Overview

On April 1, 2015, the Obama Administration issued an Executive Order that will sanction individuals and entities that attempt, carry out or support malicious cyber-enabled activities that pose a significant threat to U.S. national security, foreign policy, as well as the country's economic health and financial stability. Often, these activities are carried out by non-U.S. persons working, in whole or in part, outside of the United States; as such, they may be beyond the reach of traditional U.S. law enforcement authorities. Therefore, the Administration is imposing financial sanctions against these parties in the same way that foreign terrorists, narcotics traffickers and criminal organizations are targeted. The Executive Order directs the State Department to impose travel bans on designated parties, prohibiting their entry into the United States, and orders the Treasury Department's Office of Foreign Assets Control ("OFAC") to freeze their assets. Of greatest significance is the fact that U.S. persons¹ will be prohibited from engaging in virtually all dealings with designated parties, including transfers or receipts of funds, goods, services or donations that involve the newly sanctioned targets. The State and Treasury Departments will soon begin identifying and formally designating parties that will be sanctioned under the Executive Order. Therefore, U.S. companies are urged to take steps now to ensure that their OFAC compliance programs will effectively address this new set of sanctions.

At a granular level, the Executive Order focuses on certain cyber-enabled activities that compromise computers or networks that support a critical infrastructure sector², impede the provision of services by critical infrastructure sector entities, cause significant computer or network disruptions, or result in the misappropriation of funds, economic resources, trade secrets, personal identification information or financial data for commercial, competitive or private gain. These activities may include gaining unauthorized access to computer systems through remote access, bypassing firewalls, or compromising the security of hardware or software. The Executive Order also sanctions parties who have knowingly obtained or used trade secrets that were misappropriated through cyber-enabled means. It is important to note, as in other OFAC sanctions programs, parties that are owned by, controlled by, or who serve as agents for the designated sanctions targets will also themselves be subject to the Executive Order.

In the list of FAQs relating to the Executive Order posted on its website, OFAC notes that the sanctions do not apply to legitimate cyber-enabled activities, such as lawful penetration testing as part of academic research, commercial innovation, competitions, or conventions. The order also does not target legitimate network defense and maintenance activities performed by authorized security experts or companies. Further, individual victims whose computers have been compromised and unwittingly used in subsequent malicious cyber-related activities will also not be targeted under the sanctions.

Significance

At the present time, U.S. persons are not required to take any immediate and affirmative actions to comply with the Executive Order as no parties have been formally designated by the Departments of State and Treasury. Once parties have been so designated, however, they will be added to OFAC's Specially Designated Nationals List ("SDN List"). U.S. persons will then be expected to take steps to avoid dealings with designated parties or any entity that is owned or controlled by them. To this end, U.S. companies in particular are expected to ensure that their OFAC compliance policies and procedures will effectively address these new sanctions. Their compliance programs should include screening, training, regular internal auditing, and the establishment of swift issue escalation mechanisms. The consequences of non-compliance with these new sanctions are severe and may include the imposition of maximum civil penalties of up to $250,000 per violation, criminal fines, imprisonment, negative publicity, and possibly the suspension of export privileges in certain cases.  

¹ The term U.S. person encompasses U.S. citizens, lawful permanent residents, individuals protected under U.S. immigration laws, and foreign persons physically located in the United States. The term also includes U.S. companies and business entities, their foreign branches, and foreign businesses that are separately incorporated to do business in the United States.

²The term critical infrastructure refers to sixteen distinct sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; nuclear reactors, materials and waste; transportation; and, water and wastewater systems.