With Sony in mind, Obama signs new cyberwar E.O., but will he enforce it?

On Wednesday, the President signed a new executive order authorizing sanctions against anyone the State and Treasury Departments decide has engaged in conduct we’d colloquially call cyberespionage, cyberwarfare, or cyberterrorism. The new categories of sanctionable conduct include —

(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;

(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;

(C) causing a significant disruption to the availability of a computer or network of computers; or

(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain. [link]

The E.O. also targets the theft of trade secrets and intellectual property and, in a novel provision, authorizes the blocking of property of those who profit from those crimes. Deep breath now:

(A) to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States; [link]

The order also contains standard (but crucial) clauses authorizing sanctions for assisting, sponsoring, facilitating, or attempting to commit those crimes. In a significant omission, it does not authorize sanctions against those who threaten to commit them.

For the most part, however, the new E.O. follows a well-worn path. It essentially does to certain cybercriminals and their enablers what Executive Order 13,224 does to terrorists and their enablers, or what Executive Order 13,382 does to proliferators and their enablers. The main substantive differences are the targeting of those who profit from the crimes, and a provision for the exclusion of aliens who are designated under the new order (something that Section 206 of the NKSEA would also do to enablers of North Korea’s illicit, prohibited, or sanctionable activities, including cyberwarfare).

In an accompanying Q&A and blog post, the White House names China, Russia, Iran, and North Korea as being responsible for the conduct the E.O. is meant to target. And yet the Obama Administration hasn’t designated anyone under this new executive order.

The program’s effectiveness will depend on its implementation, said Bruce Klingner, senior research fellow for Northeast Asia at the Heritage Foundation. On North Korea, for instance, he said that the administration “has pursued a policy of timid incrementalism — of talking a tough game, but not following through on its rhetoric.” [Washington Post, Ellen Nakashima]

And crucially, the Sony hackers operated more-or-less openly from Chinese soil, to no less an extent than the Taliban allowed Al Qaeda to operate from Afghan soil. What the law enforcement people will tell you is that to shut down that kind of behavior, you have to show the hosts and sponsors that you’re willing (even eager) to go after them, too.

But James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, said the new program is promising — especially as a tool to combat one of the nation’s top cyberthreats: economic espionage by China.

“You have to create a process to change the behavior of people who do cyber-economic espionage,” he said. “Some of that is to create a way to say it’s not penalty free. This is an effective penalty. So it moves them in the right direction.” [WaPo]

Both Klingner and Lewis are correct, but the early signs aren’t encouraging. The new E.O. does fill key gaps in our authorities against cyberespionage and the theft of intellectual property, and those things are doing great damage to our economy and our national security. But the absence of designations suggests that like E.O. 13,687, this may turn out to be another empty threat, at least until we have a president who’s tough-minded enough to protect our interests and our most fundamental freedoms from foreign threats.

In the case of Sony, for example, the Administration already had sufficient tools to sanction those responsible. The threats against “The Interview” moviegoers were clearly terrorism, and the administration could just as well have designated those responsible under Executive Order 13,224, or even charged them criminally under Chapter 113B of Title 18. So why didn’t it? Probably because that would have undermined the State Department’s flat-earth dogma that North Korea hasn’t sponsored an act of terrorism since 1987. North Korea’s December 2014 attacks against South Korean nuclear power plants, which were reportedly meant to cause a reactor malfunction, could also have been designated under E.O. 13,224, and if the evidence was strong enough, should have been.

It may be that the administration is as worried about Congress as it is about the North Koreans, and is trying to stay ahead of it and protect its own role. For example, the new Congress recently passed discretionary sanctions authorities against cyberespionage in Section 1637 of the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015. Section 104(a) of the NKSEA will also provide for mandatory sanctions against North Korean hackers, and Section 104(b) will provide for discretionary sanctions against their enablers.