Thursday, April 02, 2015

Cyber Sanctions?


Obama in Louisville, KY on April 2, 2015 at Indatus, a company that provides cloud-based communication applications, hardware and infrastructure.

On Wednesday, President Obama signed a new executive order that "authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those individuals and entities that he determines to be responsible for or complicit in malicious cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, economic health, or financial stability of the United States."


In other words, if you hack the US government and threaten its security (financial or physical), the government can now freeze your bank account or impose a visa ban. The White House claims these impositions are similar to counter-terrorism orders.

Obama authorized this Executive Order the same way past presidents did for the 1933 banking crisis, the Korean War, and even a 1971 response to inflation.

But further, this order "blocks property of those found to be responsible" for the attacks, or it could freeze the assets of any company in the US that has used stolen US intellectual property for a commercial advantage. As some journalists have pointed out, if taken to its logical conclusions, the law could lead to a visa ban on some foreign executives or even the seizure of data centers.

They hope to deter potential attackers by giving them something to consider when deciding to illegally hack the US. In addition, they “don’t want to just deter those with their fingers on the keyboard but those who are funding and enabling those groups to carry out their activity,” said Michael Daniel, special adviser to the president on cybersecurity.

However, the Electronic Frontier Foundation and Errata Security both expressed concern over the administration's ability to arbitrarily seize assets or indict researchers or security consultants who hack to determine vulnerabilities.

What will be interesting in the coming years is how exactly this will be applied. Journalists, security advisers, and academics have been hard pressed to come up with examples. The Sony attack would not count. The denial of service attacks against banks might have counted. So what WILL count?

That remains to be seen.
