A new bipartisan piece of legislation, the Homeland and Cyber Threat Act, seeks to amend the Foreign Sovereign Immunities Act (FSIA) to allow U.S. citizens to sue foreign governments for injuries sustained from foreign government-sponsored cyberattacks. As explained yesterday in an op-ed in The Hill from the bill’s sponsors, Reps. Jack Bergman (R-MI) and Andy Kim (D-NJ), the bill “carves out a cyberattack exception to the blanket immunity of foreign governments — including foreign officials, employees, or agents — provided by FSIA with regard to money damages sought by a national of the United States for personal injury, harm to reputation, or damage to or loss of property resulting from cyberattacks.”
The congressmen point out how, under extant law and federal courts’ interpretation of that law, foreign governments are generally immune from U.S. plaintiffs’ legal actions. Accordingly, the Homeland and Cyber Threat Act would close this legal safe harbor and endeavor to hold hostile foreign governments accountable for their destructive actions against American citizens. The congressmen argue that times have sufficiently changed since the passage of the FSIA so as to make necessary such a legislative tweak:
This legislation would go a long way towards providing much-needed legal protection to victims of foreign-sponsored cyberattacks. Foreign governments have been hacking into private data systems to influence politics and policy in the United States for a long time; it is time for Congress to enact a cyberattack exception to FSIA that protects the privacy and property of Americans. The bill would give victims of foreign-sponsored cyberattacks effective recourse to the courts for the first time, and it will hold foreign governments and their agents responsible for these harmful activities.
As of now, the bill has 10 cosponsors: Five Democrats and five Republicans apiece. The cosponsors include some notable far-left progressives, such as Rep. Sheila Jackson Lee (D-TX), and some notable hard-right conservatives, such as Rep. Matt Gaetz (R-FL).
The FSIA was passed in 1976, which was well before the commercial and popular rise of the Internet.
The new bill lists each of the following as foreign government-sponsored activities that could potentially justify a lawsuit, assuming also that a U.S. citizen has sustained “personal injury, harm to reputation, or damage to or loss of property”:
(1) Unauthorized access to or access exceeding authorization to a computer located in the United States.
(2) Unauthorized access to confidential, electronic stored information located in the United States.
(3) The transmission of a program, information, code, or command to a computer located in the United States, which, as a result of such conduct, causes damage without authorization.
(4) The use, dissemination, or disclosure, without consent, of any information obtained by means of any activity described in paragraph (1), (2), or (3).
(5) The provision of material support or resources for any activity described in paragraph (1), (2), (3), or (4), including by an official, employee, or agent of such foreign state.
Truly bipartisan pieces of legislation are undoubtedly rare, in today’s Congress. But much like the issue of holding Big Tech accountable, it seems that the issue of holding hostile foreign governments accountable for cyberattacks could be another issue that gains bipartisan acclaim.