Cyber Attack in the United States

We live in an information age – almost every aspect of our daily lives is entwined in some way with the Internet. Here’s the problem: The very networks that we rely on to enable many aspects of our increasingly digital lives are vulnerable to cyberattack. Every day, malicious actors are targeting our businesses, trade secrets and critical infrastructure, and sensitive information – and many of these attacks originate from outside our borders.

We have seen a significant increase in the frequency, scale, and sophistication of cyber incidents targeting the American people, including everything from large data breaches and significant intrusions to destructive and coercive cyber attacks intended to influence the way ordinary Americans exercise their constitutional rights. In many cases, these threats stem from actors overseas using malicious cyber activities to inflict harm on Americans without ever leaving their desks.

No one connected to the Internet is immune from these harms — not businesses, not private citizens, and not the government. Moreover, the implications of these harms are as real as they are complex — everyone can feel the effects of malicious cyber activity, from the consumer who is forced to deal with the consequences of a data breach affecting a business with whom he or she deals, to the company whose trade secret is stolen by faraway competitors.

We are at a transformational moment in how we approach cybersecurity. The actions we take today will help ensure that the Internet remains an enabler of global commerce and innovation.

A significant part of the U.S. government’s actions in the cybersecurity realm are focused on network defense and incident response. In this regard, we are working to enhance cybersecurity capabilities both in government and across the private sector. Initiatives like the Cybersecurity Framework have helped industry not only respond to threats and recover from attacks, but prevent them in the first place. We’ve bolstered the government’s cyber defenses, enhanced information sharing with the private sector, and we are forming the Cyber Threat Intelligence Integration Center (CTIIC), which will provide integrated all-source analysis of cyber threats and help ensure that the U.S. government is sharing the intelligence needed to defend critical networks. The President has taken executive action to expand private-sector information sharing and to protect consumers. He has also sent Congress proposed legislation that would better protect consumers who have been the victims of identity theft, modernize the tools law enforcement uses to investigate and deter cybercrimes, and promote increased cyber threat information sharing among private-sector entities and the government.

Efforts to improve our defenses and response capabilities are essential, but insufficient standing alone. We can and must do more. In particular, we need to deter malicious cyber activity and to impose costs in response to the most significant cyber intrusions and attacks, especially when those responsible try to hide behind international boundaries. Effective incident response requires the ability to increase the costs and reduce the economic benefits from malicious cyber activity. And this means, in addition to our existing tools, we need a capability to deter and impose costs on those responsible for significant harmful cyber activity where it really hurts — at their bottom line.

When it comes to the worst actors, one of the biggest challenges we currently face is developing tools that will allow us to respond appropriately, proportionately, and effectively to malicious cyber-enabled activities, and to deter others from engaging in similar activities. With an Executive Order (from President Obama), the U.S. government has a new way to confront the growing threat posed by significant malicious cyber actors that may be beyond the reach of our existing capabilities.

The Executive Order

This Executive Order authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those individuals and entities that he determines to be responsible for or complicit in malicious cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, economic health, or financial stability of the United States.

Malicious cyber activity — whether it be stealing sensitive information, including personal identifiers, or trade secrets — is often profit-motivated. Because those responsible want to enjoy the ill-gotten proceeds of their activities, sanctions can have a significant impact. By freezing assets of those subject to sanctions and making it more difficult for them to do business with U.S. entities, we can remove a powerful economic motivation for committing these acts in the first place. With this new tool, malicious cyber actors who would target our critical infrastructure or seek to take down Internet services would be subject to these costs when designated for sanctions.

This new executive order is specifically designed to be used to go after the most significant malicious cyber actors we face. It is not a tool that we will use every day. Law-abiding companies have absolutely nothing to worry about; for them, it’s business as usual. We will never use it to try to silence free expression online or curb Internet freedom. Nor will this authority be used to go after legitimate cybersecurity researchers or innocent victims whose computers are compromised. It is designed to be used in conjunction with our other authorities — including law enforcement and diplomatic efforts — to help deter and disrupt the worst of the cyber threats that we face.

This much is clear: Our ability to connect reliably and communicate freely online is a bedrock of U.S. companies’ innovation and our global economic competitiveness. That is why strengthening U.S. cybersecurity is and will remain a defining challenge of the 21st century, and why we will continue to take action to protect our companies and our citizens from the greatest threats we face — online and off.

Kinds of malicious cyber-enabled activities does this Exectuive Order cover

The Executive Order is tailored to address and respond to the harms caused by significant malicious cyber-enabled activities. These activities include:

Harming or significantly compromising the provision of services by entities in a critical infrastructure sector
Significantly disrupting the availability of a computer or network of computers, including through a distributed denial-of-service attack
Misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain
Knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain
Attempting, assisting, or providing material support for any of the harms listed above
Our focus will be on the most significant cyber threats we face – namely, on actors whose malicious activities could pose a significant threat to the national security, foreign policy, economic health, or financial stability of the United States.

The Target and the Sanctions

This tool will be used to go after the worst of the worst of malicious cyber actors: Those whose cyber activities – whether directed against our critical infrastructure, our companies, or our citizens – could threaten the national security, foreign policy, economic health, or financial stability of the United States.

Malicious cyber actors often rely on U.S. infrastructure to commit the acts described in the Order, and they often use our financial institutions or partners to transfer their money. By sanctioning these actors, we can limit their access to the U.S. financial system and U.S. technology supply and infrastructure. Basically, sanctioning them can harm their ability to both commit these malicious acts and to profit from them.

The President signed an Executive Order in January 2015 authorizing additional sanctions on the Democratic People’s Republic of Korea (DPRK). That Executive Order was a response to the DPRK Government’s ongoing provocative, destabilizing, and repressive actions and policies, particularly its destructive and coercive cyber attack against Sony Pictures Entertainment and threats against movie theaters and moviegoers.

Other ways we can respond to cyber threats

President Obama is using a broad range of tools – including diplomatic engagement, trade policy, and law enforcement mechanisms – to address cybersecurity threats like these. We are bolstering the government’s network defenses, sharing more information with the private sector, and standing up the Cyber Threat Intelligence Integration Center (CTIIC) to provide integrated analysis of foreign cyber threats within the federal government and help ensure that our government centers that are responsible for cybersecurity and network defense have access to the intelligence they need to perform their missions.

Moreover, he has sent Congress legislation to further enhance our cybersecurity by strengthening protections for victims of identity theft, modernizing law enforcement tools for investigating and deterring cybercrimes, and promoting increased cyber threat information-sharing among the private sector and government.

U.S. government use of these sanctions

This authority will be used in a targeted and coordinated manner in response to the most significant cyber threats we face, whether they are directed against our critical infrastructure, our companies, or our citizens, when the activities could threaten the national security, foreign policy, the economic health, or financial stability of the United States.

In addition, it’s important to know who we are not targeting. These sanctions will in no way target the victims of cyberattacks, like people whose computers are unwittingly hijacked by botnets or hackers. Nor is this Order designed to prevent or interfere with the cybersecurity research community when they are working with companies to identify vulnerabilities so they can improve their cybersecurity. The targets of these sanctions are malicious actors whose actions undermine our national security.