More Teeth, No Bytes: OFAC Issues Regulations For Its Yet Unexercised Cyber-Related Sanctions Authority

On New Year's Eve, OFAC promulgated cyber-related sanctions regulations¹ implementing President Obama's April 2015 Executive Order (the Cyber EO), which authorizes sanctions to be imposed on perpetrators of cyber-attacks posing a "significant threat to the national security, foreign policy, or economic health or financial stability of the United States."² Perhaps reflecting the inherent difficulty in attributing a particular cyber incident to a particular bad actor, however, no sanctions have actually been imposed on anyone under the cyber-related sanctions executive order. The issuance of these regulations is not even necessary before sanctions could be imposed; for example, OFAC did not promulgate Ukraine-related sanctions regulations until months after many individuals and entities became subject to sanctions under President Obama's Ukraine-related sanctions executive orders. So determining whether the issuance of the regulations signals that the US government intends to exercise this authority soon is not possible. The regulations arrive as the Director of National Intelligence continues to establish the Cyber Threat Intelligence Integration Center (CTIIC).³

The regulations themselves do not deviate from the regulations that typically accompany OFAC sanctions regimes. OFAC has stated that it intends to supplement the regulations "with a more comprehensive set of regulations, which may include additional interpretive and definitional guidance and additional general licenses and statements of licensing policy." For the moment, however, the regulations reflect the usual way OFAC sanctions operate: they include provisions prohibiting US persons (an OFAC-defined term explained below) from generally transacting with any persons designated under the Cyber EO; they provide for the blocking (i.e. freezing) of property interests of designated persons that come within the jurisdiction of the United States; and they provide a few licenses for US persons to, for example, provide certain legal services or emergency medical services in the United States to designated persons.

The Challenge of Designating Cyber Targets

The Cyber EO provides OFAC sweeping authority to designate persons determined, in consultation with the Attorney General and the State Department, to have engaged in certain malicious cyber activities. OFAC stated at that time that it would not impose sanctions on persons who are "the unwitting owners of compromised computers" that are used in cyber-attacks, and that the executive order is not "designed to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage."

Nonetheless, it is unclear when and how a computer or network owner might be found "complicit in" a cyber-attack—one of the bases upon which OFAC may impose sanctions—once such owner has discovered that its systems are compromised.

Likewise, it is unclear what responsibility an information technology or Internet services provider—such as a company that rents server time or transports network traffic—has to inquire into the identity and intended use of such resources by its customers before such provider could be found "to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of," sanctionable malicious cyber activity (which can also subject such person to designation). In other sanctions contexts, OFAC typically applies a "knew or should have known" standard in enforcing sanctions but under some sanctions programs it applies a strict liability standard.

Moreover, attribution of cyber-attacks to particular geographies or networks, let alone specific persons, is difficult. It remains to be seen how effective sanctions will be in this area, given the challenges that exist in successfully tracing attacks (or the fruits of attacks) to identifiable persons. Such difficulties in attribution also raise the corollary risk that persons will be designated for activities wrongly attributed to them.

The Effect of a Sanctions Designation

Once OFAC begins to designate specific persons pursuant to the executive order, the names of designated persons will be placed on OFAC's existing Specially Designated Nationals (SDN) List. Designations may be made under the executive order and new regulations without prior notice. Persons placed on the SDN List will have their property and interests in property "blocked." OFAC maintains a searchable electronic version of the SDN List on its website, available at sdnsearch.ofac.treas.gov.

The term "US persons" is defined under the regulations, as under most OFAC sanctions regulations, to mean:

• any United States citizen or permanent resident (i.e. "green card" holder);
• any entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches); or
• any person physically in the United States (for example, a UK citizen on a ski vacation in Utah).⁴

Unless licensed through OFAC, US persons are prohibited from dealing with blocked persons, save for a few general authorizations that OFAC has promulgated under the new regulations that permit, among other activities, US persons to provide legal services and emergency legal services to designated persons. Any property or property interest of such designated persons that come within the jurisdiction of the US (typically, transactions in US dollars are cleared through US banks and are subject to US jurisdiction) or under the control or possession of a US person will be frozen. The regulations also define the terms "property" and "transfer" extremely broadly, underscoring that once a person is designated it is virtually excluded from any direct or indirect economic activity with persons in the United States.⁵

Additionally, like many sanctions programs, the executive order restricts not only all economic transactions with persons on the SDN List, but also "the making of donations," even of humanitarian items (such as food clothing, and medicine), to such persons, and the executive order contains prohibitions against evading, avoiding, causing, attempting, or conspiring to violate the prohibitions of the order. Violations of the sanctions program can lead to both criminal and civil penalties under IEEPA.

Although no designations for this new cyber sanctions program have been made, US persons should continue to heed OFAC's April recommendation to "develop a tailored, risk-based compliance program" to address this new sanctions program.⁶ In particular, OFAC notes that "US persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on any of OFAC's sanctions lists."

Persons who are wrongfully designated under this or any other sanctions program face an uphill battle to have the designation removed. Under other sanctions programs, even those persons who successfully challenge a wrongful designation and have their name removed from the SDN List do so only after months or years of effort.