Last week, the Obama administration rolled out an executive order on cyber sanctions (Adam Segal’s excellent first take is here). During the various press briefings explaining the order, administration officials responsibly chose not to speculate on the circumstances under which they might use this authority. No longer having the burden of being responsible, let me do what people in think tanks are supposed to do and offer some wild conjecture. Below are three potential targets for sanctions under this executive order.
Bulletproof Hosting Providers
Bulletproof Hosting Providers get their name because they ignore requests from victims of cyber crime and slow-roll law enforcement. They would be a perfect target for the new sanctions. Cyber criminals use these companies to host the command and control infrastructure for their malicious activity. For example, bulletproof providers played a significant role in the 2012-13 denial of service attacks against the financial sector by hosting the infrastructure used to flood the banks with junk traffic. Under the new sanctions regime, these hosting providers could be sanctioned for aiding the crime that they make possible.
An interesting question is whether legitimate hosting companies that often have servers taken over for malicious purposes could be the target of sanctions if they are unresponsive to takedown requests. While Michael Daniel’s blog post says point blank that the order won’t be used to target "people whose computers are unwittingly hijacked by botnets or hackers," nothing in the actual order would seem to prevent that.
Vulnerability and Attack Tool Resellers
Let’s imagine a hypothetical event in which a malicious cyber actor purchases a vulnerability on the grey market from a company like Vupen. The malicious cyber actor uses the vulnerability to carry out an attack like the one against Sony. In this scenario, the reseller will likely argue that they only sell to legitimate users of their products—law enforcement, military, and government intelligence agencies. The U.S. government is unlikely to be swayed by that argument if the company’s products are used to carry out cyber espionage or a destructive attack against a U.S. target, and could sanction the company accordingly.
Where this could get tricky is with dual-use tools, the kind that are used both by malicious cyber actors and by legitimate network security penetration testing companies. The most obvious example here is the Metasploit Framework, maintained by a very well respected and completely legitimate Boston-based company, Rapid7. Could a company like Rapid7 be sanctioned if the tool it hosts is found to have been used by a malicious cyber actor? Again, Daniel expressly says the order won’t be used to target "the cybersecurity research community," but that is a promise made in a blog post, not a restraint written into policy or law. This administration is likely to honor it. Future administrations, who knows?
Bitcoin Exchanges
Because most financial transactions run through the United States and its allies, targeting the transactions of adversaries is always put on the table as an option to deal with problematic companies. Bitcoin has made that much harder. This executive order could help address the problem of bitcoin’s use by cyber criminals.
If, for instance, a bulletproof hosting provider or a vulnerability reseller chooses to get paid in bitcoin, any bitcoin exchange that participates in the transaction could be subject to sanctions. That might make bitcoin exchanges take a closer look at who they are doing business with.
Will the U.S. government try to use sanctions against targets like these? I don’t know. The specific facts around each of these scenarios and the overall geopolitical environment at the time will determine whether the lawyers say "yes" and the policymakers say "go." But even if the sanctions are never used, we can expect that their use will be threatened to get legitimate companies to be more responsive and to get marginally bad actors to clean up their acts.