U.S. President Barack Obama last week issued an Executive Order declaring a national emergency and deputizing the Treasury Secretary and Attorney General to apply sanctions and other consequences for international actors deemed to have engaged in “cyber-enabled activities” detrimental to U.S. national security, foreign policy, economic health or financial stability.
The order seems to be a well-intentioned response to incidents such as the recent attack on Sony Pictures Entertainment that was allegedly conducted by hackers backed by the North Korean government. In such attacks, threat groups sponsored by foreign regimes — or simply operating outside the United States — compromise networks belonging to private companies, maintainers of critical infrastructure systems, government entities and other organizations of interest in the U.S.
President Obama writes in the Executive Order, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities [pdf], that the “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
Well-intentioned or otherwise, research advocacy groups worry that the executive action, like prior orders and proposed and existing legislation, could have a chilling effect on security research.
The order aims to punish the perpetrators and facilitators of international malicious hacking activities. Unfortunately, as the Electronic Frontier Foundation explained in a blog post yesterday, the order is a bad response to a very real problem; the group compared it to certain fundamentally flawed legislative solutions to the cybersecurity problem. It could backfire, the digital rights group worries, and discourage the very research conducted to better protect networks and the data they contain in the first place.
Essentially, the order grants the Justice and Treasury departments the authority to block access to the properties and interest in properties of any individuals or groups deemed to be involved in malicious hacking. In other words, the Obama Administration threatens sanctions that would restrict the transfer, withdrawal or export of property, goods and money to those who are determined to be malicious actors. Of course, the sanctioned holdings would have to exist in places under some level of U.S. Government control or, in President Obama’s words, “in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person.”
Like nearly all the U.S. government’s security proposals, this one, the EFF argues, is overly broad in its wording and could be used by the Justice Department to selectively prosecute individuals. While President Obama has offered assurances that this order won’t be deployed against security researchers, the EFF says it is wary of simply trusting the Executive Branch without oversight. Furthermore, the group claims there is a long tradition of the Justice Department abusing anti-hacking laws in order to selectively and disproportionately prosecute researchers and hackers, as was the case with Andrew “weev” Auernheimer and Aaron Swartz.
“That perhaps shouldn’t be surprising, since so far, D.C.’s approach to cybersecurity hasn’t encouraged better security through a better understanding of the threats we face (something security experts internationally have pointed out is necessary),” wrote EFF activist Nadia Kayyali and general counsel Kurt Opsahl. “Instead of encouraging critical security research into vulnerabilities, or creating a better way to disclose vulnerabilities, this order could actually discourage that research.”
Of particular concern to the EFF is section 1. (ii) (B), which seems to remove the necessity that the target of a particular sanction be located outside the U.S.
“As we’ve had to point out repeatedly in the discussions about reforming the Computer Fraud and Abuse Act, unclear laws, prosecutorial (or in this case, Executive Branch) discretion, coupled with draconian penalties are not the answer to computer crime,” argued Kayyali and Opsahl.