On April 1st, President Obama announced Executive Order 13694 to freeze and deny financial assets of those deemed to be participating in cybercrime or cyberespionage. He invoked, among other things, his power to declare national emergencies.
It was not a prank.
Many have raised questions about the order’s breadth and effectiveness. While it doesn’t target domestic and non-cyber means of identity theft specifically, the order could have a huge impact once it is applied to identity theft perpetrators abroad, as it extends the reach of the federal government to punish and eventually deter overseas networks plying their grift in the digital realm.
Following a recent announcement from the FBI of a $3M reward for a very wanted overseas cybercriminal, the order demonstrates that the federal government is trying to get at the financial incentives both on the enforcement and deterrent levels.
The constraints implied by these criteria-upon-criteria are somewhat muddied by their ambiguity. For example, the order neither defines “cyber-enabled activities,” nor does a prior definition exist in other US law or regulation. The Treasury Department’s OFAC FAQ says this about the definition:
E.O. 13694, malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.
The use of the vague term “cyber-enabled activities” is symptomatic of the federal government’s ongoing problem regarding a definition, or lack thereof, for cybercrime—as distinguished from crimes in the real world or other threats such as international cyberterrorism from adversaries like Iran. According to the Congressional Research Service (CRS), there is little public information about the balance of identity theft committed by domestic and international perpetrators.
In addition, there are questions about those who may be eligible for sanctions. The order does not, on its face, target American citizens. However, the Electronic Frontier Foundation (EFF) notes that the order is “dangerously overbroad” and may apply to persons acting to improve information system security. For example, penetration-testing requires the acquisition of access without other measures such as spear-phishing for credentials. The OFAC FAQ says that these measures are not “intended” to target those conducting penetration-testing or similar methods. EFF, however, recalls that non-government security researchers discovered Heartbleed and other major security vulnerabilities and emphasizes that these researchers “should not have to question whether or not they will be subject to sanctions.”
Additionally, EFF notes that one part of the order would place on the list of sanctioned persons anyone who materially supports those who are sanctioned, or whose property is blocked because of the order, concluding, “…we have serious concerns about how the order applies to everyone.” However, since this section of the order deals with the “misappropriation of trade secrets [emphasis mine] by cyber means,” it seems to pertain only to those engaged in the cyberespionage of intellectual property and other proprietary information, rather than the theft of PII for private use or gain.
One practical check on this broad reach is the attribution problem in cyberspace. As Fahmida Rashid at SecurityWeek observes, “attackers can…make it seem as if attacks originated from a different location. Malware can contain false data to shift culpability…knowing who actually did the attack is a hard problem to solve, and when sanctions are involved, it’s a question no one wants to get wrong.” This may limit the effectiveness of the order. Additionally, since cyberthieves operate under various stolen identities and nicknames, they can sometimes hit even businesses that are strongly vigilant in protecting information, as Experian was when it inadvertently sold personal data to a Vietnamese national in 2013. Finally, even if attribution is accurate, there are unanswered questions about if, where, or how the offending individuals or their governments will retaliate.
Solving the attribution problem, in fact, will depend on the February 2015 Executive Order encouraging the formation of “Information Sharing and Analysis Organizations” (ISAOs) to share cyber threat indicators, as well as legislation on sharing between private companies and the federal government. Businesses’ participation in ISAOs would broaden the volume of intelligence to establish attribution and make these sanctions determinations. Thus, only when one looks at the two orders together does a clear incentive for companies to participate emerge. Companies have potential intelligence but no means to apply it; government officials have the means but limited data to tell them whom to punish. These orders resolve that conundrum.