On April 1, U.S. President Barack Obama signed an executive order expanding Washington’s ability to deter cyberattacks, by empowering the government to apply financial sanctions on hackers and companies overseas that benefit from cyber-espionage. The directive authorizes the secretary of the treasury, in consultation with the attorney general and secretary of state, to impose sanctions on individuals and entities that he determines are responsible for, or complicit in, malicious cyber-enabled activities that may constitute a threat to U.S. national security, foreign policy, economic health or financial stability. The measure was no April Fool’s Day joke. Indeed, it reflects a move by the U.S. to tap its traditional—that is, non-cyber—sources of power in order to promote security in cyberspace. For beleaguered systems administrators and cybersecurity professionals, the move, which represents yet another brick in the foundation of a deterrent posture, is cause for celebration.
The available sanctions are limited, but essentially enable the Treasury Department to freeze assets within U.S. reach of those entities that Treasury Secretary Jacob Lew deems a threat to national interests. Lew may also sanction entities that receive or use secrets and information misappropriated by cyber means and prohibit the entry into the United States of individuals associated with them. While such sanctions would not likely prevent or appreciably affect state-sponsored campaigns, such as China’s ongoing espionage efforts and recent attacks on anti-censorship organizations or North Korea’s coercive raids on Sony, they have the potential to affect criminal organizations, which historically account for a vast number of cyberattacks.
The measures couldn’t have come any sooner, given the financial costs of those kinds of attacks. In its last report on Internet crime, from 2013, the FBI reported receiving 262,813 complaints with an adjusted dollar loss of $782 million. Of course, only a small portion of cybercrime victims actually report their losses. The cybersecurity firm Norton estimated that in 2012, 71 million Americans were victims of cybercrime, among 556 million victims globally, at estimated financial costs of $20.7 billion and $110 billion, respectively. Unfortunately, the U.S. has had few means of responding to these attacks. While its criminal laws make it possible to prosecute cybercrimes, the simple truth is that a vast number of cybercriminals attack from overseas, well beyond the reach of the American criminal justice system, notwithstanding the occasional high-profile arrest and prosecution.