Apr 22015

New U.S. Sanctions Program Targets Malicious Foreign-Origin Cyber Activities

Sidley Data Matters Contributors
,

Yesterday, the United States established a new sanctions program designed to deter and financially target foreign parties who engage in, support or profit from “significant malicious cyber-enabled activities.” Declaring a national emergency, President Barack Obama issued an executive order authorizing the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to identify as Specially Designated Nationals and Blocked Persons (SDNs) cyber-actors whose activities significantly harm the national security, foreign policy or economic health or financial stability of the United States. The U.S. government has not yet designated any parties under this new sanctions program. Once parties are so designated, U.S. companies must cease doing business with them and report any blocked property to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).

In a statement accompanying the executive order, the President identified the targets of these sanctions as “those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American citizens for profit.” Also vulnerable to sanctions under the new program are persons who knowingly use stolen trade secrets to undermine the economic health of the United States. In a “Frequently Asked Questions” document, OFAC, which is responsible for issuing implementing regulations and posting the names of designated parties, states that the program “is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. Government.”

Activities such as the cyber-attack on Sony Pictures, which the Administration attributes to North Korea, the hacking that major retailers experienced in the last year, compromising private consumer information, attacks on U.S. government computer systems, and the hacking of corporate computer systems to obtain trade secrets, if perpetrated from outside the United States, would make those responsible vulnerable to designation. In addition, all property and interests in property that are in the United States, or that are or come within the possession or control of any U.S. person, would be blocked and may not be transferred, paid, exported, withdrawn or otherwise dealt in. By including activities such as the use of trade secrets and financial, material and technological support for hackers, the Order provides a tool to go after the support networks for hackers, as well the hackers themselves.

Specifically, the Order applies to any person outside the United States determined to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside of the United States that have the purpose or effect of:

  1. Harming or otherwise significantly compromising the provision of services by a computer or network of computers that support one or more entities in a critical infrastructure sector;
  2. Significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
  3. Causing a significant disruption to the availability of a computer or network of computers; or
  4. Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.

The Order also permits the Secretary of the Treasury to designate parties who derive commercial or economic gain from trade secrets misappropriated through cyber-enabled means; who have materially assisted, sponsored or provided financial, material or technological support for, or goods or services in support of such activities; or are owned or controlled by parties blocked under the Executive Order. Any business, including banks and online commerce providers, would be liable if it provides services to, received funds from, or fails to block the property of persons designated under the program. In addition, the Order blocks designated individuals from entering the United States.

Significantly, the sanctions are not limited to attacks on the owners or operators of critical infrastructure, or their service providers. In addition, attacks causing “a significant disruption” to computer networks, and attacks involving theft of trade secrets, financial or personal information, will be covered. Nonetheless, White House Cybersecurity Coordinator Michael Daniel and John Smith, the Acting Director of OFAC, indicated in a press conference yesterday that the new tools provided by the Executive Order would be used “judiciously.” Acting Director Smith also stated, as reported by Politico, that the Administration, “would welcome the input from the private sector and others that may have relative [sic] information on trade secret theft that might be covered by the executive order.”

Screening software will have to be updated when the first designations are made under this new sanctions program. It remains to be seen what the reaction will be from countries associated with state-sponsored or state-condoned cyber-attacks, as well as the level of support for sanctions the United States will receive from allies. This aggressive new U.S. cyber initiative will very likely shock the status quo on cybersecurity, and perhaps shift the global focus on this issue from the realm (primarily) of national security toward a more economic and trade-based policy arena.

If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or

Alan Charles Raul
Partner
+1.202.736.8477
araul@sidley.com		 Andrew W. Shoyer
Partner
+1.202.736.8326
ashoyer@sidley.com		 Edward R. McNicholas
Partner
+1.202.736.8010
emcnicholas@sidley.com
 Brenda A. Jacobs
Counsel
+1.202.736.8149
bjacobs@sidley.com		 Cameron F. Kerry
Senior Counsel
+1.202.736.8499
ckerry@sidley.com

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.