On December 31, 2015, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published a final rule to formally create a new cyber-related sanctions program. The new Cyber-Related Sanctions Regulations implement Executive Order 13694 of April 1, 2015 (“EO 13694”). For further information regarding EO 13694, please see our previous alert. OFAC’s new cyber sanctions program targets persons involved in malicious cyber-enabled activities that create a significant threat to U.S. national security, foreign policy, or economic health or financial stability. The Cyber-Related Sanctions Regulations are being published in an abbreviated form at this time, with only the standard provisions included in all OFAC sanctions programs. However, OFAC has indicated that it intends to publish a more comprehensive set of sanctions regulations at a later date, which may include specific interpretations, definitions, or licensing policy. The current regulations are effective immediately.
Since no persons have yet been designated under EO 13694, these cyber sanctions regulations do not impose any additional compliance burden at this time. However, they may signal that the sanctions program will soon become active, and the Obama Administration may be preparing designations under EO 13694.
The cyber sanctions program is a typical list-based “blocking” regime that targets designated individuals and entities, prohibiting U.S. persons from engaging in any transactions with them. The prohibited transactions described in the cyber sanctions regulations are limited to the prohibitions contained in EO 13694. Although no persons have yet been designated under EO 13694, it may be used to impose an asset freeze on persons determined by the United States:
- (i) to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose or effect of:
  - harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
  - significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
  - causing a significant disruption to the availability of a computer or network of computers; or
  - causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain; or
- (ii) to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States, of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
- (iii) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in (i) or (ii), or any person blocked under this Executive Order;
- (iv) to be owned or controlled by, or acting on behalf of, any person blocked under this Executive Order; or
- (v) to have attempted to engage in any of the activities described in (i) – (iv) above.
While it was anticipated last year that certain Chinese persons would be designated under EO 13694 in response to cyberattacks and commercial espionage, those designations were not in fact made. It is likely that the planned designations were placed on hold after the United States and China reached an agreement on cybersecurity cooperation during President Xi Jinping’s visit to the United States in September 2015.
Future amendments to these sanctions regulations will likely provide definitions that were previewed by OFAC in FAQs published shortly after EO 13694. For example, OFAC anticipated defining “cyber-enabled” activities to include “any act that is primarily accomplished through or facilitated by computers or other electronic devices.” In turn, “malicious cyber-enabled activities” will likely be defined to include “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”