Obama Issues Executive Order on Sanctions for Foreign Entities Launching Cyberattacks
President Barack Obama issued an executive order Wednesday authorizing the attorney general and secretaries of State and Treasury to impose sanctions on foreign-based individuals and entities that launch malicious cyberattacks against networks owned by the U.S. government or U.S. companies. Cyberattacks that could result in sanctions would need to significantly disrupt a network’s availability, affect the provision of a critical infrastructure sector company’s services or cause the theft of U.S. economic resources, assets or personal information, the executive order said.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The order would also authorize sanctions against individuals or entities that knowingly receive or use trade secrets stolen through a cyberattack if the attack threatened U.S. economic, foreign policy or national security interests, as well as entities that provide material support for cyberattacks, the executive order said. “Targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst,” Obama said in a blog post Wednesday on Medium. "From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds."
Obama referenced recent cyberattacks, in a statement on the executive order, including the December data breach at Sony Pictures Entertainment, as posing “one of the most serious economic and national security challenges” to the U.S. The FBI has said North Korea organized the data breach. The new executive order builds on earlier Obama administration cybersecurity efforts, including two earlier executive orders, said John Smith, Department of the Treasury Office of Foreign Assets Control acting director, during a conference call with reporters.
A 2013 executive order resulted in the creation of the National Institute of Standards and Technology’s Cybersecurity Framework, while an order issued Feb. 13 centers private sector-to-government information sharing at the Department of Homeland Security and will expand the existing information sharing apparatus by encouraging the development of new information sharing and analysis organizations (see 1502130048).
The executive order “is designed to fill in a gap that we have identified where individuals carrying out significant malicious cyber activity are located in places that it's difficult for our diplomatic and law enforcement tools to reach,” particularly in countries known to endorse cyberattacks against the U.S. and countries with weak cybersecurity laws, White House Cybersecurity Coordinator Michael Daniel said during the call with reporters. The new sanctions aren’t ones “that we are expecting to use every day,” with existing diplomatic and law enforcement actions continuing to be the first options for the U.S., Daniel told reporters. “We will not certainly be using this to target free speech or interfering with the free and open Internet, and we’re not going to be going after the innocent victims of people whose computers were taken over and used by malicious actors.”
Obama’s executive order is “a necessary and positive step,” though the order’s implementation will determine its ultimate effect, said Internet Security Alliance President Larry Clinton in an interview. “It’s clear that we need to substantially upgrade our law enforcement activity with respect to cybersecurity. We’re currently successfully prosecuting maybe 1-2 percent of cyber criminals while they steal hundreds of billions of dollars’ worth of information on a regular basis. We absolutely need to become much more active in this space.” The order attempts to move the U.S. beyond its current “20th century models of law enforcement” and “substantially upgrades our efforts to find these people and put in some deterrents to this behavior,” Clinton said. The order by its very nature will be more flexible than a law enacted by Congress, so “we need to be judicious with how we implement this,” he said.
House Intelligence Committee ranking member Adam Schiff, D-Calif., praised the executive order in a statement as “a necessary part of responding to the proliferation of dangerous and economically devastating cyber attacks facing" the U.S. “Cyber hackers and attackers, and the states that sponsor them, must know there are serious repercussions if they continue to engage in this destructive conduct,” Schiff said. He said the order, when “coupled with cyber legislation moving forward in both houses of Congress,” will help “stop this scourge.” Schiff was among the members of House Intelligence who voted last week to move forward with its version of cybersecurity information sharing legislation, the Protecting Cyber Networks Act (HR-1560).