- President Barack Obama used the Cybersecurity Executive Order (EO) 13964 for the first time ever and amended it to include the U.S. electoral system as part of critical infrastructure.
- The EO was issued in response to intelligence community findings that the Russian government engaged in malicious cyber activity with respect to the U.S. electoral system.
- Under the new provisions, the President sanctioned nine Russian entities and individuals: two Russian intelligence services, four individual officers of the intelligence services and three Russian companies that provided "material support."
- U.S. companies and persons doing business in Russia will need to carefully review the underlying parameters of the original and amended EO to ensure that any business with the sanctioned entities and individuals ceases.
President Barack Obama amended Executive Order (EO) 13964 on December 29, 2016, in response to intelligence community findings that the Russian government engaged in malicious cyber activity with respect to the U.S. electoral system. The original EO, which was issued in April 2015, focused on 16 critical infrastructure sectors but did not cover the electoral system. Under the new provisions, the President sanctioned nine Russian entities and individuals: two Russian intelligence services, four individual officers of the intelligence services and three Russian companies that provided "material support."
The White House announced that the sanctions were also in response to the Russian government's "aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election in 2016," which were intended to "erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government." The entities and individuals sanctioned include:
- The GRU and the FSB: The GRU, Russia's foreign military intelligence service, was designated for its involvement in the tampering, altering or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election process. Similarly, the FSB, Russia's primary security agency, was designated for assisting in the GRU's interference with the 2016 U.S. election process.
- Four top-level GRU personnel: The current Chief of the GRU, the Deputy Chief of the GRU and two First Deputy Chiefs of the GRU have been designated on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons list (SDN list).
- Three companies that provided "material support" to the GRU: The President has designated the 1) Special Technology Center (STLC Ltd. Special Technology Center St. Petersburg) for assisting the GRU in conducting signals intelligence operations, 2) Zorsecurity (Esage Lab) for providing the GRU with technical research and development, and 3) the Autonomous Noncommercial Organization "Professional Association of Designers of Data Processing Systems" (ANO PO KSI) for providing the GRU with "specialized training."
Implications of Using Cybersecurity EO 13964
An important issue to note is the actual use of cybersecurity-related sanctions, which have a potentially broad impact on all global companies. As a reminder, the underlying EO authorizes the imposition of sanctions against persons who "are responsible for or complicit in, or have engaged in, directly or indirectly, cyber-enabled activities ... that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy or economic health or financial stability of the United States" and that have the purpose or effect of:
- harming or significantly compromising computers or organizations supporting one or more entities in any of the 16 identified critical U.S. infrastructure sectors
- significantly compromising the ability of critical infrastructure sectors to provide their services
- significantly disrupting the availability of a computer or network of computers
- engaging in or benefiting from economic espionage
The EO also authorizes the imposition of sanctions against any person who aids and abets the person responsible for significant malicious, cyber-related activities, whether through "financial, material or technological support for or goods and services in support of" this activity.
The analysis of whether a company has knowingly or unknowingly provided this assistance was relatively unclear after the issuance of the initial EO. Global corporations often have a tangled web of contracts and consultants, and this EO has broader implications of which corporations need to be aware. The EO authorizes the U.S. Secretary of the Treasury, in consultation with the U.S. Attorney General and the U.S. Secretary of State, to impose sanctions.
Consequences of Being Sanctioned by OFAC
Once designated for sanctions, persons are added to OFAC's SDN list. The effects of such designation are significant. All U.S. assets of SDNs are automatically frozen, U.S. individuals and entities are prohibited from doing business with SDNs, and SDNs cannot engage in dollar-denominated transactions. Sanctioned individuals are also prohibited from entering the U.S.
U.S. companies and persons doing business in Russia will need to ensure that any business with the entities and individuals above ceases. Extra diligence may be required in certain circumstances as it may not be clear that a company or individual is associated with the GRU or FSB. The SDN list was updated to include cyber-specific individuals and categories immediately after the issuance of EO 13964 in 2015.
OFAC Revises FAQs Regarding EO 13964
OFAC has revised its Frequently Asked Questions (FAQs) to help clarify the amended EO's application going forward. The FAQs highlight the following information:
- The amended EO continues to be intended to address situations in which, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government.
- U.S. persons, and specifically online commerce and technology companies, are responsible for ensuring they do not engage in unauthorized transactions or dealings with the sanctioned entities.
- The amended provisions of the EO are not meant to target American whistleblower or constitutionally protected activity but instead meant to sanction individuals who take or obtain "by improper means, without permission or consent or under false pretenses" information with the purpose or effect of interfering or undermining election processes or institutions.
Related Actions Taken by the White House and Executive Branch
- In addition to the sanctions, the Obama Administration declared 35 Russian government officials in the U.S. as persona non grata in response to the harassment of U.S. diplomatic personnel in Russia by Russian security personnel and police. The Russian officials and their families were given 72 hours to depart the U.S. On January 1, 2017, the U.S. Department of State confirmed that all 35 government officials had left the U.S.
- Under a pre-existing portion of EO 13964, the U.S. Department of the Treasury designated two Russian individuals, Evgeniy Bogachev and Aleksey Belan, as using cyber-enabled means to cause misappropriation of funds and personal identifying information.
- The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint analysis report providing unclassified information on the type of malware called GRIZZLY STEPPE used by Russia to compromise the U.S. election system and indicated that companies should analyze their respective systems to ensure the malware was not present.