On December 29, 2016, the US government announced several measures in response to the Russian government’s alleged “aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election.” The measures impose sanctions against nine Russian parties, including the Russian Federal Security Service (“FSS” or “FSB”). In addition, the US government announced the expulsion of 35 Russian diplomats from the United States and the closing of two US properties for their alleged intelligence operations. As a result of the sanctions, US companies will now likely require US government authorization prior to dealing with the FSB, which can include submissions to or the receipt of approvals from the FSB to market or distribute certain encryption products in Russia or participation in certain other regulatory actions before the FSB.
New US Sanctions:
The sanctions were imposed under a new Executive Order (“Cyber EO 2”) issued by President Obama to expand the sanctions authorities previously available under Executive Order 13694 (April 1, 2015), the so-called “Cyber EO” that targets certain “malicious cyber-enabled activities.” Cyber EO 2 additionally allows sanctions against:
- any persons listed in an Annex to the amended Cyber EO; and
- any persons found to be involved in certain cyber-enabled activities originating or directed from outside the United States that have purpose or effect of “tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.”
The nine Russian entities and individuals listed in the Annex of the amended Cyber EO have been added to the List of Specially Designated Nationals and Blocked Persons (“SDN List”) maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As a result, “US Persons” (i.e., (i) US citizens and permanent residents, (ii) entities organized under the laws of the United States and their foreign branches, and (iii) any individual or entity located in the United States) are now barred from dealing with the SDNs in almost all circumstances. Any property of such SDNs must be blocked (or “frozen”) if it comes within the United States or the possession/control of a US Person.
In addition to the FSB, the Russian Main Intelligence Directorate (“GRU”), and four of their high-ranking officials, three entities were sanctioned that provided “material support” to the GRU:
- The Special Technology Center (a.k.a. STLC, Ltd. Special Technology Center St. Petersburg);
- Zorsecurity (a.k.a. Esage Lab); and
- The Autonomous Noncommercial Organization “Professional Association of Designers of Data Processing Systems” (a.k.a. ANO PO KSI).
Furthermore, two additional Russian individuals were sanctioned under a pre-existing portion of the Cyber EO for using cyber-enabled means to cause misappropriation of funds and personal identifying information. No persons had previously been sanctioned under the prior version of the Cyber EO.
Complete identifying information for all of the sanctioned entities and individuals may be found at: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20161229.aspx. A White House Statement and Fact Sheet are also available, which outline additional actions taken by the US government in response to the Russian government’s alleged activities.
Potential Regulatory Burdens:
Because the FSB performs certain administrative functions, such as review and approval of commercial encryption products for import and distribution in Russia, the effect on certain US companies and individuals doing business in Russian could be significant. Given the broad prohibitions on US Person involvement with the FSB, US technology companies may be required to obtain an OFAC authorization prior to making submissions to and requesting approval from the FSB to market and sell new encryption products in Russia. In addition, given that the FSB can play a wide range of roles opposite companies, other regulatory interactions by US Persons with the FSB may also require OFAC authorization.
A similar situation resulted when OFAC imposed sanctions under the Crimea program on FAU Glavgosekspertiza Rossii (“GGE”), a Russian state-owned-entity responsible for issuing certain project design reviews and permits required by Russian law. The designation of GGE prevented US Persons from obtaining the required reviews and permits for a wide variety of projects, until OFAC issued a general license authorizing US Persons to obtain the necessary approvals from GGE for projects in Russia without further authorization by OFAC. To date, the US Commerce Department has not issued any similar authorization for companies requesting permits from GGE. As a result, those that wish to provide goods, software, or technology (including technical data) that are of US origin or otherwise subject to the Export Administration Regulations in connection with the permitting process through GGE are still required to obtain US Commerce Department approval before doing so.
Companies doing business in or with Russia should be prepared for potentially fast-moving developments that could include:
- Changes by the US Commerce Department’s Bureau of Industry and Security under the Export Administration Regulations: As of the date and time of the posting of this blog, there has been no formal action by this agency to implement Cyber EO 2, but corresponding additions of the SDNs to the various lists maintained by the Bureau of Industry and Security are anticipated. Such action would expand the reach of Cyber EO 2 beyond US Persons by prohibiting non-US Persons from supplying the SDNs with certain US-origin items or non-US made items with controlled US content exceeding 25%.
- Changes by incoming Trump administration: The incoming administration has indicated an interest in improving relations with Russia and will have the legal authority to reverse these new sanctions without delay or input from the US Congress.
- Congressional action: News reports suggest that some Senate Republicans may push for even stricter sanctions against Russia or enact legislation to constrain the Trump administration’s authority to reverse the new sanction.
- Retaliation by Russia: Russia may decide to take retaliatory measures against the United States in response to these actions. On December 30, President Putin rejected recommendations to expel US diplomats from Russia, while “reserving the right” to impose such measures in the future, depending upon the incoming administration’s approach.
- Increasing focus on cybersecurity issues: In connection with Thursday’s announcements, the Department of Homeland Security and FBI issued a Joint Analysis Report (“JAR”), which details the cyber operation tactics used by Russian intelligence actors and recommends several actions that organizations can take to mitigate cybersecurity risks.