May 18, 2016

Memo: Congress Moves to Impose Cyber-Related Sanctions on Iran

On April 6, 2016, Sen. Mike Rounds introduced S.2756 – the Iran Cyber Sanctions Act of 2016.  (A House companion bill – H.R. 5222 – was introduced on May 12, 2016.) 

This bill would needlessly limit the President’s options for targeting Iranian activities that undermine U.S. cyber-security by forcing the President to impose blocking sanctions on each Iranian individual determined to have engaged in malicious cyber-activities.  Instead of the reflexive inclusion of such persons onto U.S. sanctions lists, we believe Congress should permit the President to consider the diplomatic and security implications of any response to such Iranian activities and respond appropriately. 

The bill would:

  • Institute a reporting requirement for the President regarding Iran’s cyber-activities.  Under this requirement, the President must provide a report to Congress every 180 days regarding significant activities undertaken by Iranian persons against the U.S. or U.S. persons that undermine cyber-security.  This report should identify the Iranian persons involved and provide a strategy to counter Iran’s efforts to undermine U.S. cyber-security. 
  • Require the President to include on the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) Specially Designated Nationals and Blocked Persons List (“SDN List”) all Iranian persons identified in such reports, as well as any Iranian persons who are indicted by the U.S. Department of Justice in connection with activities that undermine U.S. cyber-security.  This particular provision targets those Iranian individuals who were indicted in the Southern District of New York in March 2016. 

By requiring the President to impose blocking sanctions on each Iranian person identified in the report sent to Congress, the bill would limit the President’s discretion to impose sanctions or to use other U.S. authorities to target Iranian persons involved in malicious cyber-related activities.  In certain cases, for instance, it may behoove the United States to refrain from taking immediate action in order to procure more information as to the intents of Iranian cyber-hackers.  Indeed, sensitive U.S. operations could be compromised by public exposure of Iranian individuals involved in cyber-hacking activities.

Most of the bill’s provisions are superfluous, insofar as the President has current authorities to sanction Iranian individuals and entities involved in activities that undermine U.S. cyber-security.  For instance, EO 13694 permits the President to impose blocking sanctions on Iranian persons and entities engaged in significant malicious cyber-enabled activities.  Moreover, federal law permits the President and his agencies to indict Iranian persons for their cyber-related activities, as was the case in March 2016 when the U.S. Department of Justice indicted seven Iranian individuals for their alleged involvement in cyber-attacks against the U.S. financial sector.

Back to top