President Obama on Wednesday signed a new executive order which authorizes the U.S. government to block the financial assets of malicious actors involved in cyber attacks against US targets.
According to the White House, the new program authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to “sanction malicious cyber actors whose actions threaten the national security, foreign policy, or economic health or financial stability of the United States.”
“Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit,” President Obama wrote in a blog post.
“From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds.”
According to the White House, the new executive order is specifically designed to be used against the “most significant malicious cyber actors” and is not something that would be used every day.
“Law-abiding companies have absolutely nothing to worry about; for them, it’s business as usual. We will never use it to try to silence free expression online or curb Internet freedom,” Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, wrote in a blog post on the White House web site. “Nor will this authority be used to go after legitimate cybersecurity researchers or innocent victims whose computers are compromised. It is designed to be used in conjunction with our other authorities — including law enforcement and diplomatic efforts — to help deter and disrupt the worst of the cyber threats that we face.”
The Executive Order will help address and respond to significant cyber attacks, which could include:
• Harming or significantly compromising the provision of services by entities in a critical infrastructure sector
• Significantly disrupting the availability of a computer or network of computers, including through a distributed denial-of-service attack
• Misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain
• Knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain
• Attempting, assisting, or providing material support for any of the harms listed above
“The President’s Executive Order is intended to provide a means for the US Government to penalize and deter criminal acts that can’t easily be meaningfully addressed otherwise. Only time will tell whether it’s able to do this successfully, but at first blush the framework looks pretty reasonable,” Corey Thomas, CEO of Rapid7, told SecurityWeek. “It includes thresholds for the harm that must be caused in order to pursue this kind of penalty, as well as details on the process for vetting perpetrators.”
Thomas also highlighted the importance of the Department of the Treasury’s statement that it does not intend to pursue security researchers under this order.
“Security research is essential for understanding how cyber attackers operate, and identifying issues that provide them with opportunities for exploitation,” Thomas said. “The findings help businesses and consumers protect themselves, yet in order to do this, researchers have to behave like attackers, and this can lead to legal complications and uncertainty.
“It’s challenging to create policy that protects researchers without providing a ‘backdoor’ for criminals, so it’s a positive step to see the Government clearly distinguishing between types of actors and committing upfront to not pursue researchers,” Thomas said.
While the executive order gives the government a new tool to deter malicious attacks, the challenge lies in knowing who to punish, security experts warned.