The Washington Post

U.S. establishes sanctions program to combat cyberattacks, cyberspying

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. (KACPER PEMPEL/REUTERS)

President Obama on Wednesday signed an executive order establishing the first sanctions program to allow the administration to impose penalties on individuals overseas who engage in destructive attacks or commercial espionage in cyberspace.

In the works for two years, the order declares “significant malicious cyber-enabled activities” a “national emergency” and enables the treasury secretary to target foreign individuals and entities that take part in the illicit cyberactivity for sanctions that could include freezing their financial assets and barring commercial transactions with them.

The move expands the set of legal tools available to the administration to punish and deter activities including the theft of large quantities of credit card data, espionage conducted for commercial gain and cyberattacks aimed at damaging critical computer systems.

In a statement, Obama said the executive order would help to counter cyberthreats that “can emanate from a range of sources and target our critical infrastructure, our companies, and our citizens.”

The new sanctions regime is modeled in part after regimes that have been used effectively in the past for counterterrorism and counterproliferation purposes. A senior administration official said the new order puts people on notice “that we’re not going to just stand by while these threats grow.”

“Part of the message it will send is if you think you can just hide behind borders and leap laws and carry out your activities, that’s just not going to be the case,” said the official, who spoke on the condition of anonymity because he was not authorized to speak on the record. “We have other ways of getting at you, and we can hit where it hurts in terms of a financial impact.”

The order was set to be issued last week, but Obama wanted the language clarified to convey that the program was aimed at significant malicious cyberactivity, according to several people familiar with the process.

To meet the threshold for sanctions, a malicious activity will have to be harmful to national security or the nation’s economic health or foreign policy. And it will have to meet one of four “harms”: attacking critical infrastructure such as a power grid; disrupting major computer networks; stealing intellectual property or trade secrets; or benefiting from the stolen secrets and property.

“You can’t use it to go after Joe Schmo the petty criminal,” the official said. “You’ve got to be able to demonstrate [the activity] is on a scale that’s harmful to the United States as a whole.”

Analysts said the executive order is a significant step by the administration.

“This is a problem that we clearly as a nation have struggled to wrap our arms around. The more tools we have at our disposal, the better,” said Zachary Goldman, a former policy adviser at the Treasury Department’s Office of Terrorism and Financial Intelligence who now is the executive director of New York University’s Center on Law and Security.

In January, after U.S. officials faulted North Korea for a cyberattack on Sony Pictures, Obama issued an executive order allowing the government to impose financial sanctions targeting officials and government enterprises in that country. But the individuals were not designated for their direct involvement in the attack, and the sanctions authority was not specific to cyberactivity, senior administration officials said.

A handful of other episodes probably were serious enough to have merited consideration under the new sanctions program if it had existed at the time, officials said, including massive denial-of-service disruptions waged by Iran against U.S. banks in 2012.

The executive order is grounded in a 1977 law, the International Emergency Economic Powers Act, that permits the president to declare a “national emergency” with respect to threats that originate outside the United States and to impose financial sanctions on the source of those threats.

The executive order authorizes the treasury secretary, in consultation with the attorney general and the secretary of state, to designate foreign individuals or entities who have been found to have engaged in the malicious activity. Any case must be supported by evidence that could withstand a court challenge. A visa ban may also be imposed.

Officials said the administration has not identified possible targets under the new program. It could be used to sanction Chinese military hackers who have waged industrial espionage as well as the state-owned enterprises that benefit from their campaigns, the official said. It is particularly useful in cases where law enforcement tools won’t work, he said.

The program’s effectiveness will depend on its implementation, said Bruce Klingner, senior research fellow for Northeast Asia at the Heritage Foundation. On North Korea, for instance, he said that the administration “has pursued a policy of timid incrementalism — of talking a tough game, but not following through on its rhetoric.”

But James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, said the new program is promising — especially as a tool to combat one of the nation’s top cyberthreats: economic espionage by China.

“You have to create a process to change the behavior of people who do cyber-economic espionage,” he said. “Some of that is to create a way to say it’s not penalty free. This is an effective penalty. So it moves them in the right direction.”