Washington, D.C. – With the growing cost of cybercrime in America and across the globe, U.S. Senators Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT) today introduced the International Cybercrime Reporting and Cooperation Act – bipartisan legislation that takes aggressive action to combat cybercrime against America and foster cooperation with other countries.
“Cybercrime must be a top priority for our national security,” Senator Gillibrand said. “If we’re going to protect our networks, our infrastructure, our economy and our families, we have to go after cyber criminals wherever they may be – and it must be an international effort. Our legislation requires the president to provide a global assessment, identify threats from abroad, work with other countries to crack down on their own cyber criminals, and urge the president to cut off U.S. assistance and resources for countries that refuse to take responsibility for cybersecurity. Our legislation will make America safer by getting tough on cybercrime globally, and coordinating with our partners in the international community.”
“It’s time to come together to address the serious issue of cybercrime,” Senator Hatch said. “With our legislation, countries that knowingly turn a blind eye to cybercriminals will now know that there will be consequences for not acting.”
For over a decade, reports have described the increasing vulnerability of the U.S. to cyberattacks. A growing array of international criminal organization are targeting U.S. citizens, commerce, and information infrastructure, including the Internet, telecommunications networks, financial systems, embedded processors and controllers in critical industries to steal, exploit, disrupt, or destroy information.
The U.S. Defense Department reported a foreign government was responsible for a March 2011 cyberattack against U.S. military computers that led to the theft of 24,000 files from a defense contractor. The cyberattack targeted files related to missile tracking systems, unmanned aerial vehicles and the Joint Strike Fighter.
Criminals are increasingly going after online financial data – costing businesses and individuals billions. In fact, each data breach costs American businesses an average of $6.6 million. In 2008, U.S. businesses lost $4 billion from online fraud. Every hour, the FBI processes 35 cases through the Internet Crime Complaint Center (IC3). 300,000 cyber crime complaints were filed last year alone, with more than one-third passed on to law enforcement, according to a recent GAO report. Two-thirds of all businesses detected at least one cyber crime, and most crimes caused losses of at least $10,000, according to a 2005 Bureau of Justice Statistics (BJS) survey, and larger businesses face the highest threat.
The Senators’ bipartisan legislation is being supported by American businesses and associations such as the U.S. Chamber of Commerce, American Express, HP, Microsoft, Oracle, PayPal, Symantec, TechAmerica, VeriSign, Visa, Business Software Alliance, and Financial Services Roundtable.
Cyber exploitation activity has grown more sophisticated and targeted over the past year and is expected to increase. Relevant international cybercrime agreements have not been signed by certain key countries that host cyber criminals with apparent impunity.
To boost America’s cybersecurity, improve our coordination with allies, and establish tough new ways to crack down on cyber threats internationally, Senators Gillibrand and Hatch today introduced the International Cybercrime Reporting and Cooperation Act.
Annual Presidential Report
The bill requires the president (or his designee) to annually report to Congress, beginning one year after passage of this bill, on the assessment of the cybercrime fighting efforts of the countries chosen by key federal agencies in consultation with private sector stakeholders. The countries to be reviewed are those with a significant role in efforts to combat cybercrime impacting U.S. Government, entities and persons, or disrupting U.S. electronic commerce or intellectual property interests.
The report would asses:
- the extent and nature of cybercrime that impacts the U.S. and is based in each country;
- the adequacy and effectiveness of each country’s legal, judicial and law enforcement systems in addressing cybercrime; and
- the measures taken by each country to protect consumers online.
The report would also assess U.S. efforts to promote such multilateral efforts.
The report and assessments would be crafted in consultation with relevant federal agencies, including State, DOJ, DHS, Commerce, USTR, and Treasury; industry; and civil society organizations.
The reports may be submitted to Congress in classified form.
The president would also identify as countries of cyber concern those for which:
- there is significant credible evidence of a pattern of incidents of cybercrime on the United States Government, US private entities or persons have been launched repeatedly by persons or property from within such countries’ borders; and
- such countries have demonstrated a pattern of uncooperativeness by failing to:
- conduct reasonable cybercrime investigations, prosecutions, or other proceedings;
- cooperate with bilateral or international investigations or prosecutions, or other proceedings; or
- adopt or implement legislation or other measures consistent with the Council of Europe Cybercrime Convention.
Annual Bilateral Action Plans
One year after issuing the initial report and annually thereafter, the president shall establish a cooperative action plan for each country of cyberconcern designed to assist the government of each such country to improve the capacity of the country to combat cybercrime, with certain benchmarks for the country to address. This plan shall be developed and carried out in consultation with such countries in order to encourage them to reach the benchmarks.
The president will determine which countries no longer need to be reviewed on the report because the cybercrime concerns have been adequately addressed.
The benchmarks in the action plans are such legislative, institutional, enforcement or other actions as the president determines are necessary to improve the capacity of each country, and will be appropriately calibrated for each such country. Benchmarks may include:
- the initiation of credible criminal investigations or proceedings related to the cybercrime incidents that led to the designation of the country as one of cyber concern;
- cooperation with the U.S., another party to the Council of Europe Cybercrime Convention, or INTERPOL in conducting criminal investigations or proceedings; or
- implementation of legislative or other measures consistent with the Council of Europe Cybercrime Convention.
The president may waive the requirement to name a country of cyber concern or develop an action plan for any such country if it is in the national interest to do so, and report such waiver to Congress, in classified form if necessary.
Failure to Meet Action Plan Benchmarks
If one year after developing the action plans, the president determines in consultation with relevant Federal agencies that a country of cyber concern has not complied with the benchmarks in its plan, the president is urged (not mandated) to take one or more of the following measures with respect to such country
- instruct the US director for each multilateral bank to restrict or oppose new financing;
- suspend, limit or withdraw preferential trade programs;
- suspend, restrict or withdraw foreign assistance.
If either of the assistance provisions is utilized, it shall not limit projects related to building capacity or taking actions to combat cybercrime, or otherwise impact humanitarian or disaster assistance.
Benefits will be restored when the president, in consultation with relevant Federal agencies, determines and certifies to Congress that the country has complied with its benchmarks.
The president is required to prioritize foreign assistance programs designed to combat cybercrime to those countries identified in the annual report as having a low ability to combat cybercrime.
The president is also urged to include programs designed to combat cybercrime in bilateral and multilateral foreign aid projects to countries identified as having low ICT penetration in its critical infrastructure, telecommunications, and finance sectors. Such assistance should address the critical infrastructure, telecommunications systems, financial industry, legal or judicial systems, or law enforcement capabilities of that country, and be provided in a sustainable manner.
Department of State International Cybersecurity Focus
The bill requires the Secretary of State to designate a senior official at the State Department to focus on a full range of cybersecurity issues, including activities, policies and opportunities to combat cybercrime internationally.
Embassy Cyber Attaches
The president shall also appoint employees at key embassies to focus on cybercrime policy.
The president shall take into consideration cybercrime fighting efforts of a country before finalizing or modifying a free trade agreement with such country.