On April 1, 2015, President Obama issued an Executive Order granting authority to impose economic sanctions on individuals and entities (“Persons”) involved in malicious cyber-enabled activities that create a significant threat to U.S. national security, foreign policy, or economic health or financial stability.1 While the Executive Order does not cite any specific incidents (such as North Korea’s cyber attack on Sony last year), President Obama stated that the Executive Order is a response to several recent cyber threats from outside the United States that have targeted U.S. critical infrastructure, companies, and citizens.2 The Executive Order is not designed to target or interfere with legitimate cyber-enabled activities in the academic, business, or non-profit sectors, including information security functions. This development marks the first time that the U.S. government has targeted overseas hackers—as well as foreign Persons that knowingly benefit from the misappropriation of corporate trade secrets via hacking—with economic sanctions.
The Executive Order does not yet designate any Persons to be subject to sanctions, so it does not result in any additional compliance requirements at this time. While the Administration has indicated that there is no particular timeline for designations to be made under the Executive Order, President Obama signed the order to put this new authority in place as one tool in the Administration’s tool box for dealing with emergent cyber threats.3 Persons that are designated by the Treasury Department under the Executive Order will be subject to an asset freeze and travel ban and will be considered “blocked,” meaning that U.S. persons may not transact with them.
Parameters of the Executive Order
The primary effect of the Executive Order is to impose an asset freeze on Persons determined by the United States:
- (i) to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose or effect of:
  - harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;4
  - significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
  - causing a significant disruption to the availability of a computer or network of computers; or
  - causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain; or
- (ii) to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
- (iii) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in (i) or (ii), or any Person blocked under this Executive Order;
- (iv) to be owned or controlled by, or acting on behalf of, any person blocked under this Executive Order; or
- (v) to have attempted to engage in any of the activities described in (i) – (iv) above.
In addition to authorizing an asset freeze, the Executive Order also imposes a travel ban on Persons meeting the criteria for the blocking sanctions. The Treasury Department intends to promulgate regulations to implement the Executive Order and further define restricted cyber activities.5 Any Persons that are designated in the future will be added to the List of Specially Designated Nationals and Blocked Persons (“SDN List”) that is administered by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”), and must be screened from all transactions by U.S. Persons, as with other SDNs.
The Executive Order does not target all malicious cyber-enabled activities, but more specifically, only activities that cause the harms specified in the Executive Order that are significant enough to affect U.S. national security, foreign policy, or economic health or stability. Senior Administration officials stated that the Executive Order is expected to be used judiciously and that, in most instances, the Administration will first use diplomatic and law enforcement tools to combat cyber threats. Of note, the Executive Order does not target a specific set of countries, so the Administration can use this tool to counter cyber threats from any foreign source.
President Obama stated that “cyber threats pose one of the most serious economic and national security challenges to the United States” and that the Executive Order “supports the Administration’s broader strategy by adding a new authority to combat the most serious malicious cyber threats.”6 In particular, the Executive Order is meant to provide an authority for sanctions “in situations where malicious cyber actors may operate beyond the reach of existing authorities,”7 such as law enforcement, military, economic and intelligence authorities, and diplomatic outreach. While foreign Persons operating wholly outside of the United States may be outside the jurisdictional reach of the U.S. justice system, to the extent such Persons conduct business globally, the imposition of sanctions will cut the actors off from the U.S. financial system (including transacting business in U.S. dollars) and business with U.S. Persons.
The Administration has stated that it hopes that U.S. allies and partners abroad will join the United States in developing similar tools to combat cyber threats, which would increase the financial impact on the malicious cyber attackers. Even without such a coalition, the sanctions will have extra-territorial impact, as foreign financial institutions often voluntarily comply with U.S. sanctions requirements, including screening Persons against the SDN List, out of an abundance of caution, particularly in light of the heavy fines that have been levied against non-U.S. financial institutions in recent years.8
In order to guard against violations of economic sanctions, we recommended that companies adopt and maintain tailored, risk-based, economic sanctions compliance programs, including procedures for screening counterparties against relevant economic sanctions-related restricted party lists, including OFAC’s SDN List. Once designations occur under the Executive Order, this screening will become particularly important for technology companies and those with internet-based businesses. In addition, for non-U.S. companies that may receive information that could be deemed trade secrets, such companies should conduct thorough due diligence to ensure that such trade secrets were not obtained or misappropriated through cyber activities such that they would come within the scope of the Executive Order.