The United States will implement economic and travel sanctions against foreigners implicated in cyber attacks against U.S.-based targets. U.S. President Barack Obama signed an executive order on Wednesday, titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” that details retaliatory steps against individuals and groups outside the United States that use cyber as their vector of attack against U.S. interests. The executive order covers both government targets as well as those in the private sector.
The executive order comes on the heels of a vast cyber attack against Sony Pictures last year that the U.S. government claimed was carried out by a group backed by the North Korean government. The order also comes eleven months after the U.S. Department of Justice formally charged five senior officers in China’s People’s Liberation Army (PLA) with crimes related to cyber espionage.
The executive order will punish “any person determined … to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” to a range of sanctions.
Notably, the U.S. Treasury Department will freeze assets and bar financial transactions by those individuals and groups. Additionally, the executive order will lead to the United States barring these same individuals from entering the United States. The Washington Post notes that this executive order has been “in the works for two years.”
That this executive order exists should come as little surprise. The Obama administration is getting serious about cyber. As I noted shortly following the indictment of Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, Gu Chunhui — the five PLA officers charged with cyber espionage by the Department of Justice — a heavy-handed response to cyber crime and cyber espionage sends a positive message to U.S. businesses who need to see that the government will mobilize resources to protect U.S. intellectual property and productivity.
Several attacks, both inside and outside of the United States, have amply demonstrated the potential for cyber attacks to cause massive economic loss. With this executive order, the U.S. government is codifying a punishment for any would-be attackers. It addresses the administration’s critics who suggested that the United States needs to have a clear policy of retaliation against cyber attacks after the allegedly North Korea-backed attack on Sony Pictures.
The order outlines four criteria that would cause an individual or group to face sanctions:
(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
(C) causing a significant disruption to the availability of a computer or network of computers; or
(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain
This section is followed by a second set of conditions, implicating anyone found,
(A) to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
(B) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A) of this section or any person whose property and interests in property are blocked pursuant to this order;
(C) to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to this order; or
(D) to have attempted to engage in any of the activities described in subsections (a)(i) and (a)(ii)(A)-(C) of this section.
All of this casts a wide, wide net — which is a good thing as far a U.S. business will be concerned. Still, there are a few ambiguities worth addressing. One wonders if this executive order will require a degree of transparency from the government when it comes to substantiating the source of attacks. After the Sony Pictures hack last year, the Federal Bureau of Investigation was convinced that North Korea was behind the attack without actually releasing any evidence. Additionally, given a savvy and resourceful attacker, it may be difficult for U.S. authorities to conclusively determine the source of a cyber attack. It also isn’t unimaginable that a particularly motivated and cunning attacker could spoof the source of an attack, leading to sanctions against an innocent party.
The executive order is quite broad-sweeping and light on technically specifying what constitutes a cyber attack that would represent “an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” For example, distributed denial of service (DDoS) attacks, be they as unsophisticated as they are popular among cyber hoodlums, may well count as cyber attacks under the executive order. Is the administration equating a DDoS attack that causes downtime for a popular website to. say, a state-backed attack on U.S. critical energy infrastructure? These are but a few of the concerns that arise from this move.
Obama, in his remarks following the release of the executive order, emphasized its function as a cyber deterrent: “From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds,” he noted. In the administration’s view, this executive order should, in theory, reduce the reward of cyber attacks while increasing the risks for would-be attackers. If the arithmetic works performs to spec in reality, this should deter attacks against U.S. targets.
What’s interesting here is that this will put the PLA, which is strongly suspected of using its cyber offensive capabilities to provide stolen intellectual property to Chinese corporations, in a tricky position. In theory, if the United States can substantiate that a Chinese firm acquired stolen intellectual property, it could seize any U.S.-based property and funds belonging to that corporation. Cyber remains one of the exposed nerves in U.S.-China diplomacy. There’s no doubt that members of PLA Unit 61938 have taken note of today’s development.
The executive order is a fascinating development in the United States’ evolving response to burgeoning cyber threats. A lot will come down to how and when this program is implemented. The executive order casts a wide enough net and bares just enough teeth to send the message that the United States isn’t afraid to play legal hardball on cyber.