The executive order allowing the President to impose OFAC sanctions on hackers is good news. I’ve been calling on the government for several years to go beyond attribution to retribution. See, for example, this post from 2012, this Foreign Policy article, and this recent podcast with Juan Zarate. Similar sentiments were expressed in a 2013 report by the American Bar Association.
The good news from the Sony case is how much better and faster we’ve gotten at attributing network espionage and network attacks. But that won’t do much good until we can also punish those we identify.
This order offers a real possibility that we can. Even the hackers don’t want to work for government forever; they hope to run startups just like everybody else, but that will be hard with an OFAC sanction hanging over their heads.
And the companies that benefit from stolen trade secrets could also find themselves sanctioned, since the order extends to them as well. Sanctions can be applied to any company that is:
responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.
The program is a bit of an empty shell right now: it authorizes but doesn’t apply sanctions to any hackers. But if it’s used wisely it could be a game changer — the first real deterrent to cyberspying and cyberattacks.