Modern field guide to security and privacy

Obama's cyber sanctions order adds punch to fight against foreign hackers

The president's executive order paves the way for economic action against criminal hackers and foreign entities that finance corporate spying operations.

Reuters/File
President Obama spoke at the Summit on Cybersecurity and Consumer Protection at Stanford University in February.

In a move with broad ramifications, President Obama issued an executive order Wednesday that authorizes US government sanctions against individuals or entities engaged in "cyber-enabled" activities deemed harmful to American interests.

The executive order gives the Treasury Secretary targeted authority to seize property and to freeze assets belonging to people who are found to be engaged in such electronic attacks. It is targeted primarily at overseas actors operating out of countries that are unable or unwilling to take action against entities carrying out hacking from within their borders.

Mr. Obama’s latest use of executive authority appears to be a response to growing calls for the US to have a strong policy for deterring attacks against its interests in cyberspace.

Over the past few years, criminal gangs and state-sponsored groups outside the US have launched countless attacks against the American government, military, and commercial networks. The attacks have resulted in what security experts say is massive theft of US intellectual property, trade secrets, financial, and personally identifiable data, and hundreds of millions of dollars from individual and commercial bank accounts. Many say that foreign threat actors have the technical ability and the resources needed to seriously disrupt and degrade US critical infrastructure services.

“There does need to be more potential downside for cybercriminals outside the US when they attack the US,” said John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity training organization. 

What's more, he said, the executive order is an overdue recognition that the vast majority of attacks against US interests are financially motivated and criminal in nature rather than being acts of cyberwar.

Activities covered under the order include attacks that significantly disrupt services in a critical infrastructure sector or disrupt the availability of a computer or network for a significant length of time. Individuals or entities responsible for attacks that result in major financial loss or the theft of intellectual property, trade secrets, personal identifiers, and information that would give someone an unfair market advantage, could also face sanctions under the new authority.

The order serves notice on those seeking to harm US interests in cyberspace, Mr. Obama said in a statement. “Targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst.”

Obama’s statement pointed to the recent attacks on Sony Pictures that were ascribed to North Korea and attacks by Iranian hackers against multiple American banks as examples of the kind of activity the new authority seeks to deter.

“From now on, we have the power to freeze their assets, make it harder for them to do business with US companies, and limit their ability to profit from their misdeeds,” he noted.

Administration officials on Wednesday stressed the new authority would only be used in a limited and highly targeted fashion to go after cyber actors who pose an extraordinary threat to US national security, foreign policy, economic health, or financial stability.

In imposing sanctions on an individual or entity under the authority of the executive order, the government will publicly make available all unclassified information pertaining to the decision, officials noted in a press briefing.

Sanctioning threat actors will limit their access to the US financial system, technology, and infrastructure, said Michael Daniel, the White House cybersecurity coordinator. The executive order “enables us to have a new way of both deterring and imposing costs on malicious cyber actors wherever they may be,” said Mr. Daniel.

It is too soon to say how effective sanctions are really going to be against the threat actors responsible for such attacks. Attribution continues to be a huge problem in cyberspace. Because attackers often use proxy servers, compromised systems, and other techniques to hide their tracks, it is often impossible to track an online attack back to its source with any degree of certainty.

Also, some worry that the order could have unintended consequences when it comes to cybersecurity research. “For example, could the executive order be used to issue sanctions, without due process, against security researchers who make or distribute penetration testing tools?” said Kurt Opsahl, general counsel at the Electronic Frontier Foundation, a digital rights advocacy group.

“The tools that could be used for attacks are also vital for defense,” notes Mr. Opsahl, “and security researchers who use them should not have to worry that they may face sanctions from the Secretary of the Treasury.”

 
