On April 1st of last year, President Obama, by Executive Order 13694, declared a national emergency pursuant to the International Emergency Economic Powers Act to “deal with the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States” posed by malicious cyber-enabled activities.  The Executive Order, which was entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activity,” authorized economic sanctions to combat malicious cyber activity.  However, national emergencies sunset after a year, unless a president publishes in the Federal Register and transmits to Congress a notice stating that the emergency is to continue in effect beyond the anniversary date.  On Tuesday, March 29, 2016, President Obama took both of those steps to extend the life of his authority to hit cybersecurity violators with harsh economic sanctions. 

As King & Spalding previously reported, Executive Order 13694 authorized sanctions on individuals or entities that are responsible for, complicit in, or engage in malicious cyber-enabled activities originating or directed from abroad.  The cyber-enabled activities must significantly threaten the national security, foreign policy, economic health or financial stability of the United States.  Additionally, the cyber-enabled activities must have the purpose or effect of:

• harming or significantly compromising the provision of services by an entity in a critical infrastructure sector;
• causing significant disruption to the availability of a computer or network of computers;
• causing significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
• knowingly receiving or using trade secrets misappropriated through cyber-enabled means for commercial or competitive advantage or private financial gain; or
• materially assisting, sponsoring, or providing financial, material, or technological support for any of the above activities.

Executive Order 13694 also authorized sanctions against those who knowingly receive or benefit from trade secrets misappropriated through cyber-enabled means for commercial or competitive advantage or private financial gain.

On December 31, 2015, the Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued new regulations codifying the U.S. Cyber-Related Sanctions program.  As King & Spalding previously reported, those regulations presented a standard “blocking” program, similar to other programs in which parties are placed on OFAC’s Specially Designated Nationals list.  While no entities or individuals have yet been designated under the Executive Order or regulations, any entities designated under the Cyber-Related Sanctions program in the future will be subject to financial sanctions that include freezes on their U.S. assets and bans on commercial transactions. 

Without any action by the President, both the Executive Order and the regulations implementing it would have expired on April 1, 2016.  However, in a March 29, 2016 letter to Congress, President Obama noted that “[s]ignificant malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States, continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”  In a notice published the same day and published in the Federal Register, President Obama continued for one year the national emergency declared in Executive Order 13694.  Although the government has yet to use the power granted under Executive Order 13694, keeping the state of emergency in place gives the administration a powerful tool in its efforts to combat cybersecurity threats.

Reporter, Ashley B Guffey, Atlanta, + 1 404 572 2763, aguffey@kslaw.com.