On December 31, 2015, the Office of Foreign Assets Control (OFAC) issued regulations which codify and provide further details on the cybersecurity sanction program introduced on April 1, 2015 under Executive Order (E.O.) 13694. While the Obama administration still has yet to make its first designations under the new program, it will be one to watch in 2016 given the high profile and geo-political challenges of cybercrime.
As explained in our previous client alert, E.O. 13694 authorizes the Secretary of the Treasury (in consultation with the Attorney General and Secretary of State) to sanction persons that have (1) participated in malicious cyber-enabled activities constituting a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States,” or (2) misappropriated trade secrets for commercial or financial gain outside the United States.
The new regulations are codified at 31 C.F.R. Part 578. They have been published in abbreviated form and thus far are limited to boilerplate provisions contained in other “targeted” sanctions programs. OFAC indicated that it intends at some future time to supplement the abbreviated regulations, which may include interpretive and definitional guidance as well as general licenses and statements of licensing policy. For example, OFAC has defined the following terms thus far only in FAQ 447:
- “Cyber-enabled” activities would include “any act that is primarily accomplished through or facilitated by computers or other electronic devices.”
- “Malicious cyber-enabled activities” would mean “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”
It will be worth monitoring how OFAC continues to clarify the scope and intent of this new sanctions tool.