United States Creates a New Sanctions Program Designed to Deter Cyber Attacks

On April 1, 2015 the President issued Executive Order 13694: Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.  Like many sanctions programs before it, the authority for this program is derived from the International Emergency Economic Powers Act (IEEPA).  The format is familiar: the President declares a national emergency and then imposes a sanctions program to deal with that national emergency.

As indicated in the executive order, “the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”  The United States has been pursuing a “comprehensive strategy” to deal with this threat, and with the issuance of Exec. Order 13694, a targeted sanctions program is now part of that comprehensive strategy.  According to the President, the United States will also employ “diplomatic engagement, trade policy tools, and law enforcement mechanisms to counter the threat posed by malicious cyber actors.”

Interestingly, according to the Washington Post, this sanctions program has been in the works for about two years.  This seems like a very long time, especially given the growing concern of cyber-attacks over the past decade.  Although the Exec. Order was set to be released last week, President Obama delayed it because of concerns related to the language of the Order.  President Obama may have thought the language was too vague. Several people familiar with the matter told the Post that the President wanted “the language to convey that the program was aimed at significant malicious cyberactivity,” and not designed to sweep up relatively minor cyber-criminals as sanctions targets.

To address the President’s concerns, the Exec. Order was designed to target those involved in malicious cyber activities that compromise or harm “a critical infrastructure sector” or disrupt the availability of a computer or network of computers. A critical infrastructure sector is defined in Presidential Policy Directive 21 as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Covered sectors include, but are not limited to, chemical, dams, defense industrial base, energy, public health, and nuclear.

The Exec. Order also authorizes the Treasury Department to target persons who cause a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.  An example of eligible targets under this targeting authority would have probably included the five indicted Chinese military hackers who stole trade secrets from a Pennsylvania company back in 2014.  During his remarks at the Brookings Institute regarding that case, John Carlin (the Asst. Attorney General of the National Security Division (NSD)) stated that economic sanctions may soon be implemented against such actors.

Although the President’s concerns appear to have been at least facially addressed, the Exec. Order does broadly authorize the Treasury to designate those who are “complicit” in such sanctionable activities or who have “materially assisted” the commission of such sanctionable activities.  Both means of designation are vague enough that someone with limited involvement or minimal culpability can still be added to the SDN List.  Add to that the general lack of understanding amongst people on how the internet actually works, and I think it is safe to assume that some less-than-deserving people will end up being designated.

Disclaimer: Blog posts should not be relied upon as legal advice and are only provided for informational purposes.  Information contained in blog posts may also become outdated with the passage of time as laws change and U.S. foreign policy and national security objectives evolve.