President Barack Obama on Wednesday ordered a new sanctions program that could block assets of US and foreign hackers and of companies that seek to profit from cyberattacks.
Obama said the threat from cyberattacks was a “national emergency” and that the sanctions could help strike back against those involved in attacks on US targets.
“Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit,” Obama said in a blog post on the Medium website.
He added that cyber threats “pose one of the most serious economic and national security challenges to the United States,” and that the sanctions will take aim both at hackers and “against companies that knowingly use stolen trade secrets to undermine our nation’s economic health.”
Obama said in his statement that hackers in China, Russia and Iran were among those attacking US targets and added that “it’s often hard to go after bad actors, in part because of weak or poorly enforced foreign laws, or because some governments are either unwilling or unable to crack down on those responsible.”
The announcement comes after an epidemic of incidents reported in recent months, including a devastating attack against Sony Pictures, and data breaches that stole credit card or health data on tens of millions of Americans.
– Costing US jobs –
Under the order, the US Treasury would be able to freeze or block assets of those involved in attacks on “critical” US computer networks, such as banking systems or electric power, or the theft of data such as credit card information, and of companies that profit from such attacks.
“Cyber intrusions and attacks — many of them originating overseas — are targeting our businesses, stealing trade secrets, and costing American jobs. Iranian hackers have targeted American banks,” Obama said.
“The North Korean cyberattack on Sony Pictures destroyed data and disabled thousands of computers. In other recent breaches that have made headlines, more than 100 million Americans had their personal data compromised, including credit card and medical information.”
The executive order allows the Treasury and Attorney General’s office to impose sanctions on hackers posing “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”
This could respond to so-called distributed denial-of-service attacks, theft of trade secrets or credit card numbers or other “sensitive information,” according to a White House statement.
Sanctions could also be imposed on companies that use trade secrets or other stolen data or assist hackers in their efforts.
Officials said there were no immediate plans to use these sanctions but that the additional tool would bolster US efforts using law enforcement, diplomacy or military actions.
“We intend to use this tool judiciously and in extraordinary circumstances,” said John Smith of the Treasury’s Office of Foreign Assets Control, which administers sanctions.
Obama said the new sanctions would “in no way target the unwitting victims of cyberattacks,” such as people whose computers are hijacked, and that the program would not be used against cybersecurity researchers or to curb freedom of online expression.
The sanctions are “not a tool that we will use every day,” US homeland security adviser Lisa Monaco said, adding that “law-abiding companies have absolutely nothing to worry about.”
– Unintended consequences? –
Some privacy activists questioned the broad language in the order, saying it could have unforeseen impacts.
The order could be interpreted to target investigative reporters, said Marcy Wheeler on the privacy blog Empty Wheel.
“Does WikiLeaks’ publication of secret Trans-Pacific Partnership negotiations qualify? Does Guardian’s publication of contractors’ involvement in NSA hacking?” she wrote.
“I’m generally concerned about this (order) because of the way national emergencies have served as the justification for a lot of secret spying decisions,” Wheeler added.
But Paul Rosenzweig of the Chertoff Group, a security consulting firm, said the national emergency language is appropriate.
“The use of ‘national emergency’ is reflective, I think, of the seriousness with which the administration views the problem — and that’s a good thing,” Rosenzweig said on the Lawfare blog.
“What is most notable about the order is how strongly the US is flexing its economic muscle. If access to US markets is of value, the administration is signalling, strongly, that continued access may be conditioned on good cyber behavior.”