WASHINGTON President Obama signed an executive order Wednesday giving the Treasury Department new powers to impose sanctions against entities that carry out or benefit from cyberattacks against U.S. "critical infrastructure," including the financial sector.
"Cyber threats pose one of the most serious economic and national security challenges to the United States, and my Administration is pursuing a comprehensive strategy to confront them," Obama said. "This Executive Order offers a targeted tool for countering the most significant cyber threats that we face."
The order, which follows a series of other initiatives undertaken by the White House to fight cyber-attacks, lays out a potentially sweeping scope of possible threats that could spur sanctions. Individuals or entities that are shown to "engage in significant malicious cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy or economic health or financial stability" could be subject to penalties such as freezing of assets or denial of entry into the U.S.
For an attack to be severe enough to spur the new sanctions, it has to harm or severely compromise the function of "critical infrastructure sectors." Those include finance, energy, transportation or water treatment facilities. The sanctions can also be triggered by activities that disrupt the services of entities that support a critical infrastructure sector. An attack that causes a "significant disruption" to computer networks or that causes the "significant misappropriation of funds or economic resources" would also potentially qualify for sanctions.
Michael Daniel, a special assistant to the president and cybersecurity coordinator, said the executive order was meant to be broad enough to include a wide variety of attacks but also to set the bar high enough that sanctions would not be applied haphazardly.
"We want to have this tool as a deterrent to those that would consider carrying out some of these activities," Daniel said in a briefing for reporters. "It's both targeted, in the sense that it has to be very significant and meet those four harms, but it's also very broad in that those harms cut across a wide swath of activity."
Daniel said the sanctions "fill a gap" that previously made it challenging to pressure groups located in countries with lax cybersecurity enforcement or governments that are complicit in cyber-attacks themselves. Yet he declined to name specific examples of threats subject to the sanctions and said the administration is not presently targeting any individuals for penalties under the executive order.
Yet he signaled that attacks on banks and the financial sector would qualify as significant enough to warrant the new sanctions.
"Something that has the potential to cause widespread disruption to our financial sector, something that would meet the significance test for the financial stability of the United States, if we can make the case we would consider using this tool," Daniel said.
The order comes as cybersecurity takes on an increasingly prominent role as a financial stability issue, spurring banks and government officials to develop better solutions for preventing attacks or limiting their damage.
The White House announcement followed a set of earlier measures announced by the administration this year, including support for cybersecurity legislation and creation of a new agency to facilitate the sharing of information about new threats. The House Permanent Select Committee on Intelligence last week passed a bill that would ease private companies' ability to share information on data breaches.
In a statement, American Bankers Association chief executive Frank Keating said Wednesday's order "sends a strong signal to cybercriminals and foreign entities that America is committed to fighting this increasing threat."
"U.S. businesses are committed to working with the government to help protect our critical infrastructure and the economic security of our country," Keating said.