After spending a week trying to narrow its scope, President Obama on Wednesday released an executive order that still grants the White House broad authority to sanction individuals and organizations engaged in civil society online.
The order targets entities located partially or wholly outside the United States “directly or indirectly” responsible for cyber-activities “harming, or otherwise significantly compromising…entities in a critical infrastructure sector.”
“I’m for the first time authorizing targeted sanctions against individuals or entities whose actions in cyberspace result in significant threats to the national security, foreign policy, or economic health or financial stability of the United States,” the President wrote in an article published on Medium to accompany the executive order. He also described the threat of such attacks as a “national emergency.”
According to the Department of Homeland Security, “critical infrastructure sectors” can include just about anything—from a nuclear reactor, water treatment plant, or US military base, to a sports stadium, motel, or casino. The “Commercial Facilities Sector” is one of 16 “critical infrastructure sectors” recognized by DHS. Others include financial services, food and agriculture, and information technology.
The order also targets cyber actors believed to be stealing trade secrets and engaging in other types of thievery, and any groups that appear to be benefiting from those acts.
It is unclear to what extent this could impact journalists. Whether by a similarly calculated intent or not, Wikileaks was effectively sanctioned a few years ago, when its payment processing service providers stopped servicing the journalistic outfit after coming under pressure from the US government. Provisions of the executive order do include language targeting those “causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”
President Obama made clear the executive order was in response to a series of cyber attacks carried out late last year against US companies.
“Iranian hackers have targeted American banks. The North Korean cyber attack on Sony Pictures destroyed data and disabled thousands of computers. In other recent breaches that have made headlines, more than 100 million Americans had their personal data compromised, including credit card and medical information,” the President wrote.
The Washington Post reports that the order was supposed to be released last week, but was delayed after the President “wanted the language clarified to convey that the program was aimed at significant malicious cyberactivity.”
“You can’t use it to go after Joe Schmo the petty criminal,” an official told the paper, adding, “You’ve got to be able to demonstrate [the activity] is on a scale that’s harmful to the United States as a whole.”
The White House, however, could be hard-pressed to explain how a cyber-intrusion into a film studio like Sony Pictures is a “national emergency.” There are still lingering doubts as to whether the North Korean government—which the President authorized sanctions against in response to the incident—was even responsible for infiltrating the Hollywood company. Private tech security firms have alleged that Sony insiders were the more likely culprits.
The administration has also never shied away from accusing news publishers, like Wikileaks, The Guardian, and The New York Times, of doing harm to the US military—one of DHS’s critical infrastructure sectors—by publishing “stolen” state secrets.