The new sanctions in President Barack Obama’s Executive Order 13694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” target individuals and organizations overseas who engage in cyberattacks or commercial espionage outside the US that are likely to result in a threat to national security or financial stability of the US.
Specifically, EO 13694 expands the US government’s arsenal of authorities to reach cybercriminals and those that steal intellectual property, trade secrets and sensitive information by imposing blocking sanctions on them.
Sanctions are a particularly important tool in this context because cyberattacks are often committed remotely from countries without extradition treaties with the US. For US law enforcement authorities ability to bring enforcement actions against perpetrators or pursue other legal remedies, this has been a formidable hurdle.
To help implement these new sanctions and facilitate designation, the US government has encouraged US companies to share with it information on theft of IP and other trade secrets. However, the EO also raises issues for US companies about how to comply so as to avoid potential exposure.
I. TARGETED ACTIVITIES UNDER EO 13694
EO 13694 targets persons engaged in “cyber-enabled activities reasonably likely to result in, or [that] have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Among these are the following:
- Those “responsible for or complicit in or [who] have engaged in, directly or indirectly, cyber-enabled activities” that originate or are directed from outside the United States and that have the purpose or effect of:
- harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector
- significantly compromising the provision of services by one or more entities in a critical infrastructure sector
- causing a significant disruption to the availability of a computer or network of computers or
- causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain
- Those “responsible for or complicit in or [who] have engaged in . . . the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated”
- Those who have “materially” supported parties blocked pursuant EO 13694
- Those who are owned or controlled by, or acting or purporting to act on behalf of those blocked parties and
- Those that have attempted to engage in the targeted activities.
Critical infrastructure is defined under EO 13694 by reference to the Presidential Policy Directive – Critical Infrastructure Security and Resilience, which designated 16 critical infrastructure sectors (chemical, commercial facilities, communications, critical manufacturing; dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors/materials/waste, transportation systems, and water and wastewater systems). Other important terms in EO 13694 are yet to be defined, so OFAC has issued guidance in its Frequently Asked Questions 444–452 to assist companies in understanding the scope of the Order.
II. OFAC GUIDANCE – COMPLIANCE ISSUES FOR US COMPANIES
US persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not 1) operate in any jurisdictions targeted by comprehensive sanctions programs or 2) engage in unauthorized transactions or dealings with persons named on any of OFAC’s sanctions lists. Moreover, all transactions by US persons, wherever located, with entities on the Specially Designated National (SDN) list (including any entity in which such named persons own a 50 percent or greater interest) are prohibited, and property and property interests of an SDN within the United States or in the possession or control of US persons, wherever located, must be blocked.
While no individuals or entities have yet been added to the list of SDNs under this authority, the United State Treasury has encouraged all potentially injured companies, including, “technology companies,” to evaluate their current policies before listing occurs and, where necessary, “develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures.” See FAQ 446.
Recognizing that legitimate activities could be misunderstood to be targeted by the language of EO 13694, OFAC’s FAQs provide preliminary definitions of “cyber-enabled activities and “malicious cyber-enabled activities,” as well as examples of legitimate activities not covered by the Order. OFAC anticipates that future regulations will define “cyber-enabled activities” as “any act that is primarily accomplished through or facilitated by computers or other electronic devices,” and “malicious cyber-enabled activities” as “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.” See FAQ 447. OFAC’s FAQs indicate that the following types of “legitimate” cyber-enabled activities are not targeted by EO 13694:
- Legitimate network defense, maintenance or other authorized activities performed by security experts that ensure and promote the security of information systems
- The legitimate and authorized use of penetration testing and other methodologies to test the security of information systems
- Activities to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions or competitions
- Other similar good faith events and
- Persons whose personal computers (or other networked electronic devices) are, without their knowledge or consent, used in malicious cyber-enabled activities (e.g., in denial-of-service attacks against US financial institutions).
See the President’s EO 13694 here.