An Executive Order signed by President Barack Obama on April 1 is the latest in a series of moves by the U.S. government to help impede cyber-criminal activity aimed at the United States.
The order gives the Treasury Department, working with the Attorney General and the State Department, the power to block the transfer of funds between entities inside and outside the U.S. that attack computers or networks to steal money, trade secrets, personal information or other data to the detriment of the government and its citizens.
The order officially declares an emergency and includes other broad powers, such as the ability to block travel to the U.S. by people involved in such attacks. The order specifically includes the ability to block donations to groups that carry out such activities.
The action is clearly aimed at providing greater consequences for people or organizations that break into U.S. computers in an attempt to profit from the activity. This would include groups that steal credit card numbers or other personal information in cyber-attacks, such as those launched against Home Depot or Target.
The order also covers attempts to steal corporate information, such as the endless attacks by the Chinese army against U.S. defense contractors, and it would even include Distributed Denial of Service attacks against Websites and networks in the U.S.
The order’s specific goals are described in a sort of FAQ published by the White House along with the order. In that document, the White House explains that the new order would limit the ability of organizations involved in such attacks to do business with U.S. companies in addition to their ability to transfer money out of the U.S.
While the activities of ransomware operations are not specifically mentioned, this order would allow the Secretary of the Treasury to target Bitcoin exchanges that are used as a way to pay those ransoms.
For the most part, however, the attention of the government will be aimed at cyber-attacks against critical infrastructure, major networks and Websites. It’s worth noting that the order specifically protects people who are innocent participants, such as those who have computers that are used by botnets, and extends protection to security researchers.
In a statement issued in conjunction with the EO, Lisa Monaco, the President’s assistant for cyber-security and counterterrorism, said that the order was first and foremost intended to hurt criminals in the pocketbook.
“Malicious cyber activity—whether it be stealing sensitive information, including personal identifiers, or trade secrets—is often profit-motivated,” Monaco said in a prepared statement. “Because those responsible want to enjoy the ill-gotten proceeds of their activities, sanctions can have a significant impact. By freezing assets of those subject to sanctions and making it more difficult for them to do business with U.S. entities, we can remove a powerful economic motivation for committing these acts in the first place.”
White House Sanctions Attempt to Hit Cyber-Crime in the Pocketbook
Monaco also said that law-abiding U.S. companies have nothing to worry about. “We will never use it to try to silence free expression online or curb Internet freedom,” Monaco said. This raises the question about those who donate to help fund activities such as WikiLeaks, an organization that clearly fits the description of organizations that would fall under the sanctions of the order.
The U.S. Supreme Court has repeatedly ruled, most recently in the Citizens United decision, that donations of money equate to speech and are protected under the First Amendment. Would those donations be sanctioned? Monaco’s statement would indicate that they would not, but nothing in the order says that.
The bigger question, of course, is whether this Executive Order will actually accomplish anything. The answer is, “maybe.” The problem with issuing sanctions against most state-operated attackers is the issue of diplomacy and practicality. The problem with issuing sanctions against most cyber-criminals is finding them. Neither of those problems is made easier by the EO.
In the case of state-sponsored attacks, such as the Chinese army’s constant attempts to steal trade secrets, classified information, email addresses or anything else that is not nailed down, are sanctions practical? Can you really issue trade sanctions against China? Not without risking a trade war that damages both sides. And if you try to issue sanctions against the Chinese army, what exactly would you block?
While it’s possible that this order might provide a way to block some activities, it’s hard to see how it will accomplish much on its own. However, as an important weapon in the much larger arsenal of cyber-weapons at the disposal of the U.S. government, it provides an important capability. One can, after all, accomplish a great deal by following the money.
An excellent example from an earlier time is the conviction of the famous gangster Al Capone on tax evasion charges. Capone was never tried for the vast array of crimes for which he was responsible, but he was caught by his own money trail. Because he didn’t pay taxes on his ill-gotten gains, he spent most of the rest of his days in the slammer.
This sort of approach does have possibilities in fighting cyber-crime. After all, most such crime is aimed at making a profit, but if those criminal organizations can’t get access to the money, there’s no point in being in that business. Assuming, of course, that the Treasury Department can find a place in the money trail to cut things off.
For those organizations, cutting off the flow of money is like cutting off the air they breathe. They will soon die. But that’s not the case with state-sponsored attacks—after all, they have their own supply of money.