President Barack Obama speaks at the dedication of the Edward M. Kennedy Institute for the United States Senate, Monday, March 30, 2015. Susan Walsh/AP

Obama Expands the US Response to Cyber Attacks

A new executive order will allow the government to impose financial sanctions against foreigners waging malicious cyberattacks against the US.

President Obama on Wednesday signed an executive order expanding his administration's ability to respond to malicious cyberattacks by allowing financial penalties to be inflicted on foreign actors who engage in destructive hacking campaigns.

"Cyberthreats pose one of the most serious economic and national security challenges to the United States, and my administration is pursuing a comprehensive strategy to confront them," Obama said in a statement. "As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies, and our citizens. This executive order offers a targeted tool for countering the most significant cyberthreats that we face."

The order allows the secretary of the Treasury, in consultation with the attorney general and secretary of State, to impose financial sanctions—such as freezing of assets or prohibition of commercial trade—on individuals or groups responsible for malicious cyberattacks that "create a significant threat to U.S. national security, foreign policy, or economic health or financial stability of the United States," Obama said.

Administration officials have long indicated a desire to strengthen the government's ability to respond to and penalize those engaging in cyberattacks. The massive hit on Sony Pictures last Thanksgiving—which the White House publicly blamed on North Korea—increased the urgency to bolster the nation's cyberdefenses. 

In January, Obama signed a separate executive order allowing for further sanctions against designated North Korean targets, but that action was limited solely to government officials in that country and not tethered directly to the Sony cyberattack. Wednesday's order will broaden the government's authority to permit the levying of sanctions against those directly responsible for hacking activities—and officials will not need to acquire a discrete order to respond to each attack.

Data breaches in recent years at places like Target, Home Depot, and Anthem Insurance have resulted in the heist of the personal data of millions of consumers, ranging from credit-card information to Social Security numbers and health information. But hundreds if not thousands of cyberattacks are waged daily against the United States, officials have said, and many of them originate overseas. China and Russia have been identified as particularly aggressive and adept at cyberintrusion and cyberespionage.

The order limits the government's authority to impose sanctions to attacks deemed significant enough to merit such a response. The types of attacks fit for a counterpunch include those that harm or compromise a critical infrastructure sector, disrupt the availability of a computer or network of computers (such as a distributed denial-of-service attack), or cause "significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain," according to a White House fact sheet.

In addition, sanctions can be imposed on those that knowingly receive or use trade secrets acquired via cybertheft, when the theft is "reasonably likely to result" in a threat to the nation's security or economic health. 

The order also allows for sanctions against actors even if the cyberattack is not successful. Those hit with sanctions would be barred from entering the United States.

White House cybersecurity coordinator Michael Daniel told reporters the powers under the order were intended to "fill in a gap" that exists between the law-enforcement and diplomatic means currently available to pursue malicious hackers. The new authority was vital but "not one that we are expected to use every day," Daniel said.

But at least some privacy advocates—who have been leery of Obama's overall cybersecurity push in recent months—were skeptical that Wednesday's order is necessary.

"This order raises more questions than it answers," said Amie Stepanovich, senior policy counsel with the digital-rights group Access. "We already have strong rules to address criminal activity while protecting human rights. The Obama administration is inventing new authorities to solve these problems rather than using the tools it already has. To further complicate matters, the administration's executive order is incredibly broad, addressing attacks against any entity from nuclear reactors to shopping websites."

Obama, in a post published Wednesday on Medium, attempted to dispel privacy and civil-liberties concerns about the new executive order.

"Sanctions will in no way target the unwitting victims of cyberattacks, like people whose computers are hijacked by botnets," Obama wrote. "Nor does this executive order target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity. And unlike some other countries, we will never try to silence free expression online or curb Internet freedom."