US senators from both sides of the housee have announced a bill that would force the President to act against overseas hackers found targeting the US, or explain why he hadn’t.
Senators Cory Gardner (R-CO) and Chris Coons (D-DE) announced the Cyber Deterrence and Response Act (S.3378) this week.
The text of the bill cites several cybersecurity incidents, including the charging of Chinese military hackers for allegedly attacking a range of US industries, and the indictment of seven Iranians for alleged cyberattacks in the US, including DDoSes against 46 different financial institutions.
The document also pointed to a May 2018 State Department recommendation to the President. That document cited a rising number of cyberattacks that were serious, but not serious enough to warrant a counterattack. That document proposed:
…developing a broader menu of consequences that the United States can swiftly impose following a significant cyber incident, and taking steps to help resolve attribution and policy challenges that limit U.S. flexibility to act.
This bill seems to provide a framework for those consequences. It requires the President to label any foreign individual or agency that knowingly participates in an attack as a ‘critical cyber threat actor’, and publish their identity in the Federal Register.
The President can avoid publishing those details if it is important to national security or law enforcement to do so, but he must tell Congress about it, the bill said. Specifically:
The President shall transmit to the appropriate congressional committees in classified form a report containing any such identification, together with the reasons for exercising such authority.
The President must then impose sanctions on these threat actors, says the bill. These could take the form of removing security assistance, blocking US loans, investments and business purchases, and stopping technology exports. He could also revoke visas.
If he waives those sanctions, he can do so for up to a year but must explain to Congress why he is doing so on economic, national security, law enforcement or humanitarian grounds, the legislation said.
The bill explicitly calls out election tampering, which has become an increasingly critical problem for the US, citing as an infraction:
Interfering with or undermining election processes or institutions by tampering with, altering, or causing misappropriation of data.
Publicly naming and shaming overseas hackers tampering in US elections would complement a new DoJ policy to publicly disclose election tampering schemes.
SS.3378 is a companion bill to H.R.5576, introduced in the House of Representatives in April 2018. To reach the President’s desk, a bill must eventually go through both the House of Representatives and the Senate, but introducing a companion to an existing bill lends support to it.
Senator Gardner said:
This bipartisan legislation is another step that Congress and the Administration can take to deter foreign actors from carrying out cyberattacks against the United States. Our legislation will help provide additional tools for the Administration to impose significant costs against malicious cyber actors, including state-sponsored actors, around the world that aim to endanger U.S national security and our economy.
This proposed legislation punctuates a chaotic period for the White House’s cybersecurity policy. The National Infrastructure Advisory Council (NIAC), which advised the President on cybersecurity issues, quit a year ago, citing “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process”.
More recently, national security advisor John Bolton removed the position of cybersecurity advisor from the National Security Council, and the President issued an Executive Order rolling back Obama-era guidelines for launching cyberwarfare attacks on other nations.