WASHINGTON--President Barack Obama on Wednesday moved to create
a new program of sanctions against other nations and people outside
the U.S. who participate in significant cyberattacks against U.S.
citizens, companies or government entities, expanding federal
protections in response to growing threats from hackers around the
world.
The new powers would allow the Treasury Department to
penalize--by freezing assets or locking access to the banking
system--any person or institution that engages in large-scale
cyberattacks that "significantly" harm or compromise "critical
infrastructure" such as nuclear plants, water treatment facilities,
or the financial system. Sanctions could also be imposed in
response to cyberattacks that attack economic resources, trade
secrets, personal information, or a range of other things.
The White House's description of the sanctions program suggests
it could apply to virtually any breach by overseas hackers, as they
often target personal information, trade secrets, or other
data.
The executive order would supplement legislation set for debate
in Congress later this month that would encourage companies and the
federal government to share more information about cyberthreats
with each other, following large-scale breaches at numerous large
companies, including Target, Home Depot, Sony Pictures
Entertainment, as well as J.P. Morgan Chase & Co. and a host of
other firms.
One of the many complaints from companies is that some
cyberattacks are believed to be connected to foreign governments,
particularly North Korea and China, and it is unclear what
deterrents the U.S. government has in place to prevent foreign
countries from engaging in these attacks. The White House could try
and use its new sanctions powers as a way of addressing this.
"I intend to employ the authorities of my office and this
administration, including diplomatic engagement, trade policy
tools, and law enforcement mechanisms, to counter the threat posed
by malicious cyber actors," Mr. Obama said in a statement
accompanying the executive order.
The executive order also allows the Treasury Department to
impose sanctions on anyone who "knowingly" receives or uses
information that has been stolen through a cyberattack, or provides
any assistance in an attempted attack.
A key question in the new sanctions order is how the Treasury
Department will decide whether a breach is "significant." The word
"significant" or "significantly" appears in the four-page executive
order seven times, and it is used as a barometer to measure whether
a cyberattack merits a sanctions response. But the White House, so
far, hasn't defined what sort of attack would meet that threshold,
possibly giving the Treasury Department flexibility in how the new
powers are used.
Write to Damian Paletta at damian.paletta@wsj.com
Access Investor Kit for The Home Depot, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US4370761029
Access Investor Kit for JPMorgan Chase & Co.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US46625H1005
Subscribe to WSJ: http://online.wsj.com?mod=djnwires