US to enact sanctions against foreign cyber attackers

US President Barack Obama signed a new executive order on Wednesday aimed at imposing “sanctions on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”

“The malicious cyber-enabled activity must have the purpose or effect of significantly harming or compromising critical infrastructure; misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain; knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain; disrupting the availability of a computer or network of computers (for example, through a denial of service attack); and attempting, assisting or providing material support for any of the above activities,” the president explained.

This new executive order will allow the Secretary of the Treasury (in consultation with the Attorney General and the Secretary of State) to effectively freeze any assets these individuals or groups might have in the US, and make it harder for them to do business with US-based companies, including US-based financial institutions.

This order also authorizes travel sanctions against the actors.

President Obama did not name any specific individuals or groups as examples, but noted that the past months have proved that “these threats can emanate from a range of sources.”

The NYT reports that Michael Daniel, the president’s online security coordinator, has also given assurances that the powers granted by this order will not be used to target free speech, to interfere with the free and open Internet, or to target “innocent victims of people whose computers were taken over and used by malicious actors.”

“President Obama’s latest executive order makes good, common sense. It goes towards what is commercially responsible and draws a line in the sand,” commented Bob West, Chief Trust Officer at CipherCloud. “If we can discover who the people or groups are behind cyber attacks, we now have the legal right to take action.

“While attribution is challenging, technology evolves at a fast pace. We should have much more advanced forensics tools in the near future that will allow us to determine with certainty who is responsible for a specific attack. As challenging as attribution is, there needs to be balance between bringing criminals to justice and protecting a citizen’s right to privacy,” he noted.

“Protecting information takes a concerted, coordinated approach between the private and public sector. Technology vendors need to design their products with security built in and companies need to practice good security hygiene. Finally, Congress must do its part to protect the public with sound legislation.”
