Cyber threats are one of the U.S.’s top security threats.  In just the past year, there has been a significant increase in the frequency, scale and sophistication of cyber intrusions and attacks – many of them originating overseas – which have targeted U.S. businesses.  On April 1, 2015, the President announced a new tool to combat the most significant cyber threats to the national security, foreign policy and economy of the United States.  

To deter those responsible for significant harmful cyber activity, the President signed Executive Order 13694 (the “EO”) which authorizes the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to impose sanctions on those individuals and entities located overseas that he determines to be responsible for or complicit in malicious cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, economic health, or financial stability of the United States.

The Executive Order is tailored to address and respond to the harms caused by significant malicious cyber-enabled activities which include:

  • Harming or significantly compromising the provision of services by entities in a critical infrastructure sector;
  • Significantly disrupting the availability of a computer or network of computers, including through a distributed denial-of-service attack;
  • Misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
  • Knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain; and,
  • Attempting, assisting, or providing material support for any of the harms listed above.

By sanctioning malicious cyber actors, the EO aims: (i)  to disrupt the supply side of the problem by limiting malicious cyber actors’ access to U.S. technology supply and infrastructure which they often rely to commit the above listed acts, and (ii) to target the demand side by limiting their access to the U.S. financial system which they often use to transfer their money.

The Administration has stated that this new authority will be used in a targeted and coordinated manner in response to significant cyber threats, and is not a tool that will be used every day.  In particular, it will not be used to go after legitimate cybersecurity researchers or innocent victims whose computers are compromised.  The President remarked:

We’re giving notice to those who pose significant  threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks or stealing the trade secrets of American companies or the personal information of American citizens for profit.  From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds.