Americans are increasingly concerned, with good reason, about the security of their personal information. In the age of electronic data, Americans spend tens of billions of dollars per year on cybersecurity in the United States.
Recent news stories about misuse of personal data and unauthorized monitoring on the part of large U.S. companies have provoked outrage, as well as a call for legal restraints on corporate snooping. So most American citizens would probably be shocked to learn that if a foreign nation or foreign agent hacked into their personal data or conducted a cyberattack against them for any reason whatsoever—including retaliation for political opposition—they would have no legal recourse in a U.S. court. Indeed, because of the Foreign Sovereign Immunities Act (FSIA), agents of foreign governments are shielded from U.S. laws and can essentially target Americans with impunity.
To date, there is no protection in the United States for citizens or entities that have been the victim of foreign-backed cyberattack. U.S. courts have often ruled that foreign governments are immune from legal action on the part of American plaintiffs as a result of FSIA, which was first signed in to law long before the Internet existed. In effect, a legal loophole in U.S. law provides foreign nations with blanket immunity for their hacking activity.
Whether its Russian-backed cyberattacks against American military spouses or the Democratic National Committee, North Korean hacks and blackmail against Sony Pictures, or China’s cyberattack on the Office of Personnel Management (which entailed the theft of the personal data of over 22 million people), the increasing threat of foreign-sponsored cyberattack leaves Americans vulnerable to foreign sponsored cyber-espionage.
That’s why we have introduced H.R. 4189, the Homeland and Cyber Threat Act. This bill carves out a cyberattack exception to the blanket immunity of foreign governments– including foreign officials, employees, or agents– provided by FSIA with regard to money damages sought by a national of the United States for personal injury, harm to reputation, or damage to or loss of property resulting from cyberattacks. This legislation would go a long way towards providing much-needed legal protection to victims of foreign-sponsored cyberattacks. Foreign governments have been hacking into private data systems to influence politics and policy in the United States for a long time; it is time for Congress to enact a cyberattack exception to FSIA that protects the privacy and property of Americans. The bill would give victims of foreign-sponsored cyberattacks effective recourse to the courts for the first time, and it will hold foreign governments and their agents responsible for these harmful activities.
The issue transcends party lines: Republicans and Democrats have been victims to foreign cyberattacks and hacking, and it’s imperative Congress enact a FSIA exception. There is a clear precedent for action: Since the 1990s, Congress has enacted several laws that limit sovereign immunity for states sponsors of terrorism and provide a cause of action to certain victims of terror attacks. As a result, FSIA now allows terrorism victims to sue foreign governments in federal courts under a “terrorism exception”; a “cyberattack exception” would extend the same protections to hacking victims. Without revision of FSIA, foreign governments can continue to intimidate and silence Americans, invading their privacy and disrupting our democracy. Republicans and Democrats need to come together to take measures that will effectively protect Americans from cyberattacks sponsored or conducted by foreign governments who want to see our voices silenced.
Bergman represents Michigan’s 1st District and is a member of the House Armed Services Committee. Kim represents New Jersey’s 3rd District and a member of the Armed Services Committee.