[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 3378 Introduced in Senate (IS)]

<DOC>






115th CONGRESS
  2d Session
                                S. 3378

 To impose sanctions with respect to state-sponsored cyber activities 
           against the United States, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            August 23, 2018

Mr. Gardner (for himself and Mr. Coons) introduced the following bill; 
which was read twice and referred to the Committee on Foreign Relations

_______________________________________________________________________

                                 A BILL


 
 To impose sanctions with respect to state-sponsored cyber activities 
           against the United States, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Deterrence and Response Act of 
2018''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) On February 13, 2018, the Director of National 
        Intelligence stated in his testimony before the Select 
        Committee on Intelligence of the Senate that ``Russia, China, 
        Iran, and North Korea will pose the greatest cyber threats to 
        the United States during the next year'' through the use of 
        cyber operations as low-cost tools of statecraft, and assessed 
        that those countries would ``work to use cyber operations to 
        achieve strategic objectives unless they face clear 
        repercussions for their cyber operations''.
            (2) The 2017 Worldwide Threat Assessment of the United 
        States intelligence community stated, ``The potential for 
        surprise in the cyber realm will increase in the next year and 
        beyond as billions more digital devices are connected--with 
        relatively little built-in security--and both nation states and 
        malign actors become more emboldened and better equipped in the 
        use of increasingly widespread cyber toolkits. The risk is 
        growing that some adversaries will conduct cyber attacks--such 
        as data deletion or localized and temporary disruptions of 
        critical infrastructure--against the United States in a crisis 
        short of war.''.
            (3) On March 29, 2017, President Donald J. Trump deemed it 
        necessary to continue the national emergency declared in 
        Executive Order 13694 (50 U.S.C. 1701 note; relating to 
        blocking the property of certain persons engaging in 
        significant malicious cyber-enabled activities) as 
        ``[s]ignificant malicious cyber-enabled activities originating 
        from, or directed by persons located, in whole or in 
        substantial part, outside the United States, continue to pose 
        an unusual and extraordinary threat to the national security, 
        foreign policy, and economy of the United States''.
            (4) On January 5, 2017, former Director of National 
        Intelligence James Clapper, former Under Secretary of Defense 
        for Intelligence Marcel Lettre, and Commander of the United 
        States Cyber Command Admiral Michael Rogers, submitted joint 
        testimony to the Committee on Armed Services of the Senate that 
        stated that ``[a]s of late 2016 more than 30 nations are 
        developing offensive cyber attack capabilities'' and that 
        ``[p]rotecting critical infrastructure, such as crucial energy, 
        financial, manufacturing, transportation, communication, and 
        health systems, will become an increasingly complex national 
        security challenge''.
            (5) There is significant evidence that hackers affiliated 
        with foreign governments have conducted cyber operations 
        targeting entities and critical infrastructure sectors in the 
        United States as the Department of Justice has announced that--
                    (A) on March 24, 2016, 7 Iranians working for 
                entities affiliated with Iran's Revolutionary Guard 
                Corps were indicted for conducting distributed denial 
                of service attacks against the financial sector in the 
                United States from 2012 to 2013; and
                    (B) on May 19, 2014, 5 Chinese military hackers 
                were charged for hacking United States entities in the 
                nuclear power, metals, and solar products industries 
                and engaging in economic espionage.
            (6) In May 2017, North Korea released ``WannaCry'' pseudo-
        ransomware, which posed a significant risk to the economy, 
        national security, and the citizens of the United States and 
        the world, as it resulted in the infection of more than 300,000 
        computer systems in more than 150 countries, including in the 
        healthcare sector of the United Kingdom, demonstrating the 
        global reach and cost of cyber-enabled malicious activity.
            (7) In June 2017, the Russian Federation carried out the 
        most destructive cyber-enabled operation in history, releasing 
        the NotPetya malware that caused billions of dollars' worth of 
        damage within Ukraine and across Europe, Asia, and the 
        Americas.
            (8) On May 31, 2018, the Department of State, pursuant to 
        section 3(b) of Executive Order 13800 (82 Fed. Reg. 22391; 
        relating to strengthening the cybersecurity of Federal networks 
        and critical infrastructure), issued a document entitled 
        ``Recommendations to the President on Deterring Adversaries and 
        Better Protecting the American People From Cyber Threats'', 
        which stated, ``With respect to activities below the threshold 
        of the use of force, the United States should, working with 
        likeminded partners when possible, adopt an approach of 
        imposing swift, costly, and transparent consequences on foreign 
        governments responsible for significant malicious cyber 
        activities aimed at harming U.S. national interests.''.

SEC. 3. ACTIONS TO ADDRESS STATE-SPONSORED CYBER ACTIVITIES AGAINST THE 
              UNITED STATES.

    (a) Designation as a Critical Cyber Threat Actor.--
            (1) In general.--The President, acting through the 
        Secretary of State, and in coordination with the heads of other 
        relevant Federal agencies, shall designate as a critical cyber 
        threat actor--
                    (A) each foreign person and each agency or 
                instrumentality of a foreign state that the President 
                determines to be knowingly responsible for or complicit 
                in, or to have knowingly engaged in, directly or 
                indirectly, state-sponsored cyber activities that are 
                reasonably likely to result in, or have contributed to, 
                a significant threat to the national security, foreign 
                policy, or economic health or financial stability of 
                the United States and that have the purpose or effect 
                of--
                            (i) causing a significant disruption to the 
                        availability of a computer or network of 
                        computers;
                            (ii) harming, or otherwise significantly 
                        compromising the provision of service by, a 
                        computer or network of computers that support 
                        one or more entities in a critical 
                        infrastructure sector;
                            (iii) significantly compromising the 
                        provision of services by one or more entities 
                        in a critical infrastructure sector;
                            (iv) causing a significant misappropriation 
                        of funds or economic resources, trade secrets, 
                        personal identifiers, or financial information 
                        for commercial or competitive advantage or 
                        private financial gain;
                            (v) destabilizing the financial sector of 
                        the United States by tampering with, altering, 
                        or causing a misappropriation of data; or
                            (vi) interfering with or undermining 
                        election processes or institutions by tampering 
                        with, altering, or causing misappropriation of 
                        data;
                    (B) each foreign person that the President 
                determines to have knowingly, significantly, and 
                materially assisted, sponsored, or provided financial, 
                material, or technological support for, or goods or 
                services to or in support of, any activities described 
                in subparagraph (A) by a foreign person or agency or 
                instrumentality of a foreign state designated as a 
                critical cyber threat actor under subparagraph (A); and
                    (C) each agency or instrumentality of a foreign 
                state that the President determines to have 
                significantly and materially assisted, sponsored, or 
                provided financial, material, or technological support 
                for, or goods or services to or in support of, any 
                activities described in subparagraph (A) by a foreign 
                person or agency or instrumentality of a foreign state 
                designated as a critical cyber threat actor under 
                subparagraph (A).
            (2) Publication in federal register.--
                    (A) In general.--The President shall--
                            (i) publish in the Federal Register a list 
                        of each foreign person and each agency or 
                        instrumentality of a foreign state designated 
                        as a critical cyber threat actor under this 
                        subsection; and
                            (ii) regularly update the list not later 
                        than 7 days after making any changes to the 
                        list, and publish in the Federal Register such 
                        updates.
                    (B) Exception.--
                            (i) In general.--The President may withhold 
                        from publication in the Federal Register under 
                        subparagraph (A) the identification of any 
                        foreign person or agency or instrumentality of 
                        a foreign state designated as a critical cyber 
                        threat actor under this subsection if the 
                        President determines that withholding such 
                        identification--
                                    (I) is important to the national 
                                security interests of the United 
                                States; or
                                    (II) is for an important law 
                                enforcement purpose.
                            (ii) Transmission.--If the President 
                        exercises the authority under this subparagraph 
                        to withhold from publication in the Federal 
                        Register the identification of a foreign person 
                        or agency or instrumentality of a foreign state 
                        designated as a critical cyber threat actor 
                        under this subsection, the President shall 
                        transmit to the appropriate congressional 
                        committees in classified form a report 
                        containing any such identification, together 
                        with the reasons for exercising such authority.
    (b) Non-Travel-Related Sanctions.--
            (1) In general.--The President shall impose one or more of 
        the applicable sanctions described in paragraph (2) with 
        respect to each foreign person and each agency or 
        instrumentality of a foreign state designated as a critical 
        cyber threat actor under subsection (a).
            (2) Sanctions described.--The sanctions to be imposed under 
        paragraph (1) with respect to a foreign person or an agency or 
        instrumentality of a foreign state designated as a critical 
        cyber threat actor under subsection (a) are the following:
                    (A) The President may provide for the withdrawal, 
                limitation, or suspension of United States security 
                assistance under part II of the Foreign Assistance Act 
                of 1961 (22 U.S.C. 2301 et seq.) to or involving the 
                foreign person or agency or instrumentality.
                    (B) The President may direct the United States 
                executive director to each international financial 
                institution to use the voice and vote of the United 
                States to oppose any loan from the international 
                financial institution that would benefit the foreign 
                person or agency or instrumentality.
                    (C) The President may, pursuant to such regulations 
                or guidelines as the President may prescribe, prohibit 
                any United States person from investing in or 
                purchasing significant amounts of equity or debt 
                instruments of the foreign person or agency or 
                instrumentality.
                    (D) The President may, pursuant to such regulations 
                or guidelines as the President shall prescribe (which 
                shall include the opportunity to appeal actions under 
                this subparagraph), prohibit any United States agency 
                or instrumentality from procuring, or entering into any 
                contract for the procurement of, any goods, technology, 
                or services, or classes of goods, technology, or 
                services, from the foreign person or agency or 
                instrumentality.
                    (E) The President may order the heads of the 
                appropriate United States agencies to not issue any (or 
                a specified number of) specific licenses, and to not 
                grant any other specific authority (or a specified 
                number of authorities), to export, reexport, or 
                transfer any goods or technology originating in the 
                United States to the foreign person or agency or 
                instrumentality under--
                            (i) the Export Administration Act of 1979 
                        (50 U.S.C. 4601 et seq.) (as continued in 
                        effect pursuant the International Emergency 
                        Economic Powers Act (50 U.S.C. 1701 et seq.)) 
                        (or any successor Act);
                            (ii) the Arms Export Control Act (22 U.S.C. 
                        2751 et seq.);
                            (iii) the Atomic Energy Act of 1954 (42 
                        U.S.C. 2011 et seq.); or
                            (iv) any other statute that requires the 
                        prior review and approval of the United States 
                        Government as a condition for the export, 
                        reexport, or transfer of goods or services 
                        originating in the United States.
                    (F)(i) The President may exercise all of the powers 
                granted to the President under the International 
                Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) 
                (except that the requirements of section 202 of such 
                Act (50 U.S.C. 1701) shall not apply) to the extent 
                necessary to block and prohibit all transactions in 
                property and interests in property of the foreign 
                person or agency or instrumentality if such property 
                and interests in property are in the United States, 
                come within the United States, or are or come within 
                the possession or control of a United States person.
                    (ii) The penalties provided for in subsections (b) 
                and (c) of section 206 of the International Emergency 
                Economic Powers Act (50 U.S.C. 1705) shall apply to a 
                person that violates, attempts to violate, conspires to 
                violate, or causes a violation of regulations 
                prescribed under clause (i) to the same extent that 
                such penalties apply to a person that commits an 
                unlawful act described in subsection (a) of such 
                section 206.
                    (G) The President may, pursuant to such regulations 
                as the President may prescribe, prohibit any transfers 
                of credit or payments between one or more financial 
                institutions or by, through, or to any financial 
                institution, to the extent that such transfers or 
                payments are subject to the jurisdiction of the United 
                States and involve any interest of the foreign person 
                or agency or instrumentality.
    (c) Travel-Related Sanctions.--
            (1) Aliens ineligible for visas, admission, or parole.--An 
        alien who is designated as a critical cyber threat actor under 
        subsection (a) is--
                    (A) inadmissible to the United States;
                    (B) ineligible to receive a visa or other 
                documentation to enter the United States; and
                    (C) otherwise ineligible to be admitted or paroled 
                into the United States or to receive any other benefit 
                under the Immigration and Nationality Act (8 U.S.C. 
                1101 et seq.).
            (2) Current visas revoked.--The issuing consular officer, 
        the Secretary of State, or the Secretary of Homeland Security 
        (or a designee of either such Secretary) shall revoke any visa 
        or other entry documentation issued to an alien designated as a 
        critical cyber threat actor under subsection (a) regardless of 
        when the visa or other documentation is issued. A revocation 
        under this paragraph shall take effect immediately and shall 
        automatically cancel any other valid visa or entry 
        documentation that is in the possession of the alien.
    (d) Additional Sanctions With Respect to Foreign States.--
            (1) In general.--The President may impose any of the 
        sanctions described in paragraph (2) with respect to a foreign 
        state if the President determines that the government of the 
        foreign state aided, abetted, or directed a foreign person or 
        agency or instrumentality of a foreign state designated as a 
        critical cyber threat actor under subsection (a).
            (2) Sanctions described.--The sanctions that may be imposed 
        under paragraph (1) with respect to a foreign state are the 
        following:
                    (A) The President may provide for the withdrawal, 
                limitation, or suspension of non-humanitarian or non-
                trade-related assistance United States development 
                assistance under chapter 1 of part I of the Foreign 
                Assistance Act of 1961 (22 U.S.C. 2151 et seq.) to the 
                foreign state.
                    (B) The President may provide for the withdrawal, 
                limitation, or suspension of United States security 
                assistance under part II of the Foreign Assistance Act 
                of 1961 (22 U.S.C. 2301 et seq.) to the foreign state.
                    (C) The President may instruct the United States 
                Executive Director to each appropriate international 
                financial institution to use the voice and vote of the 
                United States to oppose the extension by the 
                institution of any loan or financial assistance to the 
                foreign state.
                    (D) The President may prohibit the exportation to 
                the foreign state of any item on the United States 
                Munitions List established pursuant to section 38 of 
                the Arms Export Control Act (22 U.S.C. 2778) or the 
                Commerce Control List set forth in Supplement No. 1 to 
                part 774 of title 15, Code of Federal Regulations.
    (e) Implementation.--The President may exercise all authorities 
provided under sections 203 and 205 of the International Emergency 
Economic Powers Act (50 U.S.C. 1702 and 1704) to carry out this 
section.
    (f) Exemptions, Waivers, and Removals of Sanctions and 
Designations.--
            (1) Exemptions.--
                    (A) Mandatory exemptions.--The following activities 
                shall be exempt from sanctions under subsections (b), 
                (c), and (d):
                            (i) Activities subject to the reporting 
                        requirements of title V of the National 
                        Security Act of 1947 (50 U.S.C. 3091 et seq.), 
                        or to any authorized intelligence activities of 
                        the United States.
                            (ii) Any transaction necessary to comply 
                        with--
                                    (I) United States obligations 
                                under--
                                            (aa) the Agreement between 
                                        the United Nations and the 
                                        United States of America 
                                        regarding the Headquarters of 
                                        the United Nations, signed June 
                                        26, 1947, and entered into 
                                        force on November 21, 1947; or
                                            (bb) the Vienna Convention 
                                        on Consular Relations, signed 
                                        April 24, 1963, and entered 
                                        into force on March 19, 1967; 
                                        or
                                    (II) other international 
                                commitments of the United States.
            (2) Waiver.--The President may waive the imposition of 
        sanctions under this section for a period of not more than one 
        year, and may renew such waiver for additional periods of not 
        more than one year, if the President submits to the appropriate 
        congressional committees a written determination that such 
        waiver meets one or more of the following requirements:
                    (A) Such waiver is important to the economic or 
                national security interests of the United States.
                    (B) Such waiver will further the enforcement of 
                this Act or is for an important law enforcement 
                purpose.
                    (C) Such waiver is for an important humanitarian 
                purpose.
            (3) Removals of sanctions and designations.--The President 
        may prescribe rules and regulations for the removal of 
        sanctions under subsections (b), (c), and (d) and the removal 
        of designations under subsection (a) if the President 
        determines that a foreign person, agency or instrumentality of 
        a foreign state, or foreign state subject to such sanctions or 
        designation, as the case may be, has--
                    (A) verifiably ceased its participation in any of 
                the conduct with respect to which such foreign person, 
                agency or instrumentality, or foreign state was subject 
                to such sanctions or designation, as the case may be, 
                under this section; and
                    (B) has given assurances that such foreign person, 
                agency or instrumentality, or foreign state, as the 
                case may be, will no longer participate in such 
                conduct.
    (g) Rule of Construction.--Nothing in this section may be construed 
to limit the authority of the President under the International 
Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any other 
provision of law to impose sanctions to address critical cyber threat 
actors and malicious state-sponsored cyber activities.
    (h) Definitions.--In this section:
            (1) Admitted; alien.--The terms ``admitted'' and ``alien'' 
        have the meanings given such terms in section 101 of the 
        Immigration and Nationality Act (8 U.S.C. 1101).
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Foreign Affairs, the Committee 
                on Financial Services, the Committee on the Judiciary, 
                the Committee on Oversight and Government Reform, and 
                the Committee on Homeland Security of the House of 
                Representatives; and
                    (B) the Committee on Foreign Relations, the 
                Committee on Banking, Housing, and Urban Affairs, the 
                Committee on the Judiciary, and the Committee on 
                Homeland Security and Governmental Affairs of the 
                Senate.
            (3) Agency or instrumentality of a foreign state.--The term 
        ``agency or instrumentality of a foreign state'' has the 
        meaning given such term in section 1603(b) of title 28, United 
        States Code.
            (4) Critical infrastructure sector.--The term ``critical 
        infrastructure sector'' means any of the critical 
        infrastructure sectors identified in Presidential Policy 
        Directive No. 21, entitled ``Critical Infrastructure Security 
        and Resilience'' and dated February 12, 2013.
            (5) Foreign person.--The term ``foreign person'' means a 
        person that is not a United States person.
            (6) Foreign state.--The term ``foreign state'' has the 
        meaning given such term in section 1603(a) of title 28, United 
        States Code.
            (7) Knowingly.--The term ``knowingly'', with respect to 
        conduct, a circumstance, or a result, means that a person has 
        actual knowledge, or should have known, of the conduct, the 
        circumstance, or the result.
            (8) Misappropriation.--The term ``misappropriation'' means 
        taking or obtaining by improper means, without permission or 
        consent, or under false pretenses.
            (9) State-sponsored cyber activities.--The term ``state-
        sponsored cyber activities'' means any malicious cyber-enabled 
        activities that--
                    (A) are carried out by a government of a foreign 
                state or an agency or instrumentality of a foreign 
                state; or
                    (B) are carried out by a foreign person that is 
                aided, abetted, or directed by a government of a 
                foreign state or an agency or instrumentality of a 
                foreign state.
            (10) United states person.--The term ``United States 
        person'' means--
                    (A) a United States citizen or an alien lawfully 
                admitted for permanent residence to the United States; 
                or
                    (B) an entity organized under the laws of the 
                United States or of any jurisdiction within the United 
                States, including a foreign branch of such an entity.
                                 <all>