Proposed Homeland and Cyber Threat Act Would Allow Claims Against Foreign State Actors

In August of 2019, US Representatives Jack Bergman and Andy Kim introduced a new bill in Congress that would combat the growing threat of cyberattacks from foreign governments. The bill, named the Homeland and Cyber Threat (HACT) Act, would allow US citizens and corporations to make claims in federal and state courts against foreign government entities engaging in or sponsoring cyberattacks against them. Under current law, US citizens are unable to file such claims because foreign state actors are protected by the Foreign Sovereign Immunities Act (FSIA). The HACT Act has gained momentum, adding 63 co-sponsors to the bill in August 2020. The rising threat of cyberattacks, especially during the COVID-19 pandemic, may make the HACT Act a reality.

HACT ACT

The first version of the HACT Act proposes amendments to Chapter 97, Title 28, US Code, Jurisdictional Immunities of Foreign States, removing the immunity from US courts that protects foreign state actors involved in cybercrimes against US nationals. The bill applies to any US national seeking monetary damages from foreign state actors and entities for personal injury, harm to reputation or damage to property resulting from criminal cyber activities. The bill outlines these activities as the following:

  1. Unauthorized access to or access exceeding authorization to a computer located in the United States.
  2. Unauthorized access to confidential, electronic stored information located in the United States.
  3. The transmission of a program, information, code, or command to a computer located in the United States, which, as a result of such conduct, causes damage without authorization.
  4. The use, dissemination, or disclosure, without consent, of any information obtained by means of any activity described in the first three activities.
  5. The provision of material support or resources for any activity described in the above 4 paragraphs. [1]

The bipartisan bill was re-introduced by Congressman Colin Allred on March 8, 2021. The supporters of the bill call it a commonsense tool to help victims of cybercrime fight back against foreign state actors. Although several members of Congress have shown support for the bill, there are repercussions to the HACT Act that should also be examined and weighed against the benefits.

HACT ACT PITFALLS

The HACT Act, in principle, seems like a great way to combat the growing threat of cyberattacks, but there are also some glaring issues. First and foremost is how this will affect US intelligence gathering operations. Allowing US nationals and companies to sue foreign state actors and governments, and removing their immunity under FSIA, could open the door for foreign governments to do the same, filing lawsuits against US intelligence agencies. The US government uses cyber operations as a means to collect intelligence. It is widely known that every major government organization uses cyber operations to some extent, the biggest difference being that other governments use them to steal intellectual property as well as to gather intelligence. With the broad definitions of the HACT Act, the US government could open itself up to litigation issues.

Additionally, attribution becomes a major issue when talking about lawsuits for cybercrimes. For example, in Russia, it is understood that cyber threat actors are allowed to act freely within the country as long as they do not attack Russian companies or citizens. To demonstrate that this constitutes support from a state actor would be extremely difficult. Even if it is reported that threat actors are state sponsored, the state can deny any involvement because the criminal acts were officially carried out by cyber gangs not directly affiliated with any government entity.

A deterrent against cyber threats to the US

With that said, adding the ability for US nationals to engage in lawsuits with foreign governments would make for a volatile environment for cyber threat actors, and may be enough of a deterrent to force them to shift their focus elsewhere. The question becomes, is this deterrent worth the time, money and resources needed to carry out such litigation? Binary Defense analysts will continue to monitor the HACT Act to see if any revisions are made and how it is received by US politicians.


[1] H.R. 4189, To amend title 28, United States Code, to allow claims against foreign states for unlawful computer intrusion, and for other purposes.