[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5576 Referred in Senate (RFS)]

115th CONGRESS
  2d Session
                                H. R. 5576


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 6, 2018

Received; read twice and referred to the Committee on Foreign Relations

_______________________________________________________________________

                                 AN ACT


 
To address state-sponsored cyber activities against the United States, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Deterrence and Response Act of 
2018''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) On February 13, 2018, the Director of National 
        Intelligence stated in his testimony before the Senate Select 
        Committee on Intelligence that ``Russia, China, Iran, and North 
        Korea will pose the greatest cyber threats to the United States 
        during the next year'' through the use of cyber operations as 
        low-cost tools of statecraft, and assessed that these states 
        would ``work to use cyber operations to achieve strategic 
        objectives unless they face clear repercussions for their cyber 
        operations''.
            (2) The 2017 Worldwide Threat Assessment of the United 
        States Intelligence Community stated that ``The potential for 
        surprise in the cyber realm will increase in the next year and 
        beyond as billions more digital devices are connected--with 
        relatively little built-in security--and both nation states and 
        malign actors become more emboldened and better equipped in the 
        use of increasingly widespread cyber toolkits. The risk is 
        growing that some adversaries will conduct cyber attacks--such 
        as data deletion or localized and temporary disruptions of 
        critical infrastructure--against the United States in a crisis 
        short of war.''.
            (3) On March 29, 2017, President Donald J. Trump deemed it 
        necessary to continue the national emergency declared in 
        Executive Order No. 13694 as ``Significant malicious cyber-
        enabled activities originating from, or directed by persons 
        located, in whole or in substantial part, outside the United 
        States, continue to pose an unusual and extraordinary threat to 
        the national security, foreign policy, and economy of the 
        United States.''.
            (4) On January 5, 2017, former Director of National 
        Intelligence, James Clapper, former Undersecretary of Defense 
        for Intelligence, Marcel Lettre, and the Commander of the 
        United States Cyber Command, Admiral Michael Rogers, submitted 
        joint testimony to the Committee on Armed Services of the 
        Senate that stated ``As of late 2016 more than 30 nations are 
        developing offensive cyber attack capabilities'' and that 
        ``Protecting critical infrastructure, such as crucial energy, 
        financial, manufacturing, transportation, communication, and 
        health systems, will become an increasingly complex national 
        security challenge.''.
            (5) There is significant evidence that hackers affiliated 
        with foreign governments have conducted cyber operations 
        targeting companies and critical infrastructure sectors in the 
        United States as the Department of Justice and the Department 
        of the Treasury have announced that--
                    (A) on March 15, 2018, five Russian entities and 19 
                Russian individuals were designated under the 
                Countering America's Adversaries Through Sanctions Act, 
                as well as pursuant to Executive Order No. 13694, for 
                interference in the 2016 United States elections and 
                other malicious cyber-enabled activities;
                    (B) on March 24, 2016, seven Iranians working for 
                Iran's Revolutionary Guard Corps-affiliated entities 
                were indicted for conducting distributed denial of 
                service attacks against the financial sector in the 
                United States from 2012 to 2013; and
                    (C) on May 19, 2014, five Chinese military hackers 
                were charged for hacking United States companies in the 
                nuclear power, metals, and solar products industries, 
                and engaging in economic espionage.
            (6) In May 2017, North Korea released ``WannaCry'' pseudo-
        ransomware, which posed a significant risk to the economy, 
        national security, and the citizens of the United States and 
        the world, as it resulted in the infection of over 300,000 
        computer systems in more than 150 countries, including in the 
        healthcare sector of the United Kingdom, demonstrating the 
        global reach and cost of cyber-enabled malicious activity.
            (7) In June 2017, Russia carried out the most destructive 
        cyber-enabled operation in history, releasing the NotPetya 
        malware that caused billions of dollars' worth of damage within 
        Ukraine and across Europe, Asia, and the Americas.
            (8) In May 2018, the Department of State, pursuant to 
        section 3(b) of Executive Order No. 13800, prepared 
        recommendations to the President on Deterring Adversaries and 
        Better Protecting the American People From Cyber Threats, which 
        stated ``With respect to activities below the threshold of the 
        use of force, the United States should, working with likeminded 
        partners when possible, adopt an approach of imposing swift, 
        costly, and transparent consequences on foreign governments 
        responsible for significant malicious cyber activities aimed at 
        harming U.S. national interests.''.

SEC. 3. ACTIONS TO ADDRESS STATE-SPONSORED CYBER ACTIVITIES AGAINST THE 
              UNITED STATES.

    (a) Designation as a Critical Cyber Threat Actor.--
            (1) In general.--The President, acting through the 
        Secretary of State, and in coordination with other relevant 
        Federal agency heads, shall designate as a critical cyber 
        threat actor--
                    (A) each foreign person and each agency or 
                instrumentality of a foreign state that the President 
                determines to be knowingly responsible for or complicit 
                in, or have engaged in, directly or indirectly, state-
                sponsored cyber activities that are reasonably likely 
                to result in, or have contributed to, a significant 
                threat to the national security, foreign policy, or 
                economic health or financial stability of the United 
                States and that have the purpose or effect of--
                            (i) causing a significant disruption to the 
                        availability of a computer or network of 
                        computers;
                            (ii) harming, or otherwise significantly 
                        compromising the provision of service by, a 
                        computer or network of computers that support 
                        one or more entities in a critical 
                        infrastructure sector;
                            (iii) significantly compromising the 
                        provision of services by one or more entities 
                        in a critical infrastructure sector;
                            (iv) causing a significant misappropriation 
                        of funds or economic resources, trade secrets, 
                        personal identifiers, or financial information 
                        for commercial or competitive advantage or 
                        private financial gain;
                            (v) destabilizing the financial sector of 
                        the United States by tampering with, altering, 
                        or causing a misappropriation of data; or
                            (vi) interfering with or undermining 
                        election processes or institutions by tampering 
                        with, altering, or causing misappropriation of 
                        data;
                    (B) each foreign person that the President has 
                determined to have knowingly, significantly, and 
                materially assisted, sponsored, or provided financial, 
                material, or technological support for, or goods or 
                services to or in support of, any activities described 
                in subparagraph (A) by a foreign person or agency or 
                instrumentality of a foreign state designated as a 
                critical cyber threat actor under subparagraph (A); and
                    (C) each agency or instrumentality of a foreign 
                state that the President has determined to have 
                significantly and materially assisted, sponsored, or 
                provided financial, material, or technological support 
                for, or goods or services to or in support of, any 
                activities described in subparagraph (A) by a foreign 
                person or agency or instrumentality of a foreign state 
                designated as a critical cyber threat actor under 
                subparagraph (A).
            (2) Publication in federal register.--
                    (A) In general.--The President shall--
                            (i) publish in the Federal Register a list 
                        of each foreign person and each agency or 
                        instrumentality of a foreign state designated 
                        as a critical cyber threat actor under this 
                        subsection; and
                            (ii) regularly update such list not later 
                        than 7 days after making any changes to such 
                        list, and publish in the Federal Register such 
                        updates.
                    (B) Exception.--
                            (i) In general.--The President may withhold 
                        from publication in the Federal Register under 
                        subparagraph (A) the identification of any 
                        foreign person or agency or instrumentality of 
                        a foreign state designated as a critical cyber 
                        threat actor under this subsection if the 
                        President determines that withholding such 
                        identification--
                                    (I) in the national interests of 
                                the United States; or
                                    (II) is for an important law 
                                enforcement purpose.
                            (ii) Transmission.--If the President 
                        exercises the authority under this subparagraph 
                        to withhold from publication in the Federal 
                        Register the identification of a foreign person 
                        or agency or instrumentality of a foreign state 
                        designated as a critical cyber threat actor 
                        under this subsection, the President shall 
                        transmit to the appropriate congressional 
                        committees in classified form a report 
                        containing any such identification, together 
                        with the reasons for such exercise.
    (b) Non-Travel-Related Sanctions.--
            (1) In general.--The President shall impose one or more of 
        the applicable sanctions described in paragraph (2) with 
        respect to each foreign person and each agency or 
        instrumentality of a foreign state designated as a critical 
        cyber threat actor under subsection (a).
            (2) Sanctions described.--The sanctions described in this 
        paragraph are the following:
                    (A) The President may provide for the withdrawal, 
                limitation, or suspension of non-humanitarian United 
                States development assistance under chapter 1 of part I 
                of the Foreign Assistance Act of 1961.
                    (B) The President may provide for the withdrawal, 
                limitation, or suspension of United States security 
                assistance under part II of the Foreign Assistance Act 
                of 1961.
                    (C) The President may direct the United States 
                executive director to each international financial 
                institution to use the voice and vote of the United 
                States to oppose any loan from the international 
                financial institution that would benefit the designated 
                foreign person or the designated agency or 
                instrumentality of a foreign state.
                    (D) The President may direct the Overseas Private 
                Investment Corporation, or any other United States 
                Government agency not to approve the issuance of any 
                (or a specified number of) guarantees, insurance, 
                extensions of credit, or participations in the 
                extension of credit.
                    (E) The President may, pursuant to such regulations 
                or guidelines as the President may prescribe, prohibit 
                any United States person from investing in or 
                purchasing significant amounts of equity or debt 
                instruments of the designated foreign person.
                    (F) The President may, pursuant to procedures the 
                President shall prescribe, which shall include the 
                opportunity to appeal actions under this subparagraph, 
                prohibit any United States agency or instrumentality 
                from procuring, or entering into any contract for the 
                procurement of, any goods, technology, or services, or 
                classes of goods, technology, or services, from the 
                designated foreign person or the designated agency or 
                instrumentality of a foreign state.
                    (G) The President may order the heads of the 
                appropriate United States agencies to not issue any (or 
                a specified number of) specific licenses, and to not 
                grant any other specific authority (or a specified 
                number of authorities), to export any goods or 
                technology to the designated foreign person or the 
                designated agency or instrumentality of a foreign state 
                under--
                            (i) the Export Administration Act of 1979 
                        (as continued in effect pursuant the 
                        International Emergency Economic Powers Act);
                            (ii) the Arms Export Control Act;
                            (iii) the Atomic Energy Act of 1954; or
                            (iv) any other statute that requires the 
                        prior review and approval of the United States 
                        Government as a condition for the export or re-
                        export of goods or services.
                    (H)(i) The President may exercise all of the powers 
                granted to the President under the International 
                Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) 
                (except that the requirements of section 202 of such 
                Act (50 U.S.C. 1701) shall not apply) to the extent 
                necessary to block and prohibit all transactions in 
                property and interests in property of the designated 
                foreign person if such property and interests in 
                property are in the United States, come within the 
                United States, or are or come within the possession or 
                control of a United States person.
                    (ii) The penalties provided for in subsections (b) 
                and (c) of section 206 of the International Emergency 
                Economic Powers Act (50 U.S.C. 1705) shall apply to a 
                person that violates, attempts to violate, conspires to 
                violate, or causes a violation of regulations 
                prescribed under clause (i) to the same extent that 
                such penalties apply to a person that commits an 
                unlawful act described in subsection (a) of such 
                section 206.
                    (I) The President may, pursuant to such regulations 
                as the President may prescribe, prohibit any transfers 
                of credit or payments between one or more financial 
                institutions or by, through, or to any financial 
                institution, to the extent that such transfers or 
                payments are subject to the jurisdiction of the United 
                States and involve any interest of the designated 
                foreign person.
    (c) Travel-Related Sanctions.--
            (1) Aliens ineligible for visas, admission, or parole.--An 
        alien who is designated as a critical cyber threat actor under 
        subsection (a) is--
                    (A) inadmissible to the United States;
                    (B) ineligible to receive a visa or other 
                documentation to enter the United States; and
                    (C) otherwise ineligible to be admitted or paroled 
                into the United States or to receive any other benefit 
                under the Immigration and Nationality Act (8 U.S.C. 
                1101 et seq.).
            (2) Current visas revoked.--The issuing consular officer, 
        the Secretary of State, or the Secretary of Homeland Security 
        (or a designee of either such Secretaries) shall revoke any 
        visa or other entry documentation issued to the foreign person 
        designated as a critical cyber threat actor under subsection 
        (a) regardless of when issued. A revocation under this clause 
        shall take effect immediately and shall automatically cancel 
        any other valid visa or entry documentation that is in the 
        possession of such foreign person.
    (d) Additional Sanctions With Respect to Foreign States.--
            (1) In general.--The President may impose any of the 
        sanctions described in paragraph (2) with respect to the 
        government of each foreign state that the President has 
        determined aided, abetted, or directed a foreign person or 
        agency or instrumentality of a foreign state designated as a 
        critical cyber threat actor under subsection (a).
            (2) Sanctions described.--The sanctions referred to in 
        paragraph (1) are the following:
                    (A) The President may provide for the withdrawal, 
                limitation, or suspension of non-humanitarian or non-
                trade-related assistance United States development 
                assistance under chapter 1 of part I of the Foreign 
                Assistance Act of 1961.
                    (B) The President may provide for the withdrawal, 
                limitation, or suspension of United States security 
                assistance under part II of the Foreign Assistance Act 
                of 1961.
                    (C) The President may instruct the United States 
                Executive Director to each appropriate international 
                financial institution to oppose, and vote against the 
                extension by such institution of any loan or financial 
                assistance to the government of the foreign state.
                    (D) No item on the United States Munitions List 
                (established pursuant to section 38 of the Arms Export 
                Control Act (22 U.S.C. 2778)) or the Commerce Control 
                List set forth in Supplement No. 1 to part 774 of title 
                15, Code of Federal Regulations, may be exported to the 
                government of the foreign state.
    (e) Implementation.--The President may exercise all authorities 
provided under sections 203 and 205 of the International Emergency 
Economic Powers Act (50 U.S.C. 1702 and 1704) to carry out this 
section.
    (f) Coordination.--To the extent practicable--
            (1) actions taken by the President pursuant to this section 
        should be coordinated with United States allies and partners; 
        and
            (2) the Secretary of State should work with United States 
        allies and partners, on a voluntary basis, to lead an 
        international diplomatic initiative to--
                    (A) deter critical cyber threat actors and state-
                sponsored cyber activities; and
                    (B) provide mutual support to such allies and 
                partners participating in such initiative to respond to 
                such state-sponsored cyber activities.
    (g) Exemptions, Waivers, and Removals of Sanctions and 
Designations.--
            (1) Mandatory exemptions.--The following activities shall 
        be exempt from sanctions under subsections (b), (c), and (d):
                    (A) Activities subject to the reporting 
                requirements of title V of the National Security Act of 
                1947 (50 U.S.C. 413 et seq.), or to any authorized 
                intelligence activities of the United States.
                    (B) Any transaction necessary to comply with United 
                States obligations under the Agreement between the 
                United Nations and the United States of America 
                regarding the Headquarters of the United Nations, 
                signed June 26, 1947, and entered into force on 
                November 21, 1947, or under the Vienna Convention on 
                Consular Relations, signed April 24, 1963, and entered 
                into force on March 19, 1967, or under other 
                international obligations.
            (2) Waiver.--The President may waive the imposition of 
        sanctions described in this section for a period of not more 
        than 1 year, and may renew such waiver for additional periods 
        of not more than 1 year, if the President transmits to the 
        appropriate congressional committees a written determination 
        that such waiver meets one or more of the following 
        requirements:
                    (A) Such waiver is in the national interests of the 
                United States.
                    (B) Such waiver will further the enforcement of 
                this Act or is for an important law enforcement 
                purpose.
                    (C) Such waiver is for an important humanitarian 
                purpose.
            (3) Removals of sanctions and designations.--The President 
        may prescribe rules and regulations for the removal of 
        sanctions under subsections (b), (c), and (d) and the removal 
        of designations under subsection (a) if the President 
        determines that a foreign person, agency or instrumentality of 
        a foreign state, or government of a foreign state subject to 
        such sanctions or such designations, as the case may be, has 
        verifiably ceased its participation in any of the conduct with 
        respect to which such foreign person, agency or instrumentality 
        of a foreign state, or government of a foreign state was 
        subject to such sanctions or designation, as the case may be, 
        under this section, and has given assurances that such foreign 
        person, agency or instrumentality of a foreign state, or 
        government of a foreign state, as the case may be, will no 
        longer participate in such conduct.
            (4) Exception to comply with united nations headquarters 
        agreement.--Sanctions under subsection (c) shall not apply to a 
        foreign person if admitting such foreign person into the United 
        States is necessary to permit the United States to comply with 
        the Agreement regarding the Headquarters of the United Nations, 
        signed at Lake Success June 26, 1947, and entered into force 
        November 21, 1947, between the United Nations and the United 
        States, or other applicable international obligations.
    (h) Rule of Construction.--Nothing in this section may be construed 
to limit the authority of the President under the International 
Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any other 
provision of law to impose sanctions to address critical cyber threat 
actors and malicious state-sponsored cyber activities.
    (i) Definitions.--In this section:
            (1) Admitted; alien.--The terms ``admitted'' and ``alien'' 
        have the meanings given such terms in section 101 of the 
        Immigration and Nationality Act (8 U.S.C. 1101).
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Foreign Affairs, the Committee 
                on Financial Services, the Committee on the Judiciary, 
                the Committee on Oversight and Government Reform, and 
                the Committee on Homeland Security of the House of 
                Representatives; and
                    (B) the Committee on Foreign Relations, the 
                Committee on Banking, Housing, and Urban Affairs, the 
                Committee on the Judiciary, and the Committee on 
                Homeland Security and Governmental Affairs of the 
                Senate.
            (3) Agency or instrumentality of a foreign state.--The term 
        ``agency or instrumentality of a foreign state'' has the 
        meaning given such term in section 1603(b) of title 28, United 
        States Code.
            (4) Critical infrastructure sector.--The term ``critical 
        infrastructure sector'' means any of the designated critical 
        infrastructure sectors identified in the Presidential Policy 
        Directive entitled ``Critical Infrastructure Security and 
        Resilience'', numbered 21, and dated February 12, 2013.
            (5) Foreign person.--The term ``foreign person'' means a 
        person that is not a United States person.
            (6) Foreign state.--The term ``foreign state'' has the 
        meaning given such term in section 1603(a) of title 28, United 
        States Code.
            (7) Knowingly.--The term ``knowingly'', with respect to 
        conduct, a circumstance, or a result, means that a person has 
        actual knowledge, or should have known, of the conduct, the 
        circumstance, or the result.
            (8) Misappropriation.--The term ``misappropriation'' means 
        taking or obtaining by improper means, without permission or 
        consent, or under false pretenses.
            (9) State-sponsored cyber activities.--The term ``state-
        sponsored cyber activities'' means any malicious cyber-enabled 
        activities that--
                    (A) are carried out by a government of a foreign 
                state or an agency or instrumentality of a foreign 
                state; or
                    (B) are carried out by a foreign person that is 
                aided, abetted, or directed by a government of a 
                foreign state or an agency or instrumentality of a 
                foreign state.
            (10) United states person.--The term ``United States 
        person'' means--
                    (A) a United States citizen or an alien lawfully 
                admitted for permanent residence to the United States; 
                or
                    (B) an entity organized under the laws of the 
                United States or of any jurisdiction within the United 
                States, including a foreign branch of such an entity.

            Passed the House of Representatives September 5, 2018.

            Attest:

                                                 KAREN L. HAAS,

                                                                 Clerk.