WASHINGTON -- President Barack Obama signed an executive order Wednesday allowing the use of economic sanctions for the first time against perpetrators of destructive cyberattacks and online corporate espionage.
That will let the Treasury Department freeze the assets of people, companies or other entities overseas identified as the source of cybercrimes. The federal government also will be able to bar U.S. citizens and companies from doing business with those targeted for sanctions.
"Cyberthreats pose one of the most serious economic and national security challenges to the United States," Obama said in a statement. "As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies and our citizens."
Under the order, sanctions will be used only if a cyberattack threatens to harm U.S. national security, foreign policy or the broader economy. It's aimed at cybercriminals who target critical infrastructure, disrupt major computer networks or are involved in the "significant" theft of trade secrets or intellectual property for competitive advantage or private financial gain.
The administration is using the threat of sanctions to help prevent large-scale data theft after breaches at major U.S. corporations, including retailer Target Corp., health-insurer Anthem Inc. and home-improvement chain Home Depot Inc. It's also a recognition that companies are facing increasingly destructive attacks, such as the hack against Sony Pictures Entertainment that crippled thousands of computers and delayed release of a comedy movie.
Sanctions imposed under the executive order will disrupt the operations of hackers who may be in countries outside the reach of U.S. law enforcement, said John Carlin, U.S. assistant attorney general for national security.
Banks and other companies connected to the U.S. financial system will be required to prohibit sanctioned hackers and entities from using their services, cutting them off from valuable resources, Carlin said.
"It's a new, powerful tool, and we intend to use it," Carlin said. "It has the capability to significantly raise the cost for those who steal or benefit through cybercrime."
The executive order allows the U.S. to impose sanctions on individuals or entities over hacking attacks regardless of where they are located, White House Cybersecurity Coordinator Michael Daniel said. While other sanctions are tied to a particular country or group of persons, hacking attacks transcend borders.
"What sets this executive order apart is that it is focused on malicious cyberactivity," Daniel said. "What we're trying to do is enable us to have a new way of both deterring and imposing costs on malicious cyberactors wherever they may be."
The order is a signal of the administration's "clear intent to go on offense against the full range of very serious cyberthreats that are out there," said Peter Harrell, the former principal deputy assistant secretary for sanctions at the State Department.
"This is a message that if folks around the world don't cut out these activities, they're going to find themselves cut off from the American banking system," Harrell said.
Harrell said there are potential stumbling blocks to effective implementation. For one, hackers work hard to conceal their identities. Even though the U.S. and private companies have improved their ability to trace attacks, attribution can sometimes be difficult.
Daniel acknowledged that determining who is actually behind hacking attacks is still a challenge but said the U.S. is getting better at it.
In other cases, diplomatic considerations may be at play. The administration's decision in 2014 to file criminal charges against five members of the Chinese military over their role in cyberespionage strained relations with Beijing.
In January, Obama authorized economic sanctions against 10 North Korean officials and government entities in connection with the Sony attack. The North Korean government has denied any involvement in the Sony case.
Harrell said the use of sanctions can provide leverage as the U.S. registers complaints with governments overseas about cyberattacks. Targeted use of the new sanctions power also may deter criminals.
"A number of these cyberattacks are organized by fairly significant actors out there -- large hacking collectives, or organized by foreign intelligence agencies," Harrell said. "They all have real potential costs if they were put on sanctions lists."
A Section on 04/02/2015
Print Headline: Obama signs order to slap sanctions on hackers