A few years ago, the threat of cyber warfare seemed remote to most Americans, although certainly not those involved in national security. These days, though, fronts have opened up at local Target and Home Depot retail stores, Americans have seen widespread identity theft hit income-tax return processes, and even stripping the privacy away from a major entertainment corporation in an attempt to humiliate and extort executives. No one’s thinking of it as science fiction or hyperbolic fortune-telling any longer. In response, Barack Obama issued an executive order today that creates sanctions against foreign hackers — assuming we can find them:
Cyber-attacks against the U.S. have become so bad that President Obama today declared it a “national emergency” and announced the first ever sanctions program designed specifically to go after foreign hackers.
In an executive order signed today and released by the White House, Obama said the “the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
The order calls for a sanctions program not unlike those used in counter-proliferation or counter-terrorism programs that can target “individuals or entities that engage in significant malicious cyber-enabled activities” that harm the U.S. – including attacks on critical infrastructure, denial of service attacks or cyber espionage, according to the White House. …
Some cyber security experts have long lobbied for sanctions to be added to America’s tools to counter prolific cyber-attacks –- in addition to public condemnation and the filing of criminal charges. As Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator told reporters today, the sanctions program is meant to “fill a gap” and reach malicious actors who are “difficult for diplomatic and law enforcement tools to reach.”
ABC reminds readers that Obama did issue sanctions against North Korea over the Sony hack, but that’s within his purview on foreign policy, and followed a specific identification. That may be possible in some case — for instance, China has aggressively pursued cyber espionage on both commercial and government assets for years — but not so much in the case of criminal gangs without state affiliation. Some of those are suspected of working on behalf of foreign governments like Russia and Iran, but then again, the US reportedly has its own hacker groups working on the front lines of the cyber war.
The idea is to make theft of material so cost-heavy as to discourage the activity from taking place at all. The White House announcement makes it clear that the new program intends to target commercial activity specifically:
Malicious cyber activity — whether it be stealing sensitive information, including personal identifiers, or trade secrets — is often profit-motivated. Because those responsible want to enjoy the ill-gotten proceeds of their activities, sanctions can have a significant impact. By freezing assets of those subject to sanctions and making it more difficult for them to do business with U.S. entities, we can remove a powerful economic motivation for committing these acts in the first place. With this new tool, malicious cyber actors who would target our critical infrastructure or seek to take down Internet services would be subject to these costs when designated for sanctions.
This new executive order is specifically designed to be used to go after the most significant malicious cyber actors we face. It is not a tool that we will use every day. Law-abiding companies have absolutely nothing to worry about; for them, it’s business as usual. We will never use it to try to silence free expression online or curb Internet freedom. Nor will this authority be used to go after legitimate cybersecurity researchers or innocent victims whose computers are compromised. It is designed to be used in conjunction with our other authorities — including law enforcement and diplomatic efforts — to help deter and disrupt the worst of the cyber threats that we face.
Question: Does this apply within the US? The announcement doesn’t make that clear; it notes that Obama has authorized Treasury, State, and Justice “to sanction malicious cyber actors whose actions threaten the national security, foreign policy, or economic health or financial stability of the United States.” ABC News reports this as targeting “foreign hackers,” but the announcement itself doesn’t make that distinction. The use of sanctions such as seizing assets of “US persons,” using the legal term associated with FISA law, should require due process of criminal law. One would also think that Congress would have to authorize it. Perhaps the EO itself takes more care to distinguish this point, but the assuaging of concerns over “free expression online” and “Internet freedom” makes me wonder just how wide the White House sees the scope of the EO.