At first glance, the cyber attack against SolarWinds, a major U.S. information technology company, seemed like just one more hack targeting U.S. companies and government entities. But it quickly became apparent that the breach, undetected for months and believed by many cybersecurity experts to be directed by the Russian intelligence service, was a massive and alarming cyberattack against America.
Multiple government agencies — the Department of Energy, the Pentagon, the State Department, the National Nuclear Security Administration and the Treasury — were targeted. So were many state and city government entities, health care organizations, educational institutions, Fortune 500 companies and other private firms. It was a major breach of national security that revealed significant gaps in U.S. cyber defenses.
Later came the Colonial Pipeline ransomware attack, which affected a 5,500-mile segment of the U.S. petroleum infrastructure that carries about half of the East Coast’s fuel supply. Instead of likely originating with the Russian government as with SolarWinds, private-sector Russian hackers were believed to be responsible for this ransomware attack.
In the aftermath of these two large-scale and devastating attacks, it’s apparent that something needs to be done to both help prevent large-scale attacks against the United States and to provide legal recourse to those affected. But there’s no clear path to accomplish either objective, even as members of Congress have proposed an amendment to the Foreign Sovereign Immunities Act designed to provide Americans legal recourse for damages caused by foreign hackers. The Homeland and Cyber Threat (HACT) Act would eliminate the immunity of foreign nations (and their employees or agents) that have engaged in cyberattacks against U.S. nationals.
“Cyberattacks against American citizens are only increasing and Congress should give Americans the tools they need to fight back against foreign attacks,” U.S. Rep. Colin Allred, D-Dallas said in a statement. “This legislation does just that by giving Americans the ability to hold foreign governments accountable for damage done by cyberattacks.”
But many in the legal and cybersecurity world aren’t optimistic the measure — even if it passes — would have a significant effect on either curbing cyber attacks or providing compensation for victims. That’s because the likelihood of success litigating against foreign governments — let alone foreign hackers — for their role in orchestrating cyberattacks would still be extremely small. Additionally, the Supreme Court earlier this year warned against the negative ramifications of broadening or amending the Foreign Sovereign Immunities Act (FSIA), warning of “the international discord that can result when the US law is applied to conduct in foreign nations.” Others say HACT is written in ambiguous language that makes it virtually unenforceable.
Cybersecurity experts say the slim chance of a successful outcome in the courts, even with HACT, would give hackers a green light to continue business as usual. “The question … remains whether this will be effective or if attackers from foreign regimes will continue to act with impunity,” Paul Martini, CEO of iboss, a cloud cybersecurity company, told Nextgov.com.
Instead of amending the Foreign Sovereign Immunities Act, technology experts believe that U.S. government entities and companies would probably be better served by an investment in technology that would shore up our defenses against future cyber attacks. What do you think? Interested in following this issue? Track developments in the HACT Act here.