On April 1, 2015, President Obama signed Executive Order 13694, creating a new sanctions program to respond to the increasingly disruptive and destructive cyber threats emanating from transnational criminal organizations, terrorist groups, and state and state-sanctioned actors.1
The Executive Order, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to designate for inclusion on the Office of Foreign Assets Control’s (“OFAC”) Specially Designated Nationals List (“SDN List”) two categories of individuals or entities: (1) those determined to be responsible for or complicit in significant cyber attacks or cyber theft, and (2) those benefitting from such activities. No individuals or entities were designated at the time of the issuance of the Executive Order.
The first category includes individuals and entities involved in “cyber-enabled activities” outside the United States that pose “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:”
“harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support” a critical infrastructure sector entity;
“significantly compromising” services provided by a critical infrastructure sector entity;
significantly disrupting the availability of a computer or computer network; or
significantly misappropriating “funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”
The second category includes individuals or entities that knowingly received or used—or attempted to receive or use—“trade secrets misappropriated through cyber-enabled means” for “commercial or competitive advantage or private financial gain,” provided that the misappropriation rises to the level of being, resulting in, or materially contributing to a significant threat to U.S. national security, foreign policy, or economic health or financial stability.
As with other sanctions regimes, inclusion on OFAC’s SDN List results in the blocking of all the designated entity or individual’s property, and interests in property, that are in the United States, come within the United States, or are in or come within the possession or control of a U.S. person.
OFAC also issued an FAQ clarifying some aspects of the Executive Order.2 Notably, OFAC anticipates that the regulations implementing the Executive Order “will define ‘cyber-enabled’ activities to include any act that is primarily accomplished through or facilitated by computers or other electronic devices.” The FAQ goes on to note that “[f]or the purposes of the [Executive Order], malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”
The Administration offered assurances that the new sanctions program is intended to target only the “most significant malicious cyber actors” or the “worst of the worst.”3Indeed, OFAC’s FAQ makes clear that the Executive Order will not be used to “prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities” or legitimate information security activities, nor will it be used to “silence free expression online or curb Internet freedom.”
The new cyber sanctions regime represents a significant attempt on the part of the Obama administration to create a mechanism by which the United States can “deter and impose costs” on individuals and entities that so far have avoided paying any price for engaging in cyber attacks against U.S. businesses and critical infrastructure. The new sanctions program is a potentially valuable and effective means of targeting perpetrators of cyber attacks that remain beyond the reach of the U.S. criminal justice system. For example, the five Chinese military officers indicted in May 2014 for allegedly hacking U.S. companies’ computers to steal trade secrets are unlikely ever to face trial in the United States. The Administration believes that the ability to designate these and other individuals and entities—thus prohibiting U.S. businesses from engaging in transactions with them—will make it more difficult for those who perpetrate and profit from cyber attacks to obtain access to U.S. technology, infrastructure, and financial institutions. The new sanctions regime thus will both greatly hinder the ability of designated persons to engage in or profit from future attacks and theft and deter others from becoming involved in illegal cyber-related activity in the first instance.
The addition of a new category of individuals and entities eligible for inclusion on OFAC’s SDN List and forthcoming regulations implementing the Executive Order provide an important opportunity for U.S. businesses to evaluate their compliance with existing U.S. sanctions regimes. This is especially true for some individuals and companies that do business with potential targets of the new cyber sanctions regime, as they likely have had fewer occasions than financial institutions to wrestle with the challenges of sanctions compliance.