[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 602 Introduced in Senate (IS)]

<DOC>






116th CONGRESS
  1st Session
                                 S. 602

To address state-sponsored cyber activities against the United States, 
                        and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           February 28, 2019

Mr. Gardner (for himself and Mr. Coons) introduced the following bill; 
which was read twice and referred to the Committee on Foreign Relations

_______________________________________________________________________

                                 A BILL


 
To address state-sponsored cyber activities against the United States, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Deterrence and Response Act of 
2019''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) On February 13, 2018, the Director of National 
        Intelligence stated in his testimony before the Select 
        Committee on Intelligence of the Senate that ``Russia, China, 
        Iran, and North Korea will pose the greatest cyber threats to 
        the United States during the next year'' through the use of 
        cyber operations as low-cost tools of statecraft, and assessed 
        that these countries would ``work to use cyber operations to 
        achieve strategic objectives unless they face clear 
        repercussions for their cyber operations''.
            (2) The 2017 Worldwide Threat Assessment of the United 
        States Intelligence Community stated that ``The potential for 
        surprise in the cyber realm will increase in the next year and 
        beyond as billions more digital devices are connected, with 
        relatively little built-in security, and both nation states and 
        malign actors become more emboldened and better equipped in the 
        use of increasingly widespread cyber toolkits. The risk is 
        growing that some adversaries will conduct cyber attacks, such 
        as data deletion or localized and temporary disruptions of 
        critical infrastructure, against the United States in a crisis 
        short of war.''.
            (3) On March 29, 2017, President Donald J. Trump considered 
        it necessary to continue the national emergency declared in 
        Executive Order 13694 (50 U.S.C. 1701 note; relating to 
        blocking the property of certain persons engaging in 
        significant malicious cyber-enabled activities) as 
        ``Significant malicious cyber-enabled activities originating 
        from, or directed by persons located, in whole or in 
        substantial part, outside the United States, continue to pose 
        an unusual and extraordinary threat to the national security, 
        foreign policy, and economy of the United States.''.
            (4) On January 5, 2017, former Director of National 
        Intelligence, James Clapper, former Under Secretary of Defense 
        for Intelligence, Marcel Lettre, and the Commander of the 
        United States Cyber Command, Admiral Michael Rogers, submitted 
        joint testimony to the Committee on Armed Services of the 
        Senate that stated that ``as of late 2016 more than 30 nations 
        are developing offensive cyber attack capabilities'' and that 
        ``Protecting critical infrastructure, such as crucial energy, 
        financial, manufacturing, transportation, communication, and 
        health systems, will become an increasingly complex national 
        security challenge.''.
            (5) There is significant evidence that hackers affiliated 
        with foreign governments have conducted cyber operations 
        targeting companies and critical infrastructure sectors in the 
        United States as the Department of Justice and the Department 
        of the Treasury have announced that--
                    (A) on March 15, 2018, 5 Russian entities and 19 
                Russian individuals were designated under the 
                Countering America's Adversaries Through Sanctions Act 
                (Public Law 115-44; 131 Stat. 886), as well as pursuant 
                to Executive Order 13694, for interference in the 
                United States elections in 2016 and other malicious 
                cyber-enabled activities;
                    (B) on March 24, 2016, 7 Iranians working for 
                entities affiliated with Iran's Revolutionary Guard 
                Corps were indicted for conducting distributed denial 
                of service attacks against the financial sector in the 
                United States from 2012 to 2013; and
                    (C) on May 19, 2014, 5 Chinese military hackers 
                were charged for hacking United States companies in the 
                nuclear power, metals, and solar products industries, 
                and engaging in economic espionage.
            (6) In May 2017, North Korea released the WannaCry pseudo-
        ransomware, which posed a significant risk to the economy, 
        national security, and the citizens of the United States and 
        the world, as it resulted in the infection of more than 300,000 
        computer systems in more than 150 countries, including in the 
        healthcare sector of the United Kingdom, demonstrating the 
        global reach and cost of cyber-enabled malicious activity.
            (7) In June 2017, Russia carried out the most destructive 
        cyber-enabled operation in history, releasing the NotPetya 
        malware that caused billions of dollars' worth of damage within 
        Ukraine and across Europe, Asia, and the Americas.
            (8) In May 2018, the Department of State, pursuant to 
        section 3(b) of Executive Order 13800 (6 U.S.C. 1501 note 
        prec.; relating to strengthening the cybersecurity of Federal 
        networks and critical infrastructure), prepared recommendations 
        to the President on deterring adversaries and better protecting 
        the people of the United States from cyber threats, which 
        stated ``With respect to activities below the threshold of the 
        use of force, the United States should, working with likeminded 
        partners when possible, adopt an approach of imposing swift, 
        costly, and transparent consequences on foreign governments 
        responsible for significant malicious cyber activities aimed at 
        harming U.S. national interests.''.

SEC. 3. ACTIONS TO ADDRESS STATE-SPONSORED CYBER ACTIVITIES AGAINST THE 
              UNITED STATES.

    (a) Designation as a Critical Cyber Threat Actor.--
            (1) In general.--The President, acting through the 
        Secretary of State, and in coordination with the heads of other 
        relevant Federal agencies, shall designate as a critical cyber 
        threat actor--
                    (A) each foreign person and each agency or 
                instrumentality of a foreign state that the President 
                determines to be knowingly responsible for or complicit 
                in, or to have engaged in, directly or indirectly, 
                state-sponsored cyber activities that are reasonably 
                likely to result in, or have contributed to, a 
                significant threat to the national security, foreign 
                policy, economic health, or financial stability of the 
                United States and that have the purpose or effect of--
                            (i) causing a significant disruption to the 
                        availability of a computer or network of 
                        computers;
                            (ii) harming, or otherwise significantly 
                        compromising the provision of service by, a 
                        computer or network of computers that support 
                        one or more entities in a critical 
                        infrastructure sector;
                            (iii) significantly compromising the 
                        provision of services by one or more entities 
                        in a critical infrastructure sector;
                            (iv) causing a significant misappropriation 
                        of funds or economic resources, trade secrets, 
                        personal identifiers, or financial information 
                        for commercial or competitive advantage or 
                        private financial gain;
                            (v) destabilizing the financial sector of 
                        the United States by tampering with, altering, 
                        or causing a misappropriation of data; or
                            (vi) interfering with or undermining 
                        election processes or institutions by tampering 
                        with, altering, or causing a misappropriation 
                        of data;
                    (B) each foreign person that the President has 
                determined to have knowingly, significantly, and 
                materially assisted, sponsored, or provided financial, 
                material, or technological support for, or goods or 
                services to or in support of, any activities described 
                in subparagraph (A) by a foreign person or agency or 
                instrumentality of a foreign state designated as a 
                critical cyber threat actor under subparagraph (A); and
                    (C) each agency or instrumentality of a foreign 
                state that the President has determined to have 
                significantly and materially assisted, sponsored, or 
                provided financial, material, or technological support 
                for, or goods or services to or in support of, any 
                activities described in subparagraph (A) by a foreign 
                person or agency or instrumentality of a foreign state 
                designated as a critical cyber threat actor under 
                subparagraph (A).
            (2) Transmission to congress.--Not later than 7 days after 
        designating a foreign person or agency or instrumentality of a 
        foreign state as a critical cyber threat actor under paragraph 
        (1), the President shall transmit to the appropriate 
        congressional committees in classified or unclassified form a 
        report identifying the designee.
    (b) Non-Travel-Related Sanctions.--
            (1) In general.--The President shall impose one or more of 
        the sanctions described in paragraph (2) with respect to each 
        foreign person and each agency or instrumentality of a foreign 
        state designated as a critical cyber threat actor under 
        subsection (a).
            (2) Sanctions described.--The sanctions described in this 
        paragraph to be imposed on a foreign person and agency or 
        instrumentality of a foreign state designated as a critical 
        cyber threat actor under subsection (a) are the following:
                    (A) With respect to an agency or instrumentality of 
                a foreign state, the President may provide for the 
                withdrawal, limitation, or suspension of non-
                humanitarian development assistance from the United 
                States to the foreign state under chapter 1 of part I 
                of the Foreign Assistance Act of 1961 (22 U.S.C. 2151 
                et seq.).
                    (B) With respect to an agency or instrumentality of 
                a foreign state, the President may provide for the 
                withdrawal, limitation, or suspension of security 
                assistance from the United States to the foreign state 
                under part II of the Foreign Assistance Act of 1961 (22 
                U.S.C. 2301 et seq.).
                    (C) The President may direct the United States 
                executive director to each international financial 
                institution to use the voice and vote of the United 
                States to oppose any loan from the international 
                financial institution that would benefit the foreign 
                person or agency or instrumentality of a foreign state.
                    (D) The President may direct the Overseas Private 
                Investment Corporation, the United States International 
                Development Finance Corporation, or any other Federal 
                agency not to approve the issuance of any (or to issue 
                a specified number of) guarantees, insurance, 
                extensions of credit, or participations in the 
                extension of credit that would benefit the foreign 
                person or agency or instrumentality of a foreign state.
                    (E) With respect to a foreign person, the President 
                may, pursuant to such regulations or guidelines as the 
                President may prescribe, prohibit any United States 
                person from investing in or purchasing significant 
                amounts of equity or debt instruments of that would 
                benefit the foreign person.
                    (F) The President may, pursuant to procedures the 
                President shall prescribe, which shall include the 
                opportunity to appeal actions under this subparagraph, 
                prohibit any Federal agency from procuring, or entering 
                into any contract for the procurement of, any goods, 
                technology, or services, or classes of goods, 
                technology, or services, from the foreign person or 
                agency or instrumentality of a foreign state.
                    (G) The President may order the heads of the 
                appropriate Federal agencies to not issue any (or to 
                issue a specified number of) specific licenses, and to 
                not grant any other specific authority (or to grant a 
                specified number of authorities), to export any goods 
                or technology to the foreign person or agency or 
                instrumentality of a foreign state under--
                            (i) the Export Control Reform Act of 2018 
                        (50 U.S.C. 4801 et seq.);
                            (ii) the Arms Export Control Act (22 U.S.C. 
                        2751 et seq.);
                            (iii) the Atomic Energy Act of 1954 (42 
                        U.S.C. 2011 et seq.); or
                            (iv) any other statute that requires the 
                        prior review and approval of the United States 
                        Government as a condition for the export or 
                        reexport of goods or services.
                    (H) With respect to a foreign person, the President 
                may exercise all of the powers granted to the President 
                under the International Emergency Economic Powers Act 
                (50 U.S.C. 1701 et seq.) (except that the requirements 
                of section 202 of such Act (50 U.S.C. 1701) shall not 
                apply) to the extent necessary to block and prohibit 
                all transactions in property and interests in property 
                of the foreign person if such property and interests in 
                property are in the United States, come within the 
                United States, or are or come within the possession or 
                control of a United States person.
                    (I) With respect to a foreign person, the President 
                may, pursuant to such regulations as the President may 
                prescribe, prohibit any transfers of credit or payments 
                between one or more financial institutions or by, 
                through, or to any financial institution, to the extent 
                that such transfers or payments are subject to the 
                jurisdiction of the United States and involve any 
                interest of the foreign person.
    (c) Travel-Related Sanctions.--
            (1) Aliens ineligible for visas, admission, or parole.--An 
        alien who is designated as a critical cyber threat actor under 
        subsection (a) is--
                    (A) inadmissible to the United States;
                    (B) ineligible to receive a visa or other 
                documentation to enter the United States; and
                    (C) otherwise ineligible to be admitted or paroled 
                into the United States or to receive any other benefit 
                under the Immigration and Nationality Act (8 U.S.C. 
                1101 et seq.).
            (2) Current visas revoked.--
                    (A) In general.--The issuing consular officer, the 
                Secretary of State, or the Secretary of Homeland 
                Security (or a designee of either such Secretary) shall 
                revoke any visa or other entry documentation issued to 
                a foreign person who is a designated as a critical 
                cyber threat actor under subsection (a) regardless of 
                when issued.
                    (B) Effect.--A revocation under subparagraph (A) 
                with respect to a foreign person shall take effect 
                immediately and shall automatically cancel any other 
                valid visa or entry documentation that is in the 
                possession of the foreign person.
    (d) Additional Sanctions With Respect to Foreign States.--
            (1) In general.--The President may impose any of the 
        sanctions described in paragraph (2) with respect to the 
        government of a foreign state that the President has determined 
        aided, abetted, or directed a foreign person or agency or 
        instrumentality of a foreign state that is designated as a 
        critical cyber threat actor under subsection (a).
            (2) Sanctions described.--The sanctions described in this 
        paragraph with respect to the government of a foreign state are 
        the following:
                    (A) The President may provide for the withdrawal, 
                limitation, or suspension of non-humanitarian or non-
                trade-related development assistance from the United 
                States to the foreign state under chapter 1 of part I 
                of the Foreign Assistance Act of 1961 (22 U.S.C. 2151 
                et seq.).
                    (B) The President may provide for the withdrawal, 
                limitation, or suspension of security assistance from 
                the United States to the foreign state under part II of 
                the Foreign Assistance Act of 1961 (22 U.S.C. 2301 et 
                seq.).
                    (C) The President may direct the United States 
                executive director to each international financial 
                institution to use the voice and vote of the United 
                States to oppose the extension by such institution of 
                any loan or financial assistance to the government of 
                the foreign state.
                    (D) No item on the United States Munitions List 
                under section 38(a)(1) of the Arms Export Control Act 
                (22 U.S.C. 2778(a)(1)) or the Commerce Control List set 
                forth in Supplement No. 1 to part 774 of the Export 
                Administration Regulations under subchapter C of 
                chapter VII of title 15, Code of Federal Regulations 
                (or any successor list established pursuant to section 
                1754(a)(1) of the Export Control Reform Act of 2018 (50 
                U.S.C. 4813(a)(1))), may be exported to the government 
                of the foreign state.
    (e) Implementation.--The President may exercise all authorities 
provided under sections 203 and 205 of the International Emergency 
Economic Powers Act (50 U.S.C. 1702 and 1704) to carry out this 
section.
    (f) Penalties.--The penalties provided for in subsections (b) and 
(c) of section 206 of the International Emergency Economic Powers Act 
(50 U.S.C. 1705) shall apply to a person that violates, attempts to 
violate, conspires to violate, or causes a violation of subsection 
(b)(2)(H) or regulations prescribed under subsection (b)(2)(H) to the 
same extent that such penalties apply to a person that commits an 
unlawful act described in subsection (a) of such section 206.
    (g) Coordination.--To the extent practicable--
            (1) actions taken by the President pursuant to this section 
        should be coordinated with allies and partners of the United 
        States; and
            (2) the Secretary of State should work with allies and 
        partners of the United States, on a voluntary basis, to lead an 
        international diplomatic initiative to--
                    (A) deter critical cyber threat actors and state-
                sponsored cyber activities; and
                    (B) provide mutual support to such allies and 
                partners participating in such initiative to respond to 
                such state-sponsored cyber activities.
    (h) Exemptions, Waivers, and Removals of Sanctions and 
Designations.--
            (1) Mandatory exemptions.--The following activities shall 
        be exempt from sanctions under subsections (b), (c), and (d):
                    (A) Activities subject to the reporting 
                requirements of title V of the National Security Act of 
                1947 (50 U.S.C. 3091 et seq.) or to any authorized 
                intelligence activities of the United States.
                    (B) Any transaction necessary to comply with the 
                Agreement regarding the Headquarters of the United 
                Nations, signed at Lake Success June 26, 1947, and 
                entered into force November 21, 1947, between the 
                United Nations and the United States, the Convention on 
                Consular Relations, done at Vienna April 24, 1963, and 
                entered into force March 19, 1967, or other applicable 
                international obligations.
            (2) Waiver.--The President may waive the imposition of 
        sanctions described in this section for a period of not more 
        than one year, and may renew such waiver for additional periods 
        of not more than one year, if the President submits to the 
        appropriate congressional committees a written determination 
        that such waiver meets one or more of the following 
        requirements:
                    (A) Such waiver is in the national interests of the 
                United States.
                    (B) Such waiver will further the enforcement of 
                this section or is for an important law enforcement 
                purpose.
                    (C) Such waiver is for an important humanitarian 
                purpose.
            (3) Removals of sanctions and designations.--The President 
        may prescribe rules and regulations for the removal of 
        sanctions under subsections (b), (c), and (d) and the removal 
        of designations under subsection (a) if the President 
        determines that a foreign person, agency or instrumentality of 
        a foreign state, or government of a foreign state subject to 
        such sanctions or designation, as the case may be, has 
        verifiably ceased its participation in any of the conduct with 
        respect to which such foreign person, agency or instrumentality 
        of a foreign state, or government of a foreign state was 
        subject to such sanctions or designation, as the case may be, 
        under this section, and has given assurances that such foreign 
        person, agency or instrumentality of a foreign state, or 
        government of a foreign state, as the case may be, will no 
        longer participate in such conduct.
            (4) Exception to comply with united nations headquarters 
        agreement.--Sanctions under subsection (c) shall not apply to a 
        foreign person if admitting such foreign person into the United 
        States is necessary to permit the United States to comply with 
        the Agreement regarding the Headquarters of the United Nations, 
        signed at Lake Success June 26, 1947, and entered into force 
        November 21, 1947, between the United Nations and the United 
        States, or other applicable international obligations.
    (i) Rule of Construction.--Nothing in this section may be construed 
to limit the authority of the President under the International 
Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any other 
provision of law to impose sanctions to address critical cyber threat 
actors and malicious state-sponsored cyber activities.
    (j) Definitions.--In this section:
            (1) Admitted; alien.--The terms ``admitted'' and ``alien'' 
        have the meanings given those terms in section 101 of the 
        Immigration and Nationality Act (8 U.S.C. 1101).
            (2) Agency or instrumentality of a foreign state.--The term 
        ``agency or instrumentality of a foreign state'' has the 
        meaning given that term in section 1603(b) of title 28, United 
        States Code.
            (3) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Foreign Relations, the 
                Committee on Banking, Housing, and Urban Affairs, the 
                Committee on the Judiciary, and the Committee on 
                Homeland Security and Governmental Affairs of the 
                Senate; and
                    (B) the Committee on Foreign Affairs, the Committee 
                on Financial Services, the Committee on the Judiciary, 
                the Committee on Oversight and Reform, and the 
                Committee on Homeland Security of the House of 
                Representatives.
            (4) Critical infrastructure sector.--The term ``critical 
        infrastructure sector'' means any of the designated critical 
        infrastructure sectors identified in the Presidential Policy 
        Directive entitled ``Critical Infrastructure Security and 
        Resilience'', numbered 21, and dated February 12, 2013.
            (5) Foreign person.--The term ``foreign person'' means a 
        person that is not a United States person.
            (6) Foreign state.--The term ``foreign state'' has the 
        meaning given that term in section 1603(a) of title 28, United 
        States Code.
            (7) Knowingly.--The term ``knowingly'', with respect to 
        conduct, a circumstance, or a result, means that a person has 
        actual knowledge, or should have known, of the conduct, the 
        circumstance, or the result.
            (8) Misappropriation.--The term ``misappropriation'' means 
        taking or obtaining by improper means, without permission or 
        consent, or under false pretenses.
            (9) State-sponsored cyber activities.--The term ``state-
        sponsored cyber activities'' means any malicious cyber-enabled 
        activities that--
                    (A) are carried out by a government of a foreign 
                state or an agency or instrumentality of a foreign 
                state; or
                    (B) are carried out by a foreign person that is 
                aided, abetted, or directed by a government of a 
                foreign state or an agency or instrumentality of a 
                foreign state.
            (10) United states person.--The term ``United States 
        person'' means--
                    (A) a United States citizen or an alien lawfully 
                admitted for permanent residence to the United States; 
                or
                    (B) an entity organized under the laws of the 
                United States or of any jurisdiction within the United 
                States, including a foreign branch of such an entity.

SEC. 4. SENSE OF CONGRESS ON IMPLEMENTATION OF CYBERSECURITY 
              COOPERATION BETWEEN THE UNITED STATES AND NATIONS IN THE 
              INDO-PACIFIC REGION.

    It is the sense of Congress that the President is encouraged to 
fully implement robust cybersecurity cooperation between the United 
States and nations in the Indo-Pacific region as described in section 
215 of the Asia Reassurance Initiative Act of 2018 (Public Law 115-
409).
                                 <all>