On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.
Ransomware attacks use malware, often injected through phishing schemes, to encrypt a victim’s data files or programs, followed by a ransom demand by the threat actor that offers the decryption key in exchange for payment. Payment is often demanded in bitcoin, and thus third-party services are often used to make such payments. Increasingly, ransomware attacks not only lock data up but also steal data from the victim and threaten to publish sensitive files belonging to victims. According to OFAC, ransomware attacks have been increasing over the last two years and are a special risk during the COVID-19 pandemic, with cybercriminals targeting not only large corporations but also small to medium enterprises, hospitals, schools, and local government agencies.
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) soliciting comments by October 26, 2020, to identify foundational technologies essential to U.S. national security (the Foundational Technologies ANPRM). The ANPRM is only one step in a multiyear process through which the U.S. government transforms the regulations restricting the availability of U.S.-sourced technology in the global marketplace.
This long-awaited ANPRM launches an intra-agency review process required under Section 1758 of the Export Control Reform Act of 2018 (ECRA), which Congress passed in the National Defense Authorization Act for Fiscal Year 2019 (2019 NDAA). ECRA directed BIS to identify and establish controls on the export, reexport, or transfer (in country) of emerging and foundational technologies essential to the national security of the United States. On November 19, 2018, BIS issued an ANPRM on identification of emerging technologies (the Emerging Technologies ANPRM), indicating that a separate notice for foundational technologies was forthcoming.
Today’s Foundational Technologies ANPRM can be found here. Sidley’s prior updates on ECRA and the Emerging Technologies ANPRM can be found here. Here we summarize five key takeaways from today’s notice.
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) has published an advance notice of proposed rulemaking (ANPRM) initiating a 30-day public comment process regarding export controls for certain emerging technologies. The notice launches the implementation of a key provision of the Export Control Reform Act of 2018 (ECRA), part of the National Defense Authorization Act for fiscal year 2019 (NDAA). In the ECRA, Congress authorized BIS to establish controls on the export, reexport and transfer (in country) of “emerging and foundational technologies.” The ANPRM, including a list of the 14 proposed representative technology categories and subcategories subject to review, can be found here. Our prior updates on the NDAA and ECRA can be found here.
On December 28, 2016, former President Obama issued Executive Order 13757, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (E.O. 13757). E.O. 13757 amends an earlier Executive Order 13694 (E.O. 13694) of April 1, 2015, under which the President declared a “national emergency” to deal with the “unusual and extraordinary threat” to U.S. national security, foreign policy and the economy posed by malicious cyber-enabled activities conducted by persons outside the United States in relation to the November 2016 election. Through the December 2016 amendment, President Obama took “additional steps” to deal with such malicious cyber activities in view of their increasing use “to undermine democratic processes or institutions.”