Executive Order Authorizes Economic Sanctions as New Tool for U.S. Cyber Defense

The Treasury Department’s Office of Foreign Assets Control (OFAC) simultaneously released FAQs related to the Order. The White House, in a statement by President Obama and in FAQs on the White House Blog, explained that the Order will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets. 

While no entities or individuals were immediately designated as subject to the new sanctions, and the Order does not impose any immediate compliance obligations on U.S. companies, the addition of this new “tool” to the U.S. government’s cybersecurity capabilities is another sign of how seriously the threat of cyber attacks is being taken at the highest levels of government.

The Order authorizes the Secretary of the Treasury, acting through OFAC, to impose sanctions on individuals or entities that OFAC, in consultation with the Attorney General and the State Department, finds to be responsible for, complicit in, or to have otherwise engaged in or attempted to engage in, malicious cyber-enabled activities that harm a computer or network of computers supporting entities in a critical infrastructure sector, compromise the provision of services by an entity in a critical infrastructure sector, cause a significant disruption to the availability of a computer or network of computers, or cause a significant misappropriation of funds, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain. It also authorizes OFAC to impose sanctions on individuals or entities who knowingly use or receive trade secrets misappropriated through cyber-enabled means where such misappropriation is likely to constitute a significant threat to the national security, foreign policy, or economic health or financial stability of the United States, who have assisted in or attempted to engage in any of these sanctionable activities, or who are controlled by or act on behalf of a designated individual or entity.

The President and OFAC both emphasized that these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems (e.g., penetration testing) or to prevent or interfere with legitimate cybersecurity research or commercial innovation activities. In addition, these measures are not intended to target the victims of cyber attacks. Finally, these measures are not designed to interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems or systems they are otherwise authorized to manage.

Scope of the Order

The Order requires U.S. persons to block property interests of designated persons or entities when such property is within the United States or within the possession or control of U.S. persons. The Order also grants the legal authority for future designations of persons who engage in certain sanctionable activities. Additionally, the Order suspends entry into the United States by any individuals determined by OFAC to meet the criteria for designation. OFAC did not issue any initial designations simultaneously with the Order.

Companies doing business in the critical infrastructure sectors listed below should monitor any future designations of persons or entities as Specially Designated Nationals (SDNs), and consider developing an initial plan for compliance.

An entity in which an SDN has a 50 percent or greater interest is also blocked. OFAC also advises U.S. persons to act with caution when considering a transaction with a non-blocked entity in which a blocked person has a significant ownership interest, even though it is less than 50 percent. This caution should extend to non-blocked entities over which blocked persons exercise control, but of which they do not own 50 percent or more. For example, OFAC has advised that U.S. persons may not engage in negotiations, enter into contracts, or process transactions involving a blocked individual when that blocked individual is acting on behalf of the non-blocked entity that he or she controls. Thus, if a blocked individual were the executive of a non-blocked entity, such as a corporation, U.S. persons would be prohibited from entering into a contract with that non-blocked SDN-owned or controlled entity if the contract were signed by the blocked individual.

Authority for future designations

The Order grants OFAC the authority to designate individuals or entities determined to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:

• harming, or otherwise significantly compromising, the provision of services by a computer or network of computers that support one or more entities in a critical infrastructure sector;

• significantly compromising the provision of services by one or more entities in a critical infrastructure sector;

• causing a significant disruption to the availability of a computer or network of computers; or

• causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

Additionally, the Order grants OFAC the authority to designate individuals or entities found:

• to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;

• to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described above, or any person whose property and interests in property are blocked pursuant to the Order;

• to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person who property and interests in property are blocked pursuant to the Order;

• to have attempted to engage in any of the activities described above.

The Order defines “misappropriation” to include any taking or obtaining by improper means, without permission or consent, or under false pretenses.

It also defines “critical infrastructure sector” as any of the designated critical infrastructure sectors identified in Presidential Policy Directive 21, namely:

• Chemical;

• Commercial Facilities;

• Communications;

• Critical Manufacturing;

• Dams;

• Defense Industrial Base;

• Emergency Services;

• Energy;

• Financial Services;

• Food and Agriculture;

• Government Facilities;

• Healthcare and Public Health;

• Information Technology;

• Nuclear Reactors, Materials, and Waste;

• Transportation Systems;

• Waste and Wastewater Systems.

Legitimate cybersecurity activities not covered

The President stated that the Order is tailored to address and respond to the harms caused by significant malicious cyber-enabled activities. The Order does not define “cyber enabled activities,” but OFAC stated in its FAQs that regulations to be promulgated will likely define the term to include any act that is primarily accomplished through or facilitated by computers or other electronic devices. OFAC noted that malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.

The Order and accompanying OFAC FAQs take care to highlight limitations on the scope of the Order related to legitimate business activities. For example, the President and OFAC both stated that these sanctions will in no way target the victims of cyber attacks, such as persons whose personal computers or other networked electronic devices are used without their knowledge or consent in malicious cyber-enabled activities (e.g., in denial-of-service attacks). In addition, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems (e.g., penetration testing) or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events. Furthermore, these measures are not designed to interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems or systems they are otherwise authorized to manage. This would include, for example, denying access to certain services and systems (e.g., retail websites, social media platforms) in order to ensure performance of the network for authorized business activities.

If you have any questions regarding these developments, please contact:

Beth Peters,  Harriet Pearson, Deen Kaplan, Stuart Altman, Anthony Capobianco, Ajay Kuntamukkala, Robert Kyle, Stephen Propst, T. Clark Weymouth, Jeanne Archibald, Aleksandar Dukic, Brian Curran, H.P. Goldfield, and Paul Otto in Washington, D.C.; Patrick Ayad and Falk Schöning  in Munich; Lourdes Catrain in Brussels; Alexei Dudko in Moscow; Louise Lamb and Catherine Robert in London.

This post originally appeared as a Hogan Lovells client alert. To access the client alert, click here.

Authored by the HL Chronicle of Data Protection Team