Text: S.3378 — 115th Congress (2017-2018)All Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in Senate (08/23/2018)


115th CONGRESS
2d Session
S. 3378


To impose sanctions with respect to state-sponsored cyber activities against the United States, and for other purposes.


IN THE SENATE OF THE UNITED STATES

August 23, 2018

Mr. Gardner (for himself and Mr. Coons) introduced the following bill; which was read twice and referred to the Committee on Foreign Relations


A BILL

To impose sanctions with respect to state-sponsored cyber activities against the United States, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Cyber Deterrence and Response Act of 2018”.

SEC. 2. Findings.

Congress finds the following:

(1) On February 13, 2018, the Director of National Intelligence stated in his testimony before the Select Committee on Intelligence of the Senate that “Russia, China, Iran, and North Korea will pose the greatest cyber threats to the United States during the next year” through the use of cyber operations as low-cost tools of statecraft, and assessed that those countries would “work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations”.

(2) The 2017 Worldwide Threat Assessment of the United States intelligence community stated, “The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits. The risk is growing that some adversaries will conduct cyber attacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war.”.

(3) On March 29, 2017, President Donald J. Trump deemed it necessary to continue the national emergency declared in Executive Order 13694 (50 U.S.C. 1701 note; relating to blocking the property of certain persons engaging in significant malicious cyber-enabled activities) as “[s]ignificant malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States, continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States”.

(4) On January 5, 2017, former Director of National Intelligence James Clapper, former Under Secretary of Defense for Intelligence Marcel Lettre, and Commander of the United States Cyber Command Admiral Michael Rogers, submitted joint testimony to the Committee on Armed Services of the Senate that stated that “[a]s of late 2016 more than 30 nations are developing offensive cyber attack capabilities” and that “[p]rotecting critical infrastructure, such as crucial energy, financial, manufacturing, transportation, communication, and health systems, will become an increasingly complex national security challenge”.

(5) There is significant evidence that hackers affiliated with foreign governments have conducted cyber operations targeting entities and critical infrastructure sectors in the United States as the Department of Justice has announced that—

(A) on March 24, 2016, 7 Iranians working for entities affiliated with Iran’s Revolutionary Guard Corps were indicted for conducting distributed denial of service attacks against the financial sector in the United States from 2012 to 2013; and

(B) on May 19, 2014, 5 Chinese military hackers were charged for hacking United States entities in the nuclear power, metals, and solar products industries and engaging in economic espionage.

(6) In May 2017, North Korea released “WannaCry” pseudo-ransomware, which posed a significant risk to the economy, national security, and the citizens of the United States and the world, as it resulted in the infection of more than 300,000 computer systems in more than 150 countries, including in the healthcare sector of the United Kingdom, demonstrating the global reach and cost of cyber-enabled malicious activity.

(7) In June 2017, the Russian Federation carried out the most destructive cyber-enabled operation in history, releasing the NotPetya malware that caused billions of dollars’ worth of damage within Ukraine and across Europe, Asia, and the Americas.

(8) On May 31, 2018, the Department of State, pursuant to section 3(b) of Executive Order 13800 (82 Fed. Reg. 22391; relating to strengthening the cybersecurity of Federal networks and critical infrastructure), issued a document entitled “Recommendations to the President on Deterring Adversaries and Better Protecting the American People From Cyber Threats”, which stated, “With respect to activities below the threshold of the use of force, the United States should, working with likeminded partners when possible, adopt an approach of imposing swift, costly, and transparent consequences on foreign governments responsible for significant malicious cyber activities aimed at harming U.S. national interests.”.

SEC. 3. Actions to address state-sponsored cyber activities against the United States.

(a) Designation as a critical cyber threat actor.—

(1) IN GENERAL.—The President, acting through the Secretary of State, and in coordination with the heads of other relevant Federal agencies, shall designate as a critical cyber threat actor—

(A) each foreign person and each agency or instrumentality of a foreign state that the President determines to be knowingly responsible for or complicit in, or to have knowingly engaged in, directly or indirectly, state-sponsored cyber activities that are reasonably likely to result in, or have contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of—

(i) causing a significant disruption to the availability of a computer or network of computers;

(ii) harming, or otherwise significantly compromising the provision of service by, a computer or network of computers that support one or more entities in a critical infrastructure sector;

(iii) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;

(iv) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;

(v) destabilizing the financial sector of the United States by tampering with, altering, or causing a misappropriation of data; or

(vi) interfering with or undermining election processes or institutions by tampering with, altering, or causing misappropriation of data;

(B) each foreign person that the President determines to have knowingly, significantly, and materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activities described in subparagraph (A) by a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under subparagraph (A); and

(C) each agency or instrumentality of a foreign state that the President determines to have significantly and materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activities described in subparagraph (A) by a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under subparagraph (A).

(2) PUBLICATION IN FEDERAL REGISTER.—

(A) IN GENERAL.—The President shall—

(i) publish in the Federal Register a list of each foreign person and each agency or instrumentality of a foreign state designated as a critical cyber threat actor under this subsection; and

(ii) regularly update the list not later than 7 days after making any changes to the list, and publish in the Federal Register such updates.

(B) EXCEPTION.—

(i) IN GENERAL.—The President may withhold from publication in the Federal Register under subparagraph (A) the identification of any foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under this subsection if the President determines that withholding such identification—

(I) is important to the national security interests of the United States; or

(II) is for an important law enforcement purpose.

(ii) TRANSMISSION.—If the President exercises the authority under this subparagraph to withhold from publication in the Federal Register the identification of a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under this subsection, the President shall transmit to the appropriate congressional committees in classified form a report containing any such identification, together with the reasons for exercising such authority.

(b) Non-Travel-Related sanctions.—

(1) IN GENERAL.—The President shall impose one or more of the applicable sanctions described in paragraph (2) with respect to each foreign person and each agency or instrumentality of a foreign state designated as a critical cyber threat actor under subsection (a).

(2) SANCTIONS DESCRIBED.—The sanctions to be imposed under paragraph (1) with respect to a foreign person or an agency or instrumentality of a foreign state designated as a critical cyber threat actor under subsection (a) are the following:

(A) The President may provide for the withdrawal, limitation, or suspension of United States security assistance under part II of the Foreign Assistance Act of 1961 (22 U.S.C. 2301 et seq.) to or involving the foreign person or agency or instrumentality.

(B) The President may direct the United States executive director to each international financial institution to use the voice and vote of the United States to oppose any loan from the international financial institution that would benefit the foreign person or agency or instrumentality.

(C) The President may, pursuant to such regulations or guidelines as the President may prescribe, prohibit any United States person from investing in or purchasing significant amounts of equity or debt instruments of the foreign person or agency or instrumentality.

(D) The President may, pursuant to such regulations or guidelines as the President shall prescribe (which shall include the opportunity to appeal actions under this subparagraph), prohibit any United States agency or instrumentality from procuring, or entering into any contract for the procurement of, any goods, technology, or services, or classes of goods, technology, or services, from the foreign person or agency or instrumentality.

(E) The President may order the heads of the appropriate United States agencies to not issue any (or a specified number of) specific licenses, and to not grant any other specific authority (or a specified number of authorities), to export, reexport, or transfer any goods or technology originating in the United States to the foreign person or agency or instrumentality under—

(i) the Export Administration Act of 1979 (50 U.S.C. 4601 et seq.) (as continued in effect pursuant the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.)) (or any successor Act);

(ii) the Arms Export Control Act (22 U.S.C. 2751 et seq.);

(iii) the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.); or

(iv) any other statute that requires the prior review and approval of the United States Government as a condition for the export, reexport, or transfer of goods or services originating in the United States.

(F) (i) The President may exercise all of the powers granted to the President under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (except that the requirements of section 202 of such Act (50 U.S.C. 1701) shall not apply) to the extent necessary to block and prohibit all transactions in property and interests in property of the foreign person or agency or instrumentality if such property and interests in property are in the United States, come within the United States, or are or come within the possession or control of a United States person.

(ii) The penalties provided for in subsections (b) and (c) of section 206 of the International Emergency Economic Powers Act (50 U.S.C. 1705) shall apply to a person that violates, attempts to violate, conspires to violate, or causes a violation of regulations prescribed under clause (i) to the same extent that such penalties apply to a person that commits an unlawful act described in subsection (a) of such section 206.

(G) The President may, pursuant to such regulations as the President may prescribe, prohibit any transfers of credit or payments between one or more financial institutions or by, through, or to any financial institution, to the extent that such transfers or payments are subject to the jurisdiction of the United States and involve any interest of the foreign person or agency or instrumentality.

(c) Travel-Related sanctions.—

(1) ALIENS INELIGIBLE FOR VISAS, ADMISSION, OR PAROLE.—An alien who is designated as a critical cyber threat actor under subsection (a) is—

(A) inadmissible to the United States;

(B) ineligible to receive a visa or other documentation to enter the United States; and

(C) otherwise ineligible to be admitted or paroled into the United States or to receive any other benefit under the Immigration and Nationality Act (8 U.S.C. 1101 et seq.).

(2) CURRENT VISAS REVOKED.—The issuing consular officer, the Secretary of State, or the Secretary of Homeland Security (or a designee of either such Secretary) shall revoke any visa or other entry documentation issued to an alien designated as a critical cyber threat actor under subsection (a) regardless of when the visa or other documentation is issued. A revocation under this paragraph shall take effect immediately and shall automatically cancel any other valid visa or entry documentation that is in the possession of the alien.

(d) Additional sanctions with respect to foreign states.—

(1) IN GENERAL.—The President may impose any of the sanctions described in paragraph (2) with respect to a foreign state if the President determines that the government of the foreign state aided, abetted, or directed a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under subsection (a).

(2) SANCTIONS DESCRIBED.—The sanctions that may be imposed under paragraph (1) with respect to a foreign state are the following:

(A) The President may provide for the withdrawal, limitation, or suspension of non-humanitarian or non-trade-related assistance United States development assistance under chapter 1 of part I of the Foreign Assistance Act of 1961 (22 U.S.C. 2151 et seq.) to the foreign state.

(B) The President may provide for the withdrawal, limitation, or suspension of United States security assistance under part II of the Foreign Assistance Act of 1961 (22 U.S.C. 2301 et seq.) to the foreign state.

(C) The President may instruct the United States Executive Director to each appropriate international financial institution to use the voice and vote of the United States to oppose the extension by the institution of any loan or financial assistance to the foreign state.

(D) The President may prohibit the exportation to the foreign state of any item on the United States Munitions List established pursuant to section 38 of the Arms Export Control Act (22 U.S.C. 2778) or the Commerce Control List set forth in Supplement No. 1 to part 774 of title 15, Code of Federal Regulations.

(e) Implementation.—The President may exercise all authorities provided under sections 203 and 205 of the International Emergency Economic Powers Act (50 U.S.C. 1702 and 1704) to carry out this section.

(f) Exemptions, waivers, and removals of sanctions and designations.—

(1) EXEMPTIONS.—

(A) MANDATORY EXEMPTIONS.—The following activities shall be exempt from sanctions under subsections (b), (c), and (d):

(i) Activities subject to the reporting requirements of title V of the National Security Act of 1947 (50 U.S.C. 3091 et seq.), or to any authorized intelligence activities of the United States.

(ii) Any transaction necessary to comply with—

(I) United States obligations under—

(aa) the Agreement between the United Nations and the United States of America regarding the Headquarters of the United Nations, signed June 26, 1947, and entered into force on November 21, 1947; or

(bb) the Vienna Convention on Consular Relations, signed April 24, 1963, and entered into force on March 19, 1967; or

(II) other international commitments of the United States.

(2) WAIVER.—The President may waive the imposition of sanctions under this section for a period of not more than one year, and may renew such waiver for additional periods of not more than one year, if the President submits to the appropriate congressional committees a written determination that such waiver meets one or more of the following requirements:

(A) Such waiver is important to the economic or national security interests of the United States.

(B) Such waiver will further the enforcement of this Act or is for an important law enforcement purpose.

(C) Such waiver is for an important humanitarian purpose.

(3) REMOVALS OF SANCTIONS AND DESIGNATIONS.—The President may prescribe rules and regulations for the removal of sanctions under subsections (b), (c), and (d) and the removal of designations under subsection (a) if the President determines that a foreign person, agency or instrumentality of a foreign state, or foreign state subject to such sanctions or designation, as the case may be, has—

(A) verifiably ceased its participation in any of the conduct with respect to which such foreign person, agency or instrumentality, or foreign state was subject to such sanctions or designation, as the case may be, under this section; and

(B) has given assurances that such foreign person, agency or instrumentality, or foreign state, as the case may be, will no longer participate in such conduct.

(g) Rule of construction.—Nothing in this section may be construed to limit the authority of the President under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any other provision of law to impose sanctions to address critical cyber threat actors and malicious state-sponsored cyber activities.

(h) Definitions.—In this section:

(1) ADMITTED; ALIEN.—The terms “admitted” and “alien” have the meanings given such terms in section 101 of the Immigration and Nationality Act (8 U.S.C. 1101).

(2) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—

(A) the Committee on Foreign Affairs, the Committee on Financial Services, the Committee on the Judiciary, the Committee on Oversight and Government Reform, and the Committee on Homeland Security of the House of Representatives; and

(B) the Committee on Foreign Relations, the Committee on Banking, Housing, and Urban Affairs, the Committee on the Judiciary, and the Committee on Homeland Security and Governmental Affairs of the Senate.

(3) AGENCY OR INSTRUMENTALITY OF A FOREIGN STATE.—The term “agency or instrumentality of a foreign state” has the meaning given such term in section 1603(b) of title 28, United States Code.

(4) CRITICAL INFRASTRUCTURE SECTOR.—The term “critical infrastructure sector” means any of the critical infrastructure sectors identified in Presidential Policy Directive No. 21, entitled “Critical Infrastructure Security and Resilience” and dated February 12, 2013.

(5) FOREIGN PERSON.—The term “foreign person” means a person that is not a United States person.

(6) FOREIGN STATE.—The term “foreign state” has the meaning given such term in section 1603(a) of title 28, United States Code.

(7) KNOWINGLY.—The term “knowingly”, with respect to conduct, a circumstance, or a result, means that a person has actual knowledge, or should have known, of the conduct, the circumstance, or the result.

(8) MISAPPROPRIATION.—The term “misappropriation” means taking or obtaining by improper means, without permission or consent, or under false pretenses.

(9) STATE-SPONSORED CYBER ACTIVITIES.—The term “state-sponsored cyber activities” means any malicious cyber-enabled activities that—

(A) are carried out by a government of a foreign state or an agency or instrumentality of a foreign state; or

(B) are carried out by a foreign person that is aided, abetted, or directed by a government of a foreign state or an agency or instrumentality of a foreign state.

(10) UNITED STATES PERSON.—The term “United States person” means—

(A) a United States citizen or an alien lawfully admitted for permanent residence to the United States; or

(B) an entity organized under the laws of the United States or of any jurisdiction within the United States, including a foreign branch of such an entity.