President Obama signed an executive order today that allows the U.S. Department of the Treasury to sanction individuals or entities involved in "significant malicious cyber-enabled activities" (you can read the order here). The sanctions, which could involve travel bans to the United States or the seizure of funds, would be levied against those who engage in attacks that disrupt or destroy critical infrastructure networks, or who steal intellectual property or trade secrets. State-owned enterprises or entities that benefit from cyber espionage could also be the target of sanctions.
This is, as others have noted, a big deal. For years, pundits, including myself, have been saying that the costs of hacking had to be raised, and the next steps would be sanctions targeting individuals. In a June 2014 Asia Unbound podcast, Special Advisor to the President and Senior Director for Asian Affairs at the National Security Council Evan Medeiros hinted that after indicting the five PLA hackers, the Obama administration was thinking about how to penalize the state-owned enterprises that were the recipients of the stolen intellectual property.
Three quick questions:
How and how often the order will be implemented? It is unlikely to have much effect on North Korean and Iranian hackers, since both of those countries are already under substantial sanction regimes. The same might be said of Russia, since the United States and its European allies have levied sanctions in the wake of the crisis in Crimea. Does that mean China is the main target? Even if it is China, the idea might be to deter the next generation of hackers rather than prevent the current wave of attacks. That is, a PLA attacker may not think much about travel to the United States now, but a college student who has not yet traveled down that road might think twice. They may still have dreams of visiting Los Angeles.
If China is the main target, what does Washington think Beijing’s response will be? Right now, the two sides are involved in a complicated dance, where each step seems to be matched by the other. The United States claims China is behind attacks on U.S. networks, China claims the United States is the real evil empire in cyberspace, hacking the entire world. Beijing uses Washington’s demands for backdoors in encryption as justification for similar demands in the revised anti-terror law. Chinese and U.S. tech companies are blocked from each other’s market because of security concerns. If the United States places a travel ban on a Chinese hacker, should NSA employees think twice before they book a tour to see the Forbidden City? Where does the tit-for-tat end?
Finally, the executive order says any case must be supported with evidence that can withstand a court challenge. Does that mean we should expect to see the government roll out even more technical details to be used for the attribution of attacks? In the past, the intelligence agencies have hesitated because they wanted to protect their sources and methods. Will the order result in the NSA and others burning more intelligence to levy sanctions?
We will have to wait and see how these three questions play out, but there is no doubt that this is a major policy development.