Alert
04.22.15
On April 1, 2015, President Obama issued a groundbreaking Executive Order (E.O.) enabling the United States to sanction persons that have (1) participated in malicious cyber-enabled activities constituting a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States,” or (2) misappropriated trade secrets for commercial or financial gain outside the United States. No sanctions have yet been imposed and it is unclear how the U.S. government will deploy this new regime. Nonetheless, applying economic sanctions to the U.S. cybersecurity response is a potentially powerful tool that can fill gaps in law enforcement and deterrence. It also is a tool that could be leveraged by companies that have fallen victim to damaging cyber-attacks or competitors using stolen trade secrets. Further, companies outside the United States will need to consider compliance measures to manage exposure to sanctions under these new rules.
Overview of the Executive Order
Executive Order 13694 targets significant, malicious “cyber-enabled” activities that have the purpose or effect of causing specific harms to security, infrastructure and business interests. It is intended to enable the U.S. government to address malicious cyber actors outside of the United States who have traditionally hidden beyond the reach of other enforcement tools.
Specifically, the E.O. allows the Secretary of Treasury, in consultation with the Attorney General and the Secretary of State, to designate persons for certain activities wholly or substantially outside the United States which result in or contribute to “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” This includes two categories of activities:
(1) Cyber-attacks that have the purpose or effect of:
(2) Cyber-crime and commercial benefit from such crime, specifically:
Sanctions also may be applied to persons who materially assist, sponsor, or provide material financial, technological, or goods-and-services support for any of the activities described above or for any party blocked under the E.O. Thus, this order threatens not only primary actors but anyone operating within the global cyber ecosystem that may support or supply cyber-attackers, terrorists or thieves.
A sanctions designation by the Office of Foreign Assets Control (OFAC) under this E.O. blocks the parties’ assets, likely via listing as a Specially Designated National or “SDN,” which freezes the property and interests in property of the listed person that are or come within the United States, or the possession of a U.S. person, and bans the person from traveling to the United States. No designations have been made at this time.
Together with the E.O., OFAC issued frequently asked questions numbers 444 to 452, which provide important definitions and clarify some limitations of the intended application of the sanctions:
Download: New Executive Order Allows for Sanctions Related to Cybersecurity