President Obama just used perhaps the most effective tool in his arsenal to strike against the threat of foreign cyberattacks – that’s right, his pen.
Obama signed a new executive order on Wednesday (1 April 2015) authorizing financial sanctions against foreign hackers, and companies that knowingly benefit from cyberattacks against US interests.
In a statement published on Medium, the US president pointed a finger directly at China, Russia, North Korea and Iran as examples of the threat.
Law enforcement, international cooperation and diplomacy aren’t enough to counter foreign nation states and individuals that have targeted the US military, infrastructure, and private companies, Obama said.
An executive order relies on the president’s authority under existing laws to direct the activities of government agencies – in this case, the US Department of the Treasury.
Reflecting just how frequent and severe cyberattacks have become from state-sponsored actors and cybercriminal organizations, the US has grown increasingly bold in calling out other nations for conducting espionage against US companies and government institutions.
Obama mentioned the breach of Sony Pictures in 2014 that the US claims was directed by North Korea in retaliation for the release of The Interview, a satirical movie mocking the country’s leader, Kim Jong Un.
Although the Obama Administration levied sanctions against North Korean individuals in retaliation for the attack on Sony, the White House said those sanctions were authorized specifically to target the North Korean regime.
The new executive order is much more far-reaching, allowing the US to freeze the financial assets of any individual responsible for or complicit in cyberattacks that pose a significant threat to US national security, foreign policy and economic stability.
According to a White House statement:
This Executive Order authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those individuals and entities that he determines to be responsible for or complicit in malicious cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, economic health, or financial stability of the United States.
The order also authorizes sanctions against “a corporation that knowingly profits from stolen trade secrets.”
The US Department of Justice last year took the unprecedented step of indicting five Chinese military officers on charges alleging they were responsible for espionage attacks against US steel and energy companies.
But those indictments will likely never result in the Chinese officers being extradited to the US to face prosecution.
In recent weeks, China has been accused of sponsoring a wave of denial-of-service attacks on GitHub, in an apparent effort to shut down portions of the site that host tools for getting around Chinese internet censorship.
In response to Obama’s new executive order, a spokesperson for the Chinese government indicated that China is opposed – saying international cooperation “based on mutual respect and trust” is necessary to combat cyber threats.
When it comes to prosecuting attackers from nations like China and Russia, US law enforcement is severely limited.
The US hopes the new sanctions regime will be a deterrent against future attacks.
Lisa Monaco, a prosecutor in the US Department of Homeland Security, said the sanctions “increase the costs and reduce the economic benefit from malicious cyber activity.”
The White House assured that the executive order “in no way” targets victims of cyberattacks – such as those whose computers have been exploited to launch attacks on others.
Some critics in the security community have argued that US computer security laws have a chilling effect on security research and could lead to prosecution of researchers.
The White House said the sanctions are not designed to “prevent or interfere with the cybersecurity research community” that identifies vulnerabilities in order to improve security of software and devices.