[Congressional Record Volume 164, Number 147 (Wednesday, September 5, 2018)]
[House]
[Pages H7843-H7848]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




               CYBER DETERRENCE AND RESPONSE ACT OF 2018

  Mr. ROYCE of California. Mr. Speaker, I move to suspend the rules and 
pass the bill (H.R. 5576) to address state-sponsored cyber activities 
against the United States, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 5576

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cyber Deterrence and 
     Response Act of 2018''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) On February 13, 2018, the Director of National 
     Intelligence stated in his testimony before the Senate Select 
     Committee on Intelligence that ``Russia, China, Iran, and 
     North Korea will pose the greatest cyber threats to the 
     United States during the next year'' through the use of cyber 
     operations as low-cost tools of statecraft, and assessed that 
     these states would ``work to use cyber operations to achieve 
     strategic objectives unless they face clear repercussions for 
     their cyber operations''.
       (2) The 2017 Worldwide Threat Assessment of the United 
     States Intelligence Community stated that ``The potential for 
     surprise in the cyber realm will increase in the next year 
     and beyond as billions more digital devices are connected--
     with relatively little built-in security--and both nation 
     states and malign actors become more emboldened and better 
     equipped in the use of increasingly widespread cyber 
     toolkits. The risk is growing that some adversaries will 
     conduct cyber attacks--such as data deletion or localized and 
     temporary disruptions of critical infrastructure--against the 
     United States in a crisis short of war.''.
       (3) On March 29, 2017, President Donald J. Trump deemed it 
     necessary to continue the national emergency declared in 
     Executive Order 13694 as ``Significant malicious cyber-
     enabled activities originating from, or directed by persons 
     located, in whole or in substantial part, outside the United 
     States, continue to pose an unusual and extraordinary threat 
     to the national security, foreign policy, and economy of the 
     United States.''.
       (4) On January 5, 2017, former Director of National 
     Intelligence, James Clapper, former Undersecretary of Defense 
     for Intelligence, Marcel Lettre, and the Commander of the 
     United States Cyber Command, Admiral Michael Rogers, 
     submitted joint testimony to the Committee on Armed Services 
     of the Senate that stated ``As of late 2016 more than 30 
     nations are developing offensive cyber attack capabilities'' 
     and that ``Protecting critical infrastructure, such as 
     crucial energy, financial, manufacturing, transportation, 
     communication, and health systems, will become an 
     increasingly complex national security challenge.''.
       (5) There is significant evidence that hackers affiliated 
     with foreign governments have conducted cyber operations 
     targeting companies and critical infrastructure sectors in 
     the United States as the Department of Justice and the 
     Department of the Treasury have announced that--
       (A) on March 15, 2018, five Russian entities and 19 Russian 
     individuals were designated under the Countering America's 
     Adversaries Through Sanctions Act, as well as pursuant to 
     Executive Order 13694, for interference in the 2016 United 
     States elections and other malicious cyber-enabled 
     activities;
       (B) on March 24, 2016, seven Iranians working for Iran's 
     Revolutionary Guard Corps-affiliated entities were indicted 
     for conducting distributed denial of service attacks against 
     the financial sector in the United States from 2012 to 2013; 
     and
       (C) on May 19, 2014, five Chinese military hackers were 
     charged for hacking United States companies in the nuclear 
     power, metals, and solar products industries, and engaging in 
     economic espionage.
       (6) In May 2017, North Korea released ``WannaCry'' pseudo-
     ransomware, which posed a significant risk to the economy, 
     national security, and the citizens of the United States and 
     the world, as it resulted in the infection of over 300,000 
     computer systems in more than 150 countries, including in the 
     healthcare sector of the United Kingdom, demonstrating the 
     global reach and cost of cyber-enabled malicious activity.
       (7) In June 2017, Russia carried out the most destructive 
     cyber-enabled operation in history, releasing the NotPetya 
     malware that caused billions of dollars' worth of damage 
     within Ukraine and across Europe, Asia, and the Americas.
       (8) In May 2018, the Department of State, pursuant to 
     section 3(b) of Executive Order 13800, prepared 
     recommendations to the President on Deterring Adversaries and 
     Better Protecting the American People From Cyber Threats, 
     which stated ``With respect to activities below the threshold 
     of the use of force, the United States should, working with 
     likeminded partners when possible, adopt an approach of 
     imposing swift, costly, and transparent consequences on 
     foreign governments responsible for significant malicious 
     cyber activities aimed at harming U.S. national interests.''.

     SEC. 3. ACTIONS TO ADDRESS STATE-SPONSORED CYBER ACTIVITIES 
                   AGAINST THE UNITED STATES.

       (a) Designation as a Critical Cyber Threat Actor.--
       (1) In general.--The President, acting through the 
     Secretary of State, and in coordination with other relevant 
     Federal agency heads, shall designate as a critical cyber 
     threat actor--
       (A) each foreign person and each agency or instrumentality 
     of a foreign state that the President determines to be 
     knowingly responsible for or complicit in, or have engaged 
     in, directly or indirectly, state-sponsored cyber activities 
     that are reasonably likely to result in, or have contributed 
     to, a significant threat to the national security, foreign 
     policy, or economic health or financial stability of the 
     United States and that have the purpose or effect of--
       (i) causing a significant disruption to the availability of 
     a computer or network of computers;
       (ii) harming, or otherwise significantly compromising the 
     provision of service by, a computer or network of computers 
     that support one or more entities in a critical 
     infrastructure sector;
       (iii) significantly compromising the provision of services 
     by one or more entities in a critical infrastructure sector;

[[Page H7844]]

       (iv) causing a significant misappropriation of funds or 
     economic resources, trade secrets, personal identifiers, or 
     financial information for commercial or competitive advantage 
     or private financial gain;
       (v) destabilizing the financial sector of the United States 
     by tampering with, altering, or causing a misappropriation of 
     data; or
       (vi) interfering with or undermining election processes or 
     institutions by tampering with, altering, or causing 
     misappropriation of data;
       (B) each foreign person that the President has determined 
     to have knowingly, significantly, and materially assisted, 
     sponsored, or provided financial, material, or technological 
     support for, or goods or services to or in support of, any 
     activities described in subparagraph (A) by a foreign person 
     or agency or instrumentality of a foreign state designated as 
     a critical cyber threat actor under subparagraph (A); and
       (C) each agency or instrumentality of a foreign state that 
     the President has determined to have significantly and 
     materially assisted, sponsored, or provided financial, 
     material, or technological support for, or goods or services 
     to or in support of, any activities described in subparagraph 
     (A) by a foreign person or agency or instrumentality of a 
     foreign state designated as a critical cyber threat actor 
     under subparagraph (A).
       (2) Publication in federal register.--
       (A) In general.--The President shall--
       (i) publish in the Federal Register a list of each foreign 
     person and each agency or instrumentality of a foreign state 
     designated as a critical cyber threat actor under this 
     subsection; and
       (ii) regularly update such list not later than seven days 
     after making any changes to such list, and publish in the 
     Federal Register such updates.
       (B) Exception.--
       (i) In general.--The President may withhold from 
     publication in the Federal Register under subparagraph (A) 
     the identification of any foreign person or agency or 
     instrumentality of a foreign state designated as a critical 
     cyber threat actor under this subsection if the President 
     determines that withholding such identification--

       (I) in the national interests of the United States; or
       (II) is for an important law enforcement purpose.

       (ii) Transmission.--If the President exercises the 
     authority under this subparagraph to withhold from 
     publication in the Federal Register the identification of a 
     foreign person or agency or instrumentality of a foreign 
     state designated as a critical cyber threat actor under this 
     subsection, the President shall transmit to the appropriate 
     congressional committees in classified form a report 
     containing any such identification, together with the reasons 
     for such exercise.
       (b) Non-travel-related Sanctions.--
       (1) In general.--The President shall impose one or more of 
     the applicable sanctions described in paragraph (2) with 
     respect to each foreign person and each agency or 
     instrumentality of a foreign state designated as a critical 
     cyber threat actor under subsection (a).
       (2) Sanctions described.--The sanctions described in this 
     paragraph are the following:
       (A) The President may provide for the withdrawal, 
     limitation, or suspension of non-humanitarian United States 
     development assistance under chapter 1 of part I of the 
     Foreign Assistance Act of 1961.
       (B) The President may provide for the withdrawal, 
     limitation, or suspension of United States security 
     assistance under part II of the Foreign Assistance Act of 
     1961.
       (C) The President may direct the United States executive 
     director to each international financial institution to use 
     the voice and vote of the United States to oppose any loan 
     from the international financial institution that would 
     benefit the designated foreign person or the designated 
     agency or instrumentality of a foreign state.
       (D) The President may direct the Overseas Private 
     Investment Corporation, or any other United States Government 
     agency not to approve the issuance of any (or a specified 
     number of) guarantees, insurance, extensions of credit, or 
     participations in the extension of credit.
       (E) The President may, pursuant to such regulations or 
     guidelines as the President may prescribe, prohibit any 
     United States person from investing in or purchasing 
     significant amounts of equity or debt instruments of the 
     designated foreign person.
       (F) The President may, pursuant to procedures the President 
     shall prescribe, which shall include the opportunity to 
     appeal actions under this subparagraph, prohibit any United 
     States agency or instrumentality from procuring, or entering 
     into any contract for the procurement of, any goods, 
     technology, or services, or classes of goods, technology, or 
     services, from the designated foreign person or the 
     designated agency or instrumentality of a foreign state.
       (G) The President may order the heads of the appropriate 
     United States agencies to not issue any (or a specified 
     number of) specific licenses, and to not grant any other 
     specific authority (or a specified number of authorities), to 
     export any goods or technology to the designated foreign 
     person or the designated agency or instrumentality of a 
     foreign state under--
       (i) the Export Administration Act of 1979 (as continued in 
     effect pursuant the International Emergency Economic Powers 
     Act);
       (ii) the Arms Export Control Act;
       (iii) the Atomic Energy Act of 1954; or
       (iv) any other statute that requires the prior review and 
     approval of the United States Government as a condition for 
     the export or re-export of goods or services.
       (H)(i) The President may exercise all of the powers granted 
     to the President under the International Emergency Economic 
     Powers Act (50 U.S.C. 1701 et seq.) (except that the 
     requirements of section 202 of such Act (50 U.S.C. 1701) 
     shall not apply) to the extent necessary to block and 
     prohibit all transactions in property and interests in 
     property of the designated foreign person if such property 
     and interests in property are in the United States, come 
     within the United States, or are or come within the 
     possession or control of a United States person.
       (ii) The penalties provided for in subsections (b) and (c) 
     of section 206 of the International Emergency Economic Powers 
     Act (50 U.S.C. 1705) shall apply to a person that violates, 
     attempts to violate, conspires to violate, or causes a 
     violation of regulations prescribed under clause (i) to the 
     same extent that such penalties apply to a person that 
     commits an unlawful act described in subsection (a) of such 
     section 206.
       (I) The President may, pursuant to such regulations as the 
     President may prescribe, prohibit any transfers of credit or 
     payments between one or more financial institutions or by, 
     through, or to any financial institution, to the extent that 
     such transfers or payments are subject to the jurisdiction of 
     the United States and involve any interest of the designated 
     foreign person.
       (c) Travel-related Sanctions.--
       (1) Aliens ineligible for visas, admission, or parole.--An 
     alien who is designated as a critical cyber threat actor 
     under subsection (a) is--
       (A) inadmissible to the United States;
       (B) ineligible to receive a visa or other documentation to 
     enter the United States; and
       (C) otherwise ineligible to be admitted or paroled into the 
     United States or to receive any other benefit under the 
     Immigration and Nationality Act (8 U.S.C. 1101 et seq.).
       (2) Current visas revoked.--The issuing consular officer, 
     the Secretary of State, or the Secretary of Homeland Security 
     (or a designee of either such Secretaries) shall revoke any 
     visa or other entry documentation issued to the foreign 
     person designated as a critical cyber threat actor under 
     subsection (a) regardless of when issued. A revocation under 
     this clause shall take effect immediately and shall 
     automatically cancel any other valid visa or entry 
     documentation that is in the possession of such foreign 
     person.
       (d) Additional Sanctions With Respect to Foreign States.--
       (1) In general.--The President may impose any of the 
     sanctions described in paragraph (2) with respect to the 
     government of each foreign state that the President has 
     determined aided, abetted, or directed a foreign person or 
     agency or instrumentality of a foreign state designated as a 
     critical cyber threat actor under subsection (a).
       (2) Sanctions described.--The sanctions referred to in 
     paragraph (1) are the following:
       (A) The President may provide for the withdrawal, 
     limitation, or suspension of non-humanitarian or non-trade-
     related assistance United States development assistance under 
     chapter 1 of part I of the Foreign Assistance Act of 1961.
       (B) The President may provide for the withdrawal, 
     limitation, or suspension of United States security 
     assistance under part II of the Foreign Assistance Act of 
     1961.
       (C) The President may instruct the United States Executive 
     Director to each appropriate international financial 
     institution to oppose, and vote against the extension by such 
     institution of any loan or financial assistance to the 
     government of the foreign state.
       (D) No item on the United States Munitions List 
     (established pursuant to section 38 of the Arms Export 
     Control Act (22 U.S.C. 2778)) or the Commerce Control List 
     set forth in Supplement No. 1 to part 774 of title 15, Code 
     of Federal Regulations, may be exported to the government of 
     the foreign state.
       (e) Implementation.--The President may exercise all 
     authorities provided under sections 203 and 205 of the 
     International Emergency Economic Powers Act (50 U.S.C. 1702 
     and 1704) to carry out this section.
       (f) Coordination.--To the extent practicable--
       (1) actions taken by the President pursuant to this section 
     should be coordinated with United States allies and partners; 
     and
       (2) the Secretary of State should work with United States 
     allies and partners, on a voluntary basis, to lead an 
     international diplomatic initiative to--
       (A) deter critical cyber threat actors and state-sponsored 
     cyber activities; and
       (B) provide mutual support to such allies and partners 
     participating in such initiative to respond to such state-
     sponsored cyber activities.
       (g) Exemptions, Waivers, and Removals of Sanctions and 
     Designations.--
       (1) Mandatory exemptions.--The following activities shall 
     be exempt from sanctions under subsections (b), (c), and (d):
       (A) Activities subject to the reporting requirements of 
     title V of the National Security Act of 1947 (50 U.S.C. 413 
     et seq.), or to any authorized intelligence activities of the 
     United States.
       (B) Any transaction necessary to comply with United States 
     obligations under the Agreement between the United Nations 
     and

[[Page H7845]]

     the United States of America regarding the Headquarters of 
     the United Nations, signed June 26, 1947, and entered into 
     force on November 21, 1947, or under the Vienna Convention on 
     Consular Relations, signed April 24, 1963, and entered into 
     force on March 19, 1967, or under other international 
     obligations.
       (2) Waiver.--The President may waive the imposition of 
     sanctions described in this section for a period of not more 
     than one year, and may renew such waiver for additional 
     periods of not more than one year, if the President transmits 
     to the appropriate congressional committees a written 
     determination that such waiver meets one or more of the 
     following requirements:
       (A) Such waiver is in the national interests of the United 
     States.
       (B) Such waiver will further the enforcement of this Act or 
     is for an important law enforcement purpose.
       (C) Such waiver is for an important humanitarian purpose.
       (3) Removals of sanctions and designations.--The President 
     may prescribe rules and regulations for the removal of 
     sanctions under subsections (b), (c), and (d) and the removal 
     of designations under subsection (a) if the President 
     determines that a foreign person, agency or instrumentality 
     of a foreign state, or government of a foreign state subject 
     to such sanctions or such designations, as the case may be, 
     has verifiably ceased its participation in any of the conduct 
     with respect to which such foreign person, agency or 
     instrumentality of a foreign state, or government of a 
     foreign state was subject to such sanctions or designation, 
     as the case may be, under this section, and has given 
     assurances that such foreign person, agency or 
     instrumentality of a foreign state, or government of a 
     foreign state, as the case may be, will no longer participate 
     in such conduct.
       (4) Exception to comply with united nations headquarters 
     agreement.--Sanctions under subsection (c) shall not apply to 
     a foreign person if admitting such foreign person into the 
     United States is necessary to permit the United States to 
     comply with the Agreement regarding the Headquarters of the 
     United Nations, signed at Lake Success June 26, 1947, and 
     entered into force November 21, 1947, between the United 
     Nations and the United States, or other applicable 
     international obligations.
       (h) Rule of Construction.--Nothing in this section may be 
     construed to limit the authority of the President under the 
     International Emergency Economic Powers Act (50 U.S.C. 1701 
     et seq.) or any other provision of law to impose sanctions to 
     address critical cyber threat actors and malicious state-
     sponsored cyber activities.
       (i) Definitions.--In this section:
       (1) Admitted; alien.--The terms ``admitted'' and ``alien'' 
     have the meanings given such terms in section 101 of the 
     Immigration and Nationality Act (8 U.S.C. 1101).
       (2) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Foreign Affairs, the Committee on 
     Financial Services, the Committee on the Judiciary, the 
     Committee on Oversight and Government Reform, and the 
     Committee on Homeland Security of the House of 
     Representatives; and
       (B) the Committee on Foreign Relations, the Committee on 
     Banking, Housing, and Urban Affairs, the Committee on the 
     Judiciary, and the Committee on Homeland Security and 
     Governmental Affairs of the Senate.
       (3) Agency or instrumentality of a foreign state.--The term 
     ``agency or instrumentality of a foreign state'' has the 
     meaning given such term in section 1603(b) of title 28, 
     United States Code.
       (4) Critical infrastructure sector.--The term ``critical 
     infrastructure sector'' means any of the designated critical 
     infrastructure sectors identified in the Presidential Policy 
     Directive entitled ``Critical Infrastructure Security and 
     Resilience'', numbered 21, and dated February 12, 2013.
       (5) Foreign person.--The term ``foreign person'' means a 
     person that is not a United States person.
       (6) Foreign state.--The term ``foreign state'' has the 
     meaning given such term in section 1603(a) of title 28, 
     United States Code.
       (7) Knowingly.--The term ``knowingly'', with respect to 
     conduct, a circumstance, or a result, means that a person has 
     actual knowledge, or should have known, of the conduct, the 
     circumstance, or the result.
       (8) Misappropriation.--The term ``misappropriation'' means 
     taking or obtaining by improper means, without permission or 
     consent, or under false pretenses.
       (9) State-sponsored cyber activities.--The term ``state-
     sponsored cyber activities'' means any malicious cyber-
     enabled activities that--
       (A) are carried out by a government of a foreign state or 
     an agency or instrumentality of a foreign state; or
       (B) are carried out by a foreign person that is aided, 
     abetted, or directed by a government of a foreign state or an 
     agency or instrumentality of a foreign state.
       (10) United states person.--The term ``United States 
     person'' means--
       (A) a United States citizen or an alien lawfully admitted 
     for permanent residence to the United States; or
       (B) an entity organized under the laws of the United States 
     or of any jurisdiction within the United States, including a 
     foreign branch of such an entity.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
California (Mr. Royce) and the gentleman from New York (Mr. Engel) each 
will control 20 minutes.
  The Chair recognizes the gentleman from California.


                             General Leave

  Mr. ROYCE of California. Mr. Speaker, I ask unanimous consent that 
all Members may have 5 legislative days in which to revise and extend 
their remarks and to include any extraneous material.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from California?
  There was no objection.
  Mr. ROYCE of California. Mr. Speaker, I yield myself such time as I 
may consume.
  Mr. Speaker, in recent years, foreign adversaries have developed 
sophisticated cyber capabilities that can disrupt our network, that can 
threaten our critical infrastructure, and that harm our economy and 
undermine our elections.
  Malicious cyber activity topped the Director of National 
Intelligence's list of worldwide threats in 2018--topped it--ahead of 
terrorism and weapons of mass destruction; and in testimony before this 
Congress, Director Coats stated: ``Frankly, the United States is under 
attack.''
  A report by the White House Council of Economic Advisers estimates 
that malicious cyber activity cost the U.S. economy between $57 billion 
and over $100 billion in 2016 alone. But it is not just the economic 
cost of cyber incidents that we should worry about. There are real 
physical costs to these online attacks as well.
  Last year's WannaCry cyberattack by the North Korea regime 
compromised the U.K.'s healthcare sector, if you will recall. In 2016, 
Russian cyber actors attempted to interfere in our election--an assault 
on our very democracy--and these attacks by Russia continue today. 
Despite the gravity of this threat, the U.S. continues to lack a 
unified framework to deter and respond to state-sponsored cyber 
activities.
  I applaud Representative Yoho and Ranking Member Engel for 
introducing the Cyber Deterrence and Response Act, which establishes a 
framework for deterring and responding to state-sponsored malicious 
cyber activity against this country.
  Consistent with the State Department's recommendation to the 
President on deterrence in cyberspace, this bill will ensure swift, 
powerful, and transparent consequences against bad actors online.
  Specifically, this bill requires the President to designate as a 
critical cyber threat actor each foreign person or each foreign agency 
of a foreign state that the President determines is responsible for 
state-sponsored cyber activities that pose a significant threat to the 
national security, foreign policy, economic health, or financial 
stability of the United States. In effect, this would codify America's 
longstanding unofficial policy of naming and shaming bad actors in 
cyberspace.
  Further, this bill would require the President to impose sanctions 
from a menu of options against any critical cyber threat actor.
  Finally, the bill calls on the President to coordinate designations 
and sanctions with our allies and partners to maximize their 
effectiveness. The Secretary of State is to lead an international 
diplomatic initiative to deter state-sponsored cyber activities and 
promote mutual support to our allies and partners to respond to 
malicious cyber incidents.
  This legislation will put countries like Iran, North Korea, and 
Russia on notice that the United States is prepared to impose tough 
consequences for cyber attacks.
  Mr. Speaker, I urge my colleagues to support this measure, and I 
reserve the balance of my time.
                                         House of Representatives,


                              Committee on Financial Services,

                                    Washington, DC, July 20, 2018.
     Hon. Ed Royce,
     Chairman, Committee on Foreign Affairs,
     Washington, DC.
       Dear Chairman Royce: I am writing concerning H.R. 5576, the 
     Cyber Deterrence and Response Act of 2018.
       As a result of your having consulted with the Committee on 
     Financial Services concerning provisions in the bill that 
     fall within our Rule X jurisdiction, I agree to forgo action 
     on the bill so that it may proceed expeditiously to the House 
     Floor. The Committee

[[Page H7846]]

     on Financial Services takes this action with our mutual 
     understanding that, by foregoing consideration of H.R. 5576, 
     at this time, we do not waive any jurisdiction over the 
     subject matter contained in this or similar legislation, and 
     that our Committee will be appropriately consulted and 
     involved as this or similar legislation moves forward so that 
     we may address any remaining issues that fall within our Rule 
     X jurisdiction. Our Committee also reserves the right to seek 
     appointment of an appropriate number of conferees to any 
     House-Senate conference involving this or similar 
     legislation, and requests your support for any such request.
       Finally, I would appreciate your response to this letter 
     confirming this understanding with respect to H.R. 5576 and 
     would ask that a copy of our exchange of letters on this 
     matter be included in the Congressional Record during floor 
     consideration thereof.
           Sincerely,
                                                   Jeb Hensarling,
     Chairman.
                                  ____

                                         House of Representatives,


                                 Committee on Foreign Affairs,

                                    Washington, DC, July 20, 2018.
     Hon. Jeb Hensarling,
     Chairman, Committee on Financial Services,
     Washington, DC.
       Dear Chairman Hensarling: Thank you for consulting with the 
     Foreign Affairs Committee and agreeing to be discharged from 
     further consideration of H.R. 5576, the Cyber Deterrence and 
     Response Act of 2018, so that the bill may proceed 
     expeditiously to the House floor.
       I agree that your forgoing further action on this measure 
     does not in any way diminish or alter the jurisdiction of 
     your committee, or prejudice its jurisdictional prerogatives 
     on this resolution or similar legislation in the future. I 
     would support your effort to seek appointment of an 
     appropriate number of conferees from your committee to any 
     House-Senate conference on this legislation.
       I will seek to place our letters on H.R. 5576 into the 
     Congressional Record during floor consideration of the bill. 
     I appreciate your cooperation regarding this legislation and 
     look forward to continuing to work together as this measure 
     moves through the legislative process.
           Sincerely,
                                                  Edward R. Royce,
     Chairman.
                                  ____

         House of Representatives, Committee on Oversight and 
           Government Reform,
                                    Washington, DC, July 20, 2018.
     Hon. Edward R. Royce,
     Chairman, Committee on Foreign Affairs, House of 
         Representatives, Washington, DC.
       Dear Mr. Chairman: Thank you for your letter regarding H.R. 
     5576, the Cyber Deterrence and Response Act of 2018. As you 
     know, certain provisions of the bill fall within the 
     jurisdiction of Committee on Oversight and Government Reform.
       Based on your consultation with the Committee on Oversight 
     and Government Reform and so the bill may proceed 
     expeditiously to the House Floor, I agree to discharging the 
     Committee on Oversight and Government Reform from further 
     consideration of H.R. 5576. I agree that forgoing formal 
     consideration of the bill will not prejudice the Committee on 
     Oversight and Government Reform with respect to any future 
     jurisdictional claim, and I appreciate your agreement to 
     support appointment of members of the Committee on Oversight 
     and Government Reform as conferees in any House-Senate 
     conference on this or related legislation. In addition, I 
     request the Committee be consulted and involved as the bill 
     or similar legislation moves forward so we may address any 
     remaining issues within our jurisdiction.
       Finally, I request you include your letter and this 
     response in the bill report filed by the Committee on Foreign 
     Affairs, as well as in the Congressional Record during 
     consideration of the bill on the floor.
           Sincerely,
     Trey Gowdy.
                                  ____

                                         House of Representatives,


                                 Committee on Foreign Affairs,

                                    Washington, DC, July 20, 2018.
     Hon. Trey Gowdy,
     Chairman, Committee on Oversight and Government Reform, 
         Washington, DC.
       Dear Chairman Gowdy: Thank you for consulting with the 
     Foreign Affairs Committee and agreeing to be discharged from 
     further consideration of H.R. 5576, the Cyber Deterrence and 
     Response Act of 2018, so that the bill may proceed 
     expeditiously to the House floor.
       I agree that your forgoing further action on this measure 
     does not in any way diminish or alter the jurisdiction of 
     your committee, or prejudice its jurisdictional prerogatives 
     on this resolution or similar legislation in the future. I 
     would support your effort to seek appointment of an 
     appropriate number of conferees from your committee to any 
     House-Senate conference on this legislation.
       I will seek to place our letters on H.R. 5576 into the 
     Congressional Record during floor consideration of the bill. 
     I appreciate your cooperation regarding this legislation and 
     look forward to continuing to work together as it moves 
     through the legislative process.
           Sincerely,
                                                  Edward R. Royce,
     Chairman.
                                  ____

                                         House of Representatives,


                                 Committee on Foreign Affairs,

                                    Washington, DC, July 20, 2018.
     Hon. Bob Goodlatte,
     Chairman, Committee on the Judiciary, Washington, DC.
       Dear Chairman Goodlatte: Thank you for consulting with the 
     Foreign Affairs Committee and agreeing to be discharged from 
     further consideration of H.R. 5576, the Cyber Deterrence and 
     Response Act of 2018, so that the bill may proceed 
     expeditiously to the House floor.
       I agree that your forgoing further action on this measure 
     does not in any way diminish or alter the jurisdiction of 
     your committee, or prejudice its jurisdictional prerogatives 
     on this bill or similar legislation in the future. I would 
     support your effort to seek appointment of an appropriate 
     number of conferees from your committee to any House-Senate 
     conference on this legislation.
       I will seek to place our letters on this measure into the 
     Congressional Record during floor consideration of the bill. 
     I appreciate your cooperation regarding this legislation and 
     look forward to continuing to work together as it moves 
     through the legislative process.
           Sincerely,
                                                  Edward R. Royce,
                                                         Chairman.

                              {time}  1400

  Mr. ENGEL. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in strong support of H.R. 5576, the Cyber 
Deterrence and Response Act of 2018. I am proud to be an original 
cosponsor of this legislation authored by Congressman Yoho, who did 
great work with this bill, along with Chairman Royce and other members 
of our committee.
  Mr. Speaker, every day, America faces cyber threats from around the 
world. Countries, including Russia, China, Iran, and North Korea, have 
attacked our companies, our infrastructure, our government, and even 
the very heart of our democracy, our elections.
  The Cyber Deterrence and Response Act is a step in responding to 
these threats. This bill requires the President to impose sanctions on 
those who participate in a state-sponsored cyber attack against the 
United States.
  These far-reaching sanctions could be targeted to individuals, 
entities, and states themselves that perpetrate these attacks. These 
include attacks against critical infrastructure, public and private 
computer networks, and any sector that would jeopardize America's 
national security, foreign policy, economic health, or financial 
stability.
  This is a bipartisan, good bill, and I urge all Members to support 
it. But let me be clear: This bill does not do nearly enough to respond 
to Putin's attack on our democracy. We must continue to do this, but 
this is an important step and a very good step, and is indicative of 
the bipartisan cooperation that we have in the Foreign Affairs 
Committee, which is very, very important when we are dealing with 
foreign affairs.
  Our adversaries need to know that we are united, and that is what a 
bill like this does. So I congratulate Mr. Yoho for his hard work on 
this bill. It is a welcome effort to enhance our response to cyber 
attacks, but it is a Band-Aid on a bullet wound, if we don't do 
anything else.
  We need to keep doing these kinds of things. Those countries that 
would wish us ill, we have to let them know that we are not going to 
just stand idly by and be a target.
  In 2016, our Nation was attacked. The very core of our democratic 
process was hit by Russian cyber forces, and our government has been 
woefully negligent to adequately respond.
  I thank Republican leadership for bringing this bill forward, but we 
really need to address the critical issue of our vulnerability to these 
cyber attacks. If we do that, they will bring forward one of the many 
other stronger bills on this matter as well, for example, my bill that 
I introduced with Mr. Connolly, the SECURE Our Democracy Act; or the 
Secure America from Russian Interference Act, which includes my bill; 
and more than a dozen others. These bills constitute a strong, decisive 
response that matches the gravity of the threat we face.
  These bills would require the President to impose sanctions on those 
who attacked our elections in 2016 and would do much, much more to 
shore up our election system. For over a year, I have been pushing and 
pleading that the bill moves forward. I hope it will move forward as 
well.
  We need to go on record now and say whether we will do everything in 
our power to stop another attack on American democracy, or whether we 
will

[[Page H7847]]

just step to the side with rhetoric and let it happen again. That is, 
again, why I am so happy to support this bill, because it shows that we 
are working together.
  But the point I want to make in collaboration with that is that we 
still have much more work to do. I know the committee, in a couple of 
weeks, is going to hold a very important hearing on Russia, and I think 
it is very important that we do that.
  Mr. Speaker, I again urge my colleagues to support this very good 
piece of legislation, and I reserve the balance of my time.
  Mr. ROYCE of California. Mr. Speaker, I yield 4 minutes to the 
gentleman from Florida (Mr. Yoho), the chairman of the Foreign Affairs 
Subcommittee on Asia and the Pacific, and the author of this bill.
  Mr. YOHO. Mr. Speaker, I rise in support of H.R. 5576, the Cyber 
Deterrence and Response Act. I thank Chairman Royce and Ranking Member 
Engel and his staff for helping usher this bill through the Foreign 
Affairs Committee.
  The threats of cyber attacks on our country and the American people 
are growing in their sophistication and frequency by the minute. 
Targeted attacks against the Federal Government, private businesses, 
and individual Americans continue to pose escalating threats to our 
Nation.
  Foreign adversaries like Iran, North Korea, Russia, and China have 
developed sophisticated cyber capabilities that can disrupt our 
networks, threaten our critical infrastructure, harm our economy, and 
undermine our elections.
  As Members of Congress, we must work to deter and respond to these 
state-sponsored cyber attacks against the United States.
  This is why I stand here today to urge support for H.R. 5576, the 
Cyber Deterrence and Response Act. This legislation codifies and 
enhances the substance of the cyber executive orders that are currently 
the foundation of the United States cyber policy.
  This bill will enhance cybersecurity by defining state-sponsored 
attacks and establishing strong penalties for would-be attackers. It 
will deter bad players from attacking the U.S. Government and our 
businesses.
  H.R. 5576 establishes a three-step process for the U.S. strategy to 
respond to cyber threats.
  The first step will require the President to identify and designate 
individuals and groups who are responsible for and are complicit in 
state-sponsored cyber attacks as critical cyber threat actors.
  This name-and-shame tactic will expose current hackers and deter 
future threats, making U.S. sanctions more consistent with other 
successful sanction procedures, like the SDN, which is a Specially 
Designated National list. The administration would then be taske with 
imposing appropriate actions and sanctions on the designated actors.

  A third step would include imposing additional sanctions against the 
foreign governments that are behind these attacks. In this way, like 
our State Sponsors of Terrorism list and the Trafficking in Persons 
watch list, my legislation goes to the governments that are at the root 
of the threat, not stopping at the agents that carry out the attacks.
  As chairman of the House Foreign Affairs Subcommittee on Asia and the 
Pacific, I understand the importance of protecting our Nation from 
malicious cyber attackers. Some of the worst offenders fall inside my 
jurisdiction. It is vital that we improve our ability to thwart these 
potential devastating cyber attacks.
  Understand this: An attack on just one government agency or any 
individual business is an attack on all Americans. To adequately 
protect our national security from advancing threats, we must put 
politics aside and put our country first.
  The Cyber Deterrence and Response Act will do just that, and I 
encourage all my colleagues to support this bill.
  Mr. ENGEL. Mr. Speaker, I yield 3 minutes to the gentleman from Rhode 
Island (Mr. Langevin), an original cosponsor of this legislation and a 
strong leader on cyber policy in Congress.
  Mr. LANGEVIN. Mr. Speaker, I thank the gentleman for yielding, and I 
would like to begin by thanking my colleague, the gentleman from 
Florida (Mr. Yoho), for his leadership on this very important issue. I 
am very proud to have helped shape this strong bill, and I appreciate 
the gentleman's bipartisan collaboration.
  Mr. Speaker, the international community has reached consensus on 
many norms of responsible state behavior in cyberspace. One key 
agreement reached by the joint 2015 Group of Governmental Experts is 
that responsible states do not use cyber means to damage or impair the 
operation of critical infrastructure that provides services to the 
public. Yet states regularly flaunt these international rules of the 
road.
  The North Koreans spread the WannaCry pseudo-ransomware last May. The 
Russians have targeted the electric grid in Ukraine and were behind 
NotPetya, the most devastating cyber incident in history. Closest to 
home, Russia launched an assault on our elections with the goal of 
undermining citizens' faith in our democracy.
  President Obama recognized that protecting the Nation's cyberspace 
has three components: improving our defenses to prevent hackers from 
getting in; increasing resilience to minimize the damage when they do 
get in; and imposing costs on states that act against our national 
interest.
  His executive orders, particularly 13694 and 13757, focused on this 
last point, holding nations accountable through sanctions when they or 
their agents target our critical infrastructure. Mr. Yoho's bill 
codifies large portions of these executive orders, and it goes further 
by requiring the President to both designate critical cyber threats and 
to sanction them.
  I strongly support the underlying policy and the enhancements made by 
my friend from Florida.
  Mr. Speaker, I think we also need to go further. The September 2015 
Obama-Xi accord on Chinese economic espionage, which remains one of the 
most successful examples of cyber deterrence, relied on the threat of 
sanctions targeting the beneficiaries of China's spying, not just PLA 
members. We must continue to work together in a bipartisan fashion to 
maximize the efficacy of sanctions, which are intended not to punish 
but to shape behavior.
  Most importantly, though, I hope the President takes more aggressive 
actions to protect American interests in cyberspace. I criticized 
President Obama's response to Russia's election interference as too 
little, too late, and, unfortunately, President Trump has been reticent 
to act against Russia.
  The norms we talk about are norms of behavior, and I remain deeply 
concerned that our absence of action in response to malign state 
activity is developing into a norm in and of itself. Actions, as they 
say, speak louder than words.
  However, all told, Mr. Speaker, this bill is an important first step 
in recognizing that cyber threats are the new weapon of choice for 
states that seek to sow discord and engage in conflict below the level 
of the threshold of war.
  I again thank Congressman Yoho for introducing the bill and Chairman 
Royce and Ranking Member Engel for supporting it. I strongly support 
H.R. 5576, and I urge my colleagues to do the same.
  Mr. ROYCE of California. Mr. Speaker, I yield 2 minutes to the 
gentleman from Pennsylvania (Mr. Fitzpatrick). He is a member of the 
Committee on Foreign Affairs. He is a cosponsor of this legislation. He 
has formerly worked for the FBI on cyber issues, and we very much 
appreciate his expertise in this area.
  Mr. FITZPATRICK. Mr. Speaker, I rise today in strong support of H.R. 
5576, the Cyber Deterrence and Response Act of 2018.
  Mr. Speaker, our adversaries continually engage in sophisticated 
cyber attacks designed to disrupt our critical infrastructure, harm our 
economy, and undermine our elections. As has been said time and time 
again, our Nation's electoral process is sacred, and it must be 
protected at all costs from interference from all hostile foreign 
actors.
  In February, the Director of National Intelligence stated that 
Russia, China, Iran, and North Korea will pose the greatest cyber 
threats to the United States during the course of the next year.
  We have seen continued hostility from state actors like Russia to 
undermine our democratic institutions and

[[Page H7848]]

trigger instability in Europe by weakening key partners like Ukraine 
and Georgia.
  Mr. Speaker, I saw this firsthand during my time as an FBI agent 
working both here domestically and overseas. We must make it clear to 
these hostile states that they will face harsh consequences for their 
cyber attacks.
  That is exactly what this bipartisan bill accomplishes. The Cyber 
Deterrence and Response Act establishes a clear framework to deter and 
respond to state-sponsored cyber threats. It provides harsh sanctions 
through suspension of developmental assistance and credit allotment to 
nations engaged in malicious state-sponsored cyber activities against 
our United States.

  We must hold these foreign actors accountable while strengthening the 
integrity of our intelligence community. I commend my colleague from 
Florida (Mr. Yoho) for introducing this bill, along with Chairman Royce 
and Ranking Member Engel for bringing this vital matter to the floor. I 
urge my colleagues, Democrat and Republican alike, to support this 
critical legislation that is necessary to protect our national 
security.
  Mr. ENGEL. Mr. Speaker, I reserve the balance of my time to close.
  Mr. ROYCE of California. Mr. Speaker, I yield 2 minutes to the 
gentleman from Utah (Mr. Curtis). He is a member of the Committee on 
Foreign Affairs and a cosponsor of this legislation as well.
  Mr. CURTIS. Mr. Speaker, I am pleased to join my friend and 
colleague, Mr. Yoho, on the floor today with others to speak in support 
of this bipartisan bill, H.R. 5576, the Cyber Deterrence and Response 
Act. I would also like to give a special thanks to Foreign Affairs 
Committee Chairman Royce and Ranking Member Engel for their support of 
the bill and moving it through the committee process.
  Mr. Speaker, more than 30 nations are currently developing offensive 
cyber attack capabilities. Earlier this year, the Director of National 
Intelligence testified before Congress that Russia, China, Iran, and 
North Korea posed the greatest cyber threats to the United States. He 
continued and said work to use cyber operations to achieve strategic 
objectives will continue ``unless they face clear repercussions for 
their cyber operations.''
  This bill puts in place those clear repercussions for nations that 
have and seek to continue to use cyber attacks against the U.S. 
Specifically, the legislation authorizes the President, acting through 
the Secretary of State, to designate, where appropriate, foreign 
persons or agencies as critical cyber threats.
  The bill also authorizes both travel and financial sanctions of 
individuals and agencies designated as critical cyber threats, and the 
legislation requires Congress to be briefed periodically on state-
sponsored cyber activities against the United States.
  This bill will help us better protect America's critical 
infrastructure, national security, healthcare, energy, financial, 
transportation, and communication systems from hostile state-sponsored 
cyber attacks.
  Additionally, the legislation is important to help us better protect 
American companies and manufacturers from hackers and cyber intruders.

                              {time}  1415

  And maybe most importantly, H.R. 5576 will provide more tools for the 
U.S. to deter state-sponsored efforts to attack our democratic 
institutions and electoral systems.
  I urge my colleagues to support me in voting in support of the Cyber 
Deterrence and Response Act of 2018.
  Mr. ENGEL. Mr. Speaker, I am prepared to close. I yield myself such 
time as I may consume.
  In closing, I urge all my colleagues once again to support this 
measure. The scope of the cyber threat that we are facing is immense. 
This is a good bill, and moves us in the right direction, and I urge 
all our colleagues to support it.
  I want to thank Chairman Royce. As usual, I want to thank Chairman 
Royce and Congressman Yoho for their friendship and their hard work on 
this critical issue.
  I yield back the balance of my time.
  Mr. ROYCE of California. Mr. Speaker, I yield myself such time as I 
may consume.
  Mr. Speaker, in closing, I would really like to thank our colleagues 
here, especially Representative Ted Yoho, the chairman of the 
Subcommittee on Asia and the Pacific, and the ranking member of the 
Foreign Affairs Committee, Mr. Eliot Engel of New York.
  I also want to thank the Financial Services Committee that worked 
with us on this legislation. We want to thank, in addition, the 
Judiciary Committee. We had the Oversight and Government Reform 
Committee that worked with us as well in support of this bill.
  I think, as Mr. Yoho would share with you, the bill is truly a 
bipartisan endeavor that has been improved by contributions from 
multiple committees, government agencies, and the business community. 
And with the passage of this bill, Congress sends a strong message to 
our adversaries, that cyberattacks against the United States and 
against our allies will not be tolerated.
  Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from California (Mr. Royce) that the House suspend the rules 
and pass the bill, H.R. 5576, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________