New Executive Order establishes cyber sanctions regime
The White House today issued an Executive Order on “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” The full text of the EO is at this link. The White House website also has a fact sheet, a statement by the President, and a letter to Congress on the order.
The Executive Order would take the toolkit that the Department of the Treasury has developed and refined over the past dozen years to address counterterrorism and counter-proliferation threats (a story well-told in Juan Zarate’s recent book, Treasury’s War) and leverage it against the most significant cybersecurity threats to U.S. national and economic security. The fact sheet describes the specific types of foreign cyber threats to which this Executive Order will apply:
- Harming or significantly compromising the provision of services by entities in a critical infrastructure sector;
- Significantly disrupting the availability of a computer or network of computers (for example, through a distributed denial-of-service attack); or
- Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain (for example, by stealing large quantities of credit card information, trade secrets, or sensitive information).
In addition, the Executive Order would allow entities or individuals who have knowing benefited from “trade secrets misappropriated through cyber-enabled means” to be sanctioned – a significant additional measure that will hopefully cause many foreign firms to be extremely circumspect about the prospect of illicitly acquiring intellectual property.
Overall, the EO is likely to provide the U.S. government with a significant new tool to counter and deter cyber threats. But the announcement today leaves several key questions unanswered, which will have an impact on its overall effectiveness:
1. Will the US government be able to identify the individuals and entities responsible for relevant cyber threats with the same (or greater) degree of accuracy and legal certainty that it currently does for counterterrorism and counterproliferation-related sanctions? Or is the attribution challenge more difficult in the cyber domain?
2. Are such individuals and entities connected to the global economy to a degree that they in fact will be disrupted or deterred by sanctions with respect to ongoing malicious cyber activity?
3. What additional resources (e.g. more intelligence analysts) does the Department of the Treasury need to implement this EO effectively, and how soon will the Department receive them? And at what level of priority will Treasury be able to task the IC (within the scope of the National Intelligence Priorities Framework) to support their efforts? What will be Treasury’s role in the new Cyber Threat Intelligence Integration Center?
4. How will foreign governments respond to this EO? Will they refuse to do business with listed entities and individuals? What is the U.S. government planning to do to encourage other countries to adopt similar policies?
All these questions will need to be addressed by senior leaders at Treasury and other Departments in the coming weeks and months as this is implemented. But overall this is a significant initiative by the Administration, one that if carried out effectively is likely to have a greater impact on the cyber threat than any other policy initiative announced in the past couple of years.