cybersecurity alert/media/files/insights/... · 2015-09-17 · cybersecurity alert new us sanctions...



CYBERSECURITY ALERT

NEW US SANCTIONS PROGRAM TO COMBAT CYBERCRIMES: 3 ACTION STEPS FOR TECH COMPANIES

SEPTEMBER 2015


By Jim Halpert, Lawrence E. Levinson, Richard Newcomb, Rochelle Eva Stern, Tara Swaminatha and Sydney M. White

The new sanctions in President Barack Obama’s Executive Order 13694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” target individuals and organizations overseas who engage in cyberattacks or commercial espionage outside the US that are likely to result in a threat to national security or financial stability of the US.

Specifically, EO 13694 expands the US government’s arsenal of authorities to reach cybercriminals and those that steal intellectual property, trade secrets and sensitive information by imposing blocking sanctions on them.

Sanctions are a particularly important tool in this context because cyberattacks are often committed remotely from countries without extradition treaties with the US. This has been a formidable hurdle to US law enforcement authorities’ ability to bring enforcement actions against perpetrators or pursue other legal remedies.

To help implement these new sanctions and facilitate designation, the US government has encouraged US companies to share with it information on theft of IP and other trade secrets. However, the EO also raises issues for US companies about how to comply so as to avoid potential exposure.

I. TARGETED ACTIVITIES UNDER EO 13694

EO 13694 targets persons engaged in “cyber-enabled activities reasonably likely to result in, or [that] have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Among these are the following:

(i) Those “responsible for or complicit in or [who] have engaged in, directly or indirectly, cyber-enabled activities” that originate or are directed from outside the United States and that have the purpose or effect of:

(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector


(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector

(C) causing a significant disruption to the availability of a computer or network of computers or

(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain

(ii) Those “responsible for or complicit in or [who] have engaged in ... the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated”

(iii) Those who have “materially” supported parties blocked pursuant to EO 13694

(iv) Those who are owned or controlled by, or acting or purporting to act on behalf of, those blocked parties and

(v) Those that have attempted to engage in the targeted activities.

Critical infrastructure is defined under EO 13694 by reference to the Presidential Policy Directive – Critical Infrastructure Security and Resilience, which designated 16 critical infrastructure sectors (chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors/materials/waste, transportation systems, and water and wastewater systems). Other important terms in EO 13694 are yet to be defined, so OFAC has issued guidance in its Frequently Asked Questions 444–452 to assist companies in understanding the scope of the Order.

II. OFAC GUIDANCE – COMPLIANCE ISSUES FOR US COMPANIES

US persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not: 1) operate in any jurisdictions targeted by comprehensive sanctions programs or 2) engage in unauthorized transactions or dealings with persons named on any of OFAC’s sanctions lists. Moreover, all transactions by US persons, wherever located, with entities on the Specially Designated National (SDN) list (including any entity in which such named persons own a 50 percent or greater interest) are prohibited, and property and property interests of an SDN within the United States or in the possession or control of US persons, wherever located, must be blocked.

While no individuals or entities have yet been added to the list of SDNs under this authority, the United States Treasury has encouraged all potentially injured companies, including “technology companies,” to evaluate their current policies before listing occurs and, where necessary, “develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures.”

Recognizing that legitimate activities could be misunderstood to be targeted by the language of EO 13694, OFAC’s FAQs provide preliminary definitions of “cyber-enabled activities” and “malicious cyber-enabled activities,” as well as examples of legitimate activities not covered by the Order. OFAC anticipates that future regulations will define “cyber-enabled activities” as “any act that is primarily accomplished through or facilitated by computers or other electronic devices,” and “malicious cyber-enabled activities” as “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.” OFAC’s FAQs indicate that the following types of “legitimate” cyber-enabled activities are not targeted by EO 13694:


• Legitimate network defense, maintenance or other authorized activities performed by security experts that ensure and promote the security of information systems

• The legitimate and authorized use of penetration testing and other methodologies to test the security of information systems

• Activities to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions or competitions

• Other similar good faith events and

• Persons whose personal computers (or other networked electronic devices) are, without their knowledge or consent, used in malicious cyber-enabled activities (e.g., in denial-of-service attacks against US financial institutions).

The new sanctions are to be deployed in conjunction with diplomatic and law enforcement strategies as part of a “whole-of-government strategy to combat cyber-threats.”

III. HOW CAN DLA PIPER HELP? 3 ACTION STEPS FOR TECHNOLOGY COMPANIES

Sanctions compliance is a factually intensive exercise and our team of sanctions professionals will be pleased to help you navigate these issues.

To the extent that a company does not have a compliance program, or has business or business relationships that could be affected by sanctions, it should consider doing the following:

• Identify and understand fully any and all direct and indirect business ties and assess the legal consequences of any prohibitions that may impact your business

• Know your customer (or counterparty)—check the names of all potential parties to a transaction against names on OFAC’s lists to determine whether a party is owned 50 percent or more by a listed entity

• Implement appropriate business strategies and legal measures to protect against and minimize the consequences of future sanctions prohibitions.


www.dlapiper.com

Copyright © 2015 DLA Piper LLP (US). All rights reserved. This bulletin is intended as a general overview and discussion of the subjects dealt with. It is not intended, and should not be used, as a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising. Circular 230 Notice: In compliance with US Treasury Regulations, please be advised that any tax advice given herein (or in any attachment) was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax penalties or (ii) promoting, marketing or recommending to another person any transaction or matter addressed herein.

ABOUT US

DLA Piper is a global law firm with lawyers in the Americas, Asia Pacific, Europe and the Middle East, positioning us to help companies with their legal needs around the world. To learn more, visit www.dlapiper.com.

FOR MORE INFORMATION

For more information about addressing cyberthreats, contact:

Tara Swaminatha, T +1 202 799 [email protected]