Obama Expands Cyber Sanctions to Cover Election Hacking, Then Uses it to Sanction Russian Intelligence Agencies and Others

On December 29, 2016, the President amended Executive Order 13964, which was originally issued in April 2015, to explicitly authorize sanctions on those found to be “tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.” See our earlier advisories, here and here, for more information about the original executive order and the related regulations.

At the same time, the President used this newly expanded authority to sanction a number of Russian individuals and entities. Notably, the President sanctioned the two primary intelligence agencies of the Russian Federation, the GRU and the FSB. This is the first time the U.S. Government has used the cyber-related sanctions authority in that executive order.

A White House fact sheet and statement describe the full scope of these actions, which it says were taken “in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election in 2016. Russia’s cyber activities were intended to influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government.” The designation of the GRU and the FSB, along with senior officials of the GRU and related entities, will block any property belonging to those entities within U.S. jurisdiction and prohibit any transactions or dealings by U.S. persons with them or any entity owned by them. While the GRU and FSB are unlikely to conduct a significant amount of overt commerce (and may not conduct any), these designations will call for additional due diligence in some circumstances when doing business in Russia. The technology sector should be particularly watchful of any commerce involving Russia that could be diverted to benefit the Russian intelligence community, as that type of activity will likely be a focus for enforcement.

In this action, the GRU was “designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes.” The FSB was designated for assisting the GRU in conducting these activities. An entity called the Special Technology Center was sanctioned for assisting the GRU in conducting signals intelligence operations, Zorsecurity was listed for providing the GRU with technical research and development support; and the Autonomous Noncommercial Organization “Professional Association of Designers of Data Processing Systems” was sanctioned for providing specialized training to the GRU. Also sanctioned were the current Chief, Deputy Chief and two First Deputy Chiefs of the GRU.

In a related action, OFAC designated two Russian individuals under the pre-existing authority of this executive order for misappropriating funds and personal identifying information. One is said to have been responsible for the theft of over $100 million from U.S. financial institutions, Fortune 500 firms, universities, and government agencies, and the other to have compromised the computer networks of at least three major U.S.-based e-commerce companies. An OFAC press release and sanctions announcement provide more detail.

The U.S. Government has also taken non-sanctions measures against Russia, including expelling 35 Russian diplomatic personnel from the United States and denying Russia access to two Russian government-owned compounds said to have been used by Russian personnel for intelligence-related purposes. Perhaps most remarkably, the Department of Homeland Security and FBI released a Joint Analysis Report (JAR) that contains newly declassified technical information on the Russian intelligence services’ cyber activity, in order to help cybersecurity providers identify, detect, and disrupt Russian hacking. The JAR includes information on computers around the world that Russian intelligence services reportedly co-opted without the knowledge of their owners in order to conduct malicious activity, and data to allow the identification of certain malware that the Russian intelligence services use, which the White House says will force the Russian intelligence services to re-engineer their malware.

The U.S. Government may take additional actions against Russia in the coming weeks or months, although the incoming Trump administration would have the authority to undo this and other executive actions by President Obama. President Obama’s statement notes that “these actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.” The day prior, Senator Lindsay Graham said that “there will be bipartisan sanctions coming that will hit Russia hard, particularly Putin as an individual.”