President Barack Obama has signed a new executive order promising to levy economic and travel sanctions on anyone outside the country who launches cyber-attacks which pose a threat to the national security, foreign policy, and economy of the United States.
The document, signed on Wednesday, claims sanctions will be imposed if such attacks pose an “unusual and extraordinary threat” to US interests.
Specifically, it calls out attacks on the critical infrastructure sector; disruption to computer networks; and the misappropriation of funds, trade secrets, personal info, and financial information for commercial or competitive gain.
“From now on, we have the power to freeze their assets, make it harder for them to do business with US companies, and limit their ability to profit from their misdeeds,” Obama said, according to reports.
The move is clearly designed to be a deterrent and can be seen as a step up from previous efforts to name and shame those accused of attacking the US or US companies.
This famously happened in May 2014, when five PLA soldiers were indicted by Washington for cyber-attacks against US firms for economic gain.
Soon after, the army unit responsible was up and running again and back to its old ways, intelligence from cybersecurity firms revealed.
Bob West, chief trust officer at CipherCloud, welcomed the sanctions as “good, common sense.”
“It goes towards what is commercially responsible and draws a line in the sand,” he added. “If we can discover who the people or groups are behind cyber-attacks, we now have the legal right to take action.”
Some commentators have argued that the sanctions will be difficult to enforce given the problem of attribution in cyberspace and the plausible deniability strategy that China and others have often hid behind.
However, West argued that the pace of technological change will help overcome any concerns.
“We should have much more advanced forensics tools in the near future that will allow us to determine with certainty who is responsible for a specific attack,” he said.
“As challenging as attribution is, there needs to be balance between bringing criminals to justice and protecting a citizen’s right to privacy.”