Many cybersecurity experts have warned that the United States is already engaged in covert cyber warfare against hostile actors around the world. The latest cybersecurity Executive Order reflects formal recognition that, regardless of whether we call it war, cyber threat activity directed at U.S. critical infrastructure has created a national emergency.
Exercising authority granted by the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) and the National Emergencies Act (50 U.S.C. 1601 et seq.), among other statutes, President Obama issued an order on April 1, 2015, titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” The Executive Order authorizes the Secretary of the Treasury – in consultation with the Attorney General and the Secretary of State – to impose sanctions on individuals or entities that engage in cyber-enabled activities from outside of the United States that create a “significant threat to the national security, foreign policy or economic health or financial stability of the United States.”
While the Executive Order does not define “significant,” it says sanctions can be imposed for a variety of reasons: for example, in response to attacks that target critical infrastructure or that disrupt networks (via distributed denial-of-service attacks, for instance), as well as for targeting or stealing trade secrets or personally identifiable information, and for computer crime in general.
This Executive Order is best understood as an effort to fill a gap in current enforcement tools, one that exists where individuals carrying out significant malicious cyber attacks are located in places that are difficult for U.S. diplomatic and law enforcement tools to reach. These individuals may be carrying out attacks with impunity because they operate behind the borders of a country that has weak cybersecurity laws, or whose government is complicit in or turning a blind eye to the activity. In these situations, the U.S. cannot rely on good law enforcement or diplomatic relationships.
The Executive Order addresses this situation by empowering the Treasury to freeze any assets of those who participate in or support such activities. The sanctions provided for here are analogous to sanctions that have been issued in other international conflicts, such as the dispute with Russia over Ukraine.
While the United States is adding a weapon to its arsenal in the fight against cyber threats, private companies should not expect to see any immediate reduction in the number of cyber threats that they face. At best, this Executive Order is one additional weapon intended for use in a long battle.
This Executive Order, however, should serve as a wake-up call to any critical infrastructure companies that are not treating cyber threats as a serious and fundamental risk. The administration is recognizing cyber threats as a “national emergency” precisely because of the risks that cyber attacks pose to critical infrastructure industries, such as energy, transportation, finance, healthcare, and manufacturing. In developing a cyber risk management strategy, every critical infrastructure company must ask: Is our cyber risk management strategy premised on an understanding that cyber threats are a national emergency? If not, why not?