On Wednesday, September 5, 2018, the House of Representatives unanimously passed H.R. 5576, the Cyber Deterrence and Response Act of 2018, by a voice vote. The bipartisan legislation was introduced by Representative Ted Yoho (R-FL) in April 2018 and would establish a three-step process for identifying, deterring and responding to malicious, foreign cyber espionage intrusions, also known as state-sponsored cyber-attacks.
First, the legislation would require the President of the United States, in coordination with the Secretary of State and other relevant agency heads, to identify state-sponsored cyber criminals who attempt to initiate a cyber-intrusion that is likely to cause a significant threat to United States national security, foreign policy, economic health or financial stability.
Second, the legislation requires the President to formally designate these malicious actors as “critical cyber threat actors” by publishing their identities in the Federal Register, which is intended to deter cyber criminals from attacking U.S. systems.
Third, the legislation would require the President to impose sanctions on cyber threat actors. Sanctions may include restrictions, such as withholding foreign security assistance, a prohibition on investments in U.S. organizations, prohibiting travel to the United States and denying export licenses. However, the bill gives the President the ability to waive sanctions for up to one year.
The House passed the legislation amid increasing concerns related to state-sponsored cyber-attacks on critical infrastructure sectors and U.S. companies. In late July 2018, the National Counterintelligence and Security Center (“NCSC”) published a report describing current and future cyber threats and trends in foreign intelligence espionage efforts to steal U.S. trade secrets and intellectual property. NCSC’s July 2018 report describes alarming trends in foreign cyber espionage efforts, including attempts to infiltrate the software supply chain and exploit network infrastructure devices, such as company and household internet routers.
Following the bill’s approval in the House, and consistent with the NCSC report, Rep. Yoho stated that “companies at risk of state-sponsored or state-organized malicious cyber activities should benefit from the deterrent effects of a more mature U.S. mechanism for cyber response.”
House Foreign Affairs Committee Chairman Ed Royce (R-CA) also commented that “foreign adversaries have developed sophisticated cyber capabilities that can disrupt our networks, threaten our critical infrastructure, harm our economy and undermine our elections.” Royce further noted that “[m]alicious cyber activity topped the Director of National Intelligence’s list of worldwide threats in 2018 – ahead of terrorism and weapons of mass destruction.”
The legislation is intended to codify an executive order issued by President Obama in 2015 and a related executive order that he issued in December 2016. The 2015 order endeavors to align the efforts of private companies and the federal government in order to promote public-private cooperation to combat cyber threats. The 2016 order outlines tools that the federal government may deploy to combat “the increasing prevalence and severity of malicious cyber-enabled activities.”
Senator Cory Gardner (R-CO) has introduced companion legislation in the U.S. Senate; however, that bill, S. 3378, has not yet been scheduled for legislative markup.
