Cybersecurity: Legislation

Proposed Russia Sanctions Legislation

By Ed Stein
Friday, March 3, 2017, 11:06 AM

Though there may be plenty of topics about which President Trump and congressional Republicans agree, Russia does not appear to be one of them. The , where there is bipartisan and bicameral support for preventing any lessening of sanctions on Russia. Notably, both and House have voiced opposition to lifting any sanctions.

The opposition goes beyond just words; Russia sanctions legislation has been introduced in both houses of Congress. Since it doesn’t look like concerns regarding Russia are likely to disappear anytime soon—especially given —it’s worth looking at what the two leading bills would do.

 

Russia Sanctions Review Act (/)

The Russia Sanctions Review Act was introduced on February 8 by Sen Lindsey Graham (R-SC); a was subsequently introduced by Rep. Steny Hoyer (D-MD), the minority whip, on February 15. Both bills have bipartisan support. According to a put out by Rep. Hoyer’s office, the legislation was “based on the , which allowed Congress to vote on the lifting of Iran-related sanctions prior to implementation of the Joint Comprehensive Plan of Action.” And, according to the text of the Senate version, it appears the legislation would do that (in addition to codifying some relevant executive orders). If enacted, the bill would require that, before lifting any Russia sanctions, the president certify to Congress that Russia has ceased:

  1. ordering, controlling, or otherwise directing, supporting, or financing, significant acts intended to undermine the peace, security, stability, sovereignty, or territorial integrity of Ukraine, including through an agreement between the appropriate parties; and

(B) cyberattacks against the United States Government and United States persons.

Congress would then have 120 days—twice the time it had with respect to the Iran Deal—to evaluate the president’s proposed actions. The president would be prohibited from lifting any Russia sanctions during that time. This time would allow both houses, under expedited rules, to pass a joint resolution of disapproval. The president could, of course, veto any congressional action; but should he do so, the bill would impose an additional 10-day waiting period before he could lift any sanctions, presumably to allow for the passage of veto-proof legislation.

In short, the bill would impose a 4-month pause button on any presidential action to lift sanctions. As Jack discussed in the Iran context ( and , for example), this should be comforting to those who believe such a review period will facilitate productive debate and accountability. But those who believe sanctions on Russia should be lifted, period, may recall and view the Russia Sanctions Review Act with skepticism.

 

Counteracting Russian Hostilities Act ()

This bill—for which there is also bipartisan support, but as of yet no House companion—is a different beast entirely. And it is quite a beast. Though the bill includes waiver provisions (discussed below) which would allow the president to avoid imposing sanctions in certain circumstances, it would pave the way for a very robust sanctions regime, targeting numerous sectors of the Russian economy (“”) as well as . It’s also worth mentioning that though the bill has not moved very much since it was introduced, its current cosponsors include both Sen. John Cornyn (R-TX) and Sen. Dick Durbin (D-IL), the majority and minority whips, respectively.

I should also mention that there is some non-sanctions stuff in the bill, including some provisions regarding restrictions on actions that could signify recognition of Russian sovereignty over parts of Ukraine. Though these might raise some interesting questions in light of , they are beyond the purview of this post which is intended to give a brief overview of the sanctions provisions, which are potentially quite expansive.

Menu Model of Sanctions. To a large degree, the bill follows the menu model of sanctions legislation whereby the president is required to impose some number of potential sanctions measures on those who fit certain designation criteria. (The Treasury Department briefly discussed this model of sanctions in footnote 22 of some .) There are a number of recent examples of this model, but the following three Iran bills are especially instructive:

(ISA)

(CISADA)

(TRA)

Each law is an iteration in the progression of the Iran sanctions regime. And—to draw a very narrow analytical conclusion from what is an extremely complicated area of law—each partially builds off the previous one. For example, both CISADA and TRA added new menu options and CISADA required the president to impose a greater number. (For a chart tracking some of this evolution—and an amazing wealth of information on Iran sanctions issues more broadly—see ). It’s not hard to see why this is appealing: Congress gets to weigh in, change the menu of options, and force the president’s hand if it wishes. But the president is still given some flexibility.

Sanctions Measures. Aside from the sanctions on cyber actors (discussed below), each sanctions provision requires the president to impose five out of twelve potential sanctions measures, ranging from restrictions on Export-Import Bank assistance to major restrictions on financial transactions and access to the U.S. financial system. Nearly all of these appear to map onto the sanctions measures contained in the ; here, however, there appears to be the addition of a measure to oppose loans from international financial institutions. With one exception (noted below), the bill seems to impose a negligence standard with respect to designation by defining “knowingly . . . with respect to conduct, a circumstance, or a result” to include both persons with actual knowledge as well as persons who “should have known.” With respect to penalties, the bill imposes the same penalties as would apply for a violation of the International Emergency Economic Powers Act (IEEPA) (), which carries significant civil and criminal penalties.

Exemptions and Waivers. The bill also gives the President general waiver authority, but exercising it requires a written submission to Congress that Russia has made progress on the relevant concerning conduct and that a waiver is either “vital to the national security interests of the United States,” and/or (depending on the specific provision) “will further the enforcement of this title.” Waivers are certainly closer to the rule rather than the exception in sanctions bills, and (and others, such as ) have noted that Congress should not include them if it wants to constrain the president. (Jack has also considered the that congressional restrictions on the president’s sanctions could run afoul of the president’s Article II powers .) As a practical matter—as became irrefutably clear in the Iran context—waivers can certainly have consequences, so it’s worth noting their presence in this bill. There are two interesting variations here, though. First, Congress chose to use the word “vital.” The Iran bills linked above show an evolution in waiver standards from “,” to “,” to “.” Though the waivers are obviously more complicated than one word could convey, there seems to be a trend here, and one wonders whether “vital” is supposed to signify a stricter standard than “essential.” Second, in a departure from the , the bill explicitly states that the potential sanctions measures “shall not include the authority to impose sanctions on the importation of goods.”

Title I: Russian Cyber Intrusions Sanctions Act

Cyber Actors. This portion of the bill broadly targets cyber actors (or their facilitators) who threaten the infrastructure or democratic institutions of the U.S. or a U.S. ally. Specifically, the bill requires that the president impose sanctions on “any person that the President determines—”

(1) knowingly engages, on behalf of the Government of the Russian Federation, in significant activities undermining cybersecurity, through the use of computer networks or systems against persons or governments, that—

(A) have a detrimental effect on public or private infrastructure of the United States or an ally of the United States; or

(B) result in the compromise of democratic institutions of the United States or an ally of the United States;

(2) materially assists, sponsors, or provides financial, material, or technological support for, or goods or services in support of, an activity described in paragraph (1); or

(3) is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly, a person described in paragraph (1).

This provision seems to be a fairly targeted, conduct-based provision, in the sense that it is aimed pretty specifically at major state actors who target democratic processes or state interests. For example, compare it to the broad, status-based criteria of , or the broader designation prong of , which targets North Korean cyber activities and more simply permits sanctions against:

any person determined by the Secretary of the Treasury, in consultation with the Secretary of State . . . to have engaged in significant activities undermining cybersecurity through the use of computer networks or systems against targets outside of North Korea on behalf of the Government of North Korea or the Workers’ Party of Korea.

In about , Acting OFAC Director John Smith spoke to the practical significance of designation criteria:

While the [] focuses on human rights abuses specifically related to last year’s protests, [] expands our targeting authority to more broadly cover any significant acts of violence or serious violations of human rights in relation to Venezuela, and restrictions on the exercise of freedom of expression or peaceful assembly in Venezuela, allowing us to deter and address repression as it may arise. The Order also includes designation criteria related to the undermining of democracy in Venezuela and to public corruption by senior Venezuelan government officials. Finally, the E.O. gives us the discretionary authority to designate current or former Venezuelan government officials. As we have learned from experience across a number of sanctions programs, this type of “status-based” authority is a useful tool that allows us to go after targets of concern for which there may be limitations to our ability to designate under “conduct-based” authorities.

The provision also covers actions against U.S. allies, and like the material assistance prong expands the scope of the actors who could be captured under the sanctions regime. I don’t know enough about cyber issues to say conclusively, but given the lack of a knowledge or intent requirement, could the material assistance prong capture internet service providers?

Unlike other parts of the bill, this provision does not mandate the imposition of any particular sanctions measures. Rather, it invokes the president’s broad asset-blocking powers under IEEPA, as well as visa-related powers under the Immigration and Nationality Act (INA) (). This portion of the bill also included a pretty unique provision that allows members of Congress to submit specific potential designees and requires the president to respond within 120 days indicating whether the person would meet the designation criteria; I am not aware of any similar provisions included in past sanctions bills. And this would seem to allow Congress to play a significant role in the actual targeting process.

Defense/Intelligence Sector. This portion of the bill targets the Russian intelligence sector. Specifically, the bill requires that the president impose sanctions on “each person that knowingly . . . engages in a significant transaction with a person that is part of, or operates for or on behalf of, the defense or intelligence sectors of the Government of the Russian Federation.” Unlike the sanctions against cyber actors, this provision requires the president to pick five out of twelve measures from the larger menu of options.

Title II: Countering Russian Aggression Act of 2017

Energy Sector Sanctions. This provision of the bill—which looks to be modeled on relevant provisions of the —would impose sanctions on those who, above a certain monetary threshold, invest in or provide support to the Russian energy sector. One provision would require the president to sanction anyone who knowingly makes a qualifying “investment that directly and significantly contributes to the enhancement of the ability of the Russian Federation to develop petroleum or natural gas resources,” or “sells, leases, or provides to the Russian Federation [qualifying] goods, services, technology, information, or support . . . that could directly and significantly facilitate the maintenance or expansion of the production of petroleum products or natural gas in the Russian Federation, including any direct and significant assistance with respect to the construction, modernization, or repair of petroleum refineries and natural gas infrastructure.” Other provisions would impose similar sanctions with respect to investments or provision of goods that help Russia construct energy export pipelines or develop civil nuclear power projects. In terms of specific sanctions measures, the president would be required to pick at least five out of the twelve available in the larger menu of options.

Sovereign Debt Sanctions. This provision of the bill would impose sanctions on anyone who “knowingly . . . purchases, subscribes to, or facilitates the issuance of . . . sovereign debt of the Government of the Russian Federation [or] debt of any entity owned or controlled by the Government of the Russian Federation . . . including bonds.” Interestingly, there is no dollar value threshold here, so presumably even small transactions would qualify. Additionally, in what appears to be a measure intended to combat evasion of this provision, the bill instructs the president to impose sanctions on anyone who “with actual knowledge,” makes or facilitates a high-value investment that “directly and significantly contributes to the ability of the Russian Federation to privatize state-owned assets.” So, no transactions involving sovereign debt, and no big transactions that enable Russia to privatize state-owned assets. The actual knowledge requirement may be designed to prevent the imposition of liability on downstream investors who do not actually know of the prohibited transaction. In terms of specific sanctions measures, again, the President would be required to pick at least five out of the twelve available in the larger menu of options.

Human Rights Sanctions. This provision of the bill would impose sanctions on foreign persons if the president determines that, “based on credible information,” the person:

(1) is responsible for, complicit in, or responsible for ordering, controlling, or otherwise directing, the commission of serious human rights abuses in any territory forcibly occupied or otherwise controlled by the Government of the Russian Federation;

(2) has materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to, a foreign person that is responsible for, complicit in, or responsible for ordering, controlling, or otherwise directing, the commission of serious human rights abuses in any territory forcibly occupied or otherwise controlled by the Government of the Russian Federation; or

(3) is owned or controlled by a foreign person, or has acted or purported to act for or on behalf of, directly or indirectly, a foreign person, that is responsible for, complicit in, or responsible for ordering, controlling, or otherwise directing, the commission of serious human rights abuses in any territory forcibly occupied or otherwise controlled by the Government of the Russian Federation.

So, essentially, the president must sanction a foreign person in any way involved in “the commission of serious human rights abuses” on any territory that Russia controls. Interestingly, this is the only provision in the bill that explicitly targets only “foreign persons.” Like the sanctions against cyber actors, this provision includes a prong. And—again, like the sanctions against cyber actors—this provision does not mandate the imposition of any particular sanctions measures. Rather, it invokes the president’s broad asset-blocking powers under the IEEPA as well as visa-related powers under the INA. Perhaps not coincidentally, these measures look identical to the human rights provisions that were included in Rep Eliot Engel’s (D-NY) bipartisan , which . Of course, one major difference between that bill and this one is the notable use of “shall.” Whereas the STAND Act “authorized” the president to impose sanctions, the current bill would require him to.