2015 Cybersecurity Executive Order
On April 1, President Obama signed an Executive Order to combat the "national emergency" sparked by a rapidly evolving global cybercrime environment. The Executive Order directs the U.S. Treasury Department to impose sanctions on persons who are identified as being connected to certain "cyber-enabled activities" that threaten or could threaten U.S. national security, foreign policy or economic interests. United States government guidance indicates that such persons are likely to include, for example, participants in cyberattacks relating to U.S. "critical infrastructure," as listed in a 2013 Presidential Policy Directive, including the chemical, defense industrial, food and agriculture, information technology, and transportation systems sectors (to name only a few).
As Orrick, Herrington & Sutcliffe partner Harry Clark recently noted in an interview with Law360, the Administration's grant of sanctions authority places cybercrime on par with terrorism and related activities that have traditionally attracted the U.S. Government's most exacting scrutiny and stiffest sanctions penalties. Although the Executive Order itself does not designate persons to be sanctioned for cybercrime purposes, companies should expect that the Treasury Department will make such designations. Companies that do not regularly consult the Treasury Department's Specially Designated Nationals (SDN) list should stand up and take note.
In the absence of a comprehensive legal regime to fight cyberterrorism, the U.S. Government has taken several recent steps to combat the rise of international cybercrime. Specifically:
Against this background, the 2015 Executive Order gives the Treasury Department specific authority to target malicious actors who, for example, profit from or bankroll international cybercrime, including the theft of trade secrets from U.S. critical infrastructure and major computer networks. Specifically, the Treasury Department can sanction such actors by blocking assets within the United States or held by U.S. persons outside the United States in which the designated person has an interest.
As a result, the EO will generally forbid U.S. persons from engaging, directly or indirectly, in transactions that involve property interests of persons designated as being sanctioned under the EO. These prohibitions extend to legal entities that are 50%-or-more owned by sanctioned persons. More specifically:
Companies that already comply with the existing U.S. sanctions regime are unlikely to require wholesale procedural changes as a result of the 2015 Executive Order. The sanctions program against cybercriminals will align with current requirements that companies refrain from participating in transactions that involve SDNs or entities that are directly or indirectly owned (50% or more) by one or more sanctioned persons or entities.
However, companies that touch digital currency should pay particular attention, as the game is about to change. Digital currency continues to be linked to cybercrime. And as massive online criminal enterprises such as Silk Road continue to use digital currency as the monetary instrument of choice, companies that facilitate storage of, or accept transactions in, digital currency will now be expected to have policies and procedures to potentially freeze accounts. Indeed, as Clark noted last week in an article focusing on recent settlements by PayPal and Schlumberger following sanctions violations, companies should increase vigilance and place significant emphasis on strong internal controls to ensure compliance with U.S. economic sanctions requirements.
According to the Congressional Research Service, as of 2013, more than 50 statutes addressed various aspects of cybersecurity in the absence of a unified framework. Some experts believe that this patchwork of statutes may be insufficient to protect United States critical infrastructure. Congressional Research Service, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress at 1 (December 15, 2014).
Orrick's Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.