President Barack Obama has announced a new sanctions program that authorises the sanctioning of malicious cyber actors whose actions threaten the national security, foreign policy, or economic health or financial stability of the United States.
Stating that cyber threats are at the top of the President’s list of security concerns and “at a transformational moment” in how we approach cyber security, Lisa Monaco, assistant to the President for Homeland Security and Counterterrorism, said in a statement that, among the many actions in the cyber arena, this will allow the freezing of assets of those subject to sanctions, make it more difficult for them to do business with US entities, and subject them to costs.
Monaco said: “This new executive order is specifically designed to be used to go after the most significant malicious cyber actors we face. It is not a tool that we will use every day. Law-abiding companies have absolutely nothing to worry about; for them, it’s business as usual.”
She said that the tool is designed to be used in conjunction with law enforcement and diplomatic efforts to help deter and disrupt the worst of the cyber threats that we face, and said it will not be used to try to silence free expression online or curb internet freedom. “Nor will this authority be used to go after legitimate cyber security researchers or innocent victims whose computers are compromised,” she said.
The executive order signed by the President passes authorisation to the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to take such actions, including the promulgation of rules and regulations, and to employ all powers granted to the President by IEEPA, as may be necessary to carry out the purposes of this order.
“The Secretary of the Treasury may redelegate any of these functions to other officers and agencies of the United States Government consistent with applicable law,” Obama said. “All agencies of the United States Government are hereby directed to take all appropriate measures within their authority to carry out the provisions of this order.”
Corey Thomas, President and CEO of Rapid7, said: “The President’s Executive Order is intended to provide a means for the US Government to penalise and deter criminal acts that can’t easily be meaningfully addressed otherwise. Only time will tell whether it’s able to do this successfully, but at first blush the framework looks pretty reasonable.
“We particularly applaud the thresholds for harm. It’s key that acts must both cause significant negative impact, for example to national security or economic health, AND that this must manifest through specifically identified acts, such as the widespread theft of trade secrets, or disruption of the availability of computing systems. It’s also critical that the Department of Treasury has stated that it doesn’t intend to pursue security researchers under this order.
“Security research is essential for understanding how cyber attackers operate, and identifying issues that provide them with opportunities for exploitation. The findings help businesses and consumers protect themselves, yet in order to do this, researchers have to behave like attackers, and this can lead to legal complications and uncertainty.”
Bob West, chief trust officer at CipherCloud, said: “President Obama’s latest executive order makes good, common sense. It goes towards what is commercially responsible and draws a line in the sand. If we can discover who the people or groups are behind cyber attacks, we now have the legal right to take action.
“While attribution is challenging, technology evolves at a fast pace. We should have much more advanced forensics tools in the near future that will allow us to determine with certainty who is responsible for a specific attack. As challenging as attribution is, there needs to be balance between bringing criminals to justice and protecting a citizen’s right to privacy.
“Protecting information takes a concerted, coordinated approach between the private and public sector. Technology vendors need to design their products with security built in and companies need to practice good security hygiene. Finally, Congress must do its part to protect the public with sound legislation.”