Sponsors
Introduced November 25, 2025 by August Pfluger · Last progress November 25, 2025
The bill strengthens tools to deter cyber threats and protect U.S. financial stability and critical infrastructure, but does so at the cost of added compliance burdens for businesses, broader executive authority with reduced oversight, and potential immigration and due-process risks.
Taxpayers, state and local governments benefit from stronger national defenses because new designation and sanctions authorities can deter state-sponsored cyberattacks that would disrupt services or steal personal and financial data.
Financial institutions and taxpayers could see improved financial stability because authorities could block transactions and use international financial influence to prevent funding or support for malicious actors.
Financial institutions and critical infrastructure operators (e.g., utilities and energy companies) may gain better threat information and resilience if vetted private-sector threat intelligence is permitted to inform attribution.
Financial institutions, utilities, and other businesses could face new compliance burdens and restrictions on trade with designated entities, raising costs or limiting market access.
Taxpayers and the public may see reduced procedural safeguards and congressional oversight because the bill broadly delegates sanction and IEEPA authorities and can exempt normal IEEPA procedures.
Immigrants could be barred from entry through designation-based immigration bans without granular due-process protections, potentially affecting dual-use actors or individuals wrongly targeted.
Based on analysis of 2 sections of legislative text.
Requires coordinated designation of foreign state and non-state actors as "critical cyber threat actors" for serious state-sponsored cyber harms and mandates a uniform National Attribution Framework within 180 days.
Requires the President, acting through the National Cyber Director and coordinating with relevant agencies, to identify and label foreign state actors, state agencies/instrumentalities, and foreign persons who knowingly carry out or materially support state-sponsored cyber operations that pose significant threats to U.S. national security, economic stability, critical infrastructure, or elections as "critical cyber threat actors." It also mandates creation and delivery of a uniform National Attribution Framework within 180 days that sets evidentiary standards, confidence-level assessments, and interagency procedures for attributing state-sponsored cyber activity and that can incorporate private-sector intelligence if it meets the standards. The measure establishes who must make designations, what harms trigger designation (for example severe network disruption, theft of funds or sensitive data, destabilizing financial or energy sectors, or election interference), and requires coordinated development of attribution criteria and processes in consultation with major national security and law enforcement agencies.