WASHINGTON--President Barack Obama on Wednesday moved to create
a new program of sanctions against other nations and people outside
the U.S. who participate in significant cyberattacks against U.S.
citizens, companies or government entities, expanding federal
protections in response to growing threats from hackers around the
world.
The new powers would allow the Treasury Department to
penalize--by freezing assets or locking access to the banking
system--any person or institution that engages in large-scale
cyberattacks that "significantly" harm or compromise "critical
infrastructure" such as nuclear plants, water treatment facilities,
or the financial system.
Sanctions also could be imposed in response to cyberattacks that
attack economic resources, trade secrets, personal information, or
a range of other things.
White House officials describe the sanctions as a new item in
the "toolbox" that the government can use to respond to such
attacks, though it remains unclear how frequently they would employ
the sanctions.
"We intend to use this tool judiciously and in extraordinary
circumstances," John Smith, the acting director of Treasury's
Office of Foreign Assets Control, told reporters in a conference
call. "This authority is not designed to police the Internet or
stifle technological innovation."
Rep. Mike McCaul (R., Texas), chairman of the House Committee on
Homeland Security, said he was "pleased" with the move but said it
represented a series of half steps by the White House to address
cyberattacks.
"While this action to impose sanctions on hackers is an
important step, unfortunately it further illustrates the
administration's piecemeal approach to confronting these growing
cyber threats," he said.
The White House's description of the sanctions program suggests
it could apply to virtually any major breach by overseas hackers,
as they often target personal information, trade secrets, or other
data.
It could also lead to lobbying by U.S. firms to sanction people
they believe have hacked their networks, though it is unclear how
the U.S. government might respond to such requests.
In December, the Treasury Department announced sanctions against
several North Koreans the department alleged were tied to a
large-scale cyberattack against Sony Pictures Entertainment.
White House officials said the new sanction rules would make it
easier to impose these penalties and create a separate regime
specifically designed to deter hackers.
The executive order would supplement legislation set for debate
in Congress later this month that would encourage companies and the
federal government to share more information about cyberthreats
with each other, following large-scale breaches at numerous large
companies, including Target, Home Depot, Sony Pictures
Entertainment, as well as J.P. Morgan Chase & Co. and a host of
other firms.
One of the many complaints from companies is that some
cyberattacks are believed to be connected to foreign governments,
particularly North Korea and China, and it is unclear what
deterrents the U.S. government has in place to prevent foreign
countries from engaging in these attacks.
The White House could try and use its new sanctions powers as a
way of addressing this.
"I intend to employ the authorities of my office and this
administration, including diplomatic engagement, trade policy
tools, and law enforcement mechanisms, to counter the threat posed
by malicious cyber actors," Mr. Obama said in a statement
accompanying the executive order.
The executive order also allows the Treasury Department to
impose sanctions on anyone who "knowingly" receives or uses
information that has been stolen through a cyberattack, or provides
any assistance in an attempted attack.
A key question in the new sanctions order is how the Treasury
Department will decide whether a breach is "significant."
The word "significant" or "significantly" appears in the
four-page executive order seven times, and it is used as a
barometer to measure whether a cyberattack merits a sanctions
response. But the White House, so far, hasn't defined what sort of
attack would meet that threshold, possibly giving the Treasury
Department flexibility in how the new powers are used.
Write to Damian Paletta at damian.paletta@wsj.com
Access Investor Kit for The Home Depot, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US4370761029
Access Investor Kit for JPMorgan Chase & Co.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US46625H1005
Subscribe to WSJ: http://online.wsj.com?mod=djnwires