Cyber sanctions may temper foreign threats, but cyber crime hurdles remain
The White House is drawing generally favorable reaction to its executive order allowing imposition of sanctions on overseas cyber criminals, but it's not yet the “silver bullet” solution to the ongoing hacking threat against U.S. interests.
Saying that cyber threats “pose one of the most serious economic and national security challenges to the United States,” President Barack Obama signed the executive order April 1 allowing federal authorities to freeze the assets of individuals or entities involved in activities such as intellectual property theft.
“As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies and our citizens,” President Obama said in a statement. “This executive order offers a targeted tool for countering the most significant cyber threats that we face.”
Mike Rogers, former chairman of the House Intelligence Committee, said the executive order is a good first step.
“It is the starting of the accumulation of tools, and you will need lots of tools to continue this job of pushing back against cyber hackers,” said Mr. Rogers, now a commentator on security issues and a distinguished fellow at the Hudson Institute. “The reason this part is not the silver bullet is that you have that whole process of attribution. You have to go through a process to establish who did it. That's no small matter. It takes highly technical and intellectual resources to deal with that problem.”
Mr. Rogers said last week's revelation that a White House computer system was breached by Russia implicates just one of several foreign governments that have infiltrated U.S. systems.
“I think this is just a public face of what everybody in cyber space already knows — that there's a cyber war going on, and most Americans don't recognize it,” Mr. Rogers said.
The executive order authorizes the treasury secretary, in consultation with the secretary of state and the attorney general, to impose sanctions on individuals or entities overseas that engage in malicious cyber-enabled activities posing a “significant threat to the national security, foreign policy or economic health or financial stability of the United States,” according to a White House fact sheet.
This includes compromising provision of services by entities in a “critical infrastructure sector;” significantly disrupting the availability of a computer or computer network; and “causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.”
People or entities that “knowingly receive or use” or assist in such cyber thefts also would be subject to sanctions.
“The most important part of it is the president is coming out and stating there is a national emergency,” said Raymond O. Aghaian, a partner in the Los Angeles office of McKenna Long & Aldridge L.L.P. and co-chair of the law firm's cyber security practice.
While cyber attacks involving individuals' information, such as the one on Target Corp., have been made public, “what we don't hear as much about is the attacks on a daily basis where intellectual property and trade secrets are stolen,” he said.
Although “we don't know yet” how effective the new power will be, it is promising “because it raises the prospect for the first time that we can take our much-improved attribution capabilities and use them to punish people who are breaking the rules,” said Stewart A. Baker, partner in the Washington office of Steptoe & Johnson L.L.P. and a former Department of Homeland Security official.
Basically, he said, this “is a framework for adjudicating in a classified environment who has been breaking into U.S. companies with a view to causing damage or stealing secrets.”
The executive order could deter would-be hackers whose personal assets and travel could be threatened, said Alan Charles Raul, a partner in the Washington office of Sidley Austin L.L.P. and leader of the firm's privacy, data security and information law practice.
“It could be a factor if it's vigorously enforced,” he said.
If a particular actor is sanctioned, all U.S. entities would be prohibited from doing business with it — even if it changes its name, Mr. Aghaian said.
If state-sponsored activities were part of the prohibited conduct, sanctions could be imposed on foreign governments, Mr. Raul said.
He suggested developing a trade strategy to look at products imported into the United States that have been developed using purloined research and development and then enforce sanctions against the imports.
An insurance group hailed the move but also raised concern.
“We are glad to see the administration continuing to take the nation's cyber security seriously, and we hope that the latest executive order will act as the deterrent it is intended to be,” said Jonathan Bergner, federal affairs director in the Washington office of the National Association of Mutual Insurance Cos.
“Unfortunately, the very real problem of attribution — clearly identifying the perpetrator of an attack — remains incredibly difficult,” Mr. Bergner said. “Slapping foreign-based hackers with sanctions is useful, but we need to know who to slap.”