Sanctions: US action on cyber crime

On 1st April, President Obama issued an Executive Order (“EO”) giving the US Government the right to respond to cyber attacks. The US is the first country to take the step of establishing an economic sanctions programme in response to alleged cyber attacks. This was not an “April fool” spoof, but the timing could have made people think twice.

The EO will potentially impact both individuals and other entities (called Specially Designated Nationals (SDNs), or “designees” for short) if they are seen as responsible for attacks that are based on “cyber enabled activities” which threaten the national security, foreign policy goals, economic health, or the financial stability of the US.

The White House blog has explained that the EO will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.

Specifically, the EO authorizes the Treasury Department’s Office of Foreign Assets Control (OFAC) to freeze the designees’ assets.

Although no one has yet been named, we think this EO was issued with specific threat actors in mind and we may expect designations to follow shortly. Given the EO’s broad scope, which covers “entities” (including foreign governments and their affiliates), it may also be used to help deter state-sponsored cybercrime.

Once designees are announced, US persons, companies and financial institutions should then take steps to ensure they do not engage in prohibited dealings with them. Additionally, the EO suspends any entry into the US by any individuals determined by OFAC to meet the criteria for designation.

Designation could have much wider consequences for businesses outside of the US, because an entity in which an SDN has a 50 percent or greater interest is also blocked. This means US persons and businesses may not engage in negotiations, enter into contracts, or process transactions involving a blocked individual when that blocked individual is acting on behalf of the non-blocked entity that he or she controls.

As we have seen in the recent past, financial institutions that do not comply with their sanctions-related obligations can be exposed to significant criminal and civil penalties for violations of the US International Emergency Economic Powers Act (IEEPA) or other US state-based legislation.

Companies doing business in the critical infrastructure sectors listed below should also monitor any future designations of persons or entities as Specially Designated Nationals (SDNs), and consider developing an initial plan for compliance. If you are working in these industries, or contracting with them in the US, then take note.

The US Government defines “critical infrastructure sector” as:

  • Chemical;
  • Commercial Facilities;
  • Communications;
  • Critical Manufacturing;
  • Dams;
  • Defence Industrial Base;
  • Emergency Services;
  • Energy;
  • Financial Services;
  • Food and Agriculture;
  • Government Facilities;
  • Healthcare and Public Health;
  • Information Technology;
  • Nuclear Reactors, Materials, and Waste;
  • Transportation Systems;
  • Water and Wastewater Systems.

In addition, institutions that are targeted by cyber criminals will see an increase in government inquiries to assist them in building cases against potential targets of these new sanctions.

The EO does not define “cyber enabled activities,” but OFAC stated in its FAQs that it will likely define the term to include any act that is primarily accomplished through or facilitated by computers or other electronic devices.

Please contact me if you have any further questions.

Published by

Robert Metcalf
Director Cybersecurity
Birchstrasse 160
8050 Zürich
+41 58 792 9242

Robert is a director working in PwC Switzerland's Digital Services team. He has more than 12 years of information security experience and more than 15 years with PwC. He is an information security management professional, with knowledge of information security frameworks, security governance, the ISO 27000 family of standards and best practice across all industry sectors. His focus is on financial services regulations, together with EU and Swiss federal and cantonal level data protection compliance and privacy requirements. Robert has an ability to translate complex information security, technical and regulatory data protection matters into a business context for senior management. During the past year he has worked across the financial services sector, using his knowledge and real life experience to deliver quality technical and business consulting, highlighting and focusing on the areas of security and technology risk at his clients.