White House Executive Order Declares Cyber National Emergency

New Obama Administration Executive Order declares a cyber-national emergency and research advocates worry that sanctions could chill security research work.

U.S. President Barack Obama last week issued an Executive Order declaring a national emergency and deputizing the Treasury Secretary and Attorney General to apply sanctions and other consequences for international actors deemed to have engaged in “cyber-enabled activities” detrimental to U.S. national security, foreign policy, economic health or financial stability.

The order seems to be a well-intentioned response to incidents such as the recent attack on Sony Pictures Entertainment that was allegedly conducted by hackers backed by the North Korean government. In such attacks, threat groups sponsored by foreign regimes — or simply operating outside the United States — compromise networks belonging to private companies, maintainers of critical infrastructure systems, government entities and other organizations of interest in the U.S.

President Obama writes in the Executive Order, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities [pdf], that the “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Well-intentioned or otherwise, research advocacy groups worry that the executive action, like prior orders and proposed and existing legislation, could have a chilling effect on security research.

The order aims to punish the perpetrators and facilitators of international malicious hacking activities. Unfortunately, as the Electronic Frontier Foundation explained in a blog post yesterday, the order is a bad response to a very real problem; the group compared the order to certain fundamentally flawed legislative solutions to the cybersecurity problem. It could backfire, the digital rights group worries, and discourage the very research conducted to better protect networks and the data they contain in the first place.

Essentially, the order grants the Justice and Treasury departments the authority to block access to the properties and interest in properties of any individuals or groups deemed to be involved in malicious hacking. In other words, the Obama Administration threatens sanctions that would restrict the transfer, withdrawal or export of property, goods and money to those who are determined to be malicious actors. Of course, the sanctioned holdings would have to exist in places under some level of U.S. Government control or, in President Obama’s words, “in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person.”

Like nearly all the U.S. government’s security proposals, this one, the EFF argues, is overly broad in its wording and could be used by the Justice Department to selectively prosecute individuals. While President Obama has offered assurances that this order won’t be deployed against security researchers, the EFF says it is wary of simply trusting the Executive Branch without oversight. Furthermore, the group claims there is a long tradition of the Justice Department abusing anti-hacking laws in order to selectively and disproportionately prosecute researchers and hackers, as was the case with Andrew “weev” Auernheimer and Aaron Swartz.

“That perhaps shouldn’t be surprising, since so far, D.C.’s approach to cybersecurity hasn’t encouraged better security through a better understanding of the threats we face (something security experts internationally have pointed out is necessary),” wrote EFF activist Nadia Kayyali and general counsel Kurt Opsahl. “Instead of encouraging critical security research into vulnerabilities, or creating a better way to disclose vulnerabilities, this order could actually discourage that research.”

Of particular concern to the EFF is section 1. (ii) (B), which seems to remove the necessity that the target of a particular sanction be located outside the U.S.

“As we’ve had to point out repeatedly in the discussions about reforming the Computer Fraud and Abuse Act, unclear laws, prosecutorial (or in this case, Executive Branch) discretion, coupled with draconian penalties are not the answer to computer crime,” argued Kayyali and Opsahl.

  • Galileo on

    So much for the 5th amendment...
  • Bryan S on

    Like UAV drone attacks against suspected, but never proven to be, terrorists, the Obama administration is now going to financially attack anybody who it deems to be a threat to national security. However, I honestly don't see how a cyber attack on Sony is a threat to US national security. Sony is a Japanese company last time I checked, right? This is the ultimate case of the pot calling the kettle black. The NSA hacks everybody and anybody including German Chancellor Angela Merkel, yet the US government has the audacity to do this? The NSA is the king of hacking and illegally spying on people, including on its own citizens in the United States. The United States of America is not a Democracy. Rather the United States of America is a hypocrisy who loves to start wars under the guise of regime change to steal natural resources from the host country. It's up to the citizens of United States to stop this. In the Constitution of United States you have the right to remove your government if they are deemed corrupt or go against the founding fathers' idea of the U.S. Constitution and the Bill of Rights. If the people in United States do not do this, then they can't complain at all whatsoever. I think it's about time that other countries activate financial sanctions against the United States of America. This will include changing the global currency from the US dollar to something else. Perhaps we should use the gold standard globally? Perhaps we should use the euro as the new global currency? I honestly don't understand how a country, who creates money out of thin air, can still remain financially strong; how is this possible? The other countries of the world haven't had the power to take the financial control of the world away from United States. They just have to work together to do it. I think it would be funny if China called in all of its debts against the United States. Last time I checked US government owes China about $4 trillion US dollars.

    To the user Galileo, the US Bill of Rights is a joke. It really hasn't meant anything since the US Federal Reserve was created in the early 1900s.
    • Glen Richardson on

      Bryan S - Who are you? - It seems like you know quite a bit about the state of things today. Very interesting read!
  • james on

    US GOVERNMENT HACKERS (not including the private or undeclared privately owned companies that are paid by the US to spy and hack.) (Stuxnet anybody?)

    Office of the Director of National Intelligence
    Independent agencies: Central Intelligence Agency (CIA)
    United States Department of Defense: Defense Intelligence Agency (DIA); National Security Agency (NSA); National Geospatial-Intelligence Agency (NGA); National Reconnaissance Office (NRO); Air Force Intelligence, Surveillance and Reconnaissance Agency (AFISRA); Army Military Intelligence (MI); Marine Corps Intelligence Activity (MCIA); Office of Naval Intelligence (ONI)
    United States Department of Energy: Office of Intelligence and Counterintelligence (OICI)
    United States Department of Homeland Security: Office of Intelligence and Analysis (I&A); Coast Guard Intelligence (CGI)
    United States Department of Justice: Federal Bureau of Investigation (FBI); Drug Enforcement Administration, Office of National Security Intelligence (DEA/ONSI)
    United States Department of State: Bureau of Intelligence and Research (INR)
    United States Department of the Treasury: Office of Terrorism and Financial Intelligence (TFI)
