On April 1, 2015, President Obama signed an executive order establishing a new sanctions program targeting individuals and entities responsible for, or complicit in, cyber-enabled activities that threaten the national security, foreign policy, economic health or financial stability of the United States. This establishes a new sanctions program in the tradition of other U.S. “policy-based” sanctions regimes such as U.S. sanctions against international terrorist organizations and narcotics traffickers, which are not specific to any one country. President Obama’s statement on the executive order explains that while the government will use every tool at its disposal to prevent and respond to cyber attacks, it is often difficult to pursue bad actors due to weak or poorly enforced foreign laws, or because some foreign governments are unwilling or unable to stop those responsible. The executive order is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government.
The executive order is directed against persons who engage in malicious cyber-enabled activities that have the purpose or effect of causing any of the following problems:
- harming or significantly compromising the provision of services by entities in a critical infrastructure sector (e.g., power grids or financial systems)
- causing a significant disruption to the availability of computers or networks, including through a distributed denial-of-service attack
- causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.
The executive order also targets those who (i) knowingly receive or use trade secrets that were misappropriated by cyber-enabled means for commercial or competitive advantage or private financial gain, or (ii) attempt, assist, sponsor or provide financial, material or technological support for any of the targeted harms listed above.
While relevant regulations have not yet been promulgated, the Treasury Department’s Office of Foreign Assets Control (OFAC) anticipates that “cyber-enabled” activities will include acts that are primarily accomplished through, or facilitated by, computers or other electronic devices. For purposes of the executive order, malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.
OFAC will work in coordination with other U.S. government agencies to identify individuals and entities that are responsible for or complicit in, or have directly or indirectly engaged in, the targeted activities discussed above that are a significant threat to the national security, foreign policy, economic health or financial stability of the United States. These individuals and entities will be added to OFAC’s Specially Designated Nationals (SDN) list.
OFAC notes that the sanctions are not designed to prevent or interfere with legitimate cyber-enabled academic, business or non-profit activities, or to target persons engaged in legitimate activities to ensure and promote the security of information systems (e.g., efforts by researchers, cybersecurity experts and network defense specialists to identify, respond to and repair vulnerabilities that could be exploited by malicious actors or to otherwise help companies improve their cybersecurity).
Also, the sanctions will not target victims of cyber attacks, including persons whose personal computers or other networked electronic devices are hijacked to be used in malicious cyber-enabled activities without the person’s knowledge or consent (e.g., in denial-of-service attacks against U.S. financial institutions).
Implications for U.S. Persons
There are no specific steps that U.S. persons need to take right now in order to comply with this executive order, as it was issued without an initial set of designations.
However, once OFAC designates individuals and entities pursuant to this executive order, U.S. persons and persons otherwise subject to OFAC jurisdiction must ensure that they do not engage in trade or other transactions with persons designated on OFAC’s SDN List or any entity owned or controlled by such persons.
U.S. persons, including technology companies or other firms that facilitate or engage in online commerce, should be particularly mindful of unauthorized transactions or dealings with persons named on the SDN List, and should develop a tailored, risk-based compliance program, which includes sanctions list screening and other appropriate measures.