This op-ed by Sen. John Kennedy (R-La.) first appeared in National Review on May 31, 2022.
In 2015, Russian cybercriminals posed as ISIS members and targeted a military wife with a chilling message: “We know everything about you, your husband and your children. We’re much closer than you can even imagine.”
She wasn’t the only victim: The Russians hacked the Twitter page of Military Spouses of Strength, a charity organization dedicated to providing mental-health support to spouses of men and women in uniform. They then threatened other military wives and their families. The hackers also stole personal data, including one victim’s credit-card information. The victim remembers how her “safety net was shattered that day.” Military Spouses of Strength ultimately had to close its doors because the attack made it difficult to find supporters.
Foreign cyberattacks hurt everyday Americans, and those victims need a way to get justice from foreign governments that sponsor the criminal attackers. U.S. law already allows victims of international terrorism to sue foreign states that sponsor terrorist attacks, but the law deprives cyberattack victims of a similar recourse — and America’s enemies know it.
Long before Vladimir Putin invaded Ukraine, he was making Russia a haven for cybercriminals. Not only does the Kremlin provide safe harbor for these criminals, but Russian intelligence agencies sometimes even employ them. This arrangement allows Russian hackers to launch cyberattacks on Americans while the Russian government maintains plausible deniability.
Last May, foreign hackers with likely ties to Russia struck again. They hit the Colonial Pipeline by cutting the company off from its own data until it paid a $4.4 million ransom to restore access.
Less than a month after this attack, a different cybercriminal group — again, likely based in Russia — targeted the world’s largest meat processor. The hack temporarily shut down all of JBS’s beef plants in the U.S. The price to protect meat plants from further attacks and reduce the potential damage to JBS customers was $11 million.
Firms such as the Colonial Pipeline and JBS eventually recovered from these cyberattacks, but small businesses are more vulnerable. Main-street shops don’t have the financial resources or the cybersecurity systems that big companies enjoy. That makes them prime targets for digital terrorists.
While the Foreign Sovereign Immunities Act allows Americans to sue foreign governments in U.S. federal courts for supporting terrorism, this protection does not extend to cybercrime.
Americans need an effective way to seek justice and compensation from the foreign governments that aid cyberterrorists. That’s why Congress should pass the Homeland and Cyber Threat (HACT) Act.
The Foreign Sovereign Immunities Act became law in 1976, long before the days of the Internet, and the HACT Act would bring the Foreign Sovereign Immunities Act in line with modern technology. The HACT Act would give American citizens the right to seek monetary compensation for damages suffered and hold foreign officials, employees, and agents accountable for sponsoring cyberterrorism. Companies and individual Americans who have had their private data hacked would have a path to justice from the people responsible for their pain. By imposing a cost on the foreign regimes that launch these attacks, the bill would help deter future cyberterrorism.
Some are worried that passing the HACT Act would make the U.S. more vulnerable to lawsuits from foreign countries, but those concerns are misplaced. The Foreign Sovereign Immunities Act provision against terrorism has not triggered a flood of retaliatory lawsuits against Washington.
If American citizens are already able to sue foreign governments for contributing to terrorism, why shouldn’t they be able to sue governments that help cyberpredators violate their privacy and steal their data?
The Foreign Sovereign Immunities Act needs an update. Americans have already suffered too much at the hands of foreign cybercriminals.