Bill SponsorBILLSPONSOR
Bill Sponsor
Politicians
Bills
House Bill 5576
115th Congress(2017-2018)
Cyber Deterrence and Response Act of 2018
Active
Active
Passed House on Sep 5, 2018
Overview
Text
About Linkage
Multiple bills can contain the same text. This could be an identical bill in the opposite chamber or a smaller bill with a section embedded in a larger bill.
Bill Sponsor regularly scans bill texts to find sections that are contained in other bill texts. When a matching section is found, the bills containing that section can be viewed by clicking "View Bills" within the bill text section.
Bill Sponsor is currently only finding exact word-for-word section matches. In a future release, partial matches will be included.
About Linkage
Multiple bills can contain the same text. This could be an identical bill in the opposite chamber or a smaller bill with a section embedded in a larger bill.
Bill Sponsor regularly scans bill texts to find sections that are contained in other bill texts. When a matching section is found, the bills containing that section can be viewed by clicking "View Bills" within the bill text section.
Bill Sponsor is currently only finding exact word-for-word section matches. In a future release, partial matches will be included.
Jump To
H. R. 5576 (Introduced-in-House)


115th CONGRESS
2d Session
H. R. 5576


To address state-sponsored cyber activities against the United States, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

April 18, 2018

Mr. Yoho (for himself, Mr. Royce of California, Mr. Engel, Mr. Sherman, Mr. Langevin, Mr. Chabot, Mr. Poe of Texas, Mr. Fitzpatrick, Mr. Meadows, and Mr. Castro of Texas) introduced the following bill; which was referred to the Committee on Foreign Affairs, and in addition to the Committees on Financial Services, Oversight and Government Reform, and the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To address state-sponsored cyber activities against the United States, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Cyber Deterrence and Response Act of 2018”.

SEC. 2. Findings.

Congress finds the following:

(1) On February 13, 2018, the Director of National Intelligence stated in his testimony before the Senate Select Committee on Intelligence that “Russia, China, Iran, and North Korea will pose the greatest cyber threats to the United States during the next year” through the use of cyber operations as low-cost tools of statecraft, and assessed that these states would “work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations”.

(2) The 2017 Worldwide Threat Assessment of the United States Intelligence Community stated that “The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits. The risk is growing that some adversaries will conduct cyber attacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war.”.

(3) On March 29, 2017, President Donald J. Trump deemed it necessary to continue the national emergency declared in Executive Order 13694 as “Significant malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States, continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”.

(4) On January 5, 2017, former Director of National Intelligence, James Clapper, former Undersecretary of Defense for Intelligence, Marcel Lettre, and the Commander of the United States Cyber Command, Admiral Michael Rogers, submitted joint testimony to the Committee on Armed Services of the Senate that stated “As of late 2016 more than 30 nations are developing offensive cyber attack capabilities” and that “Protecting critical infrastructure, such as crucial energy, financial, manufacturing, transportation, communication, and health systems, will become an increasingly complex national security challenge.”.

(5) There is significant evidence that hackers affiliated with foreign governments have conducted cyber operations targeting companies and critical infrastructure sectors in the United States as the Department of Justice has announced that—

(A) on March 24, 2016, seven Iranians working for Iran’s Revolutionary Guard Corps-affiliated entities were indicted for conducting distributed denial of service attacks against the financial sector in the United States from 2012 to 2013; and

(B) on May 19, 2014, five Chinese military hackers were charged for hacking United States companies in the nuclear power, metals, and solar products industries, and engaging in economic espionage.

(6) In May 2017, North Korea released “WannaCry” pseudo-ransomware, which posed a significant risk to the economy, national security, and the citizens of the United States and the world, as it resulted in the infection of over 300,000 computer systems in more than 150 countries, including in the healthcare sector of the United Kingdom, demonstrating the global reach and cost of cyber-enabled malicious activity.

(7) In June 2017, Russia carried out the most destructive cyber-enabled operation in history, releasing the NotPetya malware that caused billions of dollars’ worth of damage within Ukraine and across Europe, Asia, and the Americas.

SEC. 3. Actions to address state-sponsored cyber activities against the United States.

(a) Designation as a critical cyber threat.—

(1) IN GENERAL.—The President, acting through the Secretary of State, shall designate as a critical cyber threat—

(A) each foreign person and each agency or instrumentality of a foreign state that the President determines to be responsible for or complicit in, or have engaged in, directly or indirectly, state-sponsored cyber activities that are reasonably likely to result in, or have contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of—

(i) causing a significant disruption to the availability of a computer or network of computers;

(ii) harming, or otherwise significantly compromising the provision of service by, a computer or network of computers that support one or more entities in a critical infrastructure sector;

(iii) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;

(iv) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;

(v) destabilizing the financial sector of the United States by tampering with, altering, or causing a misappropriation of data; or

(vi) interfering with or undermining election processes or institutions by tampering with, altering, or causing misappropriation of data;

(B) each foreign person that the President has determined to have knowingly materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activities described in subparagraph (A) by a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat under subparagraph (A);

(C) each agency or instrumentality of a foreign state that the President has determined to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activities described in subparagraph (A) by a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat under subparagraph (A);

(D) each foreign person that the President has determined to have attempted to engage in any of the activities described in subparagraph (A) or (B); or

(E) each agency or instrumentality of a foreign state that the President has determined to have attempted to engage in any of the activities described in subparagraph (A) or (C).

(2) PUBLICATION IN FEDERAL REGISTER.—The President shall—

(A) publish in the Federal Register a list of each foreign person and each agency or instrumentality of a foreign state designated as a critical cyber threat under this subsection; and

(B) regularly update such list not later than seven days after making any changes to the list.

(b) Non-Travel-Related sanctions.—

(1) IN GENERAL.—The President shall impose one or more of the applicable sanctions described in paragraph (2) with respect to each foreign person and each agency or instrumentality of a foreign state designated as a critical cyber threat under subsection (a).

(2) SANCTIONS DESCRIBED.—The sanctions described in this paragraph are the following:

(A) The President may provide for the withdrawal, limitation, or suspension of non-humanitarian United States development assistance under chapter 1 of part I of the Foreign Assistance Act of 1961.

(B) The President may provide for the withdrawal, limitation, or suspension of United States security assistance under part II of the Foreign Assistance Act of 1961.

(C) The President may direct the United States executive director to each international financial institution to use the voice and vote of the United States to oppose any loan from the international financial institution that would benefit the designated foreign person or the designated agency or instrumentality of a foreign state.

(D) The President may direct the Export-Import Bank of the United States, the Overseas Private Investment Corporation, or any other United States Government agency not to approve the issuance of any (or a specified number of) guarantees, insurance, extensions of credit, or participations in the extension of credit.

(E) The President may, pursuant to such regulations or guidelines as the President may prescribe, prohibit any United States person from investing in or purchasing significant amounts of equity or debt instruments of the designated foreign person or the designated agency or instrumentality of a foreign state.

(F) The President may, pursuant to such regulations or guidelines as the President may prescribe, prohibit any United States agency or instrumentality from procuring, or entering into any contract for the procurement of, any goods, technology, or services, or classes of goods, technology, or services, from the designated foreign person or the designated agency or instrumentality of a foreign state.

(G) The President may order the heads of the appropriate United States agencies to not issue any (or a specified number of) specific licenses, and to not grant any other specific authority (or a specified number of authorities), to export any goods or technology to the designated foreign person or the designated agency or instrumentality of a foreign state under—

(i) the Export Administration Act of 1979 (as continued in effect pursuant the International Emergency Economic Powers Act);

(ii) the Arms Export Control Act;

(iii) the Atomic Energy Act of 1954; or

(iv) any other statute that requires the prior review and approval of the United States Government as a condition for the export or re-export of goods or services.

(H) (i) The President may exercise all of the powers granted to the President under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (except that the requirements of section 202 of such Act (50 U.S.C. 1701) shall not apply) to the extent necessary to block and prohibit all transactions in property and interests in property of the designated foreign person if such property and interests in property are in the United States, come within the United States, or are or come within the possession or control of a United States person.

(ii) The penalties provided for in subsections (b) and (c) of section 206 of the International Emergency Economic Powers Act (50 U.S.C. 1705) shall apply to a person that violates, attempts to violate, conspires to violate, or causes a violation of regulations prescribed under clause (i) to the same extent that such penalties apply to a person that commits an unlawful act described in subsection (a) of such section 206.

(I) The President may, pursuant to such regulations as the President may prescribe, prohibit any transfers of credit or payments between one or more financial institutions or by, through, or to any financial institution, to the extent that such transfers or payments are subject to the jurisdiction of the United States and involve any interest of the designated foreign person.

(c) Travel-Related sanctions.—

(1) ALIENS INELIGIBLE FOR VISAS, ADMISSION, OR PAROLE.—An alien who is designated as a critical cyber threat under subsection (a) is—

(A) inadmissible to the United States;

(B) ineligible to receive a visa or other documentation to enter the United States; and

(C) otherwise ineligible to be admitted or paroled into the United States or to receive any other benefit under the Immigration and Nationality Act (8 U.S.C. 1101 et seq.).

(2) CURRENT VISAS REVOKED.—The issuing consular officer, the Secretary of State, or the Secretary of Homeland Security (or a designee of either such Secretaries) shall revoke any visa or other entry documentation issued to the foreign person designated as a critical cyber threat under subsection (a) regardless of when issued. A revocation under this clause shall take effect immediately and shall automatically cancel any other valid visa or entry documentation that is in the possession of such foreign person.

(d) Additional sanctions with respect to foreign states.—

(1) IN GENERAL.—The President may impose any of the sanctions described in paragraph (2) with respect to the government of each foreign state that the President has determined aided, abetted, or directed a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat under subsection (a).

(2) SANCTIONS DESCRIBED.—The sanctions referred to in paragraph (1) are the following:

(A) The President may provide for the withdrawal, limitation, or suspension of non-humanitarian or non-trade-related assistance United States development assistance under chapter 1 of part I of the Foreign Assistance Act of 1961.

(B) The President may provide for the withdrawal, limitation, or suspension of United States security assistance under part II of the Foreign Assistance Act of 1961.

(C) The President may instruct the United States Executive Director to each appropriate international financial institution to oppose, and vote against the extension by such institution of any loan or financial or technical assistance to the government of the foreign state.

(D) No item on the United States Munitions List (established pursuant to section 38 of the Arms Export Control Act (22 U.S.C. 2778)) or the Commerce Control List set forth in Supplement No. 1 to part 774 of title 15, Code of Federal Regulations, may be exported to the government of the foreign state.

(E) The President may, pursuant to such regulations as the President may prescribe, prohibit any transactions in foreign exchange that are subject to the jurisdiction of the United States and in which the government of the foreign state has any interest.

(F) The President may, pursuant to such regulations as the President may prescribe, prohibit any transfers of credit or payments between one or more financial institutions or by, through, or to any financial institution, to the extent that such transfers or payments are subject to the jurisdiction of the United States and involve any interest of the government of the foreign state.

(e) Exemptions, waivers, and removals of sanctions and designations.—

(1) EXEMPTIONS.—

(A) MANDATORY EXEMPTIONS.—The following activities shall be exempt from sanctions under subsections (b), (c), and (d):

(i) Activities subject to the reporting requirements of title V of the National Security Act of 1947 (50 U.S.C. 413 et seq.), or to any authorized intelligence activities of the United States.

(ii) Any transaction necessary to comply with United States obligations under the Agreement between the United Nations and the United States of America regarding the Headquarters of the United Nations, signed June 26, 1947, and entered into force on November 21, 1947, or under the Vienna Convention on Consular Relations, signed April 24, 1963, and entered into force on March 19, 1967, or under other international agreements.

(2) WAIVER.—The President may waive, on a case-by-case basis, the imposition of sanctions for a period of not more than one year, and may renew that waiver for additional periods of not more than one year, any sanction or penalty under this section if the President submits to the appropriate congressional committees a written determination that the waiver meets one or more of the following requirements:

(A) The waiver is important to the economic or national security interests of the United States.

(B) The waiver will further the enforcement of this Act or is for an important law enforcement purpose.

(C) The waiver is for an important humanitarian purpose.

(3) REMOVALS OF SANCTIONS AND DESIGNATIONS.—The President may prescribe rules and regulations for the removal of sanctions under subsections (b), (c), and (d) and the removal of designations under subsection (a) if the President determines that a foreign person, agency or instrumentality of a foreign state, or government of a foreign state subject to such sanctions, as the case may be, has verifiably ceased its participation in any of the conduct with respect to which the foreign person, agency or instrumentality of a foreign state, or government of a foreign state, as the case may be, was subject to sanctions under this section and has given assurances that it will no longer participate in such conduct.

(4) EXCEPTION TO COMPLY WITH UNITED NATIONS HEADQUARTERS AGREEMENT.—Sanctions under subsection (c) shall not apply to a foreign person if admitting the foreign person into the United States is necessary to permit the United States to comply with the Agreement regarding the Headquarters of the United Nations, signed at Lake Success June 26, 1947, and entered into force November 21, 1947, between the United Nations and the United States, or other applicable international obligations.

(f) Briefing to Congress.—

(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this section, and periodically thereafter, the President shall provide to the appropriate congressional committees a briefing on state-sponsored cyber activities against the United States.

(2) MATTERS TO BE INCLUDED.—The briefing required by paragraph (1) shall, include the following, to the extent the information is available:

(A) A list of foreign states that continue to aid, abet, or direct any foreign person or agency or instrumentality of a foreign state to carry out state-sponsored cyber activities against the United States, including—

(i) a list of entities within the United States critical infrastructure that are believed to have been, or are currently still, subject to state-sponsored cyber activities by each such foreign state; and

(ii) a list of such foreign persons and agencies and instrumentalities of foreign states that the President has reason to believe are engaging, or have engaged in, state-sponsored cyber activities against the United States but are not currently designated under subsection (b).

(B) A list of the foreign persons and agencies and instrumentalities of foreign states with respect to which the imposition of sanctions were waived or removed under subsection (f).

(C) A summary of any efforts made by the Government of the United States to resolve and bring an immediate end to state-sponsored cyber activities against the United States that could result in the designation as a critical cyber threat under subsection (a).

(g) Definitions.—In this section:

(1) ADMITTED; ALIEN.—The terms “admitted” and “alien” have the meanings given such terms in section 101 of the Immigration and Nationality Act (8 U.S.C. 1101).

(2) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—

(A) the Committee on Foreign Affairs, the Committee on Financial Services, the Committee on the Judiciary, the Committee on Oversight and Government Reform, and the Committee on Homeland Security of the House of Representatives; and

(B) the Committee on Foreign Relations, the Committee on Banking, Housing, and Urban Affairs, the Committee on the Judiciary, and the Committee on Homeland Security and Governmental Affairs of the Senate.

(3) AGENCY OR INSTRUMENTALITY OF A FOREIGN STATE.—The term “agency or instrumentality of a foreign state” has the meaning given such term in section 1603(b) of title 28, United States Code.

(4) CRITICAL INFRASTRUCTURE SECTOR.—The term “critical infrastructure sector” means any of the designated critical infrastructure sectors identified in the Presidential Policy Directive entitled “Critical Infrastructure Security and Resilience”, numbered 21, and dated February 12, 2013.

(5) FOREIGN PERSON.—The term “foreign person” means—

(A) an individual who is not a United States citizen or an alien lawfully admitted for permanent residence to the United States; or

(B) an entity that is not a United States person.

(6) FOREIGN STATE.—The term “foreign state” has the meaning given such term in section 1603(a) of title 28, United States Code.

(7) KNOWINGLY.—The term “knowingly”, with respect to conduct, a circumstance, or a result, means that a person has actual knowledge, or should have known, of the conduct, the circumstance, or the result.

(8) MISAPPROPRIATION.—The term “misappropriation” means taking or obtaining by improper means, without permission or consent, or under false pretenses.

(9) STATE-SPONSORED CYBER ACTIVITIES.—The term “state-sponsored cyber activities” means any cyber-enabled activities that—

(A) are carried out by an agency or instrumentality of a foreign state; or

(B) are carried out by a foreign person that is aided, abetted, or directed by a foreign state or an agency or instrumentality of a foreign state.

(10) UNITED STATES PERSON.—The term “United States person” means—

(A) a United States citizen or an alien lawfully admitted for permanent residence to the United States; or

(B) an entity organized under the laws of the United States or of any jurisdiction within the United States, including a foreign branch of such an entity.