On April 1, 2015, President Obama issued an Executive Order (the “Cyber EO”) authorizing the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) to designate as Specially Designated Nationals (“SDNs”) certain persons that have engaged in “significant malicious cyber-enabled activities.” No party has yet been designated under the Cyber EO. OFAC has stated in its Frequently Asked Questions (FAQs) that the Cyber EO is “intended to address situations where, for jurisdictional or other issues,” significant actors “may be beyond the reach of other authorities available to the U.S. government,” which is similar to the intent behind certain other OFAC programs, such as the Foreign Sanctions Evaders program.
US Persons and persons otherwise subject to OFAC jurisdiction (e.g., non-US persons that cause prohibited acts to occur in the United States or by US Persons) are prohibited from dealing with SDNs, as well as their 50%-or-more owned entities (collectively, “Blocked Persons”). In addition, the property and interests in property of such Blocked Persons must be frozen if they come within the United States or the possession/control of a US Person.
The Cyber EO targets a broad range of “cyber-enabled activities” that are “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” In particular, the Cyber EO authorizes designation of (i) parties “responsible for or complicit in or [who] have engaged in, directly or indirectly, cyber-enabled activities” that originate or are directed from outside the United States and that have the purpose or effect of:
(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
(C) causing a significant disruption to the availability of a computer or network of computers; or
(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
In addition, the Cyber EO authorizes designation of (ii) parties “responsible for or complicit in or [who] have engaged in . . . the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated,” as well as (iii) parties who have “materially” supported parties blocked pursuant to the Cyber EO, (iv) parties who are owned or controlled by, or acting or purporting to act on behalf of those blocked parties, and (v) parties that have attempted to engage in the targeted activities.
According to OFAC’s accompanying FAQs, the term “cyber-related activities” will be further defined in forthcoming OFAC regulations. For current purposes, these activities include “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.” OFAC’s FAQs clarify that the Cyber EO is not meant to target:
legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage;
legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies;
activities to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events; or
unwitting owners of compromised computers.