Effective immediately, the Treasury Department’s Office of Foreign Assets Control has implemented new rules that execute an executive order issued in April by President Barack Obama. That order authorized sanctions against countries and foreign nationals involved in cyber-attacks against U.S. citizens, companies, or government agencies.
The new rules build upon the Executive Order, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” and formalize a strategy used to increase sanctions against North Korea in response to its alleged role in the hacking of Sony and resulting leaks from its entertainment division.
The regulations, released on Dec. 31, were published in abbreviated form to provide immediate guidance to the public. OFAC intends to supplement the release with a more comprehensive set of regulations, which may include additional interpretive and definitional guidance. Because the regulations involve a foreign affairs function and Executive Order, Administrative Procedure Act requirements for a notice of proposed rulemaking and public comment period were not required.
The rulemaking formally extends sanctions against any foreign nation or individual determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, “to be responsible for, complicit in, or to engaged in, directly or indirectly, cyber-enabled activities” that have materially contributed to a significant threat to national security, foreign policy, economic health, or financial stability.
Specific actions addressed by the rules include: harming or significantly compromising by a computer or network of computers that support infrastructure; and causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
The rules cover any government or party that “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of” cyber-crimes.
Sanctions include, but are not limited to: any contribution or provision of funds, goods, or services by, to, or for the benefit of any person whose property and interests in property are blocked; and the receipt of any contribution or provision of funds, goods, or services from any such person. Immigration and travel bans will also be imposed.
Any transaction that evades or avoids the prohibitions set forth in the order are prohibited.