Yesterday, the United States established a new sanctions program designed to deter and financially target foreign parties who engage in, support or profit from “significant malicious cyber-enabled activities.” Declaring a national emergency, President Barack Obama issued an executive orderauthorizing the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to identify as Specially Designated Nationals and Blocked Persons (SDNs) cyber-actors whose activities significantly harm the national security, foreign policy or economic health or financial stability of the United States. The U.S. government has not yet designated any parties under this new sanctions program. Once parties are so designated, U.S. companies must cease doing business with them and report any blocked property to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
In a statement accompanying the executive order, the President identified the targets of these sanctions as “those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American citizens for profit.” Also vulnerable to sanctions under the new program are persons who knowingly use stolen trade secrets to undermine the economic health of the United States. In a “Frequently Asked Questions” document, OFAC, which is responsible for issuing implementing regulations and posting the names of designated parties, states that the program “is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. Government.”
Activities such as the cyber-attack on Sony Pictures, which the Administration attributes to North Korea, the hacking that major retailers experienced in the last year, compromising private consumer information, attacks on U.S. government computer systems, and the hacking of corporate computer systems to obtain trade secrets, if perpetrated from outside the United States, would make those responsible vulnerable to designation. In addition, all property and interests in property that are in the United States, or that are or come within the possession or control of any U.S. person, would be blocked and may not be transferred, paid, exported, withdrawn or otherwise dealt in. By including activities such as the use of trade secrets and financial, material and technological support for hackers, the Order provides a tool to go after the support networks for hackers, as well the hackers themselves.
Specifically, the Order applies to any person outside the United States determined to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside of the United States that have the purpose or effect of:
- Harming or otherwise significantly compromising the provision of services by a computer or network of computers that support one or more entities in a critical infrastructure sector;
- Significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
- Causing a significant disruption to the availability of a computer or network of computers; or
- Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.
The Order also permits the Secretary of the Treasury to designate parties who derive commercial or economic gain from trade secrets misappropriated through cyber-enabled means; who have materially assisted, sponsored or provided financial, material or technological support for, or goods or services in support of such activities; or are owned or controlled by parties blocked under the Executive Order. Any business, including banks and online commerce providers, would be liable if it provides services to, received funds from, or fails to block the property of persons designated under the program. In addition, the Order blocks designated individuals from entering the United States.
Significantly, the sanctions are not limited to attacks on the owners or operators of critical infrastructure, or their service providers. In addition, attacks causing “a significant disruption” to computer networks, and attacks involving theft of trade secrets, financial or personal information, will be covered. Nonetheless, White House Cybersecurity Coordinator Michael Daniel and John Smith, the Acting Director of OFAC, indicated in a press conference yesterday that the new tools provided by the Executive Order would be used “judiciously.” Acting Director Smith also stated, as reported byPolitico, that the Administration, “would welcome the input from the private sector and others that may have relative [sic] information on trade secret theft that might be covered by the executive order.”
Screening software will have to be updated when the first designations are made under this new sanctions program. It remains to be seen what the reaction will be from countries associated with state-sponsored or state-condoned cyber-attacks, as well as the level of support for sanctions the United States will receive from allies. This aggressive new U.S. cyber initiative will very likely shock the status quo on cybersecurity, and perhaps shift the global focus on this issue from the realm (primarily) of national security toward a more economic and trade-based policy arena.