Executive Order 13694 is the Obama Administration’s latest tool to combat cybersecurity threats. On April 1, 2015, President Obama declared a national emergency to address the “increasing prevalence and severity of malicious cyber-enabled activities” originating from outside the United States that “constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States.”
The order authorizes the U.S. Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions, including asset freezes and travel bans, on those persons and entities determined to be responsible for, or complicit in, malicious cyber-enabled activities that have the purpose or effect of:
- Harming or significantly compromising the provision of services by entities in a critical infrastructure sector;
- Significantly disrupting the availability of a computer or network or computers; or
- Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.
Although the order does not define “malicious cyber-enabled activities,” the Department of Treasury, in its online FAQs, anticipates that the order will cover “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”
This strategic move by the administration is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. This sanction program does not target nation states, individuals acting on behalf of those nation states, or victims of malicious cyber activities.
Executive Order 13694 in Practice
The Department of Treasury FAQs and the White House Office of the Press Secretary’s Fact Sheet explain how the program will work. According to the literature, the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with other U.S. government agencies, will identify individuals and entities whose conduct meets the criteria set forth in the order. These individuals and entities will then be designated for sanctions and added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).
Once OFAC determines the specific entities and individuals that are subject to sanctions under the order, all U.S. citizens and permanent resident aliens, all persons and entities within the United States, and all U.S.-incorporated entities and their non-U.S. subsidiaries or branches will be prohibited from engaging in trade or any other transactions with these individuals or entities owned by these individuals.
OFAC cautions that individuals or firms that “facilitate or engage in online commerce are responsible for ensuring that they do not engage in unauthorized transactions of dealings with persons named on the sanctions list or operate in jurisdictions targeted by comprehensive sanctions programs.” At this point, it is unclear how the Treasury will enforce the order and what, if any, penalties will be levied against those not in compliance.
Complying with the Order
Because the order was issued without any persons yet in line to be instantly placed on the OFAC list, there are no immediate obligations for U.S. corporations. However, once the Secretary of the Treasury begins to populate the list, organizations and individuals must ensure that they do not engage in unauthorized transactions or dealings with those identified persons. FAQ 446 reminds us that the names and identifying information of all individuals and entities included on OFAC’s sanctions lists may be located at: https://sdnsearch.ofac.treas.gov.
While we wait for more instructions via the forthcoming regulations, organizations that already have a compliance program should confirm that it regularly checks the SDN list before doing business with foreign entities or individuals. For organizations that do not yet have a compliance program, the Department of Treasury suggests a tailored, risk-based compliance program that may include sanctions list screening or other appropriate measures.
We will be watching for the release of the regulations and for names to be added to the SDN list. We will report back on the blog with these developments.