Protecting Critical Infrastructure Act
- Bill Number
- H.R. 3278
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Crime and Law Enforcement
- Status
- Introduced
- Latest Action
- 2025-05-08: Referred to the Committee on the Judiciary, and in addition to the Committee on Foreign Affairs, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- Last Updated
- 2025-05-22T18:07:41Z
AI-Generated Summary
Purpose
The Protecting Critical Infrastructure Act (H.R. 3278) aims to strengthen protections for essential U.S. systems like power grids, water supplies, and transportation networks (collectively called "critical infrastructure") by increasing criminal penalties for unauthorized computer access that targets them and by authorizing economic sanctions against foreign individuals or entities that knowingly engage in such harmful activities. The goal is to deter cyber threats that could endanger national security or public safety.
Key Provisions
- Increased Criminal Penalties (Section 2): Amends the federal computer fraud law (18 U.S.C. § 1030, part of the Computer Fraud and Abuse Act) to impose harsher punishments for offenses involving critical infrastructure. Offenders face a mandatory minimum of 30 years in prison or life imprisonment, plus fines, if their actions target these systems.
- Sanctions on Foreign Actors (Section 3):
- The President must impose sanctions on any foreign person (individual or entity not based in the U.S.) who knowingly accesses or tries to access critical infrastructure with intent to harm U.S. national security/defense or the safety of U.S. citizens or lawful permanent residents.
- Types of Sanctions:
- Asset Blocking: Freezes and prohibits U.S.-related assets and transactions under the International Emergency Economic Powers Act (IEEPA), a law allowing the President to control economic dealings during emergencies.
- Immigration Restrictions (for individuals): Bars entry to the U.S., revokes visas immediately (canceling any related travel documents), and denies immigration benefits under the Immigration and Nationality Act.
- Violations of these sanctions carry civil and criminal penalties, similar to IEEPA standards (fines up to $1 million and imprisonment up to 20 years for willful violations).
- Exceptions and Flexibility: Sanctions do not apply if needed to honor U.S. obligations under the UN Headquarters Agreement (allowing UN diplomats entry). The President can waive sanctions for up to 180 days if vital to U.S. national security, with congressional notification.
- Implementation: The President must issue regulations within 90 days of enactment, notify Congress in advance, and use IEEPA authorities to enforce. Defines key terms like "foreign person" (non-U.S. individuals/entities), "knowingly" (actual or should-have-known awareness), and "U.S. person" (citizens, permanent residents, or U.S.-based entities).
Significant Changes to Existing Law
- Elevates penalties under the Computer Fraud and Abuse Act from maximums of 10–20 years (depending on prior offenses) to a minimum of 30 years or life specifically for critical infrastructure cases, treating them as among the most serious cybercrimes.
- Introduces a new sanctions framework tailored to foreign cyber intruders, expanding beyond existing IEEPA uses (typically for broader threats like terrorism) to target specific unauthorized access to infrastructure. This builds on but does not alter definitions of critical infrastructure from the USA PATRIOT Act (42 U.S.C. 5195c(e)), which covers systems vital to national security, economy, or public health/safety.
Potential Impacts
- On Government Agencies: Enhances enforcement roles for the Department of Justice (prosecuting crimes), Treasury Department (administering asset blocks via the Office of Foreign Assets Control), State Department (handling visas), and Department of Homeland Security (identifying critical infrastructure). Requires quick regulatory action and congressional reporting, increasing administrative workload.
- On Citizens: Improves safeguards against cyber disruptions to essential services (e.g., power outages or transportation hacks), potentially reducing risks to public safety and daily life.
- On International Relations: Could deter foreign adversaries (e.g., state-sponsored hackers) by imposing financial and travel barriers, but may strain diplomatic ties with nations whose citizens or companies are targeted, leading to retaliatory measures or trade disputes.
Main Stakeholders Affected
- U.S. Government Agencies: Prosecutors, sanctions enforcers, and infrastructure protectors (e.g., DHS, FBI).
- Critical Infrastructure Owners/Operators: Utilities, transportation firms, and other sectors (e.g., energy, finance) that must secure systems against heightened threats.
- Foreign Persons/Entities: Individuals or groups abroad engaging in cyber activities, facing asset freezes, travel bans, or prosecutions if extradited.
- U.S. Citizens and Residents: Beneficiaries of stronger protections, but potentially affected if sanctions disrupt international business or travel.
- Congressional Committees: Foreign Affairs/Relations, Judiciary, Ways and Means/Finance, Financial Services/Banking (involved in oversight and notifications).
Notable Legal, Constitutional, or Political Implications
- Legal: Strengthens the Computer Fraud and Abuse Act by prioritizing infrastructure cases, potentially leading to more federal prosecutions and international cooperation on extraditions. Sanctions leverage established IEEPA mechanisms but introduce specific triggers for cyber threats, which courts have generally upheld as long as procedures (e.g., waivers) are followed.
- Constitutional: Raises due process concerns for sanctioned individuals (e.g., limited appeal rights under IEEPA), but aligns with precedents allowing executive discretion in national security. Visa revocations could face challenges under immigration law, though immediate effect is standard for security-based actions.
- Political: Bipartisan introduction (sponsors from both parties) signals broad support for cybersecurity amid rising threats; referral to Judiciary and Foreign Affairs committees suggests focus on domestic enforcement and global deterrence, without major partisan divides evident in the text.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (3)
Rep. Moskowitz, Jared [D-FL-23], Rep. Luna, Anna Paulina [R-FL-13], Del. Moylan, James C. [R-GU-At Large]
Recent Actions
- 2025-05-08: Referred to the Committee on the Judiciary, and in addition to the Committee on Foreign Affairs, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-05-08: Referred to the Committee on the Judiciary, and in addition to the Committee on Foreign Affairs, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-05-08: Introduced in House
- 2025-05-08: Introduced in House
Bill Versions
- Protecting Critical Infrastructure Act — issued 2025-05-08 — PDF (8 pages)