On April 1, President Obama signed an Executive Order (EO 13694) modernizing the American arsenal of sanctions to counter new and evolving types of "cyber-enabled activities" and related threats. EO 13694 expands the United States' ability to effectively combat complex, malicious, and increasingly frequent cybercrime directed against the United States government and "U.S. persons." This new tool authorizes the Treasury Department's Office of Foreign Assets Control (OFAC), in consultation with the Attorney General and Secretary of State, to designate as Specially Designated Nationals (SDNs) individuals and entities determined to be responsible for or complicit in "malicious cyber-enabled activities."
In a written statement, President Obama acknowledged that the new wave of cyber threats "pose one of the most serious economic and national security challenges to the United States." Although no parties have yet been designated under the EO, in its Frequently Asked Questions (FAQs), OFAC provides that EO 13694 is "intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government."
The EO enumerates a broad range of "harms" related to "cyber-enabled activities," which have resulted in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. Implementing regulations issued pursuant to this EO will likely define "cyber-enabled" activities to include any act that is primarily accomplished through, or facilitated by, computers or other electronic devices. For purposes of EO 13694, malicious cyber-enabled activities include:
- Harming or significantly compromising the provision of services by entities in a critical infrastructure sector;
- Significantly disrupting the availability of a computer or network of computers, including through a distributed denial-of-service attack;
- Misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
- Knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain; or
- Attempting, assisting, or providing material support for any of the harms listed above.
As under other OFAC sanctions programs, "U.S. persons" and persons otherwise subject to OFAC jurisdiction are prohibited from dealing with SDNs and any entities that are 50% or more owned or controlled by SDNs, as well as with their property and interests in property. This prohibition presents practical challenges when performing due diligence on many international transactions. The Order also provides for a visa and travel ban on such designated persons.
Significantly, the latest move continues a series of steps taken by the Administration and Congress in recent months to raise the profile of cybersecurity issues and bolster the United States' ability to combat cybercrime. As Venable previously reported, the White House imposed new sanctions against North Korea in response to the highly publicized cyber espionage attack on a private company for the first time earlier this year. Last month, the President announced the creation of the Cyber Threat Intelligence Integration Center, a new division within the Office of the Director of National Intelligence, to streamline the compilation of cyber threat data among intelligence agencies. Congress is also considering several pieces of legislation that would strengthen cybersecurity defenses, including voluntary cyber threat information exchanges between the private sector and government.
Cyber attacks are often orchestrated by sophisticated individuals and elements of organized crime. EO 13694 adopts the same tactic used to combat terrorism and narcotics trafficking; namely, the targeting of individuals regardless of their location or affiliation with a governmental entity. Thus, although cyber designations have not been issued in the past, this EO serves as a reminder that all U.S. persons and businesses operating in the U.S. – especially those who facilitate online commerce – are responsible for screening their commercial transactions to ensure that they are not engaging in transactions, or otherwise dealing, with "blocked" persons named by OFAC or other U.S. Government agencies.
Implementation of the EO should be factored into compliance protocols of U.S. companies. In particular, regularly screening business partners, customers, vendors, and other parties to a transaction against OFAC's SDN List and the U.S. Government's Consolidated Screening List is recommended to help ensure compliance with these laws and regulations.
Venable will continue to monitor OFAC's administration of the new cyber sanctions and the listing of persons and entities under EO 13694. If you have any questions about the application of U.S. sanctions to your business activities or are interested in implementing a compliance program to mitigate your risk, please contact Venable's International Trade or Cybersecurity groups.