On Wednesday, President Obama signed an executive order establishing the first sanctions program to allow the administration to impose penalties on individuals overseas who engage in destructive attacks or commercial espionage in cyberspace.The order is aimed primarily at state-sponsored actors and other hackers who are beyond the reach of law enforcement or diplomatic efforts. It gives the government the power to go beyond nation-level actions to target individuals who may be sponsored or supported in some way by a nation.
The sanctions are intended for significant attacks that meet a certain threshold of harm. They must directly hurt the “national security, foreign policy, economic health or financial stability of the United States,” according to the president’s announcement.
This would include attacks that damage critical infrastructure, disrupt computer networks through widespread DDoS efforts, or the stealing of financial data, trade secrets or intellectual property in a way that harms the nation’s economic stability.
The effort to toughen the response to hacking follows indictments of five Chinese military officers and the decision to “name and shame” North Korea for a high-profile attack on Sony. Officials said they hoped U.S. allies would follow suit.
U.S. lawmakers and security and legal experts welcomed the move as an encouraging step after a steady stream of cyber attacks aimed at Target, Home Depot and other retailers, as well as military networks.
Obama said in a statement that harming critical infrastructure, misappropriating funds, using trade secrets for competitive advantage and disrupting computer networks would trigger the penalties.
John Reed Stark, a former head of Internet enforcement for the Securities and Exchange Commission, expressed skepticism, citing the high number of state-sponsored cyber attacks and the difficulty of identifying hackers.
Mark Rasch, a former Justice Department trial attorney and former executive with defense contractor SAIC, said the breadth of the order gave the executive branch vast new powers to respond to even routine criminal hacking.
Dmitri Alperovitch, chief technology officer of Crowdstrike, a cyber security firm, said the order could have a "momentous" effect by preventing cyber criminals from spending the proceeds of their attacks, and closing off companies based in China and elsewhere from the U.S. financial market.
"If ABC Corp has had intellectual property stolen and then it's showing up in products of So and So Co of Shenzhen, you can tell them that it's been misappropriated and that their property in the U.S. is now subject to seizure," Brenner said.
The program could prompt a strong reaction from China, which routinely denies accusations by U.S. investigators that hackers backed by the Chinese government have been behind attacks on U.S. companies.
Senior administration officials said the new program was focused on activities rather than countries or regions.
Obama has moved cyber security toward the top of his 2015 agenda after recent breaches. Last month, the Central Intelligence Agency announced a major overhaul aimed in part at sharpening its focus on cyber operations.
