Executive Order on Cyber Sanctions
President Obama has, today, issued an executive order entitled, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities." On first glance it looks like a strong step in the right direction.
The EO is notable not just for what it does, but for how it characterizes the malicious cyber activity. It is particularly welcome that assaults are now a "national emergency." It is worth reflecting tha
Published by The Lawfare Institute
in Cooperation With
President Obama has, today, issued an executive order entitled, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities." On first glance it looks like a strong step in the right direction.
The EO is notable not just for what it does, but for how it characterizes the malicious cyber activity. It is particularly welcome that assaults are now a "national emergency." It is worth reflecting that this precise language is an essential trigger for the laws invoked -- happily, it does not mean that the infrastructure of the United States is about to crumble. Some may complain that in using this phrase the President is overstating the case somewhat -- and that may be a fair criticism, on its own terms. But within the legal context in which the EO arises, the use of "national emergency" is reflective, I think, of the seriousness with the Administration views the problem -- and that's a good thing.
The other good, meta-thing that is going on here is that the Administration is reinforcing the view that its response to cyber maliciousness is not constrained to the cyber domain. Cyber events require a "whole of government" response -- and this EO builds on that concept by invoking the property-blocking authority of the Department of the Treasury.
The order itself has several useful components to it:
- First, the order requires the blocking of property for any person (either an individual or entity) that does significant cyber damage to critical infrastructure;
- It also blocks the property of anyone using cyber capabilities to cause "a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain."
- Notably, these two provisions, working together, would seem to NOT directly address the Sony hack, as Sony would not be critical infrastructure; nor was the hack for competitive advantage or private gain ... or at least it would seem not to be so;
- Second, the order also blocks property of those found to "be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means."
- This portion of the order, if seriously implemented, would have huge implications -- it, in effect is an order to freeze the assets of any foreign (i.e. Chinese) company found here in the US that uses stolen American intellectual property for commercial advantage. Taken to its logical conclusion, we might see the seizure of Alibaba's new data center in Silicon Valley.
- Third, the order uses immigration authority to restrict the entry into the United States of any individual engaged in or having contributed to the malicious cyber attack. Again, if used aggressively this could have far reaching implications for many foreign executives who will no longer be able to travel to the US.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.