Obama's cyber sanctions order adds punch to fight against foreign hackers
In a move with broad ramifications, President Obama issued an executive order Wednesday that authorizes US government sanctions against individuals or entities engaged in "cyber-enabled" activities deemed harmful to American interests.
The gives the Treasury Secretary targeted authority to seize property and to freeze assets belonging to people that are found engaged in such electronic attacks. It is targeted primarily at overseas actors operating out of countries that are unable or unwilling to take action against entities carrying out hacking from within their borders.
Mr. Obama鈥檚 latest use of executive authority appears to be a response to growing calls for the US to have a strong policy for deterring attacks against its interests in cyberspace.
Over the past few years, criminal gangs and state-sponsored groups outside the US have launched countless attacks against the American government, military, and commercial networks. The attacks have resulted in what security experts say is massive theft of US intellectual property, trade secrets, financial, and personally identifiable data, and hundreds of millions of dollars from individual and commercial bank accounts. Many say that foreign threat actors have the technical ability and the resources needed to seriously disrupt and degrade U.S critical infrastructure services.
鈥淭here does need to be more potential downside for cybercriminals outside the US when they attack the US,鈥 said听John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity training organization.听
What's more, he said, the executive order听is an overdue recognition that the vast majority of attacks against US interests are financially motivated and criminal in nature rather than being acts of cyberwar.
Activities covered under the order include attacks that significantly disrupt services in a critical infrastructure sector or disrupt the availability of a computer or network for a significant length of time. Individuals or entities responsible for attacks that result in major financial loss or the theft of intellectual property, trade secrets, personal identifiers, and information that would give someone an unfair market advantage, could also face sanctions under the new authority.
The order serves notice on those seeking to harm US interests in cyberspace, Mr. Obama said in a . 鈥淭argeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst.鈥
Obama鈥檚 statement pointed to the recent attacks on Sony Pictures that were ascribed to North Korea and attacks by Iranian hackers against multiple American banks as examples of the kind of activity the new authority seeks to deter.
鈥淔rom now on, we have the power to freeze their assets, make it harder for them to do business with US companies, and limit their ability to profit from their misdeeds,鈥 he noted
Administration officials on Wednesday stressed the new authority would only be used in a limited and highly targeted fashion to go after cyber actors who pose an extraordinary threat to US national security, foreign policy, economic health, or financial stability.
In imposing sanctions on an individual or entity under the authority of the executive order, the government will publicly make available all unclassified information pertaining to the decision, officials noted in a press briefing.
Sanctioning threat actors will limit their access to the US financial system, technology, and infrastructure, said Michael Daniel, the White House cybersecurity coordinator. The executive oder "enables us to have a new way of both deterring and imposing costs on malicious cyber actors wherever they may be,鈥 said Mr. Daniel.
It is too soon to say how effective sanctions are really going to be against the threat actors responsible for such attacks. Attribution continues to be a huge problem in cyber space. Because attackers often use proxy servers, compromised systems, and other techniques to hide their tracks, it is often impossible to track an online attack back to its source with any degree of certainty.
Also, some worry that the order could have unintended consequences when it comes to cybersecurity research.听鈥淔or听example, could the executive order be used to issue sanctions,听without due process, against security researchers who make or听distribute penetration testing tools,鈥 said Kurt Opsahl, general counsel at the Electronic Frontier Foundation, a digital rights advocacy group.
鈥淭he tools that could be used听for attacks are also vital for defense," notes Mr. Opsahl, "and security researchers who听use them should not have to worry that they may face sanctions from听the Secretary of the Treasury.'
听
