President Obama issued an Executive Order (the “Order”) on April 1, 2015 that authorizes financial sanctions against certain “persons” (including both individuals and entities) designated by the Treasury Secretary to be responsible for or benefit from certain cyber attacks against U.S. interests.1 The Order represents a significant new weapon for the U.S. Government to combat growing threats posed by cyber attackers from around the world. It uses broad language that gives the Treasury Secretary significant interpretive discretion to meet these goals by freezing the assets of, and generally prohibiting any US persons from engaging in any transactions with, any persons targeted under the Order.
Previously, in January 2015, President Obama issued Executive Order 13687, which imposed sanctions against certain North Korean individuals and entities alleged to be involved in the 2014 cyber attacks against Sony Pictures Entertainment. The new April 2015 Order represents a significant expansion of authority under which sanctions can be imposed against any persons involved in malicious cyber attacks against U.S. interests.
New Authority to Sanction
The Order specifically allows for the Treasury Secretary to impose financial sanctions against persons who are responsible for, are complicit in, or have engaged in “cyber-enabled activities” 2 that are “reasonably likely to result in, or have materially contributed to, a significant threat to [United States] national security, foreign policy, or economic health or financial stability,” and whose “cyber-enabled activities” have certain listed “purposes or effects,” including:
- Harming computers or networks that support entities in a “critical infrastructure sector" 3
- Significantly compromising the provision of services by entities in a “critical infrastructure sector”;
- Causing a significant disruption to the availability of computers or networks; or
- Causing a significant misappropriation of “funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”
Significantly, the Order also extends the Treasury Secretary’s designation authority to include other related parties, including:
- Persons who are “responsible for or complicit in, or [who have] engaged in” the receipt of, or certain uses of, trade secrets that have been knowingly misappropriated through cyber-enabled means; 4and
- Persons who have “materially assisted, sponsored, or provided financial, material, or technological support for” the other listed cyber threats.
Potential Sanctions and Compliance Considerations
Individuals and entities who are determined by the U.S. Treasury Department to have engaged in these activities will be added to the U.S. List of Specially Designated Nationals and Blocked Persons (“SDN List”). As a result, any assets under U.S. jurisdiction of such persons would be frozen, and U.S. companies would be prohibited from engaging in any commercial transactions with such SDNs. No individuals or entities have been designated yet under the Order.
Because the Order was issued without an initial set of designations, companies are not obligated to take any immediate steps to comply with this initial order. Similar to other SDN designations, the U.S. Treasury Department will publicly announce when sanctions are imposed against any persons under the Order on its website. Companies therefore should ensure that they have adequate screening and robust compliance procedures in place to identify individuals or entities that may later be added to the SDN List. In particular, companies that engage in a significant number of cross-border transactions on a regular basis should make use of third-party screening tools or similar automated processes to assist in identifying the involvement of sanctioned persons in any transactions.
Likely Targets of the Treasury Secretary’s Designation Authority
Commentary from the Obama administration specifies that this tool will be “used in a targeted and coordinated manner” and reserved for “the worst of the worst of malicious cyber actors.” This includes those involved with attacks that “could threaten the national security, foreign policy, economic health, or financial stability of the United States.” 5 For example, persons involved in cyber attacks on U.S. power grids or U.S. banks and other financial institutions could be targeted under the Order. FAQs provided by the Treasury indicate that sanctions will not be imposed on persons whose computers are commandeered, without their knowledge, for cyber attacks. Similarly, the FAQs note that the measures are not intended to target legitimate activities to ensure and promote information systems (e.g., penetration testing).
Furthermore, the designation criteria regarding misappropriated trade secrets suggest that the U.S. may sanction those who provide support to and benefit from hackers targeting certain aspects of the U.S. economy. Indeed, the Assistant to the President for Homeland Security and Counterterrorism recently noted that “[m]alicious cyber activity . . . is often profit-motivated” and that the new sanctions can “remove a powerful economic motivation for committing these acts in the first place.” 6