In the aftermath of the cyber attack on the Office of Personnel Management and the significant loss of corporate intellectual property, the U.S. government has announced new tools to respond to and to deter such harmful attacks. On December 31, 2015, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued new U.S. Cyber-Related Sanctions Regulations, set forth in 31 C.F.R. § 578 (“Cyber-Related Sanctions Regulations”). The Cyber-Related Sanctions Regulations are designed to implement Executive Order 13694, which targets perpetrators of malicious cyber-activities (e.g., hacking and Distributed Denial of Service (DDoS) attacks) as well as those who support such activities and certain recipients and users of stolen trade secrets.
In its December 31 publication of the Cyber-Related Sanctions Regulations, OFAC stated that it was publishing the regulations in an abbreviated form and expressed its intention to supplement the regulations with a more comprehensive set of regulations. The regulations, as currently published, largely mirror OFAC’s standard abbreviated regulations for programs involving blocked persons.
The U.S. government has not yet designated any parties under this new sanctions program. Therefore, for the time being, companies need not take any action. However, once parties are blocked for cyber-related sanctions purposes, their names will be added to the OFAC Specially Designated Nationals List, which must be checked and complied with. Finally, while OFAC has not provided any specific channel for companies to identify possible cyber-related sanctions targets to the U.S. government (i.e., foreign hackers), we believe that OFAC and other agencies would be receptive to receiving such information from companies with potentially relevant information.
The Cyber-Related Sanctions Regulations, currently without elaboration, prohibit all transactions prohibited under E.O. 13694, including dealing in the property or interests in property, that come within the United States, of blocked persons. Under E.O. 13694, any party may be blocked if the U.S. government determines that the party is responsible for or complicit in, or has engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside of the United States that have the purpose or effect of:
- Harming or otherwise significantly compromising the provision of services by a computer or network of computers that supports one or more entities in a critical infrastructure sector;
- Significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
- Causing a significant disruption to the availability of a computer or network of computers; or
- Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.
The Order also permits the Secretary of the Treasury to designate parties who derive commercial or economic gain from trade secrets misappropriated through cyber-enabled means; who have materially assisted, sponsored or provided financial, material or technological support for, or goods or services in support of such activities; or are owned or controlled by parties blocked under the Executive Order. OFAC defined “financial, material, or technological support” as any property, tangible or intangible, including, but not limited to, currency, securities, weapons, false documentation, communications equipment, electronic devices, lodging, transportation, goods, or technologies. In addition, the Order blocks designated individuals from entering the United States.
Similar to other regulations concerning blocked persons, the Cyber-Related Sanctions Regulations require any U.S. persons holding blocked funds to place them in interest bearing accounts outside of the control of the blocked person.
In addition to the definitions included in other sanctions regulations concerning blocked persons, OFAC has provided a definition of “technologies” as “specific information necessary for the development, production, or use of a product.” OFAC also stated that it may provide a definition of “cyber-enabled” activities in the more comprehensive regulations that it will publish later. OFAC currently anticipates that the definition will include “any act that is primarily accomplished through or facilitated by computers or other electronic devices.”