skip to main content

H.R. 3776: Cyber Diplomacy Act of 2017

The text of the bill below is as of Jun 28, 2018 (Reported by Senate Committee).


II

Calendar No. 495

115th CONGRESS

2d Session

H. R. 3776

IN THE SENATE OF THE UNITED STATES

January 18, 2018

Received; read twice and referred to the Committee on Foreign Relations

June 28, 2018

Reported by , with an amendment

Strike out all after the enacting clause and insert the part printed in italic

AN ACT

To support United States international cyber diplomacy, and for other purposes.

1.

Short title

This Act may be cited as the Cyber Diplomacy Act of 2017.

2.

Findings

Congress finds the following:

(1)

The stated goal of the United States International Strategy for Cyberspace, launched on May 16, 2011, is to work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation * * * in which norms of responsible behavior guide States’ actions, sustain partnerships, and support the rule of law in cyberspace..

(2)

The Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, established by the United Nations General Assembly, concluded in its June 24, 2013, report that State sovereignty and the international norms and principles that flow from it apply to States’ conduct of [information and communications technology or ICT] related activities and to their jurisdiction over ICT infrastructure with their territory..

(3)

On January 13, 2015, China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan proposed a troubling international code of conduct for information security which defines responsible State behavior in cyberspace to include curbing the dissemination of information and the right to independent control of information and communications technology when a country’s political security is threatened.

(4)

The July 22, 2015, GGE consensus report found that, norms of responsible State behavior can reduce risks to international peace, security and stability..

(5)

On September 25, 2015, the United States and China announced a commitment that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors..

(6)

At the Antalya Summit from November 15–16, 2015, the Group of 20 (G20) Leaders’ Communique affirmed the applicability of international law to State behavior in cyberspace, called on States to refrain from cyber-enabled theft of intellectual property for commercial gain, and endorsed the view that all States should abide by norms of responsible behavior.

(7)

The March 2016 Department of State International Cyberspace Policy Strategy noted that, the Department of State anticipates a continued increase and expansion of our cyber-focused diplomatic efforts for the foreseeable future..

(8)

On December 1, 2016, the Commission on Enhancing National Cybersecurity established within the Department of Commerce recommended the President should appoint an Ambassador for Cybersecurity to lead U.S. engagement with the international community on cybersecurity strategies, standards, and practices..

(9)

The 2017 Group of 7 (G7) Declaration on Responsible States Behavior in Cyberspace recognized on April 11, 2017, the urgent necessity of increased international cooperation to promote security and stability in cyberspace * * * consisting of the applicability of existing international law to State behavior in cyberspace, the promotion of voluntary, non-binding norms of responsible State behavior during peacetime and reaffirmed that the same rights that people have offline must also be protected online..

(10)

In testimony before the Select Committee on Intelligence of the Senate on May 11, 2017, the Director of National Intelligence identified six cyber threat actors, including Russia for efforts to influence the 2016 US election; China, for actively targeting the US Government, its allies, and US companies for cyber espionage; Iran for leverage[ing] cyber espionage, propaganda, and attacks to support its security priorities, influence events and foreign perceptions, and counter threats; North Korea for previously conduct[ing] cyber-attacks against US commercial entities—specifically, Sony Pictures Entertainment in 2014; terrorists, who use the Internet to organize, recruit, spread propaganda, raise funds, collect intelligence, inspire action by followers, and coordinate operations; and criminals who are also developing and using sophisticated cyber tools for a variety of purposes including theft, extortion, and facilitation of other criminal activities.

(11)

On May 11, 2017, President Trump issued Presidential Executive Order No. 13800 on Strengthening the Cybersecurity of Federal Networks and Infrastructure which designated the Secretary of State to lead an interagency effort to develop strategic options for the President to deter adversaries from cyber threats and an engagement strategy for international cooperation in cybersecurity, noting that the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against deception, fraud, and theft..

3.

United States international cyberspace policy

(a)

In general

Congress declares that it is the policy of the United States to work internationally with allies and other partners to promote an open, interoperable, reliable, unfettered, and secure internet governed by the multistakeholder model which promotes human rights, democracy, and rule of law, including freedom of expression, innovation, communication, and economic prosperity, while respecting privacy and guarding against deception, fraud, and theft.

(b)

Implementation

In implementing the policy described in subsection (a), the President, in consultation with outside actors, including technology companies, nongovernmental organizations, security researchers, and other relevant stakeholders, shall pursue the following objectives in the conduct of bilateral and multilateral relations:

(1)

Clarifying the applicability of international laws and norms, including the law of armed conflict, to the use of ICT.

(2)

Clarifying that countries that fall victim to malicious cyber activities have the right to take proportionate countermeasures under international law, provided such measures do not violate a fundamental human right or peremptory norm.

(3)

Reducing and limiting the risk of escalation and retaliation in cyberspace, such as massive denial-of-service attacks, damage to critical infrastructure, or other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public.

(4)

Cooperating with like-minded democratic countries that share common values and cyberspace policies with the United States, including respect for human rights, democracy, and rule of law, to advance such values and policies internationally.

(5)

Securing and implementing commitments on responsible country behavior in cyberspace based upon accepted norms, including the following:

(A)

Countries should not conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

(B)

Countries should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security.

(C)

Countries should take all appropriate and reasonable efforts to keep their territories clear of intentionally wrongful acts using ICTs in violation of international commitments.

(D)

Countries should not conduct or knowingly support ICT activity that, contrary to international law, intentionally damages or otherwise impairs the use and operation of critical infrastructure, and should take appropriate measures to protect their critical infrastructure from ICT threats.

(E)

Countries should not conduct or knowingly support malicious international activity that, contrary to international law, harms the information systems of authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) or related private sector companies of another country.

(F)

Countries should identify economic drivers and incentives to promote securely-designed ICT products and to develop policy and legal frameworks to promote the development of secure internet architecture.

(G)

Countries should respond to appropriate requests for assistance to mitigate malicious ICT activity aimed at the critical infrastructure of another country emanating from their territory.

(H)

Countries should not restrict cross-border data flows or require local storage or processing of data.

(I)

Countries should protect the exercise of human rights and fundamental freedoms on the Internet and commit to the principle that the human rights that people have offline enjoy the same protections online.

4.

Department of State responsibilities

(a)

Office of Cyber Issues

Section 1 of the State Department Basic Authorities Act of 1956 (22 U.S.C. 2651a) is amended—

(1)

by redesignating subsection (g) as subsection (h); and

(2)

by inserting after subsection (f) the following new subsection:

(g)

Office of Cyber Issues

(1)

In general

There is established an Office of Cyber Issues (in this subsection referred to as the Office). The head of the Office shall have the rank and status of ambassador and be appointed by the President, by and with the advice and consent of the Senate.

(2)

Duties

(A)

In general

The head of the Office shall perform such duties and exercise such powers as the Secretary of State shall prescribe, including implementing the policy of the United States described in section 3 of the Cyber Diplomacy Act of 2017.

(B)

Duties described

The principal duties of the head of the Office shall be to—

(i)

serve as the principal cyber-policy official within the senior management of the Department of State and advisor to the Secretary of State for cyber issues;

(ii)

lead the Department of State’s diplomatic cyberspace efforts generally, including relating to international cybersecurity, internet access, internet freedom, digital economy, cybercrime, deterrence and international responses to cyber threats;

(iii)

promote an open, interoperable, reliable, unfettered, and secure information and communications technology infrastructure globally;

(iv)

represent the Secretary of State in interagency efforts to develop and advance the United States international cyberspace policy;

(v)

coordinate within the Department of State and with other components of the United States Government cyberspace efforts and other relevant functions, including countering terrorists’ use of cyberspace; and

(vi)

act as liaison to public and private sector entities on relevant cyberspace issues.

(3)

Qualifications

The head of the Office should be an individual of demonstrated competency in the field of—

(A)

cybersecurity and other relevant cyber issues; and

(B)

international diplomacy.

(4)

Organizational placement

The head of the Office shall report to the Under Secretary for Political Affairs or official holding a higher position in the Department of State.

(5)

Rule of construction

Nothing in this subsection may be construed as precluding—

(A)

the Office from being elevated to a Bureau of the Department of State; and

(B)

the head of the Office from being elevated to an Assistant Secretary, if such an Assistant Secretary position does not increase the number of Assistant Secretary positions at the Department above the number authorized under subsection (c)(1).

.

(b)

Sense of Congress

It is the sense of Congress that the Office of Cyber Issues established under section 1(g) of the State Department Basic Authorities Act of 1956 (as amended by subsection (a) of this section) should be a Bureau of the Department of State headed by an Assistant Secretary, subject to the rule of construction specified in paragraph (5)(B) of such section 1(g).

(c)

United Nations

The Permanent Representative of the United States to the United Nations shall use the voice, vote, and influence of the United States to oppose any measure that is inconsistent with the United States international cyberspace policy described in section 3.

5.

International cyberspace executive arrangements

(a)

In general

The President is encouraged to enter into executive arrangements with foreign governments that support the United States international cyberspace policy described in section 3.

(b)

Transmission to Congress

The text of any executive arrangement (including the text of any oral arrangement, which shall be reduced to writing) entered into by the United States under subsection (a) shall be transmitted to the Committee on Foreign Affairs of the House of Representatives and the Committee on Foreign Relations of the Senate not later than 5 days after such arrangement is signed or otherwise agreed to, together with an explanation of such arrangement, its purpose, how such arrangement is consistent with the United States international cyberspace policy described in section 3, and how such arrangement will be implemented.

(c)

Status report

Not later than 1 year after the text of an executive arrangement is transmitted to Congress pursuant to subsection (b) and annually thereafter for 7 years, or until such an arrangement has been discontinued, the President shall report to the Committee on Foreign Affairs of the House of Representatives and the Committee on Foreign Relations of the Senate on the status of such arrangement, including an evidence-based assessment of whether all parties to such arrangement have fulfilled their commitments under such arrangement and if not, what steps the United States has taken or plans to take to ensure all such commitments are fulfilled, whether the stated purpose of such arrangement is being achieved, and whether such arrangement positively impacts building of cyber norms internationally. Each such report shall include metrics to support its findings.

(d)

Existing executive arrangements

Not later than 60 days after the date of the enactment of this Act, the President shall satisfy the requirements of subsection (c) for the following executive arrangements already in effect:

(1)

The arrangement announced between the United States and Japan on April 25, 2014.

(2)

The arrangement announced between the United States and the United Kingdom on January 16, 2015.

(3)

The arrangement announced between the United States and China on September 25, 2015.

(4)

The arrangement announced between the United States and Korea on October 16, 2015.

(5)

The arrangement announced between the United States and Australia on January 19, 2016.

(6)

The arrangement announced between the United States and India on June 7, 2016.

(7)

The arrangement announced between the United States and Argentina on April 27, 2017.

(8)

The arrangement announced between the United States and Kenya on June 22, 2017.

(9)

The arrangement announced between the United States and Israel on June 26, 2017.

(10)

Any other similar bilateral or multilateral arrangement announced before the date of the enactment of this Act.

6.

International strategy for cyberspace

(a)

Strategy required

Not later than 1 year after the date of the enactment of this Act, the Secretary of State, in coordination with the heads of other relevant Federal departments and agencies, shall produce a strategy relating to United States international policy with regard to cyberspace.

(b)

Elements

The strategy required under subsection (a) shall include the following:

(1)

A review of actions and activities undertaken to support the United States international cyberspace policy described in section 3.

(2)

A plan of action to guide the diplomacy of the Department of State with regard to foreign countries, including conducting bilateral and multilateral activities to develop the norms of responsible international behavior in cyberspace, and status review of existing efforts in multilateral fora to obtain agreements on international norms in cyberspace.

(3)

A review of alternative concepts with regard to international norms in cyberspace offered by foreign countries.

(4)

A detailed description of new and evolving threats to United States national security in cyberspace from foreign countries, State-sponsored actors, and private actors to Federal and private sector infrastructure of the United States, intellectual property in the United States, and the privacy of citizens of the United States.

(5)

A review of policy tools available to the President to deter and de-escalate tensions with foreign countries, State-sponsored actors, and private actors regarding threats in cyberspace, and to what degree such tools have been used and whether or not such tools have been effective.

(6)

A review of resources required to conduct activities to build responsible norms of international cyber behavior.

(7)

A clarification of the applicability of international laws and norms, including the law of armed conflict, to the use of ICT.

(8)

A clarification that countries that fall victim to malicious cyber activities have the right to take proportionate countermeasures under international law, including exercising the right to collective and individual self-defense.

(9)

A plan of action to guide the diplomacy of the Department of State with regard to existing mutual defense agreements, including the inclusion in such agreements of information relating to the applicability of malicious cyber activities in triggering mutual defense obligations.

(c)

Form of strategy

(1)

Public availability

The strategy required under subsection (a) shall be available to the public in unclassified form, including through publication in the Federal Register.

(2)

Classified annex

(A)

In general

If the Secretary of State determines that such is appropriate, the strategy required under subsection (a) may include a classified annex consistent with United States national security interests.

(B)

Rule of construction

Nothing in this subsection may be construed as authorizing the public disclosure of an unclassified annex under subparagraph (A).

(d)

Briefing

Not later than 30 days after the production of the strategy required under subsection (a), the Secretary of State shall brief the Committee on Foreign Affairs of the House of Representatives and the Committee on Foreign Relations of the Senate on such strategy, including any material contained in a classified annex.

(e)

Updates

The strategy required under subsection (a) shall be updated—

(1)

not later than 90 days after there has been any material change to United States policy as described in such strategy; and

(2)

not later than 1 year after each inauguration of a new President.

(f)

Preexisting requirement

Upon the production and publication of the report required under section 3(c) of the Presidential Executive Order No. 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure on May 11, 2017, such report shall be considered as satisfying the requirement under subsection (a) of this section.

7.

Annual country reports on human rights practices

(a)

Report relating to economic assistance

Section 116 of the Foreign Assistance Act of 1961 (22 U.S.C. 2151n) is amended by adding at the end the following new subsection:

(h)
(1)

The report required by subsection (d) shall include an assessment of freedom of expression with respect to electronic information in each foreign country. Such assessment shall consist of the following:

(A)

An assessment of the extent to which government authorities in each country inappropriately attempt to filter, censor, or otherwise block or remove nonviolent expression of political or religious opinion or belief via the internet, including electronic mail, as well as a description of the means by which such authorities attempt to block or remove such expression.

(B)

An assessment of the extent to which government authorities in each country have persecuted or otherwise punished an individual or group for the nonviolent expression of political, religious, or ideological opinion or belief via the internet, including electronic mail.

(C)

An assessment of the extent to which government authorities in each country have sought to inappropriately collect, request, obtain, or disclose personally identifiable information of a person in connection with such person’s nonviolent expression of political, religious, or ideological opinion or belief, including expression that would be protected by the International Covenant on Civil and Political Rights.

(D)

An assessment of the extent to which wire communications and electronic communications are monitored without regard to the principles of privacy, human rights, democracy, and rule of law.

(2)

In compiling data and making assessments for the purposes of paragraph (1), United States diplomatic personnel shall consult with human rights organizations, technology and internet companies, and other appropriate nongovernmental organizations.

(3)

In this subsection—

(A)

the term electronic communication has the meaning given such term in section 2510 of title 18, United States Code;

(B)

the term internet has the meaning given such term in section 231(e)(3) of the Communications Act of 1934 (47 U.S.C. 231(e)(3));

(C)

the term personally identifiable information means data in a form that identifies a particular person; and

(D)

the term wire communication has the meaning given such term in section 2510 of title 18, United States Code.

.

(b)

Report relating to security assistance

Section 502B of the Foreign Assistance Act of 1961 (22 U.S.C. 2304) is amended—

(1)

by redesignating the second subsection (i) (relating to child marriage status) as subsection (j); and

(2)

by adding at the end the following new subsection:

(k)
(1)

The report required by subsection (b) shall include an assessment of freedom of expression with respect to electronic information in each foreign country. Such assessment shall consist of the following:

(A)

An assessment of the extent to which government authorities in each country inappropriately attempt to filter, censor, or otherwise block or remove nonviolent expression of political or religious opinion or belief via the internet, including electronic mail, as well as a description of the means by which such authorities attempt to block or remove such expression.

(B)

An assessment of the extent to which government authorities in each country have persecuted or otherwise punished an individual or group for the nonviolent expression of political, religious, or ideological opinion or belief via the internet, including electronic mail.

(C)

An assessment of the extent to which government authorities in each country have sought to inappropriately collect, request, obtain, or disclose personally identifiable information of a person in connection with such person’s nonviolent expression of political, religious, or ideological opinion or belief, including expression that would be protected by the International Covenant on Civil and Political Rights.

(D)

An assessment of the extent to which wire communications and electronic communications are monitored without regard to the principles of privacy, human rights, democracy, and rule of law.

(2)

In compiling data and making assessments for the purposes of paragraph (1), United States diplomatic personnel shall consult with human rights organizations, technology and internet companies, and other appropriate nongovernmental organizations.

(3)

In this subsection—

(A)

the term electronic communication has the meaning given such term in section 2510 of title 18, United States Code;

(B)

the term internet has the meaning given such term in section 231(e)(3) of the Communications Act of 1934 (47 U.S.C. 231(e)(3));

(C)

the term personally identifiable information means data in a form that identifies a particular person; and

(D)

the term wire communication has the meaning given such term in section 2510 of title 18, United States Code.

.

1.

Short title; table of contents

(a)

Short title

This Act may be cited as the Cyber Diplomacy Act of 2018.

(b)

Table of contents

The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Findings.

Sec. 3. Definitions.

Sec. 4. United States International Cyberspace Policy.

Sec. 5. Department of State responsibilities.

Sec. 6. International cyberspace executive arrangements.

Sec. 7. International strategy for cyberspace.

Sec. 8. Annual country reports on human rights practices.

Sec. 9. GAO report on cyber threats and data misuse.

Sec. 10. Sense of Congress on cybersecurity sanctions against North Korea and cybersecurity legislation in Vietnam.

2.

Findings

Congress makes the following findings:

(1)

The stated goal of the United States International Strategy for Cyberspace, launched on May 16, 2011, is to work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation … in which norms of responsible behavior guide states' actions, sustain partnerships, and support the rule of law in cyberspace.

(2)

In its June 24, 2013 report, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (referred to in this section as GGE), established by the United Nations General Assembly, concluded that State sovereignty and the international norms and principles that flow from it apply to States' conduct of [information and communications technology] ICT-related activities and to their jurisdiction over ICT infrastructure with their territory.

(3)

In January 2015, China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan proposed a troubling international code of conduct for information security, which could be used as a pretext for restricting political dissent, and includes curbing the dissemination of information that incites terrorism, separatism or extremism or that inflames hatred on ethnic, racial or religious grounds.

(4)

In its July 22, 2015 consensus report, GGE found that norms of responsible State behavior can reduce risks to international peace, security and stability.

(5)

On September 25, 2015, the United States and China announced a commitment that neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

(6)

At the Antalya Summit on November 15 and 16, 2015, the Group of 20 Leaders’ communiqué—

(A)

affirmed the applicability of international law to state behavior in cyberspace;

(B)

called on states to refrain from cyber-enabled theft of intellectual property for commercial gain; and

(C)

endorsed the view that all states should abide by norms of responsible behavior.

(7)

The March 2016 Department of State International Cyberspace Policy Strategy noted that the Department of State anticipates a continued increase and expansion of our cyber-focused diplomatic efforts for the foreseeable future.

(8)

On December 1, 2016, the Commission on Enhancing National Cybersecurity, which was established within the Department of Commerce by Executive Order 13718 (81 Fed. Reg. 7441), recommended that the President should appoint an Ambassador for Cybersecurity to lead U.S. engagement with the international community on cybersecurity strategies, standards, and practices.

(9)

On April 11, 2017, the 2017 Group of 7 Declaration on Responsible States Behavior in Cyberspace—

(A)

recognized the urgent necessity of increased international cooperation to promote security and stability in cyberspace;

(B)

expressed commitment to promoting a strategic framework for conflict prevention, cooperation and stability in cyberspace, consisting of the recognition of the applicability of existing international law to State behavior in cyberspace, the promotion of voluntary, non-binding norms of responsible State behavior during peacetime, and the development and the implementation of practical cyber confidence building measures (CBMs) between States; and

(C)

reaffirmed that the same rights that people have offline must also be protected online.

(10)

In testimony before the Select Committee on Intelligence of the Senate on May 11, 2017, Director of National Intelligence Daniel R. Coats identified 6 cyber threat actors, including—

(A)

Russia, for efforts to influence the 2016 US election;

(B)

China, for actively targeting the US Government, its allies, and US companies for cyber espionage;

(C)

Iran, for leverag[ing] cyber espionage, propaganda, and attacks to support its security priorities, influence events and foreign perceptions, and counter threats;

(D)

North Korea, for previously conduct[ing] cyber-attacks against US commercial entities—specifically, Sony Pictures Entertainment in 2014;

(E)

terrorists, who use the Internet to organize, recruit, spread propaganda, raise funds, collect intelligence, inspire action by followers, and coordinate operations; and

(F)

criminals, who are also developing and using sophisticated cyber tools for a variety of purposes including theft, extortion, and facilitation of other criminal activities.

(11)

On May 11, 2017, President Donald J. Trump issued Executive Order 13800 (82 Fed. Reg. 22391), entitled Strengthening the Cybersecurity of Federal Networks and Infrastructure, which—

(A)

designates the Secretary of State to lead an interagency effort to develop an engagement strategy for international cooperation in cybersecurity; and

(B)

notes that the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining ... the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.

3.

Definitions

In this Act:

(1)

Appropriate congressional committees

The term appropriate congressional committees means the Committee on Foreign Relations of the Senate and the Committee on Foreign Affairs of the House of Representatives.

(2)

Information and communications technology; ICT

The terms information and communications technology and ICT include hardware, software, and other products or services primarily intended to fulfill or enable the function of information processing and communication by electronic means, including transmission and display, including via the Internet.

4.

United States International Cyberspace Policy

(a)

In general

It is the policy of the United States to work internationally to promote an open, interoperable, reliable, unfettered, and secure Internet governed by the multi-stakeholder model, which—

(1)

promotes human rights, democracy, and rule of law, including freedom of expression, innovation, communication, and economic prosperity; and

(2)

respects privacy and guards against deception, fraud, and theft.

(b)

Implementation

In implementing the policy described in subsection (a), the President, in consultation with outside actors, including private sector companies, nongovernmental organizations, security researchers, and other relevant stakeholders, in the conduct of bilateral and multilateral relations, shall pursue the following objectives:

(1)

Clarifying the applicability of international laws and norms to the use of ICT.

(2)

Reducing and limiting the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public.

(3)

Cooperating with like-minded democratic countries that share common values and cyberspace policies with the United States, including respect for human rights, democracy, and the rule of law, to advance such values and policies internationally.

(4)

Encouraging the responsible development of new, innovative technologies and ICT products that strengthen a secure Internet architecture that is accessible to all.

(5)

Securing and implementing commitments on responsible country behavior in cyberspace based upon accepted norms, including the following:

(A)

Countries should not conduct, or knowingly support, cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

(B)

Countries should take all appropriate and reasonable efforts to keep their territories clear of intentionally wrongful acts using ICTs in violation of international commitments.

(C)

Countries should not conduct or knowingly support ICT activity that, contrary to international law, intentionally damages or otherwise impairs the use and operation of critical infrastructure providing services to the public, and should take appropriate measures to protect their critical infrastructure from ICT threats.

(D)

Countries should not conduct or knowingly support malicious international activity that, contrary to international law, harms the information systems of authorized emergency response teams (also known as computer emergency response teams or cybersecurity incident response teams) of another country or authorize emergency response teams to engage in malicious international activity.

(E)

Countries should respond to appropriate requests for assistance to mitigate malicious ICT activity emanating from their territory and aimed at the critical infrastructure of another country.

(F)

Countries should not restrict cross-border data flows or require local storage or processing of data.

(G)

Countries should protect the exercise of human rights and fundamental freedoms on the Internet and commit to the principle that the human rights that people have offline should also be protected online.

(6)

Advancing, encouraging, and supporting the development and adoption of internationally recognized technical standards and best practices.

5.

Department of State responsibilities

(a)

Office of Cyberspace and the Digital Economy

Section 1 of the State Department Basic Authorities Act of 1956 (22 U.S.C. 2651a) is amended—

(1)

by redesignating subsection (g) as subsection (h); and

(2)

by inserting after subsection (f) the following:

(g)

Office of Cyberspace and the Digital Economy

(1)

In general

There is established, within the Department of State, an Office of Cyberspace and the Digital Economy (referred to in this subsection as the Office). The head of the Office shall have the rank and status of ambassador and shall be appointed by the President, by and with the advice and consent of the Senate.

(2)

Duties

(A)

In general

The head of the Office shall perform such duties and exercise such powers as the Secretary of State shall prescribe, including implementing the policy of the United States described in section 4 of the Cyber Diplomacy Act of 2018.

(B)

Duties described

The principal duties and responsibilities of the head of the Office shall be—

(i)

to serve as the principal cyber policy official within the senior management of the Department of State and as the advisor to the Secretary of State for cyber issues;

(ii)

to lead the Department of State’s diplomatic cyberspace efforts, including efforts relating to international cybersecurity, Internet access, Internet freedom, digital economy, cybercrime, deterrence and international responses to cyber threats, and other issues that the Secretary assigns to the Office;

(iii)

to promote an open, interoperable, reliable, unfettered, and secure information and communications technology infrastructure globally;

(iv)

to represent the Secretary of State in interagency efforts to develop and advance the policy described in section 4 of the Cyber Diplomacy Act of 2018;

(v)

to coordinate cyberspace efforts and other relevant functions, including countering terrorists' use of cyberspace, within the Department of State and with other components of the United States Government;

(vi)

to act as a liaison to public and private sector entities on relevant cyberspace issues;

(vii)

to lead United States Government efforts to establish a global deterrence framework;

(viii)

to develop and execute adversary-specific strategies to influence adversary decisionmaking through the imposition of costs and deterrence strategies;

(ix)

to advise the Secretary and coordinate with foreign governments on external responses to national-security-level cyber incidents, including coordination on diplomatic response efforts to support allies threatened by malicious cyber activity, in conjunction with members of the North Atlantic Treaty Organization and other like-minded countries;

(x)

to promote the adoption of national processes and programs that enable threat detection, prevention, and response to malicious cyber activity emanating from the territory of a foreign country, including as such activity relates to the United States’ European allies, as appropriate;

(xi)

to promote the building of foreign capacity to protect the global network with the goal of enabling like-minded participation in deterrence frameworks;

(xii)

to promote the maintenance of an open and interoperable Internet governed by the multi-stakeholder model, instead of by centralized government control;

(xiii)

to promote an international regulatory environment for technology investments and the Internet that benefits United States economic and national security interests;

(xiv)

to promote cross-border flow of data and combat international initiatives seeking to impose unreasonable requirements on United States businesses;

(xv)

to promote international policies to protect the integrity of United States and international telecommunications infrastructure from foreign-based, cyber-enabled threats;

(xvi)

to serve as the interagency coordinator for the United States Government on engagement with foreign governments on cyberspace and digital economy issues as described in the Cyber Diplomacy Act of 2018;

(xvii)

to promote international policies to secure radio frequency spectrum for United States businesses and national security needs;

(xviii)

to promote and protect the exercise of human rights, including freedom of speech and religion, through the Internet;

(xix)

to build capacity of United States diplomatic officials to engage on cyber issues;

(xx)

to encourage the development and adoption by foreign countries of internationally recognized standards, policies, and best practices; and

(xxi)

to promote and advance international policies that protect individuals’ private data.

(3)

Qualifications

The head of the Office should be an individual of demonstrated competency in the fields of—

(A)

cybersecurity and other relevant cyber issues; and

(B)

international diplomacy.

(4)

Organizational placement

During the 4-year period beginning on the date of the enactment of the Cyber Diplomacy Act of 2018, the head of the Office shall report to the Under Secretary for Political Affairs or to an official holding a higher position than the Under Secretary for Political Affairs in the Department of State. After the conclusion of such period, the head of the Office shall report to an appropriate Under Secretary or to an official holding a higher position than Under Secretary.

(5)

Rule of construction

Nothing in this subsection may be construed to preclude—

(A)

the Office from being elevated to a Bureau within the Department of State; or

(B)

the head of the Office from being elevated to an Assistant Secretary, if such an Assistant Secretary position does not increase the number of Assistant Secretary positions at the Department above the number authorized under subsection (c)(1).

.

(b)

Sense of Congress

It is the sense of Congress that the Office of Cyberspace and the Digital Economy established under section 1(g) of the State Department Basic Authorities Act of 1956, as added by subsection (a), should be a Bureau of the Department of State headed by an Assistant Secretary, subject to the rule of construction specified in paragraph (5)(B) of such section 1(g).

(c)

United Nations

The Permanent Representative of the United States to the United Nations should use the voice, vote, and influence of the United States to oppose any measure that is inconsistent with the policy described in section 4.

6.

International cyberspace executive arrangements

(a)

In general

The President is encouraged to enter into executive arrangements with foreign governments that support the policy described in section 4.

(b)

Transmission to Congress

Section 112b of title 1, United States Code, is amended—

(1)

in subsection (a) by striking International Relations and inserting Foreign Affairs;

(2)

in subsection (e)(2)(B), by adding at the end the following:

(iii)

A bilateral or multilateral cyberspace agreement.

;

(3)

by redesignating subsection (f) as subsection (g); and

(4)

by inserting after subsection (e) the following:

(f)

With respect to any bilateral or multilateral cyberspace agreement under subsection (e)(2)(B)(iii) and the information required to be transmitted to Congress under subsection (a), or with respect to any arrangement that seeks to secure commitments on responsible country behavior in cyberspace consistent with section 4(b)(5) of the Cyber Diplomacy Act of 2018, the Secretary of State shall provide an explanation of such arrangement, including—

(1)

the purpose of such arrangement;

(2)

how such arrangement is consistent with the policy described in section 4 of such Act; and

(3)

how such arrangement will be implemented.

.

(c)

Status report

During the 5-year period immediately following the transmittal to Congress of an agreement described in section 112b(e)(2)(B)(iii) of title 1, United States Code, as added by subsection (b)(2), or until such agreement has been discontinued, if discontinued within 5 years, the President shall—

(1)

notify the appropriate congressional committees if another country fails to meet the commitments contained in such agreement; and

(2)

describe the steps that the United States has taken or plans to take to ensure that all such commitments are fulfilled.

(d)

Existing executive arrangements

Not later than 180 days after the date of the enactment of this Act, the Secretary of State shall brief the appropriate congressional committees regarding any executive bilateral or multilateral cyberspace arrangement in effect before the date of enactment of this Act, including—

(1)

the arrangement announced between the United States and Japan on April 25, 2014;

(2)

the arrangement announced between the United States and the United Kingdom on January 16, 2015;

(3)

the arrangement announced between the United States and China on September 25, 2015;

(4)

the arrangement announced between the United States and Korea on October 16, 2015;

(5)

the arrangement announced between the United States and Australia on January 19, 2016;

(6)

the arrangement announced between the United States and India on June 7, 2016;

(7)

the arrangement announced between the United States and Argentina on April 27, 2017;

(8)

the arrangement announced between the United States and Kenya on June 22, 2017;

(9)

the arrangement announced between the United States and Israel on June 26, 2017;

(10)

the arrangement announced between the United States and France on February 9, 2018;

(11)

the arrangement announced between the United States and Brazil on May 14, 2018; and

(12)

any other similar bilateral or multilateral arrangement announced before such date of enactment.

7.

International strategy for cyberspace

(a)

Strategy required

Not later than 1 year after the date of the enactment of this Act, the President, acting through the Secretary of State, and in coordination with the heads of other relevant Federal departments and agencies, shall develop a strategy relating to United States engagement with foreign governments on international norms with respect to responsible state behavior in cyberspace.

(b)

Elements

The strategy required under subsection (a) shall include the following:

(1)

A review of actions and activities undertaken to support the policy described in section 4.

(2)

A plan of action to guide the diplomacy of the Department of State with regard to foreign countries, including—

(A)

conducting bilateral and multilateral activities to develop norms of responsible country behavior in cyberspace consistent with the objectives under section 4(b)(5); and

(B)

reviewing the status of existing efforts in relevant multilateral fora, as appropriate, to obtain commitments on international norms in cyberspace.

(3)

A review of alternative concepts with regard to international norms in cyberspace offered by foreign countries.

(4)

A detailed description of new and evolving threats in cyberspace from foreign adversaries, state-sponsored actors, and private actors to—

(A)

United States national security;

(B)

Federal and private sector cyberspace infrastructure of the United States;

(C)

intellectual property in the United States; and

(D)

the privacy of citizens of the United States.

(5)

A review of policy tools available to the President to deter and de-escalate tensions with foreign countries, state-sponsored actors, and private actors regarding threats in cyberspace, the degree to which such tools have been used, and whether such tools have been effective deterrents.

(6)

A review of resources required to conduct activities to build responsible norms of international cyber behavior.

(7)

A plan of action, developed in consultation with relevant Federal departments and agencies as the President may direct, to guide the diplomacy of the Department of State with regard to inclusion of cyber issues in mutual defense agreements.

(c)

Form of strategy

(1)

Public availability

The strategy required under subsection (a) shall be available to the public in unclassified form, including through publication in the Federal Register.

(2)

Classified annex

The strategy required under subsection (a) may include a classified annex, consistent with United States national security interests, if the Secretary of State determines that such annex is appropriate.

(d)

Briefing

Not later than 30 days after the completion of the strategy required under subsection (a), the Secretary of State shall brief the appropriate congressional committees on the strategy, including any material contained in a classified annex.

(e)

Updates

The strategy required under subsection (a) shall be updated—

(1)

not later than 90 days after any material change to United States policy described in such strategy; and

(2)

not later than 1 year after the inauguration of each new President.

(f)

Preexisting requirement

The Recommendations to the President on Protecting American Cyber Interests through International Engagement, prepared by the Office of the Coordinator for Cyber Issues on May 31, 2018, pursuant to section 3(c) of Executive Order 13800 (82 Fed. Reg. 22391), shall be deemed to satisfy the requirement under subsection (a).

8.

Annual country reports on human rights practices

Section 116 of the Foreign Assistance Act of 1961 (22 U.S.C. 2151n) is amended by adding at the end the following:

(h)
(1)

The report required under subsection (d) shall include an assessment of freedom of expression with respect to electronic information in each foreign country that includes the following:

(A)

An assessment of the extent to which government authorities in the country inappropriately attempt to filter, censor, or otherwise block or remove nonviolent expression of political or religious opinion or belief through the Internet, including electronic mail, and a description of the means by which such authorities attempt to inappropriately block or remove such expression.

(B)

An assessment of the extent to which government authorities in the country have persecuted or otherwise punished, arbitrarily and without due process, an individual or group for the nonviolent expression of political, religious, or ideological opinion or belief through the Internet, including electronic mail.

(C)

An assessment of the extent to which government authorities in the country have sought, inappropriately and with malicious intent, to collect, request, obtain, or disclose without due process personally identifiable information of a person in connection with that person’s nonviolent expression of political, religious, or ideological opinion or belief, including expression that would be protected by the International Covenant on Civil and Political Rights, adopted at New York December 16, 1966, and entered into force March 23, 1976, as interpreted by the United States.

(D)

An assessment of the extent to which wire communications and electronic communications are monitored without due process and in contravention to United States policy with respect to the principles of privacy, human rights, democracy, and rule of law.

(2)

In compiling data and making assessments under paragraph (1), United States diplomatic personnel should consult with relevant entities, including human rights organizations, the private sector, the governments of like-minded countries, technology and Internet companies, and other appropriate nongovernmental organizations or entities.

(3)

In this subsection—

(A)

the term electronic communication has the meaning given the term in section 2510 of title 18, United States Code;

(B)

the term Internet has the meaning given the term in section 231(e)(3) of the Communications Act of 1934 (47 U.S.C. 231(e)(3));

(C)

the term personally identifiable information means data in a form that identifies a particular person; and

(D)

the term wire communication has the meaning given the term in section 2510 of title 18, United States Code.

.

9.

GAO report on cyber threats and data misuse

Not later than 1 year after the date of the enactment of this Act, the Comptroller General of the United States shall submit a report and provide a briefing to the appropriate congressional committees that includes—

(1)

a description of the primary threats to the personal information of United States citizens from international actors within the cyberspace domain;

(2)

an assessment of the extent to which United States diplomatic processes and other efforts with foreign countries, including through multilateral fora, bilateral engagements, and negotiated cyberspace agreements, strengthen the protections of United States citizens’ personal information;

(3)

an assessment of the Department of State’s report in response to Executive Order 13800 (82 Fed. Reg. 22391), which documents an engagement strategy for international cooperation in cybersecurity and the extent to which this strategy addresses protections of United States citizens’ personal information;

(4)

recommendations for United States policymakers on methods to properly address and strengthen the protections of United States citizens’ personal information from misuse by international actors; and

(5)

any other matters deemed relevant by the Comptroller General.

10.

Sense of Congress on cybersecurity sanctions against North Korea and cybersecurity legislation in Vietnam

It is the sense of Congress that—

(1)

the President should designate all entities that knowingly engage in significant activities undermining cybersecurity through the use of computer networks or systems against foreign persons, governments, or other entities on behalf of the Government of North Korea, consistent with section 209(b) of the North Korea Sanctions and Policy Enhancement Act of 2016 (22 U.S.C. 9229(b));

(2)

the cybersecurity legislation approved by the National Assembly of Vietnam on June 12, 2018—

(A)

may not be consistent with international trade standards; and

(B)

may endanger the privacy of citizens of Vietnam; and

(3)

the Government of Vietnam should—

(A)

delay the implementation of the legislation referred to in paragraph (2); and

(B)

work with the United States and other countries to ensure that such law meets all relevant international standards.

June 28, 2018

Reported with an amendment