Bill Would Eliminate Immunity for Foreign Hackers

A bipartisan group of lawmakers on Monday revived legislation that would allow Americans to take foreign hackers to court. 

The Homeland and Cyber Threat Act, sponsored by Rep. Colin Allred, D-Texas, would amend the Foreign Sovereign Immunities Act to ensure Americans can go to court over harm resulting from cyberattacks perpetrated by foreign states.  

“Cyberattacks against American citizens are only increasing and Congress should give Americans the tools they need to fight back against foreign attacks,” Allred said in the press release. “This legislation does just that by giving Americans the ability to hold foreign governments accountable for damage done by cyberattacks.”

Rep. Jack Bergman, R-Mich., sponsored the legislation in the previous Congress and joins the reintroduction as a co-sponsor. The bill’s other supporters include Reps. Brian Fitzpatrick, R-Pa., Joe Neguse, D-Colo., and Andy Kim, D-N.J, and Jaime Herrrera Beutler, R-Wash.

Foreign states could be sued for activities that include unauthorized access to a computer or confidential, electronic stored information located in the U.S., transmission of a program, information, command or code to a U.S. computer which results in damage, and the use, dissemination or disclosure of information obtained by the unauthorized activities, according to the bill. 

The massive hacking intrusion generally known as the SolarWinds incident, which the government stated was likely Russian in origin, as well as other recent exploitative activity discovered by Microsoft, which the tech giant said is believed to originate in China, have highlighted the need to shore up cyber defense and deter adversaries. Lawmakers in recent hearings have pressed experts and officials testifying for guidance on how to do so. States—or their officials, employees, or agents—providing material support for these activities would also lose immunity if the legislation succeeds. 

But one cybersecurity industry official raised questions about how much of a difference this legislation will make. Paul Martini, chief executive of cloud cybersecurity company iboss, told Nextgov in an email statement the legislation could be a useful accountability tool. 

"The question, however, remains whether this will be effective or if attackers from foreign regimes will continue to act with impunity,” Martini said. “That's why we also need to see significant government and private sector investment in technology to keep American entities secure by leveraging the advanced cloud security and zero trust policies."