US senators from both sides of the housee have announced a bill that would force the President to act against overseas hackers found targeting the US, or explain why he hadn’t.
Senators Cory Gardner (R-CO) and Chris Coons (D-DE) announced the Cyber Deterrence and Response Act (S.3378) this week.
The text of the bill cites several cybersecurity incidents, including the charging of Chinese military hackers for allegedly attacking a range of US industries, and the indictment of seven Iranians for alleged cyberattacks in the US, including DDoSes against 46 different financial institutions.
The document also pointed to a May 2018 State Department recommendation to the President. That document cited a rising number of cyberattacks that were serious, but not serious enough to warrant a counterattack. That document proposed:
…developing a broader menu of consequences that the United States can swiftly impose following a significant cyber incident, and taking steps to help resolve attribution and policy challenges that limit U.S. flexibility to act.
This bill seems to provide a framework for those consequences. It requires the President to label any foreign individual or agency that knowingly participates in an attack as a ‘critical cyber threat actor’, and publish their identity in the Federal Register.
The President can avoid publishing those details if it is important to national security or law enforcement to do so, but he must tell Congress about it, the bill said. Specifically:
The President shall transmit to the appropriate congressional committees in classified form a report containing any such identification, together with the reasons for exercising such authority.
The President must then impose sanctions on these threat actors, says the bill. These could take the form of removing security assistance, blocking US loans, investments and business purchases, and stopping technology exports. He could also revoke visas.
If he waives those sanctions, he can do so for up to a year but must explain to Congress why he is doing so on economic, national security, law enforcement or humanitarian grounds, the legislation said.
The bill explicitly calls out election tampering, which has become an increasingly critical problem for the US, citing as an infraction:
Interfering with or undermining election processes or institutions by tampering with, altering, or causing misappropriation of data.
Publicly naming and shaming overseas hackers tampering in US elections would complement a new DoJ policy to publicly disclose election tampering schemes.
SS.3378 is a companion bill to H.R.5576, introduced in the House of Representatives in April 2018. To reach the President’s desk, a bill must eventually go through both the House of Representatives and the Senate, but introducing a companion to an existing bill lends support to it.
Senator Gardner said:
This bipartisan legislation is another step that Congress and the Administration can take to deter foreign actors from carrying out cyberattacks against the United States. Our legislation will help provide additional tools for the Administration to impose significant costs against malicious cyber actors, including state-sponsored actors, around the world that aim to endanger U.S national security and our economy.
This proposed legislation punctuates a chaotic period for the White House’s cybersecurity policy. The National Infrastructure Advisory Council (NIAC), which advised the President on cybersecurity issues, quit a year ago, citing “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process”.
More recently, national security advisor John Bolton removed the position of cybersecurity advisor from the National Security Council, and the President issued an Executive Order rolling back Obama-era guidelines for launching cyberwarfare attacks on other nations.
G-Man
Another feel good bill that waste a lot of US taxpayer’s money and basically accomplishes nothing.
Rob
Yeah, we need separate branches of government so they can try to control each other. That makes perfect sense brainiacs!
Mahhn
I read the bill. (its not long)
It’s cute that the NSA is imprisoning anyone that exposes foreign hackers. While the Bill calls to at the least publicly shame the hackers. (Sec 3 part 2, A, i.)
Line 6 of that bill says “North Korea released “WannaCry”” wait what??, the primary component to WannaCry is Eternal Blue developed by the NSA, sold off by the Shadow Brokers (corrupt NSA agents), but they have arrested and charged British Marcus Hutchins with creating part of it, (the kid that disabled it). So they are going to let Marcus go? lol
If this bill was written more responsibly it would be a good thing, what’s poor about it is that it requires the president to micromanage IT security items that entire departments are for. These politicians are more worried about pointing fingers at each other than doing things. Funny how nothing has changed in politics for over 50 years.
Paul Ducklin
An observation: Hutchins does not, AFAIK, face any charges related to WannaCry or the ETERNALBLUE exploit that the virus used.
In fact, the whole WannaCry thing is a red herring in respect of Hutchins’s legal issues. He’s charged with offences relating to the creation and sale of banking malware. FWIW, that malware predates WannaCry by quite some time, and isn’t ransomware.
Mahhn
(I trust you to have facts, and a better detailed memory than I), I don’t disagree with you at all, particularly that the Wannacry was used as inappropriately by agencies to grab Hutchins. Which then gave them the opportunity to pursue what they were really after. (warrants, questioning)
Paul Ducklin
But you *are* disagreeing with me :-) I can’t see where “Wannacry was used inappropriately by agencies to grab Hutchins”, which you state as a fact. It is widely trotted out as a fact, to be sure, but I suspect that is because some people in the cybersecurity community jumped to the conclusion, when he was arrested in Las Vegas, that the charges must have had something to do with WannaCry, because of his role in that story.
But AFAIR Hutchins was arrested by *an* agency (not “agencies”) on charges that are entirely unrelated to WannaCry, based on an investigation that preceded the appearance of WannaCry by a year or more.
I am guessing that, were it not for Hutchins’s fame on account of his anti-malware work when WannaCry showed up, he would never have got the funding to attend Vegas for DEF CON, so the FBI would have had to apply to have him arrested in the UK and then made an application for extradition. History suggests that would have ended rather differently.
Please note that I am not taking sides here – I’m not trying to make Hutchins look worse or the FBI look better. I think the truth is fairly simple: he was already a “person of interest” to cybersecurity investigators at the FBI, but he was living 1000s of kilometres away in the UK and perhaps not high enough on their radar to warrant a place on their “let’s try for extradition” list.
But when fate and fame conspired to lure Hutchins enter the USA of his own accord (and to draw attention to the fact by tweeting pics of himself in Vegas), the FBI surely couldn’t believe its luck. Once he’d made the trip, all the Feds needed to do was get the paperwork done and show up at the airport just before his flight left. A sitting duck, so to speak.
Mahhn
You are correcting/clarify my inaccuracy, I’m good with that. :) And I thank you for doing it in the manner you do (polite and accurate).
John
“It requires the President to label any foreign individual or agency that knowingly participates in an attack as a ‘critical cyber threat actor’, and publish their identity in the Federal Register.”
That would be the Federal Register Twitter feed, I guess, where the President can use his usual toddler-speak to insult anyone with a bigger codebase than his. Which is most everyone.
brianc6234
The US Congress blew it. When they opened up our Internet to the rest of the world they should have had laws that say we can go after anyone in your country if they break US law. Hard to do it now.
c.curtis
“Our internet”? Do you mean the consortium of US, UK, and French laboratories that first proposed the idea of wide area networking in the 60s?
True, the first networked message was sent over the US ARPANET, and that was where the US spent most of its development dollars, but the British NPL Network and the French CYCLADES project pioneered packet switching. And of course, Tim Berners-Lee, who is credited with inventing the World Wide Web, is British. The US has had international partners from the start.
Bryan
That closed-minded approach would have brought about an entirely new (but still similar) set of problems–and most likely some incompatibility issues. Because eventually the segregated networks would be joined anyway.
BoredOfItAll
I would suggest the solution to eliminating (The majority) of attacks on government / elections and military networks would entail designing custom hardware / satellites / communication & security protocols and custom encryption that is unique to those branches of government. It would be scaled out so as to have no connectivity to the internet of any kind whatsoever and the only points of access would be through highly secured facilities. Starting from the ground up would be a significant cost but in the long term it would likely be worth it. Even with those efforts there would still be ways to circumvent stuff but it would become incredibly difficult with the right barriers in place.
BoredOfItAll
Since hackers are usually anonymous hidden behind multiple VPN’s which makes them difficult if not impossible to identify or track down (Never the less being able to associate a hacker or team of hackers as appointed by government backing)…. IE “Russian election hacking interference” which was mostly a bunch of spear fishing emails (Which nearly 100% of all businesses on the planet have to deal with regardless of political affiliation) — how do they expect to point blame at anyone without any ability to produce any REAL evidence that the attacks they identified are the same exact attacks that any other business or country on the planet receives on a daily basis OR where they originated from? How do they know John Doe did it if he is anonymous and hidden? How do they know they weren’t just attacked for petty financial gain? Still waiting on this supposed evidence. Spear phishing IMO is not anything new. It isn’t evidence. If an election system was randomly (intentionally or unintentionally targeted and information was obtained as a result) then how do we know it wasn’t just some hacker thinking “Oh I can sell this…I don’t know what it is… but I can sell it….” Still waiting on some real evidence that isn’t incredibly obfuscated. I am sure that the US hacks every other country out there just as much as these foreign country’s hack us. There is no way these silly attacks influenced the election enough to make much of a difference at all even if some of them were successful. This is a pointless bill that says.. oh we saw traffic from your country that was malicious so lets add you to a list. Better be ready that list is going to be REALLY long and we might as well add the US to the top of it as well.
Max
“The National Infrastructure Advisory Council…quit a year ago” “…removed the position of cybersecurity advisor from the National Security Council” What? An entire council of security advisers quit? And they just removed the position of a cybersecurity advisor alltogether? That seems like a really good idea.