Search PillsburyLaw.com
  • All
  • Lawyers
  • Capabilities
  • Insights

Alert

New Executive Order Allows for Sanctions Related to Cybersecurity

By Brian E. Finch, Aaron R. Hutman, Aimee P. Ghosh, Stephanie J. Rohrer, Nancy A. Fischer

Alert

By Brian E. Finch, Aaron R. Hutman, Aimee P. Ghosh, Stephanie J. Rohrer, Nancy A. Fischer

04.22.15

On April 1, 2015, President Obama issued a groundbreaking Executive Order (E.O.) enabling the United States to sanction persons that have (1) participated in malicious cyber-enabled activities constituting a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States,” or (2) misappropriated trade secrets for commercial or financial gain outside the United States. No sanctions have yet been imposed and it is unclear how the U.S. government will deploy this new regime. Nonetheless, applying economic sanctions to the U.S. cybersecurity response is a potentially powerful tool that can fill gaps in law enforcement and deterrence. It also is a tool that could be leveraged by companies that have fallen victim to damaging cyber-attacks or competitors using stolen trade secrets. Further, companies outside the United States will need to consider compliance measures to manage exposure to sanctions under these new rules.

Overview of the Executive Order

Executive Order 13694 targets significant, malicious “cyber-enabled” activities that have the purpose or effect of causing specific harms to security, infrastructure and business interests. It intends to enable the U.S. government to address malicious cyber actors outside of the United States who have traditionally hidden beyond the reach of other enforcement tools.

Specifically, the E.O. allows the Secretary of Treasury, in consultation with the Attorney General and the Secretary of State, to designate persons for certain activities wholly or substantially outside the United States which result in or contribute to “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” This includes two categories of activities:

(1) Cyber-attacks that have the purpose or effect of:

  • Harming or compromising computers/computer networks supporting critical infrastructure entities;
  • Compromising the provision of services by critical infrastructure entities; or
  • Disrupting the availability of a computer/computer network (e.g., denial of service attacks).

(2) Cyber-crime and commercial benefit from such crime, specifically:

  • Misappropriating funds, trade secrets, personal or financial information for commercial advantage or private financial gain; and
  • Responsibility for, complicity in or engaging in the receipt or use of trade secrets for commercial or competitive advantage, private financial gain, or receipt/use by a commercial entity outside the United States which were misappropriated through cyber-enabled means, where knowing they were misappropriated.

Sanctions also may be applied to persons who materially assist, sponsor, or provide material financial, technological, or goods-and-services support for any of the activities described above or for any party blocked under the E.O. Thus, this order threatens not only primary actors but anyone operating within the global cyber ecosystem that may support or supply cyber-attackers, terrorists or thieves.

A sanctions designation by the Office of Foreign Assets Control (OFAC) under this E.O. blocks the parties’ assets, likely via listing as a Specially Designated National or “SDN,” which freezes the property and interests in property of the listed person that are or come within the United States, or the possession of a U.S. person, and bans the person from traveling to the United States. No designations have been made at this time.

OFAC issued frequently asked questions numbers 444 to 452 together with the E.O. which provide important definitions and clarify some limitations of the intended application of the sanctions:

  • The anticipated definition of “cyber-enabled” includes “any act that is primarily accomplished through or facilitated by computers or other electronic devices.” The “malicious cyber-enabled activities” targeted by the E.O. include “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.” (FAQ 447)
  • “Critical infrastructure sector” means any of the following sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems. (E.O. Section 6(d), Presidential Policy Directive 21 and FAQ 447)
  • This E.O. does not target cyber-related activities for legitimate educational, network defense, or research purposes. Similarly, legitimate network defense or maintenance activities performed by computer security experts and companies as part of their normal business operations are also not targeted by the E.O. (FAQs 448-450)

Download: New Executive Order Allows for Sanctions Related to Cybersecurity

Tags
Government Law & Strategies, International Trade, Cybersecurity, Data Protection & Privacy
These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.