On April 1, 2015, the White House unveiled Executive Order 13694, which authorizes the Treasury Department to sanction entities outside of the United States that engage in “cyber-enabled activities” that are “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” The Executive Order (“EO”), titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” contemplates sanctions against entities conducting various types of cyber attacks. The EO would enable sanctions against those who conduct attacks against United States’ critical infrastructure sectors (including the energy, financial services, and transportation sectors), attacks that cause “significant disruption to the availability of a computer or network of computers” and attacks involving the “misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” In a statement regarding the EO, the President announced that “starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American Companies or the personal information of American Citizens for profit.”
Not only does the EO allow for sanctions against entities conducting cyber attacks, it also allows sanctions against any entity that uses “trade secrets misappropriated, through cyber-enabled means, knowing that they have been misappropriated” in order to gain a “commercial or competitive advantage.” President Obama underscored that while the government is “focused on the supply side of this problem – those who engage in these acts – we’ll also go after the demand side – those who profit from them. As of today, there’s a new deterrent because I’m also authorizing sanctions against companies that knowingly use stolen trade secrets to undermine our nation’s economic health.” The President was also clear to point out that the sanctions are not intended to “target the unwitting victims of cyber attacks” nor will sanctions be used to “target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity.”
The President highlighted that U.S. business and critical infrastructure alike are facing an increased threat from sophisticated, nation-state sponsored attacks, specifically mentioning China, Iran, North Korea and Russia as sources of cyber threats. “The same technologies that help keep our military strong are used by hackers in China and Russia to target our defense contractors and systems that support our troops.” The President also highlighted the recent Sony hack, noting that the “North Korean cyber attack on Sony Pictures destroyed data and disabled thousands of computers.” The Obama administration previously imposed sanctions on North Korea in response to the Sony cyber attack.
The Department of Treasury’s Office of Foreign Assets Control (“OFAC”) will be responsible for implementing the sanctions and will work in consultation with the Attorney General and Secretary of State. OFAC issued an FAQ regarding the new sanctions for cyber-enabled activities that provides guidance on what activities the sanctions will cover. The EO also authorizes Treasury to promulgate rules and regulations regarding the sanctions. Importantly, OFAC’s FAQs regarding the EO note that all persons or entities designated for sanctions will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (the SDN List), which will prevent any “U.S. persons (and persons otherwise subject to OFAC jurisdiction) [from] engaging in trade or other transactions with persons named” on the SDN list.
The President hailed the EO as a new weapon at the government’s disposal in fighting cyber crime: “As of today, the United States has a new tool to protect our nation, our companies, and our citizens – and in the days and years ahead, we will use it.”