The executive order enables US government agencies to block the assets of any foreign person determined to have engaged in malicious cyber-enabled activities.
On April 1, US President Barack Obama issued Executive Order 13694, which became effective immediately. This new tool to fight foreign-origin cyber warfare allows US agencies to block the assets of any foreign person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in or to have directly or indirectly engaged in cyber-enabled activities. These activities encompass those that originated from or were directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to US national security, foreign policy, or economic health or financial stability and that have the purpose or effect of
-
harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
-
significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
-
causing a significant disruption to the availability of a computer or network of computers; or
-
causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
The executive order allows any foreign person’s assets to be blocked and such person to be named as a Specially Designated National if the person is found to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described above or any person whose property and interests in property are blocked pursuant to the executive order; or to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to the executive order; or to have attempted to engage in any of the activities described.
Section 6(d) of the executive order clarifies that the term ‘‘critical infrastructure sector’’ means any of the designated critical infrastructure sectors identified in Presidential Policy Directive 21.
Presidential Policy Directive 21 defines “critical infrastructure” as having the meaning provided in section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), namely systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.
Presidential Policy Directive 21 also defines “critical infrastructure sectors” as including the following economic sectors, with certain further refinements to be added by specified federal agencies:
Chemical; Commercial Facilities; Communications; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare; Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems
The Office of Foreign Assets Control (OFAC) has already stated on its website that significant malicious “cyber-enabled” activities for the purposes of this executive order mean any act that is primarily accomplished through or facilitated by computers or other electronic devices. Therefore, malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by using remote access; circumventing one or more protection measures, such as bypassing a firewall; or compromising the security of hardware or software in the supply chain. These activities are often the means through which the specific harms are achieved, including compromise to critical infrastructure, denial of service attacks, or massive loss of sensitive information, such as trade secrets and personal financial information.
OFAC says that the executive order is tailored to address cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to US national security, foreign policy, or economic health or financial stability. This language is intended to counter the most significant cyber threats, such as those that target critical infrastructure, companies, citizens, or economic health or financial stability.
OFAC will now draft and issue regulations to implement this new executive order. Meanwhile, the order places those who engage in malicious cyber warfare against the United States in the same OFAC league with narco-traffickers and weapons of mass destruction proliferators.