In a move with broad ramifications, President Obama issued an executive order Wednesday that authorizes US government sanctions against individuals or entities engaged in "cyber-enabled" activities deemed harmful to American interests.
The executive order gives the Treasury Secretary targeted authority to seize property and to freeze assets belonging to people that are found engaged in such electronic attacks. It is targeted primarily at overseas actors operating out of countries that are unable or unwilling to take action against entities carrying out hacking from within their borders.
Mr. Obama’s latest use of executive authority appears to be a response to growing calls for the US to have a strong policy for deterring attacks against its interests in cyberspace.
Over the past few years, criminal gangs and state-sponsored groups outside the US have launched countless attacks against the American government, military, and commercial networks. The attacks have resulted in what security experts say is massive theft of US intellectual property, trade secrets, financial, and personally identifiable data, and hundreds of millions of dollars from individual and commercial bank accounts. Many say that foreign threat actors have the technical ability and the resources needed to seriously disrupt and degrade U.S critical infrastructure services.
“There does need to be more potential downside for cybercriminals outside the US when they attack the US,” said John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity training organization.
What's more, he said, the executive order is an overdue recognition that the vast majority of attacks against US interests are financially motivated and criminal in nature rather than being acts of cyberwar.
Activities covered under the order include attacks that significantly disrupt services in a critical infrastructure sector or disrupt the availability of a computer or network for a significant length of time. Individuals or entities responsible for attacks that result in major financial loss or the theft of intellectual property, trade secrets, personal identifiers, and information that would give someone an unfair market advantage, could also face sanctions under the new authority.
The order serves notice on those seeking to harm US interests in cyberspace, Mr. Obama said in a statement. “Targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst.”
Obama’s statement pointed to the recent attacks on Sony Pictures that were ascribed to North Korea and attacks by Iranian hackers against multiple American banks as examples of the kind of activity the new authority seeks to deter.
“From now on, we have the power to freeze their assets, make it harder for them to do business with US companies, and limit their ability to profit from their misdeeds,” he noted
Administration officials on Wednesday stressed the new authority would only be used in a limited and highly targeted fashion to go after cyber actors who pose an extraordinary threat to US national security, foreign policy, economic health, or financial stability.
In imposing sanctions on an individual or entity under the authority of the executive order, the government will publicly make available all unclassified information pertaining to the decision, officials noted in a press briefing.
Sanctioning threat actors will limit their access to the US financial system, technology, and infrastructure, said Michael Daniel, the White House cybersecurity coordinator. The executive oder "enables us to have a new way of both deterring and imposing costs on malicious cyber actors wherever they may be,” said Mr. Daniel.
It is too soon to say how effective sanctions are really going to be against the threat actors responsible for such attacks. Attribution continues to be a huge problem in cyber space. Because attackers often use proxy servers, compromised systems, and other techniques to hide their tracks, it is often impossible to track an online attack back to its source with any degree of certainty.
Also, some worry that the order could have unintended consequences when it comes to cybersecurity research. “For example, could the executive order be used to issue sanctions, without due process, against security researchers who make or distribute penetration testing tools,” said Kurt Opsahl, general counsel at the Electronic Frontier Foundation, a digital rights advocacy group.
“The tools that could be used for attacks are also vital for defense," notes Mr. Opsahl, "and security researchers who use them should not have to worry that they may face sanctions from the Secretary of the Treasury.'