Friday, December 30, 2016

President Amends EO 13694 and Sanctions Russians

Yesterday the President signed a new executive order (number to be published) that amends the existing EO 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, which was originally published in April 2015. This action was taken in response to the activities of Russian intelligence agencies during the 2016 presidential election cycle.

Amended EO 13694

The amendment of the so-called cyber response executive order does three things. First, it adds an annex {Annex A} to the Executive Order providing a list of specific people to whom the sanctions provided for in the order will apply. Second, it provides a new ‘offense’ for which sanction activities may be applied in the future {1(a)(ii)(E)}. Finally, it provides the Secretary of the Treasury with the authority to remove names from Annex A when “circumstances no longer warrant the blocking of the property and interests in property of a person listed in the Annex to this order” {new Section 10}.

The new annex includes four ranking members of the Russian Main Intelligence Department [GRU], the GRU and the Russian Federal Security Service, as well as two affiliated civilian organizations. Coincidentally, the Treasury Department also named two Russian individuals to the Specially Designated Nationals List (SDN) (the same list to which the persons and organizations in the Annex were added, see pages 356 thru 360 for all of the additions made yesterday) for cybersecurity fraud related issues not related to the election.

The new offense was added as paragraph 1(a)(ii)(E):

Tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions;

Other Russian Sanctions

The White House also announced two other sets of sanctions against the Russian Government yesterday. First, it is expelling 35 Russian diplomats (intelligence officers), giving them and their families 72 hours to leave the country. It is also denying remaining Russian diplomatic personnel access to two Russian-owned properties in Maryland and New York.

Officially this action is not related to the reported Russian ‘interference’ in the 2016 election, but it is rather being taken because over the last two years “harassment of our diplomatic personnel in Russia by security personnel and police has increased significantly and gone far beyond international diplomatic norms of behavior”.

Russian reaction to these ‘other sanctions’ is already being reported. CNN reports that the Russians have “ordered the closure of the Anglo-American School of Moscow” (school for the children of English-speaking diplomats) and closed “access to the US embassy vacation house in Serebryany Bor, near Moscow”.

Joint Analysis Report

Also yesterday the FBI and US-CERT issued a joint analysis report (JAR-16-20296A) on the election security compromises, code-named GRIZZLY STEPPE. This report is supposed to provide the technical support for the claim of Russian intelligence involvement in the hacks of the email systems of the Clinton Campaign and the Democratic National Committee.

While it does not provide any direct evidence of Russian involvement (that information almost certainly remains classified), the report does provide the indicators of compromise that are associated with those hacks. Those indicators include the YARA signature (in the report) and CSV and STIX format files of the indicators available on the GRIZZLY STEPPE web page.

The bulk of the JAR is a listing of mitigation measures that individuals and organizations can take to prevent similar attacks in the future. Unfortunately, there is nothing new here. All of the mitigation techniques should have been well known by the IT people responsible for the systems involved.


The other sanctions being directed at diplomats here in the United States are a fairly common game played in the diplomatic community. The people being expelled are known intelligence personnel, almost certainly responsible for classic spying type operations here in the United States. Their expulsion will have some delaying effects on those spying efforts, but no effects of any long-term consequence. The US personnel that will be expelled from Moscow in retaliation will be responsible for similar efforts against the Russians.

It is very likely that the expulsions have nothing to do specifically with the election fiasco. Announcing them on the same day as the EO 13694 actions allows the press to conflate the two separate sanctions, making the EO 13694 sanctions seem more effective. The freezing of assets under EO 13694 may have some effect on the individuals and organizations listed, but only if they have clearly identified assets in the United States. Even that effect will be minimized if/when the individuals are ultimately removed from the Annex A list.

Congressional leaders on both sides of the fence are saying, essentially: about time, but too little too late. I’m not sure what the politicians want (other than blood?). I guess the CIA and NSA could hack the political emails of Putin cronies and leak them to the Russian press. I don’t suspect, however, that they would get the same play in Russia as we saw in the US press during the election.

That is the big point that is being lost here. There is nothing really new here in the hacks of the political emails; that is espionage, pure and simple. Intelligence agencies sharing that information with the press is unusual, but not unprecedented. Of course, if it had been ‘Deep Throat’ sharing the emails it would not have caused nearly the stir.

What was unprecedented was the huge amount of play that the American press gave the leaked emails, even when it was patently clear that it was a foreign intelligence agency responsible for the leak. If the press had not spent so much time talking about the petty squabbles and indiscretions of the party and campaign officials (and there was nothing new there in the level of squabbles or seriousness of indiscretions) then this whole thing would have been a non-issue that these sanctions would have been more than appropriate to deal with.

Unfortunately, we have not heard the last of this.
