Executive order authorizes economic sanctions to combat malicious cyberactivity

May 28, 2015

President Barack Obama recently declared a national emergency relating to cyberthreats, calling them “one of the most serious economic and national security challenges to the United States.”  He issued an executive order titled “blocking the property of certain persons engaging in significant malicious cyber-enabled activities.”

The order is part of the U.S. government’s effort to combat widespread cybertheft from the networks of public and private organizations.  Former National Security Agency Director Keith Alexander previously stated that these widespread cyberthefts “represent the greatest transfer of wealth in human history.”

A broad, flexible tool

The president’s order authorizes sanctions on individuals or entities that are responsible for, are complicit in or engage in malicious cyber-enabled activities originating or directed from abroad.  The cyber-enabled activities must significantly threaten the national security, foreign policy, economic health or financial stability of the United States.

In addition, the cyber-enabled activities must have the purpose or effect of:

  • Harming or significantly compromising the provision of services by an entity in a critical infrastructure sector.
  • Causing significant disruption to the availability of a computer or network of computers (for example, through a denial-of-service attack).
  • Causing significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.
  • Knowingly receiving or using trade secrets misappropriated through cyber-enabled means for commercial or competitive advantage or private financial gain (for example, a corporation that knowingly profits from stolen trade secrets).
  • Materially assisting, sponsoring or providing financial, material or technological support for any of the above activities.

The order sanctions both the “supply side” of cybertheft — hackers and their sponsors — as well as the “demand side” — the recipients or beneficiaries of stolen information.

President Obama issued the order primarily on the basis of his authority under the International Emergency Economic Powers Act, 50 U.S.C. § 1701, and the National Emergencies Act, 50 U.S.C. § 1601.  Under these statutes, the president may authorize a variety of regulatory actions to address foreign threats.

The order delegates to the secretary of the U.S. Department of the Treasury, in consultation with the U.S. attorney general and secretary of state, the authority to promulgate rules and regulations and to take any other action required to implement the order.  Finally, the order authorizes a ban on visas for those persons who are targeted by the sanctions.

What to know about combating cyberthreats

The order is the first to directly address malicious cyberthreats without targeting a particular country or group.  Significant issues might arise when implementing the order, and the resolution of those issues will drive the long-term effectiveness of the new sanctions regime.  Below is our list of the most significant issues.

What sanctions and when?

The sanctions authorized by this order would freeze the assets of individuals and entities specifically named by the Treasury Department, in consultation with the U.S. attorney general and secretary of state.   As of publication, the administration has not yet used this new authority.

Unlike several other sanctions programs, no designations were issued with the order to sanction any individuals or entities, and the administration has not yet named such parties.  In late April it was reported that the administration was “preparing to order the first round of sanctions.”  Deputy Assistant Attorney General for National Security Luke Dembosky indicated the administration has had potential targets in mind since before it released the order, but the agencies are, according to this report, working in coordination and are “being very deliberate” about who to target and when.

The Office of Foreign Assets Control, which is within the U.S. Department of the Treasury, has the authority to coordinate with other agencies and determine which parties should be targeted under the order.  The OFAC will then add any designated entities to its list of “specially designated nationals.”

Under the order, the OFAC also has authority to issue any rules and regulations necessary to implement the program, although it is unclear when the OFAC plans to issue such regulations.  OFAC acting Director John Smith said anyone sanctioned under the executive order will be able to challenge his or her designation through an administrative petition or by filing suit in federal court.

Some have already inquired as to how this new authority will relate to other sanctions regimes.  In January, after the attack on Sony Pictures, President Obama issued an executive order imposing targeted sanctions on North Korean entities, in part on the basis of the “coercive cyber-related actions during November and December 2014[.]”

The OFAC’s Smith clarified that the April 1 order serves a different purpose.  Whereas the January sanctions target the government of North Korea and the Workers’ Party of Korea, the authority under the new executive order is global and would target parties on the basis of their activities.  Like current counter-narcotics and counterterrorism sanctions, the new executive order will enable the United States to target illicit foreign activity “wherever it arises.”

Smith indicated that although the new sanctions tool is “powerful,” it is intended to be used “judiciously and in extraordinary circumstances.”  It remains to be seen just what circumstances will motivate the administration to take that step.

Although the administration has not yet sanctioned any parties under the new executive order, the OFAC has encouraged “firms that facilitate or engage in online commerce” as a general practice to develop “tailored, risk-based compliance program[s].”  If designations are issued under this program, “U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s [specially designated nationals list] pursuant to [the order] or any entity owned by such persons.”

What activities will trigger the sanctions?

Determining which cyberactivities the sanctions will target will be difficult.  It is well accepted that malicious cyberactivity occurs daily.  The executive order suggests that the targeted cyberactivities could be measured in terms of harm to consumer privacy, commercial competitive advantage or certain sectors, particularly in the critical infrastructure sector, but it is unclear what degree will be considered significant.

For example, the order does not describe the size of economic damages or the type of misappropriated trade secrets that would be sufficient to trigger sanctions.  As of yet, few guidelines or precedents provide counsel on the use of this new authority.

Given that the executive order intends to create a high bar for the type of malicious cyberactivities that are sanctionable, and the sanctions only address malicious activities after they cause harm, businesses and legal practitioners should continue to review data-security policies and ensure that they have in place reasonable security measures to protect sensitive information.

Who are the likely targets?

Determining which individuals or entities will be targeted with sanctions will also be difficult.  The executive order authorizes sanctions on individuals or entities that are “responsible for, complicit in or have engaged in, directly or indirectly, malicious cyber-enabled activities” that significantly threaten “the national security, foreign policy, or economic health or financial stability of the United States.”

This scope appears to be exceedingly expansive, authorizing sanctions in areas that are not traditionally thought of as national security, such as the economic competitiveness of private organizations.  However, the executive order does not define the key terms, although the administration has indicated that those terms will be broadly defined.

For example, the OFAC has hinted at forthcoming definitions, stating that “malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access, circumventing one or more protection measures (including by bypassing a firewall), or compromising the security of hardware or software in the supply chain.”

Moreover, malicious cyberactivities are exceptionally difficult to attribute.  Hackers, for example, have rapidly evolving technology arsenals, purposefully obscure their identities and create numerous fingerprints that are difficult to track.

Recognizing these concerns, the administration said it will target only the “worst of the worst,” that sanctions will not “target free speech or interfere[] with the free and open Internet,” are “not designed to police the Internet or stifle technological innovations” and are “not meant to protect any one individual U.S. company.”

In addition, Smith stated that the standard of evidence will be a “reasonable basis to believe or reasonable cause to believe,” which is the “basic standard of evidence that administrative agencies across the government use under the Administrative Procedure Act.”  It is unclear how this standard will be applied to evidence attributing malicious cyber-enabled activities to particular actors.

King & Spalding will continue to monitor developments with regard to the new executive order and will provide updates if new regulations or guidelines are implemented.  We invite consultation with us further regarding the implications of this new authority.