President Barack Obama signed an executive order Wednesday allowing the use of economic sanctions for the first time against perpetrators of destructive cyber-attacks and online corporate espionage.
That will let the Treasury Department freeze the assets of people, companies or other entities overseas identified as the source of cybercrimes. The federal government also will be able to bar U.S. citizens and companies from doing business with those targeted for sanctions.
“Cyberthreats pose one of the most serious economic and national security challenges to the United States,” Obama said in a statement. “As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies and our citizens.”
Under the order, sanctions only will be used if a cyber-attack threatens to harm U.S. national security, foreign policy or the broader economy. It’s aimed at cybercriminals who target critical infrastructure, disrupt major computer networks, or are involved in the “significant” theft of trade secrets or intellectual property for competitive advantage or private financial gain.
The administration is using the threat of sanctions to help prevent large-scale data theft after breaches at major U.S. corporations, including retailer Target Corp., health-insurer Anthem Inc. and home-improvement chain Home Depot Inc. It’s also a recognition that companies are facing increasingly destructive attacks, such as the hack against Sony Pictures Entertainment that crippled thousands of computers and delayed release of a comedy movie.
Sanctions imposed under the executive order will help disrupt the operations of hackers who may be in countries outside the reach of U.S. law enforcement, John Carlin, U.S. assistant attorney general for national security, said in a phone interview.
Banks and other companies connected to the U.S. financial system will be required to prohibit sanctioned hackers and entities from using their services, cutting them off from valuable resources, Carlin said.
“It’s a new powerful tool and we intend do to use it,” Carlin said. “It has the capability to significantly raise the cost for those who steal or benefit through cybercrime.”
The unique aspect of the executive order is that it allows the U.S. to impose sanctions on individuals or entities over hacking attacks regardless of where they are located, White House Cybersecurity Coordinator Michael Daniel told reporters on a conference call. While other sanctions are tied to a particular country or group of persons, hacking attacks transcend borders.
“What sets this executive order apart is that it is focused on malicious cyber-activity,” Daniel said. “What we’re trying to do is enable us to have a new way of both deterring and imposing costs on malicious cyber-actors wherever they may be.”
The order is a signal of the administration’s “clear intent to go on offense against the full range of very serious cyberthreats that are out there,” said Peter Harrell, the former principal deputy assistant secretary for sanctions at the State Department.
“This is a message that if folks around the world don’t cut out these activities, they’re going to find themselves cut off from the American banking system,” Harrell said in an interview.
Harrell said there are potential stumbling blocks to effective implementation. For one, hackers work hard to conceal their identity. Even though the U.S. and private companies have improved their ability to trace attacks, attribution can sometimes be difficult.
Daniel acknowledged that determining who is actually behind hacking attacks is still a challenge but said the U.S. is getting better at it.
In other cases, diplomatic considerations may be at play. The administration’s decision in 2014 to file criminal charges against five members of the Chinese military over their role in cyber-espionage strained relations with Beijing.
In January, Obama authorized economic sanctions against 10 North Korean officials and government entities in connection with the Sony attack. The North Korean government has denied any involvement in the Sony case.
Harrell said the use of sanctions can provide leverage as the U.S. registers complaints with governments overseas about cyber-attacks. Targeted use of the new sanctions powers also may help deter criminals.
“A number of these cyber-attacks are organized by fairly significant actors out there -- large hacking collectives, or organized by foreign intelligence agencies,” Harrell said. “They all have real potential costs if they were put on sanctions lists.”
The Obama administration has been under pressure to take action to help companies protect their networks from cyber-attacks. In early March, Premera Blue Cross announced that hackers may have accessed 11 million records, including customer Social Security numbers, bank account data and medical information.
Home Depot in September said 56 million payment cards and 53 million e-mail addresses had been stolen by hackers. And just days earlier, JPMorgan Chase & Co. announced a data breach affecting 76 million households and 7 million small businesses.
The highest-profile breach, however, may have been the hacking of Sony Pictures. The U.S. government said North Korean hackers broke into the studio’s network and then exposed e-mails and private employment and salary records. U.S. authorities said it was in retaliation for plans to release “The Interview,” a satirical film depicting the assassination of leader Kim Jong Un.