In brief: President Barack Obama has issued an Executive Order enabling the US Department of Treasury to implement targeted sanctions against foreign individuals or entities whose cyber-enabled activities result in significant threats to the national security, foreign policy, economic health or financial stability of the US, irrespective of their nationality. Partners Rachel Nicolson (view CV) and Gavin Smith (view CV), Associate Andrew Wilcock and Law Graduate Alice Crawford report on the possible implications of this novel measure.

HOW DOES IT AFFECT YOU?

  • The Department of Treasury has not yet designated any individuals or entities for the purposes of the cyber sanctions regime. However, once it does, US companies and foreign companies with certain connections to the US will be precluded from dealing with the property of such individuals and entities.
  • Non-US companies operating in the financial services and information technology sectors may be exposed to the prohibitions of the regime, and may wish to review their operations to ensure that they comply with relevant prohibitions.
  • Companies with connections to the US that are subject to cyberattacks might seek to use the introduction of the regime as a means to constructively engage with the US Government on cybersecurity issues.
  • It remains to be seen whether the Australian Government will implement similar cyber sanctions. This should become clear once the Government's cyber security review reports on its conclusions in mid-2015.

BACKGROUND

In recent years, the US Government has implemented a range of measures to address cyber threats, intrusions and attacks.

In late 2014, the issue of cybersecurity gained international attention when a group with alleged links to the North Korean Government hacked and released confidential information belonging to Sony Pictures Entertainment. Investigating agencies treated the hack as a serious national security matter, and Secretary of Homeland Security Jeh Johnson described the hack as 'not just an attack against a company and its employees [but] also an attack on our freedom of expression and way of life'.1 Subsequently, the US strengthened existing sanctions against North Korea, and President Obama proposed strengthened cybersecurity legislation to Congress.

Most recently, on 1 April 2015, President Obama issued Executive Order 13694 2 establishing a sanctions regime to combat cyber threats whereby the US Department of Treasury may impose targeted sanctions against foreign individuals and entities that engage in malicious cyber activity.

The new cyber sanctions regime is unique in that, though the US Government has previously imposed financial and economic sanctions against states, individuals and entities that engaged in cyberattacks under existing state-specific sanctions regimes (eg against North Korea and North Korean nationals under the existing North Korea sanctions regime), it has not previously had the capacity to sanction foreign individuals and entities that engage in cyberattacks irrespective of their nationality.

THE CYBER SANCTIONS REGIME

The Executive Order prohibits 'United States persons' from dealing with the property of individuals or entities that are designated for the purposes of the cyber sanctions regime. Notably, the definition of 'United States persons' is very broad, such that foreign companies may be subject to the prohibition if they have even a seemingly insignificant connection to the US.

The Executive Order further empowers the Secretary of the Treasury, in consultation with the Attorney-General and the Secretary of State, to designate the following persons for the purposes of the regime.

  • Any individual or entity deemed a threat to US national interests that engages in or attempts to engage in prohibited cyber-enabled activities.
  • Any individual or entity that materially assists, sponsors or provides financial, material or technological support for any prohibited cyber-enabled activities.
  • Any individual or entity who knowingly receives or uses trade secrets stolen through cyber-enabled activities for private financial gain, or for commercial or competitive advantage.
  • Any individual or entity who receives, contributes or uses funds from individuals or entities who have had their assets blocked under the sanctions.

'Prohibited cyber-enabled activities' include activities that:

  • compromise the provision of services by entities in critical infrastructure sectors (eg the communications, energy, financial services and information technology sectors);
  • cause or assist with a significant misappropriation of funds, economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain; or
  • significantly disrupt the availability of a computer or computer network, for example through a distributed denial-of-service attack.
    In order for sanctions to be imposed, the Secretary of the Treasury must be satisfied that such activities are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the US.

The Secretary of the Treasury has not yet designated any individual or entity for the purposes of the cyber sanction regime; however, the White House has indicated that the cyber sanctions regime 'will be used to go after the worst of the worst of malicious cyber actors'3, and is not intended to target individuals and companies whose systems are hijacked.

IMPLICATIONS

Though the implications of the new sanctions will become clearer once the specific persons or entities are designated, possible implications include the following.

  • The US Government may use the regime to encourage foreign companies to be more responsive to take down requests and avoid business with cybercriminals, and in so doing reduce the financial incentives for cybercriminals to engage in malicious cyber-enabled activity.
  • Certain foreign companies operating in the financial services and information technology sectors may be exposed to the prohibitions of the regime, and may wish to review their operations to ensure that they comply with targeted sanctions. Examples of such companies include:
    • companies that host infrastructure used by individuals or entities to engage in cybercrime, particularly if they are unresponsive to takedown requests;
    • software developers whose products may be used for sanctioned cyber-enabled activities;
    • banks and financial institutions which provide financial services to individuals or entities engaged in cyber-enabled activities; and
    • companies and businesses involved in bitcoin exchange.
  • Companies with a nexus to the US that are subject to cyberattacks might seek to use the introduction of the regime as a means to constructively engage with the US Government in respect of cybersecurity.

As the regime is the first of its kind, it may also lead to further dialogues between countries towards establishing a regulatory framework or agreed guidelines for behaviour in cyberspace.

THE AUSTRALIAN GOVERNMENT'S CYBER SECURITY REVIEW

In November 2014, the Federal Government announced that it would undertake a wide-ranging review of the country's cyber security policies and strategies. The review, due to be completed and reported in mid-2015, is being led by the Department of Prime Minister and Cabinet with an expert panel appointed to provide advice to the review. The Federal Government has stated that the review will:

  • update the Government's cyber security priorities;
  • provide a view on the cyber threats and risks Australia faces;
  • clarify the Government's role in cyber security for Australia, including how this contributes to the protection of critical infrastructure;
  • describe how Government and industry can best team up to defend ourselves jointly from those who want to harm us in cyber space;
  • outline an improved approach on Australia's engagement with international cyber security forums, to further Australia's interests and cement our leadership on cyber security; and
  • recommend practical initiatives to improve Australia's cyber security, for Government consideration.

All eyes will be on the conclusions of the review to see whether Australian will implement a similar cyber sanctions regime.