Will Executive Order Impact Cybercrime?

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.databreachtoday.com/will-executive-order-impact-cybercrime-a-8070

President Obama on April 1 issued an executive order that allows the U.S.
government to block or seize the assets of suspected "malicious cyber
actors." But some legal and security experts already are questioning
whether the order is legally defensible or will have any meaningful impact
on either cybercrime or online espionage.

"There are so many problems with this," attorney Mark Rasch, a former U.S.
Department of Justice official who created its computer crime unit, tells
Information Security Media Group, citing, for example, the government's
ability to presume someone is guilty, without first having to prove it. "In
general, sanctions are a political tool for putting pressure on
recalcitrant governments to change their ways, [but] these sanctions are a
legal tool to impose punishment without trial on persons we believe to be
criminals and hackers."

The Obama administration, however, says that the executive order -
officially titled "Blocking the Property of Certain Persons Engaging in
Significant Malicious Cyber-Enabled Activities" is necessary to give the
U.S. government much-needed new legal tools in its fight against cybercrime
and online espionage. The executive order represents the first time that
the White House has authorized broad sanctions to be imposed specifically
for cyber-attacks, and regardless of the location of whoever is behind the
attacks.

"Our primary focus will be on cyberthreats from overseas,Obama writes on
news website Medium. "In many cases, diplomatic and law enforcement tools
will still be our most effective response. But targeted sanctions, used
judiciously, will give us a new and powerful way to go after the worst of
the worst."

The executive order authorizes the Secretary of the Treasury - in
consultation with the Attorney General and the Secretary of State - to
impose such sanctions "on individuals or entities that engage in malicious
cyber-enabled activities that create a significant threat to the national
security, foreign policy or economic health or financial stability of the
United States," Obama says in an April 1 statement distributed by the White
House.

While the executive order doesn't define "significant," it says sanctions
can be imposed for a variety of reasons, for example, in response to
attacks that target critical infrastructure, which disrupt networks - via
distributed denial-of-service attacks, for instance - as well as for
targeting or stealing trade secrets or personally identifiable information,
and for computer crime in general.

Intent: To Fill Gaps

White House Cybersecurity Coordinator Michael Daniel says the executive
order is meant to expand the "spectrum of tools" that the government can
use to combat cyber-attacks, by supplementing current diplomatic, law
enforcement, military, economic and intelligence capabilities.

"It is designed to fill in a gap that we have identified where individuals
carrying out significant malicious cyber-attacks are located in places that
it's difficult for our diplomatic and law enforcement tools to reach -
whether because they're behind the borders of a country that has weak
cybersecurity laws, or the government is complicit in or turning a blind
eye to the activity that is happening, and we don't have good law
enforcement relationships or other kinds of relationships," he said on an
April 1 a press call. "So what we're doing is putting in place a tool that
will enable us to impose costs on those actors."

John Smith, the Treasury Department's acting director of the Office of
Foreign Assets Control, or OFAC, which administers and enforces U.S.
economic sanctions programs, said on the press call that the executive
order elevates cyber-attacks to the realm of such activities as
counterterrorism, narcotics trafficking and transnational crime, which the
United States targets, regardless of where they're based. Smith says the
administration is hoping that by designating cybercrime and online
espionage in this manner, more countries will be spurred to put a stop to
related activities inside their borders, or which touches their financial
system.

Sony Hack Inspired Order

The Washington Post reports that the executive order has been under
development for the past two years. But Daniel says the need for the
executive order was highlighted after the president called for a
"proportional response" to the hack attack against Sony Pictures. "That
process informed us as we were finishing up this executive order and
highlighted the need for us to have this capability and to have this tool."

The move follows another executive order, signed by the president in
January, that imposed sanctions on 10 individuals and three entities
associated with the North Korean government, after the FBI attributed the
November 2014 hack and wiper malware attack against Sony Pictures
Entertainment to "North Korea actors." But numerous information security
experts have continued to question that attribution.

Questioning the Rationale

And some legal and security experts are now questioning the rationale
behind the new executive order. "It's really built out of frustration,
because the international legal process does not deal effective with
cybercrime," says Rasch, the former DOJ official. "So there's the urge to
take the law into your own hands. Resist that urge."

Rasch adds that another problem with the executive order is that it's not
aimed just at state sponsors - or nation-state-backed attackers - but
anyone who the U.S. believes has broken the law. Furthermore, it allows the
government to impose punishments, such as seizing U.S. citizens' assets,
without any due process, or having to first prove the government's case.

The administration says that anyone who wants to contest sanctions that get
imposed using this executive order can do so with OFAC, or by filing a
lawsuit against the federal government.

Cybercrime Impact?

But will the executive order lead to any meaningful reduction in cybercrime
or online espionage? "I'm somewhat skeptical, to say the least," Sean
Sullivan, a security adviser for Helsinki, Finland-based anti-virus firm
F-Secure, tells ISMG. "There's a great deal of Russian-speaker-based
'espionage as a service' that would be very difficult to do much about. And
China seems even more of a challenge. But then again, maybe there are some
officials who do actually have American assets to go after - New York real
estate, for example."

James A. Lewis, a cyberpolicy expert at the Center for Strategic and
International Studies, believes that the new program could have an impact,
for example to combat Chinese-promulgated economic espionage. "You have to
create a process to change the behavior of people who do cyber-economic
espionage," he tells The Washington Post. "Some of that is to create a way
to say it's not penalty free. This is an effective penalty. So it moves
them in the right direction."

But Rasch thinks it's unlikely that the executive order would fulfill the
stated White House purpose of deterring future cybercrime, espionage and
large-scale attacks. "The rogues are not going to be deterred by this," he
says. "The state sponsors are not going to be deterred by this."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!