Sanctions: America’s best new weapon against cyber crime
Kiboshing cyber criminals has been tough work for the United States—not least because so many of the perpetrators fall outside the country’s jurisdiction. That’s why President Obama celebrated his April Fool’s Day by signing an executive order intended to stop these hackers from continuing to laugh all the way to the bank. He was not, as one might glean from his post on the blogging platform Medium, in a joking mood:
Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit. From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds.
The latest move grants the executive branch additional muscle to deal with a growing security problem, establishing new punishments for overseas hackers. Namely, a sanction program.
According to the directive signed on Wednesday, the Secretary of the Treasury now has the authority “to impose sanctions on individuals or entities that engage in significant malicious cyber-enabled activities” in those cases that pose “a significant threat to the national security, foreign policy or economic health or financial stability of the United States.” That means that with input from the attorney general and secretary of state, treasury secretary Jack Lew can block financial transactions, freeze assets, and otherwise restrict an alleged cyber criminal’s ability to travel or move money.
It’s a move ripped straight from the global threat mitigation playbook. In the U.S., authorities have had success in handicapping drug traffickers (like the Sinaloa cartel in Mexico), terrorists (like al Qaeda) and crime rings (like the Yakuza in Japan) this way. At the beginning of the year, the president also placed harsher economic sanctions on North Korea following the country’s alleged cyber attack on Sony Pictures—a move, based on existing authority, that seems to have presaged the advent of the White House’s new weapon against cyber crime.
Even though the announced sanctioning capability only inhibits cyber criminals’ access to the U.S. financial system, the restriction may have big ripples throughout the realm of global commerce. As other banks learn who is engaging in cyber crime, they may stop doing business with them—a potentially huge deterrent for bad actors. It’s a smart strategy for the U.S. government, which has been all but impotent up till now in its responses to cyber theft: name, shame, constrain.
An even bigger boon would be that the sanctions spark a dialogue between countries toward establishing the norms of behavior in cyber space. The move could lead to guidelines that dictate what’s okay and what’s out of bounds when it comes to states’ digital deportment. (We’ve already seen some slippage in China’s historically unconditional denial that it engages in cyber war. And in May, a grand jury in the U.S. indicted five members of the People’s Liberation Army in China for cyber espionage.)
Dmitri Alperovitch, co-founder and CTO of the security firm CrowdStrike, who has advocated for the use of sanctions against cyber criminals for years, seems elated with the Obama administration’s latest step. “While it remains to be seen how often these powers are used by the U.S. government and who might end up on the receiving end of these sanctions, I cannot understate the momentous impact of this action,” he writes on his company’s blog. “The administration deserves tremendous credit for taking this extraordinary bold step.”
There’s just one issue, and that’s the question of attribution. The treasury is going to have to make sure they’ve got the right person (or company), which can be a difficult proposition in cyber space. One that becomes even more difficult when botmasters hijack innocent people’s machines and use them to launch attacks. It’s no simple task, to use language that Lew reportedly used in a statement, “to expose and financially isolate those who hide in the shadows of the Internet.”
In the above mentioned Medium post, President Obama maintains that the sanctions “used judiciously, will give us a new and powerful way to go after the worst of the worst.” To further clarify the executive order’s intended impact and quell possible concerns, it published a Q&A on its site.
These sanctions will in no way target the victims of cyberattacks, like people whose computers are unwittingly hijacked by botnets or hackers. Nor is this Order designed to prevent or interfere with the cybersecurity research community when they are working with companies to identify vulnerabilities so they can improve their cybersecurity. The targets of these sanctions are malicious actors whose actions undermine our national security.
Like the enterprises it targets, crime is a business. A winning strategy is increasing costs for adversaries to dissuade them from attacking in the first place. That’s the idea behind the U.S. treasury’s new powers; it’s a game of economics. Aimed at the right wrongdoers, it just might work.
Watch more business news from Fortune: