On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory alert that serves as a warning to entities who have been or will be the victim of a ransomware attack. As such, the crucial decision of whether to pay a ransom now comes with the additional risk of legal scrutiny by a powerful federal agency and the possibility of steep fines.
Cybersecurity Update: U.S. Sanctions on the Horizon for Malicious Cyber-Attackers
Executive Order 13694 is the Obama Administration’s latest tool to combat cybersecurity threats. On April 1, 2015, President Obama declared a national emergency to address the “increasing prevalence and severity of malicious cyber-enabled activities” originating from outside the United States that “constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States.”
The order authorizes the U.S. Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions, including asset freezes and travel bans, on those persons and entities determined to be responsible for, or complicit in, malicious cyber-enabled activities that have the purpose or effect of:
- Harming or significantly compromising the provision of services by entities in a critical infrastructure sector;
- Significantly disrupting the availability of a computer or network or computers; or
- Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.
Although the order does not define “malicious cyber-enabled activities,” the Department of Treasury, in its online FAQs, anticipates that the order will cover “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”
This strategic move by the administration is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. This sanction program does not target nation states, individuals acting on behalf of those nation states, or victims of malicious cyber activities.
Executive Order 13694 in Practice
The Department of Treasury FAQs and the White House Office of the Press Secretary’s Fact Sheet explain how the program will work. According to the literature, the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with other U.S. government agencies, will identify individuals and entities whose conduct meets the criteria set forth in the order. These individuals and entities will then be designated for sanctions and added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).
Once OFAC determines the specific entities and individuals that are subject to sanctions under the order, all U.S. citizens and permanent resident aliens, all persons and entities within the United States, and all U.S.-incorporated entities and their non-U.S. subsidiaries or branches will be prohibited from engaging in trade or any other transactions with these individuals or entities owned by these individuals.
OFAC cautions that individuals or firms that “facilitate or engage in online commerce are responsible for ensuring that they do not engage in unauthorized transactions of dealings with persons named on the sanctions list or operate in jurisdictions targeted by comprehensive sanctions programs.” At this point, it is unclear how the Treasury will enforce the order and what, if any, penalties will be levied against those not in compliance.[...]