Recently the U.S. government added a tool to the toolset it can use against those who attack US-based systems and data. The executive order signed by President Obama authorizes financial sanctions against individuals and organizations that are responsible for theft of trade secrets or certain types of attacks against U.S. networks.
According to this White House statement, the executive order authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy, economic health, or the financial stability of the United States.
This executive order won’t be used against run-of-the-mill attacks, but against those that have the “purpose or effect” of causing significant harm to, or compromise of, critical infrastructure, or of misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
An interesting aspect of the order that is going largely unnoticed is that it covers “knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain.” This could be an interesting trigger to look forward in the future: how will companies prove, or at least make their case to the U.S. government, that it is their IP in use and that it was stolen?
Another aspect that caught my eye was the call for sanctions for attempting, assisting, or providing material support for any of the above activities. What will qualify for this? While it likely wouldn’t hold up in court, would developing an open source utility that is used in an attack be enough? What about the full disclosure of a software vulnerability and its exploit by the attackers? What about online security tutorials, if it is discovered that the attackers used what was learned in those lessons to launch important parts of their attack? Some of this may be a stretch; still, it will be interesting to see where the line is drawn.
Many question whether the sanctions will be useful, or how the U.S. will manage to impose sanctions that actually reach the bad actors. Michael Daniel, special assistant to the President and cybersecurity coordinator, provided some answers in his Whitehouse.gov blog post, Our Latest Tool to Combat Cyber Attacks: What You Need to Know: “Malicious cyber actors often rely on U.S. infrastructure to commit the acts described in the Order, and they often use our financial institutions or partners to transfer their money. By sanctioning these actors, we can limit their access to the U.S. financial system and U.S. technology supply and infrastructure. Basically, sanctioning them can harm their ability to both commit these malicious acts and to profit from them,” Daniel wrote.
The giant pink elephant in the room on this executive order is the ability to accurately attribute the attacks to the actual attackers. This is an incredibly difficult thing to do with any cyber attack, but especially so for attacks that span international borders. There’s nothing to stop an attacker from compromising servers anywhere, concealing their tracks, and then launching attacks from some fully unaware organization. Without some type of human intelligence, such as a source that reports on the attackers and provides convincing and corroborating evidence, most incidents will be tough to hold sanctions against; it’s very challenging to make a reasonable case with digital forensics alone.
What standard of proof will the U.S. use to impose sanctions? How will nations, corporations, or individuals plead their case should they believe they have been wrongly accused? What if an enterprise tries to claim it was breached in an attempt to get sanctions imposed upon a foreign competitor?
And finally, and this is a biggie: how will other governments respond with their own rules for cyber attack sanctions? What will their due diligence be? What burden of proof will they apply when they accuse U.S. companies or European businesses? This isn’t a one-way street.
It’s important to raise the barriers to cyber attacks as high as we can, and sanctions can be a powerful additional way to do that. But there are many important questions about how and when these sanctions will be imposed, under what conditions, and how much of the proof that factored into their decision-making governments will reveal.