In an Executive Order issued yesterday, the White House established a new sanctions regime for “significant malicious cyber-enabled activities,” including harming or impeding critical infrastructure, disrupting the availability of computer networks (as in a DDOS attack), and misappropriation of trade secrets. The Order is the latest in a two-year-long series of executive branch actions trying to address cybersecurity threats to U.S. businesses and other entities, and it further cements the important role of the Treasury Department, which also administers the sanctions imposed against North Korea in January in response to the Sony hack.
The issuance of the Order is an important development because it signals how serious the Obama Administration believes the threat from malicious cyber activities has become and it shows that the Administration is deploying a diverse range of tools to address the threat. But many questions remain, including two overriding—perhaps even totalizing—ones: how will the sanctions be deployed, and will they work where other tactics have failed?
Overview of the Cyber-Sanctions Regime
The Order, issued pursuant to the International Emergency Economic Powers Act, among other authorities, declares a “national emergency” due to the “increasing prevalence and severity” of cyber threats originating outside the United States. It authorizes the Secretary of the Treasury to freeze the assets of persons or entities that have engaged in malicious cyber activities that cross a significance threshold. In particular, the cyber activities must be “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”
Cyber activities that meet the significance threshold must also have one of four specified purposes or effects:
(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
(C) causing a significant disruption to the availability of a computer or network of computers; or
(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
Significantly, the Order also authorizes sanctions against individuals and entities that have assisted or benefitted from the above-listed actions. In particular, the Secretary of the Treasury can sanction any person (or entity) he determines is responsible for, complicit in, or engaged in receipt of trade secrets stolen through cyber means if the party knows the trade secret was stolen and the theft of the trade secret meets the significance threshold set out above.
A separate provision of the Order denies entry into the United States to individuals that meet the sanctions criteria.
The Order raises a number of interesting questions, but I’ll focus here on just two important ones.
1. How will the Order be applied?
On the same day the White House issued the North Korea sanctions Executive Order in January, the Treasury Department released a list of individuals and organizations sanctioned under the new Order. For yesterday’s Order, however, no designations were released, so it remains to be seen how and how often the Treasury Department will use its new sanctions authority.
In a blog post, President Obama suggested that the sanctions would be “used judiciously” to “go after the worst of the worst.” In a separate post, White House Cybersecurity Coordinator Michael Daniel echoed the “worst of the worst” language and explained that the targets of the sanctions would be “[t]hose whose cyber activities—whether directed against our critical infrastructure, our companies, or our citizens—could threaten the national security, foreign policy, economic health, or financial stability of the United States.”
The Order’s provisions regarding theft of intellectual property may be most directed to China, as others have suggested, but at least one provision appears aimed at past Iranian actions, namely DDOS attacks against U.S. financial institutions. The Order refers to actions that “(C) caus[e] a significant disruption to the availability of a computer or network of computers,” and the White House fact sheet lists a DDOS attack as an example for that provision. This provision seems very broad—covering “significant disruption to the availability” of even a single computer, with no requirement that the computer even be in a critical infrastructure sector. But it becomes more commensurate with the other provisions of the Order if it is understood as a response to the massive DDOS attacks on U.S. financial institutions in 2012 and 2013 that have been attributed to Iran. Indeed, President Obama’s post on the sanctions specifically alludes to “Iranian hackers” targeting U.S. banks. Iran, of course, is already subject to heavy sanctions, but if those sanctions were to be loosened as part of a nuclear deal, the new cyber sanctions might have more bite. (Details on the results of the nuclear negotiations remain pending.)
Daniel said during a press call that the Administration does not have a timeline for announcing designations, so it may be a while until the full enforcement picture emerges.
2. Will the sanctions succeed in decreasing the cyber-threats they target?
Maybe. The sanctions target not only hackers themselves, but those who are complicit in or benefit from trade secrets they know to be stolen. The Order thus presumably reaches businesses, including some that want to access the U.S. market and may be willing to change their behavior to maintain such market access.
The issuance of the Order itself, even without imposition of sanctions, may have some deterrent effect. In fact, the Administration may be waiting to gauge the effect of the Order acting alone before issuing any designations pursuant to it. Daniel came close to suggesting this strategy in a press call, where he explained, “we want to have this tool available as a deterrent . . . So it’s not just actually composing the sanctions where we hope to have the effect.” Such a ratcheting up over time would be consistent with the Administration’s patterns over the past two years of moving from, for example, naming China as a source of cyberattacks to indicting Chinese officials for cybercrimes more than a year later.
The Order may also cast a broad shadow. Acting Director of Treasury’s Office of Foreign Assets Control John Smith noted in a press call that a sanctions designation not only freezes the assets of the person or entity designated but also “prevents U.S. persons from engaging in any transactions with those named” under the Executive Order. The Order may cause businesses to more closely examine their supply chains for entities that benefit from stolen trade secrets and to avoid relationships with entities that are or even might become subject to U.S. sanctions. In fact, ambiguity about how exactly the Order will be applied could contribute to its deterrent effect if the uncertainty causes businesses, as a prophylactic measure, to avoid a larger swath of suppliers than they would if they could confidently predict who would be sanctioned. If the Order makes business more difficult and less profitable for entities that benefit from stolen intellectual property, it will have accomplished at least part of its goal of decreasing the rewards of cybercrime.