The U.S. government declares cybercrime a ‘national emergency’
The White House issued a new Executive Order (1. April) authorizing targeted sanctions against individuals or entities whose actions in cyberspace result in significant threats to the national security, foreign policy, economic health or financial stability of the United States.
It gives authorities the power to freeze assets, and also allows sanctions to be applied against companies that knowingly use stolen trade secrets. The wording of the new executive order certainly adds an element of drama, stating that “the increasing prevalence and severity of malicious cyber-enabled activities” pose an “unusual and extraordinary threat” to the national security, foreign policy, and economy of the US.
“The same technologies that help keep our military strong are used by hackers in China and Russia to target our defense contractors and systems that support our troops. Networks that control much of our critical infrastructure — including our financial systems and power grids — are probed for vulnerabilities by foreign governments and criminals” Obama said.
Financial systems, businesses and trade secrets are all in danger from cyber attacks originating overseas and, as said by Obama, costing American jobs.
“Iranian hackers have targeted American banks. The North Korean cyber attack on Sony Pictures destroyed data and disabled thousands of computers. In other recent breaches that have made headlines, more than 100 million Americans had their personal data compromised, including credit card and medical information”.
A significant part of the U.S. government’s actions in the cybersecurity realm are focused on network defense and incident response.
“In response to these cyber threats, our government is using every tool at our disposal — including diplomacy, law enforcement, and cooperation with other nations and the private sector — to strengthen our defenses and detect, prevent, respond to, and recover from attacks”. Barack Obama also concluded that it is often hard to pursue attackers either because of weak or poorly-enforced foreign laws, or because some governments are either unwilling or unable to crack down on those responsible.
The primary focus will be on attackers from outside the US, and while diplomacy and law-enforcement tools will still be the most effective response, “targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst”.
“These sanctions are meant to protect our national security, personal privacy and civil liberties. As such, sanctions will in no way target the unwitting victims of cyberattacks, like people whose computers are hijacked by botnets.”
White House homeland security adviser Lisa Monaco said there had been a significant increase in the frequency, scale and sophistication of cyber incidents targeting the US in the past year – stealing sensitive information or trade secrets – is often profit-motivated, sanctions can be effective because it stops criminals enjoying “the ill-gotten proceeds of their activities”.
But Wednesday’s order also takes aim at hacks “significantly disrupting the availability of a computer or network of computers,” which would certainly apply to the Sony attack. The new order also targets the receipt or use of stolen trade secrets or sensitive information.
Nick Akerman, attorney and computer crime expert with Dorsey & Whitney in New York, said tagging the problem as a national emergency is long overdue, but added he forsees problems in enforcing the new order, specifically with “being able to determine who is responsible for the hacking and whether the right person, company or foreign government is the object of the sanctions. For example, if an oversees company is believed to have hacked into a U.S. company to steal competitively sensitive information, what standard of proof will be used to determine whether that foreign company’s products will be banned from the entering the U.S.?”
Internet service providers are also supportive of legislation that would make it easier for them to share threat information among themselves and with the government, so long as there are liability protections for that sharing.