The White House announced today a new program of sanctions to combat the worst cyberattacks.
According to a blog by Lisa Monaco, President Obama's adviser for homeland security, the new executive order “authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to sanction malicious cyber actors whose actions threaten the national security, foreign policy, or economic health or financial stability of the United States.”
Ms. Monaco was clear that sanctions are “not a tool that we will use every day” but just to “deter and disrupt the worst of the cyberthreats that we face.”
The White House move is best seen as the next shoe dropping after last year’s Department of Justice indictment of five Chinese military officers. They were indicted for stealing commercial secrets and with this new order, the president giving authority to target the Chinese companies that paid those officers to spy on their behalf.
It had been a mystery why the Justice Department took a relatively bold step to indict serving military officers on espionage charges, then fail to target the unindicted coconspirators or the Chinese state-owned enterprises that gained the actual commercial advantage. Likely, the administration was distracted by other priorities such as responding to the North Korean attack on Sony Pictures – a response that required China’s cooperation.
Sanctions are a much-needed step to vilify stealing commercial secrets, so that it is seen on par as payment by companies to corrupt officials, something that used to be widespread but is increasingly subject to strong negative norms.
Hopefully, the sanctions will include noneconomic penalties such as denying visas to executives who support the theft of commercial secrets, as well as to their spouses and children who want to study in US universities. Such targeted penalties affect those most responsible for the worst excesses without painting China guilty as an entire nation.
This new order from Mr. Obama will be seen correctly as a response to China’s commercial spying, however it is meant to help deter other attacks, too.
If the Iranians try a new chapter of attacking America’s finance sector, as they have in the past, not only is the US military likely to counterattack, now the Secretary of Treasury can authorize sanctions as well.
The government can use sanctions against cyber actors who target US foreign policy – an interesting category and choice of words. This probably wasn’t meant to include WikiLeaks-style “malicious cyber actors” but future administrations might interpret this more broadly.
For this policy to succeed, American companies – and the government itself – will need to step forward with more information. The US government has not even named the Chinese companies that funded the military spies and few companies are willing to come forward to say they have been harmed by commercial espionage.
Other nations faced with Chinese espionage should follow suit with sanctions of their own, but even with diminished economic growth, China is still strong enough that most governments will continue to meekly complain behind closed doors and with open wallets.
When it comes to cybersecurity, the Obama administration has gone from success to success lately, including major policies on cyberthreat information sharing, a presidential summit on security in Silicon Valley, and a good-enough response to the Sony attack.
This new policy on sanctions is the most innovative, and perhaps is the only truly new idea to combat cyberattacks during the entire Obama presidency. It could easily be the most successful, so long as the Chinese (or Brazilians or Europeans) don’t sanction companies known to have helped the National Security Agency spy on them.
Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council and editor of the first history of cyberconflict, "A Fierce Domain: Cyber Conflict, 1986 to 2012." You can follow his thoughts and analysis on cyberissues at @Jason_Healey.