In the wake of constant cyber attacks and acts of cyber espionage against the United States, the President signed an Executive Order effectively initiating the first program to impose sanctions on foreign individuals who engage in destructive and malicious behavior in the cyber realm. This “national emergency,” which President Obama deemed imminent, has created the need for significant action to enforce penalties and deter threats against the U.S. that would impact critical infrastructure or intellectual property.
In an article in The Washington Post, Ellen Nakashima asserts that this executive move will expand the resources available to the Administration to “punish and deter” by vesting power in the Treasury Secretary to target foreign adversaries that elicit malicious activity in cyberspace.
This new sanctions program is an application of the President’s already existing authority given to him by Congress. The International Emergency Economic Powers Act of 1977 allows the President to issue executive orders for targeted sanctions in response to a “national emergency.” Moreover, the 2015 National Defense Authorization Act (Section 1637) allows the President to implement targeted sanctions on cyber-espionage threats specifically and only requires an annual report to Congress.
This executive order is also not President Obama’s first to create additional sanctions and expand preexisting ones, especially with North Korea. Most recently, President Obama issued an executive order on January 2 that imposed additional sanctions in response to North Korea’s hacking of Sony. He also issued executive orders in April 2011 and August 2010 that imposed targeted sanctions on North Korea.
Ensuring these new sanctions are effective requires using the new authority to target violating entities. To date, the Obama Administration has pursued a policy of timid incrementalism when responding to North Korean violations. In his paper on North Korean sanctions, Bruce Klingner, Senior Research Fellow for Northeast Asia at The Heritage Foundation, said, “Responding with strong rhetoric and minimalist measures has only encouraged North Korea to remain on course.” This new sanction program is an opportunity for President Obama to follow through with his tough talk on North Korea and the increasing number of other cybersecurity threats.
Following the North Korean attacks on Sony, Klingner and David Inserra, Research Associate for Homeland Security and Cybersecurity at The Heritage Foundation, recommended the Administration review existing laws and executive orders to assess if new measures were necessary to deal with cyber threats and “deter further aggression by other malicious nations.” This executive order ensures the necessary tools are available to punish and deter serious cyber aggression ranging from widespread cyber espionage to cyber warfare. Now they must be used; as failure to do so will leave the U.S. increasingly vulnerable to numerous threats.
The President’s action is just the starting point, however. For a more effective cybersecurity policy, Congress should consider its own potential actions:
To promote cybersecurity, further cyber legislation needs to focus on facilitating information sharing between the public sector and the private sector. Rather than minimally effective regulations, legislation should encourage private-sector efforts that promote awareness, education, and training so companies can begin to take more effective precautions to protect themselves. A limited, defined set of cyber self-defense standards would also allow willing companies to better protect and innovate in cyberspace, going beyond just complying with obligations.
It is essential that the federal government play a role in cyber protection, especially when the homeland, individuals, and our critical infrastructure are exposed.
Emily Runge and Jennifer Guthrie are currently members of the Young Leaders Program at The Heritage Foundation. For more information on interning at Heritage, please click here.