seriousness this response would require more than the intellectual capital that we have in the White House and Congress combined at this time.
    Like (9)
    Not THIS President
    Like (8)
    What is a formal process? You mean calling the U.N.?? Hahahaha! The World Criminal Court? Hahahaha! No! You Cyber Attack right back! A lot of our government agencies invest a lot of money into the security of their systems against cyber attacks from foreign entities mostly foreign governments! The United States Air Force and Navy as well as CIA and NSA have small armies that do nothing but look at computer monitors and track stuff!! The big corporations are constantly under cyber attack from all over the world! The taxpayer however must not be held accountable for paying the tab of say there is a government agency helping to protect them except Defense Contractors!
    Like (7)
    Instead of responding to attacks across the Internet, the US should make its systems secure.
    Like (7)
    Giving Trump more unilateral power is exceedingly dangerous.
    Like (6)
    We already have laws to do this. I see the office of President getting too much power with each new law like this one.
    Like (6)
    Timely! In this instance, with current POTUS, and the known and recognized erratic behavior and doubtful reliability of his judgement in many diverse circumstances, No More Unilateral power must be encouraged to be practiced by this POTUS-unless. Indispensable oversight by Congress is asserted with their authorizing or denying his selected course of action.
    Like (5)
    We don’t need any new laws. The ones we have are perfect. All we need is a President that isn’t compromised and under the control of a foreign state, i.e., Russia!
    Like (4)
    The president can make recommendations on punishment for those countries who commit cyber attacks against the U.S., but Congress should have the final authority. We need to quit taking power away from one branch and giving it to another. We have three separate branches for a reason with three separate duties and power.
    Like (4)
    I am tired of hearing of continued cyber attacks from Russia and others while this Government does nothing.
    Like (3)
    I believe that our computer techs need to design programs that block these attacks. If we leave it to our Treasonous and obstruction of justice President, he will make a mess out of it, and cause more harm to the American people.
    Like (3)
    This president needs to protect the country whether formally or informally!!! Just do it!!!!
    Like (3)
    I don't trust this president and refuse to expand his power. Congress needs to hold the reins on responding to any act of war, including cyber attacks.
    Like (2)
    Of course! The man must get off Twitter!
    Like (2)