Retaliation for Cyber Attacks; A new Executive Order

Today President Barack Obama signed his latest executive order on cybersecurity issues; this time outlining at least one method by which the Administration intends to respond to significant cyber attacks. This executive order (the number will be made available when the order is officially published in the Federal Register on Friday or Monday) is entitled: “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”.

Declaration of National Emergency

This Executive Order is an exercise of presidential authority granted under 50 USC 1701. That authorizes the President to react to a declared national emergency. The preamble to this Executive Order is a declaration that “the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States”. While not as expansive as many other declarations, this should satisfy the requirements of §1701.

Authorization for use of Economic Sanctions

In this exercise of presidential authority the president is allowed {§1702(a)} to investigate, regulate or prohibit:

∙ Any transactions in foreign exchange;

∙ Transfers of credit or payments between, by, through, or to any banking institution, to the extent that such transfers or payments involve any interest of any foreign country or a national thereof; and

∙ The importation or exportation of currency or securities.

This authorization extends to any person or property subject to the jurisdiction of the United States.

Defining the People Affected

The EO provides a fairly comprehensive description of the people and organizations that will be affected by these sanctions. Section 1 of the EO provides that the Secretary of the Treasury is responsible for identifying people that are “responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States”.

The activities are further described as being “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States”. Specifically identified are activities that {§1(a)(i)}:

∙ Harm, or otherwise significantly compromise the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;

∙ Significantly compromise the provision of services by one or more entities in a critical infrastructure sector;

∙ Cause a significant disruption to the availability of a computer or network of computers; or

∙ Cause a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

Additionally, the President intends to take action against anyone that {§1(a)(i)}:

∙ Receives or uses for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means;

∙ Has materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in this order;

∙ Is owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to this order; or

∙ Has attempted to engage in any of the activities described in this order.

Maximizing the Sanctions

Normally 50 USC 1702 prohibits sanctions from affecting “donations, by persons subject to the jurisdiction of the United States, of articles, such as food, clothing, and medicine, intended to be used to relieve human suffering” {§1702(b)(2)}. The President, however, evoked the exception to that rule by declaring {§2} that allowing those types of donations “would seriously impair my ability to deal with the national emergency declared in this order”. Thus, strictly humanitarian may also be restricted from being provided to the persons or organizations identified by the Secretary of the Treasury.

Additionally, the President has opted to {§4} “suspend entry into the United States, as immigrants or nonimmigrants” for any of the people designated by the Secretary.

The remainder of the EO is essentially housekeeping; providing authorization for various federal agencies to undertake the necessary work to make this order effective.

Commentary

This EO is largely targeted at economically inspired cyber-attacks on the United States. This was at least partially clarified by Lisa Monaco, the chief counterterrorism advisor to the President; who said in a National Security Council blog post today:

Malicious cyber activity — whether it be stealing sensitive information, including personal identifiers, or trade secrets — is often profit-motivated. Because those responsible want to enjoy the ill-gotten proceeds of their activities, sanctions can have a significant impact. By freezing assets of those subject to sanctions and making it more difficult for them to do business with U.S. entities, we can remove a powerful economic motivation for committing these acts in the first place. With this new tool, malicious cyber actors who would target our critical infrastructure or seek to take down Internet services would be subject to these costs when designated for sanctions.

These types of tools have not been enormously successful in countering drug cartels, for instance. And their utility against foreign governments has been almost completely inconsequential (except for the residents of those nations). It is hard to understand how anyone expects this to have any serious consequence in reducing, much less stopping foreign based cyber-attacks against this country.

It does provide the government with the ability to ‘take action’ short of direct counter-attacks by cyber, cyber-physical or conventional military forces. The fact that this action can be corrected in kind if the attribution about the source of the original attack turns out to be mistaken will allow actions to be taken with less thought of consequences of mis-attribution. To that extent this is probably a good (if ineffective) tool to have available; it will allow for political cover while further investigation takes place.