New Executive Order Authorizes OFAC to Impose Sanctions on Perpetrators of Malicious Cyber Threats | Practical Law

New Executive Order Authorizes OFAC to Impose Sanctions on Perpetrators of Malicious Cyber Threats | Practical Law

President Obama has issued an executive order that creates the framework for imposing sanctions on perpetrators of significant malicious cyber activity aimed at the US or its citizens. The sanctions are authorized under the International Emergency Economic Powers Act (IEEPA) and allow the US Department of Treasury's Office of Foreign Asset Control, in consultation with the US Attorney General and Department of State, to impose economic sanctions on perpetrators of cyber attacks.

New Executive Order Authorizes OFAC to Impose Sanctions on Perpetrators of Malicious Cyber Threats

by Practical Law Commercial
President Obama has issued an executive order that creates the framework for imposing sanctions on perpetrators of significant malicious cyber activity aimed at the US or its citizens. The sanctions are authorized under the International Emergency Economic Powers Act (IEEPA) and allow the US Department of Treasury's Office of Foreign Asset Control, in consultation with the US Attorney General and Department of State, to impose economic sanctions on perpetrators of cyber attacks.
On April 2, 2015, President Obama issued an executive order, Blocking the Property of Certain Persons Engaging in Significant Cyber-Enabled Activities (Executive Order), authorized under the International Emergency Economic Powers Act. The Executive Order allows the US Department of Treasury's Office of Foreign Assets Control (OFAC), in consultation with the Attorney General and State Department, to impose economic sanctions on perpetrators of significant malicious cyber activity, commonly known as cyber attacks, aimed at the US or its citizens. Unlike other sanction regimes, no persons were blocked under this program at the time it was announced. This is the first US sanction regime specifically aimed at those who assist in or commit cyber attacks on the US or its citizens.
(Exec. Order No. 13694, 80 Fed. Reg. 180772015 (April 1, 2015)).

The Executive Order

The Executive Order authorizes OFAC to block all property of persons that, as determined by the Secretary of the Treasury in consultation with the Attorney General and the Secretary of State:
  • Are directly or indirectly involved in cyber-enabled activities originating from, or directed by persons located, in whole or substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy or economic health or financial stability of the United States and that has the purpose or effect of:
    • harming or significantly compromising the provision of services by a computer or network of computers that support one or more entities in a critical infrastructure sector;
    • significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
    • causing a significant disruption to the availability of a computer or network of computers; or
    • causing a significant misappropriation of funds, economic resources, trade secrets, personal identifiers or financial information for commercial, competitive or private advantage or financial gain.
  • Are responsible for, complicit in or have engaged in the knowing receipt or use of the trade secrets of a US commercial interest that were misappropriated through cyber-enabled means by a person or entity outside the US for commercial or competitive advantage or private financial gain.
  • Materially assisted, sponsored or provided financial, material or technological support for those perpetrating cyber attacks or those blocked by this Executive Order.
  • Directly or indirectly are owned, controlled or act on behalf of any person blocked under this Executive Order. On August 15, 2014, OFAC issued revised guidance for entities that own 50% or more of persons or entities that are already blocked by an Executive Order or OFAC. For more information on OFAC's 50 percent rule, see Legal Update, OFAC Now to Aggregate Ownership Interests for the "50 Percent" Rule.
  • Attempted to engage in any of the activities prohibited by this Executive Order.

Malicious Cyber-enabled Activities

The Executive Order refers to, prohibits and prohibits supporting, but does not define, "malicious cyber-enabled activities." How OFAC defines malicious cyber-enabled activities will determine the scope of the order. According to OFAC, in its FAQs on the executive order, the definition is anticipated to be released in subsequent regulations and is expected to include:
  • Any deliberate act accomplished through unauthorized access to a computer system, including by remote access.
  • Circumventing one or more protection measures, including by bypassing a firewall.
  • Compromising the security of hardware or software in the supply chain.

Practical Implications

The President and OFAC have created a broad, sanction-imposing cyber security framework. However, much of the substantive detail needed to evaluate the risk of possible sanctions has yet to be released. No person was initially blocked under this sanction regime, unlike other similar sanction regimes that blocked persons when announced.
Counsel should prepare to update their policies, procedures and standards for selecting business partners to comply with the related OFAC regulations when the regulations are released.