On December 28, 2016, former President Obama issued Executive Order 13757, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (E.O. 13757).1 E.O. 13757 amends an earlier Executive Order 13694 (E.O. 13694) of April 1, 20152, under which the President declared a "national emergency" to deal with the "unusual and extraordinary threat" to U.S. national security, foreign policy and the economy posed by malicious cyber-enabled activities conducted by persons outside the United States in relation to the November 2016 election. Through the December 2016 amendment, President Obama took "additional steps" to deal with such malicious cyber activities in view of their increasing use "to undermine democratic processes or institutions."
It remains unclear whether President Trump will retain these latest cyber sanctions. During his first days in office, President Trump has overridden a number of former President Obama's executive actions, although not yet in the sanctions arena. In addition, President Trump had in the days leading up to his inauguration expressed skepticism regarding the nature and national origin of cyber-enabled activities during the election."
The newly amended E.O. 13694 directs the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose economic sanctions on those persons determined to be responsible for, or complicit in, activities leading to specific harms caused by significant malicious cyber-enabled activities. The amendment now also allows for the imposition of sanctions on individuals and entities found to be responsible for tampering, altering or causing the misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.
Acting pursuant to delegated authority, the Department of Treasury's Office of Foreign Assets Control (OFAC) works in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in E.O. 13694, as amended, and designates them for sanctions. Persons designated under this authority are added to OFAC's list of Specially Designated Nationals and Blocked Persons (SDN List). The amendment includes a list of blocked entities and individuals in an Annex.
Original Executive Order 13694
E.O. 13694 prohibits dealing in the property, or interests in property, that come within the United States, of "blocked persons." Under E.O. 13694, any party may be blocked if the U.S. government determines that the party is responsible for, complicit in or has directly or indirectly engaged in cyber-enabled activities. These activities may have originated from, or been directed by, persons located outside of the United States that:
- Harm or otherwise significantly compromise the provision of services by a computer or network of computers that supports one or more entities in a critical infrastructure sector;
- Significantly compromise the provision of services by one or more entities in a critical infrastructure sector
- Cause a significant disruption to the availability of a computer or network of computers or
- Cause a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain
E.O. 13694 also permits the Secretary of the Treasury to designate parties who:
- Derive commercial or economic gain from trade secrets misappropriated through cyber-enabled means;
- Have materially assisted, sponsored or provided financial, material or technological support for, or goods or services in support of such activities; or
- Are owned or controlled by parties blocked under that Executive Order.
The Amendments Under Executive Order 13757
Substantively, E.O. 13757 amends E.O. 13694 in three main ways:
- While E.O. 13694 authorized the imposition of sanctions for malicious cyber-enabled activities that result in the enumerated harms, the U.S. government had not designated any parties to that new sanctions program. E.O. 13757 adds a designated list of blocked persons in an Annex to the Order. The list comprises five entities and four individuals of Russian origin which OFAC has now added to its SDN List.3
- The authority has been amended to specifically allow for the imposition of sanctions on individuals and entities determined to be responsible for "tampering with, altering, or causing the misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions."
- A new section has been added to allow the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to determine that circumstances no longer warrant the blocking of the property and interests in property of a person listed in the Annex, and to take necessary action to give effect to that determination.
The Consequence of Designation on the Specially Designated Nationals and Blocked Persons (SDN) List4
The regulatory regime under the E.O. 13694, as amended, resembles the counter-terrorism, counter-proliferation and counter-narcotics sanctions already administered by OFAC. As with those regimes, the sanctions to be imposed against malicious cyber attacks are individual- or entity-specific, rather than against whole countries.
After designation, the blocked persons are added to the SDN List administered by OFAC. U.S. persons are prohibited from conducting business or otherwise transacting with blocked persons. Those that do so may be subject to an investigation and/or enforcement action by OFAC. The civil penalties for violations of OFAC's cyber-related sanctions vary from $284,582 per violation to twice the value of the underlying transaction. Criminal penalties for willful violations can be as high as $1 million or 20 years' imprisonment.
As with many of the sanctions programs that Treasury administers, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC's SDN List pursuant to E.O. 13694, as amended, or any entity owned 50 percent or more by such persons.
As a general matter, U.S. persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on any of OFAC's sanctions lists or operate in jurisdictions targeted by comprehensive sanctions programs. As a result, such persons, including technology companies, are encouraged to develop a tailored, risk-based compliance program, which may include sanctions-list screening or other appropriate measures. An adequate compliance solution will depend on a variety of factors, including the type of business involved. There is no single compliance program or solution suitable for every circumstance.