New Executive Order Authorizes Sanctions On Yet Unnamed Perpetrators of Malicious Cyber Threats

President Obama recently issued the first executive order establishing a sanctions framework to target perpetrators of cyber attacks posing a "significant threat to the national security, foreign policy, or economic health or financial stability of the United States."¹ Executive Order (EO) 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, grants the Department of Treasury's Office of Foreign Assets Control (OFAC) sweeping authority to designate persons determined, in consultation with the Attorney General and the State Department, to have engaged in certain malicious cyber activities. The White House characterized this executive order as "a new tool to combat the most significant cyber threats to our national security, foreign policy, or economy."²

The sanctions have been authorized under the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1701 et seq., which gives the President broad authority to regulate transactions subject to US jurisdiction in response to "unusual and extraordinary threat[s]" to national security, foreign policy, or the US economy. Once the President invokes the IEEPA authority to impose sanctions, OFAC administers the sanctions program. Most economic sanctions imposed by the President and administered by OFAC are authorized under IEEPA.  Although an initial list of sanctioned entities often accompanies an executive order outlining new sanctions, no initial designations were announced alongside the executive order.

Despite guidance provided in both the executive order and in Frequently Asked Questions (FAQs) posted by OFAC the same day as the order,³ the sanctions framework outlined by the order contains a number of significant open questions related to the scope of the new cyber-enforcement power and how the sanctions will be implemented. Among these questions is how OFAC will determine what constitutes a "significant malicious cyber-enabled activity," such that OFAC could impose sanctions upon the purported bad actors. Further, OFAC has not yet clearly identified how in designating sanctioned persons OFAC will address the inherent difficulty in attributing a particular cyber incident to a particular bad actor, especially where a sophisticated bad actor may present false information that could lead to misattribution. Nevertheless, because sanctions designations can be made at any time and without prior notice, US companies and individuals must remain vigilant of developments in this area as the US government contemplates using this tool to take powerful and swift action in response to both alleged cyber threats and their financial supporters and/or beneficiaries.

The Challenge in Defining "Cyber Threats"

Official statements regarding the executive order suggest that the executive order is intended to encompass a broad and flexible category of cyber threats. Homeland Security Advisor Lisa Monaco notes "a significant increase in the frequency, scale, and sophistication of cyber incidents targeting the American people, including everything from large data breaches and significant intrusions to destructive and coercive cyber attacks intended to influence the way ordinary Americans exercise their constitutional rights."⁴ OFAC's FAQs on the executive order suggest that targeted cyber threats could include everything from an attack on a power plant or dam in the United States, to the theft of personal financial information stored by a commercial entity, to a distributed denial-of-service attack.⁵

The executive order itself includes a broad array of "cyber-enabled activities" that could lead to sanctions. The executive order does not define "cyber-enabled activities," but OFAC has stated it anticipates its future regulations to define cyber-enabled activities to include "any act that is primarily accomplished through or facilitated by computers or other electronic devices."⁶ OFAC further stated that the "cyber-enabled activities" covered by the executive order will likely include "deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain."⁷ However, because OFAC has not yet promulgated these regulations, these should be considered only working definitions.

While "cyber-enabled activity" has not been well-defined yet, the executive order does provide particular requirements to distinguish what activities the executive order will cover. Specifically, the executive order authorizes designations of any persons that the Secretary of the Treasury determines were responsible for, complicit in, or has engaged in, directly or indirectly, cyber-enabled activities, where such cyber-enabled activities satisfy all of the following requirements:

The cyber-enabled activity must originate from, or be directed by persons located in whole or in substantial part, outside the United States. This requirement suggests that the sanctions framework is intended to address primarily cyber incidents initiated or caused by foreign actors, as the government has a broader array of authorities to target domestic actors. This comports with OFAC's statements within the FAQs that the executive order is "intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the US government."

The cyber-enabled activity is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. While the extremes may be easy to identify—stealing a single consumer's social security number from his or her laptop would likely not result in sanctions, while hacking the control system of a nuclear power plant likely could—the line between "significant" and insignificant threats is unclear. The only substantive example of a significant threat mentioned by the White House in its discussion of the new sanctions is the "destructive and coercive cyber attack against Sony Pictures Entertainment and threats against movie theaters and moviegoers."⁸

The cyber-enabled activity has "the purpose or effect of (a) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical ⁹ infrastructure sector; (b) significantly compromising the provision of services by one or more entities in a critical infrastructure sector; (c) causing a significant disruption to the availability of a computer or network of computers; or (d) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain. These covered activities are broad. For example, the disruption of a single computer, even outside of a "critical infrastructure" sector, would be covered under (c).

The executive order also authorizes the designation of any persons who are complicit or have engaged in the receipt or use of misappropriated trade secrets, knowing they were misappropriated.

Finally, the executive order authorizes the designation of any person who is found "to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of" any of the activities described above.

The Challenge of Designating Cyber Targets

OFAC has stated that it will not impose sanctions on persons who are "the unwitting owners of compromised computers" that are used in cyber attacks¹⁰ and that the executive order is not "designed to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage."¹¹ Nonetheless, it is unclear when and how a computer or network owner might be found "complicit in" a cyber attack once such owner has discovered that its systems are compromised. Likewise, it is unclear what responsibility an information technology or Internet services provider—such as a company that rents server time or transports network traffic—has to inquire into the identity and intended use of such resources by its customers before such provider could be found "to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of," sanctionable malicious cyber activity. In other sanctions contexts, OFAC typically applies a "knew or should have known" standard in enforcing sanctions but under some sanctions programs it applies a strict liability standard.

Moreover, attribution of cyber attacks to particular geographies or networks, let alone specific persons, is difficult and subject to considerable uncertainty. It remains to be seen how effective sanctions will be in this area, given the challenges that exist in successfully tracing attacks (or the spoils that flow from them) to persons identifiable enough to be designated. Such difficulties in attribution also raise the corollary risk that persons will be designated for activities wrongly attributed to them.

The Effect of a Sanctions Designation

Once OFAC begins to designate specific persons pursuant to the executive order, the names of designated persons will be placed on OFAC's existing Specially Designated Nationals (SDN) List. Designations may be made under the executive order without prior notice. Under other sanctions programs, it has taken months or years for persons to successfully challenge a wrongful designation and have their name removed from the SDN List.

Persons placed on the SDN List will have their property and interests in property "blocked." OFAC maintains a searchable electronic version of the SDN List on its website, available at sdnsearch.ofac.treas.gov. Unless licensed through OFAC, US persons are prohibited from dealing with blocked persons, and any property of such designated persons that comes within the jurisdiction of the US or under the control or possession of a US person will be frozen. Additionally, like many sanctions programs, the executive order restricts not only all economic transactions with persons on the SDN List, but also "the making of donations" even of humanitarian items (such as food clothing, and medicine) to such persons, and the executive order contains prohibitions against evading, avoiding, causing, attempting, or conspiring to violate the prohibitions of the order. Violations of the sanctions program can lead to both criminal and civil penalties under IEEPA.

Although no designations for this new cyber sanctions program have been made, US persons should heed OFAC’s recommendation to "develop a tailored, risk-based compliance program" to address this new sanctions program.¹² In particular, OFAC notes that "US persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on any of OFAC's sanctions lists."