On 29 December 2016, President Obama signed an Executive Order entitled "Taking Additional Steps To Address The National Emergency With Respect To Significant Malicious Cyber-Enabled Activities". In an official statement, President Obama said that the Executive Order was issued "in response to the Russian government's aggressive harassment of U.S. officials and cyber operations aimed at the U.S. Election".
The Executive Order amends the previously adopted sanctions regime against foreign individuals and entities engaged in malicious cyber-enabled activities, expanding its scope to include cyber activity targeting U.S. election processes and institutions and adding nine Russian entities and individuals to the Specially Designated Nationals and Blocked Persons List (the "SDN List") of the Office of Foreign Assets Control ("OFAC") within the Department of the Treasury.
The sanctioned entities include two Russian intelligence services (the GRU and the FSB) and three companies that have allegedly provided material support to the GRU’s cyber operations (Autonomous Noncommercial Organization Professional Association of Designers of Data Processing Systems, Special Technology Center, and Zorsecurity). The four sanctioned individuals include senior members of the GRU: Vladimir Stepanovich Alexeyev, Sergey Gizunov, Igor Korobov and Igor Kostyukov.
OFAC has identified two additional individuals to be added to the SDN List, Evgeniy Mikhaylovich Bogachev and Aleksey Alekseyevich Belan, under a pre-existing portion of the Executive Order for engaging in cyber-enabled activity to cause misappropriation of funds and of personal identifying information.
The cybersecurity sanctions regime was established on April 1, 2015 by President Obama in an effort to counter cyber threats to national security, foreign policy, economic health and financial stability of the United States. The "national emergency" concerning cybersecurity of the United States, which forms the basis of this particular sanctions regime, was renewed on March 29, 2016.
Prior to yesterday's amendment, the application of the cybersecurity sanctions regime was limited to cyber-enabled activities with the purpose or effect of (i) significantly harming or compromising critical infrastructure; (ii) misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain; (iii) knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain; (iv) disrupting the availability of a computer or network of computers; and (v) attempting, assisting or providing material support for any of the above activities.
In response to the Obama administration's announcement of cybersecurity-related sanctions against Russia, President-elect Trump has stated that while he believes it is "time for the country to move on to bigger and better things," he will nevertheless "meet with leaders of the intelligence community [this] week in order to be updated on the facts of this situation." It will be important to follow any developments with regard to the scope and application of the cybersecurity sanctions regime as Mr. Trump takes office on January 20, 2017 and the direction of U.S. foreign policy with respect to Russia becomes clearer.