Infrastructure Protection Bill Mandates 30-Year Minimum for Fraud, Freezes Assets of Foreign Cyber Attackers

The “Protecting Critical Infrastructure Act” is here to make sure no one messes with the essential systems that keep the country running—think power grids, water treatment plants, and the internet backbone. This bill tackles security from two directions: domestic penalties and international sanctions. If you’re busy and need to know what the fine print says, here’s the breakdown.

The Price Tag for Domestic Fraud Just Got Astronomical

Section 2 of this Act significantly raises the stakes for anyone committing fraud or related crimes against critical infrastructure. Right now, if someone commits a financial crime, they face standard penalties. Under this new bill, if that crime involves critical infrastructure—say, a contractor submits fraudulent safety reports for a major dam, or an employee defrauds a utility company—the punishment jumps to a mandatory minimum of 30 years in prison, or even life. This isn't just a slap on the wrist; this is a permanent life change for anyone convicted under this section. The idea is clearly to deter any kind of malicious or even negligent activity that could compromise essential services, but applying a mandatory life sentence to a fraud charge is an extremely severe measure.

Freezing the Foreign Threat

Section 3 targets foreign actors who try to compromise U.S. infrastructure. If a foreign individual or group—meaning anyone who isn’t a U.S. citizen or permanent resident—knowingly accesses or attempts to access critical infrastructure with the intent to harm national security or citizen safety, the President must impose sanctions. This isn't optional; the President is required to act. The term “knowingly” is key here, meaning they had actual knowledge or should have known their actions would have this effect.

What the Sanctions Look Like

These sanctions hit foreign actors where it hurts: their wallets and their travel plans. First, the President must use the International Emergency Economic Powers Act (IEEPA) to freeze all property and assets belonging to that person that are within the U.S. or controlled by a U.S. person. This effectively cuts them off from the U.S. financial system. Second, the individual is immediately banned from entering the U.S., their visa is revoked, and they are deemed inadmissible. For foreign individuals connected to hostile state actors or cybercrime groups, this is a major consequence that limits their ability to operate globally.

The Executive Power and the Fine Print

The bill grants the President broad authority under IEEPA to implement these sanctions, and they must issue the necessary rules within 90 days of the bill becoming law. While the sanctions are mandatory, there is a small escape clause: the President can waive the sanctions for up to 180 days if they certify to Congress that the waiver is vital to U.S. national security interests. This is a necessary safety valve, but it also centralizes a lot of power in the executive branch to decide who gets sanctioned and when. Importantly, U.S. people who violate the asset-blocking rules—by trying to help a sanctioned entity move money, for example—face the same severe penalties under IEEPA, meaning anyone dealing with international finance or trade needs to pay close attention to the sanctions list this bill creates.