President Obama on Wednesday signed an executive order expanding his administration's ability to respond to malicious cyberattacks by allowing financial penalties to be inflicted on foreign actors who engage in such behavior.
"Cyberthreats pose one of the most serious economic and national security challenges to the United States, and my administration is pursuing a comprehensive strategy to confront them," Obama said in a statement. "As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies, and our citizens. This executive order offers a targeted tool for countering the most significant cyberthreats that we face."
The order allows the secretary of the Treasury, in consultation with the attorney general and secretary of State, to impose financial sanctions—such as freezing of assets or prohibition of commercial trade—on individuals or groups responsible for malicious cyberattacks that "create a significant threat to U.S. national security, foreign policy, or economic health or financial stability of the United States," Obama said.
Administration officials have long indicated a desire to strengthen the government's ability to respond to and penalize those engaging in cyberattacks. The massive hit on Sony Pictures last Thanksgiving—which the White House publicly blamed on North Korea—increased the urgency to bolster the nation's cyberdefenses. In January, Obama signed a separate executive order allowing for further sanctions against North Korean targets, but that action was limited to just that country.
Data breaches in recent years at places like Target, Home Depot, and Anthem Insurance have resulted in the heist of the personal data of millions of consumers, ranging from credit-card information to Social Security numbers and health information. But hundreds if not thousands of cyberattacks are waged daily against the United States, officials have said, and many of them originate overseas. China and Russia have been identified as particularly aggressive and adept at cyberintrusion and cyberespionage.
The order limits the authority of the government to impose sanctions to attacks deemed significant enough to merit such a response. The types of attacks fit for a counterpunch include those that harm or compromise a critical infrastructure sector, disrupt the availability of a computer or network or computers (such as a distributed denial-of-service attack), or cause "significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain," according to a White House fact sheet.
In addition, sanctions can be imposed on those that knowingly receive or use trade secrets acquired via cybertheft, when the theft is "reasonably likely to result" in a threat to the nation's security or economic health.
"I intend to employ the authorities of my office and this administration, including diplomatic engagement, trade policy tools, and law-enforcement mechanisms, to counter the threat posed by malicious cyberactors," Obama said. "This executive order supports the administration's broader strategy by adding a new authority to combat the most serious, malicious cyberthreats that we face."