On April 1, 2015, President Obama issued an Executive Order entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” (the Executive Order). Modeled after sanctions programs proving to be increasingly effective in the anti-terror and anti-proliferation realms, the Executive Order authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to sanction foreign persons or entities that engage in “malicious cyber-enabled activities.”
In the absence of comprehensive federal legislation addressing cyber and data privacy issues – and a growing divide between Congress and the White House as to what such legislation should consist of – the Executive Order marks another unilateral effort by the President to push his cybersecurity agenda forward. By cutting off their access to the US financial system, technology supply and infrastructure, the Executive Order aims to deter hackers who, by virtue of their foreign status, may otherwise be beyond the reach of traditional law enforcement measures. The Office of Foreign Assets Control will now draft and issue regulations to implement the Executive Order.
Impact of the Executive Order
Given the potentially far-reaching impact of the cybersanctions, the threshold for their application is appropriately high: the Executive Order covers only cyberactivities that present “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Further, such activities must cause, or materially contribute to, one of four specified harms, namely:
- a significant compromise of services by entities in a critical infrastructure sector (for example, by downing a power grid);
- a significant disruption of major computer networks (for example, through a denial-of-service attack);
- the misappropriation of funds, intellectual property, trade secrets, personal identifiers, or financial information for a competitive advantage or financial gain (for example, by stealing large quantities of credit card information, trade secrets, or sensitive information); or
- the receipt or use of stolen information.
Accordingly, cyberattacks or espionage that, for example, threaten major players in the US economy or companies that engage in businesses linked to national security interests are covered.
Notably, prior to the announcement of this cybersanctions program, the United States did not have an appropriate mechanism for targeted retaliation against cybercriminals who cause major disruptions in the United States. Even when the US government sanctioned organizations and persons in response to the cyberattack on Sony Pictures Entertainment, none of those individuals or entities were themselves hackers, or were even accused of playing any part in the cyberattack.
The cybersanctions program may prove difficult to enforce; it is unlikely that the US government will always be able to identify the perpetrator of a cybercrime quickly and definitively, particularly the specific individual or entity. Hackers from the nation-states that most aggressively back cyberattacks and spying on US companies have proven particularly adept at hiding their tracks. The ability to evade detection may mean that, for many cybercriminals, the low probability of sanctions does not outweigh the rewards of stealing US trade secrets and business intelligence.
Perhaps anticipating such challenges, the Executive Order expressly authorizes OFAC to sanction not just foreign hackers, but also any company or individual that uses or profits from the information such hackers steal. Targeting the users of stolen technology obviates the need to identify the perpetrator of the underlying cyberattack, and may well prove to be both easier to enforce and a more powerful deterrent. The prospect that sellers and users of stolen technology could themselves be denied access to the US financial system may go far to combat the prevalent practice of stealing trade secrets from US companies.
The new cybersanctions program reflects the President’s goal of addressing cybersecurity threats in the absence of federal cybersecurity legislation. The effectiveness of the Executive Order in deterring cybercrime, however, remains to be seen.
The authors would like to thank Mia Havel for her assistance in the preparation of this alert.