In an effort to deter and punish hackers and cyberspies who have until now been outside the reach of U.S. law enforcement, President Barack Obama signed an executive order today allowing the government to levy economic sanctions against individuals overseas who engage in destructive cyberattacks or commercial espionage.
The order is aimed primarily at state-sponsored actors and other hackers who are beyond the reach of law enforcement or diplomatic efforts. It gives the government the power to go beyond nation-level actions to target individuals who may be sponsored or supported in some way by a nation.
The sanctions are intended for significant attacks that meet a certain threshold of harm. They must directly hurt the “national security, foreign policy, economic health or financial stability of the United States,” according to the president’s announcement.
This would include attacks that damage critical infrastructure, disrupt computer networks through widespread DDoS efforts, or steal financial data, trade secrets or intellectual property in a way that harms the nation’s economic stability. The sanctions wouldn’t be applicable only to parties engaging in the cyberattacks and theft, however. The order also allows the government to apply sanctions against individuals and entities who knowingly use and receive data stolen in such attacks. This could apply, for example, to a company that hires hackers to steal data from a competitor to gain a market advantage or purchases stolen data after the fact.
“We don’t want to just deter those with their fingers on the keyboard but those who are funding and enabling those groups to carry out their activity,” said Michael Daniel, the president’s special advisor on cybersecurity and a member of the National Security Council who spoke on Wednesday morning at a news conference. “We want to deter those who are paying for it.”
The move is designed to fill a gap where individuals carrying out significant malicious cyber activity are generally unreachable through other diplomatic and law enforcement means or where a “country has weak cyber security laws, or … turns a blind eye to the activity or where we don’t have good law enforcement relationships,” said Daniel. It would also apply in cases where hackers are being directly supported in some way by their government.
Currently, when hackers undertake significant cyberattacks from countries like Russia or Ukraine that will not extradite suspects, law enforcement waits to nab them when they inevitably leave to go on vacation in places like Thailand or fly through Europe en route to a vacation destination. U.S. law enforcement agencies often wait until a suspect passes through a country that is more cooperative and will work with the U.S. to arrest an individual. The new order would potentially give the government another tool to punish suspects who carefully avoid traveling to nations that are sympathetic to the U.S.
The order would allow the government to freeze any financial assets held by a targeted individual in U.S. banks and financial institutions and would also prohibit U.S. persons from engaging in business transactions with such an individual—thus preventing them from purchasing U.S. technologies and goods. The government could also place a visa ban on a targeted suspect.
Some of these sanctions seem unlikely to directly affect people overseas who do not intend to travel to the U.S. or who do not have money stored in U.S. financial institutions. But John Smith, acting director of the Treasury Department’s Office of Foreign Assets Control, said on the press call Wednesday that a target’s money doesn’t have to be stored in a U.S. financial institution to be affected. Transactions that merely pass through U.S. banks—for example when a foreign currency transaction is converted to U.S. dollars—can also be frozen and prevented from being processed.
Because of the prevalence of the U.S. dollar, “many transactions come through the U.S. that people do not intend,” said Smith. Although foreign contracts and transactions that specify U.S. dollars may be sent from banks that are far from U.S. borders, they “come through the U.S. financial system to be dollarized, so they can have moneys frozen even if they never knew that they had a U.S. footprint in their transaction before.”
Daniel said that the administration anticipates that other countries and foreign banks might join in the sanctions against such individuals, increasing their reach and effectiveness.
When such sanctions are applied, Daniel said the government would do so publicly, distributing a fact sheet outlining the unclassified aspects of the case “so the community knows the reasons we’re taking the action.”
Daniel and Smith were hard-pressed during the call to identify specific examples of attacks that would qualify for these sanctions or explain the criteria for determining when an attack meets the threshold. But they suggested that the recent hack against Sony Pictures Entertainment might have met the criteria, as might a widespread distributed denial-of-service campaign directed against U.S. banks that the U.S. has attributed to Iran. The ongoing, years-long economic espionage campaign against U.S. companies attributed to China might also fall under this category.
“It’s difficult to speculate whether we would have used this tool with respect to Sony,” Daniel said. “Obviously this will become one of the tools we will have going forward if we face similar incidents. It is something we will consider and whether we have the evidence in a form that we are willing to disclose publicly that we would be willing to consider using this tool.”
Last year the government indicted five Chinese hackers alleged to be working for the Chinese military, accusing them of stealing information from six U.S. companies in the energy, metals, and manufacturing industries. The government also levied sanctions against several North Korean officials in response to the hack against Sony Pictures Entertainment. Both of those actions, however, were primarily political. The Chinese hackers are not likely to ever actually be arrested or prosecuted for their actions. In the case of the North Korean officials, the individuals were not targeted for sanctions for any direct involvement in the Sony attack, and the authority used to sanction them was not specific to cyberactivity. The new order is tailored to address cyberattacks, and sanctions applied under it would allow the government to punish individuals who would never otherwise be punished through a court prosecution.
Daniel said the new order would be used judiciously and in extraordinary circumstances. “We will not use this to target free speech or interfere with the open internet or go after innocent victims or people whose computers were taken over and used by malicious” actors, he said.
Any individual or entity who feels they’ve been sanctioned wrongly would have to challenge the move with an administrative petition or file suit in a U.S. district court, though it’s unclear in practical terms how effective this kind of redress would be.