On April 1, 2015, President Obama issued an executive order declaring “cyber-enabled malicious activities” a national emergency due to the “increasing prevalence and severity” of such attacks originating from or directed by persons outside the United States.1 The executive order gives the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, the power to impose economic sanctions on certain designated individuals and entities that have been directly or indirectly involved in malicious cyberattacks against U.S. networks, critical infrastructure, as well as those involving the theft of economic resources or personal and financial information, or the misappropriation of trade secrets.
Though the executive order did not contain a list of designated individuals, it does outline and provide a framework for the use of the Department of the Treasury’s economic sanctions regime to combat significant cyberthreats. Any individuals or entities designated by the Treasury Department under the executive order will be subject to a travel ban and “blocked,” meaning that any of their property or interests in the United States will be frozen, and U.S. persons may be prohibited from conducting business or otherwise transacting with that person and their property (hereinafter “blocked person”). The types of cyber-enabled activities, individuals, and entities targeted by the executive order are discussed below, along with the U.S. government’s enforcement philosophy and key takeaways from this presidential action.
Cyber-Enabled Activities Targeted
The executive order authorizes the Department of the Treasury to impose sanctions on individuals and entities that engage in specific types of malicious cyber-enabled activities. To be subject to sanctions, the underlying cyber-enabled activity must meet a two-pronged standard. First, the cyber-enabled threat must be “reasonably likely to result in” or have “materially contributed to” a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”2 Second, the designated individual or entity must be “responsible for or complicit in” or have engaged in at least one of the following categories of cyber-enabled conduct:
- Harming or significantly compromising a computer or network of computers belonging to or supporting an entity in a critical infrastructure sector, or the provision of services by an entity in a critical infrastructure sector;3
- Significantly disrupting computer or network availability;
- Causing a significant misappropriation of economic materials including funds, trade secrets, personal information, or financial information for the purpose of commercial or competitive advantage or private financial gain;
- The receipt or use of misappropriated trade secrets, knowing they have been misappropriated, for a commercial or competitive advantage or private financial gain or use by a commercial entity;
- Materially assisting, sponsoring, or providing of financial, material, or technological support for, or goods or services in support of, any activity described in any of the aforementioned conduct or any person blocked under this Order;
- To be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person blocked under this order; or
- Attempting any of the conduct listed above.
As is clear from this standard, the executive order does not target all malicious cyber-enabled activities originating outside the U.S. Rather, these sanctions will only target those malicious cyber-enabled activities that may have a significant threat to U.S. national security interests, foreign policy, or economic health and financial stability.
Section 1 of the executive order emphasizes that the administration is willing to impose severe financial sanctions against the perpetrators and supporters of malicious cyberattacks against the United States. While it is not yet clear how this executive order will be implemented, the regulatory regime will likely be similar to the counter-terrorism, counter-proliferation, and counter-narcotics sanctions already administered by the Department of the Treasury. As with those regimes, the sanctions to be imposed against malicious cyberattacks will be individual or entity-specific rather than against whole countries.
After designation, the blocked person will likely be added to the List of Specially Designated Nationals and Blocked Persons (SDN List) administered by the Department of the Treasury’s Office of Foreign Assets Control (OFAC). U.S. persons are prohibited from conducting business or otherwise transacting with Blocked Persons. Those that do so may be subject to an investigation and/or enforcement action by OFAC. The civil penalties for violations range from $250,000 per violation or twice the value of the underlying transaction. Criminal penalties for willful violations can be as high as $1 million or 20 years imprisonment.
In signing the executive order, the president stated that the United States was “giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit.”4 The executive order serves as a new tool to battle malicious cyberattacks “that may be beyond the reach of our existing capabilities.”5
Additionally, one of the critical goals of this new sanction regime is to remove the financial motivation underlying many cyberattacks. Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, recently stated that “freezing assets of those subject to sanctions and making it more difficult to do business with U.S. entities . . . [will] remove a powerful economic motivation for committing these acts in the first place.”6 The executive order will provide the Secretary of the Treasury with the authority to punish those who use cyberattacks to threaten the United States and to deter those considering potential future attacks.
Though the authority granted by the executive order is broad, the Obama administration has stated that it will be utilized in a “targeted manner against the most significant cyberthreats we face.”7 The sanctions should be reserved for the “worst of the worst of malicious cyber actors.”8
While the executive order provides the government with a powerful tool to address malicious cyber-enabled activities, the extent to which such measures will be effective in the overall deterrence of cyberattacks is not yet known. What is known, however, is that non-compliance with economic sanctions may result in costly investigations and enforcement penalties. To ensure compliance with economic sanctions, companies should adopt written policies and implement procedures to screen their customers, employees, and third-party business partners against the prohibited party lists maintained by the Departments of Commerce, State, and the Treasury, which includes the SDN List administered by OFAC. If a process is already in place, companies should confirm that their screening mechanism includes the most recent updates to prohibited party lists to ensure newly added entries based on the executive order are captured.
Additionally, companies should adopt policies and procedures designed to handle cyber incidents including the adoption of best practices related to the detection, categorization, containment, and remediation of cyber events. Companies that detect malicious cyber-enabled activities may consider reporting such activities to the U.S. government (and may be required to do so in some instances). Such information sharing may result in the addition of certain individuals or entities to a prohibited party list on the authority provided in this executive order. In fact, the administration encourages such information sharing as evidenced by President Obama’s February 12, 2015, executive order designed to “promote sharing of cybersecurity threat information within the private sector and between the private sector and government.”9
The bottom line is that companies should be considering both cyber incident response and economic sanctions from a compliance perspective in order to confront the effect of and minimize the legal risk presented by cyberattacks.
1 Executive Order No. 13,694, 80 Fed. Reg. 18077 (April 2, 2015).
3 Critical infrastructure sectors include energy, emergency services, financial services, healthcare, defense, transportation, information technology, food and agriculture, nuclear resources, water and wastewater systems, critical manufacturing, chemical, dams, and communications as well as the government facilities sector. See http://www.dhs.gov/critical-infrastructure-sectors.
4 The White House Blog, “Our Latest Tool to Combat Cyber Attacks: What You Need to Know,” (April 1, 2015) (quoting President Barack Obama).
6 Expanding Our Ability to Combat Cyber Threats, National Security Council , (April 1, 2015).
7 Fact Sheet, The White House Office of the Press Secretary, “Executive Order Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” (April 1, 2015).
8 See Supra, fn 4.
9 Fact Sheet, The White House Office of the Press Secretary, “Executive Order Promoting Private Sector Cybersecurity Information Sharing,” (February 12, 2015).