Cyber Deterrence and Response Act of 2025

The President, acting through the National Cyber Director, and in coordination with the heads of other relevant Federal departments and agencies, shall designate pursuant to the National Attribution Framework under paragraph (2) as a critical cyber threat actor—

(A) each foreign person and each agency or instrumentality of a foreign state that the President determines to be knowingly responsible for or complicit in, or have engaged in, directly or indirectly, state-sponsored cyber activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of—

(i) causing a significant disruption to the availability of a computer or network of computers;

(ii) harming, or otherwise significantly compromising the provision of service by, a computer or network of computers that support one or more entities in a critical infrastructure sector;

(iii) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;

(iv) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, health or financial information for commercial or competitive advantage or private financial gain;

(v) destabilizing the financial sector of the United States by tampering with, altering, or causing a misappropriation of data;

(vi) causing a significant disruption to the energy sector of the United States by tampering with or altering data or equipment necessary for the operation of the energy sector in the United States; or

(vii) interfering with or undermining election processes or government institutions by tampering with, altering, or causing misappropriation of data;

(B) each foreign person that the President has determined to have knowingly, significantly, and materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activities described in subparagraph (A) by a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under subparagraph (A);

(C) each agency or instrumentality of a foreign state that the President has determined to have significantly and materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activities described in subparagraph (A) by a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under subparagraph (A); and

(D) any person determined by the President to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of data or information, including trade secrets, misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States or personal safety of American citizens.

Not later than 180 days after the date of the enactment of this Act, the Director, in consultation with the Secretary of Homeland Security, the Secretary of Defense, the Director of National Intelligence, the Secretary of State, the Attorney General, and the head of any other Federal agency the Director determines appropriate, shall submit to the appropriate congressional committees a framework, to be known as the National Attribution Framework to carry out the following:

(A) Establish a uniform, criteria-based process for evaluating and determining attribution of state-sponsored cyber activities.

(B) Define technical, operational, and strategic evidentiary standards, including thresholds for reliability, corroboration, and technical verification, that must be satisfied for such an attribution determination.

(C) Require assessments based on the quality of available evidence to assign a confidence level with respect to such an attribution determination.

(D) Provide for the consideration of private sector threat intelligence if such intelligence satisfies such evidentiary standards.

(E) Establish procedures for coordination with allied and partner countries, including regarding processes for information sharing, validation of evidence, and efforts to develop consistent public attribution statements to enhance international consensus relating to determining attribution of state-sponsored cyber activities.

(F) Establish timelines and reporting thresholds to ensure that attribution determinations are conducted promptly after the detection of any state-sponsored cyber activity.

(G) Ensure the National Attribution Framework is consistent with the National Cyber Incident Response Plan under section 2210 of the Homeland Security Act of 2002 (6 U.S.C. 660) and other relevant policies governing cyber attribution and response processes of the following:

(i) The Department of Homeland Security.

(ii) The Office of the National Cyber Director.

(iii) The Department of Defense.

(iv) The Department of State.

(v) Any other appropriate Federal department or agency.

(H) Ensure attribution determinations account for exemptions, waivers, and removals described in subsection (g), including mandatory exemptions for United States intelligence activities and case-by-case waivers granted in the national interest of the United States, for law enforcement purposes, or for humanitarian reasons.

(I) Establish procedures for the designation of a foreign person and each agency or instrumentality of a foreign state as a critical cyber threat actor under paragraph (1) to provide for a reassignment of such designation if the original designee is subject to an exception described in subsection (g)(4) to the next operationally responsible foreign person and each agency or instrumentality of a foreign state materially involved in the state-sponsored cyber activity at issue.

Not later than seven calendar days after designating a foreign person or agency or instrumentality of a foreign state as a critical cyber threat actor under paragraph (1), the President shall transmit to the appropriate congressional committees in classified or unclassified form a report identifying the designee.

The President shall impose one or more of the applicable sanctions described in paragraph (2) with respect to each foreign person and each agency or instrumentality of a foreign state designated as a critical cyber threat actor under subsection (a).

The sanctions described in this paragraph are the following:

(A) The President may provide for the withdrawal, limitation, or suspension of non-humanitarian United States development assistance under chapter 1 of part I of the Foreign Assistance Act of 1961 (22 U.S.C. 2151 et seq.).

(B) The President may provide for the withdrawal, limitation, or suspension of United States security assistance under part II of the Foreign Assistance Act of 1961 (22 U.S.C. 2301 et seq.).

(C) The President may direct the United States executive director to each international financial institution to use the voice and vote of the United States to oppose any loan from the international financial institution that would benefit the designated foreign person or the designated agency or instrumentality of a foreign state.

(D) The President may direct the United States International Development Finance Corporation, or any other United States Government agency not to approve the issuance of any (or a specified number of) guarantees, insurance, extensions of credit, or participation in the extension of credit.

(E) The President may, pursuant to such regulations or guidelines as the President may prescribe, prohibit any United States person from purchasing or selling any publicly traded securities, or any publicly traded securities that are derivative of such securities or are designed to provide investment exposure to such securities or investing in or purchasing significant amounts of equity or debt instruments of the designated foreign person.

(F) The President may, pursuant to procedures the President shall prescribe, which shall include the opportunity to appeal actions under this subparagraph, prohibit any United States agency or instrumentality from procuring, or entering into any contract for the procurement of, any goods, technology, or services, or classes of goods, technology, or services, from the designated foreign person or the designated agency or instrumentality of a foreign state.

(G) The President may terminate—

(i) sales to that country under the Arms Export Control Act (22 U.S.C. 2751 et seq.) of any defense articles, defense services, or design and construction services; and

(ii) sales to that country of any item on the United States Munitions List maintained pursuant to part 121 of title 22, Code of Federal Regulations.

(H) The President may prohibit the entity and, when acting for or on the entity’s behalf, its successors, assigns, directors, officers, employees, representatives, or agents, from directly or indirectly participating in transactions involving any commodity, software, or technology subject to United States jurisdiction under the Export Administration Regulations (EAR) or any other activity subject to the EAR, including—

(i) applying for, obtaining, or using any license, license exception, or export control document;

(ii) carrying out negotiations concerning, ordering, buying, receiving, using, selling, delivering, storing, disposing of, forwarding, transporting, financing, or servicing in any way any item exported or to be exported from the United States that is subject to the EAR; and

(iii) benefitting in any way from any transaction involving any item exported or to be exported from the United States that is subject to the EAR.

(I) The President may prohibit any person, whether a United States or non-United States person, from engaging in the following activities, either directly or indirectly, with the entity:

(i) Exporting or reexporting to or on behalf of the entity any item subject to the EAR.

(ii) Facilitating the acquisition or attempted acquisition by the entity of the ownership, possession, or control of any item subject to the EAR that has been or will be exported from the United States, including financing or other support activities related to a transaction whereby the entity acquires or attempts to acquire such ownership, possession or control.

(iii) Acquiring from or facilitating the acquisition or attempted acquisition from the entity or any item subject to the EAR that has been exported from the United States.

(iv) Obtaining from the entity in the United States any item subject to the EAR with knowledge or reason to know that the item will be, or is intended to be, exported from the United States.

(v) Engaging in any transaction to service any item subject to the EAR that has been or will be exported from the United States and which is owned, possessed, or controlled by the entity if such service involves the use of any item subject to the EAR that has been or will be exported from the United States (for purposes of this paragraph service means installation, maintenance, repair, modification, or testing).

(i) The President may exercise all of the powers granted to the President under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (except that the requirements of section 202 of such Act (50 U.S.C. 1701) shall not apply) to the extent necessary to block and prohibit all transactions in property and interests in property of the designated foreign person if such property and interests in property are in the United States, come within the United States, or are or come within the possession or control of a United States person.

(ii) The penalties provided for in subsections (b) and (c) of section 206 of the International Emergency Economic Powers Act (50 U.S.C. 1705) shall apply to a person that violates, attempts to violate, conspires to violate, or causes a violation of regulations prescribed under clause (i) to the same extent that such penalties apply to a person that commits an unlawful act described in subsection (a) of such section 206.

(K) The President may, pursuant to such regulations as the President may prescribe, prohibit any transfers of credit or payments between one or more financial institutions or by, through, or to any financial institution, to the extent that such transfers or payments are subject to the jurisdiction of the United States and involve any interest of the designated foreign person.

An alien who is designated as a critical cyber threat actor under subsection (a) is—

(A) inadmissible to the United States;

(B) ineligible to receive a visa or other documentation to enter the United States; and

(C) otherwise ineligible to be admitted or paroled into the United States or to receive any other benefit under the Immigration and Nationality Act (8 U.S.C. 1101 et seq.).

The issuing consular officer, the Secretary of State, or the Secretary of Homeland Security (or a designee of either such Secretaries) shall revoke any visa or other entry documentation issued to the foreign person designated as a critical cyber threat actor under subsection (a) regardless of when issued. A revocation under this clause shall take effect immediately and shall automatically cancel any other valid visa or entry documentation that is in the possession of such foreign person.

The President may impose any of the sanctions described in paragraph (2) with respect to the government of each country that the President has determined aided, abetted, or directed a foreign person or agency or instrumentality of a foreign state designated as a critical cyber threat actor under subsection (a).

The sanctions referred to in paragraph (1) are the following:

(A) The President may provide for the withdrawal, limitation, or suspension of non-humanitarian or non-trade-related assistance United States development assistance under chapter 1 of part I of the Foreign Assistance Act of 1961 (22 U.S.C. 2151 et seq.).

(B) The President may provide for the withdrawal, limitation, or suspension of United States security assistance under part II of the Foreign Assistance Act of 1961 (22 U.S.C. 2301 et seq.).

(C) The President may instruct the United States Executive Director to each appropriate international financial institution to oppose, and vote against the extension by such institution of any loan or financial assistance to the government of the country.

(D) No item on the United States Munitions List (maintained pursuant to part 121 of title 22, Code of Federal Regulations) or the Commerce Control List set forth in Supplement No. 1 to part 774 of title 15, Code of Federal Regulations, may be exported to the government of the country or any entity under its influence, control, or ownership.

(i) No intrusion software or IP network communications surveillance systems or related items that are subject to the Export Administration Regulations, whether or not enumerated on the Commerce Control List, may be exported, reexported, or transferred, directly or indirectly, to the government of the country or any entity under its influence, control, or ownership.

(ii) For purposes of this subparagraph, the terms intrusion software and IP network communications mean any—

(I) systems, equipment, or components specially designed for the generation, operation or delivery of, or communication with, with intrusion software;

(II) software specially designed or modified for the development or production of such systems, equipment or components;

(III) software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; and

(IV) internet protocol network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.

The President may exercise all authorities provided under sections 203 and 205 of the International Emergency Economic Powers Act (50 U.S.C. 1702 and 1704) to carry out this section.

To the extent practicable—

(1) actions taken by the President pursuant to this section should be coordinated with United States allies and partners; and

(2) the Secretary of State should work with United States allies and partners, on a voluntary basis, to lead an international diplomatic initiative to—

(A) deter critical cyber threat actors and state-sponsored cyber activities; and

(B) provide mutual support to such allies and partners participating in such initiative to respond to such state-sponsored cyber activities.

Activities subject to the reporting requirements of title V of the National Security Act of 1947 (50 U.S.C. 413 et seq.), and any authorized intelligence activities of the United States, shall be exempt from the imposition of sanctions under this section.

The President may waive, on a case-by-case basis, the imposition of sanctions described in this section for a period of not more than one year, and may renew such waiver for additional periods of not more than one year, if the President transmits to the appropriate congressional committees a written determination that such waiver meets one or more of the following requirements:

(A) Such waiver is in the national interests of the United States.

(B) Such waiver will further the enforcement of this Act or is for an important law enforcement purpose.

(C) Such waiver is for an important humanitarian purpose.

The President may prescribe rules and regulations for the removal of sanctions under subsections (b), (c), and (d) and the removal of designations under subsection (a) if the President determines that a foreign person, agency or instrumentality of a foreign state, or government of a country subject to such sanctions or such designations, as the case may be, has verifiably ceased its participation in any of the conduct with respect to which such foreign person, agency or instrumentality of a foreign state, or government was subject to such sanctions or designation, as the case may be, under this section, and has given assurances that such foreign person, agency or instrumentality of a foreign state, or government, as the case may be, will no longer participate in such conduct.

Sanctions under subsection (c) shall not apply to a foreign person if admitting such foreign person into the United States is necessary to permit the United States to comply with the Agreement regarding the Headquarters of the United Nations, signed at Lake Success June 26, 1947, and entered into force November 21, 1947, between the United Nations and the United States, or other applicable international obligations.

Nothing in this section may be construed to limit the authority of the President under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any other provision of law to impose sanctions to address critical cyber threat actors and malicious state-sponsored cyber activities.

In this section:

The terms admitted and alien have the meanings given such terms in section 101 of the Immigration and Nationality Act (8 U.S.C. 1101).

The term appropriate congressional committees means—

(A) the Committee on Foreign Affairs, the Committee on Financial Services, the Committee on the Judiciary, the Committee on Oversight and Reform, and the Committee on Homeland Security of the House of Representatives; and

(B) the Committee on Foreign Relations, the Committee on Banking, Housing, and Urban Affairs, the Committee on the Judiciary, and the Committee on Homeland Security and Governmental Affairs of the Senate.

The term agency or instrumentality of a foreign state has the meaning given such term in section 1603(b) of title 28, United States Code.

The term critical infrastructure sector means any of the designated critical infrastructure sectors identified in the Presidential Policy Directive entitled Critical Infrastructure Security and Resilience, numbered 21, and dated February 12, 2013.

The term Director means the National Cyber Director.

The term foreign person means a person that is not a United States person.

The term foreign state has the meaning given such term in section 1603(a) of title 28, United States Code.

The term knowingly, with respect to conduct, a circumstance, or a result, means that a person has actual knowledge, or should have known, of the conduct, the circumstance, or the result.

The term misappropriation means taking or obtaining by improper means, without permission or consent, or under false pretenses.

The term state-sponsored cyber activities means any malicious cyber-enabled activities that—

(A) are carried out by a government of a foreign country or an agency or instrumentality of a foreign state; or

(B) are carried out by a foreign person that is aided, abetted, or directed by a government of a foreign country or an agency or instrumentality of a foreign state.

The term United States person means—

(A) a United States citizen or an alien lawfully admitted for permanent residence to the United States; or

(B) an entity organized under the laws of the United States or of any jurisdiction within the United States, including a foreign branch of such an entity.