Data Protection Report - Norton Rose Fulbright

On April 1, 2015, President Obama issued Executive Order 13694, creating a new sanctions program that targets the growing and evolving threat posed by cyber-attacks.  The Order authorizes sanctions against those who seek to use cyber-attacks to harm critical infrastructure, target network availability, and steal sensitive information, such as trade secrets and personal financial information.

The Order requires the freezing of assets of designated cyber-attackers in the United States or in the control or possession of US persons.  It also prohibits US individuals and organizations from engaging in any transactions with those on the sanctions list or any entities they own.

Designation of Cyber-Attackers for Sanctions

More specifically, Executive Order 13694 authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on individuals or entities that engage in what the Order terms “significant malicious cyber-enabled activities” originating from or directed by persons outside the United States that are reasonably likely to result in, or have materially contributed to, a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”

In FAQs released with this Order, the US Department of the Treasury, Office of Foreign Assets Control (“OFAC”) stated that it anticipates the accompanying regulations will define “cyber-enabled” activities to include any act that is primarily accomplished through or facilitated by computers or other electronic devices.  OFAC further clarified that “malicious cyber-enabled activities” include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.

The types of cyber-attacks that would subject perpetrators to sanctions include:

  • Harming or significantly compromising the provision of services by entities in a critical infrastructure sector (or a computer or network of computers that support such entities);
  • Significantly disrupting the availability of a computer or network of computers (for example, through a distributed denial-of-service attack);
  • Causing a significant misappropriation of funds or economic resources; or
  • Causing a significant misappropriation of trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain (for example, by stealing large quantities of credit card information, trade secrets, or sensitive information).

The individuals or entities that may be designated for sanctions are those that:

  • Attempt, assist in, or provide material support for cyber-attacks;
  • Are owned or controlled by or act on behalf of individuals or entities designated for sanctions; or
  • Benefit from cyber-attacks by receiving or using trade secrets that were acquired via cyber-attacks for commercial or competitive advantage or private financial gain, or where the underlying theft of the trade secrets may lead to a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

Next Steps

Those designated will be added to OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”).  Once OFAC makes these designations, US individuals and entities (and those otherwise subject to OFAC jurisdiction) must ensure that they do not engage in any transactions with the sanctioned individuals or entities.

OFAC has cautioned that individuals or entities that facilitate or engage in online commerce (such as technology companies) are responsible for ensuring that they do not engage in unauthorized transactions with the designated persons.

OFAC advises companies to develop tailored, risk-based compliance programs, which may include sanctions list screening or other appropriate measures.

The White House has released a Fact Sheet and blog post related to these developments.

Although no individuals or organizations have yet been designated for sanctions under the new program, companies should be prepared to take steps to comply with the Order.