The president’s executive order authorizes sanctions on those deemed a threat to U.S. economic or national security.
President Barack Obama issued an executive order April 1 declaring foreign cyber threats to U.S. economic and national security a "national emergency." The order authorizes the Treasury secretary to levy sanctions on individuals or groups whose "significant, malicious cyber-enabled activities" threaten American national security, foreign policy, economic prosperity or financial stability.
Four categories of cyber behavior could trigger sanctions under the executive order, according to a White House summary:
- "Harming or significantly compromising" critical infrastructure services.
- "Significantly disrupting" a computer network via, for example, a distributed denial-of-service attack.
- "Causing a significant misappropriation of funds or economic resources" by, for example, stealing credit card information or trade secrets.
- Receiving or using such trade secrets for commercial gain.
The executive order is "both targeted in a sense [that] it has to be very significant and meet those four harms, but it's also very broad in that those harms cut across a wide swath of activity," top White House cybersecurity adviser Michael Daniel told reporters.
The broad directive expands the administration's toolset to punish those it deems bad actors in cyberspace. The order is a more flexible tool than indicting alleged cyber criminals, as the Justice Department has done twice to Chinese nationals, in that the president can adjust sanctions already in place.
"This authority will be used in a targeted manner against the most significant cyber threats that we face, whether they are directed against our critical infrastructure, our companies, or our citizens," a White House statement said.
The executive order "is significant because you need to get penalties in here to make this work," said James Lewis, a senior fellow at the Center for Strategic and International Studies. "You need to have it not be cost-free, which has been the case now since the dawn of the Internet."
But while Lewis praised the executive order as "an essential tool for better cybersecurity," he said he worried the administration might have set too high a threshold for malicious cyber behavior to trigger sanctions.
The high threshold was the result of considerable deliberation on the part of the White House. As the order was being prepared last week, advisers debated how high that threshold should be, dwelling on what a "significant" compromise of computer security would entail, according to an administration official. They ended up opting for a high bar. "The idea is to not use this tool willy-nilly," the official said.
Though Daniel declined to speculate on when the new sanctions tool might have been used in past cyberattacks on U.S. assets, he said his search for the "proportional response" that Obama called for after the November hack of Sony Pictures Entertainment "highlighted the need for us to have" the new sanctioning authority.
"We would also hope that some of our allies … would consider joining us in creating these kind of regimes," Daniel added. But it could be how non-U.S.-allies react to the new sanctions tool that determines its broader impact.
Assistant Attorney General for National Security John Carlin has argued that, though their extradition is unlikely, indicting Chinese hackers still serves some value in deterring future hacking. The Obama administration is banking on the new sanctions tool having greater deterrent value than the indictments, and Adam Segal, a senior fellow at the Council on Foreign Relations, said it very well could.
Were the administration to use the new authority to sanction the state-owned enterprises that China draws on for economic growth, "that, in China's view, [would] be a significant escalation," Segal said.