Sanctions for Cyber Hackers? The White House Considers its Options

In April, in response to the cyberattacks on Sony Pictures last November, President Obama announced an executive action that allows the Treasury Department to impose punitive financial sanctions on hackers that threaten national security. In light of the recent cyberattacks on the computer system at the Office of Personnel Management, during which hackers gained access to the personal data from more than four million federal employees, White House officials say that President Obama is weighing the use of the executive order.
The Executive Order allows the Secretary of the Treasury, upon consultation with the Secretary of State and the Attorney General, to impose financial sanctions on groups or individuals that commit malicious cyber actions that present significant threats to the national security or financial stability of the United States.  The Order also allows the Treasury secretary to sanction those who benefit from such actions. Under the Order, the administration could freeze assets in the United States, cut the groups or individuals off from American technology and goods, or even prohibit Americans from conducting business with those who sponsor cyberattacks.
The cyberattacks on the Office of Personnel Management (“OPM”) announced last week have been described as “among the largest known thefts of government data in history” and many sources link the attack to China. OPM announced the breach last week and at that time said that it did not believe military and intelligence personnel were impacted by the attack.  However, during the investigation into that attack, another breach was discovered, and officials are now saying that that the breach did disclose information about military and intelligence personnel. While the OPM has not confirmed exactly what information was stolen during the hack, sources say that the information could be used to carry out fraud or identity theft. Some of the records that the hackers are suspected of accessing could include a form known as “Standard Form 86.” This form requires applicants to disclose deeply personal information including information relating to drug and alcohol use, financial solvency, and mental illness. For millions of people, this personal information and other identifying information like name, address, and Social Security Number could be in the hands of Chinese hackers.

 On Friday, the White House press secretary Josh Earnest addressed the possibility of using the sanctioning powers of the Executive Order that the president signed in April.

Earnest said, “This newly available option is one that is on the table.” While this Order was originally signed in response to the Sony cyber-attacks that officials suspect were carried out by North Korea, the decision to impose sanctions on China is not one to take lightly because it could impact the working relationships the two countries have been building in areas other than cyber security. In fact, the administration has yet to confirm that the Chinese government played a role in the recent cyber threats.
While it is uncertain what if any legal action will be taken against the perpetrators of these attacks, the OPM has announced that it plans to notify all affected parties and will let them know what information is potentially compromised. The OPM Press Secretary Samuel Schumach said, “We plan to notify affected individuals within 30 days of verifying that additional information was likely taken as we did in the last instance.”