April 7, 2015

By Richard Nephew

President Obama issued a new Executive Order (E.O.) on April 1, putting in place new authorities for the imposition of sanctions against those involved in significant, malicious cyber-enabled activities. This authority, generally speaking, allows the Secretary of the Treasury to impose an asset freeze on any individual or entity found to be involved in these activities and for the Secretary of State to prohibit their travel to the United States (subject to some exceptions). Initial responses in press reports are positive, with some noting that this is a vital tool in the overall US response to an increasingly dangerous cyber-world. And the President’s statement on the issuance of the E.O. underscores his own determination to address this threat through all available tools.

However, there are two curiosities with the Executive Order that bear more attention and consideration from the perspective of sanctions policy specifically.

First, the Executive Order was issued without an Annex, meaning that no individuals or entities were actually sanctioned as of April 1. That, in and of itself, is not a problem. I participated in the drafting and execution of seven different Executive Orders on Iran during my time at the White House and only one of them contained an Annex of designated individuals and entities (E.O. 13606, Blocking the Property and Suspending Entry Into the United States of Certain Persons With Respect to Grave Human Rights Abuses by the Governments of Iran and Syria via Information Technology, issued on April 22, 2012). However, these authorities all dealt with an established sanctions program, involving hundreds of already-sanctioned Iranian entities and individuals. An Annex, specifying additional targets, was less important in this context.

Here, an Executive Order was issued without providing any real sense of who will be targeted. Certainly, modifications to the E.O. – made apparently at the request of the President, according to background quotes given by a Senior Administration Official – underscore the fact that the targets will not be “Joe Schmo” but rather those who engage in activity that “is on a scale that’s harmful to the United States as a whole.”[1]

Quite probably, this is intended to deal with situations such as North Korea’s assault on Sony Pictures last year and Iran’s alleged attacks on U.S. financial institutions since 2011, or from non-governmental cyber-criminals.

But, the authority itself is not limited to such obvious bad actors and could include representatives of governments with which the United States has complex and important relationships. For example, will Chinese hackers, acting at the behest of the Chinese government? The FBI issued a warning to private industry only six months ago, suggesting that this was a real and active threat.[2] Doing so could have serious consequences for the U.S.-China relationship, particularly given Chinese views of sanctions as a policy tool.

This is not to say that sanctions should not be considered or implemented in such a circumstance. I have personally supported the imposition of sanctions against Chinese entities for violations of U.S. sanctions and continue to see them as a valid tool in some instances. But, if a large attack were to come from China (or, indeed, from people acting on the behalf of other governments), then there would be a clear requirement to utilize these authorities in direct response.

Doubtless, creating a sense that this could be the consequence is intended to deter attacks in the future. But, if deterrence fails, then a response must be forthcoming and by raising the stakes in this public fashion, the burden will be on the Administration to respond directly. And, this raises an even more serious question about whether the deterrent impact of this E.O. – which can only target individuals and entities, not governments – is going to be sufficient to merit the risk it creates of either acting or failing to act.

Second, the E.O. does not stop with just malicious attacks but also includes cyber-espionage as a possible sanctionable offense. This is a real threat that potentially costs billions to the United States economy every year, according to the FBI.[3] But, the threat itself comes from a variety of places. A U.S. National Counterintelligence Executive report from 2011 noted that China and Russia are primary sources of this threat, and diplomatically notes that “certain” U.S. partners are also involved in this activity.[4] Former Secretary of Defense and CIA Director Bob Gates noted in 2014 that as many as 15 countries probably conduct economic espionage against the United States, singling out France as an example of an ally that engages in the activity.[5]

Under the definitions included in this E.O., the governments of China and France are themselves not potentially sanctionable, but certainly entities under their control and individuals involved would be. The question becomes: does the Administration intend to use this authority in an even-handed way to deal with problems from China as it would problems from France?

This post should not be misconstrued as either suggesting that China (or any other actor) should be shielded from the consequences of their misconduct, or that the United States does not have the responsibility to protect itself in this fashion. However, the Executive Order issued on April 1 does raise uncomfortable questions about the use of sanctions in this fashion. If the United States does believe that these activities are objectionable regardless of source, then it would be reasonable to suspect that individuals and entities based in France, China, or anywhere else would be subject to these sanctions. If such targets are not sanctioned, then the Administration has opened itself up to the charge that its sanctions are inherently discriminatory, undermining the very norm that the Administration is seeking to promote through this step. And, if the implementation problems created by the need to manage these competing interests result in no sanctions being imposed whatsoever, then this E.O. will become a paper tiger.

And what would we say if China, France or any other country created a similar sanctions structure that could target U.S. entities and individuals? The United States government would disavow any conduct that it believes to be criminal, even if it originates from the United States, but sanctions actions on the part of governments can often be subject to a fairly complex “eye of the beholder” test.

In all, the E.O. issued on April 1 may be the beginning of a new front for U.S. sanctions policy but it comes with serious complications for the future.

Richard Nephew is Director of the Economic Statecraft, Sanctions, and Energy Markets program at Columbia University’s Center on Global Energy Policy, and the former Deputy Coordinator for Sanctions Policy at the State Department.

[1] Nakashima, Ellen, April 2, 2015, “U.S. establishes sanctions program to combat cyberattacks, cyberspying,” The Washington Post.\, http://www.washingtonpost.com/world/national-security/us-to-establish-sa...

[2] Nakashima, Ellen and Ashkan Soltani, October 15, 2004, “FBI warns industry of Chinese cyber campaign,” The Washington Post, http://www.washingtonpost.com/world/national-security/fbi-warns-industry...

[4] Office of the National Counterintelligence Executive, 2011, “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011“ found at: http://ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collecti...

[5] Keck, Zachary, May 23, 2014, “Robert Gates: Most Countries Conduct Economic Espionage,” The Diplomat Found at: http://thediplomat.com/2014/05/robert-gates-most-countries-conduct-econo...