On December 29, 2016, President Obama issued an executive order to authorize several actions in response to cyber activities of the Russian government that were related to the 2016 US election.[1] The action receiving the most public attention was the imposition of primary economic sanctions on nine persons found to be responsible for or complicit in malicious cyberattacks designed to interfere with the election.[2] The imposition of these sanctions marks the first time that the president has used his wide-ranging authority to sanction companies and individuals for engaging in or supporting cybercrime. All US persons and many non-US persons who are contractually or otherwise required to comply with US sanctions laws are now prohibited from directly or indirectly doing business with the sanctioned persons.
Cyber Executive Order
The new executive order amends Executive Order 13694 (the “Cyber-Related Sanctions EO”), signed in April 2015, which declared that the “increasing prevalence and severity of malicious cyber-enabled activities” constitute “an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” Although conventional wisdom at the time was that the executive order was focused on cybercrimes coming from China and Russia, the executive order does not identify countries or regions but instead applies to a broad range of activities not limited to a specific country.
There are two separate activities targeted by the Cyber-Related Sanctions EO. The first is “malicious cyber-enabled activity” that contributes to a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has one of the following effects:
(A) Harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
(B) Significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
(C) Causing a significant disruption to the availability of a computer or network of computers; or
(D) Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
In December 2015, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) promulgated initial regulations implementing the Cyber-Related Sanctions EO[3] and explained that “malicious cyber-enabled activities” in the executive order include “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”[4]
The second activity targeted by the Cyber-Related Sanctions EO is the receipt or use of trade secrets that have been knowingly misappropriated through cyber-enabled means for commercial advantage or private financial gain, where that activity is reasonably likely to result in or materially contribute to a significant threat to the national security, foreign policy, economic health or financial stability of the United States. This second category also covers any material assistance or support for, or any attempt to engage in, any of the activities listed above. The executive order therefore reaches not only cybercriminals but also those who benefit from cybertheft even if they do not directly engage in it themselves.
One of the actions the president undertook last week was to append to the list of effects of “malicious cyber-enabled activity” in the executive order a category (E) for “tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.” Pursuant to this executive order, the president then directly sanctioned two Russian intelligence services, four Russian individuals and three Russian companies that supported the Russian government’s cyber activities to influence the 2016 US election[5] and instructed the US Department of the Treasury to designate as Specially Designated Nationals (“SDNs”) two Russian individuals who used cyber-enabled means to cause the misappropriation of funds and personally identifiable information in activity that was apparently unrelated to the election.[6]
Sharing Attribution Information Regarding Russian Interference
In October 2016, the US Department of Homeland Security and the Office of the Director of National Intelligence released a statement that the US Intelligence Community (“IC”) had assessed with confidence that the “recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona . . . are intended to interfere with the US election process . . . [and] that only Russia's senior-most officials could have authorized these activities.”[7] The US actions taken on December 29, 2016, reflect a carefully calculated response to the allegedly unprecedented nature of the Russian government’s reported interference in the election.
In particular, the US Department of Homeland Security and the Federal Bureau of Investigation released a Joint Analysis Report (“JAR”) describing technical information related to Russian cyber activities.[8] The JAR states that two Kremlin-backed espionage groups, Advanced Persistent Threat (“APT”) 28 and APT 29, infiltrated a US political party’s infrastructure using a variety of spear-phishing attacks (i.e., tricking an employee into clicking a link that downloaded malware onto the political party’s computers). For example, “APT 29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.”[9] These groups then publicly disclosed the exfiltrated emails in a manner that the IC assessed as designed to interfere with the ongoing election.
President Obama stated that the US actions announced on December 29 are the first in what may be a number of public and covert US actions to respond to the Russian government’s cyber activities while opposing Russia’s attempts to “undermine established international norms of behavior, and interfere with democratic governance.”[10]
The immediate consequences of President Obama’s actions are that US persons are prohibited from doing business with the 11 newly designated SDNs and must block any property belonging to those persons. This prohibition includes companies in which one or more SDNs have a 50 percent or greater ownership interest. The actions also prohibit entry into the United States for natural person SDNs and have caused the US Department of Commerce to list the new entity SDNs on the Entity List for purposes of export control regulations.[11]
Accordingly, US companies should (i) review the JAR and consider incorporating its technical findings into their ongoing cybersecurity activities and (ii) ensure that they do not do business with, or hold property belonging to, persons subject to OFAC sanctions. Non-US companies should also consider whether they (i) should adopt the best practices in the JAR and (ii) are contractually or otherwise required to comply with OFAC sanctions with respect to the newly designated SDNs. US financial institutions and non-US financial institutions that clear US dollar transactions should review the new SDN designations to ensure that their transaction interdiction systems reflect the most current sanctions lists.