Proposal Comes as SolarWinds, Microsoft Exchange Hacks Are Investigated
Legislation introduced in the House would allow U.S. citizens to file lawsuits against foreign governments – and employees and agents of those countries – to hold them liable if a cybersecurity incident causes damages.
The Homeland and Cyber Threat Act, introduced Monday, would eliminate immunity afforded to foreign states, including foreign officials, employees or agents, in both state and federal courts and would allow Americans to collect monetary damages related to personal injury, damage or loss of property resulting from a cyber incident with foreign origins.
The bill is a reintroduction of similar legislation introduced in the House in August 2019 by Rep. Jack Bergman, R-Mich., who says the legislation is needed in light of the rising number of cyber incidents that stem from other nations and affect U.S. citizens.
“As we continue to address the rise in cyberattacks, the time is now to make this critical update to the Foreign Sovereign Immunities Act to ensure we are holding foreign states and their agents accountable for attacks against Americans,” Bergman says.
While the 2019 version of the legislation attracted more than 65 co-sponsors in the House, the bill never left the Judiciary Committee, so it needed to be reintroduced for the new Congress to consider it.
Rep. Colin Allred, D-Texas, who is one of the co-sponsors, notes that victims of cyber incidents, such as the SolarWinds supply chain attack and the nation-state hacking of Microsoft Exchange servers, need additional ways to hold foreign governments that sponsor these attacks responsible.
“Cyberattacks against American citizens are only increasing, and Congress should give Americans the tools they need to fight back against foreign attacks,” Allred says. “This legislation does just that by giving Americans the ability to hold foreign governments accountable for damage done by cyberattacks.”
Other co-sponsors of the 2021 version of the legislation include Democratic Reps. Joe Neguse of Colorado and Andy Kim of New Jersey, and Republican Reps. Brian Fitzpatrick of Pennsylvania and Jamie Herrera Beutler of Washington.
SolarWinds and Exchange
The unveiling of the updated version of the legislation comes as the Senate and House continue to probe the origins of the SolarWinds attack.
At two recent House hearings on the SolarWinds incident, several lawmakers noted that they were open to creating laws governing the type of intelligence organizations can share with federal agencies, such as the Cybersecurity and Infrastructure Security Agency (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
Now, some of the focus has shifted to exploits by a Chinese hacking group of the four vulnerabilities Microsoft disclosed in Exchange server (see: Exchange Server Attacks Spread After Disclosure of Flaws).
Meanwhile, federal prosecutors have been taking action in an effort to crack down on other hacking campaigns originating overseas.
In February, three North Koreans were indicted by the U.S. Justice Department for allegedly taking part in a criminal conspiracy that attempted to steal or extort $1.3 billion in cryptocurrency and cash from banks and other organizations around the world. The three men are reportedly members of the Lazarus Group, which has ties to the North Korea government (see: 3 North Koreans Indicted for Conspiring to Steal $1.3 Billion).
As part of the effort, the Justice Department and FBI are seizing nearly $2 million worth of cryptocurrency from various exchanges to return the funds to a victimized bank in New York.
Mark Rasch, an attorney with the law firm Kohrman, Jackson & Krantz, notes that U.S. citizens who suffer financial losses or organizations that sustain IT infrastructure damages as a result of foreign cyberattacks should have the ability to seek restitution in courts. But he expresses concern that removing exemptions found in the Foreign Sovereign Immunities Act that shield government agencies and their employees from lawsuits could open the door to U.S. officials facing lawsuits from other nations.
“A law like this would interfere with criminal investigations and it would interfere with diplomatic relations. It would also interfere with foreign policy,” Rasch says. “Also, when you look at these situations, we think of countries like Russia or China. But what if the country that caused the damage was England or Israel or Germany?”
Rasch also notes that proving a foreign government sponsored or directed a particular attack is difficult.
“What level of proof would be needed to prove it was state-sponsored?” Rasch asks. “Will you be able to get evidence from the U.S. government or the intelligence community in support of civil lawsuits? What kinds of discoveries would the court accept at the end of the day? How are you going to enforce those judgments?”