United States Goes on the Offensive Against International Cybercrime

2015 Cybersecurity Executive Order
April.13.2015

On April 1, President Obama signed an Executive Order to combat the "national emergency" sparked by a rapidly evolving global cybercrime environment. The Executive Order directs the U.S. Treasury Department to impose sanctions on persons who are identified as being connected to certain "cyber-enabled activities" that threaten or could threaten U.S. national security, foreign policy or economic interests. United States government guidance indicates that such persons are likely to include, for example, participants in cyberattacks relating to U.S. "critical infrastructure," as listed in a 2013 Presidential Policy Directive, including the chemical, defense industrial, food and agriculture, information technology, and transportation systems sectors (to name only a few).

As Orrick, Herrington & Sutcliffe partner Harry Clark recently noted in an interview with Law360, the Administration's grant of sanctions authority places cybercrime on par with terrorism and related activities that have traditionally attracted the U.S. Government's most exacting scrutiny and stiffest sanctions penalties. Although the Executive Order itself does not designate persons to be sanctioned for cybercrime purposes, companies should expect that the Treasury Department will make such designations. Companies that do not regularly consult the Treasury Department's Specially Designated Nationals (SDN) list should stand up and take note.

Background: 2013 Cybersecurity Executive Order and Other Recent Developments

In the absence of a comprehensive legal regime to fight cyberterrorism, ^[1] the U.S. Government has taken several recent steps to combat the rise of international cybercrime. Specifically:

In 2013, President Obama issued a Cybersecurity Executive Order that focused on the identification and protection of critical infrastructure (such as utilities, financial services companies, and health care providers) against cyberattacks. The 2013 Executive Order directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity "framework" of best practices that focused sharply on the protection of private critical infrastructure and cyber threat and intelligence information-sharing.
In May 2014, the U.S. Department of Justice indicted five Chinese military officers for cyberespionage – the first time the United States had charged nationals of a foreign power for spying on American firms. Though largely symbolic, the indictment marked an aggressive enforcement move in the U.S. campaign against international cybercrime.
Just last month, the National Security Agency and U.S. Cyber Command leader Admiral Michael S. Rogers testified to the Senate Armed Services Committee that the U.S. must go on the offensive, suggesting that it should utilize cyberattacks to protect national interests and that current deterrence measures are simply insufficient. While the U.S. Government's apparent role in targeted cyberattacks like Stuxnet and its mass surveillance programs has been well-publicized, Admiral Rogers' remarks make clear that some among the U.S. intelligence leadership are intent on using cyberespionage and disruption techniques as affirmative weapons.

U.S. Treasury's Powers Under the 2015 Cybersecurity Executive Order

Against this background, the 2015 Executive Order gives the Treasury Department specific authority to target malicious actors who, for example, profit from or bankroll international cybercrime, including the theft of trade secrets from U.S. critical infrastructure and major computer networks. Specifically, the Treasury Department can sanction such actors by blocking assets within the United States or held by U.S. persons outside the United States in which the designated person has an interest.

As a result, the EO will generally forbid U.S. persons from engaging, directly or indirectly, in transactions that involve property interests of persons designated as being sanctioned under the EO. These prohibitions extend to legal entities that are 50%-or-more owned by sanctioned persons. More specifically:

Section 1 blocks transfer and exportation of any property in the U.S. (or in the possession or control of a U.S. person) if the U.S. Government determines that the property owner (or an interest holder in the property) engaged in certain cyber-enabled activities originating from outside the U.S., if
Similarly, Section 2 blocks transfer and exportation of property in the U.S. (or in the possession or control of a U.S. person) if the U.S. Government determines that the property owner (or an interest holder in the property) engaged in the following cyber-enabled activities, including:
Section 7 finds that because funds can be transferred instantaneously, no notice to the property owner is required before blocking, regardless of the owner's nationality.

Conclusion

Companies that already comply with the existing U.S. sanctions regime are unlikely to require wholesale procedural changes as a result of the 2015 Executive Order. The sanctions program against cybercriminals will align with current requirements that companies refrain from participating in transactions that involve SDNs or entities that are directly or indirectly owned (50% or more) by one or more sanctioned persons or entities.

However, companies that touch digital currency should pay particular attention, as the game is about to change. Digital currency continues to be linked to cybercrime. And as massive online criminal enterprises such as Silk Road continue to use digital currency as the monetary instrument of choice, companies that facilitate storage of, or accept transactions in, digital currency will now be expected to have policies and procedures to potentially freeze accounts. Indeed, as Clark noted last week in an article focusing on recent settlements by PayPal and Schlumberger following sanctions violations, companies should increase vigilance and place significant emphasis on strong internal controls to ensure compliance with U.S. economic sanctions requirements.
___________________________________________________________________

^[1] According to the Congressional Research Service, as of 2013, more than 50 statutes addressed various aspects of cybersecurity in the absence of a unified framework. Some experts believe that this patchwork of statutes may be insufficient to protect United States critical infrastructure. Congressional Research Service, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress at 1 (December 15, 2014). ___________________________________________________________________

Orrick's Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.