President Obama has signed an executive order paving the way for sanctions against groups that carry out digital attacks on the US. The news was reported by The Washington Post last night and officially announced this morning in a press release. "I'm, for the first time, authorizing targeted sanctions against individuals or entities whose actions in cyberspace result in significant threats to the national security, foreign policy, or economic health or financial stability of the United States," Obama said. "From now on, we have the power to freeze their assets, make it harder for them to do business with US companies, and limit their ability to profit from their misdeeds."
Order will avoid sanctioning "legitimate" cybersecurity research
The new authority will focus on overseas threats, the statement says, and it will primarily affect participants in attacks. It will also, however, allow sanctions against companies that "knowingly use stolen trade secrets to undermine our nation's economic health." And it will avoid taking action against people whose machines are hijacked for botnets or against the "legitimate cybersecurity research community," including people helping companies test and improve cybersecurity. According to the Post, attacks will have to meet one of four criteria: "attacking critical infrastructure such as a power grid; disrupting major computer networks; stealing intellectual property or trade secrets; or benefiting from the stolen secrets and property."
Obama cited several incidents that have affected American companies. The US has blamed Iran for a series of denial-of-service attacks on banks in 2012, potentially as retaliation for the Stuxnet virus that targeted Iran's nuclear program. Attacks on companies like Target and Home Depot have led to significant leaks of customer payment information. Most notably, North Korea is believed to have orchestrated a crippling attack against Sony in 2014, releasing troves of company data, correspondence, and personal information about employees. The United States already issued sanctions against North Korea in January, targeting the country's intelligence agency, local defense corporations, and a number of individuals. But officials told the Post that the authority for these sanctions wasn't specifically related to cybersecurity. In the future, they said, the new order could allow them to file sanctions against Chinese hackers and state-owned companies that allegedly benefit from stolen trade secrets.
Obama promised to focus on cybersecurity in his State of the Union address earlier this year. Among other things, he has outlined an executive order urging companies to share digital threat data and created a centralized cybersecurity agency. Congress is also considering its own legislation for encouraging companies and security agencies to work together against digital threats, resurrecting a bill that has long raised the hackles of privacy advocates. While all of these are attempts to help prevent or mitigate the harm of hacks, these sanctions create a framework for punishing the countries and people behind successful attacks.