
Congress Has Already Authorized the President to Require Reporting of Foreign Cyberattacks

Devin DeBacker
Monday, June 14, 2021, 11:09 AM

Congress long ago gave the president broad authority under the International Emergency Economic Powers Act to require record-keeping and reporting on foreign cyberattacks.

President Joe Biden prepares remarks regarding the Colonial Pipeline cyberattack and resumption of operations, Thursday, May 13, 2021, in the Oval Office of the White House. (White House/Adam Schultz, https://flic.kr/p/2m3CwfB)

Published by The Lawfare Institute in Cooperation With Brookings

Currently, there is no single federal requirement and no uniform process for private companies to report cyberattacks and incidents to the federal government. Companies face only a patchwork of vague disclosure requirements imposed by state privacy laws, the Federal Trade Commission, securities laws, and industry-specific regulatory bodies. And even when companies do report attacks to the federal government, the appropriate government agencies do not always have the information needed to protect others in the affected industry, to assess vulnerabilities, or to figure out the national security consequences. For example, Colonial Pipeline notified the FBI of the May 7 ransomware attack but did not notify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which did not have technical information on the attack even five days afterward.

Much of the focus has been on bipartisan congressional efforts to succeed where past attempts to enact comprehensive cybersecurity reporting requirements have failed. And the executive branch is apparently waiting on this slow and uncertain legislative process—so far taking only limited action to add discrete reporting requirements for government contractors and for specific industries by relying on vague wording in agencies’ organic statutes, like the Transportation Security Administration’s (TSA) Pipeline Security Guidelines. But the executive branch need not wait for Congress. Congress long ago gave the president broad authority under the International Emergency Economic Powers Act (IEEPA) to require record-keeping and reporting on foreign cyberattacks.

The International Emergency Economic Powers Act

The IEEPA grants the president certain authorities “to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States, if the President declares a national emergency with respect to such threat.” The president’s “broad authority” allows him to take virtually any action with respect to practically any act or transaction involving “any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States.” For example, the president can “investigate,” “regulate,” “nullify,” “prevent,” or “prohibit” “any acquisition,” “use,” or “transfer” of, or the exercise of “any right, power, or privilege with respect to,” any property in which a foreign country or national has an interest. In addition, when the United States “has been attacked by a foreign country or foreign nationals,” the president can also “confiscate any property” subject to U.S. jurisdiction of any foreign person or country involved in the attack. The foreign country or national targeted by these authorities need not even be the source of the foreign threat; the IEEPA’s breadth allows the president to target the property of foreign third parties with a nexus to the source.

These substantive IEEPA authorities are familiar. The IEEPA has been the legal basis for, among other things, most U.S. economic sanctions programs, the Department of Commerce’s review and licensing program for the global hardware and software supply chain, President Trump’s and President Biden’s bans on U.S. securities investments that finance certain Chinese companies, and export controls.

Less well known, but also important, is the president’s broad IEEPA authority to impose record-keeping and reporting requirements. Under 50 U.S.C. § 1702(a)(2):

In exercising the authorities granted by paragraph (1), the President may require any person to keep a full record of, and to furnish under oath, in the form of reports or otherwise, complete information relative to any act or transaction referred to in paragraph (1) either before, during, or after the completion thereof, or relative to any interest in foreign property, or relative to any property in which any foreign country or any national thereof has or has had any interest, or as may be otherwise necessary to enforce the provisions of such paragraph.

The IEEPA’s record-keeping and reporting authority explicitly includes the power to subpoena relevant documents. The president may “require the production of any books of account, records, contracts, letters, memoranda, or other papers, in the custody or control” of any person subject to the record-keeping and reporting authority.

Although the IEEPA was enacted in 1977 when cybersecurity was at best a nascent concern, cybersecurity is easily covered by the IEEPA’s broad applicability to “any unusual and extraordinary” foreign threat to U.S. national security, foreign policy, or economy. A separate section of the IEEPA added in 2014 to address “economic or industrial espionage in cyberspace” confirms as much with respect to the theft of proprietary information. This section affirms that the president “may, pursuant to [IEEPA], block and prohibit all transactions in all property and interests in property” within U.S. jurisdiction of any “foreign person the President determines knowingly requests, engages in, supports, facilitates, or benefits from the significant appropriation, through economic or industrial espionage in cyberspace, of technologies or proprietary information developed by United States persons.” Section 1708 makes clear that “[t]he President may exercise all authorities provided under sections 203 and 205 of the International Emergency Economic Powers Act (50 U.S.C. 1702 and 1704)”—including the record-keeping and reporting authority in § 1702(a)(2)—“to carry out this subsection.” And courts have been deferential to presidents in this arena, both in declining to review the president’s fact-finding and motives for exercising statutory authority vested in him, and in generally deferring to the president’s judgment concerning national security and foreign affairs.

How the IEEPA Authorizes a National Cyberattack Reporting Requirement

The president could use his authority under 50 U.S.C. § 1702(a)(2) to require companies to collect and report information on foreign cyberattacks on U.S. companies and property.

To unlock this authority, the president would first need to invoke the IEEPA to deal with foreign cyberattacks and declare a national emergency with respect to that threat. That has already happened. In 2015, President Obama issued Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”), finding “that the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States” and “declaring a national emergency to deal with this threat.” This executive order, as amended in 2016, broadly blocked the property of any person “responsible for or complicit in, or to have engaged in, directly or indirectly,” certain malicious and significant “cyber-enabled activities originating from, or directed by persons located” outside the United States. President Trump continued the national emergency each year and also expanded the program’s scope to require identity verification of anyone obtaining certain cloud-computing (“Infrastructure as a Service”) accounts and to limit certain foreign actors’ access to these products. And on March 29, President Biden continued the national emergency and kept his predecessors’ executive orders in place.

Having been unlocked, the IEEPA’s record-keeping and reporting authority is expansive enough to require U.S. companies to collect and report information on foreign cyberattacks, including ransomware attacks like the one on Colonial Pipeline. As noted above, the IEEPA authorizes record-keeping and reporting requirements for four categories of information:

  • “[C]omplete information relative to any act or transaction referred to in paragraph (1) either before, during, or after the completion thereof”
  • “[C]omplete information … relative to any interest in foreign property”
  • “[C]omplete information … relative to any property in which any foreign country or any national thereof has or has had any interest”
  • “[C]omplete information … as may be otherwise necessary to enforce the provisions of” paragraph (1)

These four categories together allow the federal government to capture a broad swath of information that could be used to identify foreign cyber threats; analyze vulnerabilities in particular attacks and in the broader hardware, software, and services supply chain; and assess current and future consequences to national security, the economy and foreign policy. Consider a ransomware attack like the one on Colonial Pipeline. The attack itself may be a prohibited act under the IEEPA. The attack involves the “use” of “any property in which any foreign country or national thereof has any interest” (such as the attackers’ computers, networks, and software) with respect to “any property” subject to U.S. jurisdiction (like Colonial Pipeline’s information technology [IT] systems) under paragraph (1)(B). And it may also be an “attack[] by a foreign country or foreign nationals” under paragraph (1)(C).

Using this framing, under the first category of information, the executive branch could require “complete information” relating to the attack itself, including technical details about the attack, the company’s IT systems, and the suppliers and vendors for those systems.

The second category—information relating to “any interest in foreign property”—could include any information available to the company about the hardware, software, and services used to conduct the attack. Additionally, this category could encompass information from other companies about the flow of technology goods and services relevant to the attack to help identify vulnerabilities and license suppliers in the global information and communications technology and services (ICTS) supply chain.

The third category—information about property in which a foreign country or national has an interest—could include detailed information about the company’s systems that were held hostage or breached (on the theory that the foreign attackers had property interests insofar as they had at least some possession of the company’s systems and were exercising the right to exclude others by denying the company access). It could also include information from suppliers, vendors, importers, and exporters about the flow of technology goods and services used by the attackers, and information from financial institutions involved in the payment of any ransom, the payment and facilitation of which may violate U.S. sanctions.

And the fourth category is a broad catch-all. Among other things, it could permit the federal government to capture any information about the attack or attackers needed to determine whether the attackers or others are (or should be) designated under the cyber, ICTS, or other sanctions programs; whether payment of the ransom violated sanctions and, if so, who facilitated the payment, whether they are liable, and whether to pursue penalties or other enforcement actions; whether the scope of the sanctions programs needs to be changed; or whether to modify or revoke licenses under the ICTS program.

Advantages of Using the IEEPA

As these examples show, one advantage of the IEEPA is its scalability and flexibility. Precisely because of its breadth, the executive branch could tailor record-keeping and reporting requirements by sector and incident type, with different reporting thresholds, timelines, and information required for different types of attacks in different industries. For example, President Trump exercised the IEEPA record-keeping and reporting authority in a limited way when he expanded the cyber sanctions program to restrict foreign access to certain cloud-computing products. Under the expanded program, certain cloud-computing providers engaged with foreign persons are required to keep and verify records of, among other things, the person’s identity, national identification number, address, means and source of payment, contact information, and IP addresses and logs of access and administration of the account.

Another advantage is the IEEPA’s ability to largely overcome existing information-sharing problems and delays. Because the IEEPA is a presidential authority and not vested with any single agency, the president could require companies to notify key agencies simultaneously or create a centralized reporting mechanism that would notify all key agencies. While the IEEPA is a presidential authority, under 3 U.S.C. § 301, the president may still delegate functions and authorities vested in him—including IEEPA authorities—to “the head of any department or agency in the executive branch, or any official thereof who is required to be appointed by and with the advice and consent of the Senate.” For example, the president could delegate his authority to promulgate rules establishing record-keeping and reporting requirements to the secretary of the treasury (the usual delegee in the IEEPA and sanctions context), the Senate-confirmed national cyber director, the Senate-confirmed CISA director, or the secretary of commerce (who has been delegated IEEPA authority to secure the ICTS supply chain).

Practically, though, it would probably make the most sense for CISA or the national cyber director to take the lead in issuing regulations and receiving reports. While it would be the first time that IEEPA authority is delegated to either of these officials, both have advantages that the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the secretary of commerce do not have. During or in the aftermath of a foreign cyberattack, the first priority should be to minimize the damage to the victim’s systems, restore the victim’s operations, and protect other companies from being similarly exploited through the same vulnerabilities. Those efforts require technical expertise concentrated in CISA (and, to a lesser extent, the Office of the National Cyber Director). CISA also already works closely with the private sector; state, local, and tribal governments; international organizations; and other federal government agencies in identifying cybersecurity risks and sharing information. While both OFAC and the Commerce Department have experience implementing sanctions programs, broader policy ramifications like identifying particular foreign attackers to designate them under sanctions programs, altering the scope of sanctions programs, assessing compliance with existing sanctions prohibitions, and reviewing broader supply chain vulnerabilities are longer-fuse operations and not the first priority following an attack. It would also make sense for these policy decisions to be made after receiving CISA’s own analysis.

Cyber reporting requirements under the IEEPA would also automatically come with potential criminal and civil consequences to encourage compliance. Failure to comply with an IEEPA record-keeping and reporting requirement could expose a company and its officers to civil and criminal consequences. These include the possibility of civil penalties up to $250,000 or twice the value of the act (whichever is greater), criminal fines up to $1,000,000, and 20 years’ imprisonment. On the flip side, § 1702(a)(3) immunizes “good faith” compliance with an IEEPA directive—which would encourage companies to err on the side of complying with an IEEPA reporting obligation.

Despite the good-faith safe harbor, the severity of the IEEPA’s criminal and civil consequences for noncompliance would make it even more important for companies to have clarity about what triggers reporting obligations. The details of those reporting thresholds are a complicated topic for another discussion, but two points are worth noting here. First, it would be critical to have clear triggers distinguishing significant cyberattacks and incidents that require reporting from insignificant ones that do not. Similarly, it would be important to choose clear triggers that an attack or incident had a nexus to foreign persons or property. Although conclusively attributing cyberattacks to particular actors or governments may be difficult and laden with technical, legal, and policy judgments, a conclusive judgment that an attack involved foreign persons or property would not be needed. The IEEPA permits the government to compel “complete information … as may be otherwise necessary to enforce the” substantive IEEPA authority. So the IEEPA would allow for some overbreadth in defining classes of cyberattacks that have to be reported to the government (even if particular incidents turn out to lack a foreign nexus) if necessary for the government to assess and identify the ones involving foreign persons or property. The reporting obligations could thus rely on rough proxies for foreign involvement. These proxies may include evidence of unauthorized access coming from a foreign IP address or source, a demand that ransom be paid to a foreign recipient or account, the use of specific vulnerabilities known to be common exploits of foreign cyber criminal groups, and so on. And the private sector has increasingly sophisticated threat intelligence capabilities when it comes to cybersecurity. Especially in ransomware attacks, the demand for a ransom makes it relatively easy for victims like Colonial Pipeline and the meat processing company JBS to quickly determine that the attacks have a foreign nexus.

Second, any requirements should be developed through an interagency process, regardless of the specific legal authority invoked. The National Security Council, the intelligence community, the Department of Justice and the FBI, the Department of the Treasury, the Department of Commerce, and the Department of Homeland Security, at a minimum, all have stakes and relevant expertise in gathering information about, assessing, and responding to foreign cyberattacks. For that reason, one sensible solution would be to delegate the president’s IEEPA rule-making authority to the national cyber director, who could develop and issue the requirements through an interagency policy process with all of the relevant government stakeholders.

Some Caveats and Limits

There are a few caveats and limits. First, because the IEEPA authorizes record-keeping and reporting requirements only “in exercising the authorities granted by paragraph (1),” there must be some nexus between the requirements and the exercise of the investigating, blocking, licensing, and other substantive IEEPA authorities under paragraph (1). Thus, the IEEPA does not provide free-standing record-keeping and reporting authority; it provides this authority only to ensure that the president can obtain information needed in exercising the underlying IEEPA authorities. But that caveat would be of little concern here. As explained above, the underlying IEEPA authorities are broad, and the executive branch is already exercising them as part of the cyber sanctions program and the new licensing program for the ICTS supply chain. Information about foreign cyberattacks and incidents may be needed to investigate the attacks, ransomware payments, and hardware, software, and services used or exploited in the attack; sanction those involved; shut down the attackers’ financial and other support networks; and confiscate financial accounts and other property within U.S. jurisdiction.

Second, the IEEPA’s record-keeping and reporting authority would not extend to purely domestic cyber incidents without any nexus to foreign actors or property, or whose reporting is not “otherwise necessary to enforce” the IEEPA. If a U.S. person uses a computer in the U.S. to steal data from the U.S. network of a U.S. company or hold that company’s services hostage, and that attack has no link to any foreign property, attackers, or support, that act would generally be outside the IEEPA’s scope. So, too, if a U.S. company has a purely localized data exposure, such as if a U.S. employee steals a USB drive of proprietary U.S. information that is never released on the internet or beyond the U.S. But given the global nature of business, data, customers, and the hardware and software supply chain, this caveat is unlikely to translate into a meaningful limit in practice. A cyber incident significant enough to require reporting to the federal government would probably also have a nexus to foreign property or persons. Still, Congress could establish broader or separate disclosure requirements that encompass purely domestic cyber incidents.

Third, establishing reporting requirements under the IEEPA would not eliminate the patchwork of existing federal and state disclosure requirements. Although the president could establish a national reporting requirement using the IEEPA, that requirement would add to—not replace—the disclosure requirements imposed by state privacy laws, securities laws, the Federal Trade Commission and industry-specific federal regulators. The Biden administration’s recent “Executive Order on Improving the Nation’s Cybersecurity” would add another discrete reporting obligation to this patchwork by relying on non-IEEPA authority to require government contractors to report certain cyber incidents to their customers. Companies would still have to navigate and comply with all of these requirements. Only Congress, through legislation preempting state requirements and altering existing federal disclosure requirements, could potentially eliminate the patchwork with a more centralized system.

Fourth, the IEEPA’s grant of subpoena authority for relevant documents is limited to “the production of any books of account, records, contracts, letters, memoranda, or other papers.” While this list would capture electronic versions of these records, this authority’s focus on physical documents is an awkward fit for the digital age. And this limited subpoena authority would not be broad enough to compel a company to give the federal government direct access to its systems.

But overall, these are minor caveats that should not meaningfully hinder the executive branch from establishing national cyber incident reporting requirements now rather than waiting on Congress.


Devin DeBacker is the chief of the Foreign Investment Review Section in the National Security Division at the Department of Justice.
