In April 2015, President Obama signed Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”
Executive Order 13694 took two significant steps toward safeguarding cybersecurity:
- Declaring a state of “national emergency” to deal with the “increasing prevalence and severity of malicious cyber-enabled activities”; and
- Creating a framework for the U.S. to punish malicious cyber actors by blocking a person’s “property or interests” within the U.S. from being “transferred, paid, exported, withdrawn, or otherwise dealt in.”
Current State of Cyber Deterrence
Notwithstanding the declaration of a national emergency, the Executive Order has still not been applied, despite resulting in approximately $760,000 worth of expenses in its first 6 months of existence.
Executive Order 13694 is intended to focus on campaigns of cyber espionage and critical cyber attacks. The continuing news of cyber attacks linked to state actors such as Russia and China, however, is certainly cause for the Order to be brought into play.
FireEye iSIGHT recently published a report showing a decrease in corporate espionage cyber attacks by Chinese state-affiliated actors in mid-2014. The decrease coincided with the U.S. government indictment of five Chinese army officers for hacking, and was followed less than a year later by Executive Order 13694. The combination of the indictment and the threat of sanctions provided a heightened level of deterrence. The FireEye report indicates that Chinese-supported attacks continue, despite the U.S.’s agreement with China to end economic cyber espionage. The data does not make clear whether there has been a decrease in actual attacks or in attacks with known indicators.
The U.S. has also yet to take any such public action against Russian-backed hackers despite growing Russian cyber activity.
The Path Forward
The FireEye report indicates meaningful progress toward effective cyber deterrence. The U.S. should continue this progress by taking the following concrete steps toward dealing with the ever-changing cyber environment:
- Continue to “name and shame” malicious cyber actors;
- Enact commercial restrictions upon businesses directly or indirectly involved in cybercrimes;
- Reject entry into the United States for individuals associated with organizations or nations suspected of malicious cyber activity; and
- Put Executive Order 13694 into play and show that it is not an empty threat.