On April 1, 2015, President Obama issued Executive Order (EO) 13694, which for the first time imposes sanctions on persons engaged in “significant malicious cyber-enabled activities” that harm US interests. The EO states that President Obama has declared a national emergency under the International Emergency Economic Powers Act to deal with this threat in light of increasing instances of cyber attacks and cyber espionage against the United States. Concurrent with issuance of the EO, the US Treasury Department, Office of Foreign Assets Control (OFAC) issued Frequently Asked Questions (FAQ) providing interpretative guidance.
The EO is notable in that the US Government, for the first time, is using the lever of economic sanctions to address cyber attacks and threats. The new sanctions can be imposed against any person involved in the activity specified in the EO, which could include both US and non-US persons. Persons can be blocked for activities outside the United States that do not directly involve the United States, but rather pose a threat to certain specified US interests.
Blocking Property of Persons Engaged in Malicious Cyber-Enabled Activities
The EO authorizes OFAC, in consultation with the Attorney General and the Secretary of State, to sanction any person that engages in “cyber-enabled activities” (not defined in the EO) that pose a significant threat to US national security, foreign policy, economic health, or financial stability where the purpose or effect of those activities is to:
- harm computers or computer networks that support the “critical infrastructure sector;”
- significantly compromise the provision of service in the “critical infrastructure sector;”
- cause a significant disruption to the availability of a computer or computer network; or
- cause a significant misappropriation of funds, trade secrets, personal identifiers, or financial information for commercial advantage or private financial gain.
The EO defines “critical infrastructure sector” to have the same meaning as under Presidential Policy Directive 21 of February 12, 2013. The term includes the following sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
In order to trigger sanctions, the “cyber-enabled activities” described above must originate from, or be directed by persons located, outside the United States.
Interestingly, this activity need not be directed at the United States or a US person in order to be sanctionable, but rather it must pose a significant threat to US national security, foreign policy, economic health, or financial stability. Arguably, this can be interpreted broadly. In fact, the OFAC FAQ provide that the EO “is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the US government.”
In addition to the acts listed above, the EO also authorizes OFAC to designate persons determined to:
- knowingly receive or use trade secrets misappropriated through cyber-enabled means;
- provide material support for the activity described above or persons sanctioned under the EO;
- be owned or controlled by a person sanctioned under the EO; and
- have attempted to engage in any of the activities described above.
The EO authorizes OFAC to block the property and interests in property of designated persons. Where a person is blocked, the person’s assets in the United States or in the possession or control of “US persons” anywhere worldwide are frozen, and “US persons,” wherever located, are restricted from engaging in transactions or dealings with the person. The same restrictions apply to entities owned fifty percent or greater by such sanctioned persons or any combination of such persons and other Specially Designated Nationals (SDNs) designated by OFAC. The EO defines “US person” to include US citizens, lawful permanent residents, persons in the United States, and entities organized under the law of the United States (including foreign branches), but not foreign-incorporated subsidiaries of US persons.
The EO does not designate any sanctioned persons, nor has OFAC designated any person under this sanctions program to date. Sanctioned persons will be listed on OFAC’s List of Specially Designated Nationals and Blocked Persons.
The OFAC FAQ provide interpretative guidance regarding the EO, including the following:
- Definition of “cyber-enabled activities.” OFAC anticipates that regulations will be promulgated defining this term to include “any act that is primarily accomplished through or facilitated by computers or other electronic devices.”
- Definition of “malicious cyber-enabled activities.” OFAC anticipates that the forthcoming regulations will define this term to include “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”
- Non-malicious cyber-enabled activities. The FAQ provide that the EO is not designed to interfere with legitimate cyber-enabled academic, business, or non-profit activities or legitimate network defense or maintenance activities.
- Use of computers without a person’s knowledge. The FAQ state that sanctions will not be imposed on persons whose computers were used to perpetrate a malicious cyber-enabled activity without their knowledge.
Coordination Between Agencies
The EO authorizes OFAC to designate sanctioned persons in consultation with the Attorney General and the Secretary of State. Therefore, the Department of Justice (DOJ) and the State Department can be expected to have significant roles in terms of information sharing and designation decisions.
It is possible that broader information sharing within the US Government could factor into monitoring of cyber activity by OFAC, DOJ, and the State Department. With respect to government contractors, for example, there are several programs that facilitate the provision of information from the private sector to the government. Such programs include the Defense Acquisition Regulations System (DFARS) “cyber reporting” rule, as well as the “Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) Voluntary Information Sharing” program for certain companies that have applied to the Department of Defense to participate in this program.
The EO marks an effort by the United States to impose economic sanctions on persons abroad involved in cyber activity harmful to US interests. As with other perceived threats to US interests – such as organized crime, narcotics traffickers, corrupt officials, weapons proliferators, and terrorist organizations – economic sanctions are being used as a tool to isolate such actors from the US, and perhaps broader international, economy. The effectiveness of this regime will depend in part on the ability to identify malicious cyber actors, and keep their identities current, which in turn will enable key US players (such as banks and companies) to freeze assets and cut off economic opportunities. US intelligence will be crucial in attributing cyber incidents to the attackers who perpetrate them. As we have seen in other instances, being identified on the OFAC SDN List can also have a chilling effect on non-US person interaction with such designated entities and persons. As noted in the OFAC FAQ, it is likely that OFAC will issue regulations implementing the EO.