A new bipartisan companion bill that requires the President to act against foreign hackers targeting the U.S. again implicates the Trump administration’s lack of clearly defined responses to cyber attacks.
U.S. Senators Cory Gardner (R-CO) and Chris Coons (D-DE) last week announced the Senate's version of the Cyber Deterrence and Response Act (S.3378), which has been shuttled over to the Committee on Foreign Relations before it can be considered by the full House and Senate. The proposed legislation complements the similarly named House of Representatives-originated legislation (H.R.5576), introduced last April by Senator Ted Yoho (R-FL) that outlines how the President may choose to act in the wake of a nation-state cyber attack.
The bills demand that should the President choose not to enact one or more of a number of specific responses, an explanation must be made to Congress.
Similar to the House bill, S.3378 frames both cyber actions, culpable entities and U.S. responses. Here’s a partial list of what the President can or must do under the proposed legislation:
- Public notice. Must label as a critical cyber threat actor “each foreign person and each agency or instrumentality of a foreign state” determined to be responsible for state-sponsored cyber activities that threaten U.S. national security, foreign policy, or economic health or financial stability. Must publish names or agencies in the Federal Register and designate them as a critical cyber threat actor. The Register must be updated no later than seven days following any changes.
- Security. Can withdraw, limit or suspend U.S. security assistance to or involving the foreign person or agency.
- International finance. Can oppose any loan from the international financial institution that would benefit the foreign person or agency. Can prohibit any U.S. person from investing in or purchasing significant amounts of equity or debt instruments of the foreign person or agency.
- Procurement. May bar any U.S. agency from procuring, or entering into any contract for the procurement of any goods, technology, or services, or classes of goods, technology, or services, from the foreign person or agency.
- Trade. May order the heads of the appropriate U.S. agencies to not issue any licenses to export, re-export, or transfer any goods or technology originating in the U.S. to the foreign person or agency.
- Travel. A person designated as a critical cyber threat actor won’t be granted a visa or other documentation to enter the U.S. or any other immigration benefit. A current visa will be revoked.
Under the bill’s stipulations, the President must impose sanctions on the threat actors or waive any action for up to a year. If no action is taken, the President must explain to Congress why not based on economic, national security, law enforcement or humanitarian grounds.
The bill explicitly calls out meddling in U.S. elections, citing as an infraction “interfering with or undermining election processes or institutions by tampering with, altering, or causing misappropriation of data.”
Senator Gardner called the bill “another step that Congress and the Administration can take to deter foreign actors from carrying out cyberattacks against the United States.”
It’s difficult to say at this point if the Administration will approve the framework both bills suggest, although a stream of similarly intended measures are in play. For example, top brass at the U.S. State Department, Treasury and Defense are reportedly prepping a sharp offensive to fight back against state-sponsored cyber hackers (read Russia) attacking the country’s critical infrastructure facilities. Penalties being weighed include more indictments against hackers, detaining suspects apprehended in other countries, and more asset seizures and sanctions.
In addition, President Trump last month reversed an existing Obama-era mandate that required multi-agency buy-in ahead of retaliatory cyber strikes. Trump’s order is intended to enable the country to rapidly deliver a harsh reply should a nation-state again interfere in the country’s elections or to free up a military response, reports said.
And, last week legislators accused Trump of going too easy on Russia for cyber meddling in the 2016 elections and new hacks directed at the 2018 mid-terms, pushing for more, harsher sanctions.